Identity Providers
IdentityServer supports authentication using external identity providers. The external authentication mechanism must be encapsulated in a Katana authentication middleware.
Katana itself ships with middleware for Google, Facebook, Twitter, Microsoft Accounts, WS-Federation and OpenID Connect - but there are also community developed middlewares (including Yahoo, LinkedIn, and SAML2p). See here for a list of options.
To configure the middleware for the external providers, add a method to your project that accepts an IAppBuilder and a string as parameters. IdentityServer calls this method at startup, passing its own IAppBuilder and the authentication type that every external sign-in must use (the signInAsType parameter below); each middleware you register must set that value as its SignInAsAuthenticationType, otherwise IdentityServer will not pick up the sign-in when the provider redirects back.
// Namespaces for the Katana middlewares used below
using Microsoft.Owin.Security.Facebook;
using Microsoft.Owin.Security.Google;
using Microsoft.Owin.Security.Twitter;
using Owin;

public static void ConfigureIdentityProviders(IAppBuilder app, string signInAsType)
{
    // Google (OAuth2). ClientId/ClientSecret are issued by the Google developer console;
    // load them from configuration rather than hard-coding them in source.
    var google = new GoogleOAuth2AuthenticationOptions
    {
        AuthenticationType = "Google",              // unique id; also becomes the idp claim
        Caption = "Google",                         // button label on the login page
        SignInAsAuthenticationType = signInAsType,  // must be the value IdentityServer passed in
        ClientId = "...",
        ClientSecret = "..."
    };
    app.UseGoogleAuthentication(google);

    // Facebook. AppId/AppSecret come from the Facebook app registration.
    var fb = new FacebookAuthenticationOptions
    {
        AuthenticationType = "Facebook",
        Caption = "Facebook",
        SignInAsAuthenticationType = signInAsType,
        AppId = "...",
        AppSecret = "..."
    };
    app.UseFacebookAuthentication(fb);

    // Twitter (OAuth 1.0a). ConsumerKey/ConsumerSecret come from the Twitter app registration.
    var twitter = new TwitterAuthenticationOptions
    {
        AuthenticationType = "Twitter",
        Caption = "Twitter",
        SignInAsAuthenticationType = signInAsType,
        ConsumerKey = "...",
        ConsumerSecret = "..."
    };
    app.UseTwitterAuthentication(twitter);
}
Notes
- AuthenticationType must be a unique value that identifies the external identity provider. The same value is used for the idp claim in the resulting tokens, can be used to pre-select an identity provider during authorization/authentication requests via the acr_values parameter (see the documentation of the acr_values parameter on the authorization endpoint), and is the value used to restrict the allowed identity providers in the Client configuration.
- Caption is the label of the button for the identity provider on the login page. If Caption is an empty string, the identity provider is not shown on the login page, but it can still be used via the login hint (acr_values=idp:...).
- SignInAsAuthenticationType must be set to the value passed in via the signInAsType parameter; IdentityServer uses that authentication type to pick up the external sign-in once the provider redirects back.
- ClientId/ClientSecret, AppId/AppSecret and ConsumerKey/ConsumerSecret are credentials issued by the respective provider. Treat them as secrets: load them from configuration or a secret store rather than committing them to source.
Assign the configuration method to the IdentityProviders property on the AuthenticationOptions:
var idsrvOptions = new IdentityServerOptions
{
    SiteName = "IdentityServer3",
    Factory = factory,
    SigningCertificate = Cert.Load(),
    AuthenticationOptions = new AuthenticationOptions
    {
        IdentityProviders = ConfigureIdentityProviders
    }
};
app.UseIdentityServer(idsrvOptions);
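The notes above say the AuthenticationType value is reused in three places: the idp claim, the acr_values login hint, and the Client restriction list. The following is an added example (not code from the IdentityServer3 documentation) that shows all three sides of that contract against the providers registered above ("Google", "Facebook", "Twitter" and a WS-Federation provider registered as "adfs"). Client ids, names, redirect URIs and the authorize endpoint host are assumed for illustration.

```csharp
// Added example, not from the IdentityServer3 docs. Client ids/names/URLs are assumed.
using System;
using System.Collections.Generic;
using System.Linq;
using System.Security.Claims;
using IdentityServer3.Core.Models;

public static class ExternalIdpWiring
{
    // 1. Restricting which external providers a client may use.
    //    The strings must equal the AuthenticationType of the registered middlewares.
    //    An empty IdentityProviderRestrictions list means "any provider".
    public static IEnumerable<Client> GetClients()
    {
        return new List<Client>
        {
            new Client
            {
                ClientId = "intranet",                        // assumed
                ClientName = "Intranet portal",               // assumed
                Flow = Flows.Implicit,
                RedirectUris = new List<string> { "https://intranet.example/callback" }, // assumed
                AllowedScopes = new List<string> { "openid", "profile" },
                // corporate users only: the WS-Federation middleware registered as "adfs"
                IdentityProviderRestrictions = new List<string> { "adfs" }
            },
            new Client
            {
                ClientId = "public-site",                     // assumed
                ClientName = "Public web site",               // assumed
                Flow = Flows.Implicit,
                RedirectUris = new List<string> { "https://www.example/callback" }, // assumed
                AllowedScopes = new List<string> { "openid" },
                // social logins only; "adfs" is rejected for this client
                IdentityProviderRestrictions = new List<string> { "Google", "Facebook", "Twitter" }
            }
        };
    }

    // 2. Pre-selecting a provider from the client side. acr_values=idp:<AuthenticationType>
    //    makes IdentityServer skip its provider selection page and redirect straight to
    //    that provider. The hint is still checked against the client's restrictions.
    public static string BuildAuthorizeUrl(string authorizeEndpoint, string clientId,
                                           string redirectUri, string nonce, string idp)
    {
        var query = new Dictionary<string, string>
        {
            { "client_id", clientId },
            { "response_type", "id_token" },
            { "scope", "openid" },
            { "redirect_uri", redirectUri },
            { "nonce", nonce },
            { "acr_values", "idp:" + idp }
        };
        var qs = string.Join("&", query.Select(kv => kv.Key + "=" + Uri.EscapeDataString(kv.Value)));
        return authorizeEndpoint + "?" + qs;
    }

    // 3. Verifying the provider on the relying-party side. The idp claim in the issued
    //    token carries the AuthenticationType, so a client that must only accept corporate
    //    accounts can enforce that in code instead of relying on the login page alone.
    public static bool SignedInVia(ClaimsPrincipal user, string expectedIdp)
    {
        var idp = user.FindFirst("idp");
        return idp != null && string.Equals(idp.Value, expectedIdp, StringComparison.Ordinal);
    }
}

// Usage, e.g. from the intranet client (authorize endpoint host assumed):
// var url = ExternalIdpWiring.BuildAuthorizeUrl(
//     "https://idsrv.example/core/connect/authorize", "intranet",
//     "https://intranet.example/callback", nonce, "adfs");
// ... after validating the id_token:
// if (!ExternalIdpWiring.SignedInVia(principal, "adfs")) { /* reject */ }
```

The restriction list and the acr_values hint are matched by exact string comparison against AuthenticationType, so keep the casing consistent everywhere the value appears.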
Adding WS-Federation Identity Providers
WS-Federation based identity providers are added in exactly the same way as shown above.
For backwards compatibility reasons, the WS-Federation middleware listens on every incoming request and inspects it for a posted token, regardless of the request path. With a single WS-Federation middleware this is not an issue, but with more than one they compete for the same token posts, so each middleware needs an explicit and unique CallbackPath (a PathString) that matches the reply URL configured on that IdP. Note that CallbackPath is relative to the site root, not to the path IdentityServer is mounted under. For example, if the external provider is configured to post tokens to http://mydomain.com/SubFolder/IdSrv/MyExternalProvider then CallbackPath should be set to /SubFolder/IdSrv/MyExternalProvider.
var adfs = new WsFederationAuthenticationOptions
{
    AuthenticationType = "adfs",                // unique id; idp claim value and restriction key
    Caption = "ADFS",
    SignInAsAuthenticationType = signInAsType,
    // Federation metadata supplies the issuer and its token signing keys; fetch it over https only
    MetadataAddress = "https://adfs.leastprivilege.vm/federationmetadata/2007-06/federationmetadata.xml",
    Wtrealm = "urn:idsrv3"                      // must match the relying party identifier registered on the IdP
};
app.UseWsFederationAuthentication(adfs);
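The paragraph above describes the failure mode with several WS-Federation middlewares. The following is an added example (not code from the IdentityServer3 documentation) that registers two WS-Federation providers side by side, gives each a unique, site-root-relative CallbackPath together with the matching absolute Wreply, and fails fast at startup if two providers would share a callback path. The host names, the /SubFolder/IdSrv mount point and the realm are assumed for illustration.

```csharp
// Added example, not from the IdentityServer3 docs. Hosts, realm and mount path are assumed.
using System;
using System.Collections.Generic;
using System.Linq;
using Microsoft.Owin;
using Microsoft.Owin.Security.WsFederation;
using Owin;

public static class WsFederationProviders
{
    // Public origin of the site and the path under which IdentityServer is mounted (assumed).
    const string SiteOrigin = "https://mydomain.com";
    const string IdSrvPath = "/SubFolder/IdSrv";

    static WsFederationAuthenticationOptions Build(string authType, string caption,
                                                   string metadataAddress, string signInAsType)
    {
        // Root-relative: includes the IdentityServer mount path, unique per provider.
        var callbackPath = IdSrvPath + "/" + authType;
        return new WsFederationAuthenticationOptions
        {
            AuthenticationType = authType,
            Caption = caption,
            SignInAsAuthenticationType = signInAsType,
            MetadataAddress = metadataAddress,     // https only: metadata carries the IdP signing keys
            Wtrealm = "urn:idsrv3",                // relying party identifier registered on the IdP
            Wreply = SiteOrigin + callbackPath,    // must equal the reply URL configured on the IdP's RP trust
            CallbackPath = new PathString(callbackPath)
        };
    }

    public static void Configure(IAppBuilder app, string signInAsType)
    {
        var providers = new[]
        {
            Build("adfs-corp", "Corporate ADFS",
                  "https://adfs.corp.example/federationmetadata/2007-06/federationmetadata.xml", signInAsType),
            Build("adfs-partner", "Partner ADFS",
                  "https://adfs.partner.example/federationmetadata/2007-06/federationmetadata.xml", signInAsType)
        };

        EnsureDistinctCallbackPaths(providers);

        foreach (var p in providers)
            app.UseWsFederationAuthentication(p);
    }

    // Throws at startup instead of producing a confusing issuer/signature error at login time
    // when two middlewares would compete for the same token post. PathString already rejects
    // values that do not start with "/", so only emptiness and duplicates are checked here.
    public static void EnsureDistinctCallbackPaths(IEnumerable<WsFederationAuthenticationOptions> options)
    {
        var paths = options.Select(o => o.CallbackPath.Value).ToList();
        if (paths.Any(string.IsNullOrEmpty))
            throw new InvalidOperationException("Every WS-Federation provider needs an explicit CallbackPath.");
        var dup = paths.GroupBy(p => p, StringComparer.OrdinalIgnoreCase).FirstOrDefault(g => g.Count() > 1);
        if (dup != null)
            throw new InvalidOperationException("Duplicate WS-Federation CallbackPath: " + dup.Key);
    }
}
```

Register WsFederationProviders.Configure from the same ConfigureIdentityProviders method shown earlier (or assign it directly to AuthenticationOptions.IdentityProviders). The reply URL on each ADFS relying party trust must be exactly the Wreply value, including the /SubFolder/IdSrv prefix; a mismatch there is the usual cause of a token being posted to a path no middleware claims.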