The FDOT STS (FDOT.Security.STS) is a Security Token Service that uses Windows Identity Framework 4.5 to provide an enterprise claims-based authorization system. When used in a web solution, the FDOT STS performs a passive redirect to a login page for authentication. The FDOT STS is designed to accept ISA, RACF, or Active Directory authentication, whichever the developer specifies in either the application's web.config or its ClaimsIdentityConfig.
Configuration Methods
Visual Studio Template with Owin
The easiest way to get started is the Visual Studio 2015 MVC template. It sets up the WS-Federation configuration and the OWIN middleware automatically for development.
Once the project is built, run it and you will see it redirect to the STS and then back to the application after you log in. This is enough for development, but it will not work for server deployments until you change the configuration for the target environment (see the conversion pages below).
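As an added example (not the template's generated code and not FDOT's own), the OWIN startup below reads the federation metadata address and realm from appSettings so that one build can be promoted from Dev to Unit to System to Production by changing configuration only; the Sts:* keys and the realm value are assumptions, and the metadata URL in the comment is the Production one from the endpoint list on this page.

```csharp
using System.Configuration;
using Microsoft.Owin;
using Microsoft.Owin.Security.Cookies;
using Microsoft.Owin.Security.WsFederation;
using Owin;

[assembly: OwinStartup(typeof(MyRelyingParty.Startup))]

namespace MyRelyingParty
{
    public class Startup
    {
        public void Configuration(IAppBuilder app)
        {
            // Hypothetical appSettings keys. Each environment's web.config (or its
            // config transform) carries that environment's values, e.g. for Production:
            //   Sts:MetadataAddress = https://fdotwp1.dot.state.fl.us/FDOT.STS/federationmetadata/2007-06/federationmetadata.xml
            //   Sts:Realm           = https://<your-app-host>/<app>/   (placeholder; keep the trailing slash)
            string metadataAddress = ConfigurationManager.AppSettings["Sts:MetadataAddress"];
            string realm = ConfigurationManager.AppSettings["Sts:Realm"];

            app.SetDefaultSignInAsAuthenticationType(CookieAuthenticationDefaults.AuthenticationType);

            // Relying-party session cookie: sent only over HTTPS and not readable by script.
            app.UseCookieAuthentication(new CookieAuthenticationOptions
            {
                AuthenticationType = CookieAuthenticationDefaults.AuthenticationType,
                CookieHttpOnly = true,
                CookieSecure = CookieSecureOption.Always
            });

            app.UseWsFederationAuthentication(new WsFederationAuthenticationOptions
            {
                // The trusted issuer name and signing certificate are loaded from this
                // metadata, so a token signed by a different STS (one whose issuer and
                // certificate are not in the metadata) is rejected.
                MetadataAddress = metadataAddress,
                // Wtrealm identifies this application to the STS and is also the audience
                // the middleware validates incoming tokens against.
                Wtrealm = realm
            });
        }
    }
}
```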
Convert From DevToUnit To Unit
Convert From DevToUnit to System
Convert From DevToUnit To Production
Below, you can see what the Visual Studio MVC Template creates that allows you to connect to the STS.
- For those who like granular control with no client dependencies (warning: no automated server deployment configuration updates for this method)
- For those who like granular control and performing config transformations (warning: no automated server deployment configuration updates for this method)
- see also: Web.Config File Based Configuration Example; IdentityConfig; FDOT.Security.STS.Client
DEPRECATED - DO NOT USE
FDOT.Security.STS.Client
Endpoint URLs
Development Metadata:
https://codev1.dot.state.fl.us/FDOT.STS/federationmetadatatest/2007-06/federationmetadata.xml
Development Issuer:
https://codev1.dot.state.fl.us/FDOT.STS/TestToken/Issue
Unit Test Metadata:
https://codev1.dot.state.fl.us/FDOT.STS/federationmetadata/2007-06/federationmetadata.xml
Unit Test Issuer:
https://codev1.dot.state.fl.us/FDOT.STS/SecurityToken/Issue
System Test Metadata:
https://fdotws1.dot.state.fl.us/FDOT.STS/federationmetadata/2007-06/federationmetadata.xml
System Test Issuer:
https://fdotws1.dot.state.fl.us/FDOT.STS/SecurityToken/Issue
Production Metadata:
https://fdotwp1.dot.state.fl.us/FDOT.STS/federationmetadata/2007-06/federationmetadata.xml
Production Issuer:
https://fdotwp1.dot.state.fl.us/FDOT.STS/SecurityToken/Issue
Signing out
When a user logs into your application via the passive STS, they are also logged into the STS itself. This means there are two active session tokens: one at the STS and one at your relying party application. The STS keeps its own token so that subsequent requests to the STS from other relying parties do not force the user to log in again. The following controller action logs the user out of the relying party application AND removes the STS token.
public ActionResult Logout()
{
    var authModule = FederatedAuthentication.WSFederationAuthenticationModule;

    // Build the STS sign-out URL from the configured format string, filling in
    // the issuer and the realm of this relying party.
    var fullRequest = string.Format(StsConfig.LogoutQueryStringFormat,
        authModule.Issuer, authModule.Realm, authModule.Realm);

    // Clear the local session (false: this sign-out is initiated by the relying
    // party, not by the identity provider) ...
    authModule.SignOut(false);

    // ... then send the browser to the STS so its session token is removed too.
    // Response.Redirect ends the response, so the null return value is never used.
    Response.Redirect(fullRequest);
    return null;
}
Important Notes
Be sure to add the following to your Global.asax (global application class)!
private void Application_BeginRequest(object sender, EventArgs e)
{
    // This corrects WIF error ID3206 "A SignInResponse message may only redirect within the current web application: '/NHP' is not allowed."
    // For whatever reason, accessing the site without a trailing slash causes this error.
    // Only requests for the application root are affected, so compare the request
    // path with the application path and append the missing slash.
    if (String.Compare(Request.Path, Request.ApplicationPath,
                       StringComparison.InvariantCultureIgnoreCase) == 0
        && !Request.Path.EndsWith("/"))
    {
        Response.Redirect(Request.Path + "/");
    }
}