Episerver mixed-mode authentication
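namespace MyNamespace.Web
{
    /// <summary>
    /// OWIN startup for an Episerver site that accepts two kinds of sign-in side by side:
    /// WS-Federation (e.g. ADFS) for federated users, and the local ASP.NET Identity
    /// application cookie for users stored in the CMS database.
    /// </summary>
    public class Startup
    {
        // Episerver's built-in logout URL; remapped below so that a logout also clears the federated sign-in.
        const string LogoutUrl = "/util/logout.aspx";

        /// <summary>
        /// Registers the authentication middleware. Order matters: the WS-Federation cookie and
        /// middleware are registered first and become the default challenge, the local application
        /// cookie second, and a stage marker pins everything to the Authenticate stage.
        /// </summary>
        /// <param name="app">The OWIN application builder supplied by the host.</param>
        /// <exception cref="InvalidOperationException">
        /// Thrown when the <c>AdfsWtRealm</c> app setting is missing, so a misconfigured site
        /// fails at startup instead of sending an empty realm to the federation server.
        /// </exception>
        public void Configuration(IAppBuilder app)
        {
            // Add CMS integration for ASP.NET Identity
            app.AddCmsAspNetIdentity<ApplicationUser>();

            // Value of Wtrealm must *exactly* match what is configured in the federation server.
            var wtRealm = ConfigurationManager.AppSettings["AdfsWtRealm"];
            if (string.IsNullOrEmpty(wtRealm))
            {
                throw new InvalidOperationException("The 'AdfsWtRealm' app setting is required for WS-Federation authentication.");
            }

            // Federated authentication. Unauthenticated requests are challenged with WS-Federation by default;
            // the cookie middleware with the same AuthenticationType persists the session after the token is validated.
            app.SetDefaultSignInAsAuthenticationType(WsFederationAuthenticationDefaults.AuthenticationType);
            app.UseCookieAuthentication(new CookieAuthenticationOptions
            {
                AuthenticationType = WsFederationAuthenticationDefaults.AuthenticationType
            });
            app.UseWsFederationAuthentication(new WsFederationAuthenticationOptions()
            {
                // URL to the federation server metadata. The token signing keys are taken from this document,
                // so it must be fetched over HTTPS from a host you trust.
                MetadataAddress = "https://myadfsserver.com/FederationMetadata/2007-06/FederationMetadata.xml",
                Wtrealm = wtRealm,
                Notifications = new WsFederationAuthenticationNotifications()
                {
                    RedirectToIdentityProvider = (ctx) =>
                    {
                        // To avoid a redirect loop to the federation server send 403 when the user is
                        // authenticated but does not have access. User/Identity may be unset on a request
                        // with no principal, so check before dereferencing.
                        var user = ctx.OwinContext.Authentication.User;
                        var isAuthenticated = user != null && user.Identity != null && user.Identity.IsAuthenticated;
                        if (ctx.OwinContext.Response.StatusCode == 401 && isAuthenticated)
                        {
                            ctx.OwinContext.Response.StatusCode = 403;
                            ctx.HandleResponse();
                        }
                        return Task.FromResult(0);
                    },
                    SecurityTokenValidated = (ctx) =>
                    {
                        var properties = ctx.AuthenticationTicket.Properties;

                        // Keep only the path and query of the post-login redirect target. This ensures a redirect
                        // to HTTPS does not bounce back to HTTP, and as a side effect keeps the redirect on this site.
                        // RedirectUri is not always set, and new Uri(null) would throw.
                        if (!string.IsNullOrEmpty(properties.RedirectUri))
                        {
                            var redirectUri = new Uri(properties.RedirectUri, UriKind.RelativeOrAbsolute);
                            if (redirectUri.IsAbsoluteUri)
                            {
                                properties.RedirectUri = redirectUri.PathAndQuery;
                            }
                        }

                        // Sync the user and roles to Episerver in the background. The returned task is
                        // deliberately not awaited, so a sync failure does not fail the sign-in.
                        ServiceLocator.Current.GetInstance<ISynchronizingUserService>().SynchronizeAsync(ctx.AuthenticationTicket.Identity);
                        return Task.FromResult(0);
                    }
                }
            });

            // Local Episerver authentication (ASP.NET Identity application cookie).
            app.UseCookieAuthentication(new CookieAuthenticationOptions
            {
                AuthenticationType = DefaultAuthenticationTypes.ApplicationCookie,
                LoginPath = new PathString("/Login"),
                Provider = new CookieAuthenticationProvider
                {
                    // Enables the application to validate the security stamp when the user logs in.
                    // This is a security feature which is used when you change a password or add an external login
                    // to your account: a cookie issued before such a change is rejected at the next validation.
                    OnValidateIdentity = SecurityStampValidator.OnValidateIdentity<ApplicationUserManager<ApplicationUser>, ApplicationUser>(
                        validateInterval: TimeSpan.FromMinutes(30),
                        regenerateIdentity: (manager, user) => manager.GenerateUserIdentityAsync(user))
                }
            });

            // Add stage marker to make sure WsFederation runs on Authenticate (before URL Authorization and virtual roles)
            app.UseStageMarker(PipelineStage.Authenticate);

            // Remap logout to a federated logout. SignOut() with no authentication types revokes every active
            // authentication middleware, i.e. both cookies and the WS-Federation session.
            app.Map(LogoutUrl, map =>
            {
                map.Run(ctx =>
                {
                    ctx.Authentication.SignOut();
                    return Task.FromResult(0);
                });
            });

            // Tell antiforgery to use the name claim. Both the federated and the local identity need to carry
            // this claim, otherwise antiforgery validation cannot bind the token to the user.
            AntiForgeryConfig.UniqueClaimTypeIdentifier = ClaimTypes.Name;
        }
    }
}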