Question

I have started looking into using WIF 4.5 in our projects to replace our old security behaviour. It was a simple Forms Authentication login page, in which we verify the username/password in the database. This was our authentication behaviour.

I'm doing ASP.NET applications.

Now with WIF, I understand that authentication behaviour should be done by an external STS (Azure, or Active Directory). However I still want to perform my own validation of a username/password in a database, but I am unsure if I can/should do this with WIF.

Here are my questions:

1) Should I make my own STS, or use some other means?

2) Can I keep the authentication set to "Forms" in my config file, or should I use some other configuration?

Thanks!


Solution

1) Yes, you should have your own STS or use an existing one. Writing one is difficult the first time, but easy every time after that. I wrote a detailed tutorial once; it is for WIF 4 but should be easy to port to WIF 4.5.

http://www.wiktorzychla.com/2011/08/quest-for-customizing-adfs-sign-in-web.html

2) Yes, you can use Forms Authentication for both the STS and your application. However, since Forms has numerous subtle issues, it is recommended to use SessionAuthenticationModule to maintain user sessions.

http://www.wiktorzychla.com/2011/08/quest-for-customizing-adfs-sign-ing-web.html

http://www.wiktorzychla.com/2012/09/forms-authentication-revisited.html

Switching to SAM doesn't usually involve other changes in your application if you rely on common authentication and authorization mechanisms (Web Forms authorization, MVC authorization filters).
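An added example, not part of the original answer or its linked tutorials: a login handler (for the application or a custom STS sign-in page) that checks the password against the site's own database record and then lets SessionAuthenticationModule issue the session cookie in place of the Forms ticket. The `StoredCredential` type, the PBKDF2 storage scheme and the 8-hour lifetime are assumptions; the module must also be registered in web.config, with `<cookieHandler requireSsl="true" />` on an HTTPS site.

```csharp
using System;
using System.Collections.Generic;
using System.IdentityModel.Services;
using System.IdentityModel.Tokens;
using System.Security.Claims;
using System.Security.Cryptography;

// Hypothetical shape of one row loaded from the application's own user table.
public sealed class StoredCredential
{
    public string UserName;
    public byte[] Salt;
    public byte[] Hash;       // PBKDF2 output stored at registration time
    public int Iterations;
    public string[] Roles;
}

public static class DbLogin
{
    // Returns true and writes the SAM session cookie when the password matches.
    // The caller passes null when no row exists for the submitted user name.
    public static bool TrySignIn(StoredCredential row, string password)
    {
        if (row == null || password == null) return false;

        byte[] candidate;
        using (var kdf = new Rfc2898DeriveBytes(password, row.Salt, row.Iterations))
            candidate = kdf.GetBytes(row.Hash.Length);

        // No early exit: timing must not reveal how many leading bytes matched.
        int diff = 0;
        for (int i = 0; i < candidate.Length; i++) diff |= candidate[i] ^ row.Hash[i];
        if (diff != 0) return false;

        var claims = new List<Claim> { new Claim(ClaimTypes.Name, row.UserName) };
        foreach (var role in row.Roles ?? new string[0])
            claims.Add(new Claim(ClaimTypes.Role, role));

        // A non-empty authentication type is what makes IsAuthenticated true.
        var principal = new ClaimsPrincipal(new ClaimsIdentity(claims, "Forms"));
        var token = new SessionSecurityToken(principal, TimeSpan.FromHours(8));
        FederatedAuthentication.SessionAuthenticationModule.WriteSessionTokenToCookie(token);
        return true;
    }

    public static void SignOut()
    {
        FederatedAuthentication.SessionAuthenticationModule.SignOut();
    }
}
```

Because the roles are carried as `ClaimTypes.Role` claims, existing `<authorization>` rules and `[Authorize(Roles = ...)]` filters keep working against the resulting principal.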

OTHER TIPS

Yes - you can do it with WIF but you can't use ADFS which only authenticates against AD.

Suggest you look at Thinktecture.IdentityServer.

It's an open-source STS (so you can make changes) and authenticates against a SQL DB.

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow