Active Directory authentication for Back Office (not Azure AD)
We are setting up an Umbraco site (version 11) as our company's intranet. I've managed to get autologin working with Active Directory for members on the front end, but now I'm trying to figure out how to accomplish the same for the back office.
I'm currently using the BackOfficePasswordChecker as a way to just check if the account username exists and, if so, log that person in. This is fine while we are in development and only our devs are accessing the backend, but we'll need something better once we start having other members of our staff using the back office.
I did find this topic https://our.umbraco.com/forum/using-umbraco-and-getting-started/109117-active-directory-windows-authentication-for-umbraco-9 that shows a better way of using the password checker to actually verify that the information typed in matches the Windows login, but I would prefer our staff not have to re-enter anything.
My ideal way would be a true auto-login where, as long as there was a back-office user already created for the staff member, they would go straight to the back office. Alternatively, if there is a way to populate the user's email into the textbox on the login page, I would be OK with that showing up pre-populated, so that all the user had to do was click the login button.
Thanks for any help, Owen
I don't know if this is still relevant to you, but I created such a login mechanism for Umbraco 8. I've just updated it for Umbraco 11.
You'll need to install an OpenID server - I've made one with OpenIddict here. You'll need to customize it. In particular, since I didn't want to return every group a user might be a member of, I do some group filtering before attaching them to the OpenID claims. You can list out every Active Directory group that matters, or use wildcards. My intranet server isn't configured to use SSL, so you'll maybe want to remove DisableTransportSecurityRequirement() in IdentityServer.cs if yours is.
Next, I posted a gist here containing the code you'll need to add OpenID SSO to Umbraco 11. You will need App_Code\IdentityServerAuthenticationExtension.cs and App_Code\IdentityServerProviderOptions.cs. Again, I don't have SSL configured, so I commented the place in IdentityServerAuthenticationExtension where it matters.
You will also need to install the NuGet package Microsoft.AspNetCore.Authentication.OpenIdConnect.
There are a few things to be aware of. In IdentityServerProviderOptions, the main thing it does is try to match Umbraco groups by name to Active Directory groups. If there's a match, it adds the user to the Umbraco group. If the user ends up with no Umbraco groups, they cannot log in. If a user without any valid groups tries to log in using IdentityServer, they still get an account made for them in the back office, but it is in a disabled state and thus they cannot log in.
The settings in the IdentityServer section I added to Umbraco's appsettings.json are as follows:
Authority = the path where you installed IdentityServer
Name = your organization's name
ClientId = identifying name for the client (which is Umbraco). IdentityServer doesn't care, so it can be whatever.
ClientSecret = a shared secret for the client, per the OpenID protocol. Since IdentityServer doesn't care, it can be whatever.
AutoRedirectLoginToExternalProvider = whether or not you want a login form displayed. Set to true and Umbraco will attempt to bypass the login form and log the user in to the back office via IdentityServer.
In Startup.cs, add .AddIdentityServerBackofficeAuthentication(_config) after .AddBackOffice(). In order to make cookies work correctly in a non-SSL environment, I have to set SameSite mode to Strict.
Lastly, I have a complete example posted here: https://github.com/auroris/Umbraco11SSO
I hope this is helpful to someone.
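As an added illustration (not code from the gist or the Umbraco11SSO repository), here is how the group rule described above can be expressed with Umbraco 11's BackOfficeExternalLoginProviderOptions: Active Directory groups arriving in the OpenID claims are matched, wildcards allowed, against a mapping to Umbraco group aliases, and a user with no match is still created but left unapproved so the back office rejects the login. The scheme name "IdentityServer", the "groups" claim type and the GroupMap entries are assumptions.

```csharp
using System;
using System.Linq;
using System.Text.RegularExpressions;
using Microsoft.Extensions.Options;
using Umbraco.Cms.Core;
using Umbraco.Cms.Web.BackOffice.Security;

// Hypothetical options class (not from the gist): maps the OpenID "groups" claim onto
// Umbraco user groups. A user with no matching group still gets an account, but it is
// left unapproved so the back office rejects the login.
public class AdGroupExternalLoginOptions
    : IConfigureNamedOptions<BackOfficeExternalLoginProviderOptions>
{
    public const string SchemeName = "IdentityServer"; // assumed scheme name of the OIDC login

    // Assumed mapping: AD group pattern ('*' = any run of characters) -> Umbraco group alias.
    private static readonly (string Pattern, string UmbracoGroup)[] GroupMap =
    {
        ("Intranet-Editors",  Constants.Security.EditorGroupAlias),
        ("Intranet-Admins-*", Constants.Security.AdminGroupAlias),
    };

    public void Configure(string? name, BackOfficeExternalLoginProviderOptions options)
    {
        if (name == Constants.Security.BackOfficeExternalAuthenticationTypePrefix + SchemeName) Configure(options);
    }

    public void Configure(BackOfficeExternalLoginProviderOptions options)
    {
        options.AutoLinkOptions = new ExternalSignInAutoLinkOptions(
            autoLinkExternalAccount: true, defaultUserGroups: Array.Empty<string>())
        {
            // Runs once, when the back-office account is first created for this external login.
            OnAutoLinking = (user, loginInfo) =>
            {
                var adGroups = loginInfo.Principal.FindAll("groups").Select(c => c.Value);
                var matched = adGroups
                    .SelectMany(g => GroupMap.Where(m => GlobMatches(m.Pattern, g)))
                    .Select(m => m.UmbracoGroup).Distinct().ToList();
                foreach (var alias in matched) user.AddRole(alias);
                user.IsApproved = matched.Count > 0; // no group: account exists but is disabled
            },
            // Runs on every external login; returning false rejects the sign-in.
            OnExternalLogin = (user, loginInfo) => user.IsApproved && user.Roles.Any(),
        };
        options.AutoRedirectLoginToExternalProvider = true; // skip the login form entirely
    }

    private static bool GlobMatches(string pattern, string value) =>
        Regex.IsMatch(value, "^" + Regex.Escape(pattern).Replace(@"\*", ".*") + "$",
                      RegexOptions.IgnoreCase);
}
```

Register it next to the gist's extension with services.ConfigureOptions<AdGroupExternalLoginOptions>(); the scheme name must match the one passed to AddOpenIdConnect, or the Configure(name, ...) guard never fires.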