Home/ Questions/Q 6555193
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-05-25T12:47:23+00:00

I have successfully integrated SSO with WIF on my two Web Domain. Now I

  • 0

I have successfully integrated SSO with WIF on my two Web Domain. Now I have a requirement that some users sign on using SSO and other users do not use SSO. How I can achieve this thing?

I would appreciate your help,

Thanks

Shahram Javed

Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    Your question is a little vague so maybe this is not the correct answer. Let me relate our story (which Eugenio helped with) with the hopes it helps the OP or someone else. I’m interpreting “not for other user” as that some users do not use SSO: presumably they use forms authentication or something different.

    We use WIF for SSO in a web application that also supports a wif-implemented version of forms authentication.

    If someone comes to the Sign In page and provides a user name and password, we use WIF to set a self-issued ClaimsPrincipal. Essentially, the website is providing claims to itself. FederatedAuthentication is used in the same way that FormsAuthentication normally is: set a cookie using a static method on FederatedAuthentication. Bit different, but basically the same principal.

    var token = FederatedAuthentication.SessionAuthenticationModule
    .CreateSessionSecurityToken(claimsPrincipal, "MyApp.Token",
    DateTime.UtcNow, DateTime.UtcNow.AddDays(7), false);
FederatedAuthentication.SessionAuthenticationModule
    .AuthenticateSessionSecurityToken(token, true);

    Our web app uses a single trusted provider (an ADFS server that negotiates with N federated partners). We need a custom way to decide whether to to redirect unauthenticated users to the Sign In page or to ADFS for SSO users. We disable passive redirect so WIF doesn’t automatically send people to ADFS.

    <wsFederation passiveRedirectEnabled="false"
    issuer="https://adfs.ourplace.com/adfs/ls/"
    realm="http://www.ourplace.com" .../>

    From here we use an authentication attribute (we use ASP.NET MVC but whatever is appropriate for you).

    public class MyAuthorizeAttribute : FilterAttribute, IAuthorizationFilter
{
    public void OnAuthorization(AuthorizationContext filterContext)
    {
        if (filterContext.HttpContext.User.Identity.IsAuthenticated)
            return; // all good

        RedirectTo(IsSSO() ? GetADFSUrl() : GetSignInUrl();
    }
}

    To decide whether the user is an SSO user or not when they are unauthenticated is the Home Realm Discovery problem. Different people solve it differently. For us, when an SSO user first connects to the system using SSO we lay down a persistent cookie with their home realm (which is the Claims Provider Identifier in ADFS). If the cookie is absent, they go to Sign In. If the cookie is present, they get redirected to ADFS. The URL is:

    var adfsEntryPoint = FederatedAuthentication.WSFederationAuthenticationModule.Issuer;
var wtRealm = FederatedAuthentication.WSFederationAuthenticationModule.Realm;
var whr = <from home realm cookie>
var redirectUrl = string.Format("{0}?wa=wsignin1.0&wtrealm={1}&whr={2}",
    adfsEntryPoint,
HttpContext.Server.UrlEncode(wtRealm),
HttpContext.Server.UrlEncode(whr));

    If you redirect directly to N federated partners, maybe store the token renewal URL in the cookie.

    • 0