How do you manually set a logged in Identity User?

I am using ASP.NET Identity with an ADFS server. For development purposes, I want to avoid using the ADFS server when I'm in a network environment where I can't reach the ADFS server. That's why I added a simple controller action in my HomeController that manually sets the currently logged in user:

    using System.Collections.Generic;
    using System.Security.Claims;
    using System.Web.Mvc;

    #if DEBUG
    [AllowAnonymous]
    public ActionResult LogIn()
    {
        // Debug-only login: build a ClaimsPrincipal by hand and set it as the current user.
        var claims = new List<Claim>();
        claims.Add(new Claim(ClaimTypes.NameIdentifier, "tester"));

        System.Web.HttpContext.Current.User = new ClaimsPrincipal(new ClaimsIdentity(claims));
        System.Threading.Thread.CurrentPrincipal = System.Web.HttpContext.Current.User;

        return Redirect("Home/Index");
    }
    #endif

And the Owin Configuration method:

    using Microsoft.Owin.Security.Cookies;
    using Microsoft.Owin.Security.WsFederation;
    using Owin;

    public void Configuration(IAppBuilder app)
    {
        app.SetDefaultSignInAsAuthenticationType(CookieAuthenticationDefaults.AuthenticationType);

        app.UseCookieAuthentication(new CookieAuthenticationOptions() { });

        app.UseWsFederationAuthentication(
            new WsFederationAuthenticationOptions
            {
                Wtrealm = realm,               // realm and adfsMetadata are defined elsewhere in the project
                MetadataAddress = adfsMetadata
            });
    }

Commenting out the part where I use WsFederation Authentication is no problem, that way there is no link to my current ADFS server.

The problem: When I'm redirected to the Home/Index action (that has the Authorize attribute), ASP.NET Identity doesn't recognize my ClaimsPrincipal as a valid login, so I'm redirected to the Home/Login action, which creates a loop between Home/Login and Home/Index constantly.

My question: how do I make ASP.NET accept the ClaimsPrincipal created above as a valid login?

yesman asked Jul 14 '16 09:07

1 Answer

Problem with your approach - the cookie is not set, so the user information is not preserved across the HTTP requests. Your approach works only within a single call (there are uses for that, but not for you).

You can still use IAuthenticationManager from OWIN to set the cookie:

    using System.Security.Claims;
    using System.Web;
    using System.Web.Mvc;
    using Microsoft.Owin.Security;

    #if DEBUG
    [AllowAnonymous]
    public ActionResult LogIn()
    {
        // The authentication type passed here must match the cookie middleware's AuthenticationType.
        var identity = new ClaimsIdentity("ApplicationCookie", ClaimsIdentity.DefaultNameClaimType, ClaimsIdentity.DefaultRoleClaimType);
        identity.AddClaim(new Claim("http://schemas.microsoft.com/accesscontrolservice/2010/07/claims/identityprovider", "Active Directory"));
        identity.AddClaim(new Claim(ClaimTypes.Name, "Testy McTestface"));
        identity.AddClaim(new Claim(ClaimTypes.NameIdentifier, "testUser"));

        // Sign in through OWIN so the cookie middleware issues the authentication cookie.
        IAuthenticationManager authenticationManager = HttpContext.GetOwinContext().Authentication;
        authenticationManager.SignOut("ApplicationCookie");
        authenticationManager.SignIn(new AuthenticationProperties() { IsPersistent = false }, identity);

        return Redirect("Home/Index");
    }
    #endif

You will need the NuGet packages Microsoft.Owin.Security.Cookies and Microsoft.Owin.Host.SystemWeb. See more explanations in my blog-post about authentication with AD.

You will also need to make sure CookieAuthenticationMiddleware is configured correctly:

    using System;
    using Microsoft.Owin;
    using Microsoft.Owin.Security.Cookies;
    using Microsoft.Owin.Security.WsFederation;
    using Owin;

    public void Configuration(IAppBuilder app)
    {
        // The default sign-in type is the one the WS-Federation middleware hands its identity to;
        // it has to equal the cookie middleware's AuthenticationType, otherwise the cookie
        // middleware ignores the identity signed in after an ADFS login.
        app.SetDefaultSignInAsAuthenticationType("ApplicationCookie");

        app.UseCookieAuthentication(new CookieAuthenticationOptions
        {
            AuthenticationType = "ApplicationCookie", // must match the ClaimsIdentity constructor in LogIn
            LoginPath = new PathString("/Home/Login"),
            Provider = new CookieAuthenticationProvider(),
            CookieName = "ApplicationCookie",
            CookieHttpOnly = true,
            ExpireTimeSpan = TimeSpan.FromHours(1),
        });

        app.UseWsFederationAuthentication(
            new WsFederationAuthenticationOptions
            {
                Wtrealm = realm,               // realm and adfsMetadata are defined elsewhere in the project
                MetadataAddress = adfsMetadata
            });
    }

Especially pay attention to the AuthenticationType value - it must match the value in the ClaimsIdentity constructor. Otherwise the cookie will not be set, or you won't be able to log out.

trailmax answered Oct 11 '22 10:10
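As an added example (not code from the question, the answer, or the author's project): the OWIN startup and the debug login combined, with one shared constant for the authentication type so the cookie middleware, the WS-Federation hand-off (SignInAsAuthenticationType set explicitly) and the debug sign-in cannot drift apart, and with the fake login refused for anything but a local request even in a debug build. The AuthTypes class is an assumed helper, and the realm and metadata URL are placeholders.

```csharp
using System;
using System.Security.Claims;
using System.Web;
using System.Web.Mvc;
using Microsoft.Owin;
using Microsoft.Owin.Security;
using Microsoft.Owin.Security.Cookies;
using Microsoft.Owin.Security.WsFederation;
using Owin;
// Assumed helper: single source of truth for the cookie authentication type.
public static class AuthTypes { public const string ApplicationCookie = "ApplicationCookie"; }
public class Startup
{
    public void Configuration(IAppBuilder app)
    {
        app.SetDefaultSignInAsAuthenticationType(AuthTypes.ApplicationCookie);
        app.UseCookieAuthentication(new CookieAuthenticationOptions
        {
            AuthenticationType = AuthTypes.ApplicationCookie,  // same value the ClaimsIdentity below uses
            LoginPath = new PathString("/Home/Login"),
            CookieHttpOnly = true,
            CookieSecure = CookieSecureOption.Always,          // never send the session cookie over plain HTTP
            ExpireTimeSpan = TimeSpan.FromHours(1),
        });
        app.UseWsFederationAuthentication(new WsFederationAuthenticationOptions
        {
            Wtrealm = "urn:placeholder-realm",                 // placeholder, not a real relying party
            MetadataAddress = "https://adfs.example.invalid/FederationMetadata/2007-06/FederationMetadata.xml",
            SignInAsAuthenticationType = AuthTypes.ApplicationCookie, // explicit hand-off to the cookie middleware
        });
    }
}
public class HomeController : Controller
{
#if DEBUG
    [AllowAnonymous]
    public ActionResult Login()
    {
        if (!Request.IsLocal) return new HttpStatusCodeResult(403); // fake login only from the local machine
        var identity = new ClaimsIdentity(AuthTypes.ApplicationCookie, ClaimTypes.Name, ClaimTypes.Role);
        identity.AddClaim(new Claim(ClaimTypes.NameIdentifier, "tester"));
        identity.AddClaim(new Claim(ClaimTypes.Name, "Local test user"));
        IAuthenticationManager auth = HttpContext.GetOwinContext().Authentication;
        auth.SignOut(AuthTypes.ApplicationCookie);             // drop any stale cookie first
        auth.SignIn(new AuthenticationProperties { IsPersistent = false }, identity);
        return RedirectToAction("Index");                      // Index carries [Authorize]; the cookie satisfies it
    }
#endif
}
```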