I want to develop a centralized application where different organizations' users can log in and perform operations on my site; later I will generate a report out of it and give it to each organization. I am maintaining my own SQL DB where I will save all the organization issuer, certificate thumbprint details etc. I am able to dynamically send the signinRequest based on the organization id. However, when coming back from their ADFS server with the token, I need the following details to be added in my web.config to validate the token. I don't want to expose these details in my web.config for 2 reasons:

- Security [I need to have all the organizations' details in config, which may result in some fraud access]
- Performance [if I have 100 organizations who are going to use my app, is it advisable to configure all the issuer authorities in my config? Won't it hit the performance?]
<issuerNameRegistry type="System.IdentityModel.Tokens.ValidatingIssuerNameRegistry, System.IdentityModel.Tokens.ValidatingIssuerNameRegistry">
  <authority name="name">
    <keys>
      <add thumbprint="{Org 1 thumbprint}" />
      <add thumbprint="{Org 2 thumbprint}" />
      <add thumbprint="{Org 3 thumbprint}" />
    </keys>
    <validIssuers>
      <add name="http://test.login.edu/adfs/service/trust" />
      <add name="Org 3 url" />
      <add name="Org 4 url" />
      <add name="Org 5 url" />
    </validIssuers>
  </authority>
</issuerNameRegistry>
Your help will be very much appreciated. Thanks, Jeevitha
After some research, I have come up with the solution and it works fine too.
I will have the following setting in my web.config. [My custom class will do the returned token validation from the issuer]
<issuerNameRegistry type="ADFS_Lib.AccessControlServiceIssuerNameRegistry, ADFS_Lib" />
In my class, I will be overriding the IssuerNameRegistry class's GetIssuerName method and validating the returned token and issuer against my DB, whether it's configured or not.
using System;
using System.IdentityModel.Tokens;

public class AccessControlServiceIssuerNameRegistry : IssuerNameRegistry
{
    public override string GetIssuerName(SecurityToken securityToken, string requestedIssuerName)
    {
        // here my DB validation code goes: look up the signing certificate's thumbprint
        // and the issuer in the DB, return the issuer name if configured, otherwise throw
        throw new NotImplementedException();
    }
}
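A fuller version of the registry sketched in the answer, as an added example (not the poster's code): the in-memory dictionary stands in for the SQL table of thumbprint-to-issuer rows, the class name DbBackedIssuerNameRegistry is assumed, and the types are the WIF 4.5 System.IdentityModel.Tokens ones. It fails closed: an unknown signing certificate or a mismatched asserted issuer rejects the token instead of letting it through.

```csharp
using System;
using System.Collections.Generic;
using System.IdentityModel.Tokens;
using System.Security.Cryptography.X509Certificates;

// Replaces the static <keys>/<validIssuers> lists with a per-organization lookup.
// The dictionary (thumbprint -> issuer URL) stands in for the SQL table described above.
public class DbBackedIssuerNameRegistry : IssuerNameRegistry
{
    private readonly Dictionary<string, string> _issuerByThumbprint =
        new Dictionary<string, string>(StringComparer.OrdinalIgnoreCase);

    public DbBackedIssuerNameRegistry(IDictionary<string, string> trustedIssuersByThumbprint)
    {
        // Normalize once so a lookup never fails on spacing or letter case.
        foreach (var entry in trustedIssuersByThumbprint)
            _issuerByThumbprint[Normalize(entry.Key)] = entry.Value;
    }

    // WIF passes the token that signed the assertion. Returning a name means the
    // signer is trusted; throwing rejects the whole token (fail closed).
    public override string GetIssuerName(SecurityToken securityToken)
    {
        var x509Token = securityToken as X509SecurityToken;
        if (x509Token == null)
            throw new SecurityTokenException("Only X.509 signing tokens are accepted.");

        string thumbprint = Normalize(x509Token.Certificate.Thumbprint);
        string issuer;
        if (!_issuerByThumbprint.TryGetValue(thumbprint, out issuer))
            throw new SecurityTokenException(
                "Signing certificate " + thumbprint + " is not registered for any organization.");
        return issuer; // surfaces as the issuer of the resulting claims
    }

    // The overload the answer overrides: the token handler passes along the issuer
    // named inside the assertion, which must match the certificate's registered org.
    public override string GetIssuerName(SecurityToken securityToken, string requestedIssuerName)
    {
        string issuer = GetIssuerName(securityToken);
        if (!string.Equals(issuer, requestedIssuerName, StringComparison.Ordinal))
            throw new SecurityTokenException(
                "Asserted issuer '" + requestedIssuerName + "' does not match the signing certificate's organization.");
        return issuer;
    }

    private static string Normalize(string thumbprint)
    {
        return (thumbprint ?? string.Empty).Replace(" ", string.Empty).ToUpperInvariant();
    }
}
```

To load this through the web.config `type` attribute as the answer does, the class also needs a parameterless constructor that fills the map from the DB; the dictionary constructor shown here is for direct construction and unit tests.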