How to enable role management using federation ?

Question
-
User-1490494432 posted
Hello,
My goal is to use role access defined in the sitemap but with federation authentication.
I have implemented the following solution to add a role claim based on the user's Group.
Here is my custom transformation:
    using System;
    using System.Collections.Generic;
    using System.Linq;
    using System.Text;
    using System.Threading.Tasks;
    using System.Security.Principal;
    using System.Security.Claims;

    namespace MyClaimsTransformationModule
    {
        public class ClaimsTransformationModule : ClaimsAuthenticationManager
        {
            public override ClaimsPrincipal Authenticate(string resourceName, ClaimsPrincipal incomingPrincipal)
            {
                bool isAdmin = false;
                if (incomingPrincipal != null && incomingPrincipal.Identity.IsAuthenticated == true)
                {
                    foreach (Claim claim in incomingPrincipal.Claims)
                    {
                        if (claim.Type == "http://schemas.xmlsoap.org/claims/Group" && claim.Value == "net\\!VAL ADMIN")
                        {
                            ((ClaimsIdentity)incomingPrincipal.Identity).AddClaim(new Claim(ClaimTypes.Role, "Admin"));
                            isAdmin = true;
                            break;
                        }
                    }
                    if (!isAdmin)
                    {
                        ((ClaimsIdentity)incomingPrincipal.Identity).AddClaim(new Claim(ClaimTypes.Role, "User"));
                    }
                }
                return incomingPrincipal;
            }
        }
    }
And I can see the Admin/User role claim displayed in my default page, based on the group I set in the if condition.
Now I don't know how to link the role claims to the roles defined in the sitemap and make things work.
I want, for example, to enable both the Admin and User roles in the default page:
<siteMapNode title="Settings" url="Default.aspx" description="Manage advanced CODA settings" roles="Admin,User">
Do you think that it's possible?
Friday, December 12, 2014 6:22 AM
Answers
-
User-1490494432 posted
I finally found the issue.
It was the namespace that had been added to my XmlSiteMapDefaultProvider class when I created it.
So I updated the provider type in the web.config by adding the namespace, and now it works like a charm with the sitemap handled like I want.

    <siteMap enabled="true" defaultProvider="XmlSiteMapDefaultProvider">
      <providers>
        <add name="XmlSiteMapDefaultProvider"
             type="namespace.XmlSiteMapDefaultProvider"
             siteMapFile="Web.sitemap"
             securityTrimmingEnabled="true" />
      </providers>
    </siteMap>

Thanks all for your help
- Marked as answer by Anonymous Thursday, October 7, 2021 12:00 AM
Tuesday, December 16, 2014 10:46 AM
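
The thread never shows the XmlSiteMapDefaultProvider class itself. The sketch below is an added example, not the poster's code: one way such a provider can trim sitemap nodes using the role claims added in Authenticate(). The namespace is an assumption, and the code assumes the federation modules have set HttpContext.User to the transformed ClaimsPrincipal.

```csharp
using System;
using System.Web;

// Assumed namespace: whatever it is, web.config must reference the provider
// as type="<namespace>.XmlSiteMapDefaultProvider".
namespace MyClaimsTransformationModule
{
    // Hypothetical provider written for this example (the poster's class is not on the page).
    public class XmlSiteMapDefaultProvider : XmlSiteMapProvider
    {
        public override bool IsAccessibleToUser(HttpContext context, SiteMapNode node)
        {
            if (context == null) throw new ArgumentNullException("context");
            if (node == null) throw new ArgumentNullException("node");

            // With trimming switched off, every node is shown.
            if (!SecurityTrimmingEnabled) return true;

            // Fail closed for a missing or unauthenticated principal.
            var user = context.User;
            if (user == null || user.Identity == null || !user.Identity.IsAuthenticated)
                return false;

            // No roles="..." on the node: keep the stock URL/file authorization check.
            if (node.Roles == null || node.Roles.Count == 0)
                return base.IsAccessibleToUser(context, node);

            // ClaimsPrincipal.IsInRole matches the ClaimTypes.Role claims
            // ("Admin" / "User") added in ClaimsAuthenticationManager.Authenticate().
            foreach (string role in node.Roles)
            {
                string trimmed = role.Trim();
                if (trimmed == "*" || user.IsInRole(trimmed))
                    return true;
            }

            // Roles were listed on the node and none matched: hide it.
            return false;
        }
    }
}
```

Security trimming only hides nodes in navigation controls; a direct request for the page is still decided by the <authorization> rules in web.config. Those rules are evaluated in order and fall through to the default allow for all users unless a final <deny users="*" /> follows the <allow roles="..."> entry.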
All replies
-
User-1151753377 posted
Hi
Welcome to the ASP.NET forum.
Yes, I think it is possible to set two roles for a page.
Something like this in the web.config file:
<allow roles="Admin,User"/>
For more information, please refer to the links below; I hope they will give you some ideas.
http://forums.asp.net/t/1177624.aspx?Roles+SiteMap
http://msdn.microsoft.com/en-us/library/ms178428(v=vs.100).aspx
Other information about Federated security.
Best Regards,
Summer
Sunday, December 14, 2014 9:29 PM -
User-1490494432 posted
I have added the site map provider and allow roles:

    <system.web>
      <httpRuntime requestValidationMode="2.0" />
      <authorization>
        <deny users="?" />
        <allow roles="Admin,User" />
      </authorization>
      <authentication mode="None" />
      <customErrors mode="Off" />
      <compilation debug="true" targetFramework="4.5" />
      <pages controlRenderingCompatibilityVersion="4.5" />
      <siteMap defaultProvider="XmlSiteMapProvider" enabled="true">
        <providers>
          <add name="XmlSiteMapProvider"
               description="SiteMap provider which reads in .sitemap XML files."
               type="System.Web.XmlSiteMapProvider, System.Web, Version=2.0.3600.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"
               siteMapFile="web.sitemap"
               securityTrimmingEnabled="true"/>
        </providers>
      </siteMap>
    </system.web>

But now I need to update the current user's role from the role claim.
How can I do that?
Monday, December 15, 2014 11:18 AM -
User-1151753377 posted
Hi
Please try the Membership.UpdateUser method:
http://msdn.microsoft.com/en-us/library/system.web.security.membership.updateuser(v=vs.110).aspx
For other information, please refer to the link below; I hope it is helpful for you.
http://www.asp.net/web-forms/overview/older-versions-security/roles/assigning-roles-to-users-cs
Summer
Tuesday, December 16, 2014 3:11 AM -
User-1490494432 posted
Roles are based on a membership table that I don't have and that I don't want to set up.
I want to set up the current user's role dynamically based on the Group claims I get, and then allow page access based on the sitemap and roles.
It seems that I can't use roles without setting up a membership table to store user details.
Tuesday, December 16, 2014 4:54 AM -
User-1490494432 posted
I did some checks, and my claimsPrincipal has the role Admin or User based on the Group claim I check in my Authenticate().
So in the Page_Load() of my default page, claimsPrincipal.IsInRole("Admin") returns true when I set a Group that I own.
But the sitemap is not handled.
I found this post that handles the subject, but now I get another error:
Could not load type 'XmlSiteMapDefaultProvider'
I have added the class in my project and added the siteMap node in the web.config:

    <siteMap enabled="true" defaultProvider="XmlSiteMapDefaultProvider">
      <providers>
        <add name="XmlSiteMapDefaultProvider"
             type="XmlSiteMapDefaultProvider"
             siteMapFile="Web.sitemap"
             securityTrimmingEnabled="true" />
      </providers>
    </siteMap>

Did I miss something somewhere?
Tuesday, December 16, 2014 10:06 AM