mgrenier

Reputation: 1447

Claims and Roles

I am in the process of migrating an MVC5 application from forms authentication to federated authentication. I am using ADFS to federate my application and that is working fine. I have groups set up in AD already and thought that when I would use this code:

if(ClaimsPrincipal.Current.IsInRole(@"MY-ROLE"))

true would be returned if the AD user was in fact a member of "MY-ROLE". This doesn't appear to be the case. Am I missing something here? (I am new to federated services, so forgive me if I have missed something obvious.)

Upvotes: 0

Views: 456

Answers (1)

rbrayb

Reputation: 46700

You need to add a claim rule that maps groups to Roles.

Send LDAP Attribute as Claim.

Use "Token-Groups - Unqualified Names" and map it to Role.

i.e. the rule language would be:

c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"] => issue(store = "Active Directory", types = ("http://schemas.microsoft.com/ws/2008/06/identity/claims/role"), query = ";tokenGroups;{0}", param = c.Value);

WIF on the application side will then do the mapping to IsInRole.

Upvotes: 1
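As an added illustration (not code from the question or the answer), the C# console program below shows why IsInRole depends on the claim type ADFS issues: it builds principals from constructed sample claims (user "jdoe", group "MY-ROLE", domain "CONTOSO" are made up) under the role claim type used by the rule above, under a different claim type, and with a domain-qualified group name, and finally shows the application-side remap via ClaimsIdentity's roleType parameter.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Claims;

// Added illustration, not code from the question or answer. Claim values are constructed.
static class RoleClaimDemo
{
    // The claim type issued by the rule in the answer; it equals ClaimTypes.Role.
    const string RoleType = "http://schemas.microsoft.com/ws/2008/06/identity/claims/role";
    // A different, group-flavoured claim type, used to show the failure mode.
    const string GroupType = "http://schemas.xmlsoap.org/claims/Group";

    // Builds the principal the MVC app would see once the token's claims are loaded.
    static ClaimsPrincipal BuildPrincipal(string groupClaimType, params string[] groups)
    {
        var claims = new List<Claim> { new Claim(ClaimTypes.Name, "jdoe") };
        foreach (var g in groups)
            claims.Add(new Claim(groupClaimType, g));
        // Default RoleClaimType is ClaimTypes.Role; IsInRole consults only claims of that type.
        return new ClaimsPrincipal(new ClaimsIdentity(claims, "Federation"));
    }

    static void Report(string label, ClaimsPrincipal p)
    {
        Console.WriteLine("{0}: IsInRole(\"MY-ROLE\") = {1}", label, p.IsInRole("MY-ROLE"));
        foreach (var c in p.Claims)
            Console.WriteLine("    {0} = {1}", c.Type, c.Value);
    }

    static void Main()
    {
        // Groups issued as role claims: the case the tokenGroups rule produces.
        Report("role claim type", BuildPrincipal(RoleType, "MY-ROLE", "Domain Users"));

        // Same group names under another claim type: IsInRole never looks at them.
        var groupTyped = BuildPrincipal(GroupType, "MY-ROLE");
        Report("group claim type", groupTyped);

        // "Token-Groups - Qualified by Domain Name" would issue DOMAIN\GROUP, and the
        // comparison is an exact (ordinal) string match against the name you pass.
        Report("domain-qualified value", BuildPrincipal(RoleType, @"CONTOSO\MY-ROLE"));

        // Application-side alternative: tell ClaimsIdentity which claim type holds roles,
        // so existing IsInRole checks work without changing the ADFS rule.
        var remapped = new ClaimsPrincipal(
            new ClaimsIdentity(groupTyped.Claims, "Federation", ClaimTypes.Name, GroupType));
        Report("group claim type, remapped", remapped);
    }
}
```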
