Support for separate user accounts and internal organizational accounts via ADFS in MVC5

We've built a new (near successful pilot) .NET web application that uses individual accounts. All identity management is working fine. The app is intended for company employees only, but it must be accessible to them from outside. Identity roles (security levels) and claims (user attributes) are managed in the application.

The requirements now call for SSO if the user is on a Windows machine (and is logged on to the domain), and for the ability to sign in to the application and authenticate against Active Directory if he has not already been authenticated through Windows (or is on a non-Windows device). Login with external accounts like Facebook is not active (although OWIN is installed).

Just to be clear about the goals: the user account exists in the application, and roles and claims are managed by the application owner from within the application, not in AD by IT. If the user is already logged on to their Windows computer, the credentials are recognized by the application and the login page is not required. If the user is not logged on to Windows (VPN is not available, or they are on a non-Windows device), they are redirected to a login page that authenticates against Active Directory.

The application uses all the latest versions of MVC 5.2, EF 6.1 and Identity 2.1.

I found information about setting up Azure and also about using on-premises ADFS with a proxy, but I still don't have complete information on how to merge user credentials and claims from AD while still using my local user account roles and claims.

How do I set up authentication? What links an individual user account to an AD account?

Any links and specific setup steps are greatly appreciated.



2 answers

In the case of using ADFS, it replaces your login page. Think of it as if it were a Facebook login. When the user comes from outside, the ADFS server will not get Windows authentication, so it will present its own login page. You don't have to implement anything.

The only important parts are: the ADFS server's web interface needs to be published to the internet, and both your application and the ADFS login website need SSL.

Your entire application is redirected to and from the ADFS server, same as the default Facebook login.

Also consider the new OWIN federated login middleware. This makes it a lot easier than the old web.config monster the project template uses. It works the same way as social logins.
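As an added illustration (not code from this answer or from the asker's project): wiring the OWIN WS-Federation middleware as an external login beside ASP.NET Identity's individual accounts, and linking the ADFS identity to the existing local user in the callback so that roles and claims keep coming from the local store. It assumes the MVC 5 template's AccountController members (UserManager, SignInManager, AuthenticationManager, RedirectToLocal), placeholder ADFS metadata and realm URLs, and that local accounts were registered with the user's UPN as their email.

```csharp
using System.Security.Claims;
using System.Threading.Tasks;
using System.Web.Mvc;
using Microsoft.AspNet.Identity;
using Microsoft.AspNet.Identity.Owin;
using Microsoft.Owin;
using Microsoft.Owin.Security.Cookies;
using Microsoft.Owin.Security.WsFederation;
using Owin;

public partial class Startup
{
    // Startup.Auth.cs: the application cookie stays the session; ADFS is wired as an
    // *external* login (like Facebook), so the WS-Federation token only proves identity.
    public void ConfigureAuth(IAppBuilder app)
    {
        app.UseCookieAuthentication(new CookieAuthenticationOptions
        {
            AuthenticationType = DefaultAuthenticationTypes.ApplicationCookie,
            LoginPath = new PathString("/Account/Login")
        });
        app.UseExternalSignInCookie(DefaultAuthenticationTypes.ExternalCookie);
        app.UseWsFederationAuthentication(new WsFederationAuthenticationOptions
        {   // Placeholder values: ADFS federation metadata URL and the realm (relying-party id) registered for this app.
            MetadataAddress = "https://adfs.example.com/FederationMetadata/2007-06/FederationMetadata.xml",
            Wtrealm = "https://app.example.com/",
            AuthenticationType = "ADFS",
            SignInAsAuthenticationType = DefaultAuthenticationTypes.ExternalCookie
        });
    }
}

public partial class AccountController : Controller
{
    // Callback after ADFS posts the token back (replaces the template's ExternalLoginCallback). The AD-to-local
    // link is the AspNetUserLogins row (LoginProvider "ADFS" + the token's NameIdentifier); roles and claims stay local.
    public async Task<ActionResult> ExternalLoginCallback(string returnUrl)
    {
        var info = await AuthenticationManager.GetExternalLoginInfoAsync();
        if (info == null) return RedirectToAction("Login");
        var user = await UserManager.FindAsync(info.Login);          // already linked?
        if (user == null)
        {   // First federated sign-in: match the UPN claim ADFS issued against an existing local
            // account (assumed: UPN registered as the account email). Nothing is auto-created.
            var upn = info.ExternalIdentity.FindFirstValue(ClaimTypes.Upn);
            user = upn == null ? null : await UserManager.FindByEmailAsync(upn);
            if (user == null) return View("ExternalLoginFailure");
            await UserManager.AddLoginAsync(user.Id, info.Login);   // persist the link
        }
        await SignInManager.SignInAsync(user, isPersistent: false, rememberBrowser: false);
        return RedirectToLocal(returnUrl);
    }
}
```

The UPN claim must be issued by a claim rule on the ADFS relying-party trust; without it the first sign-in falls through to ExternalLoginFailure rather than silently creating an unlinked account.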



Btw: you can also use Auth0 if you want to implement some more complex login scenarios without all the headaches that come with it.

They provide a very cool service, though I don't like to rely on a third-party web service for such an important piece of my software. If the web service is not available, my application does nothing. So it might be better to go the extra mile and implement it yourself.


