Federated authentication in ASP.NET MVC with Access Control Service

This post shows how to integrate both a classic ASP.NET MVC application (MVC 5 and before) and a new-style, OWIN-based ASP.NET MVC (6?) application with Azure Access Control Service (ACS). Users are authenticated outside the application by third-party authentication providers such as Facebook, Google, Yahoo, etc. This process is called federated authentication.

A classic ASP.NET MVC project can be downloaded here: https://github.com/mchudinov/AspMvcACSClassic

A new OWIN-based ASP.NET MVC project can be downloaded here: https://github.com/mchudinov/AspMvcACSOwin


There is a ton of information on the Internet about how to set up and configure federated authentication with ASP.NET.

The MSDN article "Federated Identity with Microsoft Azure Access Control Service" covers the technology idea, terminology, protocols, etc.

This blog post has a nice explanation of the web.config options: "Windows Identity Foundation (WIF) Configuration Sections in ASP.NET Web.Config".

Here are some articles on how to implement federated authentication for an ASP.NET MVC 5 application with OWIN (using VS 2013 or 2015):

In a classic ASP.NET MVC project, federated authentication is defined as a module and configured in the <system.webServer> section of the Web.config file.

In an OWIN-based solution, federated authentication is enabled via the Configuration method of the Startup class:

I want to capture authentication events (for logging or whatever).

1. Capturing of ACS authentication events in classic ASP.NET MVC
ASP.NET uses two classes for federated authentication: WSFederationAuthenticationModule and SessionAuthenticationModule. Authentication events can be captured in classes that inherit from them:

Now these new classes must be referenced in Web.config as the federation modules:

2. Capturing of ACS authentication events in OWIN ASP.NET MVC
To capture authentication events in an OWIN application, the WsFederationAuthenticationNotifications class should be used. All I need to do is create a WsFederationAuthenticationNotifications object, assign delegates to its notification properties, and then pass this object to the WsFederationAuthenticationOptions instance. All modifications can be made in the OWIN Startup class, in the Startup.Auth.cs file that configures authentication.
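The wiring described above, as an added example that is not code from the original post or its repositories. The realm, the YOUR-NAMESPACE placeholder in the metadata URL and the use of System.Diagnostics.Trace as the log sink are assumptions, and it assumes the template's Startup.Configuration calls ConfigureAuth(app).

```csharp
using System.Diagnostics;
using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.Owin.Security;
using Microsoft.Owin.Security.Cookies;
using Microsoft.Owin.Security.WsFederation;
using Owin;

public partial class Startup
{
    // Assumed placeholders: substitute your own realm and ACS namespace.
    private const string Realm = "https://localhost:44300/";
    private const string Metadata = "https://YOUR-NAMESPACE.accesscontrol.windows.net/FederationMetadata/2007-06/FederationMetadata.xml";
    // Claim type ACS adds to name the upstream provider (Google, Facebook, ...).
    private const string IdpClaim = "http://schemas.microsoft.com/accesscontrolservice/2010/07/claims/identityprovider";
    public void ConfigureAuth(IAppBuilder app)
    {
        app.SetDefaultSignInAsAuthenticationType(CookieAuthenticationDefaults.AuthenticationType);
        app.UseCookieAuthentication(new CookieAuthenticationOptions());
        var notifications = new WsFederationAuthenticationNotifications
        {
            RedirectToIdentityProvider = n =>
            {
                Trace.TraceInformation("WS-Fed redirect to ACS: wa={0}", n.ProtocolMessage.Wa);
                return Task.FromResult(0);
            },
            SecurityTokenValidated = n =>
            {
                // Log who signed in and via which provider; never log the token itself.
                ClaimsIdentity id = n.AuthenticationTicket.Identity;
                Claim idp = id.FindFirst(IdpClaim);
                Claim sub = id.FindFirst(ClaimTypes.NameIdentifier);
                Trace.TraceInformation("Sign-in ok: idp={0} subject={1}",
                    idp != null ? idp.Value : "(none)", sub != null ? sub.Value : "(none)");
                return Task.FromResult(0);
            },
            AuthenticationFailed = n =>
            {
                Trace.TraceWarning("Sign-in failed: {0}", n.Exception.Message);
                return Task.FromResult(0);
            }
        };
        app.UseWsFederationAuthentication(new WsFederationAuthenticationOptions
        {
            Wtrealm = Realm, MetadataAddress = Metadata,
            Notifications = notifications
        });
    }
}
```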