aspnet / Security

[Archived] Middleware for security and authorization of web apps. Project moved to https://github.com/aspnet/AspNetCore
Apache License 2.0

Port the WsFederation middleware from Katana #43

Closed Tratcher closed 7 years ago

Tratcher commented 10 years ago

Depends on System.IdentityModel.Tokens.Jwt and Microsoft.IdentityModel.Protocol.Extensions.

StevenVandenBroeck commented 9 years ago

Any news on WsFederation in ASP.NET 5 ?

blowdart commented 9 years ago

The dependency still stands and that work has not yet been completed by the team that owns the IdentityModel pieces.

brockallen commented 9 years ago

Any plans to add signoutcleanup support? That was missing in Katana v3's implementation. It's nice to have single sign-on, but single sign-out is also nice :)

brentschmaltz commented 9 years ago

signoutcleanup is on the map.

WsFed is on the map also, no time frame yet.

rsbavaresco commented 9 years ago

Hi, how about it, now?

blowdart commented 9 years ago

We're still awaiting support from the WAAD team, they're the ones driving it.

brentschmaltz commented 9 years ago

Yep, it is on our plates and radar. No promises till we drop OIDC.

lomithrani commented 9 years ago

Is there any alternative to authenticate using WS-Federation or SAML2 meanwhile?

aredfox commented 9 years ago

Is there any news on the feature / roadmap for this feature, as this is now holding back starting new applications in ASPNET5 for our organisation.

marc-mueller commented 8 years ago

Is there any update so far? Not being able to support SAML within our ASP.NET 5 application is currently a showstopper for our project since we have some dependencies with existing systems.

Tratcher commented 8 years ago

This is not happening for v1.0. We'll follow up afterwards.

marc-mueller commented 8 years ago

So this means that the development has not started yet? Is there any estimation about the release?

Tratcher commented 8 years ago

Correct. No, we haven't scheduled any of the post-v1 work yet.

rschiefer commented 8 years ago

We use ADFS extensively for 20 or so internal web applications. This would be a major blocker for us to migrate to ASP.NET Core.

Can someone post a link to the related dependencies so we can go show support for that work as well?

helmsb commented 8 years ago

We've used ADFS as the core of our authentication for our internal application framework which is used throughout our organization. This is a huge blocker for us going to .NET Core.

Tratcher commented 8 years ago

@blowdart @brentschmaltz is it this one? https://github.com/dotnet/corefx/issues/4278

MaximRouiller commented 8 years ago

Just bouncing this again. I'm still seeing people trying the Katana bits with .NET Core.

I'll refer them to this issue.

leastprivilege commented 8 years ago

Maybe it is just me - but I see a lot of companies using ADFS via WS-Fed. They are all blocked to move forward to ASP.NET Core (let alone .NET Core).

Is this a way to push adoption of Windows Server 2016 ;) (I am afraid this does not work that way)

marc-mueller commented 8 years ago

I fully agree with @leastprivilege. There are so many large companies with their ADFS via WS-Fed setup and they won't change that fast. On the development side we are faster than on the infrastructure side and this would allow us to push ASP.NET Core.

brentschmaltz commented 7 years ago

@leastprivilege @marc-mueller @MaximRouiller @helmsb the roadmap to make this happen is fully understood. Every time I bring it up, the beancounters ask who really cares. If you do care, contact your contacts here at MSFT directly.

@Tratcher dotnet/corefx#4278 is the start of it. CoreFx is the rightful owner of SignedXml. Once that is in place, IM can re-introduce EnvelopedSignatureReader (which should be in IM) and an updated SamlToken / Handler and WsFed support.

MaximRouiller commented 7 years ago

@brentschmaltz Right now, I don't. I just see a confusion around the packages.

I'll talk to my beancounter if I ever need it urgently.

brentschmaltz commented 7 years ago

@MaximRouiller I was referring to my Microsoft beancounters who want to ensure the number 1 priorities are what we are focused on. So they need to hear from you.

karelz commented 7 years ago

Just to close the loop and to clarify: https://github.com/dotnet/corefx/issues/4278 is making progress towards being .NET Standard 2.0 extension, however it is not the dependency blocking WS-Fed. More technical details are posted here: https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet/issues/500#issuecomment-275218749.

danroth27 commented 7 years ago

For folks looking for WS-Fed support in ASP.NET Core could you please chime in with:

  1. What identity providers do you need to integrate with that require WS-Fed? We've heard from folks who want to use WS-Fed with older ADFS installations, but are there other identity providers you need to integrate with?
  2. For folks wanting to use WS-Fed with ADFS is updating to Windows Server 2016 and using OIDC instead an option?
  3. Do you need WS-Fed support on .NET Core (e.g. to run cross-platform) or would it be sufficient if this only worked on the full .NET Framework on Windows?

The more data we can get on your requirements the better. Thanks!

clairernovotny commented 7 years ago

I need this to be an IdP to SharePoint IaaS as it only supports WS-Fed 1.1. The scenario is bridging AAD B2C, which doesn't support WS-Fed 1.1 to SharePoint by using IdentityServer as a protocol bridge/IdP. We cannot do that using .NET Core today because of this.

brockallen commented 7 years ago

For folks wanting to use WS-Fed with ADFS is updating to Windows Server 2016 and using OIDC instead an option?

This is not an option for most of my customers. If they could then they'd just use the OIDC support in 2016.

Do you need WS-Fed support on .NET Core (e.g. to run cross-platform) or would it be sufficient if this only worked on the full .NET Framework on Windows?

For now the full .NET framework would be sufficient, but I'd argue that eventually .NET Core will also be desirable.

adalinesimonian commented 7 years ago

What identity providers do you need to integrate with that require WS-Fed? We've heard from folks who want to use WS-Fed with older ADFS installations, but are there other identity providers you need to integrate with?

At least in my use case, it's really just older ADFS installations.

For folks wanting to use WS-Fed with ADFS is updating to Windows Server 2016 and using OIDC instead an option?

This is not an option for many reasons, be they bureaucratic or technical.

Do you need WS-Fed support on .NET Core (e.g. to run cross-platform) or would it be sufficient if this only worked on the full .NET Framework on Windows?

Absolutely would need it on .NET Core - the application server is running RHEL.

danroth27 commented 7 years ago

@vibronet

marc-mueller commented 7 years ago

Our main scenario is also to support older versions of ADFS which cannot be upgraded in the near future.

Concerning the target frameworks: Our target is to use the library cross platform, so .NET framework is not an option in our projects.

leastprivilege commented 7 years ago

I need this to be an IdP to SharePoint IaaS

@onovotny We are talking about the WS-Fed MW - not IdP functionality.

But anyways - WS-Fed IdP support for IdentityServer4 is coming soon.

leastprivilege commented 7 years ago

FTR

It is about older ADFS/ADFS proxies which cannot be easily upgraded (after all that's what you get for hard coupling ADFS with the Windows Server version).

While .NET Core support would be nice - I think full .NET is good enough for now and would be an easy port.

clairernovotny commented 7 years ago

@leastprivilege good to know -- misread the context then, thought it was for Ws-Fed all-up for the underlying signed xml libraries.

Compufreak345 commented 7 years ago

I want to sign this as well - we need the support for WS-Fed because we need to use a customers old version of ADFS - upgrading to Windows Server 2016 is not an option. Full .NET would be completely OK for us, we already need to use it for other features.

poke commented 7 years ago

Adding my voice here as well. WS-Fed support on full .NET Framework would be enough for us.

Since this keeps getting mentioned, why is everyone referring to “old versions” of ADFS? We are using a current version of ADFS running on Windows Server 2016. Is there a way we can integrate that into ASP.NET Core? (We need ADFS for compatibility with certain legacy applications)

danroth27 commented 7 years ago

@poke With Windows Server 2016 you should be able to use OpenID Connect instead of WS-Fed.

poke commented 7 years ago

@danroth27 Do you happen to have any example on how to configure that properly?

danroth27 commented 7 years ago

Does this article help?: https://technet.microsoft.com/en-us/windows-server-docs/identity/ad-fs/development/enabling-openid-connect-with-ad-fs-2016

poke commented 7 years ago

@danroth27 Took me a while to transfer that over to ASP.NET Core, but yes, that article did help me, especially on the ADFS side. I’ve got it working now, thanks a lot!
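For readers who, like poke, want to take the OpenID Connect route against AD FS on Windows Server 2016 instead of waiting for WS-Fed middleware, here is an added example of the ASP.NET Core 2.x wiring. It is not code from this thread, from the linked TechNet article, or from any commenter's project; the AD FS host name, client id, secret and redirect paths are placeholders, and it assumes the AD FS side is an Application Group with a "Server application" whose redirect URI is https://app.example.com/signin-oidc.

```csharp
// Added example: ASP.NET Core 2.x Startup using OpenID Connect against AD FS 2016.
// Not from this thread. Host name, client id, secret and paths are assumed placeholders.
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authentication.Cookies;
using Microsoft.AspNetCore.Authentication.OpenIdConnect;
using Microsoft.AspNetCore.Builder;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.IdentityModel.Tokens;

public class Startup
{
    public void ConfigureServices(IServiceCollection services)
    {
        services.AddAuthentication(options =>
        {
            // The app's own session lives in a cookie; unauthenticated requests
            // are challenged by redirecting the browser to AD FS.
            options.DefaultScheme = CookieAuthenticationDefaults.AuthenticationScheme;
            options.DefaultChallengeScheme = OpenIdConnectDefaults.AuthenticationScheme;
        })
        .AddCookie()
        .AddOpenIdConnect(options =>
        {
            // AD FS 2016 serves discovery at /adfs/.well-known/openid-configuration,
            // so Authority is the /adfs root. Issuer, endpoints and signing keys are
            // read from there over HTTPS; do not hard-code the token-signing certificate.
            options.Authority = "https://adfs.example.com/adfs";
            options.RequireHttpsMetadata = true;

            // Client id and secret of the AD FS "Server application" (placeholders).
            options.ClientId = "a1b2c3d4-0000-0000-0000-000000000000";
            options.ClientSecret = "<secret issued by AD FS>";

            // Hybrid flow: the id_token comes back in a form POST and the code is
            // redeemed server to server, so no token travels in a URL fragment.
            options.ResponseType = "code id_token";
            options.ResponseMode = "form_post";
            options.CallbackPath = "/signin-oidc";
            options.SignedOutCallbackPath = "/signout-callback-oidc";
            options.SaveTokens = true;

            options.Scope.Clear();
            options.Scope.Add("openid");
            options.Scope.Add("profile");

            options.TokenValidationParameters = new TokenValidationParameters
            {
                // AD FS normally issues "unique_name" and "role" claims (assumed;
                // adjust if your issuance transform rules differ).
                NameClaimType = "unique_name",
                RoleClaimType = "role",
                // Audience defaults to ClientId and issuer to the discovered value;
                // stated explicitly so a misconfiguration cannot silently disable them.
                ValidateIssuer = true,
                ValidateAudience = true,
            };

            options.Events = new OpenIdConnectEvents
            {
                // Fail closed: a rejected token or a remote error lands on an error page
                // instead of an unauthenticated page that looks like success.
                OnRemoteFailure = ctx =>
                {
                    ctx.Response.Redirect("/error");
                    ctx.HandleResponse();
                    return Task.CompletedTask;
                }
            };
        });

        services.AddMvc();
    }

    public void Configure(IApplicationBuilder app)
    {
        app.UseAuthentication(); // must run before MVC so [Authorize] sees the principal
        app.UseMvc();
    }
}
```

The two settings worth double-checking after a first successful login are `RequireHttpsMetadata` (never relax it outside a lab) and the response type: if AD FS rejects `code id_token`, the Server application is missing a client secret or the redirect URI does not match `CallbackPath` exactly. ASP.NET Core 1.x used `app.UseOpenIdConnectAuthentication(...)` with the same option names, so the example translates to that version by moving the options into the middleware call.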

klings commented 7 years ago

What @leastprivilege and @brockallen said. WS-Fed MW would give us a path to ASP.NET Core. ADFS is part of the problem.

chrisdrobison commented 7 years ago

For those of you who are interested, I ported the Katana WsFederation middleware over to ASP.NET Core. It has a hard dependency on the full .NET Framework. I have yet to build the Nuget package and publish it, but I'd love for anyone who wants to give it a go to see if it will be sufficient until something is put in place officially by Microsoft.

https://github.com/chrisdrobison/aspnetcore-wsfed

Tratcher commented 7 years ago

Nice work @chrisdrobison. We have something in the works that will use the latest version of IdentityModel to avoid dependency version conflicts. It will similarly be restricted to the full .NET Framework for now.

Side note: please don't use Microsoft in your package names if you intend to publish it (see https://github.com/aspnet-contrib).
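As an added illustration of what the relying-party side of the middleware under discussion looks like, including the single sign-out that brockallen asked about earlier in the thread: this is not code from this thread, from chrisdrobison's port, or from the unreleased work Tratcher mentions. It uses the `Microsoft.AspNetCore.Authentication.WsFederation` package that shipped later in ASP.NET Core 2.1; that API is stated from knowledge, not from this page. The AD FS host, realm and reply URLs are placeholders.

```csharp
// Added example: ASP.NET Core 2.1 Startup as a WS-Federation relying party to AD FS.
// Not from this thread. Host name, realm and paths are assumed placeholders.
using Microsoft.AspNetCore.Authentication.Cookies;
using Microsoft.AspNetCore.Authentication.WsFederation;
using Microsoft.AspNetCore.Builder;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.IdentityModel.Tokens;

public class Startup
{
    public void ConfigureServices(IServiceCollection services)
    {
        services.AddAuthentication(options =>
        {
            options.DefaultScheme = CookieAuthenticationDefaults.AuthenticationScheme;
            options.DefaultChallengeScheme = WsFederationDefaults.AuthenticationScheme;
        })
        .AddCookie()
        .AddWsFederation(options =>
        {
            // Federation metadata is the source of the issuer name and the token-signing
            // certificates. It must come over HTTPS, otherwise a network attacker can hand
            // the app a key of their choosing and mint accepted tokens.
            options.MetadataAddress =
                "https://adfs.example.com/FederationMetadata/2007-06/FederationMetadata.xml";
            options.RequireHttpsMetadata = true;

            // wtrealm is the relying party identifier registered in AD FS (placeholder).
            options.Wtrealm = "https://app.example.com/";

            // Pin where AD FS may post the token back; the handler also rejects a token
            // whose audience is not the realm above.
            options.Wreply = "https://app.example.com/signin-wsfed";
            options.CallbackPath = "/signin-wsfed";

            // Single sign-out: when the user signs out at AD FS or another RP, AD FS
            // sends wa=wsignoutcleanup1.0 to this path and the handler clears the local
            // cookie. This is the piece Katana's middleware lacked.
            options.RemoteSignOutPath = "/signout-wsfed";
            options.SignOutWreply = "https://app.example.com/";

            // Only accept tokens that answer a request this app actually issued.
            options.AllowUnsolicitedLogins = false;

            options.TokenValidationParameters = new TokenValidationParameters
            {
                // Audience must equal the realm; issuer and signing keys come from metadata.
                ValidAudience = "https://app.example.com/",
                NameClaimType = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name",
                RoleClaimType = "http://schemas.microsoft.com/ws/2008/06/identity/claims/role",
            };
        });

        services.AddMvc();
    }

    public void Configure(IApplicationBuilder app)
    {
        app.UseAuthentication();
        app.UseMvc();
    }
}
```

The one thing to verify in a deployment is that `RemoteSignOutPath` is actually registered in AD FS as the relying party's sign-out endpoint; without that, local sign-out works but the cross-application cleanup the thread asks for never fires.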

chrisdrobison commented 7 years ago

@Tratcher Sounds good, I'll remove the name.

leastprivilege commented 7 years ago

@chrisdrobison nice! I have some real world usage for that. I can help you with review, testing and automated builds.

chrisdrobison commented 7 years ago

@leastprivilege Thanks! That would be much appreciated.

Compufreak345 commented 7 years ago

@chrisdrobison Thanks for your work as well, I (probably misconfigured something and) created your first issue ;)

leastprivilege commented 7 years ago

@Tratcher do you have an ETA? the version conflict is icky.

Tratcher commented 7 years ago

Not quick, we're just beginning the work at the IM layer.

chrisdrobison commented 7 years ago

Do you happen to know if there is going to be a package newer than this published?

https://www.nuget.org/packages/Microsoft.IdentityModel.Protocols.WsFederation/2.0.0-beta8-305061149

I could attempt to upgrade the work I've done, but I fear all the other packages that one depends on are much newer now and this one has kind of been left behind.

Tratcher commented 7 years ago

Yes, that package will get updated/replaced.

chrisdrobison commented 7 years ago

Do you know when that will happen?