Enabling Federated Identity in Web Applications
version = 16jul14

The fedid web project scaffolding nuget package supports the following two user stories.
 
1.  As a web app developer I want to apply settings needed to enable wsfed security extensions on my relying party web site exposed content and service endpoints.
 
2.  As a web app developer I want to apply settings needed to enable oauth jwt and swt authorization header security on my relying party web site exposed service endpoints.

/*** note - this nuget package's OAuthAuthenticationModule was created as an interim solution while we awaited the azure active directory [aad] and open web interface for .net [owin] katana product group's [pg] nuget package solutions for oauth token based request authN and authZ. You should be using that fully supported aad/katana pg story wherever you can. For the scenarios it covers and associated samples see http://aka.ms/aadAuthScenarios, http://aka.ms/aadSamples and http://aka.ms/owinScAh. ***/
 
The following steps outline how you use it:
 
1.  if you don't have the visual studio nuget package manager extension installed, use http://nuget.org/ | install nuget to add it.
 
2.  apply windows identity foundation (wif) wsfederation signin + session token security settings to your project. For nfx45/wif45 projects this involves using the vs13 | file | new | [ asp.net pipeline ] web app project wizard or the vs12 | <project> | identity and access extension wizard. For nfx40+nfx35/wif10 projects this involves using the fedutil.exe wizard or the vs12 | <project> | add sts reference wizard. If you have a wcf services system.serviceModel section in your web.config you will need to comment it out before running the wizard and uncomment it afterwards; otherwise the wizard will apply wstrust security settings instead.
 
3.  with your web project selected, open the package manager console and enter "Install-Package FedId.Web.Project.Scaffolding -version 1.7.0.5", or from the manage nuget packages dialog search for and install the "fedid web project scaffolding" nuget package. The latter option only works if you have domain credentials and have added the https://ms-nuget.cloudapp.net/api/v2/ feed entry under tools | package manager | settings | sources. The current package drops target nfx45/wif45 + identity and access extension settings project support. As noted above, for owin pipeline project support see the pg's katana security middleware modules. If you need nfx40/wif10 + add sts reference/fedutil settings project support you'll need to pull the 1.6.0.11 drop.
 
4.  in order for the App_Code/SignInRequestResponseValidator.cs behaviors to work in nfx45/wif45 projects, the Web.config /system.web/httpRuntime attribute requestValidationMode must be set to "4.0" rather than "4.5". Having it set to "4.5" causes the RequestValidator to not fire when wsfed signin http form post back events occur. You only need this enabled if you plan to use legacy winrt app adfsV2 federation setups. Also, the System.IdentityModel.Services assembly reference needs CopyLocal="True" rather than "False"; otherwise you'll get a runtime compilation error from this source file. Currently the fedid web nuget package installer is configured to take care of that latter setting for you.
 
5.  To complete enabling legacy winrt app adfsV2 federation signin support, if you will be using it, open web.config and configure the RpAllowedMsApps entry to contain a csv list of the win8 app ms-app://<sid>/ values that you want to allow. Be careful to note that these values are case and uri format sensitive, i.e. lower case 's' and '/' terminated.
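As an added example (not part of the nuget package or of this post), a small C# check for the csv value you put in the RpAllowedMsApps entry in step 5: it flags entries that miss the lower-case scheme, the lower-case 's' in the sid or the terminating '/'. It assumes the <sid> is the app container package sid (s-1-15-2-...) and the sample values in Main are constructed.

```csharp
using System;
using System.Collections.Generic;
using System.Text.RegularExpressions;

// Validates the csv list destined for the RpAllowedMsApps entry against the
// pitfalls noted in step 5: lower-case "ms-app://" scheme, lower-case 's' in
// the package sid, and a terminating '/'. One finding is returned per bad entry.
static class RpAllowedMsAppsChecker
{
    // Accepted form: ms-app://s-1-15-2-<subauthorities>/ (app container package sid, lower case).
    static readonly Regex Valid = new Regex(@"^ms-app://s-1-15-2-\d+(-\d+)*/$");

    public static IList<string> Check(string csv)
    {
        var findings = new List<string>();
        foreach (var raw in csv.Split(','))
        {
            var value = raw.Trim();
            if (value.Length == 0) continue;        // tolerate an empty/trailing element
            if (Valid.IsMatch(value)) continue;      // well formed, nothing to report

            // Name the most likely mistake so the config fix is obvious.
            if (!value.StartsWith("ms-app://", StringComparison.Ordinal))
                findings.Add(value + ": scheme must be exactly 'ms-app://' (lower case)");
            else if (!value.EndsWith("/", StringComparison.Ordinal))
                findings.Add(value + ": value must be '/' terminated");
            else if (value.StartsWith("ms-app://S-", StringComparison.Ordinal))
                findings.Add(value + ": package sid must use lower case 's'");
            else
                findings.Add(value + ": not a recognised ms-app://<sid>/ value");
        }
        return findings;
    }

    static void Main()
    {
        // Constructed sample: the first value is correct, each of the others shows one mistake.
        const string sample =
            "ms-app://s-1-15-2-1111111111-2222222222-3333333333-4444444444/," +
            "ms-app://S-1-15-2-1111111111-2222222222-3333333333-4444444444/," +
            "ms-app://s-1-15-2-1111111111-2222222222-3333333333-4444444444," +
            "MS-APP://s-1-15-2-1111111111-2222222222-3333333333-4444444444/";
        foreach (var finding in Check(sample)) Console.WriteLine(finding);
    }
}
```

Running it against the constructed sample prints one finding for each of the three malformed values and nothing for the first.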
 
note - the objective with the addition of this package is to enable wsfed session token security for browser clients and oauth/jwt+swt security for rich clients [ modern win8 xaml/c# + html/js apps and phone xaml/c# apps and nfx winform/wpf/console apps ]. Consider wstrust a legacy fedid protocol due to its lack of support for signin across a broad set of identity providers (idp) and its inability to be used across a broad set of web tier service endpoint stacks [ wcf service, wcf web api, wcf data service, mvc4 web api, custom ].
 
 
an example solution is available here; see WebApp1/WebRole1 | Web.config for details of what the nuget package added. These projects demonstrate use of this nuget package to support modern browser and native client apps calling webapi endpoints. WebApp1 demonstrates its use for an aad/acs/adfs federated azure web site using wsfed session tokens [ browser client ] + oauth bearer tokens [ native client apps ]. WebRole1 demonstrates its use for an aad/acs/adfs federated azure web role with the signin request response validator processing enabled for the legacy winrt app adfsV2 federation story.
 
 
miscellaneous notes
 
- The corresponding symbols and sources for the assemblies provided by this nuget package are being published on //symbolsource.org/. This enables F11 step-into debugging support that allows you to delve deeper into any of the routines this package provides. For details on how to enable F11 step-into debugging support see the post "Debugging NuGet Packages using SymbolSource". To optimize that experience I recommend using the "only specified modules" option and entering the names of the assemblies provided in the nuget package that you want to debug through.
 
- If you read this then you may find the posts "Debug and Test of Web Applications", "Enabling Federated Identity in Phone Applications" and "Enabling Federated Identity in WinRT Applications" also of interest.
 
- For more documentation and samples see "Acs Samples", "Acs Samples Index", "Identity Developer Training Kit" and "Windows Azure Toolkit for Windows 8".