I'm building a Web Application using ASP.Net and MVC4. This web application is going to be used by another company but we are hosting it. We were told that we had to use ADFS. We don't know what kind of information is going to come over to us in the authentication but we need to allow for users to have roles. I assume that when authenticated a username should be returned. So I'm thinking I would build a user table in the database for admins and super admins. When a user comes over, we will check if their username exists in the database and if so we would read their role from the database. If they do not exist in the database they are public. All that being said, here is my dilemma that I need to solve. How do I do this without writing custom code everywhere in the application to check for authorized and check for role? I would like to use the [AuthorizeAttribute(roles)]. Should I create a custom role provider? All ideas are welcome. BTW, we cannot have the client manage the roles and pass it over because this company is a Fortune 100 company and they do not have time to handle these requests.
1 Answer
I would recommend looking at some of Dominick Baier's work on securing MVC with claims. He's worked with some other developers as well to build Thinktecture, which has both an Identity Server component and libraries for assisting in the processing of claims while abstracting some of the nitty-gritty details.
As for the roles portion of what you need to do, you can build a custom ClaimsAuthenticationManager and have that perform whatever transformations or additions to the user's claim set at initial login. Dominick has a couple of excellent PluralSight courses that go into much more detail on this process. He also has this free video out there, which details the authorization portion around minute ~44.
I recently went through the effort of getting ADFS setup and authenticating some of the MVC apps at our company. The resources I have referenced were invaluable in helping me in that process.

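The claims-transformation approach the answer describes, written out as an added example (this is not code from the original answer, from Thinktecture, or from the asker's project). It assumes .NET 4.5's built-in WIF (System.IdentityModel), that ADFS is configured to issue a Name claim for the user, and a hypothetical AppUsers table with UserName and Role columns in the hosting company's own database. The manager runs once per federated sign-in, after WIF has validated the ADFS token and before the session cookie is written, so the roles it adds are what [Authorize(Roles = "...")] sees on every later request.

```csharp
// Added example, not part of the original Q&A. Assumes .NET 4.5 WIF, MVC4 and a
// hypothetical table:  CREATE TABLE AppUsers (UserName nvarchar(256), Role nvarchar(64))
using System.Collections.Generic;
using System.Configuration;
using System.Data;
using System.Data.SqlClient;
using System.IdentityModel.Tokens;
using System.Security.Claims;
using System.Web.Mvc;

namespace HostingCompany.Security
{
    // WIF invokes Authenticate() once per sign-in with the principal built from the
    // ADFS token. Token signature and issuer have already been checked by the
    // issuerNameRegistry at this point; this class only decides local roles.
    public class DatabaseRoleClaimsAuthenticationManager : ClaimsAuthenticationManager
    {
        private const string ConnectionStringName = "AppRoles"; // hypothetical name

        public override ClaimsPrincipal Authenticate(string resourceName, ClaimsPrincipal incomingPrincipal)
        {
            if (incomingPrincipal == null || incomingPrincipal.Identity == null
                || !incomingPrincipal.Identity.IsAuthenticated)
            {
                return incomingPrincipal; // anonymous request: nothing to enrich
            }

            var identity = (ClaimsIdentity)incomingPrincipal.Identity;

            // Which claim carries the username depends on the ADFS claim rules the
            // client configures; Name is assumed here. Fail closed if it is missing
            // rather than silently treating the user as public.
            Claim nameClaim = identity.FindFirst(ClaimTypes.Name);
            if (nameClaim == null)
            {
                throw new SecurityTokenException("ADFS token carried no name claim");
            }

            // Users absent from AppUsers get no role claim and are therefore "public":
            // they pass [Authorize] but fail every [Authorize(Roles = ...)].
            foreach (string role in LookupRoles(nameClaim.Value))
            {
                // Issuer "LOCAL AUTHORITY" marks these as minted here, not by ADFS.
                identity.AddClaim(new Claim(ClaimTypes.Role, role, ClaimValueTypes.String, "LOCAL AUTHORITY"));
            }

            return incomingPrincipal;
        }

        private static IEnumerable<string> LookupRoles(string userName)
        {
            var roles = new List<string>();
            string cs = ConfigurationManager.ConnectionStrings[ConnectionStringName].ConnectionString;

            using (var conn = new SqlConnection(cs))
            using (var cmd = new SqlCommand("SELECT Role FROM AppUsers WHERE UserName = @u", conn))
            {
                // Parameterised: the username comes from a token, not from us.
                cmd.Parameters.Add("@u", SqlDbType.NVarChar, 256).Value = userName;
                conn.Open();
                using (SqlDataReader reader = cmd.ExecuteReader())
                {
                    while (reader.Read())
                    {
                        roles.Add(reader.GetString(0));
                    }
                }
            }
            return roles;
        }
    }

    // No custom code in the controllers: ClaimsPrincipal.IsInRole() checks the
    // ClaimTypes.Role claims added above, which is what AuthorizeAttribute calls.
    [Authorize(Roles = "SuperAdmin")]
    public class SuperAdminController : Controller
    {
        public ActionResult Index()
        {
            return View();
        }
    }
}

// Registration in web.config (WIF picks the manager up from here):
//
// <system.identityModel>
//   <identityConfiguration>
//     <claimsAuthenticationManager
//        type="HostingCompany.Security.DatabaseRoleClaimsAuthenticationManager, HostingCompany" />
//   </identityConfiguration>
// </system.identityModel>
```

Two caveats worth knowing before shipping this. First, the SessionAuthenticationModule persists the transformed principal into the FedAuth cookie, so Authenticate() does not run again on later requests; a role added or removed in AppUsers takes effect at the user's next sign-in (or when the session cookie expires), not immediately. Second, since the hosting side keys roles on whatever ADFS sends, the claim used as the lookup key needs to be stable and unique for the client's directory; agreeing on a UPN or similar identifier with the client's ADFS administrators is safer than a display name that can change or collide.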