Enhancing an ASP.NET Membership Provider Website with Identity Provider Capabilities

Version: 1.1.0

Description

This lesson demonstrates how to add a simple STS to your ASP.NET membership provider-based website. By adding a simple page containing WIF code you will enable your partners to accept your users on their websites, even providing single sign-on for users who are already logged in to your website.

Overview

Contrary to what you may have heard, reaping the benefits of claims-based identity and access management does not necessarily require any rip-and-replace intervention on your existing assets. In this short hands-on lab we will demonstrate how you can easily enhance a common ASP.NET membership provider website with identity provider capabilities, enabling new scenarios without disrupting the existing functionality or your users’ experience. Furthermore, we will do all this without requiring any special security knowledge. The code we will demonstrate is not production ready, of course; however, it should be enough to give you an idea of the general structure of the application.

Let’s assume that you are running a website which manages authentication via the mechanisms offered by ASP.NET Membership: the user store is based on SqlMembershipProvider, credential gathering is implemented via forms authentication plus the Login web control, and roles and profile information are managed via the usual ASP.NET classes.

Let’s also assume that you have a business partner, also running a website, who would like to be able to offer special conditions to your users: recognize them as your users, personalize the experience or handle authorization according to user information you keep in your profiles or roles, perhaps even achieve single sign-on between your site and theirs. In other words, your business partner would like to use your website as an Identity Provider (IP). Traditionally, the trivial solutions to the problem (such as duplicating credential stores and keeping them synchronized) would require so much work that they would seldom make business sense; however, claims-based identity and the Windows Identity Foundation Framework lower the bar, making the above significantly easier to implement and maintain.

The Windows Identity Foundation Framework solution can be extremely simple: we just publish an extra page in our website, whose sole purpose is offering an entry point to our application when one of our users wants to sign in to a third-party partner website. Such a page, which in identity jargon takes the name of passive Security Token Service (or passive STS), will understand requests presented via a standard protocol (in our exercise it will be WS-Federation, but the principle holds for other protocols as well) and will return the requested values using the same conventions. The use of standards not only guarantees that the third-party website is free to use whatever technology or platform supports the same standard, but also makes it possible to use specific tooling for automating many of those processes and hiding away the details of the specific implementation.

This hands-on lab will help you to apply the solution described above, by enhancing an existing ASP.NET website with a simple STS and by configuring another website to take advantage of that STS.
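As an added illustration (not the lab’s own code), here is what the extra page and its STS class can look like using the WIF 1.0 (Microsoft.IdentityModel) API. The realm allow-list, the issuer name, the Sts.aspx page name, the MembershipSts class and the certificate store location are assumptions; the security-relevant part is that a token is issued only for a realm the site already trusts, and only to a user forms authentication has already signed in.

```csharp
using System;
using System.Security.Cryptography.X509Certificates;
using System.Web.Security;
using Microsoft.IdentityModel.Claims;
using Microsoft.IdentityModel.Configuration;
using Microsoft.IdentityModel.Protocols.WSTrust;
using Microsoft.IdentityModel.SecurityTokenService;
using Microsoft.IdentityModel.Web;
// Hypothetical STS class: issues name and role claims, but only to allow-listed partner realms.
public class MembershipSts : SecurityTokenService
{
    // Constructed allow-list of relying-party realms (the wtrealm value); any other realm is refused.
    static readonly string[] AllowedRealms = { "https://partner.example.com/" };
    public MembershipSts(SecurityTokenServiceConfiguration config) : base(config) { }
    protected override Scope GetScope(IClaimsPrincipal principal, RequestSecurityToken request)
    {
        if (request.AppliesTo == null || Array.IndexOf(AllowedRealms, request.AppliesTo.Uri.AbsoluteUri) < 0)
            throw new InvalidRequestException("Untrusted relying party: " + request.AppliesTo);
        Scope scope = new Scope(request.AppliesTo.Uri.AbsoluteUri, SecurityTokenServiceConfiguration.SigningCredentials);
        scope.TokenEncryptionRequired = false;   // lab setting: the token is signed but not encrypted
        // Honour wreply only while it stays inside the trusted realm; otherwise post back to the realm itself.
        bool replyOk = !string.IsNullOrEmpty(request.ReplyTo) && request.ReplyTo.StartsWith(scope.AppliesToAddress, StringComparison.OrdinalIgnoreCase);
        scope.ReplyToAddress = replyOk ? request.ReplyTo : scope.AppliesToAddress;
        return scope;
    }
    // principal is the forms-authenticated membership user; roles come from the existing RoleProvider.
    protected override IClaimsIdentity GetOutputClaimsIdentity(IClaimsPrincipal principal, RequestSecurityToken request, Scope scope)
    {
        ClaimsIdentity identity = new ClaimsIdentity();
        identity.Claims.Add(new Claim(ClaimTypes.Name, principal.Identity.Name));
        foreach (string role in Roles.GetRolesForUser(principal.Identity.Name))
            identity.Claims.Add(new Claim(ClaimTypes.Role, role));
        return identity;
    }
}
// Code-behind of the extra page (hypothetical Sts.aspx). Forms authentication protects it, so an
// anonymous browser is redirected to Login.aspx first and returns here once signed in.
public partial class Sts : System.Web.UI.Page
{
    protected void Page_Load(object sender, EventArgs e)
    {
        X509Store store = new X509Store(StoreName.My, StoreLocation.LocalMachine);
        store.Open(OpenFlags.ReadOnly);   // assumed location of the lab's "localhost" signing certificate
        X509Certificate2 cert = store.Certificates.Find(X509FindType.FindBySubjectName, "localhost", false)[0];
        store.Close();
        SecurityTokenServiceConfiguration config = new SecurityTokenServiceConfiguration("https://www.example.com/", new X509SigningCredentials(cert));
        FederatedPassiveSecurityTokenServiceOperations.ProcessRequest(Request, User, new MembershipSts(config), Response);
    }
}
```

The configuration object is built on every request here for brevity; a real site would build it once and cache it, and would list its partner realms in configuration rather than in code.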

Objectives

In this Hands-On Lab, you will learn how to:

  • Enhance an ASP.NET membership provider website with identity provider capabilities
  • Configure an ASP.NET website to accept and authorize users from an external identity provider

System Requirements

You must have the following items to complete this lab:

Setup

You must perform the following steps to prepare your computer for this lab.

  1. Open a Windows Explorer window and browse to the lab’s Source\Setup folder.
  2. Double-click the Dependencies.dep file in this folder to launch the Dependency Checker tool and install any missing prerequisites. This will also install some code snippets that will be used across the lab and the localhost certificate used in the second exercise by the local STS.

    Note:
    This process may require elevation. The .dep extension is associated with the Dependency Checker tool during its installation. For additional information about the setup procedure and how to install the Dependency Checker tool, refer to the Setup.docx document in the Assets folder of the training kit.

  3. Once the code snippets installer has closed, the setup script will proceed with the certificate installation. Press Y if you want to continue with the required certificate installation.

    Figure 1: Installing the localhost certificate

    Note:
    If you are running Windows 7 or Windows 2008 R2 you might not see this window.

  4. When finished press any key to close the setup console.
    Note:
    In addition to the setup script inside the %YourInstallationFolder%\Labs\MembershipAndFederation\Source\Setup folder, there is a Cleanup.cmd file you can use to uninstall all the code snippets installed by the SetupLab.cmd script.

Exercises

The following exercise makes up this Hands-On Lab:

  1. Enhance an ASP.NET Membership Website with Identity Provider Capabilities and Use it from a Third Party Website
Note:
Each exercise is accompanied by a starting solution. These solutions are missing some code sections that are completed through each exercise and therefore will not work if you run them directly.

Inside each exercise you will also find an End folder containing the resulting solution you should obtain after completing the exercise. You can use this solution as a guide if you need additional help working through the exercises.

Estimated time to complete this lab: 25 minutes.