RIA Services and Windows Identity Foundation – Claims enabling a RIA application

re: RIA Services and Windows Identity Foundation – Claims enabling a RIA application

Carl — Thu, 07 Oct 2010 13:14:52 GMT

Eugenio, can Silverlight be active ou passive?

re: RIA Services and Windows Identity Foundation – Claims enabling a RIA application

Siva — Wed, 10 Feb 2010 11:31:59 GMT

The example worked for me Thanks, but i would like to logoff and re-login to my app then How do i redirect to the STS provider when i

click the login link from Silverlight app,

re: RIA Services and Windows Identity Foundation – Claims enabling a RIA application

Eugenio Pace - MSFT — Fri, 18 Dec 2009 18:47:16 GMT

No, RIA Services uses HttpContext.Current.User. It doesn't do anything special with it.

Who is hosting the web service?si the same app that hosts the web site?

re: RIA Services and Windows Identity Foundation – Claims enabling a RIA application

Terence Lewis — Fri, 18 Dec 2009 17:01:42 GMT

You say above: 'If you break into the application (server side) and inspect the User object from the HttpContext you’ll notice there’s a “ClaimsIdentity” and you have access of course to the claims collection, etc. That is part of the “magic” performed by WIF modules'. However, when I run a similar scenario to the above, but without Ria Services (Raw Silverlight 3 with a passive STS), when I check Thread.Principle.Identity it says IsAuthenticated=false and none of my claims are in the Claims collection.

I've traced the whole process through fiddler and I can see that the STS does issue the claims (I turned all the encryption off to verify), and these claims are passed to the web-server and stored in a cookie, which my WCF request is then passing back to the server. However, when I get into the WCF operation, although the type of Thread.Principal.Identity is IClaimsIdentity, nothing is filled into this object. Is RIA services maybe doing something special to fill these values in that I'm missing?

re: RIA Services and Windows Identity Foundation – Claims enabling a RIA application

Eugenio Pace - MSFT — Fri, 04 Dec 2009 19:26:02 GMT

Thanks!!

There's not much code besides what I shared in the post. Most of it is genrated code (the STS).

The only added code is the roles provider with this single method:

public override string[] GetRolesForUser(string username)

{

var id = HttpContext.Current.User.Identity as IClaimsIdentity;

return (from c in id.Claims

where c.ClaimType == ClaimTypes.Role

select c.Value).ToArray();

}

re: RIA Services and Windows Identity Foundation – Claims enabling a RIA application

Ruslan Urban — Fri, 04 Dec 2009 16:28:01 GMT

Good article, Eugenio.

Would you be able to publish solution code, please?

re: RIA Services and Windows Identity Foundation – Claims enabling a RIA application

Eugenio — Wed, 28 Oct 2009 21:59:55 GMT

Run FedUtil.exe from the command line. I found a similar issue when i ran it from VS (no changes).

re: registering new users.

My little PoC was not complete of course. You wouldn't probably "register" users from your app any more. When you trust an identity provider, you delegate all those responsibilities to it. Your app doesn't care about users any more. It does care for other purposes (for example for storing customization options). But the lifecycle of users (create, delete, update, forget password, etc) are now the issuer responsibility (whoever that is).

re: RIA Services and Windows Identity Foundation – Claims enabling a RIA application

Reggie Chen — Wed, 28 Oct 2009 21:49:53 GMT

Hi,

I downloaded HRApp, and ran "Federation Utility Tool" from VS 2008's tool meuu, my web.config did not change. I tried to manually copying down the parts you showed to my web.config, it is not working either. The pasted image looks a bit blurry to me, do you mind publish the whole project or web.config?

I have not yet gone through the guide examples in detail, but what would happen if I register new user from HRApp? Don't you need to implement some service class code at the provider end?

I am trying to build a claim-awared PRISM application. My idea is instead of redirecting to STS's login HTML page, the prism app would load an xap to do validation/registration against a membership store at the STS site on demand. Is it doable? My understanding is in the passive federation model, the web server redirects you to sign in page, and get back the control to the website. In my case, the redirection will be triggered by a PRISM shell or a navigation application upon clicking login button to run an xap file on demand, and it will need to return to the silverlight app with its state intact. Can it be done?

Thanks.

Reggie