I have captured quick steps for creating Claims Aware ASP.NET Web Site that utilize ASP.NET Profile feature.

• Open VS 2010 in elevated mode as Administrator. Needed for WIF integration.
• File-> New -> Web Site. Give it a name, http://localhost/ClaimsMappedToProfile.
• Configure IIS to load user profile.
  • Open IIS Manager.
  • Find out what AppPool your application is using by selecting your App, right-click on it, and Select Manage Application -> Advanced Settings.
  • On the top left hand side, select Applications Pools, and go ahead and select the App Pool used by your app.
  • Right-click on it, and select Advanced Settings, Go to the Process Model Section and Find the "Load User Profile" Option and set it to true.
  • This should mitigate the exception: "The data protection operation was unsuccessful. This may have been caused by not having the user profile loaded for the current thread's user context, which may be the case when the thread is impersonating."
• Click on Website, and then on ASP.NET Configuration on the menu.
• IE should open ASP.NET Web Site Administration Tool.
• Click on provider tab.
• Click on Select a single provider for all site management data link
• Click on test link next to AspNetSqlProvider. You should see Successfully established a connection to the database message. Click Ok to discard it.
• Add the following entries to the web.config.

<profile enabled="true" defaultProvider="AspNetSqlProfileProvider">
       <providers>
             <clear/>
             <add name="AspNetSqlProfileProvider" type="System.Web.Profile.SqlProfileProvider" connectionStringName="ApplicationServices" applicationName="/"/>
       </providers>
       <properties>
             <add name="PostalCode" type="System.String"/>
       </properties>
</profile>

• Add Textbox, Button, and Label controls to the Default.aspx page.
• Add the following code to the page’s code behind:

string user = string.Empty;
protected void Page_Load(object sender, EventArgs e)
{
    user = User.Identity.Name;
}
protected void Button1_Click(object sender, EventArgs e)
{
    Profile.PostalCode = Server.HtmlEncode(TextBox1.Text);
}
protected override void OnPreRender(EventArgs e)
{
    base.OnPreRender(e);
    Label1.Text = Profile.PostalCode + " " + user;
}

• Go to ACS and get WS-Federation metadata URL.
• In Visual Studio 2010 Run FedUtil by right clicking on the project and choosing  Add STS reference…
• Provide the WS-Federation metadata URL obtained from ACS management portal.
• Test your work by running the application and getting authenticated by different IdP’s
• NOTE: if you have the same name on different IdP’s – you will get the same profile data for both. If you store sensitive data in the ASP.NET profile it might introduce a security breach.

Related Books

• Programming Windows Identity Foundation (Dev - Pro)
• A Guide to Claims-Based Identity and Access Control (Patterns & Practices) – free online version
• Developing More-Secure Microsoft ASP.NET 2.0 Applications (Pro Developer)
• Ultra-Fast ASP.NET: Build Ultra-Fast and Ultra-Scalable web sites using ASP.NET and SQL Server
• Advanced .NET Debugging
• Debugging Microsoft .NET 2.0 Applications

Related Info

• Windows Identity Foundation (WIF) and Azure AppFabric Access Control (ACS) Service Survival Guide
• Windows Identity Foundation (WIF) Fast Track
• Windows Identity Foundation (WIF) Code Samples
• Windows Identity Foundation (WIF) SDK Help Overhaul

Volume 1 for Windows Identity Foundation (WIF)  Questions & Answers is published. The idea is actively monitor different sources with questions and answers and expose it in coherent easy to find and read Q&A hubs.

This is the first batch of Q&A’s.

• Q: I am getting exception with the following message after deploying my application to a farm: "Key not valid for use in specified state"
• Q: I am getting exception: "Configuration Error...Unrecognized attribute 'targetFramework'. Note that attribute names are case-sensitive."
• Q: I am getting exception: "A potentially dangerous Request.Form value was detected from the client (wresult="<t:RequestSecurityTo...")."
• Q: What are the options for implementing authorization in claims aware application?
• Q: I am receiving exception with the following message: "The data protection operation was unsuccessful. This may have been caused by not having the user profile loaded for the current thread's user context, which may be the case when the thread is impersonating."

Related Books

• Programming Windows Identity Foundation (Dev - Pro)
• A Guide to Claims-Based Identity and Access Control (Patterns & Practices) – free online version
• Developing More-Secure Microsoft ASP.NET 2.0 Applications (Pro Developer)
• Ultra-Fast ASP.NET: Build Ultra-Fast and Ultra-Scalable web sites using ASP.NET and SQL Server
• Advanced .NET Debugging
• Debugging Microsoft .NET 2.0 Applications

Related Info

• Windows Identity Foundation (WIF) and Azure AppFabric Access Control (ACS) Service Survival Guide
• Windows Identity Foundation (WIF) Fast Track
• Windows Identity Foundation (WIF) Code Samples
• Windows Identity Foundation (WIF) SDK Help Overhaul

Azure AppFabric Access Control Service (ACS) v2 provides powerful feature of token transformation. It gives you ability to transform a token by adding new claims or changing claims that come with the original token. Consider the following generic architecture of ACS:

Notice that the token received from IdP (Identity Provider), colored green, is different from the token received from ACS, colored blue. The transformation is done by ACS and its behavior can be controlled by using Rules and Rule Groups.

Each rule describes specific transformation. Rules are not directly associated with your application. Rules aggregated into Rule Groups, Rule Groups applied to your application (Relying Party). Consider the following diagram:

The process of creating token transformation can be described be as follows:

1. Create transformation Rules.
2. Aggregate relevant rules into Rule Group.
3. Apply relevant Rule Groups to Relying Party.

Related Books

• Programming Windows Identity Foundation (Dev - Pro)
• A Guide to Claims-Based Identity and Access Control (Patterns & Practices) – free online version
• Developing More-Secure Microsoft ASP.NET 2.0 Applications (Pro Developer)
• Ultra-Fast ASP.NET: Build Ultra-Fast and Ultra-Scalable web sites using ASP.NET and SQL Server
• Advanced .NET Debugging
• Debugging Microsoft .NET 2.0 Applications

Related Info

• Windows Identity Foundation (WIF) and Azure AppFabric Access Control (ACS) Service Survival Guide
• Windows Phone 7 and RESTful Services: Delegated Access Using Azure AppFabric Access Control Service (ACS) And OAuth
• Integrating ASP.NET Web Applications With Azure AppFabric Access Control Service (ACS) – Scenario and Solution
• SSO, Identity Flow, Authorization In Cloud Applications and Services – Challenges and Solution Approaches
• Azure AppFabric Access Control Service (ACS) v 2.0 High Level Architecture – Web Application
• Azure AppFabric Access Control Service (ACS) v 2.0 High Level Architecture – REST Web Service Application Scenario