SSO with Azure ADFS and OWIN

Question

Thank you for providing help. I have a site that can authenticate with Active Directory Federated Services for Single Sign On. Currently, the way my site works is that, by default, when a user hits my site, my code attempts to log then into SSO (I use the OWIN library for this). If the user is not on our network, it fails to authenticate, and they are redirected to my companies login page, where they can provide their company credentials.

I would like to change this behavior, though. Instead, when the user hits my page, if they authenticate, it should continue as normal and they should be redirected to my site. But, if they do not authenticate, I do not want them redirected to our login page. instead, I want them to be redirected back to my site, where my code will determine what they can and cannot do on the site. I then would want to provide a link, so that they could decide to go to the login page.

I want this behavior because the majority of users of this site will not be a part of the companies network and will not be able to authenticate. SO, they should, by default, just see our home page. But, there may be times when a company member might be working from home, so wont be on our network to auto authenticate. In this case, they would then use the link that sends them to the Azure login page.

Here is the code that I am currently using (site is ASP.net, form web page (not MVC)):

Startup.Auth.vb:

Partial Public Class Startup
    Dim appSettings = ConfigurationManager.AppSettings

    Private realm As String
    Private aadInstance As String
    Private tenant As String
    Private metadata As String
    Private authority As String

    Public Sub ConfigureAuth(app As IAppBuilder)
        Try
            Dim appSettings = ConfigurationManager.AppSettings
            If (appSettings("releaseVersion") = "DEBUG") Then
                realm = ConfigurationManager.AppSettings("test_ida:RPIdentifier")
                aadInstance = ConfigurationManager.AppSettings("test_ida:AADInstance")
                tenant = ConfigurationManager.AppSettings("test_ida:Tenant")
            ElseIf (appSettings("releaseVersion") = "PROD") Then
                realm = ConfigurationManager.AppSettings("ida:RPIdentifier")
                aadInstance = ConfigurationManager.AppSettings("ida:AADInstance")
                tenant = ConfigurationManager.AppSettings("ida:Tenant")
            End If

            metadata = String.Format("{0}/FederationMetadata/2007-06/FederationMetadata.xml", aadInstance)
            authority = String.Format(CultureInfo.InvariantCulture, aadInstance, tenant)

            app.SetDefaultSignInAsAuthenticationType(CookieAuthenticationDefaults.AuthenticationType)
            app.UseCookieAuthentication(New CookieAuthenticationOptions())
            Dim authOption As WsFederationAuthenticationOptions = New WsFederationAuthenticationOptions()

            Dim fn = Function(context)
                         context.HandleResponse()
                         context.Response.Redirect("Home/Error?message=" + context.Exception.Message)
                         Return Task.FromResult(0)
                     End Function

            Dim auth_not As WsFederationAuthenticationNotifications = New WsFederationAuthenticationNotifications() With {
                    .AuthenticationFailed = fn
                 }

            Dim auth_opt As WsFederationAuthenticationOptions = New WsFederationAuthenticationOptions() With {
                 .Wtrealm = realm,
                 .MetadataAddress = metadata,
                 .Notifications = auth_not
               }
            If (Not auth_opt.Wtrealm Is Nothing) Then
                app.UseWsFederationAuthentication(auth_opt)
            Else

            End If

        Catch ex As Exception
            Throw ex
        End Try

    End Sub


End Class

Then, on my Default.aspx.vb page load event, I do this:

  If (Not Request.IsAuthenticated) Then
        Try
            Dim newAuth As AuthenticationProperties = New AuthenticationProperties()
            newAuth.RedirectUri = "/"
            HttpContext.Current.GetOwinContext().Authentication.Challenge(newAuth, WsFederationAuthenticationDefaults.AuthenticationType)

        Catch ex As Exception
            Throw ex
        End Try

    End If

The problem is, I do not know how to attempt to authenticate the user, determine if they are authenticated, and redirect them accordingly. Any help would be greatly appreciated.

thanks

Answer 1

There is not solid/correct way how to check if anonymous user is inside your network(or I am not aware of one). Possible way is to check IP address (range) users inside your network have publicly on the Internet. This is something you can check with network administrator(s). They may tell you public IP address (range).

Once you know public IP address (range) you can check incoming request to compare if the request is coming from the known reange of IP address (range) inside RedirectToIdentityProvider function.

Dim redirectToIdentityProvider = Function(context)
    Dim isCompanyNetworkUser = companyIPAddress == context.Request.RemoteIpAddress
    ' Or relevant check for range
    ' Dim isCompanyNetworkUser = (companyIPAddressRangeStart < context.Request.RemoteIpAddress AndAlso companyIPAddressRangeEnd > context.Request.RemoteIpAddress

    If Not isCompanyNetworkUser Then
        context.State = NotificationResultState.Skipped
        context.HandleResponse()
    End If

End Function

Dim auth_not As WsFederationAuthenticationNotifications = New WsFederationAuthenticationNotifications() With {
                    .AuthenticationFailed = fn
                    .RedirectToIdentityProvider = redirectToIdentityProvider
    }

You may want to tweak it a bit as I didn't try it, but may point you to right direction.