Using that I was able to get to the point where I could see how to use the memberManager and signInManager to hand the Windows authentication stuff off to Umbraco. So I ended up with this:

    // Controller action; _memberManager and _signInManager are injected through the constructor.
    [HttpGet]
    public async Task<IActionResult> MemberLogin()
    {
        // Username from Windows Authentication, in domain format PLCHNET\\username
        var userName = User.Identity.Name;

        // See if the username has an Umbraco member account
        var user = await _memberManager.FindByNameAsync(userName);
        if (user == null)
        {
            throw new NotImplementedException("No member found");
        }

        // The member account exists, so sign the member in (non-persistent cookie)
        await _signInManager.SignInAsync(user, false);

        // Take the return URL from the query string, but only follow it when it is
        // local to this site, so a crafted link cannot send the user elsewhere
        var returnUrl = HttpContext.Request.Query["returnUrl"].ToString();
        return LocalRedirect(Url.IsLocalUrl(returnUrl) ? returnUrl : "/");
    }
Active Directory in Umbraco 9
I'm coming back to Umbraco after having been away for several years. My company had been using DNN for its intranet, but we've grown sick of it and are beginning a long process of rebuilding in Umbraco. The first issue that we face is how to log in our staff on the front end using our on-premise Active Directory. I've been looking around, and it seems as though most everything that I find is related to authenticating users to the back office.
Can anyone point me in the right direction?
As a follow up, I did find this topic that has some generalized steps in it. Can anyone tell me if the steps in the answer from Kevin Jump would still be the same basic principles for v9?
Hi Owen,
I can't see the topic you are talking about, but if it's the one I think it is (from quite a few years ago) then probably not 😔.
Authentication has changed quite a bit since v4/6 when I did some Active Directory integration; from memory that method involved a bit of hackery around role providers and the auth that the browser sent.
I really haven't done much AD / External auth on the later versions, so I can't say what would be the best way to achieve it now, but it probably involves some form of OWIN authentication.
There was an Umbraco Identity package for Umbraco 8 - but I think even that isn't the v9 way to do it, mainly because authentication is much more 'standard' asp.net core now.
This comment on the Umbraco Identity repo might have some good info in it:
https://github.com/umbraco/Umbraco-CMS/issues/10656#issuecomment-896245280
I noticed it has some Azure AD B2C auth setup in it so it might be a place to look?
I think the intention is that Umbraco works very much like any other asp.net core app, so if there is AD auth code out there for that, it might be you can use it for Umbraco?
Sorry I couldn't help any more - I've been out of the AD integration world for quite a while now.
Thanks Kevin! I'm apparently quite scatterbrained and completely failed to link to the topic, but I'm sure that it is the one you are thinking of, but just in case, for anyone else that stumbles on this I was referencing this post: https://our.umbraco.com/forum/umbraco-7/using-umbraco-7/61329-Using-Active-Directory-for-Members-without-Login-Dialog
The more I read stuff, I certainly get the same impression, that if I can find anything about AD auth for a normal .net core app that it should apply to v9 as well.
Thanks again! Owen
I finally figured out how to do this thanks in part to this excellent write up by Scott Brady: https://www.scottbrady91.com/umbraco/frontend-members-sso-openid-connect
Using that I was able to get to the point where I could see how to use the memberManager and signInManager to hand the Windows authentication stuff off to Umbraco. So I ended up with this:
Then on the login page I just placed a JS redirect to the path for that controller and appended the referring page as the return URL.
Note that this only works if the member already has an account created in Umbraco. Scott's write up shows how to create members as well, which was a huge help, but I separated it out into different controllers because I'm running an AD sync task in Hangfire to create/update member accounts.
Hope this helps!
Owen
Hi Owen, I'm new in NetCore and Umbraco. Can you provide a full working example for Active Directory Authentication?
Hi mv, I'm sorry I'm just now getting back to you, I didn't see a notification that you replied. There really isn't much else to go along with that code. The only thing missing from it is the dependency injection. I hope you were able to work it out, if not let me know what you're stuck on and I'll be happy to try to help out.
Hi Owen
I still can't see how to redirect to that action controller in the identity declaration in the Umbraco project. That's why I'm requesting a full working sample, since there are many things playing together.
Regards
Hello mvbressler, I'm struggling with the same problem. Do you have a full working example with AD integration for the backend users?
Hi Klaus,
To call the login action I created a login template with the following code:
All that is doing is redirecting to that controller and action, and then setting the return URL in the query string. That's really it as far as the actual login goes. As I mentioned above I also used Scott's blog to be able to create members so that this login would work. I chose to have that be a separate process, but you could just as easily have it create/update the members on login.
Let me know if you have any questions!
Owen
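Added example (not part of the original thread, and not Owen's template code): one way to write the login-page redirect described above so that the referring page is only passed along as the return URL when it belongs to the same site. The route `/member-login` and the host `intranet.example` are placeholders made up for this sketch.

```javascript
// LOGIN_PATH is a hypothetical route for the MemberLogin action; use your own.
const LOGIN_PATH = "/member-login";

// Reduce a referrer to a same-site path (+ query and hash). Anything empty,
// unparsable, or pointing at another origin falls back to "/".
function safeReturnPath(candidate, siteOrigin) {
  if (!candidate) return "/";
  let url;
  try {
    // Relative values are resolved against the site itself.
    url = new URL(candidate, siteOrigin);
  } catch {
    return "/";
  }
  // Rejects other hosts, protocol-relative "//host" values and javascript: URLs.
  if (url.origin !== new URL(siteOrigin).origin) return "/";
  // Never send the user back to the login action itself (redirect loop).
  if (url.pathname === LOGIN_PATH) return "/";
  return url.pathname + url.search + url.hash;
}

// Build the relative URL the login page redirects to.
function buildLoginRedirect(referrer, siteOrigin) {
  const target = new URL(LOGIN_PATH, siteOrigin);
  target.searchParams.set("returnUrl", safeReturnPath(referrer, siteOrigin));
  return target.pathname + target.search;
}

// In the browser: run the redirect. Skipped when the file is loaded outside one.
if (typeof window !== "undefined") {
  window.location.replace(
    buildLoginRedirect(document.referrer, window.location.origin)
  );
}
```

The browser-side check only keeps the link tidy; the controller must still validate `returnUrl` itself, because the query string can be edited by whoever builds the link.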