Sign in Register
Copied to clipboard

Flag this post as spam?

This post will be reported to the moderators as potential spam to be looked at


  • shanem 39 posts 93 karma points
    Jan 18, 2016 @ 12:43
    shanem
    0

    Logging into Umbraco 7.3.0+ back-office using AD with ADFS

    I need to authenticate back-office users in Umbraco 7.3.0 with our local test Active Directory (AD) server. Due to the introduction of Identity in Umbraco 7 it seems we need to make use of Active Directory Federation Services (ADFS) in order to authenticate against our AD.

    I can successfully authenticate against our test AD in Umbraco 6.2.0 using ActiveDirectoryMembershipProvider, but can't do the same in ADFS.

    Here is my code to to connect to the ADFS server from umbraco:

    using System.Configuration;
using System.IdentityModel.Tokens;
using Microsoft.Owin.Security.ActiveDirectory;
using Owin;
using Umbraco.Web.Security.Identity;

namespace MyCompany.Membership.Umbraco.Extensions
{
    public static class AdfsAuthExtensions
    {
        /// <summary>
        /// Configure Active Directory Fedration Services so we can connect to LDAP connections.
        /// </summary>
        /// <param name="app">The app builder.</param>
        /// <param name="caption">Sign in with caption.</param>
        /// <param name="style">The button CSS class.</param>
        /// <param name="icon">The button icon CSS class.</param>        
        public static void ConfigureBackOfficeActiveDirectoryFederationServicesAuthentication(
            this IAppBuilder app,
            string caption = "Active Directory",
            string style = "btn-microsoft",
            string icon = "fa-windows")
        {
            var options = new ActiveDirectoryFederationServicesBearerAuthenticationOptions
            {
                MetadataEndpoint = ConfigurationManager.AppSettings["AdfsMetadataEndpoint"],
                TokenValidationParameters = new TokenValidationParameters() { ValidAudience = ConfigurationManager.AppSettings["AdfsAudience"] }
            };

        options.ForUmbracoBackOffice(style, icon);            

        app.UseActiveDirectoryFederationServicesBearerAuthentication(options);
    }
}
}

    The config options are:

        <add key="AdfsMetadataEndpoint" value="https://adfsserver/federationmetadata/2007-06/federationmetadata.xml" />
<add key="AdfsAudience" value="https://testadfs.local" />

    My ADFS meta data URL (https://adfsserver/federationmetadata/2007-06/federationmetadata.xml) is visible from my dev machine but has an invalid SSL certificate.

    The extension method is called like this:

    using Microsoft.Owin;
using Owin;
using Umbraco.Core;
using Umbraco.Core.Security;
using Umbraco.Web.Security.Identity;

[assembly: OwinStartup("UmbracoCustomOwinStartup", typeof(UmbracoCustomOwinStartup))]

namespace MyCompany.Membership.Web
{
    public class UmbracoCustomOwinStartup
    {
        public void Configuration(IAppBuilder app)
        {
            // Configure back office users membership provider
            app.ConfigureUserManagerForUmbracoBackOffice(
                ApplicationContext.Current,
                MembershipProviderExtensions.GetUsersMembershipProvider().AsUmbracoMembershipProvider());

            // Ensure OWIN is configured for Umbraco back office authentication
            app
                .UseUmbracoBackOfficeCookieAuthentication(ApplicationContext.Current)
                .UseUmbracoBackOfficeExternalCookieAuthentication(ApplicationContext.Current);

            // Configure additional back office authentication options            
            app.ConfigureBackOfficeActiveDirectoryFederationServicesAuthentication();
        }
    }
}

    I have setup a "Relying Party" in ADFS with an identifier of https://testadfs.local.

    My error that I'm getting is:

    AuthenticationException: The remote certificate is invalid according to the validation procedure. WebException: The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel.

    So my question is:

    1. Has anyone successfully connected to ADFS in Umbraco 7.3.0+?
    2. Do you have any pointers?

    Thanks!

    Copy Link
  • shanem 39 posts 93 karma points
    Jan 19, 2016 @ 14:42
    shanem
    1

    A quick update - I solved the invalid certificate issue. The solution was:

    1. Generate a self-sign cert in IIS on the ADFS server
    2. Export this cert as a PFX file
    3. Import this cert to the "Trusted Root Certifications Authorities (Local Computer)" in MMC
    4. Uninstall stand alone ADFS on the server
    5. Reinstall ADFS and point to new self-sign cert during wizard setup
    6. On the ADFS server assign the new cert to the IIS website for SSL
    7. Copy PFX file to local dev machine
    8. Import this cert to the "Trusted Root Certifications Authorities (Local Computer)" in MMC on the dev machine

    Now the federation metadata URL (https://adfsserver/federationmetadata/2007-06/federationmetadata.xml) shouldn't complain about an invalid cert.

    Copy Link
  • shanem 39 posts 93 karma points
    Jan 19, 2016 @ 14:43
    shanem
    0

    I can now access the Umbraco 7 backoffice login screen but don't have an external provider button showing... almost there I think.

    Anybody know how to add external providers so they show a login button?

    Here is my new code but it's not working: 

    public static void ConfigureBackOfficeActiveDirectoryFederationServicesAuthentication(
        this IAppBuilder app,
        string caption = "Active Directory",
        string style = "btn-microsoft",
        string icon = "fa-windows")
    {            
        var options = new ActiveDirectoryFederationServicesBearerAuthenticationOptions
        {
            MetadataEndpoint = ConfigurationManager.AppSettings["AdfsMetadataEndpoint"],
            TokenValidationParameters = new TokenValidationParameters { ValidAudience = ConfigurationManager.AppSettings["AdfsAudience"] }
        };                       

        options.ForUmbracoBackOffice(style, icon);
        options.SetExternalSignInAutoLinkOptions(new ExternalSignInAutoLinkOptions(true));            

        Log.InfoFormat(
            "SocialStyle={0}, SocialIcon={1}, UmbracoBackOffice={2}, AuthenticationType={3}",
            options.Description.Properties["SocialStyle"],
            options.Description.Properties["SocialIcon"],
            options.Description.Properties["UmbracoBackOffice"],
            options.AuthenticationType);            

        app.UseActiveDirectoryFederationServicesBearerAuthentication(options);
    }
    Copy Link
  • shanem 39 posts 93 karma points
    Jan 19, 2016 @ 17:58
    shanem
    1

    Hey me again :) I've managed to get the external provider button to display. My code is below:

    public static void ConfigureBackOfficeActiveDirectoryFederationServicesAuthentication(
        this IAppBuilder app,
        string caption = "Active Directory",
        string style = "btn-microsoft",
        string icon = "fa-windows")
    {
        string adfsMetadataEndpoint = ConfigurationManager.AppSettings["AdfsMetadataEndpoint"];
        string adfsAudience = ConfigurationManager.AppSettings["AdfsAudience"];

        var wsFedOptions = new WsFederationAuthenticationOptions
        {
            Wtrealm = adfsAudience,
            MetadataAddress = adfsMetadataEndpoint,
            AuthenticationType = WsFederationAuthenticationDefaults.AuthenticationType,
            SignInAsAuthenticationType = Constants.Security.BackOfficeExternalAuthenticationType
        };            

        wsFedOptions.ForUmbracoBackOffice(style, icon);
        wsFedOptions.SetExternalSignInAutoLinkOptions(new ExternalSignInAutoLinkOptions(true));
        wsFedOptions.Caption = caption;

        app.UseWsFederationAuthentication(wsFedOptions);

        var adfsOptions = new ActiveDirectoryFederationServicesBearerAuthenticationOptions
        {
            MetadataEndpoint = adfsMetadataEndpoint,
            TokenValidationParameters = new TokenValidationParameters { ValidAudience = adfsAudience },
            AuthenticationType = WsFederationAuthenticationDefaults.AuthenticationType
        };

        app.UseActiveDirectoryFederationServicesBearerAuthentication(adfsOptions);
    }

    The secret was using WS-Federation but now I'm missing Microsoft.IdentityServer dll on the server. Almost there...

    Copy Link
  • Elias 25 posts 108 karma points
    Jun 09, 2016 @ 12:53
    Elias
    0

    Hi shanem,

    I'm curious, have you finally managed to do this login work?

    Copy Link
  • shanem 39 posts 93 karma points
    Jun 09, 2016 @ 13:30
    shanem
    0

    I didn't, sorry. I will look into it again when I have a moment and post my findings here.

    Copy Link
  • Frederik Raabye 72 posts 276 karma points MVP 2x c-trib
    Aug 05, 2016 @ 08:25
    Frederik Raabye
    0

    Hi Shanem

    Did you manage to get this up and running?

    Copy Link
  • Frederik Raabye 72 posts 276 karma points MVP 2x c-trib
    Aug 10, 2016 @ 09:48
    Frederik Raabye
    0

    I created a related thread here with WS-Federation code: https://our.umbraco.org/forum/extending-umbraco-and-using-the-api//79201-account-auto-linking-not-working-with-owin-ad-fsws-federation-authentication

    Copy Link
Please Sign in or register to post replies

Write your reply to:

Draft