Copied to clipboard

Flag this post as spam?

This post will be reported to the moderators as potential spam to be looked at


  • Madura Silva 27 posts 79 karma points
    Jan 12, 2016 @ 04:02
    Madura Silva
    0

    Single Sign on with Azure AD

    Hi all,

    One of our client wants to implement SSO with Azure AD for member login. So they are asking few more details but I have no idea. I appreciate very much if someone can reply who know this implementation.

    Does Umbraco compatible with the ADFS 3.0 protocols such as being claims-aware and SAML ?

    They have suggest following workflow. implementation diagram

    1. External user hits Umbraco site.
    2. Authentication request redirection to published ADFS URL on ADFS proxy.
    3. ADFS proxy sends request to ADFS internal farm.
    4. User credentials checked against domain controller.
    5. If successful, ADFS sends STS (security token service) to clients browser. This is called a claim.
    6. Client sends claim from STS to Umbraco website allowing the user to authenticate.
    7. There is also a DirSync server we currently have on-premises that syncs selected AD user objects into Azure AD. This is for Office 365.
  • Madura Silva 27 posts 79 karma points
    Jan 31, 2016 @ 23:01
    Madura Silva
    0

    Finally I was able to do this.

    Steps

    Install-Package Umbracocms Setup Umbraco website Install-Package UmbracoIdentity

    Install-Package Microsoft.Owin.Security.WsFederation

    in web.config change the owin:appStartup to UmbracoIdentityStartup

      <add key="owin:appStartup" value="UmbracoIdentityStartup" />
    

    Create a member group in Umbraco. I created a member group "mg"

    Modify ExternalLoginConfirmation method in UmbracoIdentityAccountController class to add a member group when adding a new member.

    [HttpPost]
            [AllowAnonymous]
            [ValidateAntiForgeryToken]
            public async Task<ActionResult> ExternalLoginConfirmation(ExternalLoginConfirmationViewModel model, string returnUrl)
            {
                if (User.Identity.IsAuthenticated)
                {
                    //go home, already authenticated
                    return RedirectToLocal(returnUrl);
                }
    
                if (ModelState.IsValid)
                {
                    // Get the information about the user from the external login provider
                    var info = await OwinContext.Authentication.GetExternalLoginInfoAsync();
                    if (info == null)
                    {
                        return View("ExternalLoginFailure");
                    }
    
                    var user = new UmbracoApplicationMember()
                    {
                        Name = info.ExternalIdentity.Name,
                        UserName = model.Email,
                        Email = model.Email
    
                    };
    
    
                     var result = await UserManager.CreateAsync(user);
                    if (result.Succeeded)
                    {
                        result = await UserManager.AddLoginAsync(user.Id, info.Login);
    
                        if (result.Succeeded)
                        {
    
                            //add member  to the member group   
                        ApplicationContext.Current.Services.MemberService.AssignRole(user.Id, "mg");
    
                            await SignInAsync(user, isPersistent: false);
    
                            // For more information on how to enable account confirmation and password reset please visit http://go.microsoft.com/fwlink/?LinkID=320771
                            // Send an email with this link
                            // string code = await UserManager.GenerateEmailConfirmationTokenAsync(user.Id);
                            // var callbackUrl = Url.Action("ConfirmEmail", "Account", new { userId = user.Id, code = code }, protocol: Request.Url.Scheme);
                            // SendEmail(user.Email, callbackUrl, "Confirm your account", "Please confirm your account by clicking this link");
    
                            return RedirectToLocal(returnUrl);
                        }
                    }
                    AddModelErrors(result);
                }
    
                ViewBag.ReturnUrl = returnUrl;
                return View(model);
            }
    

    Add UseWsFederationAuthentication in UmbracoIdentityStartup class

    You can get more details about registering an app in Azure AD from this link http://www.cloudidentity.com/blog/2014/02/20/ws-federation-in-microsoft-owin-componentsa-quick-start/

    using Microsoft.Owin.Security.WsFederation;
    
     app.UseWsFederationAuthentication(
                    new WsFederationAuthenticationOptions
                    {
                        //MetadataAddress = "https://login.windows.net/azurefridays.onmicrosoft.com/federationmetadata/2007-06/federationmetadata.xml",
                        MetadataAddress = "https://login.windows.net/84ob4fo8-4a6c-44dc-afae-ob942fc14649/FederationMetadata/2007-06/FederationMetadata.xml",
                        Wtrealm = "http://myapps/wsfed",
    
    
                    });
    

    Create a new template in Umbraco for user login.

    @using Umbraco_UseAzureAD_2.Models.UmbracoIdentity
    @inherits Umbraco.Web.Mvc.UmbracoTemplatePage
    @{
        Layout = "Master.cshtml";
    }
    
    <div class="row">
        <div class="small-12 columns">
            <h2>Account</h2>
        </div>
    </div>
    
    
    
    <div class="row">
        <div class="small-12 columns">
            @Html.Partial("~/Views/UmbracoIdentityAccount/ExternalLoginsList.cshtml", new ExternalLoginListViewModel { Action = "ExternalLogin" })
    
        </div>
    </div>
    
  • Laurent 1 post 71 karma points
    Feb 17, 2016 @ 15:31
    Laurent
    0

    Is this recommended solution working for CMS admin users authentication with Azure AD? I have a similar requirement

  • Madura Silva 27 posts 79 karma points
    Mar 10, 2016 @ 00:54
    Madura Silva
    0

    I'm not sure is this a recommended solution but that worked for me. I have implemented this for members.

  • Jonas Thierry 10 posts 91 karma points notactivated
    Feb 09, 2018 @ 13:06
    Jonas Thierry
    0

    Great article...

    Im getting the error:

    A default value for SignInAsAuthenticationType was not found in IAppBuilder Properties. This can happen if your authentication middleware are added in the wrong order, or if one is missing.

    Im adding the app.useWsFederationAuthentication code here:

    protected override void ConfigureMiddleware(IAppBuilder app) {

            //Ensure owin is configured for Umbraco back office authentication. If you have any front-end OWIN
            // cookie configuration, this must be declared after it.
            app
                .UseUmbracoBackOfficeCookieAuthentication(ApplicationContext, PipelineStage.Authenticate)
                .UseUmbracoBackOfficeExternalCookieAuthentication(ApplicationContext, PipelineStage.Authenticate);
    
            // Enable the application to use a cookie to store information for the 
            // signed in user and to use a cookie to temporarily store information 
            // about a user logging in with a third party login provider 
            // Configure the sign in cookie
            app.UseCookieAuthentication(new FrontEndCookieAuthenticationOptions
            {
                Provider = new CookieAuthenticationProvider
                {
                    // Enables the application to validate the security stamp when the user 
                    // logs in. This is a security feature which is used when you 
                    // change a password or add an external login to your account.  
                    OnValidateIdentity = SecurityStampValidator
                        .OnValidateIdentity<UmbracoMembersUserManager<UmbracoApplicationMember>, UmbracoApplicationMember, int>(
                            TimeSpan.FromMinutes(30),
                            (manager, user) => user.GenerateUserIdentityAsync(manager),
                            UmbracoIdentity.IdentityExtensions.GetUserId<int>)
                }
            }, PipelineStage.Authenticate);
    
    
            app.UseWsFederationAuthentication(
             new WsFederationAuthenticationOptions
             {
                 MetadataAddress = "https://login.microsoftonline.com/myOwn/federationmetadata/2007-06/federationmetadata.xml",
                 Wtrealm = "https://someUrl",
    
    
             });
    
    
    
            app.UseUmbracoPreviewAuthentication(ApplicationContext, PipelineStage.Authorize);
    
    
    
        }
    
  • Shannon Deminick 1501 posts 5124 karma points hq
    Feb 27, 2018 @ 23:59
    Shannon Deminick
    0

    Hi all, thanks for documenting this here. I would love to have some snippets available on install in the docs here: https://github.com/Shazwazza/UmbracoIdentity/wiki/External-Authentication-(OAuth)

    Any chance anyone feels like contributing to these docs?

    • AzureAD integration and how to UseWsFederationAuthentication
    • How to modify the local account creation options (i.e. automatically add the member to a user group)
Please Sign in or register to post replies

Write your reply to:

Draft