Pored SAML i OIDC protokola sustav AAI@EduHr za ASP.NET aplikacije omogućuje korištenje i WS-FED (ADFS) protokola.
Potrebno je instalirati nuget paket microsoft.aspnetcore.authentication.wsfederation i slijediti upute koje su dostupne na Microsoftovim stranicama:
https://learn.microsoft.com/en-us/aspnet/core/security/authentication/ws-federation?view=aspnetcore-8.0#add-ws-federation-as-an-external-login-provider-for-aspnet-core-identity
U verzijama .NET 7 i 8 postoji bug koji do pisanja ovih uputa nije ispravljen pa je potrebno primijeniti zakrpu koja je opisana ovdje:
https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet/issues/1258
Slijedi primjer koda za ASP.NET 8 Core Web c# aplikacije:
using Microsoft.AspNetCore.Authentication.Cookies;
using Microsoft.AspNetCore.Authentication.WsFederation;
using Microsoft.AspNetCore.Identity;
using Microsoft.EntityFrameworkCore;
using Microsoft.IdentityModel.Tokens.Saml;
using Microsoft.IdentityModel.Tokens;
using primjer.Data;
using System.Security.Claims;
using Microsoft.Extensions.DependencyInjection;
var builder = WebApplication.CreateBuilder(args);
builder.Services.AddAuthentication(sharedOptions =>
{
sharedOptions.DefaultScheme = CookieAuthenticationDefaults.AuthenticationScheme;
sharedOptions.DefaultChallengeScheme = WsFederationDefaults.AuthenticationScheme;
})
.AddWsFederation(wo =>
{
wo.MetadataAddress = "https://fed-lab.aaiedu.hr/sso/module.php/adfs/idp/metadata.php";
wo.Wtrealm = "https://testna-aplikacija.hr";
wo.TokenHandlers.Clear();
wo.TokenHandlers.Add(new CustomSamlSecurityTokenHandler());
wo.Events = new WsFederationEvents()
{
OnSecurityTokenValidated = async context =>
{
// Ukoliko su potrebne dodatne provjere korisnika
var ci = context.Principal.Identity as ClaimsIdentity;
}
};
})
.AddCookie();
// Add services to the container.
var connectionString = builder.Configuration.GetConnectionString("DefaultConnection") ?? throw new InvalidOperationException("Connection string 'DefaultConnection' not found.");
builder.Services.AddDbContext<ApplicationDbContext>(options =>
options.UseSqlServer(connectionString));
builder.Services.AddDatabaseDeveloperPageExceptionFilter();
builder.Services.AddDefaultIdentity<IdentityUser>(options => options.SignIn.RequireConfirmedAccount = true)
.AddEntityFrameworkStores<ApplicationDbContext>();
builder.Services.AddRazorPages();
var app = builder.Build();
// Configure the HTTP request pipeline.
if (app.Environment.IsDevelopment())
{
app.UseMigrationsEndPoint();
}
else
{
app.UseExceptionHandler("/Error");
app.UseHsts();
}
app.UseHttpsRedirection();
app.UseStaticFiles();
app.UseRouting();
app.UseAuthorization();
app.MapRazorPages();
app.Run();
public class CustomSamlSecurityTokenHandler : SamlSecurityTokenHandler
{
public override async Task<TokenValidationResult> ValidateTokenAsync(string token, TokenValidationParameters validationParameters)
{
if (token.Contains("
"))
{
token = token.Replace("
", "");
}
try
{
var configuration = await validationParameters.ConfigurationManager.GetBaseConfigurationAsync(CancellationToken.None).ConfigureAwait(false);
var issuers = new[] { configuration.Issuer };
validationParameters.ValidIssuers = validationParameters.ValidIssuers == null ? issuers : validationParameters.ValidIssuers.Concat(issuers);
validationParameters.IssuerSigningKeys = validationParameters.IssuerSigningKeys == null ? configuration.SigningKeys : validationParameters.IssuerSigningKeys.Concat(configuration.SigningKeys);
validationParameters.IssuerSigningKey = configuration.SigningKeys.First();
validationParameters.ValidIssuer = configuration.Issuer;
}
catch (Exception e)
{
Log.Error(e, "Greška u custom handleru: {token}", token);
}
return await base.ValidateTokenAsync(token, validationParameters);
}
}
Hvala kolegi Vidu Kašiću na pomoći pri izradi ovih uputa.