Supporting Individual User Accounts AND Organizational Accounts in MVC5 / ASP.Net Identity 2

后端 未结 3 908
刺人心
刺人心 2021-02-01 08:19

I\'ve created an ASP.Net MVC5 application, in which I have configured (and have working fine) Individual User Accounts via Google, Facebook, etc.

What I\'d like to do is

相关标签:
3条回答
  • 2021-02-01 08:54

    I managed to implement this by doing the following:

    First, adding a reference to the Microsoft.Owin.Security.OpenIdConnect Nuget package.

    Second, configuring it in my Startup.Auth.cs:

    app.UseOpenIdConnectAuthentication(new OpenIdConnectAuthenticationOptions
    {
        ClientId = "From the Azure Portal (see below)",
        Authority = "https://login.windows.net/<domain>.onmicrosoft.com",
        Notifications = new OpenIdConnectAuthenticationNotifications
        {
            RedirectToIdentityProvider = (ctx) =>
            {
                if (ctx.Request.Path.Value.EndsWith("ExternalLogin"))
                {
                    string appBasePathUrl = ctx.Request.Scheme + "://" + ctx.Request.Host + ctx.Request.PathBase;
                    ctx.ProtocolMessage.RedirectUri = appBasePathUrl + "/";
                    ctx.ProtocolMessage.PostLogoutRedirectUri = appBasePathUrl;
                }
                else
                {
                    ctx.State = NotificationResultState.Skipped;
                    ctx.HandleResponse();
                }
    
                return Task.FromResult(0);
            }
        },
        Description = new AuthenticationDescription
        {
            AuthenticationType = "OpenIdConnect",
            Caption = "SomeNameHere"
        }
    });
    

    Third, I setup the application in the Azure Portal (classic):

    Fourth, I added a separate logon page for admin users:

    @using (Html.BeginForm("ExternalLogin", "Home"))
    {
        @Html.AntiForgeryToken()
        <div class="ui basic segment">
            <div class="ui list">
                <div class="item">
                    <button type="submit" name="provider" value="OpenIdConnect" class="left floated huge ui button social">
                        <i class="windows icon"></i>
                        <span>My Org Name</span>
                    </button>
                </div>
            </div>
        </div>
    }
    

    Fifth, the ExternalLogin action doesn't need to change - we just let OWIN middleware redirect us to the external login page. The flow would then direct the user back to the ExternalLoginCallback action.

    Finally, in the ExternalLoginCallback action, I check the incoming claims to determine that the login was via Azure AD, and instead of calling into ASP.NET Identity, I construct my own ClaimsIdentity, which has all my (application specific) claim information which my application recognises as an admin user.

    Now, admin users navigate to https://example.com/admin, click the login button, are redirected to the Azure AD login, and windup back at the application as an admin user.

    0 讨论(0)
  • 2021-02-01 08:58

    Your best bet would be to leverage Azue AD Access Control Services (ACS) and setup the Identity Providers to include Azure AD, Facebook, et al. See the documentation here: http://azure.microsoft.com/en-us/documentation/articles/active-directory-dotnet-how-to-use-access-control/

    0 讨论(0)
  • 2021-02-01 08:59

    ACS can indeed be used, however as you have already implemented Google/Facebook signin I recommend that you directly integrate with Azure AD instead of going through an intermediate STS like ACS/thinktecture.

    If your app' signin experience involves the user clicking on "Signin with Google/Signin with Facebook" stickers - you can add "Signin with your company' account." (there's even a recommended branding style: http://msdn.microsoft.com/en-us/library/azure/dn132598.aspx If you app performs realm discovery and forwards the user to the appropriate IdP (employing a text box saying something like "Enter your email address to sign in") - then you could add matching for your company name email addresses and forward those users to AAD.

    In both cases, your application will issue an SSO request to SSO endpoint of AAD: https://login.windows.net/{company domain name/id}/{wsfed/saml/oauth2}. If you're using .Net, WSFed, this should see you through: http://msdn.microsoft.com/en-us/library/azure/dn151789.aspx. Look for the code:

    SignInRequestMessage sirm = FederatedAuthentication.WSFederationAuthenticationModule.CreateSignInRequest("", HttpContext.Request.RawUrl, false);
    result = Redirect(sirm.RequestUrl.ToString());   
    

    There's also an OpenIdConnect sample here: http://msdn.microsoft.com/en-us/library/azure/dn151789.aspx

    0 讨论(0)
提交回复
热议问题