
  • Gonçalo Chaves 14 posts 146 karma points
    Jul 20, 2018 @ 17:24
    Gonçalo Chaves
    0

    Custom umbraco backoffice authentication

    Hi all,

    We're trying to provide another way to authenticate users against the umbraco backoffice interface, but it is a special authentication flow that doesn't match any of the traditional OAuth ones.

    My question is: is the umbraco identity extensions (https://github.com/umbraco/UmbracoIdentityExtensions) project suitable for this type of customization? Is there any other, better approach for this type of custom authentication?

    Thank you all.

  • Gabe Alam 6 posts 96 karma points
    Aug 08, 2018 @ 19:19
    Gabe Alam
    0

    Have you made any progress with this? I'm also looking to use a custom authentication flow that we use for our internal applications.

  • Gonçalo Chaves 14 posts 146 karma points
    Aug 24, 2018 @ 13:40
    Gonçalo Chaves
    100

    Hi Gabe, thanks for your comment.

    Well, indeed ;) The old saying goes that if you don't have a dog you can hunt with a cat, right?

    So what did we do? The SSO service provider that we needed to integrate with umbraco backoffice user authentication works using the SAML2 protocol, which by itself isn't compatible with OAuth... or at least not without some dark-side magic on it... I guess.

    To start, we installed the umbraco identity extensions in order to have a way of developing the MyCustomPasswordChecker class that you can use to override the default umbraco backoffice authentication behaviour, like:

      // Set your own custom IBackOfficeUserPasswordChecker   
      userManager.BackOfficeUserPasswordChecker = new MyPasswordChecker();
    

    You can find the complete example of this implementation in the official documentation.

    Although the given options are quite limited (return valid credentials or leave it to fallback authentication), it's enough of a starting point to achieve your goal. So we developed two API services: GetSamlRequest and PostAndProcessSamlResponse. The first returns the request that is required to ask for a SAML SSO authentication flow, and we injected it into the umbraco back-office login view - with a little "umbrangular" you can do some great magic here. The user requests authentication and is redirected to the SSO provider's page and, after the authorization, the SSO provider posts to the second service.

    Now, with the SSO response, we can process it and determine if the user has the authorization, and we can then generate a special token with the required data to inject back into the login view... again with some "umbrangular" automagic, the form is now posted against the MyCustomPasswordChecker class to sort out the rest of the process. It either returns ValidCredentials or we pass on to the fallback mode for the umbraco backoffice handler as usual.

    If you need further details please let me know.

    Thank you all

  • Arun 5 posts 85 karma points
    Jun 18, 2019 @ 14:07
    Arun
    0

    Hi Gonçalo, I am trying to achieve the SSO authentication. Could you please provide a little more information on the configuration for SAML?

    In my case, our infrastructure team would take care of the SSO configuration and provide us the necessary user information (such as id, email etc) as claims.

    Kindly provide a little extra information on setting up the Umbraco backoffice for authentication and authorization. Is there any sample code that we could reuse?

    Appreciate your time.

    Thank you.

  • Gonçalo Chaves 14 posts 146 karma points
    Jul 06, 2019 @ 11:12
    Gonçalo Chaves
    0

    The flow: first, when the login page is loaded, you have to ask your middle man for the SAML request; this is the first step, to have the SAML request of your SSO provider ready to send. Then, if the user clicks on your SSO btn on the umbraco login page, you now have to perform the redirect to the SSO page with your previous request that you now have hidden in that btn. After the user performs the login on the SSO page, they'll POST you back into the second service you need. In this service, you will now decode the SAML response in order to find out if user/pass is ok, etc, etc, and then you generate a token for your internal umbraco login page and redirect the user again to your umbraco login page with that token. On the umbraco login page, if you find this token, you now call your third service to "auto logon" the user, validate your token, implement that custom backoffice password checker of umbraco, and pass the user through.

    You can try to look at https://github.com/gfchaves/AuthGovPTSaml; here you can find the first steps of the SAML protocol and the request itself.
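
The token handoff described in the posts above is the security-critical step, because the token passes through the browser before the password checker sees it. The following is an added example, not code from the thread or from Umbraco: a hypothetical `SsoHandoffToken` helper that signs the token with a server-side key and accepts it only once, only before it expires, and only for the user it was issued for. It assumes .NET Framework 4.6 or later and a single server (the replay cache is in memory).

```csharp
using System;
using System.Collections.Concurrent;
using System.Security.Cryptography;
using System.Text;
// Hypothetical helper, not an Umbraco type: mints and checks the handoff token.
public sealed class SsoHandoffToken
{
    private readonly byte[] _key;   // server-side secret, never sent to the browser
    private readonly TimeSpan _lifetime = TimeSpan.FromSeconds(60);
    // Nonces already accepted; prune expired entries in real use.
    private readonly ConcurrentDictionary<string, bool> _used = new ConcurrentDictionary<string, bool>();
    public SsoHandoffToken(byte[] key) { _key = key; }

    // Call only after the SAML response has been verified for this username.
    public string Issue(string username, DateTimeOffset now)
    {
        var payload = Convert.ToBase64String(Encoding.UTF8.GetBytes(username))
            + "|" + now.Add(_lifetime).ToUnixTimeSeconds() + "|" + Guid.NewGuid().ToString("N");
        return payload + "." + Convert.ToBase64String(Mac(payload));
    }

    // True only for an unmodified, unexpired, unused token issued for this username.
    public bool Validate(string token, string username, DateTimeOffset now)
    {
        var dot = (token ?? "").LastIndexOf('.');
        if (dot < 0) return false;
        var payload = token.Substring(0, dot);
        byte[] given;
        try { given = Convert.FromBase64String(token.Substring(dot + 1)); }
        catch (FormatException) { return false; }
        if (!FixedTimeEquals(given, Mac(payload))) return false; // verify MAC before parsing
        var parts = payload.Split('|');
        var issuedFor = Encoding.UTF8.GetString(Convert.FromBase64String(parts[0]));
        if (!string.Equals(issuedFor, username, StringComparison.Ordinal)) return false;
        if (now.ToUnixTimeSeconds() > long.Parse(parts[1])) return false;
        return _used.TryAdd(parts[2], true); // false when the nonce was already seen (replay)
    }

    private byte[] Mac(string s)
    {
        using (var h = new HMACSHA256(_key)) return h.ComputeHash(Encoding.UTF8.GetBytes(s));
    }

    private static bool FixedTimeEquals(byte[] a, byte[] b)
    {
        if (a.Length != b.Length) return false;
        var diff = 0;
        for (var i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }
}
```

In the custom password checker, the posted password value would be passed to `Validate` together with the username being logged in: return `ValidCredentials` when it succeeds, and fall back to the default checker otherwise so that normal password logins keep working.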
