user1958994

Reputation: 19

.NET CORE and ADFS no Claims Available

Migrating to .NET Core 3 from a 4.6 project and I'm not 100% sure I am implementing things properly.

I followed the steps in this article, making sure to configure startup.cs following the code sample under the "Use WS-Federation without ASP.NET Core Identity" section. https://learn.microsoft.com/en-us/aspnet/core/security/authentication/ws-federation?view=aspnetcore-3.0

Login seems to be working in that I'm redirected to MS login and sent back to my app with the expected cookies, for example MSISAuthenticated. But, user.identity.isauthenticated is always false and I have no claims available. Is this expected behavior? Perhaps I'm not configuring things properly? Ideally I'd like to be able to check if a user is authenticated and access the claims.

I've come across a number of articles about adding policies based on groups, but how would [Authorize (Policy="SomeGroup")] even work if no claims are available?

ConfigureServices Code: (screenshot, not reproduced in text)

Configure Code: (screenshot, not reproduced in text)

Controller Action:

    using System.Security.Claims;
    using Microsoft.AspNetCore.Mvc;

    public class HomeController : Controller
    {
        public IActionResult Index()
        {
            // User.Identity is the ClaimsIdentity rebuilt from the auth cookie on each request
            var identity = (ClaimsIdentity)User.Identity;
            ViewBag.Claims = identity.Claims;

            return View();
        }
    }

View Code:

@using System.Security.Claims;
@{
    ViewBag.Title = "Home Page";
    IEnumerable<Claim> claims = (IEnumerable<Claim>)ViewBag.Claims;
}

@if (User.Identity.IsAuthenticated)
{
    <div class="jumbotron">
        <h1>Successful Sign On!</h1>
    </div>

    <div class="row">
        <div class="col-md-12">
            <h2>WS Federation Services Claims</h2>
            @foreach (Claim claim in claims)
            {
                <p>
                    <b>@(claim.Type.ToString())</b>
                    <br />
                    @(claim.Value.ToString()) (type: @(claim.ValueType.ToString()))
                    <hr />
                </p>
            }
        </div>
    </div>
}
else
{
    <div class="jumbotron">
        <h1>SSO Test</h1>
        <p class="lead">To sign in using Microsoft's single sign-on service, click the button below.</p>
        <p><a href="/account/signin" class="btn btn-primary btn-lg">Sign in &raquo;</a></p>
    </div>
}

Upvotes: 2

Views: 1462

Answers (1)

sergeyxzc

Reputation: 615

Perhaps the fact is that you are not sending the desired ResourceUrl to ADFS. Then ADFS considers the default resource and issues a token without claims. See more info in step 3 of "High level AD FS authentication flow".


AD FS identifies the resource which the client wants to access through the resource parameter passed in the auth request. If using MSAL client library, then resource parameter is not sent. Instead the resource url is sent as a part of the scope parameter: scope = [resource url]//[scope values e.g., openid].

Upvotes: 1
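As an added example (not code from the question, the answer, or the Microsoft article), this is the shape of a Startup.cs for "WS-Federation without ASP.NET Core Identity" on ASP.NET Core 3 that ties together both points discussed above: the cookie scheme must be the default scheme so that User.Identity and its claims are rebuilt from the cookie on every request after sign-in, the WS-Federation scheme is only the challenge scheme, and Wtrealm identifies this relying party to AD FS, which then issues the claims configured for that relying party trust (the "resource" the answer refers to). It also shows how an [Authorize(Policy = "SomeGroup")] policy is bound to a group claim, and the /account/signin action the view links to. The realm, metadata address, policy name and the AD FS group claim type/rule are assumptions.

```csharp
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Authentication.Cookies;
using Microsoft.AspNetCore.Authentication.WsFederation;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Hosting;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Extensions.Configuration;
using Microsoft.Extensions.DependencyInjection;

public class Startup
{
    public Startup(IConfiguration configuration) => Configuration = configuration;
    public IConfiguration Configuration { get; }

    // Claim type AD FS emits for group membership when a "Send group membership
    // as a claim" issuance rule exists on the relying party trust (assumption).
    private const string GroupClaimType = "http://schemas.xmlsoap.org/claims/Group";

    public void ConfigureServices(IServiceCollection services)
    {
        services.AddAuthentication(options =>
        {
            // Cookie is the default scheme: after the WS-Fed post-back the
            // principal is stored in the cookie, and every later request reads
            // User.Identity (IsAuthenticated, Claims) from that cookie.
            options.DefaultScheme = CookieAuthenticationDefaults.AuthenticationScheme;
            options.DefaultSignInScheme = CookieAuthenticationDefaults.AuthenticationScheme;
            // Unauthenticated requests are challenged by redirecting to AD FS.
            options.DefaultChallengeScheme = WsFederationDefaults.AuthenticationScheme;
        })
        .AddWsFederation(options =>
        {
            // wtrealm names this relying party; AD FS picks the matching trust
            // and its claim rules. Placeholder config keys/values:
            //   wsfed:realm    = https://myapp.example.com/
            //   wsfed:metadata = https://adfs.example.com/FederationMetadata/2007-06/FederationMetadata.xml
            options.Wtrealm = Configuration["wsfed:realm"];
            options.MetadataAddress = Configuration["wsfed:metadata"];
        })
        .AddCookie();

        services.AddAuthorization(options =>
        {
            // [Authorize(Policy = "SomeGroup")] succeeds only if the cookie
            // principal carries a group claim with this exact value; with no
            // claims in the token this policy always denies.
            options.AddPolicy("SomeGroup",
                policy => policy.RequireClaim(GroupClaimType, "SomeGroup"));
        });

        services.AddControllersWithViews();
    }

    public void Configure(IApplicationBuilder app, IWebHostEnvironment env)
    {
        app.UseRouting();
        // Order matters in 3.x: authentication before authorization, both
        // before the endpoints that read User.
        app.UseAuthentication();
        app.UseAuthorization();
        app.UseEndpoints(endpoints => endpoints.MapDefaultControllerRoute());
    }
}

// Target of the view's "/account/signin" link: trigger the WS-Fed challenge
// explicitly and return to the home page once the cookie has been issued.
public class AccountController : Controller
{
    [HttpGet]
    public IActionResult SignIn() =>
        Challenge(new AuthenticationProperties { RedirectUri = "/" },
                  WsFederationDefaults.AuthenticationScheme);
}
```

If IsAuthenticated stays false with this configuration, the cookie is not being issued, so the next thing to check is the post-back itself (the default callback path is /signin-wsfed) and the claims AD FS actually puts in the token for this wtrealm, which is where the answer's point about the resource applies.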
