Reputation: 583
I'm looking into using Identity Server 4 for authentication within a C# based MVC application. I'd like to use accounts stored in Azure AD as a source of valid users but the documentation only seems to refer to Google and OpenID & only mentions Azure in passing.
Does anybody know of any good documentation and/or tutorials on how to use Azure AD in the context of using it with Identity Server 4?
Upvotes: 35
Views: 37311
Reputation: 70146
IdentityServer4 has documentation on "Sign-in with External Identity Providers".
Unfortunately it is not complete, but this is what I did:
Startup.cs for .NET 5, or Program.cs for .NET 6:
// needs: using Microsoft.IdentityModel.Protocols.OpenIdConnect; (for OpenIdConnectResponseType)
services.AddAuthentication()
    .AddOpenIdConnect("aad", "Azure AD", options =>
    {
        options.ClientSecret = "<ClientSecret>";   // from Certificates & secrets on the app registration
        options.ResponseType = OpenIdConnectResponseType.Code;
        options.ClientId = "<ClientId>";
        options.Authority = "https://login.microsoftonline.com/<TenantId>/";
        options.CallbackPath = "/signin-oidc";     // must be registered as a redirect URI in Azure AD
    })
    .AddIdentityServerJwt();
You will then see an external login under "Use another service to log in.":
When completing login you should see this message.
Default settings got stuck after clicking on Register. It was due to the new email not being confirmed. This could be solved by setting SignIn.RequireConfirmedAccount = false:
services.AddDefaultIdentity<ApplicationUser>(options =>
    options.SignIn.RequireConfirmedAccount = false) // template default is true; false lets the unconfirmed external user sign in
You could also use "Resend email confirmation" or set EmailConfirmed to true in [dbo].[AspNetUsers] for the new user.
Azure AD settings. You will also need to add a client secret under Certificates & secrets.
Upvotes: 2
Reputation: 28481
There is a sample with Azure AD on GitHub, forked from the External Login sample provided in the IdentityServer samples.
The sample also fixed a known issue, "State parameter generated by middleware is too large for Azure AD #978".
Upvotes: 10
Reputation: 2315
You can sign in to Azure AD from IdentityServer just as you would sign in to IdentityServer from, e.g., a JavaScript or MVC app.
I have done this recently, and all you need to do is register OpenIdConnect options for Azure AD like this:
// OWIN/Katana pipeline (ASP.NET 4.x); needs the Owin, Microsoft.Owin.Security.Cookies
// and Microsoft.Owin.Security.OpenIdConnect namespaces.
public void ConfigureAuth(IAppBuilder app)
{
    app.SetDefaultSignInAsAuthenticationType(CookieAuthenticationDefaults.AuthenticationType);
    app.UseCookieAuthentication(new CookieAuthenticationOptions());
    app.UseOpenIdConnectAuthentication(
        new OpenIdConnectAuthenticationOptions
        {
            ClientId = clientId,                           // app registration's client id
            Authority = authority,                         // https://login.microsoftonline.com/<tenant>/
            PostLogoutRedirectUri = postLogoutRedirectUri,
        });
}
More info about this here: https://learn.microsoft.com/en-us/azure/active-directory/develop/active-directory-devquickstarts-webapp-dotnet
You should then call the ChallengeAsync method in your Login action:
var authenticationProperties = new AuthenticationProperties { RedirectUri = "your redirect uri" };
// first argument is the authentication scheme name of the OpenIdConnect registration
// (ASP.NET Core 2.0+; 1.x used HttpContext.Authentication.ChallengeAsync)
await HttpContext.ChallengeAsync("<authentication scheme>", authenticationProperties);
Then provide a callback method as a GET method then follow the External Login samples provided in IdentityServer samples: https://github.com/IdentityServer/IdentityServer4.Samples/blob/dev/Quickstarts/4_ImplicitFlowAuthenticationWithExternal/src/QuickstartIdentityServer/Quickstart/Account/AccountController.cs
Upvotes: 20
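Putting the ASP.NET Core registration from the first answer together with the Challenge/callback flow the last answer points to in the quickstart, here is an added example; it is not code from the question, from any of the answers, or from the IdentityServer4 project. It assumes IdentityServer4 4.x on ASP.NET Core, the Azure AD v2.0 endpoint, an `AzureAd` section in appsettings.json holding TenantId, ClientId and ClientSecret, and a hypothetical `IExternalUserLookup` service standing in for whatever store you provision local accounts in. The `"aad"` scheme name and the `/signin-aad` callback path are also assumptions and must match the redirect URI registered in Azure AD.

```csharp
// Added example, not code from the page or from IdentityServer4 itself.
// Assumed: IdentityServer4 4.x, Azure AD v2.0 endpoint, an "AzureAd" config section,
// and a hypothetical IExternalUserLookup for the local user store.
using System;
using System.Security.Claims;
using System.Threading.Tasks;
using IdentityServer4;
using IdentityServer4.Services;
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Extensions.Configuration;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.IdentityModel.Protocols.OpenIdConnect;

public static class AzureAdExternalLogin
{
    // Call from ConfigureServices / Program.cs after AddIdentityServer().
    public static IServiceCollection AddAzureAdExternalLogin(this IServiceCollection services, IConfiguration config)
    {
        var aad = config.GetSection("AzureAd");
        services.AddAuthentication()
            .AddOpenIdConnect("aad", "Azure AD", options =>
            {
                // IdentityServer reads the external result from its own temporary cookie.
                options.SignInScheme = IdentityServerConstants.ExternalCookieAuthenticationScheme;
                // Tenant-specific authority: the issuer is validated against this tenant's metadata.
                // Do not switch to /common/ without adding your own issuer validation.
                options.Authority = $"https://login.microsoftonline.com/{aad["TenantId"]}/v2.0";
                options.ClientId = aad["ClientId"];
                options.ClientSecret = aad["ClientSecret"]; // user-secrets or Key Vault, never source control
                options.ResponseType = OpenIdConnectResponseType.Code;
                options.UsePkce = true;
                options.CallbackPath = "/signin-aad"; // must equal the redirect URI registered in Azure AD
                options.SaveTokens = false;           // no need to carry AAD tokens in the cookie
                options.GetClaimsFromUserInfoEndpoint = true;
                options.Scope.Add("email");
            });
        return services;
    }
}

// Hypothetical: maps (provider, provider user id) to a local subject id, creating one if needed.
public interface IExternalUserLookup
{
    Task<string> FindOrProvisionAsync(string provider, string providerUserId, ClaimsPrincipal external);
}

public class ExternalController : Controller
{
    private readonly IIdentityServerInteractionService _interaction;
    private readonly IExternalUserLookup _users;

    public ExternalController(IIdentityServerInteractionService interaction, IExternalUserLookup users)
    {
        _interaction = interaction;
        _users = users;
    }

    // GET /External/Challenge?scheme=aad&returnUrl=...
    [HttpGet]
    public IActionResult Challenge(string scheme, string returnUrl)
    {
        if (string.IsNullOrEmpty(returnUrl)) returnUrl = "~/";
        // Open-redirect guard: only local URLs or authorize URLs IdentityServer itself issued.
        if (!Url.IsLocalUrl(returnUrl) && !_interaction.IsValidReturnUrl(returnUrl))
            throw new InvalidOperationException("invalid return URL");

        var props = new AuthenticationProperties
        {
            RedirectUri = Url.Action(nameof(Callback)),
            Items = { { "returnUrl", returnUrl }, { "scheme", scheme } }
        };
        return Challenge(props, scheme); // redirects the browser to login.microsoftonline.com
    }

    // GET /External/Callback, reached after Azure AD has redirected back to /signin-aad
    [HttpGet]
    public async Task<IActionResult> Callback()
    {
        var result = await HttpContext.AuthenticateAsync(IdentityServerConstants.ExternalCookieAuthenticationScheme);
        if (result?.Succeeded != true)
            throw new InvalidOperationException("external authentication error");

        var external = result.Principal;
        // Key the local account on the provider's subject, not on email (mutable, reassignable).
        var idClaim = external.FindFirst(ClaimTypes.NameIdentifier) ?? external.FindFirst("sub")
                      ?? throw new InvalidOperationException("no subject claim from provider");
        var scheme = result.Properties.Items["scheme"];
        var localSub = await _users.FindOrProvisionAsync(scheme, idClaim.Value, external);

        await HttpContext.SignInAsync(new IdentityServerUser(localSub) { IdentityProvider = scheme });
        // Drop the temporary external cookie once the local session exists.
        await HttpContext.SignOutAsync(IdentityServerConstants.ExternalCookieAuthenticationScheme);

        return Redirect(result.Properties.Items["returnUrl"] ?? "~/");
    }
}
```

Three things this adds over the snippets in the answers: the external sign-in scheme is set to IdentityServer's external cookie (without it the callback has nothing to read), the return URL is checked with `IsValidReturnUrl` so the external login entry point is not an open redirect, and the local account is keyed on the provider's subject claim rather than an email address.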