Thanks to Gaurav Mantri for answering my earlier question Azure ACS Set Up in C#.
However can someone explains to me, how the following line is secured?
if (!ClaimsPrincipal.Current.Identity.IsAuthenticated)
The client in the ACS schema is conveniently a man in the middle, he might fail loging into Facebook, for example and this gets relayed to ACS (I'm assuming this portion is secured), but now ACS is telling the client to go back to the relying party about the failure.
How is that last part secured? What stops the client from tampering the ACS message "Fail" to "Success"? How would Asp.Net even knows how to verify signature and decrypt the message?
For that matter what key was it using to encrypt/sign the message exchange? And how would that work in a webfarm/Azure environment?
You specify the key which will be used for message exchange.
When you configure Azure ACS in the management portal, you specify private key which will be used to sign tokens(Certificates and Keys tab).
When you configure web application to use Azure ACS, reference to the certificate to validate signature is added to web.config:
<issuerNameRegistry type="System.IdentityModel.Tokens.ValidatingIssuerNameRegistry, System.IdentityModel.Tokens.ValidatingIssuerNameRegistry">
<authority name="https://xxxxx.accesscontrol.windows.net/">
<keys>
<add thumbprint="XXXXXXXXXXXXXXXXXXXXXXXXXXXXXX" />
</keys>
<validIssuers>
<add name="https://xxxxx.accesscontrol.windows.net/" />
</validIssuers>
</authority>
</issuerNameRegistry>
UPDATE
The certificate is passed to the web application by ACS along with signed security token in the X509Certificate element (I've removed namespaces):
<RequestSecurityTokenResponse>
<Lifetime>
<Created>2013-06-19T06:15:16.618Z</Created>
<Expires>2013-06-19T07:15:16.618Z</Expires>
</Lifetime>
<AppliesTo>
<EndpointReference>
<Address>http://xxx.cloudapp.net/</Address>
</EndpointReference>
</AppliesTo>
<RequestedSecurityToken>
<Assertion ID="xxx" IssueInstant="2013-06-19T06:15:16.636Z" Version="2.0" xmlns="urn:oasis:names:tc:SAML:2.0:assertion">
<Issuer>https://xxx.accesscontrol.windows.net/</Issuer>
<Signature>
<SignedInfo>
<CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
<SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256" />
<Reference URI="xxx">
<Transforms>
<Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
<Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
</Transforms>
<DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256" />
<DigestValue>xxx</ds:DigestValue>
</Reference>
</SignedInfo>
<SignatureValue>xxx</SignatureValue>
<KeyInfo>
<X509Data>
<X509Certificate>xxx</X509Certificate>
</X509Data>
</KeyInfo>
</Signature>
<Subject>
<NameID>iiiii</NameID>
<SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer" />
</Subject>
<Conditions NotBefore="2013-06-19T06:15:16.618Z" NotOnOrAfter="2013-06-19T07:15:16.618Z">
<AudienceRestriction><Audience>http://xxx.cloudapp.net/</Audience></AudienceRestriction>
</Conditions>
<AttributeStatement>
<Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"><AttributeValue>aaa</AttributeValue></Attribute>
</AttributeStatement>
<AuthnStatement AuthnInstant="2013-06-19T06:15:15.999Z">
<AuthnContext>
<AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</AuthnContextClassRef>
</AuthnContext>
</AuthnStatement>
</Assertion>