Custom umbraco backoffice authentication
Hi all,
We're trying to provide another way to authenticate users against the Umbraco backoffice interface, but it is a special authentication flow that doesn't match any of the traditional OAuth ones.
My question is: is the Umbraco Identity Extensions (https://github.com/umbraco/UmbracoIdentityExtensions) project suitable for this type of customization? Is there any other best approach for this type of custom authentication?
Thank you all.
Have you made any progress with this? I'm also looking to use a custom authentication flow that we use for our internal applications.
Hi Gabe, thanks for your comment.
Well, indeed ;) Old-timers say that if you don't have a dog you can hunt with a cat, right?
So what did we do? The SSO service provider that we needed to integrate with the Umbraco backoffice user authentication works using the SAML2 protocol, which by itself isn't compatible with OAuth... or at least not without some dark-side magic on it... I guess.
To start, we've installed the Umbraco Identity Extensions in order to have a way of developing the MyCustomPasswordChecker class that you can use to override the default Umbraco backoffice authentication behaviour, like:
// Set your own custom IBackOfficeUserPasswordChecker
userManager.BackOfficeUserPasswordChecker = new MyPasswordChecker();
You can find the complete example of this implementation in the official documentation.
Although the given options are quite limited (return valid credentials or leave it to the fallback authentication), it's enough to start somewhere to achieve your goal. So we developed two API services: GetSamlRequest and PostAndProcessSamlResponse. The first returns the request that is required to ask for a SAML SSO authentication flow, and we injected it into the Umbraco back-office login view - with a little "umbrangular" you can do great magic here. The user requests authentication and is redirected to the SSO provider page, and after the authorization the SSO provider posts into the second service.
Now with the SSO response, we can process it and determine if the user has the authorization, and we can then generate a special token with the required data to inject back into the login view... again with some "umbrangular" automagic, the form is now posted against the MyCustomPasswordChecker class to sort out the rest of the process. It either returns ValidCredentials or we pass on to the fallback mode for the Umbraco backoffice handler as usual.
If you need further details please let me know.
Thank you all
Hi Gancalo, I am trying to achieve the SSO authentication. Could you please give a little more information on the configuration for SAML?
In my case, our infrastructure team would take care of the SSO configuration and provide us the necessary user information (such as id, email etc.) as claims.
Kindly provide a little extra information on setting up authentication and authorization in the Umbraco backoffice. Is there any sample code that we could reuse?
Appreciate your time.
Thank you.
The flow: first, when the login page is loaded, you have to request the SAML request from your middle man; this is the first step, so that the SAML request for your SSO provider is ready to send. Then, if the user clicks on your SSO button on the Umbraco login page, you now have to perform the redirect to the SSO page with your previous request, which you now have hidden in that button. After the user performs the login on the SSO page, they'll POST back to the second service you need. In this service, you will now decode the SAML response in order to find out if the user/pass is OK, etc., etc., and then you generate a token for your internal Umbraco login page and redirect the user again to your Umbraco login page with that token. On the Umbraco login page, if you find this token, you now call your third service to "auto logon" the user, validate your token, and implement that custom backoffice password checker of Umbraco, and pass the user through.
You can try to look at https://github.com/gfchaves/AuthGovPTSaml; here you can find the first steps of the SAML protocol and the request itself.
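The two replies above describe the hand-off between the SAML response handler and the custom password checker but not how the "special token" is built or checked. The following is an added example, my own code and not the poster's project nor the Umbraco codebase. It assumes the IBackOfficeUserPasswordChecker interface and BackOfficeUserPasswordCheckerResult enum from Umbraco 7's Umbraco.Core.Security namespace (as used by UmbracoIdentityExtensions); the token format, the SsoLoginToken and SsoTokenPasswordChecker names, and the shared secret are my assumptions. The token is an HMAC over the backoffice login plus an expiry, so it can only be used for the user the SAML response named, only for a short time, and only by a party holding the secret.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;
using System.Threading.Tasks;
using Umbraco.Core.Models.Identity;
using Umbraco.Core.Security;

// Hypothetical token issued by the PostAndProcessSamlResponse service once the
// SAML response has been validated: "<login>|<expiry-unix-seconds>|<hmac-hex>".
// The secret is shared only between that service and the checker below.
public static class SsoLoginToken
{
    public static string Issue(string login, DateTimeOffset expires, byte[] secret)
    {
        var payload = login + "|" + expires.ToUnixTimeSeconds();
        return payload + "|" + Sign(payload, secret);
    }

    // Returns true and the login only for an unexpired token with a valid MAC.
    public static bool TryValidate(string token, byte[] secret, DateTimeOffset now, out string login)
    {
        login = null;
        if (string.IsNullOrEmpty(token)) return false;
        var parts = token.Split('|');
        if (parts.Length != 3) return false;

        long expiryUnix;
        if (!long.TryParse(parts[1], out expiryUnix)) return false;
        if (DateTimeOffset.FromUnixTimeSeconds(expiryUnix) < now) return false; // expired

        var expected = Sign(parts[0] + "|" + parts[1], secret);
        // Constant-time compare so the MAC cannot be guessed byte by byte via timing.
        if (!FixedTimeEquals(Encoding.ASCII.GetBytes(expected), Encoding.ASCII.GetBytes(parts[2])))
            return false;

        login = parts[0];
        return true;
    }

    private static string Sign(string payload, byte[] secret)
    {
        using (var hmac = new HMACSHA256(secret))
            return BitConverter.ToString(hmac.ComputeHash(Encoding.UTF8.GetBytes(payload))).Replace("-", "");
    }

    // .NET Framework has no CryptographicOperations.FixedTimeEquals, so do it by hand.
    private static bool FixedTimeEquals(byte[] a, byte[] b)
    {
        if (a.Length != b.Length) return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }
}

// The login form posts the token in the password field (as in the thread); this
// checker accepts it only if it validates AND names the same user that is logging in.
public class SsoTokenPasswordChecker : IBackOfficeUserPasswordChecker
{
    private readonly byte[] _secret;

    public SsoTokenPasswordChecker(byte[] secret) { _secret = secret; }

    public Task<BackOfficeUserPasswordCheckerResult> CheckPasswordAsync(BackOfficeIdentityUser user, string password)
    {
        string login;
        if (SsoLoginToken.TryValidate(password, _secret, DateTimeOffset.UtcNow, out login)
            && string.Equals(login, user.UserName, StringComparison.OrdinalIgnoreCase))
        {
            return Task.FromResult(BackOfficeUserPasswordCheckerResult.ValidCredentials);
        }

        // Not an SSO token (or not a valid one): let Umbraco's normal membership check run,
        // exactly as the poster's fallback mode does.
        return Task.FromResult(BackOfficeUserPasswordCheckerResult.FallbackToDefaultChecker);
    }
}

// Wiring, in the same place as the thread's snippet (e.g. the OWIN startup):
//   userManager.BackOfficeUserPasswordChecker = new SsoTokenPasswordChecker(secret);
// Issuing, in the SAML response handler after the assertion has been verified:
//   var token = SsoLoginToken.Issue(samlLogin, DateTimeOffset.UtcNow.AddMinutes(2), secret);
```

Two things worth knowing when adapting this: the expiry keeps a leaked token from being useful for long, but the token is still replayable within that window, so a production version should also record the token (or a nonce inside it) as consumed on first use; and binding the token to the login means a user cannot take a token minted for one SAML identity and submit it with another backoffice username.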