
I have both -

External users who authenticate in via ASP.Net Identity and Internal/Extranet users who authenticate via AzureAD which is backed by an ADFS deployment on-premises.

When a user clicks a link or navigates directly to a page in the web application, I would like to detect if that user has already authenticated with our ADFS, either through one of our SharePoint sites, internally or similar. If so, they should be directed to Azure AD with the correct domain_hint to enable seamless single sign-on; otherwise they should be directed to a Login Screen within the application.

Currently, when the application receives an unauthorized request, the user is directed to a login screen where they select an authentication workflow, regardless of whether they have already authenticated with a trusted federated Azure AD tenant, either through SharePoint, internally or similar.

using System.Web.Mvc;       // AuthorizeAttribute, AuthorizationContext, RedirectToRouteResult
using System.Web.Routing;   // RouteValueDictionary

public class DetritusAuthorise : AuthorizeAttribute
{
    // Called for every request that fails authorisation; currently every such
    // request is sent to the in-app login screen, whether or not the user already
    // holds a federated (ADFS / Azure AD) session.
    protected override void HandleUnauthorizedRequest(AuthorizationContext filterContext)
    {
        filterContext.Result = new RedirectToRouteResult(new RouteValueDictionary
        {
            {"action", nameof(Controllers.AccountController.Login)},
            {"controller", "Account"}
        });
    }
}

Example Scenario

A user is logged into a SharePoint site, then clicks a link to the web application.


I am using OWIN OpenID Connect and CookieAuthentication. I can see there are adfs.ourcompany.com, sharepoint.ourcompany.com etc. cookies in the browser; however, I cannot access/detect them in the request processed by the AuthorizeAttribute.

How can I detect if a request is coming from a user who is already authenticated with our ADFS?

  • From the ADFS authentication token you can check for the issuer. http://gavindraper.com/2013/01/31/ad-fs-token-based-authentication-in-code/ http://stackoverflow.com/questions/18701681/how-to-validate-adfs-saml-token – Aravind Aug 01 '16 at 12:41
  • @Aravind how do I get the ADFS authentication token from an incoming request in an `AuthorizedAttribute`? – clD Aug 01 '16 at 13:32
  • In the ADFS login page the user will provide credentials; the ADFS server will validate and send a response to the browser. The response will contain the SAML token. That SAML token will be posted to the claims-based application, which will then process the claims and do the necessary. This is the flow. You can check how to configure it in an ASP.NET MVC app here http://www.dotnetcurry.com/windows-azure/1158/using-adfs-azure-single-signon-aspnet-mvc – Aravind Aug 01 '16 at 15:26
  • @Aravind the user is logged into our SharePoint site; when they click a link to the web application the `AuthorizedAttribute` intercepts this, and as they are not authorised they're redirected to the app login page. I don't want them to re-enter credentials after clicking the link. When clicking the link from the SharePoint site, how is the token then passed to the web application? The web app is registered in Azure AD. – clD Aug 01 '16 at 15:51
  • In this case both SharePoint and the MVC app are relying parties, right? After logging in to SharePoint there will be an app cookie and an ADFS cookie/token. When the user lands on the MVC app there won't be any app cookie, so you would redirect to the ADFS server, where it would see the ADFS cookie/token and give you back the ADFS cookie/token and a new app cookie, and the user will be able to log in automatically. Refer to this link on implementing ADFS login using OWIN in an MVC app. http://www.cloudidentity.com/blog/2014/04/29/use-the-owin-security-components-in-asp-net-to-implement-web-sign-on-with-adfs/ – Aravind Aug 01 '16 at 16:30
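The flow the question asks for and the comments describe (let the identity provider, not the application, decide whether a federated session exists) can be implemented without reading any ADFS cookie, as in the following added example. It is not code from the question or the comments: it replaces the unconditional redirect to the login page with a silent OpenID Connect challenge to Azure AD (`prompt=none` plus `domain_hint`), and falls back to the application's own login screen when Azure AD reports `login_required`. It assumes ASP.NET MVC 5 with the OWIN OpenID Connect and cookie middleware already configured (as the question states), that the app's Azure AD tenant is federated to the on-premises ADFS, and uses `ourcompany.com` (taken from the question's cookie names) as the federated domain; the `sso.silent` property key and the `/Account/Login` path are the example's own choices.

```csharp
// Added example, not from the question or its comments.
// Assumes ASP.NET MVC 5 + OWIN (Microsoft.Owin.Security.OpenIdConnect, cookie middleware).
using System.Threading.Tasks;
using System.Web;
using System.Web.Mvc;
using Microsoft.Owin.Security;
using Microsoft.Owin.Security.OpenIdConnect;

public class DetritusAuthorise : AuthorizeAttribute
{
    // Hypothetical key carried in AuthenticationProperties to mark a challenge as silent.
    public const string SilentKey = "sso.silent";
    // Assumption: the domain federated from Azure AD to the on-premises ADFS.
    public const string FederatedDomain = "ourcompany.com";

    protected override void HandleUnauthorizedRequest(AuthorizationContext filterContext)
    {
        // An already signed-in user who merely lacks a role gets 403, not another sign-in loop.
        if (filterContext.HttpContext.User != null &&
            filterContext.HttpContext.User.Identity.IsAuthenticated)
        {
            filterContext.Result = new HttpStatusCodeResult(403);
            return;
        }

        var properties = new AuthenticationProperties
        {
            // Come back to the page the user actually asked for once sign-in completes.
            RedirectUri = filterContext.HttpContext.Request.RawUrl
        };
        properties.Dictionary[SilentKey] = "true";

        // The server cannot see the adfs.ourcompany.com cookies, but the browser will present
        // them to Azure AD / ADFS during the challenge, so the IdP decides whether SSO applies.
        filterContext.HttpContext.GetOwinContext().Authentication.Challenge(
            properties, OpenIdConnectAuthenticationDefaults.AuthenticationType);
        filterContext.Result = new HttpUnauthorizedResult();
    }
}

public static class SilentSsoNotifications
{
    // Use in Startup: new OpenIdConnectAuthenticationOptions { ...,
    //     Notifications = SilentSsoNotifications.Create("/Account/Login") }
    public static OpenIdConnectAuthenticationNotifications Create(string loginPath)
    {
        return new OpenIdConnectAuthenticationNotifications
        {
            RedirectToIdentityProvider = n =>
            {
                var challenge = n.OwinContext.Authentication.AuthenticationResponseChallenge;
                string silent;
                if (challenge != null &&
                    challenge.Properties.Dictionary.TryGetValue(DetritusAuthorise.SilentKey, out silent) &&
                    silent == "true")
                {
                    // prompt=none: Azure AD must complete sign-in from an existing session
                    // (via ADFS for the federated domain) or return an error, never show UI.
                    n.ProtocolMessage.Prompt = "none";
                    n.ProtocolMessage.DomainHint = DetritusAuthorise.FederatedDomain;
                }
                return Task.FromResult(0);
            },
            AuthenticationFailed = n =>
            {
                // No federated session: Azure AD answers with login_required (or
                // interaction_required). Swallow the error and show the app's own login screen.
                var error = n.ProtocolMessage != null ? n.ProtocolMessage.Error : null;
                if (error == "login_required" || error == "interaction_required")
                {
                    n.HandleResponse();
                    n.Response.Redirect(loginPath);
                }
                return Task.FromResult(0);
            }
        };
    }
}
```

The check that matters from a security standpoint is that the application never trusts anything about the federated session itself: the only evidence it accepts is the signed token Azure AD returns after the challenge, which the existing OpenID Connect middleware validates. If a user without a session lands on the login screen after one extra round trip to Azure AD, that is the expected fallback, not a failure.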