问题
I am currently working on a vb.net MVC5 application and using WS-Federation to authenticate all the users from an ADSF 3.0 server. Everything is working fine; when the users try to access a secured controller marked with the AUTHORIZE attribute, the users are redirected to the STS login page, they login and they come back. I am able to read the CLAIMS provided by the ADFS server.
My problem is that i need to create a local entry in my database when a new authenticated user comes in after login to store additional informations. I do not want the user to register manually, if he is authenticated, it means i can trust this user.
The Startup.Auth.vb looks like this :
Partial Public Class Startup
Private Shared realm As String = ConfigurationManager.AppSettings("ida:Wtrealm")
Private Shared adfsMetadata As String = ConfigurationManager.AppSettings("ida:ADFSMetadata")
Public Sub ConfigureAuth(app As IAppBuilder)
app.UseCookieAuthentication(New CookieAuthenticationOptions() With {
.AuthenticationType = CookieAuthenticationDefaults.AuthenticationType,
.LoginPath = New PathString("/Home/Login")
})
app.UseWsFederationAuthentication(New WsFederationAuthenticationOptions() With {
.AuthenticationType = "ExternalCookie",
.Wtrealm = realm,
.MetadataAddress = adfsMetadata,
.Wreply = "https://myapp.com/Home/SSOLogin"
})
app.SetDefaultSignInAsAuthenticationType(CookieAuthenticationDefaults.AuthenticationType)
End Sub
End Class
In my Home controller, i have created the SSOLogin Action to be able to do what i need to do to test the presence of this user and create it if it does not exists
Public Function SSOLogin() As ActionResult
' Some code here to check if user exists or not and create it
End Function
I put a breakpoint in my action but it is never hit because the middleware handles and detect the postback before it hits the action method and does a Redirect 302 to the originally requested secured page.
The question
Are there any way to trap the callback in the WSFederation middleware or maybe add an event to the global.asax to do my user automatic creation only after authentication, not on all requests ?
Thanks for your time !
回答1:
After the WsFederationAuthenticationHandler has validated the inbound token, you can register to receive a notification. WsFederationAuthenticationOptions.Notifications is where you can do that. In startup.cs you want to set notification for: WsFederationAuthenticationNotifications.SecurityTokenValidated.
Patrice, here is some code that will give you an idea of how to hook the notification. this code is usually placed in startup.auth.cs.
var wsFederationOptions = new WsFederationAuthenticationOptions
{
Notifications = new WsFederationAuthenticationNotifications
{
SecurityTokenValidated = (notification) =>
{
var identity = notification.AuthenticationTicket.Identity;
var defaultName = identity.FindFirst ("<claim-that-identifies-user>");
// do work here
return Task.FromResult<object>(null);
}
},
MetadataAddress = wsFedMetadataAddress,
Wreply = host,
Wtrealm = clientId
};
app.UseWsFederationAuthentication(wsFederationOptions);
来源:https://stackoverflow.com/questions/35423145/how-to-trap-a-ws-federation-callback-in-an-owin-mvc5-app-to-automatically-create