Menu

Setting up Azure Active Directory Single Sign On on a ASP.NET (.NET 4.5) web app using OpenIdConnect (Cookies based)

Install following NuGet packages on your project.

Create a Startup.cs in your root of your web application.

Create a Startup.Auth.cs in your App_Start folder. and this is how it looks like.

app.UseCookieAuthentication(new CookieAuthenticationOptions());

app.UseOpenIdConnectAuthentication(new OpenIdConnectAuthenticationOptions
{
ClientId = ClientId,
Authority = Authority,
PostLogoutRedirectUri = PostLogoutRedirectUri,
TokenValidationParameters =
{
NameClaimType = CustomClaimTypes.UserName,
},
Notifications = new OpenIdConnectAuthenticationNotifications
{
SecurityTokenValidated = SecurityTokenValidated,
AuthenticationFailed = AuthenticationFailed
}
});
}

private Task SecurityTokenValidated(SecurityTokenValidatedNotification<OpenIdConnectMessage, OpenIdConnectAuthenticationOptions> context)
{
ValidateTenant(context);
var user = ValidateUserAndUpdateClaims(context);

return Task.FromResult(0);
}

private static UserInfo ValidateUserAndUpdateClaims(SecurityTokenValidatedNotification<OpenIdConnectMessage, OpenIdConnectAuthenticationOptions> context)
{
var claimsIdentity = context.AuthenticationTicket.Identity;
var email = claimsIdentity.FindFirst(System.Security.Claims.ClaimTypes.Name).Value;

var user = GetUserAndRoles(email);
if (user != null && user.UserRoles.Count > 0)
{

UpdateClaims(claimsIdentity, user, email);
}
else
throw new SecurityTokenValidationException(“Please check if your login is configured in configuration to access this website.”);

return user;
}

private static void UpdateClaims(ClaimsIdentity claimsIdentity, UserInfo user, string email)
{
claimsIdentity.AddClaim(new Claim(“http://www.inoaspect.com.au/claims/UserName”, user.UserName));
claimsIdentity.AddClaim(new Claim(“http://www.inoaspect.com.au/claims/DisplayName”, user.DisplayName));
claimsIdentity.AddClaim(new Claim(System.IdentityModel.Claims.ClaimTypes.Email, email));

foreach (var role in user.UserRoles)
{
claimsIdentity.AddClaim(new Claim(ClaimTypes.Role, role.Role.Name));
}
}

private static void ValidateTenant(SecurityTokenValidatedNotification<OpenIdConnectMessage, OpenIdConnectAuthenticationOptions> context)
{
var tenant = context.AuthenticationTicket.Identity.Claims.FirstOrDefault(o => o.Type == “”http://schemas.microsoft.com/identity/claims/tenantid””);
if (tenant == null)
throw new SecurityTokenValidationException(“Active directory tenant not found.”);

var tenantId = tenant.Value;
IEnumerable approvedTenantIds = new List
{
TenantId
};

if (!approvedTenantIds.Contains(tenantId))
throw new SecurityTokenValidationException(“Active directory tenant is not configured to access this web site.”);
}

No in order to protect your controllers you simply add [Authorize] attribute. Like below

Leave a comment