Setting up Azure Active Directory Single Sign On on a ASP.NET (.NET 4.5) web app using OpenIdConnect (Cookies based)

Install following NuGet packages on your project.

Create a Startup.cs in your root of your web application.

Create a Startup.Auth.cs in your App_Start folder. and this is how it looks like.

app.UseCookieAuthentication(new CookieAuthenticationOptions());

app.UseOpenIdConnectAuthentication(new OpenIdConnectAuthenticationOptions
ClientId = ClientId,
Authority = Authority,
PostLogoutRedirectUri = PostLogoutRedirectUri,
TokenValidationParameters =
NameClaimType = CustomClaimTypes.UserName,
Notifications = new OpenIdConnectAuthenticationNotifications
SecurityTokenValidated = SecurityTokenValidated,
AuthenticationFailed = AuthenticationFailed

private Task SecurityTokenValidated(SecurityTokenValidatedNotification<OpenIdConnectMessage, OpenIdConnectAuthenticationOptions> context)
var user = ValidateUserAndUpdateClaims(context);

return Task.FromResult(0);

private static UserInfo ValidateUserAndUpdateClaims(SecurityTokenValidatedNotification<OpenIdConnectMessage, OpenIdConnectAuthenticationOptions> context)
var claimsIdentity = context.AuthenticationTicket.Identity;
var email = claimsIdentity.FindFirst(System.Security.Claims.ClaimTypes.Name).Value;

var user = GetUserAndRoles(email);
if (user != null && user.UserRoles.Count > 0)

UpdateClaims(claimsIdentity, user, email);
throw new SecurityTokenValidationException(“Please check if your login is configured in configuration to access this website.”);

return user;

private static void UpdateClaims(ClaimsIdentity claimsIdentity, UserInfo user, string email)
claimsIdentity.AddClaim(new Claim(“”, user.UserName));
claimsIdentity.AddClaim(new Claim(“”, user.DisplayName));
claimsIdentity.AddClaim(new Claim(System.IdentityModel.Claims.ClaimTypes.Email, email));

foreach (var role in user.UserRoles)
claimsIdentity.AddClaim(new Claim(ClaimTypes.Role, role.Role.Name));

private static void ValidateTenant(SecurityTokenValidatedNotification<OpenIdConnectMessage, OpenIdConnectAuthenticationOptions> context)
var tenant = context.AuthenticationTicket.Identity.Claims.FirstOrDefault(o => o.Type == “”””);
if (tenant == null)
throw new SecurityTokenValidationException(“Active directory tenant not found.”);

var tenantId = tenant.Value;
IEnumerable approvedTenantIds = new List

if (!approvedTenantIds.Contains(tenantId))
throw new SecurityTokenValidationException(“Active directory tenant is not configured to access this web site.”);

No in order to protect your controllers you simply add [Authorize] attribute. Like below

Leave a comment