I want to add Azure ACS to one of my sites, but having issues with all of the magic. I have an MVC app that uses a global filter to set a custom IPrincipal for the life of the request. The problem with the "add STS reference" methodology of WIF is that it short-circuits this via an HttpModule.

This much I know: ACS bounces back to my Web app to the URL I configured it for, and that bounce is a POST with the normalized SAML token. I'm not interested in WIF setting cookies or any of that nonsense... I just want to get the claims I'm interested in from the POST and deal with setting auth stuff up myself from there. What's the workflow? The documentation is lousy, and focuses on the magic "right click" solution.


Solution

I think there is a really easy solution to your problem:

Register on the SecurityTokenValidated event of the WSFederationAuthenticationModule, set e.Cancel to true and start your sign in logic with the information provided in the ClaimsPrincipal property of the event args.

Setting Cancel to true on the event args prevents WIF from creating any IPrincipal or session, so you can handle this stuff by yourself.
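The handler the answer describes, written out as an added example (this is not code from the original post or from WIF itself). It assumes the WIF 3.5 assembly Microsoft.IdentityModel, that WSFederationAuthenticationModule is registered in web.config under the name "WSFederationAuthenticationModule" so ASP.NET binds the Global.asax method to the event by name, and a hypothetical AppSignIn.Establish helper standing in for whatever sign-in logic the app already has. By the time SecurityTokenValidated fires, the module has already checked the token's signature, issuer, audience and lifetime; cancelling only stops the session/cookie/IPrincipal step, so the app still gets validated claims, but must issue and protect its own session from this point on.

```csharp
// Global.asax.cs (added example; assumes Microsoft.IdentityModel 3.5 and that the
// module is registered in web.config as "WSFederationAuthenticationModule")
using System;
using System.Linq;
using System.Web;
using Microsoft.IdentityModel.Claims;
using Microsoft.IdentityModel.Web;

public class MvcApplication : HttpApplication
{
    // Raised by the module after the SAML token posted back from ACS has been
    // validated (signature, issuer, audience, lifetime) but before WIF creates
    // a SessionSecurityToken, writes the FedAuth cookie or swaps the IPrincipal.
    void WSFederationAuthenticationModule_SecurityTokenValidated(
        object sender, SecurityTokenValidatedEventArgs e)
    {
        // Stop WIF here: no session, no cookie, no IPrincipal set by the module.
        e.Cancel = true;

        IClaimsIdentity identity = e.ClaimsPrincipal.Identities.FirstOrDefault();
        if (identity == null || !identity.IsAuthenticated)
            return; // nothing usable came back; let the app's normal auth handle it

        // Pick out only the claims the app cares about and ignore the rest.
        string nameId = identity.Claims
            .Where(c => c.ClaimType == ClaimTypes.NameIdentifier)
            .Select(c => c.Value)
            .FirstOrDefault();
        string issuer = identity.Claims
            .Select(c => c.Issuer)
            .FirstOrDefault();
        string[] roles = identity.Claims
            .Where(c => c.ClaimType == ClaimTypes.Role)
            .Select(c => c.Value)
            .ToArray();

        if (string.IsNullOrEmpty(nameId))
            return; // no stable subject identifier: do not sign anyone in

        // Hand off to the app's own sign-in. AppSignIn is a hypothetical helper
        // (not part of WIF) that would create the app's session and redirect.
        AppSignIn.Establish(nameId, issuer, roles);
    }
}
```

Because the request continues through the pipeline after Cancel is set, the app is responsible for what happens next: setting its own authentication cookie, redirecting away from the POST URL, and rejecting a replayed token if it reaches the page twice. Nothing on the SecurityTokenValidated path re-checks any of that once the module has been told to stand down.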

Other tips

There are many examples of using WIF + MVC, with different levels of control. I would suggest these ones: http://claimsid.codeplex.com or the ones in the Identity Training Kit.

WIF pretty much takes care of everything for you. For deeper extensibility, you should check Vittorio's book.

Regarding: I just want to get the claims I'm interested in from the POST and deal with setting auth stuff up myself from there.

What would you want to do yourself that WIF doesn't? What functionality would you include in your IPrincipal that IClaimsPrincipal doesn't provide?

There are many knobs and levers in WIF with all kinds of fine-grained control. It would probably help if you share what it is you want to do.

Licensed under: CC-BY-SA with attribution