
We have an MVC 5 web app that uses ADFS 4 authentication. I'm trying to find the best place where I can add additional claims into the ClaimsPrincipal, after authentication has been completed.

Are there any events I can access, like OnAuthenticated? How do I access this kind of event?

This is what I intend to use once I can access the event:

IOwinContext context = Request.GetOwinContext();

// appRoles: the application's own roles for the signed-in user, resolved server-side.
if (appRoles != null)
{
    // Copy the current identity and append one role claim per application role.
    ClaimsIdentity claimsIdentity = new ClaimsIdentity(System.Web.HttpContext.Current.User.Identity);

    foreach (var role in appRoles)
    {
        claimsIdentity.AddClaim(new Claim("http://schemas.microsoft.com/ws/2008/06/identity/claims/role", role));
    }

    // Re-issue the authentication cookie so the added claims persist across requests.
    context.Authentication.AuthenticationResponseGrant = new AuthenticationResponseGrant
        (new ClaimsPrincipal(claimsIdentity), new AuthenticationProperties { IsPersistent = true });
}

EDIT: This is what my App_Data\Startup.Auth.cs file looks like:

public partial class Startup
{
    private static string realm = ConfigurationManager.AppSettings["ida:Wtrealm"];
    private static string adfsMetadata = ConfigurationManager.AppSettings["ida:ADFSMetadata"];

    public void ConfigureAuth(IAppBuilder app)
    {
        app.SetDefaultSignInAsAuthenticationType(CookieAuthenticationDefaults.AuthenticationType);

        app.UseCookieAuthentication(new CookieAuthenticationOptions
        {
            CookieManager = new SystemWebCookieManager()
        });

        app.UseWsFederationAuthentication(
            new WsFederationAuthenticationOptions
            {
                Wtrealm = realm,
                MetadataAddress = adfsMetadata
            });
    }
}
joym8
  • This project was created several years ago. Never had this need until a couple of weeks ago. And it seems OWIN/Katana is no longer in the buzz. Maybe we need to switch over to another client side authentication library? https://learn.microsoft.com/en-us/aspnet/core/security/authentication/community?view=aspnetcore-3.1 – joym8 Jan 30 '20 at 17:57

1 Answer

I encountered a similar problem and managed to find a way to add additional claims after ADFS login in my MVC 5 app. More info can be found at the MSDN link.

Here is the code from that link. First, create a new ClaimsAuthenticationManager subclass and add the additional claims inside it:

using System.Security.Claims;

// Invoked by the WIF (System.IdentityModel) pipeline after the incoming token
// has been validated, so claims added here become part of the session principal.
public class SimpleClaimsAuthenticatonManager : ClaimsAuthenticationManager
{
    public override ClaimsPrincipal Authenticate(string resourceName, ClaimsPrincipal incomingPrincipal)
    {
        // Only enrich authenticated principals; leave anonymous requests untouched.
        if (incomingPrincipal != null && incomingPrincipal.Identity.IsAuthenticated)
        {
            ((ClaimsIdentity)incomingPrincipal.Identity).AddClaim(new Claim(ClaimTypes.Role, "User"));
        }
        return incomingPrincipal;
    }
}

Afterwards, register this class in the web.config file under the identityConfiguration element:

<system.identityModel>  
   <identityConfiguration>  
     <claimsAuthenticationManager type="ENTER YOUR NAMESPACE HERE.SimpleClaimsAuthenticatonManager, ENTER PROJECT NAME HERE" />  
     ...  
   </identityConfiguration>  
</system.identityModel> 
Ognjen Babic
  • Tried this but it didn't add the claim to the list of claims. At least it didn't show up in `@foreach (System.Security.Claims.Claim claim in System.Security.Claims.ClaimsPrincipal.Current.Claims)` Also - I did not have `system.identityModel` in my web.config. It used to be in my older projects but VS did not add it in new project. So I simply added it manually. – joym8 Feb 09 '20 at 03:51
  • Not sure about your logic for getting claims for the current user, never used it before. Here is what I'm using: `var identity = (ClaimsIdentity)User.Identity; IEnumerable claims = identity.Claims;` – Ognjen Babic Feb 09 '20 at 19:26
  • `var identity = (ClaimsIdentity)User.Identity; IEnumerable claims = identity.Claims;` gives the same result. I'm guessing it has to do with how authentication is set up in my project. Did you see my edit? – joym8 Feb 10 '20 at 00:13
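The ClaimsAuthenticationManager hook in the answer belongs to the WIF pipeline (System.IdentityModel.Services and its HTTP modules, configured under system.identityModel). The Startup.Auth.cs in the question instead uses the OWIN/Katana WS-Federation middleware, which never consults that configuration section; in Katana the equivalent hook is the SecurityTokenValidated notification on WsFederationAuthenticationOptions. It fires once per sign-in, after the middleware has validated the token's signature, issuer and audience, and before the cookie middleware serialises the identity into the session cookie. The following is an added example and is not code from the question or the answer: it keeps the question's Startup shape and substitutes a constructed in-memory role table keyed by the UPN claim, plus a hypothetical issuer label "LocalApp", for a real database lookup.

```csharp
using System;
using System.Collections.Generic;
using System.Configuration;
using System.Linq;
using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.Owin.Host.SystemWeb;
using Microsoft.Owin.Security.Cookies;
using Microsoft.Owin.Security.WsFederation;
using Owin;

public partial class Startup
{
    private static string realm = ConfigurationManager.AppSettings["ida:Wtrealm"];
    private static string adfsMetadata = ConfigurationManager.AppSettings["ida:ADFSMetadata"];

    public void ConfigureAuth(IAppBuilder app)
    {
        app.SetDefaultSignInAsAuthenticationType(CookieAuthenticationDefaults.AuthenticationType);

        app.UseCookieAuthentication(new CookieAuthenticationOptions
        {
            CookieManager = new SystemWebCookieManager()
        });

        app.UseWsFederationAuthentication(new WsFederationAuthenticationOptions
        {
            Wtrealm = realm,
            MetadataAddress = adfsMetadata,
            Notifications = new WsFederationAuthenticationNotifications
            {
                // Runs after the ADFS token has been validated and before the
                // identity is written into the cookie, so the added claims persist
                // for the whole session without re-issuing the cookie per request.
                SecurityTokenValidated = notification =>
                {
                    AppRoleEnricher.AddApplicationRoles(notification.AuthenticationTicket.Identity);
                    return Task.FromResult(0);
                }
            }
        });
    }
}

public static class AppRoleEnricher
{
    // Constructed sample data (assumption) standing in for the application's own
    // role store. Roles must be resolved server-side from a trusted source;
    // nothing in the request may influence them.
    private static readonly Dictionary<string, string[]> SampleRoleStore =
        new Dictionary<string, string[]>(StringComparer.OrdinalIgnoreCase)
        {
            { "alice@corp.example", new[] { "Admin", "Reader" } },
            { "bob@corp.example",   new[] { "Reader" } }
        };

    // Hypothetical issuer label so locally added roles are distinguishable
    // from the ones ADFS issued (Claim.Issuer).
    private const string LocalIssuer = "LocalApp";

    public static void AddApplicationRoles(ClaimsIdentity identity)
    {
        if (identity == null || !identity.IsAuthenticated)
        {
            return;
        }

        // Key the lookup on the UPN that ADFS issued; fall back to the name claim.
        Claim subject = identity.FindFirst(ClaimTypes.Upn) ?? identity.FindFirst(ClaimTypes.Name);
        if (subject == null)
        {
            return;
        }

        string[] roles;
        if (!SampleRoleStore.TryGetValue(subject.Value, out roles))
        {
            return;
        }

        // ClaimTypes.Role is the default RoleClaimType of ClaimsIdentity, so
        // [Authorize(Roles = "Admin")] and User.IsInRole("Admin") see these claims.
        // Skip roles ADFS already sent to avoid duplicates.
        foreach (string role in roles.Where(r => !identity.HasClaim(ClaimTypes.Role, r)))
        {
            identity.AddClaim(new Claim(ClaimTypes.Role, role, ClaimValueTypes.String, LocalIssuer));
        }
    }
}
```

Compared with setting AuthenticationResponseGrant on every request as the question proposes, this adds the roles once at sign-in; the trade-off is that a role change in the store only takes effect at the next sign-in, because the claims live in the cookie for its lifetime.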