I have been working on a project where I have a simple web page integrated with AD FS. The authentication and website are working as expected. I am using VS 2015. My goal is to limit what users can access at the site ("roles", from what I have read and researched). If the logged-on user is an admin, grant full access, but if logged on as a regular user, limit what pages are available.

Here is the scenario: go to my project URL, which is redirected to the AD FS sign-on; after a successful sign-on you are at my website. Not much to it.

I have read so much online about different ways to achieve my goal that I am unsure which course is best or simplest to configure. What are my best options here? Keep in mind I have never developed in ASP or any other code, for that matter. Any help would be appreciated.

Deep Kakkar
kow1969

2 Answers

2

There is policy based authorization that is probably the current best practice, however it sounds like role based authorization may be sufficient for you.

To perform role based authorization you'll first need to set up a claim rule in your AD FS for the Relying Party Trust of your application that sends the Role claim type "http://schemas.microsoft.com/ws/2008/06/identity/claims/role". The claim rule would look like this:

    c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
     => add(store = "Active Directory", types = ("http://schemas.microsoft.com/ws/2008/06/identity/claims/role"), query = ";tokenGroups;{0}", param = c.Value);

Then when your roles arrive at your application in these claims, you'll process them with Windows Identity Foundation (WIF), which is integrated into .NET Framework 4.5+. I believe referencing System.Security.Claims is sufficient to get WIF in your project for processing roles. This "processing" however is done for you by WIF.

At this point you should be able to simply decorate controllers and methods like the following to perform role based authorization, with these Roles equating to the names of groups the user is a member of in Active Directory.

    // Only users whose role claims include "Administrators" reach any action on this controller
    [Authorize(Roles = "Administrators")]
    public class AdminController : Controller
    {
    }
Gilligan
  • Was not aware of policy based authorization; I need to start reviewing this in detail. Another question about the "decorate controllers and methods": where should these be placed in my ASP application? The Startup.cs, or for each page of my site? Meaning each page has a particular group, administrators or users. Apologies, but very new to this. – kow1969 Apr 04 '17 at 15:38
  • If you're using ASP.NET MVC or Web API this would be on your AdminController class or a method within that class. If you're using Web Forms, however, @nzpcmad's recommendations would probably be the best bet. For IsInRole you can do something like this: if(Thread.CurrentPrincipal.IsInRole("Administrators")) //Do Something – Gilligan Apr 04 '17 at 20:10
1

Just for interest, there are other ways to do this.

Once you have the roles, you can use IsInRole(role).

You can also use the web.config, e.g.:

    <!-- Only members of Admin or OtherAdmin may request Page.aspx; the deny rule catches everyone else -->
    <location path="Page.aspx">
      <system.web>
        <authorization>
          <allow roles="Admin, OtherAdmin" />
          <deny users="*" />
        </authorization>
      </system.web>
    </location>
rbrayb
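As an added example that is not code from either answer above, the following console program builds the ClaimsPrincipal that WIF would produce from the role claims sent by the AD FS rule in Gilligan's answer, and runs the IsInRole check that both answers rely on: the [Authorize(Roles = "...")] attribute and the deny-by-default <allow roles="..."/> / <deny users="*"/> block in rbrayb's web.config both reduce to it. It assumes .NET Framework 4.5+ (System.Security.Claims) and a C# console project; the account names, group names, the issuer URL and the "group" claim type in the failure case are constructed for the demonstration. It also shows the failure mode a practitioner usually hits first, a role claim type on the token that does not match the identity's RoleClaimType, and how that looks from the application side.

```csharp
// Added example, not code from either answer. Builds the ClaimsPrincipal WIF
// hands to the application after AD FS sign-on from constructed claims and
// shows what IsInRole (hence [Authorize(Roles = "...")] and <allow roles/>)
// actually evaluates. Assumes .NET Framework 4.5+; runs without AD FS.
using System;
using System.Collections.Generic;
using System.Linq;
using System.Security.Claims;

public static class RoleCheckDemo
{
    // The claim type the AD FS rule in Gilligan's answer emits. It is the same
    // URI as ClaimTypes.Role, which is why [Authorize(Roles = "...")] works unchanged.
    public const string AdfsRoleClaimType =
        "http://schemas.microsoft.com/ws/2008/06/identity/claims/role";

    // Constructed issuer; in a real token this is the AD FS federation service.
    private const string Issuer = "http://adfs.example.local/adfs/services/trust";

    // Builds a principal from an account name and the group names the tokenGroups
    // query would return. emittedType is the claim type AD FS put on the role
    // claims; roleClaimType is what the identity is told to treat as roles.
    // In a correct setup both are AdfsRoleClaimType.
    public static ClaimsPrincipal BuildPrincipal(string account,
        IEnumerable<string> groups, string emittedType, string roleClaimType)
    {
        var claims = new List<Claim>
        {
            new Claim(ClaimTypes.WindowsAccountName, account, ClaimValueTypes.String, "AD AUTHORITY")
        };
        claims.AddRange(groups.Select(g => new Claim(emittedType, g, ClaimValueTypes.String, Issuer)));

        // authenticationType must be non-empty, otherwise IsAuthenticated is false
        // and [Authorize] rejects the user before roles are even consulted.
        var identity = new ClaimsIdentity(claims, "Federation",
            ClaimTypes.WindowsAccountName, roleClaimType);
        return new ClaimsPrincipal(identity);
    }

    // Deny-by-default check mirroring <allow roles="..."/> followed by
    // <deny users="*"/>: an authenticated user holding any listed role passes.
    public static bool IsAllowed(ClaimsPrincipal user, params string[] allowedRoles)
    {
        if (user == null || user.Identity == null || !user.Identity.IsAuthenticated)
            return false;
        return allowedRoles.Any(user.IsInRole);
    }

    public static void Main()
    {
        var admin = BuildPrincipal("CONTOSO\\alice",
            new[] { "Domain Users", "Administrators" }, AdfsRoleClaimType, AdfsRoleClaimType);
        var user = BuildPrincipal("CONTOSO\\bob",
            new[] { "Domain Users" }, AdfsRoleClaimType, AdfsRoleClaimType);

        // Same decision [Authorize(Roles = "Administrators")] makes on AdminController.
        Console.WriteLine("alice -> AdminController: " + IsAllowed(admin, "Administrators"));
        Console.WriteLine("bob   -> AdminController: " + IsAllowed(user, "Administrators"));
        // Same decision the web.config <location> block makes for Page.aspx.
        Console.WriteLine("bob   -> Page.aspx (Admin, OtherAdmin): "
            + IsAllowed(user, "Admin", "OtherAdmin"));

        // Failure mode to rule out before blaming the attribute: AD FS emits the
        // groups under some other claim type (constructed here) while the identity
        // keeps the default ClaimTypes.Role. IsInRole consults only claims whose
        // type equals RoleClaimType, so the "Administrators" claim is invisible.
        const string groupType = "http://example.local/claims/group";
        var mismatched = BuildPrincipal("CONTOSO\\alice",
            new[] { "Administrators" }, groupType, ClaimTypes.Role);
        Console.WriteLine("alice, role claims under a different type: "
            + IsAllowed(mismatched, "Administrators"));

        // Application-side repair: tell the identity which claim type carries roles.
        // The AD FS-side repair is to emit the standard role claim type as in the rule.
        var repaired = BuildPrincipal("CONTOSO\\alice",
            new[] { "Administrators" }, groupType, groupType);
        Console.WriteLine("alice, RoleClaimType set to that type: "
            + IsAllowed(repaired, "Administrators"));

        // Dumping the role claims is the quickest way to see what AD FS actually sent.
        foreach (var c in admin.FindAll(AdfsRoleClaimType))
            Console.WriteLine("role claim: " + c.Value + " (issuer " + c.Issuer + ")");
    }
}
```

Compile it as a console application and run it. If the checks here pass for a principal built the way your token arrives but [Authorize] still rejects the user in the site, the problem is upstream of the attribute: either the claim rule is not emitting the role claim type shown, or the group names in the token do not match the strings in Roles= / allow roles= exactly.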