Question
According to the documentation, both modules will be used to create an instance of IClaimsPrincipal. I do not understand why WIF bothers to use 2 HttpModules instead of one. Sorry, I am new to WIF.
Answer 1:
You don't need both to have the IClaimsPrincipal in the pipeline. You need the latter, the SessionAuthenticationModule. It is responsible for converting the WIF cookie into the principal object (similar to what FormsAuthenticationModule does with a forms cookie).
The former, WSFederationAuthenticationModule, is responsible only for the initial SAML post from the identity provider to your application - the module consumes the post and issues the WIF cookie. Alternatively, you can do it with a wif:FederatedPassiveSignIn control placed on your login form.
When I code WIF-enabled applications, I usually have only the SAM module and I use the login control for issuing cookies.
Answer 2:
The big difference is that the WSFederationAuthenticationModule intercepts requests and will redirect the user to be authenticated by the STS while the SessionAuthenticationModule uses the WIF-token cookie to authorize the user on subsequent requests.
The SessionAuthenticationModule fires first in the pipeline so if you already have a session cookie (i.e., you've already been authenticated), the session module will grant you access.
The MSDN documentation does a decent job of describing this.
Source: https://stackoverflow.com/questions/13395912/wsfederationauthenticationmodule-v-s-sessionauthenticationmodule