  • Søren Müller 3 posts 73 karma points
    Jan 14, 2021 @ 13:26

    umbraco user login external openid


    I'm trying to get user login to the backoffice to work with a third-party IDP. So far, I get a login button above the normal Umbraco login prompt. I get redirected to the third-party login page, and after login I get redirected back to Umbraco with a token. I should now be logged in, but instead it just goes to the login page again. I use the UmbracoCms.IdentityExtensions, Microsoft.Owin.Security.OpenIdConnect++.

    I have been banging my head for 2 days now, hoping someone has an idea..:-|

    My code so far:

    In UmbracoStandardOwinStartup::ConfigureUmbracoAuthentication(IAppBuilder app) I call:


    That function is here:

    public static void ConfigureBackOfficeKeycloakAuth(this IAppBuilder app, string clientId,
        string caption = "Login", string style = "btn-google", string icon = "fa-google")
    {
        app.UseCookieAuthentication(new CookieAuthenticationOptions
        {
            AuthenticationType = persistentAuthType
        });
        var identityOptions = new OpenIdConnectAuthenticationOptions
        {
            Caption = caption,
            Authority = "<auth url>",
            ClientId = clientId,
            RedirectUri = "https://localhost:44330/umbraco/",
            PostLogoutRedirectUri = "https://localhost:44330/Umbraco",
            ResponseType = "id_token token",
            Scope = "openid profile roles email",
            MetadataAddress = "<auth url>/realms/umbracoTest/.well-known/openid-configuration",
            SignInAsAuthenticationType = Constants.Security.BackOfficeExternalAuthenticationType
        };
        identityOptions.ForUmbracoBackOffice(style, icon);
        identityOptions.Caption = caption;
        // Fix Authentication Type
        identityOptions.AuthenticationType = "<auth url>";
        // Configure AutoLinking
        //var autoLinkOptions = new ExternalSignInAutoLinkOptions(true);  // autoLinkExternalAccount = true
        //autoLinkOptions.AllowManualLinking = false;
        //identityOptions.SetBackOfficeExternalLoginProviderOptions(new BackOfficeExternalLoginProviderOptions
        //{
        //    AutoRedirectLoginToExternalProvider = false,
        //    DenyLocalLogin = false, // if ANY external provider has this property set, local login will be disabled
        //    AutoLinkOptions = autoLinkOptions
        //});
        // not sure if necessary
        identityOptions.Notifications = new OpenIdConnectAuthenticationNotifications
        {
            SecurityTokenValidated = ClaimsTransformer.GenerateUserIdentityAsync
        };
    }

    and finally

    the ClaimsTransformer.GenerateUserIdentityAsync function:

    public static async Task GenerateUserIdentityAsync(
        SecurityTokenValidatedNotification<OpenIdConnectMessage, OpenIdConnectAuthenticationOptions> notification)
    {
        var id = notification.AuthenticationTicket.Identity;
        // we want to keep first name, last name, subject and roles
        var givenName = id.FindFirst(ClaimTypes.GivenName);
        if (givenName == null) givenName = id.FindFirst("name");
        var familyName = id.FindFirst(ClaimTypes.Surname);
        if (familyName == null) familyName = id.FindFirst("name");
        var email = id.FindFirst(ClaimTypes.Email);
        if (email == null) email = id.FindFirst(ClaimTypes.Upn);
        var roles = id.FindAll(ClaimTypes.Role);
        // create new identity and set name and role claim type
        var nid = new ClaimsIdentity( /* constructor arguments are cut off in the post */ );
        var emailclaim = new Claim(ClaimTypes.Email, email.Value);
        notification.AuthenticationTicket = new AuthenticationTicket(nid, notification.AuthenticationTicket.Properties);
    }

    Here all the values are correct, i.e. name, email, etc.

  • Daniel Martins 2 posts 22 karma points
    May 10, 2021 @ 09:42

    Having the same issue, any updates?
