Skip to content

MembershipReboot in IdentityServer

October 23, 2013

Many people have asked for a sample of integrating MembershipReboot into IdentityServer as the identity management library. I was finally galvanized to build a sample and so here it is. It supports all four main extensability points of IdentityServer that related to users, which are the IUserRepository, IUserManagementRepository, IClientCertificatesRepository, and IClaimsRepository interfaces, so you can login (with both passwords and client certificates) and then from the admin screen you can create/delete users, set password, add/remove roles, and add/remove client certificates. I feel bad this it took so long to build this sample (since it only took about an hour to code it from scratch and get it configured and tested in IdentityServer).

Enjoy.

22 Comments leave one →
  1. October 24, 2013 1:39 am

    Reblogged this on http://www.leastprivilege.com.

  2. Tong Li permalink
    November 14, 2013 2:53 am

    Great post.

    If instead of a DB, we authenticate through an internal REST service, with simple userId/pwd plus some custom profile parameters, which of the four extensability points would you recommend that we use? Thank you.

  3. December 16, 2013 7:16 pm

    Ok I need a little help to get started with your sample.

    Is it merely a matter of reconfiguring the IdentityServer Webapp files, identity.config and repositories.config, to use the libraries from your sample, Thinktecture.IdentityServer.Core and MembershipRebootUserRepository, rather than the ‘out of the box’ libraries,Thinktecture.IdentityServer.Core and Thinktecture.IdentityServer.Core.Repositories?

    • December 18, 2013 9:56 am

      Yep, plus any additional .config work needed by MR (such as DB connection strings, etc.)

      • Connie DeCinko permalink
        April 8, 2014 8:45 pm

        Do we install MR first? Or just copy the appropriate files from your sample into my IdentityServer install? I don’t see instructions. Do we need to do anything to the database already configured by IS?

        • April 8, 2014 8:58 pm

          Yes, it’s a .NET assembly, so add the reference. If you’re doing it as a VS project, then all the dependencies will get added. If you’re adding as a file then you’ll need all the NuGets as well. It’s prolly easier to add it as a VS project reference. HTH

  4. April 3, 2014 11:09 am

    We have decided to use IdentityServer V2 (with membership reboot) for SSO. However, I need some suggestions/help in getting it working.

    Sorry for the long post and thank for being patient in reading this. Not sure if this is right place for this post. Let me know where to do if not here. I have very little prior experience with SSO implementations and hence it is getting difficult in making decisions.

    Here is our scenario.

    Our system is architected into two subsystems:
    The business layer – published as REST API – ASP.NET MVC Web API (Resource Server?)
    The UI Layer – ASP.NET MVC 4 web application consuming the API (Relying Party?)

    This is just one application and there are more. While some follow a similar architecture as above, others are just ASP.NET MVC application (without REST API)

    Our requirement now is to implement SSO for all the above explained application stack.

    After a wide range of discussions, we decided to go with an OpenSource solution and finally picked IdentityServer.

    What have we done so far:
    Was able to deploy Identity Server – from the download build and from code
    Was able to get Membership reboot integrated with IdentityServer, as we needed most of the features, like – Two Factor, Secret Questions etc. Thanks for Membership reboot.

    I am a little confused between WS-Federation, SAML and JWT to understand what fits our scenario and what kind of configuration does it need on the ID server setup.

    I have been waling through the samples provided in both ID and MR and have also done good amount of reading. Directing me to appropriate links also would do a great help.

    Any guidance or help in this regard is greatly appreciated.

    Excuse me if the question is lame. Thanks for reading through this.

    • April 3, 2014 11:21 am

      Well, the best place to read would be the wiki for each of those projects in github. That acts as a guide for features, which will help educate you on the various approaches. Then as you have questions, post them to the github issue tracker.

      • April 3, 2014 11:30 am

        Thanks for the response. I did go through the wiki of both the products and of course samples too. And in fact, some samples explain similar – if not same – approaches. I was just wondering if there is anything that closely matches with what I am looking for. Just that we will be rest assured with our decisions.

  5. Connie DeCinko permalink
    April 13, 2014 7:47 pm

    Ok, looks like everything is configured and working. I can login to site/idSrv and creahttp://vimeo.com/51666380 to the membershipReboot.sdf database. But, I don’t see anything different than a regular Identity Server install. Should the change be more obvious? How do I get my test app (http://vimeo.com/51666380) to use the MembershipReboot login page instead of the IS login?

  6. Connie DeCinko permalink
    April 13, 2014 7:53 pm

    Why am I getting this error after I login as a user: WIF10201: No valid key mapping found for securityToken: ‘System.IdentityModel.Tokens.X509SecurityToken’ and issuer

  7. Connie DeCinko permalink
    April 16, 2014 12:03 pm

    I’ve now successfully migrated my databases to SQL Server and have MR and IS working together. Problem… the login is handled by the STS(IS) so that I get SSO and a token. However, that means I don’t have the benefits of the MR login such as brute force prevention, account locking after too many attempts, etc.?

  8. Connie DeCinko permalink
    April 22, 2014 11:41 am

    Ok, learning more. I now realize, what I really want from MR included in my STS is the code in the sample, i.e. the Single Tenant sample. That sample is where it appears are the bits that deal with login abuse prevention and also have the self-service functions such as password reset, and other account management. In simple terms, I’d like to just drop the SingleTenantWebApp on my server configured for idSrv and be off to the races. In reality, what do I have to do? Another way to look at this… I want everything SingleTenantWebApp / MembershipReboot has to offer… plus a secure token so any website I configure as a relying party can use my login system.

    Feel free to treat me like a newbie… I need docs, videos, anything.

    • April 22, 2014 2:21 pm

      Identity Server specifically does not manage identities, but you can customize it to do so. This would all be custom for your requirements.

  9. Connie DeCinko permalink
    May 2, 2014 11:57 am

    Does anyone provide training or consulting for this type of integration? I’ve struggled for weeks and it’s just not working. I can get each one working by itself but getting MR working while providing a security token just ain’t happening. @Bhasker Kottapally what did you come up with?

  10. Benny Emmers permalink
    September 10, 2015 8:34 am

    I’m running the IdentityServer in OWIN. I have a (restFul)webApi with resourceAuthorization on his method. If I use InmemoryUsers everything works nice. When a webApi is called the caller is redirected to the login screen and after valid login it goes back to the url of the webApi. When I replace the inmemory user with the MembershipReboot then I also get the login page and the user is checked but the redirection goes back to the root of the webApi For example: localhost:4040 instead of localhost:4040/api/protectedCustomer. Do you have an idea what goes wrong ?
    Thanks

    • Benny Emmers permalink
      September 10, 2015 10:08 am

      Found it. The error happened when a transformation is perfomed on the claims (my own code). Thanks for the nice example.

    • October 1, 2015 5:07 pm

      Hmm, when calling Web APIs if the call is not allowed then there should be a 401 response, not a redirect. Beyond that, I’m not sure.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: