user2557714

Reputation: 69

Supporting Individual User Accounts AND internal Organizational Accounts via ADFS in MVC5

We built a new (about to hit pilot) .NET web application which uses Individual Accounts. All the identity management is working fine. The app is only for company employees, but it needs to be available externally to them. Identity Roles (security levels) and Claims (user attributes) are managed within the application.

The requirements are now for SSO if the user is on a Windows computer (and logged into the domain) and the ability to log in to the application and authenticate against Active Directory if not already logged in via Windows (or on a non-Windows device). Log in through external accounts like Facebook is not active (although OWIN is installed).

Just to be clear about the goals: a user account exists in the application, and the roles and claims are managed by the application owner from within the application instead of in AD by IT. If the user is already on her Windows computer, the credentials are recognized by the application and no log-in page is needed. If the user is not on Windows (VPN not available, or on a non-Windows device) they are directed to a log-in page that authenticates against Active Directory.

The app is using all the latest versions of MVC 5.2, EF 6.1, and Identity 2.1.

I have found information on configuring Azure and also on-premises using ADFS and a proxy, but I still don't have a complete picture of how to combine the user credentials and claims from AD while still using the local user account Roles and Claims.

How should the authentication be configured? What ties the Individual user account to the AD account?

Any links and specific steps on how to configure are appreciated.

Upvotes: 3

Views: 686

Answers (2)

max

Reputation: 11

Btw: you could also use auth0 if you wish to implement some more complex login scenarios without all the headache that comes with it.

They provide a very cool service. Although I don't like to rely on a third party web service for such an important part of my software. If the web service is unavailable, my app does nothing. So maybe better go the extra mile and implement it yourself.

Upvotes: 0

max

Reputation: 11

The thing with using ADFS is that it replaces your login page. Think of it as if it was a Facebook login. When the user comes from outside, the ADFS server will not get a Windows authentication, so it will present its own login page. You won't have to implement anything.

The only important parts: the ADFS server's web front end has to be published to the internet, and both your app and the ADFS login web need SSL.

All your app does is redirect to the ADFS server and back. Just like a default Facebook login.

Also have a look at the new OWIN middleware for federated login. It makes it much easier than the old web.config monster way that the project template uses. The middleware works much like the social logins.

Upvotes: 1
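The redirect-to-ADFS-and-back flow this answer describes, wired up with the OWIN WS-Federation middleware and tied to the app's own Individual Account, as an added example (not code from the question or the answers). It assumes the MVC 5 Identity template's `Startup.ConfigureAuth` and `AccountController` (with its `UserManager`, `SignInManager`, `AuthenticationManager` and `RedirectToLocal` members), the `Microsoft.Owin.Security.WsFederation` package, placeholder ADFS host and realm values, and ADFS claim rules that issue a Name ID plus the UPN claim; `GetExternalLoginInfoAsync` returns null when no Name ID claim is present.

```csharp
using System.Security.Claims;
using System.Threading.Tasks;
using System.Web.Mvc;
using Microsoft.AspNet.Identity;
using Microsoft.AspNet.Identity.Owin;
using Microsoft.Owin.Security.WsFederation;
using Owin;

public partial class Startup
{
    public void ConfigureAuth(IAppBuilder app)
    {
        // The template's ApplicationCookie and ExternalSignInCookie registrations stay as generated;
        // this block is added after them. ADFS then behaves like one more external login provider.
        app.UseWsFederationAuthentication(new WsFederationAuthenticationOptions
        {
            Wtrealm = "https://app.example.com/",  // placeholder: relying-party identifier registered in ADFS
            MetadataAddress = "https://adfs.example.com/FederationMetadata/2007-06/FederationMetadata.xml",  // placeholder host
            SignInAsAuthenticationType = DefaultAuthenticationTypes.ExternalCookie,  // hand the result to the Identity external-login flow
            Caption = "Corporate login (ADFS)"
        });
    }
}

// Shown as a partial class for illustration; in practice this replaces the template's ExternalLoginCallback.
public partial class AccountController
{
    public async Task<ActionResult> ExternalLoginCallback(string returnUrl)
    {
        var info = await AuthenticationManager.GetExternalLoginInfoAsync();
        if (info == null) return RedirectToAction("Login");  // no usable token (e.g. no Name ID claim)

        // Stored (provider, key) link first; otherwise match the UPN claim to the local user name.
        var user = await UserManager.FindAsync(info.Login);
        if (user == null)
        {
            var upn = info.ExternalIdentity.FindFirst(ClaimTypes.Upn);
            if (upn != null) user = await UserManager.FindByNameAsync(upn.Value);
            if (user == null) return RedirectToAction("Login");  // no local account: no access, nothing auto-created
            await UserManager.AddLoginAsync(user.Id, info.Login);  // remember the link for next time
        }
        // Roles and claims for the session come from the local store, not from the ADFS token.
        await SignInManager.SignInAsync(user, isPersistent: false, rememberBrowser: false);
        return RedirectToLocal(returnUrl);
    }
}
```

Domain-joined browsers get the ADFS Windows-authentication path without seeing a form; everyone else sees the ADFS forms page, and in both cases the app only ever trusts the local account it resolved.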
