WebForms authentication against Azure AD

I have a WebForms site that has been running on an internal server and authenticating users against our internal Active Directory. Due to some new features that we are implementing, this site needs to be moved to an external server and then authentication changed so that it authenticates users against our Office 365 accounts. To this end I have:

  1. Created a new WebForms site (not using MVC)
  2. Set up a new application in Azure.
  3. Modified the Startup.Auth.cs as follows:

    public void ConfigureAuth(IAppBuilder app)
    {
        app.CreatePerOwinContext(ApplicationDbContext.Create);
        app.CreatePerOwinContext<ApplicationUserManager>(ApplicationUserManager.Create);
        app.CreatePerOwinContext<ApplicationSignInManager>(ApplicationSignInManager.Create);

        // Local application cookie; unauthenticated requests are sent to LoginPath.
        app.UseCookieAuthentication(new CookieAuthenticationOptions
        {
            AuthenticationType = DefaultAuthenticationTypes.ApplicationCookie,
            LoginPath = new PathString("/Account/Login"),
            Provider = new CookieAuthenticationProvider
            {
                OnValidateIdentity = SecurityStampValidator.OnValidateIdentity<ApplicationUserManager, ApplicationUser>(
                    validateInterval: TimeSpan.FromMinutes(30),
                    regenerateIdentity: (manager, user) => user.GenerateUserIdentityAsync(manager))
            }
        });

        // External sign-in cookie plus the OpenID Connect (Azure AD) middleware.
        app.UseExternalSignInCookie(DefaultAuthenticationTypes.ExternalCookie);
        app.UseOpenIdConnectAuthentication(new OpenIdConnectAuthenticationOptions
        {
            ClientId = "MyApplicationGUID",
            Authority = "https://login.windows.net/MyDomain.com"
        });
    }

When I go to the default page and click Log On, it takes me to the correct Login page and the button for OpenID is shown. If I click the button, I am taken to the Microsoft Login page where I am able to enter my credentials. However, at that point, I am redirected back to my site's login page where it is still asking for a username/password.

What I would like to have happen is to set the site up so that if a user is not authenticated, they are redirected directly to the Microsoft login page and upon successful login are redirected back to the page they requested originally. Failing this, I would be satisfied with getting the default login page working so that when I click OpenID I'm not redirected back to the login page.

I don't have time to learn MVC at this point and port the whole thing over so going that route is not an option at this time.

I don't know enough about this process, so if my question doesn't make sense or if you need more information, please let me know and I'll be glad to try and find what you need to assist me in this.

Dirk Dastardly asked Mar 11 '15 15:03

1 Answer

Maybe I'm missing something, but I don't see why you need the custom login page or the external signin cookie. A typical Startup.Auth for OIDC/AAD looks something like this:

    // Needs: using System.Threading.Tasks; using Microsoft.Owin.Security;
    // using Microsoft.Owin.Security.Cookies; using Microsoft.Owin.Security.OpenIdConnect;

    // The cookie middleware holds the session that the OpenID Connect sign-in establishes.
    app.SetDefaultSignInAsAuthenticationType(CookieAuthenticationDefaults.AuthenticationType);
    app.UseCookieAuthentication(new CookieAuthenticationOptions());

    app.UseOpenIdConnectAuthentication(
        new OpenIdConnectAuthenticationOptions
        {
            ClientId = "AppGUID",
            Authority = "https://login.windows.net/MyDomain.com",

            // After authentication return user to the page they were trying
            // to access before being redirected to the Azure AD signin page.
            Notifications = new OpenIdConnectAuthenticationNotifications()
            {
                RedirectToIdentityProvider = (context) =>
                {
                    // The resulting redirect URI has to match a reply URL
                    // registered for the application in Azure AD.
                    string currentUrl = context.Request.Scheme + "://" + context.Request.Host + context.Request.Path;
                    context.ProtocolMessage.RedirectUri = currentUrl;

                    return Task.FromResult(0);
                }
            }
        });

The cookie auth is just to keep from going to AAD for every single request. All the real work happens in the OpenIdConnectAuthentication.

Here's an example of WebForms, Azure AD, and OpenID Connect:

http://www.cloudidentity.com/blog/2014/07/24/protecting-an-asp-net-webforms-app-with-openid-connect-and-azure-ad/

BenV answered Sep 22 '22 15:09
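An added example, not code from the question or the answer: a WebForms login page code-behind that sends anonymous users straight to Azure AD and returns them to the page they asked for, accepting only same-site return paths so the post-login redirect cannot be pointed at another host. The `Login` page class and the `IsLocalUrl` helper are hypothetical names, and the example assumes the requested path arrives in the `ReturnUrl` query parameter that the cookie middleware appends when it redirects to `LoginPath`.

```csharp
using System;
using System.Web;
using System.Web.UI;
using Microsoft.Owin.Security;
using Microsoft.Owin.Security.OpenIdConnect;

// Hypothetical code-behind for /Account/Login (added example).
public partial class Login : Page
{
    protected void Page_Load(object sender, EventArgs e)
    {
        if (Request.IsAuthenticated)
        {
            return; // already signed in, nothing to challenge
        }

        // ReturnUrl comes from the query string and is caller-controlled,
        // so fall back to the site root unless it is a same-site path.
        string returnUrl = Request.QueryString["ReturnUrl"];
        if (!IsLocalUrl(returnUrl))
        {
            returnUrl = "/";
        }

        // Flags the response for the OpenID Connect middleware, which redirects
        // to the authority configured in Startup.Auth.cs. After sign-in the
        // middleware sends the browser to AuthenticationProperties.RedirectUri.
        Context.GetOwinContext().Authentication.Challenge(
            new AuthenticationProperties { RedirectUri = returnUrl },
            OpenIdConnectAuthenticationDefaults.AuthenticationType);
    }

    // Accepts only paths rooted at this site: rejects absolute URLs,
    // protocol-relative forms ("//host", "/\host") and CR/LF characters.
    private static bool IsLocalUrl(string url)
    {
        if (string.IsNullOrEmpty(url) || url[0] != '/')
        {
            return false;
        }
        if (url.Length > 1 && (url[1] == '/' || url[1] == '\\'))
        {
            return false;
        }
        return url.IndexOfAny(new[] { '\r', '\n' }) < 0;
    }
}
```

`AuthenticationProperties.RedirectUri` here is the in-site page shown after sign-in completes; it is separate from `ProtocolMessage.RedirectUri`, the reply URL sent to Azure AD.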