I am trying to setup external login support (ADFS) on Umbraco 8.6.1.
Here is my OWIN startup:
// Registered as the OWIN startup class via the owin:appStartup key in web.config.
public class ConfigureOwinStartup
{
    public void Configuration(IAppBuilder app)
    {
        app.SanitizeThreadCulture();
        app.SetUmbracoLoggerFactory();

        // Configure back office users membership provider
        app.ConfigureUserManagerForUmbracoBackOffice(
            Umbraco.Core.Composing.Current.Services,
            Umbraco.Core.Composing.Current.Mapper,
            Umbraco.Core.Composing.Current.Configs.Settings().Content,
            Umbraco.Core.Composing.Current.Configs.Global(),
            Umbraco.Core.Security.MembershipProviderExtensions.GetUsersMembershipProvider().AsUmbracoMembershipProvider());

        // Ensure OWIN is configured for Umbraco back office authentication
        app.UseUmbracoBackOfficeCookieAuthentication(
            Umbraco.Web.Composing.Current.UmbracoContextAccessor,
            Umbraco.Web.Composing.Current.RuntimeState,
            Umbraco.Core.Composing.Current.Services.UserService,
            Umbraco.Core.Composing.Current.Configs.Global(),
            Umbraco.Core.Composing.Current.Configs.Settings().Security);

        app.UseUmbracoBackOfficeExternalCookieAuthentication(
            Umbraco.Web.Composing.Current.UmbracoContextAccessor,
            Umbraco.Web.Composing.Current.RuntimeState,
            Umbraco.Core.Composing.Current.Configs.Global());

        app.UseUmbracoPreviewAuthentication(
            Umbraco.Web.Composing.Current.UmbracoContextAccessor,
            Umbraco.Web.Composing.Current.RuntimeState,
            Umbraco.Core.Composing.Current.Configs.Global(),
            Umbraco.Core.Composing.Current.Configs.Settings().Security,
            PipelineStage.Authorize);

        // Configure additional back office authentication options
        app.ConfigureBackOfficeAdfsAuthentication();

        app.UseSignalR(Umbraco.Core.Composing.Current.Configs.Global());
        app.FinalizeMiddlewareConfiguration();
    }
}
And this is my ADFS extension:
// Enclosing static class; its name is not shown in the post, so it is assumed here.
public static class AdfsAuthenticationExtensions
{
    public static void ConfigureBackOfficeAdfsAuthentication(
        this IAppBuilder app,
        string caption = "AD FS",
        string style = "btn-microsoft",
        string icon = "fa-windows")
    {
        // All three values come from appSettings in web.config
        var adfsMetadataEndpoint = ConfigurationManager.AppSettings["AdfsMetadataEndpoint"];
        var adfsRelyingParty = ConfigurationManager.AppSettings["AdfsRelyingParty"];
        var adfsFederationServerIdentifier = ConfigurationManager.AppSettings["AdfsFederationServerIdentifier"];

        app.SetDefaultSignInAsAuthenticationType(Constants.Security.BackOfficeExternalAuthenticationType);

        var wsFedOptions = new WsFederationAuthenticationOptions
        {
            Wtrealm = adfsRelyingParty,
            MetadataAddress = adfsMetadataEndpoint,
            Caption = caption,
            Notifications = new WsFederationAuthenticationNotifications
            {
                SecurityTokenValidated = notification =>
                {
                    var upnClaim = notification.AuthenticationTicket.Identity.FindFirst(System.Security.Claims.ClaimTypes.Upn);
                    if (upnClaim == null)
                    {
                        return Task.FromResult(0);
                    }

                    // Add the email address to the Email claim of the identity, so that Umbraco's AutoLink
                    // feature works properly. (System.Security.Claims.ClaimTypes.Email is the same URI as
                    // System.IdentityModel.Claims.ClaimTypes.Email; one namespace is used for both lookups.)
                    notification.AuthenticationTicket.Identity.AddClaim(new Claim(System.Security.Claims.ClaimTypes.Email, upnClaim.Value));
                    return Task.FromResult(0);
                }
            },
            SignInAsAuthenticationType = Constants.Security.BackOfficeExternalAuthenticationType,
            // Reject tokens issued for a different relying party
            TokenValidationParameters = new TokenValidationParameters() { ValidAudience = adfsRelyingParty }
        };

        wsFedOptions.ForUmbracoBackOffice(style, icon);
        wsFedOptions.AuthenticationType = adfsFederationServerIdentifier;

        var autoLinkOptions =
            new ExternalSignInAutoLinkOptions(true, defaultUserGroups: null)
            {
                OnAutoLinking = (backOfficeIdentityUser, externalLoginInfo) =>
                {
                    // this callback will execute when the user is being auto-linked but before it is created
                    // so you can modify the user before it's persisted
                    throw new Exception("In auto linking");
                }
            };

        // AutoLink setup
        wsFedOptions.SetExternalSignInAutoLinkOptions(autoLinkOptions);

        app.UseWsFederationAuthentication(wsFedOptions);
    }
}
Everything seems to be OK; as you can see, I throw an exception myself (I cannot debug on localhost in this case).
The claim has the correct email address of the ADFS user, and the user exists in Umbraco (added manually before).
But what happens is that the Umbraco login form refreshes and the user is not logged in.
Umbraco ADFS is not logging in
Hello,
I need help! ;)
What can I try to do?
I got it all working for a while; the implementation itself was OK, but the issue was an empty role array returned from the ADFS provider.
Once we got the right roles, I could update the user roles during login and all was working fine.
Maybe I can help others with this.
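Following the reply above about the empty role array, here is an added example (not the poster's code and not Umbraco's own) of a notifications/auto-link pair that rejects a token carrying no usable role claims and maps the AD FS role values onto Umbraco user group aliases, so a missing or empty role set fails closed instead of leaving the login form refreshing. It assumes the poster's using directives plus System.Linq, System.Collections.Generic and System.Security.Claims, that AD FS issues roles under ClaimTypes.Role, that BackOfficeIdentityUser.AddRole and ExternalSignInAutoLinkOptions.OnExternalLogin exist in 8.6.1, and the AD FS group names on the left of the mapping are constructed.

```csharp
// Constructed AD FS role values -> Umbraco built-in user group aliases (assumed mapping).
private static readonly IDictionary<string, string> RoleToGroupAlias =
    new Dictionary<string, string>(StringComparer.OrdinalIgnoreCase)
    {
        { "Umbraco-Admins", "admin" }, { "Umbraco-Editors", "editor" }, { "Umbraco-Writers", "writer" }
    };

// Group aliases granted by the token; empty when AD FS sent no usable role claims.
private static string[] GroupAliasesFor(ClaimsIdentity identity)
{
    return identity.FindAll(ClaimTypes.Role)
        .Select(c => c.Value).Where(RoleToGroupAlias.ContainsKey)
        .Select(r => RoleToGroupAlias[r]).Distinct().ToArray();
}

private static WsFederationAuthenticationNotifications CreateNotifications()
{
    return new WsFederationAuthenticationNotifications
    {
        SecurityTokenValidated = notification =>
        {
            var identity = notification.AuthenticationTicket.Identity;
            var upn = identity.FindFirst(ClaimTypes.Upn);
            if (upn == null || GroupAliasesFor(identity).Length == 0)
            {
                // No UPN or an empty role array: fail closed with 403 instead of handing Umbraco an identity with no groups.
                notification.Response.StatusCode = 403;
                notification.HandleResponse();
                return Task.FromResult(0);
            }
            identity.AddClaim(new Claim(ClaimTypes.Email, upn.Value)); // what AutoLink matches on
            return Task.FromResult(0);
        }
    };
}

private static ExternalSignInAutoLinkOptions CreateAutoLinkOptions()
{
    return new ExternalSignInAutoLinkOptions(true)
    {
        // Runs once, before the auto-linked back office user is persisted (AddRole assumed to exist).
        OnAutoLinking = (user, loginInfo) =>
        {
            foreach (var alias in GroupAliasesFor(loginInfo.ExternalIdentity))
                user.AddRole(alias);
        },
        // Runs on every external login, linked users included; returning false cancels the sign-in.
        OnExternalLogin = (user, loginInfo) => GroupAliasesFor(loginInfo.ExternalIdentity).Length > 0
    };
}
```

Wire them in from the extension above with `Notifications = CreateNotifications()` and `wsFedOptions.SetExternalSignInAutoLinkOptions(CreateAutoLinkOptions())`.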
What roles from ADFS? Did they create roles specifically for Umbraco, for editor/admin/etc.? And what were the right roles? The aliases?
We got this fully functioning. I'm happy to share our source code if you need. Just send me a PM.
I would love to see exactly how, but I can't find a way to PM.
Hey Matthew, I think PMing is not an option on here.
I am also trying to get this to work. At this moment I can get the ADFS auth to work, but only if I first link an Umbraco member to the account.
My thought was that if a member does not exist, Umbraco should create it. The code never seems to hit the OnAutoLinking.
Do you have the full code for this anywhere?