
To add ADFS 3.0 authentication in our SPA we use the JavaScript sample and one (wsfed) external identity provider, and we also add a local API for the SPA client.

We also added a custom view to the login process, where the user could "Select WorkingContext" and we could set an additional claim.

Problem: How to add and retrieve that additional claim?

Since we simply need a few of the claims from WS-Federation, we've made a super simple callback where we just do the following (I'm answering the questions from the docs):

Handling the callback and signing in the user

  1. inspect the identity returned by the external provider.
    • Yes, we get correct claims from wsfed
  2. make a decision how you want to deal with that user. This might be different based on the fact if this is a new user or a returning user. New users might need additional steps and UI before they are allowed in.
    • No additional steps required
  3. probably create a new internal user account that is linked to the external provider.
    • No, we don't need the user, we just need a few of the claims from wsfed, so we just return a TestUser based on the wsfed sub in FindUserFromExternalProvider
  4. store the external claims that you want to keep.
    • Do we need to store the claims, will the claims not be embedded in the jwt token, and the token simply validated?
  5. delete the temporary cookie
    • ok
  6. sign-in the user
    • Here we would like to show a custom ui where the user should select a "workingcontext", and we could add the "workingcontext" as an additional claim.

Assuming the above is valid, how can we in step 6 add the extra claim?

await _events.RaiseAsync(new UserLoginSuccessEvent(provider, providerUserId, user.SubjectId, user.Username, true, context?.ClientId)); doesn't seem to give any way to add claims.

This is how we try to pass the additional claims through the login process:

    // Build the IdentityServer principal for the local sign-in; the claims in
    // AdditionalClaims are written into the authentication cookie alongside
    // the sub (user.SubjectId) and the identity provider name.
    var isuser = new IdentityServerUser(user.SubjectId)
    {
        DisplayName = user.Username,
        IdentityProvider = provider,
        AdditionalClaims = additionalLocalClaims
    };

    // Issue the local authentication cookie (localSignInProps carries the
    // sign-in scheme options, e.g. persistence/expiry).
    await HttpContext.SignInAsync(isuser, localSignInProps);
Larsi

1 Answer


We just need to implement the IProfileService, that's all.

Larsi
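The answer leaves the implementation to the reader, so here is a worked example of what "implement the IProfileService" looks like for step 6 of the question. This is added example code, not code from the question, the answer or IdentityServer4 itself. It assumes IdentityServer4, that the working context chosen in the custom view was added at sign-in through IdentityServerUser.AdditionalClaims, and that the claim type is a hypothetical "working_context"; the list of contexts a user is allowed to pick is a constructed placeholder.

```csharp
// Added example (not from the original question or answer). Assumes IdentityServer4.
using System;
using System.Collections.Generic;
using System.Linq;
using System.Security.Claims;
using System.Threading.Tasks;
using IdentityServer4.Models;
using IdentityServer4.Services;

public class WorkingContextProfileService : IProfileService
{
    // Hypothetical claim type for the working context selected in the custom view.
    public const string WorkingContextClaimType = "working_context";

    // Called whenever IdentityServer builds identity/access tokens or the
    // userinfo response. context.Subject is the principal that was signed in
    // with HttpContext.SignInAsync, so it already carries AdditionalClaims.
    public Task GetProfileDataAsync(ProfileDataRequestContext context)
    {
        // Pass through the standard claims the client requested via its scopes.
        context.AddRequestedClaims(context.Subject.Claims);

        // Always include the working context, even if no scope asks for it,
        // so both the SPA and the local API can read it from the token.
        var workingContext = context.Subject.FindFirst(WorkingContextClaimType);
        if (workingContext != null &&
            !context.IssuedClaims.Any(c => c.Type == WorkingContextClaimType))
        {
            context.IssuedClaims.Add(new Claim(WorkingContextClaimType, workingContext.Value));
        }

        return Task.CompletedTask;
    }

    public Task IsActiveAsync(IsActiveContext context)
    {
        // No local user store: the user only exists via WS-Federation, so a
        // valid session is the only "active" check available here.
        context.IsActive = true;
        return Task.CompletedTask;
    }
}

// Used in the external callback (step 6) before the claim is put into
// AdditionalClaims. The selected value comes from a form post, so it must be
// checked server-side against what this user may actually choose; the allowed
// set would normally be derived from the WS-Federation claims or a lookup.
public static class WorkingContextSelection
{
    public static Claim ToClaim(string selected, IEnumerable<string> allowedForUser)
    {
        if (string.IsNullOrWhiteSpace(selected) || !allowedForUser.Contains(selected))
        {
            throw new InvalidOperationException("Selected working context is not permitted for this user.");
        }
        return new Claim(WorkingContextProfileService.WorkingContextClaimType, selected);
    }

    // Constructed placeholder for the callback flow: the real allowed list and
    // the posted value would come from the user's wsfed claims and the form.
    public static List<Claim> BuildAdditionalClaims(string postedWorkingContext)
    {
        var allowed = new[] { "finance", "logistics" }; // constructed sample values
        return new List<Claim> { ToClaim(postedWorkingContext, allowed) };
    }
}

// Registration in Startup.ConfigureServices:
//   services.AddIdentityServer()
//           ...
//           .AddProfileService<WorkingContextProfileService>();
```

With this in place the sign-in code from the question stays as it is: `BuildAdditionalClaims` produces the `additionalLocalClaims` passed to `IdentityServerUser`, the cookie stores the claim, and `GetProfileDataAsync` copies it into every token, so nothing has to be persisted separately (the concern raised in step 4). Note that `AddRequestedClaims` only emits claim types covered by the client's scopes, which is why the working context is added explicitly.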