  • Peter van den Dungen 66 posts 365 karma points
    May 01, 2020 @ 06:55
    Peter van den Dungen
    0

    Umbraco ADFS is not logging in

    Hello,

    I am trying to setup external login support (ADFS) on Umbraco 8.6.1.

    Here is my OWIN startup:

    using Microsoft.Owin.Extensions;    // PipelineStage
    using Owin;                         // IAppBuilder
    using Umbraco.Core.Configuration;   // Configs.Settings() / Configs.Global() extensions
    using Umbraco.Core.Security;        // AsUmbracoMembershipProvider()
    using Umbraco.Web;
    using Umbraco.Web.Security;

    public class ConfigureOwinStartup
    {
        public void Configuration(IAppBuilder app)
        {
            app.SanitizeThreadCulture();
            app.SetUmbracoLoggerFactory();

            // Configure back office users membership provider
            app.ConfigureUserManagerForUmbracoBackOffice(
                Umbraco.Core.Composing.Current.Services,
                Umbraco.Core.Composing.Current.Mapper,
                Umbraco.Core.Composing.Current.Configs.Settings().Content,
                Umbraco.Core.Composing.Current.Configs.Global(),
                Umbraco.Core.Security.MembershipProviderExtensions.GetUsersMembershipProvider().AsUmbracoMembershipProvider());

            // Ensure OWIN is configured for Umbraco back office authentication
            app.UseUmbracoBackOfficeCookieAuthentication(
                Umbraco.Web.Composing.Current.UmbracoContextAccessor,
                Umbraco.Web.Composing.Current.RuntimeState,
                Umbraco.Core.Composing.Current.Services.UserService,
                Umbraco.Core.Composing.Current.Configs.Global(),
                Umbraco.Core.Composing.Current.Configs.Settings().Security);

            // External (third-party) login cookie; the WS-Federation middleware below signs in against it
            app.UseUmbracoBackOfficeExternalCookieAuthentication(
                Umbraco.Web.Composing.Current.UmbracoContextAccessor,
                Umbraco.Web.Composing.Current.RuntimeState,
                Umbraco.Core.Composing.Current.Configs.Global());

            app.UseUmbracoPreviewAuthentication(
                Umbraco.Web.Composing.Current.UmbracoContextAccessor,
                Umbraco.Web.Composing.Current.RuntimeState,
                Umbraco.Core.Composing.Current.Configs.Global(),
                Umbraco.Core.Composing.Current.Configs.Settings().Security,
                PipelineStage.Authorize);

            // Configure additional back office authentication options (ADFS / WS-Federation)
            app.ConfigureBackOfficeAdfsAuthentication();

            app.UseSignalR(Umbraco.Core.Composing.Current.Configs.Global());

            app.FinalizeMiddlewareConfiguration();
        }
    }


    And this is my ADFS extension:

    using System;
    using System.Configuration;
    using System.Security.Claims;
    using System.Threading.Tasks;
    using Microsoft.IdentityModel.Tokens;           // TokenValidationParameters (Microsoft.Owin.Security.WsFederation 4.x)
    using Microsoft.Owin.Security.WsFederation;
    using Owin;                                     // IAppBuilder, SetDefaultSignInAsAuthenticationType
    using Umbraco.Core;                             // Constants
    using Umbraco.Web.Security;                     // ForUmbracoBackOffice, ExternalSignInAutoLinkOptions

    // The containing static class was not included in the post; the name here is assumed.
    public static class AdfsAuthenticationExtensions
    {
        public static void ConfigureBackOfficeAdfsAuthentication(
            this IAppBuilder app,
            string caption = "AD FS",
            string style = "btn-microsoft",
            string icon = "fa-windows")
        {
            // All three values come from <appSettings> in web.config
            var adfsMetadataEndpoint = ConfigurationManager.AppSettings["AdfsMetadataEndpoint"];
            var adfsRelyingParty = ConfigurationManager.AppSettings["AdfsRelyingParty"];
            var adfsFederationServerIdentifier = ConfigurationManager.AppSettings["AdfsFederationServerIdentifier"];

            app.SetDefaultSignInAsAuthenticationType(Constants.Security.BackOfficeExternalAuthenticationType);

            var wsFedOptions = new WsFederationAuthenticationOptions
            {
                Wtrealm = adfsRelyingParty,
                MetadataAddress = adfsMetadataEndpoint,
                Caption = caption,
                Notifications = new WsFederationAuthenticationNotifications
                {
                    // Runs after the SAML token has been validated and before the external cookie is issued
                    SecurityTokenValidated = notification =>
                    {
                        var upnClaim = notification.AuthenticationTicket.Identity.FindFirst(System.Security.Claims.ClaimTypes.Upn);

                        if (upnClaim == null)
                        {
                            return Task.FromResult(0);
                        }

                        // Add the email address to the Email Claim of the identity, so that Umbraco's AutoLink
                        // feature works properly. (System.IdentityModel.Claims.ClaimTypes.Email and
                        // System.Security.Claims.ClaimTypes.Email resolve to the same claim URI.)
                        notification.AuthenticationTicket.Identity.AddClaim(new Claim(System.IdentityModel.Claims.ClaimTypes.Email, upnClaim.Value));

                        return Task.FromResult(0);
                    }
                },
                SignInAsAuthenticationType = Constants.Security.BackOfficeExternalAuthenticationType,
                TokenValidationParameters = new TokenValidationParameters() { ValidAudience = adfsRelyingParty }
            };

            wsFedOptions.ForUmbracoBackOffice(style, icon);

            wsFedOptions.AuthenticationType = adfsFederationServerIdentifier;

            var autoLinkOptions =
                new ExternalSignInAutoLinkOptions(true, defaultUserGroups: null)
                {
                    OnAutoLinking = (backOfficeIdentityUser, externalLoginInfo) =>
                    {
                        // this callback will execute when the user is being auto-linked but before it is created
                        // so you can modify the user before it's persisted
                        // (deliberate: thrown to prove the callback runs, since localhost debugging is not possible here)
                        throw new Exception("In auto linking");
                    }
                };

            // AutoLink setup
            wsFedOptions.SetExternalSignInAutoLinkOptions(autoLinkOptions);

            app.UseWsFederationAuthentication(wsFedOptions);
        }
    }


    Everything seems to be OK; as you can see, I throw an exception myself (I cannot debug on localhost in this case).

    The claim has the correct email address of the ADFS user, and the user exists in Umbraco (added manually before).

    But what happens is that the Umbraco login form refreshes and the user is not logged in.

    I need help! ;)

    What can I try to do?

  • Peter van den Dungen 66 posts 365 karma points
    Jun 15, 2020 @ 07:11
    Peter van den Dungen
    101

    I got it all working for a while; the implementation itself was OK, but the issue was an empty role array returned from the ADFS provider.

    Once we got the right roles, I could update the user roles during login and all was working fine.

    Maybe I can help others with this.
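    To make the role issue from this reply concrete, here is an added example (not the poster's code, and not part of Umbraco itself) of auto-link options that map ADFS role claims to Umbraco back-office group aliases. The class name AdfsRoleMapping, the AdfsGroupClaimType app setting and the ADFS group names in the map are assumptions; the Umbraco types used (ExternalSignInAutoLinkOptions, BackOfficeIdentityUser, IUserService) are the Umbraco 8 ones the thread's code already relies on. When the token carries no role that the allow-list knows, a newly linked user is created without groups (the symptom described above) and an existing user is refused sign-in, rather than being silently granted whatever was there before.

    ```csharp
    using System;
    using System.Collections.Generic;
    using System.Configuration;
    using System.Linq;
    using System.Security.Claims;
    using Umbraco.Core.Composing;          // Current.Logger, Current.Services
    using Umbraco.Core.Models;             // ToReadOnlyGroup()
    using Umbraco.Web.Security;            // ExternalSignInAutoLinkOptions

    // Assumed helper (example only): maps ADFS role claims to Umbraco user-group aliases.
    public static class AdfsRoleMapping
    {
        // Allow-list: only roles listed here ever grant a back-office group.
        // Keys are the ADFS group/role values (assumed names); values are Umbraco group aliases.
        private static readonly IReadOnlyDictionary<string, string> RoleToGroup =
            new Dictionary<string, string>(StringComparer.OrdinalIgnoreCase)
            {
                ["UMB-Admins"] = "admin",
                ["UMB-Editors"] = "editor",
                ["UMB-Writers"] = "writer",
            };

        // ADFS usually issues group membership as the standard role claim type;
        // the app setting (assumed name) lets a custom claim type be used instead.
        private static string RoleClaimType =>
            ConfigurationManager.AppSettings["AdfsGroupClaimType"] ?? ClaimTypes.Role;

        // Returns the distinct Umbraco group aliases the identity is entitled to.
        // An empty list is the "empty role array" case from the thread.
        public static IReadOnlyList<string> MapGroups(ClaimsIdentity identity)
        {
            if (identity == null) return Array.Empty<string>();
            return identity.FindAll(RoleClaimType)
                .Select(c => c.Value)
                .Where(v => RoleToGroup.ContainsKey(v))
                .Select(v => RoleToGroup[v])
                .Distinct()
                .ToList();
        }

        public static ExternalSignInAutoLinkOptions CreateAutoLinkOptions()
        {
            return new ExternalSignInAutoLinkOptions(autoLinkExternalAccount: true, defaultUserGroups: null)
            {
                // First login of an unknown account: the user is created here.
                // Groups added to the identity user are persisted with it.
                OnAutoLinking = (backOfficeUser, loginInfo) =>
                {
                    var groups = MapGroups(loginInfo.ExternalIdentity);
                    foreach (var alias in groups)
                    {
                        backOfficeUser.AddRole(alias);
                    }
                    if (groups.Count == 0)
                    {
                        Current.Logger.Warn(typeof(AdfsRoleMapping),
                            "ADFS login for {Email} carried no mapped role claims; user created without groups",
                            loginInfo.Email);
                    }
                },

                // Every later login: re-sync persisted groups so a role revoked in ADFS
                // is revoked in Umbraco too. Returning false refuses the sign-in.
                OnExternalLogin = (backOfficeUser, loginInfo) =>
                {
                    var groups = MapGroups(loginInfo.ExternalIdentity);
                    if (groups.Count == 0) return false;   // deny by default: no mapped role, no access

                    var userService = Current.Services.UserService;
                    var user = userService.GetUserById(backOfficeUser.Id);
                    if (user == null) return false;

                    user.ClearGroups();
                    foreach (var alias in groups)
                    {
                        var group = userService.GetUserGroupByAlias(alias);
                        if (group != null) user.AddGroup(group.ToReadOnlyGroup());
                    }
                    userService.Save(user);
                    return true;
                }
            };
        }
    }
    ```

    Use it in place of the autoLinkOptions from the first post: `wsFedOptions.SetExternalSignInAutoLinkOptions(AdfsRoleMapping.CreateAutoLinkOptions());`. The allow-list is the important design choice: group assignment is driven only by roles you explicitly expect from ADFS, so an unexpected or empty role set degrades to "no access" instead of a user with unknown rights, and the warning in the log is the first thing to check when the login form just refreshes.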

  • Craciun Ovidiu Daniel 2 posts 72 karma points
    Oct 28, 2020 @ 12:04
    Craciun Ovidiu Daniel
    0

    What roles from ADFS? Did they create roles specifically for Umbraco, for editor/admin/etc.? And what were the right roles? The aliases?

  • matthew mcalister 12 posts 84 karma points
    Oct 28, 2020 @ 12:48
    matthew mcalister
    2

    We got this fully functioning. I'm happy to share our source code if you need. Just send me a PM.

  • Craciun Ovidiu Daniel 2 posts 72 karma points
    Oct 28, 2020 @ 13:05
    Craciun Ovidiu Daniel
    0

    I would love to see exactly how, but I can't find a way to PM.

  • Sjaak van der Heide 34 posts 106 karma points
    Jan 06, 2021 @ 07:43
    Sjaak van der Heide
    0

    Hey Matthew, I think PMing is not an option on here.

    I am also trying to get this to work. At this moment I can get the ADFS auth to work, but only if I first link an Umbraco member to the account.

    My thought was that if a member does not exist, Umbraco should create it. The code never seems to hit the OnAutoLinking.

  • matthew mcalister 12 posts 84 karma points
    Aug 24, 2020 @ 15:59
    matthew mcalister
    0

    do you have the full code for this anywhere?
