I am working on a project, based on this solution: https://github.com/Azure-Samples/active-directory-dotnet-webapp-wsfederation

Currently, the way I have the user authenticate is by default. When the page loads, I call my login script:

' Imports needed by this method (GetOwinContext() is the System.Web extension from Microsoft.Owin.Host.SystemWeb).
Imports System.Web
Imports Microsoft.Owin.Security
Imports Microsoft.Owin.Security.WsFederation

' Runs on page load. Challenge() asks the WS-Federation middleware to redirect
' the visitor to the identity provider; the redirect itself happens later,
' when the response is sent, not inside this Try block.
Public Sub SignIn()
    If Not Request.IsAuthenticated Then
        Try
            Dim newAuth As New AuthenticationProperties()
            newAuth.RedirectUri = "/"

            HttpContext.Current.GetOwinContext().Authentication.Challenge(newAuth, WsFederationAuthenticationDefaults.AuthenticationType)
        Catch ex As Exception
            ' Swallowed silently; nothing is logged or shown.
        End Try
    End If
End Sub

EDIT: To add more context, here is my code for APP_START/Startup.Auth.vb:

Imports System.Configuration
Imports System.Globalization
Imports System.Threading.Tasks
Imports Microsoft.Owin.Security.Cookies
Imports Microsoft.Owin.Security.WsFederation
Imports Owin

Partial Public Class Startup

    Private realm As String = ConfigurationManager.AppSettings("ida:RPIdentifier")
    Private aadInstance As String = ConfigurationManager.AppSettings("ida:AADInstance")
    Private tenant As String = ConfigurationManager.AppSettings("ida:Tenant")
    ' Federation metadata document; the middleware downloads it the first time it needs it.
    Private metadata As String = String.Format("{0}/FederationMetadata/2007-06/FederationMetadata.xml", aadInstance)
    Private authority As String = String.Format(CultureInfo.InvariantCulture, aadInstance, tenant)

    Public Sub ConfigureAuth(app As IAppBuilder)
        Try
            app.SetDefaultSignInAsAuthenticationType(CookieAuthenticationDefaults.AuthenticationType)
            app.UseCookieAuthentication(New CookieAuthenticationOptions())

            app.UseWsFederationAuthentication(New WsFederationAuthenticationOptions() With {
                .Wtrealm = realm,
                .MetadataAddress = metadata,
                .Notifications = New WsFederationAuthenticationNotifications() With {
                    .AuthenticationFailed = Function(context)
                                                ' Raised when a returned token fails processing; the
                                                ' redirect path that downloads the metadata does not raise it.
                                                context.HandleResponse()
                                                ' Absolute path, and the message is encoded before it goes into the query string.
                                                context.Response.Redirect("/Home/Error?message=" & Uri.EscapeDataString(context.Exception.Message))
                                                Return Task.FromResult(0)
                                            End Function
                }
            })
        Catch ex As Exception
            Throw   ' rethrow without resetting the stack trace
        End Try
    End Sub

End Class

What I want to avoid, though, is this: if someone from outside our network views the site, I don't want them to be redirected to the Azure Single Sign On login page. I just want them to proceed to the website, where my code will handle what they can see and do. I will, eventually, add a login button that will take them to the login page, in the event they are just off site. But, for now, how do I skip the login page?

Second, I want to handle the possibility that Azure ADFS is down. In this case, I just want the user to be redirected to the website, as unauthenticated users. I test this by disconnecting from the Internets and running my app. I've tried using Try blocks, but I still get these errors:

The remote name could not be resolved: 'adfs.myCompany.com'

IOException: Unable to get document from: https://adfs.myCompany.com/FederationMetadata/2007-06/FederationMetadata.xml

[InvalidOperationException: IDX10803: Unable to create to obtain configuration from: 'https://adfs.myCompany.com/FederationMetadata/2007-06/FederationMetadata.xml'.]

Are these settings I should be making in Azure or in my code? Any help, with either of these issues, would be great. If needed, I can also add my Startup.Auth.vb code, as well.

thanks

dropoutcoder: What are you trying to solve? What will be the benefit? How can you possibly check if someone is inside your network? Based on IP address range?

jason: @cloudikka The scenario I am trying to address is if someone views my webpage and is not auto Single Signed On. Usually, if the user is not on the network, they will be brought to a generic sign in page. I do not want that to happen. I want them to proceed to my website, where I will limit what they can see. I will then provide a link where they can go and sign in, if they wish. Not everyone who views my site will be a member of our network, so therefore they should not be required to be redirected. Also, there are times when our Azure ADFS is not reachable, so I want to handle that error too.

dropoutcoder: Auto-redirect to ADFS is happening whenever the user is not authorized. So, I assume you have an Authorize attribute defined in global filters, as you are saying users are redirected automatically to the authentication provider. Correct?
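Added example, not code from the question or from the Azure sample: a login action that moves the Challenge() out of page load, so visitors who never click the login link keep browsing anonymously, and that probes the metadata endpoint before challenging, so an unreachable ADFS sends the user back to the site instead of the IDX10803 error page. It assumes an MVC AccountController, the same ida:AADInstance setting as the question, and that the WsFederationAuthenticationOptions in Startup.Auth.vb also get .AuthenticationMode = AuthenticationMode.Passive so a bare 401 from an Authorize attribute no longer redirects on its own.

```vb
Imports System
Imports System.Configuration
Imports System.Net.Http
Imports System.Threading.Tasks
Imports System.Web
Imports System.Web.Mvc
Imports Microsoft.Owin.Security
Imports Microsoft.Owin.Security.WsFederation

Public Class AccountController
    Inherits Controller

    ' Same metadata URL the question builds in Startup.Auth.vb (assumed setting name).
    Private Shared ReadOnly MetadataUrl As String = String.Format("{0}/FederationMetadata/2007-06/FederationMetadata.xml",
                                                                  ConfigurationManager.AppSettings("ida:AADInstance"))

    ' GET /Account/SignIn: reached only from the login link, never on page load.
    Public Async Function SignIn() As Task(Of ActionResult)
        If Request.IsAuthenticated Then Return RedirectToAction("Index", "Home")

        ' Challenge() only records the challenge; the middleware downloads the metadata
        ' and issues the redirect later, while the response is being sent, so a Try
        ' around Challenge() never sees IDX10803. Probe first and fail open to anonymous.
        If Not Await MetadataReachableAsync() Then
            TempData("LoginError") = "Sign-in is temporarily unavailable."
            Return RedirectToAction("Index", "Home")
        End If

        HttpContext.GetOwinContext().Authentication.Challenge(
            New AuthenticationProperties() With {.RedirectUri = "/"},
            WsFederationAuthenticationDefaults.AuthenticationType)
        Return New EmptyResult()   ' Challenge() already set the 401 the middleware reacts to
    End Function

    ' Short, bounded probe: a down ADFS costs one timeout, not a 500 page.
    Private Shared Async Function MetadataReachableAsync() As Task(Of Boolean)
        Try
            Using client As New HttpClient() With {.Timeout = TimeSpan.FromSeconds(5)}
                Using response As HttpResponseMessage = Await client.GetAsync(MetadataUrl)
                    Return response.IsSuccessStatusCode
                End Using
            End Using
        Catch ex As HttpRequestException   ' DNS failure, connection refused
            Return False
        Catch ex As TaskCanceledException  ' timeout
            Return False
        End Try
    End Function
End Class
```

The home page can render TempData("LoginError") when present, and the login link simply points at /Account/SignIn.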

1 Answer

Unfortunately, using the samples Microsoft provides will enforce auto sign-on. That being said, there are two options:

  1. Choose a different authentication scheme
  2. Use an Azure application with an OAuth code flow to sign in when a user clicks the login link, then read the user's profile and determine their authorization rights.

If I misunderstood, please let me know. Hope this helps!