
I've read a lot of blog posts concerning the Identity way to handle Role Management in MVC5 but most of them seem to integrate registration systems and such. I want to know if I can simply use the Roles.

I have an existing MVC5 project where I pull my users from Active Directory and store them in a custom User model class. Is it possible to integrate Identity Role management with such a project?

I'm fairly new to ASP.NET MVC and so far this has caused me a few headaches. Will I have to use a model class which extends IdentityUser? If so, can I still use my Active Directory users and simply map the GUID, email, name, etc. to that new class and then use the Roles to limit access to my application views?

Orphu.of.io

1 Answer


While I'm not using ASP.NET Identity in production yet (perhaps in a few months) I do have a test project put together that authenticates against active directory for internal users. You will have to roll your own implementation to make this work though.

Here are some shortened samples to show how I am hitting active directory in different methods:

Roles

using System.Data.Entity; // ToListAsync

// IUserRoleStore<User, Guid>.GetRolesAsync: roles come from two sources, AD group
// membership for company accounts and the application's own role table for everyone.
public async Task<IList<string>> GetRolesAsync(User user) {
    List<string> roles = new List<string>();

    //Active Directory Roles
    // Match the full domain suffix (as the Auth sample does) rather than a substring:
    // Contains("@mycompany") would also accept e.g. someone@mycompany.example.org.
    if (user.Email.EndsWith("@mycompany.net", StringComparison.OrdinalIgnoreCase)) {
        var directory = new CompanyDirectory();

        // AD group names are used directly as role names
        var adGroups = directory.GetGroupsByUser(user.Email);

        if (adGroups != null && adGroups.Count > 0) {
            roles.AddRange(adGroups);
        }
    }

    //SQL Server Roles: the application-defined roles held in the role table
    var dbRoles = await _context.Users
        .Where(u => u.UserName == user.UserName)
        .SelectMany(u => u.Roles)
        .Select(r => r.Name)
        .ToListAsync();

    roles.AddRange(dbRoles);

    return roles;
}

Auth

// Override UserManager<User, Guid>.FindAsync so that company accounts are validated
// against Active Directory; the base implementation would expect a local password
// hash via IUserPasswordStore.
public override async Task<User> FindAsync(string userName, string password) {
    var identityUser = await base.FindByNameAsync(userName);

    if (identityUser != null) {
        if (userName.EndsWith("@mycompany.net", StringComparison.OrdinalIgnoreCase)) {
            var directory = new CompanyDirectory();
            // The password is handed to AD only; the app never stores or hashes it.
            var isValidated = directory.ValidateUser(userName, password);

            if (isValidated) {
                return identityUser;
            }
        } else {
            //SQL Server Auth
        }
    }

    // Same result for an unknown user and a wrong password
    return null;
}

You don't need to extend the IdentityUser class as that is actually the default class used by the Entity Framework implementation (even though I use SQL Server, my database schema is much different from the default ASP.NET Identity implementation so I use my own models). At the very least what you need to implement is IUser (this is actually what IdentityUser implements). Here is how I am implementing it:

using Microsoft.AspNet.Identity;

// IUser<Guid> only requires Id and UserName; the other partial declares them
// (mapped from the AD GUID and user principal name).
public partial class User : IUser<Guid> {

}

I have another partial class with the same name which contains all the properties and information used by the Entity Framework.

Justin Helgerson
  • Thanks for the answer. I'm not sure I totally understand though. My users are already stored in my DB (they did originally come from Active Directory) but they are copied over to my User Model. I want to create my own Roles (they aren't defined in AD). I create a Role model with things like Admin, Developer, NormalUser. Would the code you pasted above work for this kind of situation? Thanks again for the help. – Orphu.of.io Apr 05 '14 at 15:05
  • Sure, the point that I'm making is that the underlying data store could be whatever you like. You just need to implement the interfaces to go after the right data. – Justin Helgerson Apr 07 '14 at 14:18
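The following is an added, end-to-end example of what "roll your own implementation" means for the asker's situation (users copied from AD into a local table, application-defined roles, password checked by AD, `[Authorize(Roles = ...)]` on views). It is not code from the answer above; it targets Microsoft.AspNet.Identity.Core 2.x with the OWIN cookie middleware (Microsoft.Owin.Host.SystemWeb), and it assumes a hypothetical `IDirectoryValidator` in place of the answer's `CompanyDirectory`, an in-memory dictionary in place of the Entity Framework context, and a DI container that builds the controllers.

```csharp
using System;
using System.Collections.Concurrent;
using System.Collections.Generic;
using System.Linq;
using System.Threading.Tasks;
using System.Web;
using System.Web.Mvc;
using Microsoft.AspNet.Identity;
using Microsoft.Owin.Security;

// The only members Identity needs on the user model are those of IUser<Guid>;
// Id and UserName are the AD objectGUID and UPN already copied into the local table.
public class User : IUser<Guid> {
    public Guid Id { get; set; }
    public string UserName { get; set; }
    public string Email { get; set; }
    public List<string> Roles { get; set; }   // application-defined, e.g. "Admin"
    public User() { Roles = new List<string>(); }
}

// Hypothetical AD client (assumption, not a real library API); in a project this
// wraps an LDAP bind or PrincipalContext.ValidateCredentials and returns false on any failure.
public interface IDirectoryValidator {
    bool ValidateUser(string userName, string password);
}

// Minimal IUserRoleStore over a dictionary. Swap the dictionary for your EF context;
// UserManager only ever talks to these interface methods.
public class InMemoryUserStore : IUserRoleStore<User, Guid> {
    private readonly ConcurrentDictionary<Guid, User> _users = new ConcurrentDictionary<Guid, User>();

    public Task CreateAsync(User user) { _users[user.Id] = user; return Task.FromResult(0); }
    public Task UpdateAsync(User user) { _users[user.Id] = user; return Task.FromResult(0); }
    public Task DeleteAsync(User user) { User u; _users.TryRemove(user.Id, out u); return Task.FromResult(0); }
    public Task<User> FindByIdAsync(Guid userId) { User u; _users.TryGetValue(userId, out u); return Task.FromResult(u); }
    public Task<User> FindByNameAsync(string userName) {
        // UPNs are case-insensitive; compare ordinally so culture rules cannot produce a second match.
        return Task.FromResult(_users.Values.FirstOrDefault(
            u => string.Equals(u.UserName, userName, StringComparison.OrdinalIgnoreCase)));
    }
    public Task AddToRoleAsync(User user, string roleName) {
        if (!user.Roles.Contains(roleName, StringComparer.OrdinalIgnoreCase)) user.Roles.Add(roleName);
        return Task.FromResult(0);
    }
    public Task RemoveFromRoleAsync(User user, string roleName) {
        user.Roles.RemoveAll(r => string.Equals(r, roleName, StringComparison.OrdinalIgnoreCase));
        return Task.FromResult(0);
    }
    public Task<IList<string>> GetRolesAsync(User user) {
        return Task.FromResult<IList<string>>(user.Roles.ToList());   // copy: callers must not mutate the store
    }
    public Task<bool> IsInRoleAsync(User user, string roleName) {
        return Task.FromResult(user.Roles.Contains(roleName, StringComparer.OrdinalIgnoreCase));
    }
    public void Dispose() { }
}

// UserManager whose password check goes to AD instead of a local hash.
public class AppUserManager : UserManager<User, Guid> {
    private readonly IDirectoryValidator _directory;
    public AppUserManager(IUserStore<User, Guid> store, IDirectoryValidator directory) : base(store) {
        _directory = directory;
    }
    public override async Task<User> FindAsync(string userName, string password) {
        var user = await FindByNameAsync(userName);
        if (user == null) return null;   // not provisioned locally: do not consult AD at all
        // The password is only ever handed to AD; nothing is stored or hashed by the app.
        return _directory.ValidateUser(user.UserName, password) ? user : null;
    }
}

public class AccountController : Controller {
    private readonly AppUserManager _userManager;
    public AccountController(AppUserManager userManager) { _userManager = userManager; }  // DI container assumed

    [HttpPost, ValidateAntiForgeryToken]
    public async Task<ActionResult> Login(string userName, string password) {
        var user = await _userManager.FindAsync(userName, password);
        if (user == null) return View("Login");   // identical response for unknown user and bad password
        // CreateIdentityAsync adds one role claim per value GetRolesAsync returns;
        // those claims are what [Authorize(Roles = ...)] checks on later requests.
        var identity = await _userManager.CreateIdentityAsync(user, DefaultAuthenticationTypes.ApplicationCookie);
        HttpContext.GetOwinContext().Authentication.SignIn(
            new AuthenticationProperties { IsPersistent = false }, identity);
        return RedirectToAction("Index", "Home");
    }
}

public class AdminController : Controller {
    [Authorize(Roles = "Admin")]   // role names are the strings held per user in the store
    public ActionResult Index() { return View(); }
}
```

Two points worth checking in your own version: the store's `FindByNameAsync` must return at most one user for a name regardless of case, or two AD copies could collide on login; and `FindAsync` should return `null` for both an unknown user and a failed AD validation so the login page does not reveal which accounts exist.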