Azure Active Directory with MVC, the client and resource identify the same application

Question

Following up this question:

How to do both Azure Active Directory Single Sign On and Forms Authentications on ASP.NET MVC

I have tried writing the simple code on Login action of default MVC 4 which uses both default Forms Authentication and Azure Active Directory SSO:

public async Task<ActionResult> Login(LoginModel model, string returnUrl)
{
    if (ModelState.IsValid && WebSecurity.Login(model.UserName, model.Password, persistCookie: model.RememberMe))
    {
        return RedirectToLocal(returnUrl);
    }

    authContext = new AuthenticationContext(authority, new TokenCache());
    var result = await authContext.AcquireTokenAsync(resourceId, clientId, new UserCredential(model.UserName, model.Password));

    // more code
}

So if the normal Login WebSecurity.Login is not successful, I try to acquire token from AAD by using ADAL.NET with credential (username/password) following this post: http://www.cloudidentity.com/blog/2014/07/08/using-adal-net-to-authenticate-users-via-usernamepassword/

When running application I got the error from Azure:

AADSTS90027: The client '[ClientId]' and resource '[ResouceId]' identify the same application.

I am not sure whether it really makes sense to use ADAL with credential directly on MVC Login action. Please someone give me a hint on this stuff.

Answer 1

ADAL is not meant to achieve web sign-on in a web application. ADAL helps an application to obtain a token for accessing another resource: in other words, it helps your application to be a CLIENT. Moreover, the username/password is not available in web apps as it is meant to be used only in native applications. In order to use both FormsAuth and Azure AD, please consider adding both the ASP.NET identity middleware and the OpenId Connect middleware. The OpenId Connect middleware is the library one should use for achieving web SSO with Azure AD.