One of our clients wants to implement SSO with Azure AD for member login. They are asking for a few more details, but I have no idea. I would appreciate it very much if someone who knows this implementation could reply.
Is Umbraco compatible with the ADFS 3.0 protocols, such as being claims-aware and SAML?
They have suggested the following workflow.
External user hits the Umbraco site.
The authentication request is redirected to the published ADFS URL on the ADFS proxy.
The ADFS proxy sends the request to the internal ADFS farm.
User credentials are checked against the domain controller.
If successful, ADFS sends STS (security token service) to the client's browser. This is called a claim.
The client sends the claim from the STS to the Umbraco website, allowing the user to authenticate.
There is also a DirSync server that we currently have on-premises, which syncs selected AD user objects into Azure AD. This is for Office 365.
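The following is an added illustration, not part of the question or of any reply in this thread, of the relying-party side of the workflow above written against the raw WS-Federation messages. In the solution the thread arrives at, the Microsoft.Owin.Security.WsFederation middleware does all of this for you; spelling it out shows what "claims-aware" means for Umbraco as the relying party: what ADFS returns in step 5 is a signed security token (by default a SAML 1.1 assertion) carrying claims, and none of those claims can be trusted until the signature (against the STS certificate published in its federation metadata), the issuer, the audience (the wtrealm) and the validity window have been checked. The endpoint, realm, issuer, certificate and class names are placeholders chosen for the example.

```csharp
// Added example, not from the forum thread. Relying-party side of WS-Federation passive sign-in:
// build the wsignin1.0 redirect, then check the RequestSecurityTokenResponse (wresult) that the
// browser posts back. Endpoint, realm, issuer and certificate values are placeholders.
using System;
using System.Collections.Generic;
using System.Globalization;
using System.Security.Cryptography.X509Certificates;
using System.Security.Cryptography.Xml;   // System.Security.dll
using System.Web;
using System.Xml;

public static class WsFedRelyingParty
{
    const string SamlNs = "urn:oasis:names:tc:SAML:1.0:assertion";
    const string DsigNs = "http://www.w3.org/2000/09/xmldsig#";

    // Workflow step 2: send the browser to the published ADFS endpoint (the proxy).
    public static string BuildSignInUrl(string stsEndpoint, string realm, string replyUrl, string state)
    {
        var q = HttpUtility.ParseQueryString(string.Empty);   // URL-encodes on ToString()
        q["wa"] = "wsignin1.0";
        q["wtrealm"] = realm;     // RP identifier registered in ADFS / Azure AD
        q["wreply"] = replyUrl;   // must be a registered endpoint, or the STS rejects it
        q["wctx"] = state;        // opaque RP state (e.g. return URL); echoed back unchanged
        return stsEndpoint + "?" + q;
    }

    // SAML 1.1 assertions carry their id in AssertionID; SignedXml only resolves Id/ID/id,
    // so without this override the enveloped signature's Reference cannot be located.
    sealed class SamlSignedXml : SignedXml
    {
        public SamlSignedXml(XmlDocument doc) : base(doc) { }
        public override XmlElement GetIdElement(XmlDocument document, string idValue)
        {
            return base.GetIdElement(document, idValue)
                ?? (XmlElement)document.SelectSingleNode("//*[@AssertionID='" + idValue + "']");
        }
    }

    // Workflow steps 5-6: validate the posted token before trusting any claim in it.
    public static IDictionary<string, string> ValidateAndExtractClaims(
        string wresult, X509Certificate2 stsSigningCert, string expectedIssuer, string expectedAudience, DateTime utcNow)
    {
        var doc = new XmlDocument { PreserveWhitespace = true };   // whitespace changes break the digest
        doc.LoadXml(wresult);
        var ns = new XmlNamespaceManager(doc.NameTable);
        ns.AddNamespace("saml", SamlNs);
        ns.AddNamespace("ds", DsigNs);

        var assertion = doc.SelectSingleNode("//saml:Assertion", ns) as XmlElement;
        if (assertion == null) throw new InvalidOperationException("wresult carries no SAML assertion");

        // 1. Signature, verified against the pinned STS certificate (taken from federation metadata),
        //    never against a key the token itself supplies in KeyInfo.
        var sig = assertion.SelectSingleNode("ds:Signature", ns) as XmlElement;
        if (sig == null) throw new InvalidOperationException("assertion is not signed");
        var signed = new SamlSignedXml(doc);
        signed.LoadXml(sig);
        if (!signed.CheckSignature(stsSigningCert, true)) throw new InvalidOperationException("signature invalid");

        // 2. Issuer: the token must come from the STS we federate with.
        if (assertion.GetAttribute("Issuer") != expectedIssuer) throw new InvalidOperationException("unexpected issuer");

        // 3. Validity window (timestamps are UTC in the token).
        var cond = assertion.SelectSingleNode("saml:Conditions", ns) as XmlElement;
        if (cond == null) throw new InvalidOperationException("assertion has no Conditions");
        var notBefore = DateTime.Parse(cond.GetAttribute("NotBefore"), CultureInfo.InvariantCulture, DateTimeStyles.AdjustToUniversal);
        var notOnOrAfter = DateTime.Parse(cond.GetAttribute("NotOnOrAfter"), CultureInfo.InvariantCulture, DateTimeStyles.AdjustToUniversal);
        if (utcNow < notBefore || utcNow >= notOnOrAfter) throw new InvalidOperationException("token outside validity window");

        // 4. Audience: a token the same STS issued for a different realm must not log anyone in here.
        var audience = cond.SelectSingleNode("saml:AudienceRestrictionCondition/saml:Audience", ns);
        if (audience == null || audience.InnerText != expectedAudience) throw new InvalidOperationException("wrong audience");

        // Only now read the claims (e.g. .../ws/2005/05/identity/claims/emailaddress).
        var claims = new Dictionary<string, string>();
        foreach (XmlElement attr in assertion.SelectNodes("saml:AttributeStatement/saml:Attribute", ns))
        {
            var name = attr.GetAttribute("AttributeNamespace") + "/" + attr.GetAttribute("AttributeName");
            claims[name] = attr.SelectSingleNode("saml:AttributeValue", ns).InnerText;
        }
        return claims;
    }
}
```

The order of the checks is deliberate: the signature is verified first, and against a certificate you already hold rather than one embedded in the token, so that issuer, time and audience are only read from a document the STS actually produced. The audience check is what stops a valid token minted for some other relying party of the same ADFS farm from logging a user into this one.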
Create a member group in Umbraco. I created a member group "mg".
Modify the ExternalLoginConfirmation method in the UmbracoIdentityAccountController class to add the new member to that member group when it is created.
[HttpPost]
[AllowAnonymous]
[ValidateAntiForgeryToken]
public async Task<ActionResult> ExternalLoginConfirmation(ExternalLoginConfirmationViewModel model, string returnUrl)
{
    if (User.Identity.IsAuthenticated)
    {
        // Go home, already authenticated
        return RedirectToLocal(returnUrl);
    }

    if (ModelState.IsValid)
    {
        // Get the information about the user from the external login provider
        // (the identity the WS-Federation middleware stored in the external sign-in cookie)
        var info = await OwinContext.Authentication.GetExternalLoginInfoAsync();
        if (info == null)
        {
            return View("ExternalLoginFailure");
        }

        // UserName and Email are taken from the confirmation form the user filled in,
        // not from the federated claims; only Name comes from the external identity.
        var user = new UmbracoApplicationMember()
        {
            Name = info.ExternalIdentity.Name,
            UserName = model.Email,
            Email = model.Email
        };
        var result = await UserManager.CreateAsync(user);
        if (result.Succeeded)
        {
            // Link the new member to the external (Azure AD) login so later sign-ins find it
            result = await UserManager.AddLoginAsync(user.Id, info.Login);
            if (result.Succeeded)
            {
                // Add the member to the "mg" member group created earlier
                ApplicationContext.Current.Services.MemberService.AssignRole(user.Id, "mg");
                await SignInAsync(user, isPersistent: false);
                // For more information on how to enable account confirmation and password reset please visit http://go.microsoft.com/fwlink/?LinkID=320771
                // Send an email with this link
                // string code = await UserManager.GenerateEmailConfirmationTokenAsync(user.Id);
                // var callbackUrl = Url.Action("ConfirmEmail", "Account", new { userId = user.Id, code = code }, protocol: Request.Url.Scheme);
                // SendEmail(user.Email, callbackUrl, "Confirm your account", "Please confirm your account by clicking this link");
                return RedirectToLocal(returnUrl);
            }
        }
        AddModelErrors(result);
    }

    ViewBag.ReturnUrl = returnUrl;
    return View(model);
}
Add UseWsFederationAuthentication in the UmbracoIdentityStartup class.
A later reply in this thread reports the following error with that step:
"A default value for SignInAsAuthenticationType was not found in IAppBuilder Properties. This can happen if your authentication middleware are added in the wrong order, or if one is missing."
and posts the ConfigureMiddleware override in which the app.UseWsFederationAuthentication call was added:
protected override void ConfigureMiddleware(IAppBuilder app)
{
    // Ensure OWIN is configured for Umbraco back office authentication. If you have any front-end OWIN
    // cookie configuration, this must be declared after it.
    app
        .UseUmbracoBackOfficeCookieAuthentication(ApplicationContext, PipelineStage.Authenticate)
        .UseUmbracoBackOfficeExternalCookieAuthentication(ApplicationContext, PipelineStage.Authenticate);

    // Enable the application to use a cookie to store information for the
    // signed in user and to use a cookie to temporarily store information
    // about a user logging in with a third party login provider
    // Configure the sign in cookie
    app.UseCookieAuthentication(new FrontEndCookieAuthenticationOptions
    {
        Provider = new CookieAuthenticationProvider
        {
            // Enables the application to validate the security stamp when the user
            // logs in. This is a security feature which is used when you
            // change a password or add an external login to your account.
            OnValidateIdentity = SecurityStampValidator
                .OnValidateIdentity<UmbracoMembersUserManager<UmbracoApplicationMember>, UmbracoApplicationMember, int>(
                    TimeSpan.FromMinutes(30),
                    (manager, user) => user.GenerateUserIdentityAsync(manager),
                    UmbracoIdentity.IdentityExtensions.GetUserId<int>)
        }
    }, PipelineStage.Authenticate);

    // WS-Federation middleware. No SignInAsAuthenticationType is set on the options and nothing
    // before this point registers a default (no UseExternalSignInCookie / SetDefaultSignInAsAuthenticationType
    // call), which is the condition the error message above describes.
    app.UseWsFederationAuthentication(
        new WsFederationAuthenticationOptions
        {
            MetadataAddress = "https://login.microsoftonline.com/myOwn/federationmetadata/2007-06/federationmetadata.xml",
            Wtrealm = "https://someUrl",
        });

    app.UseUmbracoPreviewAuthentication(ApplicationContext, PipelineStage.Authorize);
}
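The error comes from the WS-Federation middleware itself: when WsFederationAuthenticationOptions.SignInAsAuthenticationType is left empty, the middleware asks the IAppBuilder for the application-wide default sign-in type, and that default is only set by something like app.UseExternalSignInCookie(...) (or app.SetDefaultSignInAsAuthenticationType(...)) having run earlier in the pipeline. The following is an added example, not code posted by anyone in this thread, of a ConfigureMiddleware override that registers the external sign-in cookie before the WS-Fed middleware, pins the sign-in type explicitly anyway, and names the audience the tokens must carry. It assumes the UmbracoIdentity startup class and namespaces from the package template (UmbracoDefaultOwinStartup, FrontEndCookieAuthenticationOptions); the tenant id, realm, reply URL and the "AzureAD-WsFed" authentication type are placeholders you would replace with your own.

```csharp
// Added example, not the code posted in the thread: a ConfigureMiddleware override that avoids the
// "default value for SignInAsAuthenticationType" error and pins token validation. Tenant id, realm,
// reply URL and the "AzureAD-WsFed" authentication type are placeholders.
using System;
using System.IdentityModel.Tokens;
using System.Threading.Tasks;
using Microsoft.AspNet.Identity;
using Microsoft.AspNet.Identity.Owin;
using Microsoft.Owin.Extensions;
using Microsoft.Owin.Security.WsFederation;
using Owin;
using Umbraco.Web;
using Umbraco.Web.Security.Identity;   // UseUmbracoBackOffice* extensions (assumed namespace, Umbraco 7.3+)
using UmbracoIdentity;

public class UmbracoIdentityStartup : UmbracoDefaultOwinStartup
{
    protected override void ConfigureMiddleware(IAppBuilder app)
    {
        // Back-office cookies first, exactly as in the UmbracoIdentity template.
        app.UseUmbracoBackOfficeCookieAuthentication(ApplicationContext, PipelineStage.Authenticate)
           .UseUmbracoBackOfficeExternalCookieAuthentication(ApplicationContext, PipelineStage.Authenticate);

        // Front-end member cookie: the identity the member ends up with. Keep the
        // Provider/OnValidateIdentity (security-stamp validation) from the posted code here.
        app.UseCookieAuthentication(new FrontEndCookieAuthenticationOptions(), PipelineStage.Authenticate);

        // Temporary cookie that carries the external identity between the WS-Fed callback and
        // ExternalLoginConfirmation. This call also registers ExternalCookie as the default
        // SignInAsAuthenticationType, which is the "missing" middleware the error message refers to.
        app.UseExternalSignInCookie(DefaultAuthenticationTypes.ExternalCookie);

        app.UseWsFederationAuthentication(new WsFederationAuthenticationOptions
        {
            // Pin the sign-in type explicitly instead of relying on the default lookup above.
            SignInAsAuthenticationType = DefaultAuthenticationTypes.ExternalCookie,
            // AuthenticationType is what GetExternalLoginInfoAsync() reports as LoginProvider.
            AuthenticationType = "AzureAD-WsFed",
            Caption = "Azure AD",
            MetadataAddress = "https://login.microsoftonline.com/<tenant-id>/federationmetadata/2007-06/federationmetadata.xml",
            Wtrealm = "https://members.example.com/",
            Wreply = "https://members.example.com/",
            TokenValidationParameters = new TokenValidationParameters
            {
                // Reject tokens the same STS minted for another relying party.
                ValidAudience = "https://members.example.com/",
                ValidateAudience = true,
                ValidateIssuer = true   // valid issuers are filled in from the federation metadata
            },
            Notifications = new WsFederationAuthenticationNotifications
            {
                AuthenticationFailed = ctx =>
                {
                    // Do not leak validation details to the browser; log server-side and bounce to the login page.
                    ctx.HandleResponse();
                    ctx.Response.Redirect("/login?error=federation");
                    return Task.FromResult(0);
                }
            }
        });

        app.UseUmbracoPreviewAuthentication(ApplicationContext, PipelineStage.Authorize);
    }
}
```

Order matters because each sign-in cookie middleware is consulted only for requests that reach it, and the default sign-in type is a property on the app builder that must exist by the time the WS-Fed middleware is constructed. Setting SignInAsAuthenticationType explicitly makes the configuration survive someone later reordering or removing the UseExternalSignInCookie line, and the audience setting is the one check the metadata address alone does not give you.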
Single Sign on with Azure AD
Finally I was able to do this.
Steps
Install-Package UmbracoCms
Set up the Umbraco website
Install-Package UmbracoIdentity
Install-Package Microsoft.Owin.Security.WsFederation
In web.config, change owin:appStartup to UmbracoIdentityStartup
Create a member group in Umbraco. I created a member group "mg"
Modify the ExternalLoginConfirmation method in the UmbracoIdentityAccountController class to add the new member to that member group when it is created
Add UseWsFederationAuthentication in the UmbracoIdentityStartup class
You can get more details about registering an app in Azure AD from this link: http://www.cloudidentity.com/blog/2014/02/20/ws-federation-in-microsoft-owin-componentsa-quick-start/
Create a new template in Umbraco for user login.
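The last step is the only one the post leaves without code. The following is an added example, not code from the post or from the UmbracoIdentity project, of the two surface-controller actions a login template can post to: one that issues the WS-Federation challenge (so the member never types a password into Umbraco) and one that handles the return from Azure AD. It differs from the posted ExternalLoginConfirmation in taking the e-mail address from the federated claims rather than from a form the user fills in, checking that the external identity came through our own WS-Fed provider, and only following local return URLs. It assumes the middleware was registered with AuthenticationType "AzureAD-WsFed", that the member group is "mg", that Azure AD issues an emailaddress or upn claim, and that the controller is reachable at the usual surface-controller route; all of these are assumptions, not facts from the thread.

```csharp
// Added example, not code from the thread. A surface controller the login template posts to.
// Assumptions (placeholders): the WS-Fed middleware uses AuthenticationType "AzureAD-WsFed",
// the member group is "mg", and Azure AD issues an emailaddress or upn claim.
using System.Security.Claims;
using System.Threading.Tasks;
using System.Web;
using System.Web.Mvc;
using Microsoft.AspNet.Identity;
using Microsoft.AspNet.Identity.Owin;
using Microsoft.Owin;
using Microsoft.Owin.Security;
using Umbraco.Web.Mvc;
using UmbracoIdentity;

public class SsoLoginSurfaceController : SurfaceController
{
    const string Provider = "AzureAD-WsFed";   // must equal WsFederationAuthenticationOptions.AuthenticationType
    const string MemberGroup = "mg";
    // Surface controllers are routed under /umbraco/Surface/{ControllerNameWithoutSuffix}/{Action}
    const string CallbackPath = "/umbraco/Surface/SsoLoginSurface/Callback";

    IOwinContext Owin { get { return HttpContext.GetOwinContext(); } }
    UmbracoMembersUserManager<UmbracoApplicationMember> UserManager
    {
        get { return Owin.GetUserManager<UmbracoMembersUserManager<UmbracoApplicationMember>>(); }
    }

    // The login template renders a form (with the anti-forgery token) that posts here.
    // Challenge() makes the WS-Fed middleware turn the 401 into the wsignin1.0 redirect to Azure AD.
    [HttpPost, AllowAnonymous, ValidateAntiForgeryToken]
    public ActionResult SignIn(string returnUrl)
    {
        var props = new AuthenticationProperties
        {
            RedirectUri = CallbackPath + "?returnUrl=" + HttpUtility.UrlEncode(returnUrl ?? "/")
        };
        Owin.Authentication.Challenge(props, Provider);
        return new HttpUnauthorizedResult();
    }

    [HttpGet, AllowAnonymous]
    public async Task<ActionResult> Callback(string returnUrl)
    {
        var info = await Owin.Authentication.GetExternalLoginInfoAsync();
        // Accept only identities that our own WS-Fed middleware placed in the external cookie.
        if (info == null || info.Login.LoginProvider != Provider)
            return new HttpUnauthorizedResult();

        // Take the address from the federated claims, not from anything the user typed.
        var email = info.ExternalIdentity.FindFirstValue(ClaimTypes.Email)
                    ?? info.ExternalIdentity.FindFirstValue(ClaimTypes.Upn);
        if (string.IsNullOrEmpty(email))
            return new HttpStatusCodeResult(403, "token carries no email/upn claim");

        // Existing member for this external login? Otherwise provision one, once.
        var member = await UserManager.FindAsync(info.Login);
        if (member == null)
        {
            member = new UmbracoApplicationMember
            {
                Name = info.ExternalIdentity.Name ?? email,
                UserName = email,
                Email = email
            };
            var created = await UserManager.CreateAsync(member);
            if (!created.Succeeded) return new HttpStatusCodeResult(500, string.Join("; ", created.Errors));
            var linked = await UserManager.AddLoginAsync(member.Id, info.Login);
            if (!linked.Succeeded) return new HttpStatusCodeResult(500, string.Join("; ", linked.Errors));
            Services.MemberService.AssignRole(member.Id, MemberGroup);
        }

        // Swap the temporary external cookie for the real front-end member cookie.
        var identity = await member.GenerateUserIdentityAsync(UserManager);
        Owin.Authentication.SignOut(DefaultAuthenticationTypes.ExternalCookie);
        Owin.Authentication.SignIn(new AuthenticationProperties { IsPersistent = false }, identity);

        // Open-redirect guard: only follow local return URLs.
        return Redirect(Url.IsLocalUrl(returnUrl) ? returnUrl : "/");
    }
}
```

The template itself then needs nothing more than a form that posts to the SignIn action with @Html.AntiForgeryToken() and the current URL as returnUrl. Looking the member up by the external login (UserManager.FindAsync(info.Login)) rather than by e-mail is what keeps a second Azure AD account with a colliding address from being attached to an existing member.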
Is this recommended solution working for CMS admin user authentication with Azure AD? I have a similar requirement.
I'm not sure whether this is the recommended solution, but it worked for me. I have implemented this for members.
Great article...
Hi all, thanks for documenting this here. I would love to have some snippets available on install in the docs here: https://github.com/Shazwazza/UmbracoIdentity/wiki/External-Authentication-(OAuth)
Any chance anyone feels like contributing to these docs?