How to bypass Geneva Signin page in an Intranet environment

Hi

I am playing around with Beta 2. I have managed to get a real ASP.NET project to talk to a Geneva Server. However I only want to use Windows Integrated Authentication with my site as this would be deployed in an Intranet scenario with the users in the same AD as the Geneva server.

So whenever a user connects to the site, they get presented with the Geneva Signin page, where they have to select the current Identity provider and then select "Windows integrated Authentication". After that they connect to the site as expected.

Question is how to skip these questions and have the users signin automatically.

I am probably missing something very basic.

Regards
Kim Kruse Hansen
Hi Kim,

If you open up the web.config for the WSFederationPassive.Web site, you can configure the available authentication methods.

Look for this element:

<authenticationTypes basic="true" forms="true" integrated="true"
issuedToken="true" sslClient="true" />

And modify it as follows:

<authenticationTypes basic="false" forms="false" integrated="true"
issuedToken="false" sslClient="false" />

When Geneva sees that only one authentication type is supported, it will skip the selection pages and automatically try to authenticate with that method.

Colin
Colin Dellow - MSFT
Hi Colin

I knew it was something fairly trivial. Thanks for your prompt response. :)

Regards
Kim
Kim Kruse Hansen
What happens if both Windows Integrated and Forms Auth are available and I want the Geneva server to try Integrated first before falling back to Forms Auth?

So the experience I expect is that when an intranet user hits my application, he is redirected to Geneva server and gets authenticated, but when an extranet user accesses the application, he is given a login page since Windows integrated will fail.
Another idea, if you feel that is not extensible, is that I tell Geneva server the authentication method to use when I redirect from the RP (perhaps I know because the request from external users will have a different host header as against an intranet user: https://blah.com as against https://blah).

I agree all this can be implemented because the fed passive site is customizable, but I think you should support the above out of the box.
Rob black
Rob,

To the best of my knowledge it's not trivial to fall back from Windows Integrated Auth silently. If Windows Auth fails to sign in using Kerberos, IE will prompt for a username/password even before the website gets control of the flow (to redirect to a forms auth page, for example).

Currently, to make your scenario work would require deploying two Geneva Server sign-in websites, one for intranet and one for extranet on the proxy, and some DNS magic. Basically, users within the private/corporate network would be redirected to the intranet site when they go to https://blah.com, and users on the Internet - to the extranet site.

Dan
Dan Guberman - MSFT
Thanks for your response Dan!

What about letting the RP dictate the auth method when we redirect to the passive site? That should be easy - No?
Rob black
Have you explored the wauth parameter (WS-Federation Passive profile) or RequestedAuthenticationContext (SAML WebSSO profile) that an RP can specify in its request?

Geneva will interpret these values if they are present and limit the authentication pages that are shown to the user accordingly. Would this work in your scenario?
Colin Dellow - MSFT
Thanks Colin, I looked at the WS-Federation Passive profile spec and it says

wa

This required parameter specifies the action to be performed. By including the action, URIs can be overloaded to perform multiple functions. For sign-in, this string MUST be "wsignin1.0".

Am I missing something? Are you talking about wctx?


Thanks
Rob

Rob black
Colin - Can you explain this further - how does Geneva interpret the "wauth" parameter in WS-Federation passive profile? Are you referring to the Geneva Identity Server or Geneva Framework?

It would be great if Geneva Identity Server could receive the "wauth" parameter in the "wa=wsignin1.0" request, then redirect the user to a specific URL to load the appropriate web page that prompts the user for authentication.
Patricia Wiebe

Thanks for the followup questions Rob & Patricia. To clarify, I was talking about Geneva Server.

Yes, if the wauth parameter specifies Windows authentication is required, the user will be redirected to the appropriate authentication page (and similarly for certificate or user name password).

A custom STS built on Geneva Framework could achieve the same goal by inspecting the WSFederationMessage it has received and taking action accordingly.

Colin Dellow - MSFT
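To make the two ideas in this thread concrete, here is an added example (not code from the thread, Geneva Server, or Geneva Framework): an RP picks a wauth value from the request host header, as Rob suggested, and an STS-side dispatcher honours wauth only for methods switched on in the authenticationTypes element Colin described, otherwise falling back to the single enabled method or the selection page. The wauth URIs, the URI-to-authentication-type mapping and the page paths are assumptions for illustration.

```python
from urllib.parse import urlencode, urlsplit, parse_qs

# Assumed wauth URIs for illustration; confirm the exact values your STS accepts.
WAUTH_WINDOWS = "urn:federation:authentication:windows"
WAUTH_PASSWORD = "urn:oasis:names:tc:SAML:1.0:am:password"

# Mirrors the <authenticationTypes> element from the thread: only methods
# switched on here may be offered by the sign-in site.
ENABLED_TYPES = {"integrated": True, "forms": True, "basic": False,
                 "issuedToken": False, "sslClient": False}

# Assumed mapping from wauth URI to the authenticationTypes attribute it selects.
WAUTH_TO_TYPE = {WAUTH_WINDOWS: "integrated", WAUTH_PASSWORD: "forms"}


def choose_wauth(host: str) -> str:
    """RP side, Rob's heuristic: a bare single-label host (https://blah) is an
    intranet client, a dotted public name (https://blah.com) an extranet client."""
    return WAUTH_WINDOWS if "." not in host else WAUTH_PASSWORD


def build_signin_url(sts: str, realm: str, host: str, ctx: str = "/") -> str:
    """RP side: build the WS-Federation passive sign-in redirect with wauth."""
    params = {"wa": "wsignin1.0", "wtrealm": realm, "wctx": ctx,
              "wauth": choose_wauth(host)}
    return f"{sts}?{urlencode(params)}"


def select_auth_page(signin_url: str) -> str:
    """STS side: dispatch a wsignin1.0 request to an authentication page.
    wauth is honoured only if that method is enabled in the configuration;
    otherwise use the single enabled method, or show the selection page."""
    q = parse_qs(urlsplit(signin_url).query)
    if q.get("wa") != ["wsignin1.0"]:
        raise ValueError("not a WS-Federation sign-in request")
    enabled = [t for t, on in ENABLED_TYPES.items() if on]
    wanted = WAUTH_TO_TYPE.get(q.get("wauth", [None])[0])
    if wanted in enabled:
        return f"/{wanted}"          # assumed page path per method
    if len(enabled) == 1:
        return f"/{enabled[0]}"      # the "only one type enabled" case
    return "/select"                 # the selection page Kim wanted to skip
```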
