We have configured Client App to use IdentityServer3 authentication via OpenID Connect protocol (it's ASP.NET MVC App that uses OWIN middleware to support OIDC).
The IdentityServer3 itself is configured to use both local login and external login (Azure AD, for instance).
In the regular flow once App need to authenticate user it redirects him to the IdentityServer3 login screen - it's fine. But in some cases, on per-request basis, I want to bypass login screen by somehow letting IdentityServer3 know that user want to login with specific external identity provider right away.
Is that possible to do?
Just found the solution in the IdentityServer3's Authorization/Authentication Endpoint documentation!
acr_values (optional) allows to pass additional authentication related information to the user service - there are also values with special meaning: idp:name_of_idp bypasses the login/home realm screen and forwards the user directly to the selected identity provider (if allowed per client configuration) tenant:name_of_tenant can be used to pass a tenant name to the user service
How to pass additional parameters using OWIN OpenID Connect middleware: https://katanaproject.codeplex.com/workitem/325
Here is the sample of the authorization request:
I know this is old but thought I'd still put this here to help someone out if they want to automatically redirect to an external login:
public override Task PreAuthenticateAsync(PreAuthenticationContext context)
{
context.SignInMessage.IdP = "windows";
return base.PreAuthenticateAsync(context);
}
You can basically override the PreAuthenticateAsync on UserServiceBase and change the property IdP on the context.SignInMessage to be the external providers name that has been setup in your startup. And this will redirect.
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With