- Yes, it is doable with SAM.
- Yes, you won't have to hit AD each time after the initial transformation.
What you should do is this:
Implement a ClaimsAuthenticationManager on your site. This will intercept your first request and take in your initial ClaimsPrincipal. The initial ClaimsPrincipal will just contain your username and the SIDs of your AD groups.
Inside your implementation of the ClaimsAuthenticationManager you will read out your application-specific claims from AD and create a new, transformed ClaimsPrincipal. This will then be serialized to an auth cookie.
Subsequent requests will be intercepted by SAM and you will not be required to do the claims transformation from AD as you have already done it the first time.
This is how you do it:
Create a ClaimsAuthenticationManager something like this:
using System;
using System.Collections.Generic;
using System.Security.Claims;

public class AdClaimsAppender : ClaimsAuthenticationManager
{
    public override ClaimsPrincipal Authenticate(string resourceName, ClaimsPrincipal incomingPrincipal)
    {
        // Anonymous requests pass through untouched.
        if (!incomingPrincipal.Identity.IsAuthenticated)
        {
            return base.Authenticate(resourceName, incomingPrincipal);
        }

        // Read the application-specific claims from AD and build the transformed principal.
        var adClaims = GetExtraAdClaims(incomingPrincipal);
        var newClaimsIdentity = new ClaimsIdentity(adClaims, "Windows");
        var newClaimsPrincipal = new ClaimsPrincipal(newClaimsIdentity);
        return base.Authenticate(resourceName, newClaimsPrincipal);
    }

    // Site-specific AD lookup: return every claim (name, group SIDs, application claims)
    // that the transformed identity should carry.
    private static IEnumerable<Claim> GetExtraAdClaims(ClaimsPrincipal incomingPrincipal)
    {
        throw new NotImplementedException("query AD for the application-specific claims here");
    }
}
Add the SAM module to your web.config:
<system.webServer>
  <modules>
    <add name="SessionAuthenticationModule"
         type="System.IdentityModel.Services.SessionAuthenticationModule, System.IdentityModel.Services, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089"
         preCondition="managedHandler" />
  </modules>
</system.webServer>
Set up your SAM cookie in your Global.asax:
using System;
using System.IdentityModel.Services;
using System.IdentityModel.Services.Configuration;
using System.Web;
using System.Web.Mvc;
using System.Web.Routing;

public class MvcApplication : HttpApplication
{
    protected void Application_Start()
    {
        AreaRegistration.RegisterAllAreas();
        RouteConfig.RegisterRoutes(RouteTable.Routes);
        FederatedAuthentication.FederationConfigurationCreated += FederatedAuthentication_FederationConfigurationCreated;
    }

    private static void FederatedAuthentication_FederationConfigurationCreated(object sender, FederationConfigurationCreatedEventArgs e)
    {
        // from appsettings...
        const string domain = "";
        const bool requireSsl = false; // set to true in production so the session cookie is only sent over HTTPS
        const string authCookieName = "YourSiteAuth"; // default is FedAuth; I normally create my own name as it is easier to identify when you have a lot of cookies.

        e.FederationConfiguration.CookieHandler = new ChunkedCookieHandler
        {
            Domain = domain,
            Name = authCookieName,
            RequireSsl = requireSsl,
            PersistentSessionLifetime = new TimeSpan(0, 0, 30, 0) // days, hours, minutes, seconds: 30 minutes
        };
    }
}
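As an added example, not code from the answer above, here is a variant of the ClaimsAuthenticationManager that keeps the incoming Windows claims (name and group SIDs) on the transformed identity and skips the directory round-trip whenever the principal already carries application claims. The claim type URI, the SID values and the SID-to-role dictionary are constructed placeholders standing in for the AD query; the `LookupAppClaims` helper is assumed, not part of the original.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Security.Claims;

public class AdClaimsAppender : ClaimsAuthenticationManager
{
    // Claim type for the application-specific claims (assumed URI, not from the original answer).
    public const string AppRoleClaimType = "http://schemas.example.com/claims/app-role";

    // Constructed stand-in for the AD lookup: group SID -> application role.
    private static readonly Dictionary<string, string> SidToAppRole = new Dictionary<string, string>
    {
        { "S-1-5-21-1111111111-2222222222-3333333333-1001", "Approver" },
        { "S-1-5-21-1111111111-2222222222-3333333333-1002", "Auditor" },
    };

    public override ClaimsPrincipal Authenticate(string resourceName, ClaimsPrincipal incomingPrincipal)
    {
        var identity = incomingPrincipal.Identity as ClaimsIdentity;
        if (identity == null || !identity.IsAuthenticated)
        {
            // Anonymous request: nothing to transform.
            return base.Authenticate(resourceName, incomingPrincipal);
        }

        // Already transformed: do not touch AD again.
        if (identity.HasClaim(c => c.Type == AppRoleClaimType))
        {
            return incomingPrincipal;
        }

        // Clone so the name and group SID claims from the Windows identity survive the transformation,
        // then append the application claims.
        var transformed = identity.Clone();
        transformed.AddClaims(LookupAppClaims(identity));
        return base.Authenticate(resourceName, new ClaimsPrincipal(transformed));
    }

    // Replace the dictionary with your directory query; only the shape of the result matters.
    public static IEnumerable<Claim> LookupAppClaims(ClaimsIdentity identity)
    {
        return identity.FindAll(ClaimTypes.GroupSid)
            .Select(c => c.Value)
            .Where(SidToAppRole.ContainsKey)
            .Select(sid => new Claim(AppRoleClaimType, SidToAppRole[sid]))
            .ToList();
    }
}
```

WIF only invokes this class if it is registered in web.config under `<system.identityModel><identityConfiguration><claimsAuthenticationManager type="YourNamespace.AdClaimsAppender, YourAssembly" /></identityConfiguration></system.identityModel>` (namespace and assembly name are placeholders). SAM rebuilds the principal straight from the cookie on later requests, so the `HasClaim` check is a guard for any other code path that hands an already-transformed principal back to the manager rather than the mechanism that avoids AD; that is what the cookie does.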