
Identity Server v3 LOB Part 1 Hosting IDS v3 with IIS

This is Part 1 of a series of three posts about setting up and configuring Identity Server for a Line Of Business application.


Intro Identity Server v3 Walk through for LOB application

Part 1 Hosting Identity Framework With IIS

Part 2 IDSv3 Web Api & WCF Configuration

Part 3 IDS Client Walkthrough

Client Sample Code

Identity Server Code


In part one, we are going to walk through a modified version of the Thinktecture.IdentityServer3 solution which can be found here.

In this post, we’re going to cover:

  1. How to set up a 2048+ bit certificate and then how to make sure your app pool account has permissions.
  2. Hard coding our Client & Scope data. We won’t go into many details as it’s fairly straightforward for the examples.
  3. We will create a simple LocalClaimsProvider as well as a Local User Service. We won’t tie directly to a database. However, in these classes you will be able to write your own code to use whatever type of repository you like.

The link for Identity Server Code above is the solution we will be working our way through in this post. I’m not going to go into how to create the entire solution from scratch.

2048 Bit Certificate

We work predominantly with Microsoft technology, so we will walk through how to install a certificate on a Windows 8 computer running IIS.

  1. Click Start, type in Run and in the Run text box, type in MMC.
  2. Next choose File, Add/Remove Snap-in, highlight Certificates and click Add.
  3. When prompted, make sure to select Computer Account and click Next.
  4. Leave Local Computer selected and click Finish.
  5. Expand Certificates/Personal/Certificates and right click on Certificates.
  6. Next, if you are importing a Certificate, choose Import.
  7. If you want to get a Certificate from an Active Directory, select Request New Certificate.
  8. After the certificate shows up in the Certificates folder, right click on it and select Manage Private Keys.
  9. A Permissions window will pop up; click Add.
  10. In the Select Users, Computers, Service Accounts or Groups window, if your computer is in a domain, click on Locations, select your computer and click OK.
  11. Next enter the name of the App Pool being used by the web application hosting the IdSrv web app in the Thinktecture IdentityServer3 solution you downloaded. The format would be IIS AppPool\<Type Identity’s name here>
    1. This assumes you opened the solution in a Visual Studio 2013 instance which you opened up as administrator.
    2. Doing so, a web directory in IIS should have been created. If not, however you go about doing it, make sure a virtual directory is set up in IIS.
    3. Then select or create an AppPool to use.
  12. Click OK and you should see the Identity of the AppPool. Make sure it has at least Read permissions. (May require full control, I’m not 100% sure.)
  13. Now we must open up IIS Manager and make sure the web site which contains the Virtual Directory for IdSrv has its HTTPS binding configured to use the Certificate we just imported/created.

Virtual Directory configuration

In the IDS solution, you now need to change the app settings to match your environment. All app settings for the IdSrv web app are in IdSrv.config.

  1. First you need to configure the IdentityCertCommonName to match the subject name of the certificate we set up in the previous section. (The key for this could have been named better.) You can open the certificate and look at the subject to get the values you need to update here.
  2. If you’re running Identity locally, you can leave the other settings. I would suggest you change the IdentitySiteName to whatever you want your site name to be. This value shows up in the Login page.
  3. EnableIdentityLogging, I would leave set to true while in Dev. Obviously you would want to change this value to false in production.
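
A fail-fast check for the certificate steps and the IdentityCertCommonName setting above, as an added example that is not part of the original solution. It assumes the keys in IdSrv.config are exposed through appSettings; the class and method names are hypothetical.

```csharp
using System;
using System.Configuration;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

public static class SigningCertificateCheck
{
    // Hypothetical helper: call it from Startup before handing the certificate to Identity Server.
    public static X509Certificate2 LoadAndVerify()
    {
        // Assumption: the keys in IdSrv.config are exposed through <appSettings>.
        string commonName = ConfigurationManager.AppSettings["IdentityCertCommonName"];
        if (string.IsNullOrWhiteSpace(commonName))
            throw new ConfigurationErrorsException("IdentityCertCommonName is not set.");

        // Same store the MMC steps use: Local Computer / Personal.
        var store = new X509Store(StoreName.My, StoreLocation.LocalMachine);
        store.Open(OpenFlags.ReadOnly);
        try
        {
            // FindBySubjectName is a substring match, so require exactly one hit.
            X509Certificate2Collection hits = store.Certificates.Find(
                X509FindType.FindBySubjectName, commonName, false);
            if (hits.Count != 1)
                throw new InvalidOperationException(
                    hits.Count + " certificates in LocalMachine\\My match '" + commonName + "'.");

            X509Certificate2 cert = hits[0];
            if (cert.PublicKey.Key.KeySize < 2048)
                throw new InvalidOperationException("Certificate key is smaller than 2048 bits.");
            if (!cert.HasPrivateKey)
                throw new InvalidOperationException("Certificate was imported without its private key.");
            try
            {
                // Opening the key is the step that fails when the app pool identity
                // has not been granted Read under Manage Private Keys.
                if (cert.PrivateKey == null)
                    throw new InvalidOperationException("Private key could not be opened.");
            }
            catch (CryptographicException ex)
            {
                throw new InvalidOperationException(
                    "Private key could not be opened; check the app pool identity's Read permission.", ex);
            }
            return cert;
        }
        finally { store.Close(); }
    }
}
```

Because the check runs under the app pool identity, it exercises the same permission that the Manage Private Keys step grants.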

Client & Scope

I haven’t had that much time to get into client and scope so I’ve just hard coded values in the existing IDS Client and Scope classes. Maybe at a later date a blog post on how to dynamically create these is warranted.

Local User Service

In our custom applications we have our own credential-related tables which store user, role and security information. Identity Server Framework allows you to easily build a custom user service. In the sample code, the custom user service can be found in the IdentityServices project.

In the sample we create user bob in the LocalUserService constructor and load it into memory. However, you can do the lookup in the AuthenticateLocalAsync method if you need to authenticate against a repository.

In the Startup.cs configuration method, we instantiate the custom LocalClaimsProvider class. Then we register it with the factory’s UserService.
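
A repository-backed version of the lookup described above, as an added example that is not the code from the sample solution. It is written against the IdentityServer3 2.x API (UserServiceBase, LocalAuthenticationContext), which is an assumption, as the linked solution may target a different version; LocalUser and ILocalUserRepository are hypothetical.

```csharp
using System.Threading.Tasks;
using IdentityServer3.Core.Extensions;
using IdentityServer3.Core.Models;
using IdentityServer3.Core.Services.Default;

// Hypothetical types: back the repository with your own credential tables.
public class LocalUser
{
    public string Subject { get; set; }
    public string UserName { get; set; }
    public bool Enabled { get; set; }
}

public interface ILocalUserRepository
{
    // Returns the user only when the password verifies against the stored hash, otherwise null.
    LocalUser FindByCredentials(string userName, string password);
    LocalUser FindBySubject(string subject);
}

public class LocalUserService : UserServiceBase
{
    private readonly ILocalUserRepository _users;

    public LocalUserService(ILocalUserRepository users) { _users = users; }

    public override Task AuthenticateLocalAsync(LocalAuthenticationContext context)
    {
        LocalUser user = _users.FindByCredentials(context.UserName, context.Password);

        // Unknown user, wrong password and disabled account all take the same path:
        // AuthenticateResult stays null, so the login fails without revealing which case applied.
        if (user != null && user.Enabled)
            context.AuthenticateResult = new AuthenticateResult(user.Subject, user.UserName);
        return Task.FromResult(0);
    }

    public override Task IsActiveAsync(IsActiveContext context)
    {
        // Re-check the account on later requests so a disabled user stops getting tokens.
        LocalUser user = _users.FindBySubject(context.Subject.GetSubjectId());
        context.IsActive = user != null && user.Enabled;
        return Task.FromResult(0);
    }
}

// Registration in Startup, where factory is the IdentityServerServiceFactory:
//   var userService = new LocalUserService(repository);
//   factory.UserService = new Registration<IUserService>(resolver => userService);
```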

Local Claims Provider

To pull back our records and build custom claims, we create a custom LocalClaimsProvider class which you can also find in the IdentityServices project. We created a custom GetUserClaims() method. Currently we manually create some claims. However, you could make your database calls here and pull back records to build your custom claims.

Note, we had to add the nameidentifier claim to satisfy @Html.AntiForgeryToken() in MVC websites.

As with the Local User Service, instantiate the custom claims provider in Startup and add it to the factory’s ClaimsProvider.











