Introduction to Geneva - Using passive federation
Using Geneva for authentication in your website is called "passive federation". It relies on browser mechanisms like redirection and JavaScript to perform its actions. "Active federation", as you can do it in services or smart clients, implements the WS-Trust protocol directly. For more information read this excellent white paper by Keith Brown.
In my previous post, I explained how to set up a Geneva server, which we're going to use in this scenario. We're going to use a sample application that is present in the "Samples" folder of the Geneva Framework, the "Simple claims-aware web application using managed STS". This site contains no more than a default.aspx that shows information about the logged-on identity. It has no logon page of its own. To use the Geneva STS as the identity server we have to make some changes to the web.config. The web application has to know where it can find the STS, how to validate the tokens it receives and which claims the application will be using. Fortunately, you don't have to write this yourself. You can use the FedUtil tool that can be found in the Geneva Framework folder.
First you have to point the tool to the web.config file it needs to update and enter the URL of the web application (this has to be an SSL URL; be sure to match the casing of the vdir or you will get problems). You also have to select a certificate the application can use to sign the tokens it sends itself (you can use the SSL certificate). On the next page you have to give a reference to the metadata of the STS. The URL of the metadata is: https://[hostname]/FederationMetadata/2007-06/FederationMetadata.xml.
If you have problems retrieving the metadata, it could be that there are problems with your SSL certificate. Do not use the IP address in the URL, but the host name. If your SSL certificate is self-created like mine, you also have to import it into the browser's "Trusted Root Certification Authorities" (Tools > Internet Options > Content > Certificates).
In the next screen you select the claims that your application needs and the STS offers, in this case you can select them all:
After finishing the wizard, the FedUtil tool has inserted the needed information into the config file. It has also created a metadata.xml file that contains the information the STS will need to communicate with the client.
On the STS side we want to control which applications are using its services. You can do this by adding a "relying party" to the STS in the Geneva Server Management tool. On the first screen you're required to enter the URL of the metadata file in the client application. This is the file we just created using the FedUtil tool.
Again, if the tool has problems retrieving the metadata, this probably has to do with the SSL certificate. The solution is the same as described above, but now by adding the SSL certificate of the client application to the browser on the server.
In the next screen just add a name and description for the relying party. Then select the claims we want to expose (in this case leave them all selected) and save the relying party.
This is all the configuration we need to do. From the client, start up your website. If all went well, you will be presented with the following screen:
When you look closely at the URL you can see that this is a URL on the STS server. Choose the sign-in option on the left and after that choose username/password. Enter a username and password from the server and you will be redirected to the default page of your application (I modified the code a little to show all claims available).
If your browser enters an endless loop after signing in, you have probably entered the name of the vdir of your application in the incorrect casing. Every time you enter the name of the vdir, the casing has to be exactly the same as in IIS.
This is all there is to a basic authentication scenario. In a next post I will show how to use the identity and the claims in code.
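As an added example (my own illustration, not the code of the Geneva sample), here is a default.aspx code-behind that does two things the text above describes: it lists every claim the STS released for this relying party, and it reports whether the URL the browser requested matches the realm and audience URIs that FedUtil wrote into web.config exactly or only when casing is ignored, which is the situation behind the redirect loop. It assumes the Microsoft.IdentityModel API as shipped with the Geneva Framework / WIF 1.0 (IClaimsIdentity, FederatedAuthentication.WSFederationAuthenticationModule.Realm, FederatedAuthentication.ServiceConfiguration.AudienceRestriction.AllowedAudienceUris) and two Literal controls named ClaimsLiteral and DiagnosticsLiteral on the page; member names moved between Geneva betas, so check them against the build you have.

```csharp
// default.aspx.cs: an added example, not the Geneva sample's own code.
// Assumes the Microsoft.IdentityModel API of the Geneva Framework / WIF 1.0 and
// two <asp:Literal> controls on default.aspx: ClaimsLiteral and DiagnosticsLiteral.
using System;
using System.Text;
using System.Web;
using System.Web.UI;
using Microsoft.IdentityModel.Claims;
using Microsoft.IdentityModel.Web;

public partial class _Default : Page
{
    protected void Page_Load(object sender, EventArgs e)
    {
        IClaimsIdentity identity = User.Identity as IClaimsIdentity;
        if (identity == null || !identity.IsAuthenticated)
        {
            // The WS-Federation module normally redirects unauthenticated requests to the
            // STS before Page_Load runs; reaching this branch means the module is not wired up.
            ClaimsLiteral.Text = "Not authenticated by the STS.";
            return;
        }

        ClaimsLiteral.Text = RenderClaims(identity);
        DiagnosticsLiteral.Text = CheckCasing(Request.Url);
    }

    // Lists every claim the STS released for this relying party, including who issued it,
    // so you can confirm the claims selected in the relying-party wizard actually arrive.
    // Claim values come from another party, so they are HTML-encoded before rendering.
    public static string RenderClaims(IClaimsIdentity identity)
    {
        StringBuilder html = new StringBuilder();
        html.Append("<table><tr><th>Type</th><th>Value</th><th>Issuer</th><th>Original issuer</th></tr>");
        foreach (Claim claim in identity.Claims)
        {
            html.AppendFormat("<tr><td>{0}</td><td>{1}</td><td>{2}</td><td>{3}</td></tr>",
                HttpUtility.HtmlEncode(claim.ClaimType),
                HttpUtility.HtmlEncode(claim.Value),
                HttpUtility.HtmlEncode(claim.Issuer),
                HttpUtility.HtmlEncode(claim.OriginalIssuer));
        }
        html.Append("</table>");
        return html.ToString();
    }

    // The endless redirect after sign-in usually means the URL the browser uses differs
    // only in casing from the realm/audience URIs in web.config: the session cookie is
    // scoped to the application's path as IIS knows it, browsers match cookie paths
    // case-sensitively, so every request looks unauthenticated and is redirected again.
    public static string CheckCasing(Uri requestUrl)
    {
        string url = requestUrl.GetLeftPart(UriPartial.Path);
        StringBuilder report = new StringBuilder();

        string realm = FederatedAuthentication.WSFederationAuthenticationModule.Realm;
        report.Append(Describe("realm", realm, url));

        foreach (Uri audience in
            FederatedAuthentication.ServiceConfiguration.AudienceRestriction.AllowedAudienceUris)
        {
            report.Append(Describe("audience", audience.AbsoluteUri, url));
        }
        return report.ToString();
    }

    // Compares the requested URL against one configured value, first exactly, then ignoring case.
    static string Describe(string what, string configured, string url)
    {
        if (string.IsNullOrEmpty(configured))
        {
            return "";
        }

        string verdict;
        if (url.StartsWith(configured, StringComparison.Ordinal))
        {
            verdict = "matches";
        }
        else if (url.StartsWith(configured, StringComparison.OrdinalIgnoreCase))
        {
            verdict = "differs only in casing: this is what causes the redirect loop";
        }
        else
        {
            verdict = "does not match";
        }
        return string.Format("<p>{0} {1}: {2}</p>", what, HttpUtility.HtmlEncode(configured), verdict);
    }
}
```

Once the page renders the claims table with the configured realm reported as "matches", the relying-party setup is complete; if it reports "differs only in casing", fix the vdir name in the URL (or rerun FedUtil with the casing IIS uses) rather than weakening any of the SSL or audience settings.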