LP13

Reputation: 34109

Azure AD and ASP.NET Identity + OWIN, which approach to use?

We have an ASP.NET application which has been in production for the last 4-5 years. Now I'm trying to implement new authentication using Azure AD, ASP.NET Identity & the OWIN framework. Our application users also need to have access to the cloud app “BOX”, which already supports SSO using Azure. So the idea is to add our application into Azure AD and configure SSO.

NOTE: We DO NOT have Active Directory on premises; I just want to use Azure AD for web app authentication.

And as usual, after going through a lot of documentation on MSDN, I am confused about which authentication mechanism I should be using.

1st Approach - Based on the Microsoft article here
I have installed the following packages using NuGet:

    PM> Install-Package Microsoft.Owin.Security.OpenIdConnect  
    PM> Install-Package Microsoft.Owin.Security.Cookies  
    PM> Install-Package Microsoft.Owin.Host.SystemWeb  

Then I have configured the app in Azure AD, and in the ASP.NET application configured 'ida:ClientId', 'ida:Tenant' and 'ida:PostLogoutRedirectUri' in app settings. Then you call the following code at startup (and also do some extra steps as per the article):

    using System.Configuration;
    using Microsoft.Owin.Security.Cookies;
    using Microsoft.Owin.Security.OpenIdConnect;
    using Owin;

    public partial class Startup
    {
        // Values come from the ida:* appSettings mentioned above
        private static readonly string clientId = ConfigurationManager.AppSettings["ida:ClientId"];
        private static readonly string tenant = ConfigurationManager.AppSettings["ida:Tenant"];
        private static readonly string postLogoutRedirectUri = ConfigurationManager.AppSettings["ida:PostLogoutRedirectUri"];
        // Authority is the Azure AD tenant endpoint (endpoint host assumed here)
        private static readonly string authority = "https://login.microsoftonline.com/" + tenant;

        public void ConfigureAuth(IAppBuilder app)
        {
            // Cookie middleware keeps the user signed in after the OpenID Connect round trip
            app.SetDefaultSignInAsAuthenticationType(CookieAuthenticationDefaults.AuthenticationType);

            app.UseCookieAuthentication(new CookieAuthenticationOptions());

            // Redirect to Azure AD for sign-in via OpenID Connect
            app.UseOpenIdConnectAuthentication(
                new OpenIdConnectAuthenticationOptions
                {
                    ClientId = clientId,
                    Authority = authority,
                    PostLogoutRedirectUri = postLogoutRedirectUri,
                });
        }
    }

2nd Approach – Based on the template provided by VS 2013 Ultimate
Here, when you create a new application using VS 2013 and configure the authentication using the Organizational Account option, it adds the following appSettings, 'ida:FederationMetadataLocation', 'ida:Realm' and 'ida:AudienceUri', and then adds the code to authenticate the user.

Questions
1> I am not sure which approach I should be using, and what’s the difference.
2> As per the Microsoft video here, if you create the application using the 2nd approach, Visual Studio will create the application in Azure AD for that tenant. But it does not create it anymore; has this changed recently? Do we always have to manually create the application in Azure AD?

EDIT1
When I create a new MVC or Web Forms app in VS 2013 and configure authentication, there are 4 options. 2 of them are 'Individual Accounts' and 'Organizational Accounts'. Approach 1 mentioned above is for "Individual Accounts" and Approach 2 is for Organizational Accounts. However, I still don't know when I should use one over the other. Why does one use a client ID while the other uses a RESTful API (federation metadata)? If I want the same user to have access to multiple cloud applications, which approach should I use?

Upvotes: 3

Views: 5501

Answers (2)

vibronet

Reputation: 7394

Sorry for the confusion. What you are experiencing is the stratification of multiple versions as the technology evolves. Let me clarify a couple of points.

  1. Visual Studio 2013 shipped before the OWIN middleware for web sign-on was available. Because of that, the ASP.NET project templates were still based on old technology (Windows Identity Foundation) and old protocols (WS-Federation).
  2. After VS 2013 shipped, we developed new classes (which you encountered in the quickstart article) which support web sign-on through a more nimble object model (OWIN middleware) and via more modern protocols (OpenID Connect). You have the choice of using such classes "manually", as described in the quickstart, or of using the NEW templates in Visual Studio 2015, which abandon the old tech (WIF) and automate a) the generation of projects using OWIN middleware and b) the provisioning of one entry for the app in an Azure AD tenant of your choice.
  3. The choice of Individual accounts vs "work & school" accounts allows you to select whether your application authenticates users one by one (for the former) and owns all the users' details, or whether you want your app to outsource authentication to the organization your users are coming from. If you want to use Azure AD, you want to do the latter: authentication is done by Azure AD; you just want your app to be configured to redirect to Azure AD when it's time to authenticate a user.

Upvotes: 6
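As an added example (not code from the question, the answer or Microsoft's article), here is what the two approaches look like side by side on the OWIN pipeline vibronet describes: approach 1 identifies the app by client id and validates the token's issuer and audience; approach 2 identifies it by realm and trusts signing keys published in federation metadata. It assumes the Microsoft.Owin.Security.WsFederation package (not among the packages listed in the question), the login.microsoftonline.com endpoint host, and a Startup class reading the appSettings keys named above.

```csharp
using System.Configuration;
using System.IdentityModel.Tokens;
using Microsoft.Owin.Security.Cookies;
using Microsoft.Owin.Security.OpenIdConnect;
using Microsoft.Owin.Security.WsFederation;
using Owin;

public partial class Startup
{
    // appSettings keys named in the question and in the VS 2013 template.
    static readonly string clientId   = ConfigurationManager.AppSettings["ida:ClientId"];
    static readonly string tenant     = ConfigurationManager.AppSettings["ida:Tenant"];
    static readonly string postLogout = ConfigurationManager.AppSettings["ida:PostLogoutRedirectUri"];
    static readonly string realm      = ConfigurationManager.AppSettings["ida:Realm"];
    static readonly string metadata   = ConfigurationManager.AppSettings["ida:FederationMetadataLocation"];

    public void ConfigureAuth(IAppBuilder app)
    {
        // Both approaches sign the user into the same cookie once the protocol exchange succeeds.
        app.SetDefaultSignInAsAuthenticationType(CookieAuthenticationDefaults.AuthenticationType);
        app.UseCookieAuthentication(new CookieAuthenticationOptions());
        UseOpenIdConnect(app); // approach 1; call UseWsFederation(app) instead for approach 2
    }

    // Approach 1: OpenID Connect. Issuer and audience are stated explicitly rather than
    // left to defaults, so a token minted for another app or another tenant is rejected.
    static void UseOpenIdConnect(IAppBuilder app)
    {
        app.UseOpenIdConnectAuthentication(new OpenIdConnectAuthenticationOptions
        {
            ClientId = clientId,
            Authority = "https://login.microsoftonline.com/" + tenant, // assumed endpoint host
            PostLogoutRedirectUri = postLogout,
            TokenValidationParameters = new TokenValidationParameters
            {
                ValidAudience = clientId,
                ValidateIssuer = true,
            },
        });
    }

    // Approach 2: WS-Federation, the protocol behind the VS 2013 template. The app is
    // identified by a realm and learns the issuer's signing keys from federation metadata.
    static void UseWsFederation(IAppBuilder app)
    {
        app.UseWsFederationAuthentication(new WsFederationAuthenticationOptions
        {
            Wtrealm = realm,
            MetadataAddress = metadata,
        });
    }
}
```

Only one of the two passive middlewares should be registered in a given pipeline; with both active, each would try to answer the same 401 challenge.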
