Windows Identity Foundation (WIF): How to Utilize the WS-Federation WAUTH Parameter to Specify an Authentication Type
<p style="margin-right: 0px;" dir="ltr">There are <strong>two ways</strong> in which Windows Identity Foundation (WIF) can utilize the WS-Federation passive WAUTH parameter to specify an authentication type. There are a few questions to ask before deciding which method to implement:<br /> <br /> <strong>1.</strong> <strong>Can the WAUTH parameter remain static for a Relying Party (RP) application?<br /> <br /> </strong>Meaning: The authentication type always remains the same for all users of this RP application. This application would be a single instance which is always accessed by users who need the same authentication type.<br /> <br /> <strong>2.</strong> <strong>At what point in the authentication flow is the WAUTH parameter injected?<br /> <br /> </strong>Possibilities include: The requestor (the user agent) or the WIF RP. This goes hand-in-hand with question number 1 because you might only want the WIF RP to inject WAUTH when the authentication type can be static. If the administrator is handing out or publishing links to the WIF RP which include a WAUTH value, then you would want to implement the change which allows the requestor to inject WAUTH.</p> <p><strong>Selecting Authentication Methods at Runtime</strong><br /> WS-Federation provides WAUTH as a query string parameter, and SAML 2.0 provides RequestedAuthNContext for authN method selection at runtime. 
For WS-Federation, acceptable WAUTH parameters are documented at <a href="http://msdn.microsoft.com/en-us/library/77c337e9-e11c-4747-a3cd-ea8faebc9496(v=PROT.10)#id14">http://msdn.microsoft.com/en-us/library/77c337e9-e11c-4747-a3cd-ea8faebc9496(v=PROT.10)#id14</a> which is an appendix entry for <a href="http://msdn.microsoft.com/en-us/library/54759c9b-4298-44f7-9026-f5ee815594d8(v=PROT.10)">MS-MWBF 2.2.3 wsignin1.0 Request Message</a>.</p> <table> <tbody> <tr> <th>Method of authentication wanted</th> <th>wauth URI</th> </tr> <tr> <td>User name/password authentication</td> <td>urn:oasis:names:tc:SAML:1.0:am:password</td> </tr> <tr> <td>SSL client authentication</td> <td>urn:ietf:rfc:2246</td> </tr> <tr> <td>Windows integrated authentication</td> <td>urn:federation:authentication:windows</td> </tr> </tbody> </table> <h2 style="margin-right: 0px;" dir="ltr"><a name="Usage_Examples"></a><span style="text-decoration: underline;"><br /> Usage Examples</span></h2> <h5 style="margin-right: 0px;" dir="ltr"><a name="WAUTH_injection_by_requestor"></a>WAUTH injection by requestor</h5> <p style="margin-right: 0px;" dir="ltr">1. The user agent utilizes a link to the WIF RP with WAUTH appended<br /> <br /> <strong>Example:</strong> https://myApp.contoso.com/?WAUTH=<em>insert-authentication-type-URI-here</em> such as https://myApp.contoso.com/?WAUTH=urn:oasis:names:tc:SAML:1.0:am:password<br /> <br /> 2. The WIF RP detects WAUTH in the incoming request and sets authenticationType to the value being passed in<br /> <br /> 3. WIF builds the WS-Federation sign-in request containing WAUTH and redirects the user agent to the RP-STS<br /> <br /> 4. The RP-STS detects the presence of WAUTH in the sign-in request and should honor the requested authentication type<br /> <br /> <br /> <br /> <strong>Note:</strong> Detecting and utilizing WAUTH at the STS is built into Microsoft's Active Directory Federation Services (AD FS) 2.0 product. 
If you have written your own WIF STS or are using a third-party STS, you will need to ensure that your STS can work with the WAUTH parameter.</p> <h5 style="margin-right: 0px;" dir="ltr"><a name="WAUTH_injection_by_WIF_RP"></a>WAUTH injection by WIF RP</h5> <p style="margin-right: 0px;" dir="ltr">1. The user agent utilizes a link to the WIF RP<br /> <br /> <strong>Example:</strong> https://myApp.contoso.com/<br /> <br /> 2. The WIF RP builds a WS-Federation sign-in request with the hard-coded authenticationType value specified in its web.config file<br /> <br /> 3. The WS-Federation sign-in request containing the hard-coded WAUTH parameter is sent to the RP-STS via redirect<br /> <br /> 4. The RP-STS detects the presence of WAUTH in the sign-in request and should honor the requested authentication type.<br /> <br /> <strong>Note:</strong> Detecting and utilizing WAUTH at the STS is built into Microsoft's Active Directory Federation Services (AD FS) 2.0 product. If you have written your own WIF STS or are using a third-party STS, you will need to ensure that your STS can work with the WAUTH parameter.</p> <h2 style="margin-right: 0px;" dir="ltr"><a name="Code_Samples"></a><span style="text-decoration: underline;">Code Samples</span></h2> <p style="margin-right: 0px;" dir="ltr"><strong>This code is provided "AS IS" with no warranties, and confers no rights. For more information please visit </strong><a href="http://www.microsoft.com/info/cpyright.mspx"><strong><span style="color: #0066dd;">http://www.microsoft.com/info/cpyright.mspx</span></strong></a> <strong>to find terms of use.</strong></p> <h5 style="margin-right: 0px;" dir="ltr"><a name="WAUTH_injection_by_requestor"></a>WAUTH injection by requestor</h5> <p style="margin-right: 0px;" dir="ltr">1. Add a global.asax file to your web application<br /> <br /> 2. 
Add the following code:</p> <pre>&lt;%@ Application Language="C#" %&gt;
&lt;%@ Import Namespace="Microsoft.IdentityModel.Web" %&gt;

&lt;script runat="server"&gt;
    // Runs just before WIF redirects the user agent to the STS.
    void WSFederationAuthenticationModule_RedirectingToIdentityProvider
        (object sender, RedirectingToIdentityProviderEventArgs e)
    {
        // Query string keys are matched case-insensitively, so ?WAUTH= and ?wauth= both work.
        string strWauth = HttpContext.Current.Request.QueryString["wauth"];

        // Copy the requested value into the sign-in request only when one was supplied.
        if (!string.IsNullOrEmpty(strWauth))
        {
            e.SignInRequestMessage.AuthenticationType = strWauth;
        }
    }
&lt;/script&gt;</pre> <h5><a name="WAUTH_injection_by_RP"></a>WAUTH injection by RP</h5> <p>1. Edit the &lt;federatedAuthentication&gt; element of the RP web.config to include authenticationType<br /> <br /> 2. Example:</p> <pre>&lt;federatedAuthentication&gt;
    &lt;wsFederation passiveRedirectEnabled="true"
                  issuer="https://localhost/BasicWebSite_STS/"
                  realm="https://localhost/BasicWebSite/"
                  authenticationType="insert-authentication-type-URI-here"
                  requireHttps="true" /&gt;
    &lt;cookieHandler requireSsl="true" /&gt;
&lt;/federatedAuthentication&gt;</pre>
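<p>An added example, not part of the original article: a variant of the requestor-injection global.asax handler that forwards WAUTH to the STS only when the request carries exactly one value and that value is one of the three URIs in the table above. <code>AllowedWauth</code> and <code>SelectWauth</code> are hypothetical names, and treating those three URIs as the complete set this RP accepts is an assumption.</p>

```csharp
<%@ Application Language="C#" %>
<%@ Import Namespace="System.Collections.Generic" %>
<%@ Import Namespace="Microsoft.IdentityModel.Web" %>

<script runat="server">
    // Assumption: the three wauth URIs from the table above are the only ones this RP accepts.
    // Ordinal comparison, because the URIs are identifiers rather than free text.
    static readonly HashSet<string> AllowedWauth = new HashSet<string>(StringComparer.Ordinal)
    {
        "urn:oasis:names:tc:SAML:1.0:am:password",
        "urn:ietf:rfc:2246",
        "urn:federation:authentication:windows"
    };

    // Hypothetical helper: returns the value to forward, or null when the request
    // carries no wauth, more than one wauth, or a value outside the allowlist.
    static string SelectWauth(HttpRequest request)
    {
        // GetValues keeps repeated parameters separate instead of joining them with commas.
        string[] values = request.QueryString.GetValues("wauth");
        if (values == null || values.Length != 1)
        {
            return null;
        }
        return AllowedWauth.Contains(values[0]) ? values[0] : null;
    }

    void WSFederationAuthenticationModule_RedirectingToIdentityProvider
        (object sender, RedirectingToIdentityProviderEventArgs e)
    {
        string wauth = SelectWauth(HttpContext.Current.Request);
        if (wauth != null)
        {
            e.SignInRequestMessage.AuthenticationType = wauth;
        }
        // Otherwise the sign-in request stays exactly as WIF built it from web.config.
    }
</script>
```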