I have just published Windows Identity Foundation (WIF) and Azure AppFabric Access Control (ACS) Service Survival Guide.

It has the following structure:

• Problem Scope
  • What is it?
  • How does it fit?
  • How To Make It Work?
• Case Studies
• WIF/ACS Anatomy
  • Architecture
  • Identification (how a client identifies itself)
  • Authentication (how client's credentials validated)
  • Identity flow (how the token flows through the layers/tiers)
  • Authorization (how relying party - application or service - decides to grant or deny access)
  • Monitoring
  • Administration
• Quality Attributes
  • Supportability
  • Testability
  • Interoperability
  • Performance
  • Security
  • Flexibility
• Content Channels
  • MSDN/Technet
  • Codeplex
  • Code.MSDN
  • Blogs
  • Channel9
  • SDK
  • Books
  • Conventions
  • Forums
• Content Types
  • Explained
  • Architecture scenarios
  • Guidelines
  • How-to's
  • Checklists
  • Troubleshooting cheat sheets
  • Code samples
  • Videos
  • Slides
  • Documents
• Related Technology
• Industry
• Additional Q&A

Constructive feedback on how to improve much appreciated.

Related Books

• Programming Windows Identity Foundation (Dev - Pro)
• A Guide to Claims-Based Identity and Access Control (Patterns & Practices)

This post outlines common configuration settings in web.config related to Windows Identity Foundation (WIF) when used with ASP.NET applications.

Summary of Common WIF Configuration Settings

Below is the summary of common configuration setting related to WIF:

• Authentication and Authorization configurations.
• Register Http Modules with ASP.NET pipeline
• Identity Model Configuration Section
• Initializing Audience
• Federation Configuration
• Token Encryption
• Trusted Token Issuers

Rest of this post cover details of each configuration

Authentication and Authorization configurations

• Authentication configured to “None”.
• Authorization configured to deny all unauthenticated users.

<authorization>
  <deny users="?" />
</authorization>
<authentication mode="None" />

Register Http Modules with ASP.NET pipeline

• WIF Http Modules registered with ASP.NET pipeline.
• When working with Development Web Server that ships with Visual Studio (Cassini) modules registered under <system.web.httpModules> section.
• When working with IIS7 modules registered under <system.webServer.modules> section. In that case additional attribute needed preCondition="managedHandler" .
• WSFederationAuthenticationModule added by default. Responsible for redirecting unauthenticated requests. Refer to visuals at Claims-Based Architectures.
• SessionAuthenticationModule added by default. Responsible for maintaining authentication session and parsing tokens into .Net Types. Refer to visuals at Claims-Based Architectures.
• ClaimsAuthorizationModule added by developer in when implementing Claims Based Authorization. For more info - Windows Identity Foundation (WIF) By Example Part III – How To Implement Claims Based Authorization For ASP.NET Application

<add name="WSFederationAuthenticationModule"
     type="Microsoft.IdentityModel.Web.WSFederationAuthenticationModule, Microsoft.IdentityModel, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" />

<add name="SessionAuthenticationModule"
     type="Microsoft.IdentityModel.Web.SessionAuthenticationModule, Microsoft.IdentityModel, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" />

<add name="ClaimsAuthorizationModule" 
     type="Microsoft.IdentityModel.Web.ClaimsAuthorizationModule, Microsoft.IdentityModel, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" />

Identity Model Configuration Section

• Required to enable WIF related configuration in web.config. Added by default when adding STS Reference.

<configSections>
  <section name="microsoft.identityModel"
           type="Microsoft.IdentityModel.Configuration.MicrosoftIdentityModelSection, Microsoft.IdentityModel, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" />
</configSections>

Initializing Audience

• Required to make sure incoming tokens intended for the application.
• Usually has the URI’s (URL’s) of the application, this is what’s configured in the sample from Windows Identity Foundation (WIF) By Example Part II – How To Migrate Existing ASP.NET Web Application To Claims Aware:

<microsoft.identityModel>
  <service>
    <audienceUris>
      <add value="http://localhost:10130/MigrateWindowsAuthenticationToWIF" />
    </audienceUris>

Federation Configuration

• Required by WSFederationAuthenticationModule and by SessionAuthenticationModule.
• issuer – end point of the Token Issuer. In my case it is pointing to SelfSTS that I have used for development purposes in Windows Identity Foundation (WIF) By Example Part II – How To Migrate Existing ASP.NET Web Application To Claims Aware
• realm – value attached to wtrealm. Read more about it here - Windows Identity Foundation (WIF) Explained – Web Browser Sign-In Flow (WS-Federation Passive Requestor Profile)
• requireHttps and requireSsl – specifies whether the communications should be performed over HTTPS (SSL). Make no mistake – you want to specify true for both in production environment.

<federatedAuthentication>
  <wsFederation 
        passiveRedirectEnabled="true"
        issuer="http://localhost:8000/STS/Issue/"
        realm="http://localhost:10130/MigrateWindowsAuthenticationToWIF"
        requireHttps="false" />
  <cookieHandler requireSsl="false" />
</federatedAuthentication>

Token Encryption

• Required when tokens are encrypted.
• It’s an optional extra security step in protecting the tokens despite the fact the tokens sent over HTTP (SSL).
• Located in <microsoft.identityModel.service> element.
• This is how it looks for the A Guide to Claims-Based Identity and Access Control – Code Samples (online):

<serviceCertificate>
  <certificateReference x509FindType="FindBySubjectDistinguishedName"
       findValue="CN=adatum" storeLocation="LocalMachine" storeName="My" />
</serviceCertificate>

Trusted Token Issuers

• Required to identify trusted token issuers.
• Makes it possible to verify token being signed by trusted token issuer.

<issuerNameRegistry type="Microsoft.IdentityModel.Tokens.ConfigurationBasedIssuerNameRegistry, Microsoft.IdentityModel, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35">
  <trustedIssuers>
    <add thumbprint="313D3B54E2140192A8C7ED626332B6BF9106A9EC" name="SelfSTS" />
  </trustedIssuers>

Related Books

• Programming Windows Identity Foundation (Dev - Pro)
• A Guide to Claims-Based Identity and Access Control (Patterns & Practices) – free online version
• Developing More-Secure Microsoft ASP.NET 2.0 Applications (Pro Developer)
• Ultra-Fast ASP.NET: Build Ultra-Fast and Ultra-Scalable web sites using ASP.NET and SQL Server
• Advanced .NET Debugging
• Debugging Microsoft .NET 2.0 Applications

More Info

• Windows Identity Foundation (WIF) and Azure AppFabric Access Control (ACS) Service Survival Guide
• Azure AppFabric Access Control Service (ACS) v 2.0 High Level Architecture – Web Application
• Windows Identity Foundation (WIF) Explained – Web Browser Sign-In Flow (WS-Federation Passive Requestor Profile)
• Protocols Supported By Windows Identity Foundation (WIF)
• Windows Identity Foundation (WIF) By Example Part I – How To Get Started.
• Windows Identity Foundation (WIF) By Example Part II – How To Migrate Existing ASP.NET Web Application To Claims Aware
• Windows Identity Foundation (WIF) By Example Part III – How To Implement Claims Based Authorization For ASP.NET Application
• Identity Developer Training Kit
• A Guide to Claims-Based Identity and Access Control – Code Samples
• A Guide to Claims-Based Identity and Access Control — Book Download

• Overview
  • Identity Challenges – SSO, Identity Flow, Fine Grained Authorization (Changed from: Identity Silos)
  • The Claims-Based Identity Model
  • Solution Concept (Changed from: Basic Scenario)
  • Security Token Service
  • Relying Party
  • Solution Implementation Overview (Changed from: Federation Scenario)
  • Fast track (How to use this content)
• Getting Started
  • Windows Identity Foundation SDK - Download and Installation of runtime and dev tools (External)
  • Windows Identity Foundation Download and Installation of runtime only (External)
  • Requirements (Changed from Windows Identity Foundation SDK)
  • How to: Build an ASP.NET Relying Party Application
  • How to: Build a WCF Relying Party Application
• Product Features
  • What is Windows Identity Foundation?
  • Expose claims to ASP.NET applications and WCF services via Integration with IIdentity and IPrincipal
  • Visual Studio Templates
  • Administrative trust management using FedUtil tool
  • Federated Sign In ASP.NET control
  • Translate between claims and NT tokens
  • Support for Identity Delegation Scenario via ActAs token
  • Supports the WS-Trust protocol, Active Profile
  • Supports WS-Federation, Passive profile
  • Glossary
• Architecture
  • The Claims-Based Identity Model
  • Integration with IIdentity and IPrincipal
  • How WIF Processes Requests– (Changed from: Building Relying Party Applications)
  • Security Token Service
  • Relying Party
  • What is an IP-STS and what is a RP-STS?
  • WS-Federated Authentication Module Overview
  • Session Management
  • IssuerNameRegistry
  • Claims to Windows Token Service (c2WTS) Overview
  • ClaimsAuthenticationManager, ClaimsAuthorizationManager, and OriginalIssuer
  • Claims Issuance Pipeline
  • Token Handlers
  • Built-In Token Handlers
• Application Scenarios and Solutions
  • Integrating WIF with ASP.NET web applications (Changed from: Building ASP.NET Relying Party Applications)
    • How to: Build an ASP.NET Relying Party Application
    • How To: Establishing Trust from an ASP.NET Relying Party Application to an STS using FedUtil
    • How To: Establishing Trust from an ASP.NET Relying Party Application to an STS using the FederatedPassiveSignIn
    • Sample: Simple Claims Aware Web Application
    • Sample: Claims based Authorization
    • Sample: Using Claims In IsInRole
  • Integrating WIF with WCF services (Changed from: Building WCF Relying Party Applications)
    • WCF Application Compatibility
    • WCF: WSTrustChannelFactory and WSTrustChannel
    • WCF: Built-in Bindings Overview
    • How to: Build a WCF Relying Party Application
    • How To: Establishing Trust from a WCF Relying Party Service to an STS using FedUtil
    • Sample: Simple Claims Aware Web Service
    • Sample: Claims based Authorization
    • Sample: Using Claims In IsInRole
  • Building Security Token Services (STS) (Changed from: Building an STS)
    • How to: Build Passive Profile (WS-Federation) STS – For ASP.NET (Changed from: How to: Build an ASP.NET STS)
    • How to: Build Active Profile (WS-Trust) STS – For WCF (Changed from: How to: Build a WCF STS)
• WIF Anatomy
  • Identification (how a client identifies itself)
    • WIF Client
    • ASP.NET: Missing Web Client
    • WCF: WSTrustChannelFactory and WSTrustChannel
    • WCF: Built-in Bindings Overview
  • Authentication (how client's credentials validated)
    • Building ASP.NET Relying Party Applications – Explained
    • How to: Build an ASP.NET Relying Party Application – How to
    • Building WCF Relying Party Applications – Explained
    • How to: Build a WCF Relying Party Application – How-to
  • Identity flow (how the token flows through the layers/tiers)
    • Session Management
    • Claims to Windows Token Service (c2WTS) Overview
    • Identity Delegation Scenario – How-To
    • Token Handlers - Explained
    • How to Use SAML 2 Tokens
    • Thread Safety When Reserializing Bootstrap Tokens
  • Authorization (how relying party - application or service - decides to grant or deny access)
    • Step-Up Authentication Scenario – How-to
    • Implement Authorization in ASP.NET – How-to [Missing]
    • Implement Authorization in WCF – How-to [Missing]
    • Best Practices for ClaimsPrincipal.IsInRole
    • Configure WCF Service Virtual Directories to Allow Anonymous Access
    • Design Considerations: IPrincipal and IClaimsPrincipal
  • Monitoring
    • WIF Tracing
  • Identity Provider
    • Building an STS – Explained
    • How to: Build an ASP.NET STS – Explained
    • ASP.NET Security Token Service Web Site – how to
    • How to: Build a WCF STS  - Explained
    • WCF Security Token Service – how to
  • Trust Management
    • FedUtil - Federation Utility for Establishing Trust from an RP to an STS
    • How To: Establishing Trust from an ASP.NET Relying Party Application to an STS using FedUtil
    • How To: Establishing Trust from a WCF Relying Party Service to an STS using FedUtil
    • How to: Perform Trust Management using FedUtil
    • How To: Establishing Trust from an ASP.NET Relying Party Application to an STS using the FederatedPassiveSignIn
  • Configuration
    • Web.Config changes when building Claims-Aware ASP.NET Web Site
    • Web.Config changes when building Claims-Aware WCF Service
    • Web.Config changes when building ASP.NET Security Token Service Web Site
    • Web.Config changes when building WCF Security Token Service
    • Configuration
    • ConfigureServiceHost
    • FederatedPassiveSignIn.AutoSignIn Redirect
    • Security Token Service Issuer Name
    • SessionSecurityToken Expiration Time
    • Windows Identity Foundation (WIF) Configuration Sections in ASP.NET Web.Config (External)
    • Token Handler Configuration
• Quality Attributes
  • Supportability
    • Known Issues
    • Case Sensitivity Login Failure
    • Certain Configuration Settings are Ignored
    • Compatibility with IssuedTokenAuthentication.KnownCertificates
    • Cookie Mode SSPI Authentication Not Supported
    • Quota Exceeded Exception When Using SAML2 Tokens that Contain ActAs Claims
    • Some Claims and ClaimsIdentity Properties Not Serialized
    • SSL Certificate Validation Failure
    • WCF Authentication Flags Compatibility
    • WS-Trust Verbs
  • Performance and Scalability
    • Sample: Claims Aware Web Application in a Web Farm
  • Security
    • Replay Detection
    • Security Considerations
    • Handling wtrealm and wreply
    • Secure Conversations
  • Flexibility
    • How to: Add a Custom Token Handler
    • How to: Create a Custom Issuer Name Registry
• Related Technology
  • Microsoft Federation Extensions for SharePoint 3.0
• API Reference
• Appendix
  • How-to’s index
    • How to: Build an ASP.NET Relying Party Application
    • How to: Build a WCF Relying Party Application
    • How to: Programmatically Enable WIF on a WCF Service
    • How to: Access Claims in an ASP.NET Page
    • How to: Request a Token from the c2WTS
    • How to: Build an ASP.NET STS
    • How to: Build a WCF STS
    • How to: Enable Tracing
    • How to: Build a Managed Card Issuance Site
    • How to: Add a Custom Token Handler
    • How to: Display the Caller's Sign-In Status
    • How to: Create a Custom Issuer Name Registry
    • How to: Perform Trust Management using FedUtil
    • How to: Configure Token Resolvers
    • How To: Establishing Trust from an ASP.NET Relying Party Application to an STS using FedUtil
    • How To: Establishing Trust from a WCF Relying Party Service to an STS using FedUtil
    • How To: Establishing Trust from an ASP.NET Relying Party Application to an STS using the FederatedPassiveSignIn
  • Code samples index (Changed from: Windows Identity Foundation SDK)
    • Simple Claims Aware Web Application
    • Simple Claims Aware Web Service
    • Simple Web Application With Information Card SignIn
    • Simple Web Application With Managed STS
    • Claims Aware Web Application in a Web Farm
    • Using Claims In IsInRole
    • Authentication Assurance
    • Federation For Web Services
    • Federation For Web Applications
    • Identity Delegation
    • Web Application With Multiple SignIn Methods
    • Federation Metadata
    • Claims Aware AJAX Application
    • Convert Claims To NT Token
    • Customizing Request Security Token
    • Customizing Token
    • WSTrustChannel
    • Claims based Authorization
    • A Guide to Claims-Based Identity and Access Control – Code Samples
  • Training
    • Identity Developer Training Kit
    • A Guide to Claims-Based Identity and Access Control — Book Download
    • WIF Workshop 1: Introduction to Claims-Based Identity and WIF
    • WIF Workshop 2: Lab on Basic Web Sites
    • WIF Workshop 3: Scenarios and Architecture I
    • WIF Workshop 4: Scenarios and Architecture II
    • WIF Workshop 5: Lab about Web Sites and STS
    • WIF Workshop 6: WIF ASP.NET Pipeline and Extensibility Points
    • WIF Workshop 7: WIF and WCF
    • WIF Workshop 8: Lab about WIF and WCF
    • WIF Workshop 9: WIF and Windows Azure
    • WIF Workshop 10: Lab about WIF and Windows Azure
  • Forums
    • Claims based access platform (CBA), code-named Geneva
    • Security for the Windows Azure Platform
    • Windows Live ID: Development

Related Books

• Programming Windows Identity Foundation (Dev - Pro)
• A Guide to Claims-Based Identity and Access Control (Patterns & Practices) – free online version
• Developing More-Secure Microsoft ASP.NET 2.0 Applications (Pro Developer)
• Ultra-Fast ASP.NET: Build Ultra-Fast and Ultra-Scalable web sites using ASP.NET and SQL Server
• Advanced .NET Debugging
• Debugging Microsoft .NET 2.0 Applications

Related Info

• Windows Identity Foundation (WIF) Configuration Sections in ASP.NET Web.Config
• Windows Identity Foundation (WIF) and Azure AppFabric Access Control (ACS) Service Survival Guide
• Azure AppFabric Access Control Service (ACS) v 2.0 High Level Architecture – Web Application
• Windows Identity Foundation (WIF) Explained – Web Browser Sign-In Flow (WS-Federation Passive Requestor Profile)
• Protocols Supported By Windows Identity Foundation (WIF)
• Windows Identity Foundation (WIF) By Example Part I – How To Get Started.
• Windows Identity Foundation (WIF) By Example Part II – How To Migrate Existing ASP.NET Web Application To Claims Aware
• Windows Identity Foundation (WIF) By Example Part III – How To Implement Claims Based Authorization For ASP.NET Application
• Identity Developer Training Kit
• A Guide to Claims-Based Identity and Access Control – Code Samples
• A Guide to Claims-Based Identity and Access Control — Book Download