
I have App1 and App2, doing SSO using IdentityServer3 with Active Directory.

Each app has its own users and roles. I created a ClaimsTransformation OWIN middleware that gets the user/roles, serializes them into the cookie, then brings them back on subsequent calls. That works well.

But where do I handle initial user enrollment? I can't do it in authentication, because if an App1 user logs on, then goes to App2 as a new user, he will skip authentication.

If I do this in the middleware, when I try to redirect the user to the enroll/profile page, that redirect is hit by the middleware again, causing a redirect loop.

Any suggestions? Thanks.

Whoever

1 Answer


Never mind, I did it all wrong. For .NET using Owin.Security.OpenIdConnect, app initialization should be done in SecurityTokenValidated. The skipping-authentication issue was because I didn't set the cookie name.

app.UseOpenIdConnectAuthentication(new OpenIdConnectAuthenticationOptions
  {
     // Must match the AuthenticationType of the cookie middleware
     SignInAsAuthenticationType = "Cookies",
     Notifications = new OpenIdConnectAuthenticationNotifications
     {
         // Runs after the id_token is validated, before the cookie is issued
         SecurityTokenValidated = n => { ... }
     }
  });
Whoever
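The pattern the answer describes, written out as an added example that is not the poster's code: a minimal Katana Startup for one of the apps that enrolls a first-time user and attaches the app's own roles inside SecurityTokenValidated, then sends users with an incomplete profile to a profile page. AppUser, InMemoryUserStore, the Authority, ClientId and RedirectUri values and the /Account/Profile path are assumptions; the middleware calls and notification properties are the public Microsoft.Owin.Security.OpenIdConnect and Microsoft.Owin.Security.Cookies API.

```csharp
using System;
using System.Collections.Concurrent;
using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.Owin.Security.Cookies;
using Microsoft.Owin.Security.OpenIdConnect;
using Owin;

// Added example, not the original poster's code. AppUser, InMemoryUserStore,
// the Authority/ClientId/RedirectUri values and "/Account/Profile" are assumptions.
public class AppUser
{
    public string Subject { get; set; }      // IdentityServer "sub" claim, stable per user
    public bool ProfileCompleted { get; set; }
    public string[] Roles { get; set; }
}

// Stand-in for the app's own user/role table (hypothetical).
public class InMemoryUserStore
{
    private readonly ConcurrentDictionary<string, AppUser> _users =
        new ConcurrentDictionary<string, AppUser>(StringComparer.Ordinal);

    public Task<AppUser> FindBySubjectAsync(string subject)
    {
        AppUser user;
        _users.TryGetValue(subject, out user);
        return Task.FromResult(user);
    }

    // First visit from this IdP subject: create the local record with no roles yet.
    public Task<AppUser> EnrollAsync(string subject)
    {
        var user = new AppUser { Subject = subject, ProfileCompleted = false, Roles = new string[0] };
        return Task.FromResult(_users.GetOrAdd(subject, user));
    }
}

public class Startup
{
    public void Configuration(IAppBuilder app)
    {
        var store = new InMemoryUserStore();

        // The cookie middleware's AuthenticationType must equal the
        // SignInAsAuthenticationType below; otherwise the OIDC sign-in is
        // never persisted and every request is challenged again.
        app.UseCookieAuthentication(new CookieAuthenticationOptions
        {
            AuthenticationType = "Cookies"
        });

        app.UseOpenIdConnectAuthentication(new OpenIdConnectAuthenticationOptions
        {
            Authority = "https://idsrv.example.com/identity",  // assumed IdentityServer3 base URL
            ClientId = "app1",                                  // assumed client registration
            RedirectUri = "https://app1.example.com/",          // assumed
            ResponseType = "id_token",
            Scope = "openid profile",
            SignInAsAuthenticationType = "Cookies",
            Notifications = new OpenIdConnectAuthenticationNotifications
            {
                // Runs once per sign-in, after the id_token signature, issuer,
                // audience and lifetime are validated and before the "Cookies"
                // ticket is written. Per-app enrollment belongs here.
                SecurityTokenValidated = async n =>
                {
                    var identity = n.AuthenticationTicket.Identity;

                    // Key the local record on the subject, never on name or email,
                    // which can change or collide. The JWT handler's inbound claim
                    // map may have renamed "sub" to NameIdentifier, so check both.
                    var subClaim = identity.FindFirst("sub")
                                   ?? identity.FindFirst(ClaimTypes.NameIdentifier);
                    if (subClaim == null || string.IsNullOrEmpty(subClaim.Value))
                    {
                        n.HandleResponse();   // no subject, no session
                        return;
                    }

                    var user = await store.FindBySubjectAsync(subClaim.Value)
                               ?? await store.EnrollAsync(subClaim.Value);

                    // App-specific roles ride in the cookie, as in the question.
                    foreach (var role in user.Roles)
                        identity.AddClaim(new Claim(ClaimTypes.Role, role));

                    // New users land on the profile page after the cookie is issued,
                    // so that page is already authenticated and does not trigger a
                    // fresh OIDC challenge: no redirect loop. Keep this a fixed local
                    // path; taking it from the request would be an open redirect.
                    if (!user.ProfileCompleted)
                        n.AuthenticationTicket.Properties.RedirectUri = "/Account/Profile";
                }
            }
        });
    }
}
```

Two things to check when adapting this: the cookie middleware and the OIDC options must agree on the "Cookies" authentication type, which is the cause of the "skipped authentication" the answer mentions, and the profile page must be reachable with only the cookie (no additional authorization filter that depends on roles the new user does not yet have), or the redirect loop from the question comes back by another route.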