Windows Identity Foundation (WIF) can use the WS-Federation passive WAUTH parameter to specify an authentication type in two ways. Ask a few questions before deciding which one to implement:

1. Can the WAUTH parameter remain static for a Relying Party (RP) application?

Meaning: the authentication type is always the same for all users of this RP application. The application is a single instance that is always accessed by users who need the same authentication type.

2. At what point in the authentication flow is the WAUTH parameter injected?

Possibilities include the requestor (the user agent) or the WIF RP. This goes hand in hand with question 1: you would normally only want the WIF RP to inject WAUTH when the authentication type can be static. If the administrator hands out or publishes links to the WIF RP that already include a WAUTH value, implement the variant that lets the requestor inject WAUTH.

Selecting Authentication Methods at Runtime
WS-Federation provides WAUTH as a query string parameter, and SAML 2.0 provides the RequestedAuthnContext element, for selecting the authentication method at runtime. For WS-Federation, the acceptable WAUTH values are documented at http://msdn.microsoft.com/en-us/library/77c337e9-e11c-4747-a3cd-ea8faebc9496(v=PROT.10)#id14, an appendix entry for MS-MWBF section 2.2.3, wsignin1.0 Request Message.

Method of authentication wanted      wauth URI
User name/password authentication    urn:oasis:names:tc:SAML:1.0:am:password
SSL client authentication            urn:ietf:rfc:2246
Windows integrated authentication    urn:federation:authentication:windows


Usage Examples

WAUTH injection by requestor

1. The user agent utilizes a link to the WIF RP with WAUTH appended

Example: https://myApp.contoso.com/?WAUTH=insert-authentication-type-URI-here such as https://myApp.contoso.com/?WAUTH=urn:oasis:names:tc:SAML:1.0:am:password

2. The WIF RP detects WAUTH in the incoming request and sets authenticationType to the value being passed in

3. WIF builds the WS-Federation sign-in request containing WAUTH and redirects the user agent to the RP-STS

4. The RP-STS detects the presence of WAUTH in the sign-in request and should honor the requested authentication type



Note: Detecting and honoring WAUTH at the STS is built into Microsoft's Active Directory Federation Services (AD FS) 2.0. If you have written your own WIF STS or are using a third-party STS, confirm that it reads the wauth parameter and actually performs the requested authentication. The WIF RP only forwards the value in the sign-in request; it is the STS that decides whether to honor it.

WAUTH injection by WIF RP

1. The user agent utilizes a link to the WIF RP

Example: https://myApp.contoso.com/

2. The WIF RP builds a WS-Federation sign-in request with the hard-coded authenticationType value specified in its web.config file

3. The WS-Federation sign-in request containing the hard-coded WAUTH parameter is sent to the RP-STS via redirect

4. The RP-STS detects the presence of WAUTH in the sign-in request and should honor the requested authentication type.



Note: The note above about AD FS 2.0 and custom or third-party STS implementations applies to this flow as well.

Code Samples

This code is provided "AS IS" with no warranties, and confers no rights. For more information please visit http://www.microsoft.com/info/cpyright.mspx to find terms of use.

WAUTH injection by requestor

1. Add a global.asax file to your web application

2. Add the following code:

<%@ Application Language="C#" %>
<%@ Import Namespace="System.Web" %>
<%@ Import Namespace="Microsoft.IdentityModel.Web" %>

<script runat="server">
    // WIF raises RedirectingToIdentityProvider just before it redirects the user agent to the STS.
    // ASP.NET wires this handler by name because the module is registered as
    // WSFederationAuthenticationModule in web.config.
    void WSFederationAuthenticationModule_RedirectingToIdentityProvider(object sender, RedirectingToIdentityProviderEventArgs e)
    {
        // QueryString lookups are case-insensitive, so ?WAUTH=... and ?wauth=... both match.
        string strWauth = HttpContext.Current.Request.QueryString["wauth"];

        if (strWauth != null)
        {
            // Copy the requestor-supplied value into the outgoing wsignin1.0 request (its wauth parameter).
            e.SignInRequestMessage.AuthenticationType = strWauth;
        }
    }
</script>
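The sample above forwards whatever the requestor put in the query string. Because that value comes from an untrusted link, an RP that wants to control which authentication types it ever asks for can restrict it to an allow-list before copying it into the sign-in request. The following global.asax is an added example (not part of the original page or of WIF); the three allowed URIs are taken from the MS-MWBF table above, and the Trace call stands in for whatever logging the application uses. When the event is raised, the SignInRequestMessage has already been populated from the <wsFederation> settings, so leaving AuthenticationType untouched keeps the configured default (or none).

```csharp
<%@ Application Language="C#" %>
<%@ Import Namespace="System" %>
<%@ Import Namespace="System.Collections.Generic" %>
<%@ Import Namespace="System.Diagnostics" %>
<%@ Import Namespace="System.Web" %>
<%@ Import Namespace="Microsoft.IdentityModel.Web" %>

<script runat="server">
    // Allow-list of wauth URIs this RP is willing to forward to the STS.
    // Assumption: this RP only ever wants these three (the MS-MWBF values); trim to taste.
    static readonly HashSet<string> AllowedWauth = new HashSet<string>(StringComparer.Ordinal)
    {
        "urn:oasis:names:tc:SAML:1.0:am:password",
        "urn:ietf:rfc:2246",
        "urn:federation:authentication:windows"
    };

    void WSFederationAuthenticationModule_RedirectingToIdentityProvider(object sender, RedirectingToIdentityProviderEventArgs e)
    {
        // Case-insensitive lookup: ?WAUTH=... and ?wauth=... both match.
        string requested = HttpContext.Current.Request.QueryString["wauth"];

        if (string.IsNullOrEmpty(requested))
        {
            // Nothing requested by the user agent: keep the authenticationType from web.config, if any.
            return;
        }

        if (AllowedWauth.Contains(requested))
        {
            // Recognized value: forward it in the wsignin1.0 request.
            e.SignInRequestMessage.AuthenticationType = requested;
        }
        else
        {
            // Unknown value from an untrusted query string: do not forward it, fall back to the
            // configured default and leave a trace. Assumption: a Trace listener is configured.
            Trace.TraceWarning("Ignoring unrecognized wauth value from request: {0}", requested);
        }
    }
</script>
```

With this handler in place, a link such as https://myApp.contoso.com/?WAUTH=urn:ietf:rfc:2246 still produces a sign-in request asking for SSL client authentication, while a link carrying an arbitrary string results in the same sign-in request the RP would have sent without any WAUTH at all.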


WAUTH injection by RP


1. Edit the <federatedAuthentication> element of the RP web.config (under <microsoft.identityModel><service>) to include authenticationType. This value is sent on every sign-in request; if the global.asax handler from the previous sample is also present, a wauth value on the incoming request overrides it for that request only.

2. Example:

<federatedAuthentication>
  <wsFederation passiveRedirectEnabled="true"
                issuer="https://localhost/BasicWebSite_STS/"
                realm="https://localhost/BasicWebSite/"
                authenticationType="insert-authentication-type-URI-here"
                requireHttps="true" />
  <cookieHandler requireSsl="true" />
</federatedAuthentication>
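WAUTH handling at a custom WIF STS

The notes in the usage examples say that a custom WIF STS must be made to work with the wauth parameter; the page shows no code for that side, so the following is an added example (not from the original page, and not how AD FS 2.0 is implemented). It is the code-behind of the sign-in page of a WIF 3.5 passive STS. It assumes that the STS site exposes one endpoint per authentication type, each configured in IIS to perform exactly that authentication (forms, SSL client certificate, Windows integrated), and that CustomSecurityTokenService and CustomSecurityTokenServiceConfiguration are the STS's own subclasses of SecurityTokenService and SecurityTokenServiceConfiguration; the endpoint paths are placeholders.

```csharp
// Default.aspx.cs of a custom WIF 3.5 passive STS (added example; class and path names are assumptions).
using System;
using System.Collections.Generic;
using System.Web;
using System.Web.UI;
using Microsoft.IdentityModel.Protocols.WSFederation;
using Microsoft.IdentityModel.SecurityTokenService;
using Microsoft.IdentityModel.Web;

public partial class _Default : Page
{
    // Assumption: one sign-in endpoint per authentication type, each configured in IIS to perform
    // exactly that authentication. The keys are the wauth URIs from the MS-MWBF table.
    static readonly Dictionary<string, string> EndpointByWauth =
        new Dictionary<string, string>(StringComparer.Ordinal)
        {
            { "urn:oasis:names:tc:SAML:1.0:am:password", "~/Forms/Default.aspx" },
            { "urn:ietf:rfc:2246",                        "~/ClientCert/Default.aspx" },
            { "urn:federation:authentication:windows",    "~/Windows/Default.aspx" }
        };

    // Assumption: endpoint used when the RP sent no wauth at all.
    const string DefaultEndpoint = "~/Forms/Default.aspx";

    // Returns the app-relative endpoint for a requested wauth value, or null if this STS cannot honor it.
    internal static string ResolveEndpoint(string wauth)
    {
        if (string.IsNullOrEmpty(wauth))
        {
            return DefaultEndpoint;
        }
        string endpoint;
        return EndpointByWauth.TryGetValue(wauth, out endpoint) ? endpoint : null;
    }

    protected void Page_PreRender(object sender, EventArgs e)
    {
        // Only wsignin1.0 carries wauth; other actions (wsignout1.0, ...) are handled elsewhere.
        string action = Request.QueryString[WSFederationConstants.Parameters.Action];
        if (action != WSFederationConstants.Actions.SignIn)
        {
            return;
        }

        SignInRequestMessage signIn = WSFederationMessage.CreateFromUri(Request.Url) as SignInRequestMessage;
        if (signIn == null)
        {
            Response.StatusCode = 400;
            Response.End();
            return;
        }

        // Step 4 of the flow: read wauth from the sign-in request and decide whether it can be honored.
        string target = ResolveEndpoint(signIn.AuthenticationType);
        if (target == null)
        {
            // Refuse rather than silently downgrade to whatever this endpoint happens to use.
            Response.StatusCode = 400;
            Response.Write("Unsupported wauth value.");
            Response.End();
            return;
        }

        // Honor the request by moving it to the endpoint that performs that authentication, keeping the
        // whole wsignin1.0 query string (wa, wtrealm, wctx, wauth, ...) intact across the redirect.
        string targetPath = VirtualPathUtility.ToAbsolute(target);
        if (!string.Equals(Request.Url.AbsolutePath, targetPath, StringComparison.OrdinalIgnoreCase))
        {
            Response.Redirect(targetPath + Request.Url.Query, true);
            return;
        }

        // On the right endpoint: IIS/ASP.NET must already have authenticated the user with that mechanism.
        if (!Request.IsAuthenticated)
        {
            throw new UnauthorizedAccessException(
                "Sign-in endpoint reached anonymously; check the IIS authentication settings for " + targetPath);
        }

        // Issue the token. Assumption: CustomSecurityTokenService / CustomSecurityTokenServiceConfiguration
        // are this STS's own subclasses of SecurityTokenService / SecurityTokenServiceConfiguration.
        SecurityTokenService sts = new CustomSecurityTokenService(new CustomSecurityTokenServiceConfiguration());
        FederatedPassiveSecurityTokenServiceOperations.ProcessRequest(Request, User, sts, Response);
    }
}
```

The important design point is that the STS never lets the endpoint that received the request decide the authentication type: the requested wauth selects the endpoint, the endpoint's IIS configuration performs the authentication, and a wauth value the STS does not offer is rejected instead of being mapped to a weaker method. A request with no wauth goes to the configured default endpoint, which matches the RP behaviour of sending no authenticationType at all.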