Azure Active Directory Authentication + OWIN: Where is the Provider to use in Startup.Auth?

Question
-
Hello,
I have a web app that was created in VS2013, which is fully updated, and targets .NET 4.5.1. Authentication is provided by Azure Active Directory, and it is working properly. I need to add two custom claim types into the identity of authenticated users of the web app. With OWIN, it seems that things have changed, and I can do something like the following code, rather than writing a custom claim handler. Unfortunately, it seems that there is no Provider defined when using WsFederationAuthentication, so I may not be able to use this simple code change. I'd really appreciate being told how to accomplish adding a few custom claim types in a modern web app built with OWIN and using Azure Active Directory for authentication.
Thank you for your time and suggestions,
Mike
// From Startup.Auth.cs
public void ConfigureAuth(IAppBuilder app)
{
    app.SetDefaultSignInAsAuthenticationType(WsFederationAuthenticationDefaults.AuthenticationType);
    app.UseCookieAuthentication(
        new CookieAuthenticationOptions
        {
            AuthenticationType =
                WsFederationAuthenticationDefaults.AuthenticationType
        });
    app.UseWsFederationAuthentication(
        new WsFederationAuthenticationOptions
        {
            MetadataAddress = "https://login.windows.net/expirationtrax.com/federationmetadata/2007-06/federationmetadata.xml",
            Wtrealm = "http://localhost:63191/",
            Provider = new ??????????????????Provider // WHAT SHOULD WE USE HERE FOR AZURE ACTIVE DIRECTORY'S PROVIDER?
            {
                OnAuthenticated = (context) =>
                {
                    context.Identity.AddClaim(new Claim("http://schemas.aboh/identity/claims/accountid", "123", "ET"));
                    context.Identity.AddClaim(new Claim("http://schemas.aboh/identity/claims/userid", "1234", "ET"));
                }
            }
        });
}
Sunday, August 3, 2014 3:30 AM
Answers
-
After a lot of searching and research, I've cobbled together the following code and it seems to work. I'd appreciate a sanity check as to its correctness.
Thanks,
Mike
// Startup.Auth.cs
using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.Owin.Security.Cookies;
using Microsoft.Owin.Security.WsFederation;
using Owin;

public partial class Startup
{
    public void ConfigureAuth(IAppBuilder app)
    {
        // The WS-Federation middleware hands the validated identity to the cookie
        // middleware, so the default sign-in type is the cookie type. (Naming the cookie
        // "Federation" as well works, because the two then match, but distinct names keep
        // later Challenge/SignOut calls unambiguous.)
        app.SetDefaultSignInAsAuthenticationType(CookieAuthenticationDefaults.AuthenticationType);
        app.UseCookieAuthentication(
            new CookieAuthenticationOptions
            {
                AuthenticationType = CookieAuthenticationDefaults.AuthenticationType
            });
        app.UseWsFederationAuthentication(
            new WsFederationAuthenticationOptions
            {
                MetadataAddress = "https://login.windows.net/abcd.com/federationmetadata/2007-06/federationmetadata.xml",
                Wtrealm = "http://localhost:63191/",
                //SignOutWreply = ConfigurationManager.AppSettings["owin:SignOutWreply"],
                Notifications = new WsFederationAuthenticationNotifications()
                {
                    // Runs once per sign-in, after the token's signature and issuer have
                    // been checked against the federation metadata; claims added here end
                    // up in the protected authentication cookie.
                    SecurityTokenValidated = notification =>
                    {
                        // Claim(type, value, valueType, issuer): the three-argument overload
                        // takes a value type, not an issuer, so "ET" belongs in the last slot.
                        notification.AuthenticationTicket.Identity.AddClaim(
                            new Claim("http://schemas.aboh/identity/claims/accountid", "123", ClaimValueTypes.String, "ET"));
                        notification.AuthenticationTicket.Identity.AddClaim(
                            new Claim("http://schemas.aboh/identity/claims/userid", "321", ClaimValueTypes.String, "ET"));
                        return Task.FromResult(0);
                    }
                }
            });
    }
}
- Marked as answer by SadiqhAhmed-MSFT (Microsoft employee), Wednesday, October 15, 2014 2:37 PM
Sunday, August 3, 2014 3:53 AM
All replies
-
Glad you found a solution. I am wondering why you are using federation instead of OpenID Connect?
Also, regarding adding extra claims: can you provide code that would allow such claims to be updated later on, and ideally from within the OWIN pipeline?
Jose.
- Proposed as answer by Imtiaz Hussain, Monday, September 15, 2014 10:22 PM
- Marked as answer by SadiqhAhmed-MSFT (Microsoft employee), Wednesday, October 15, 2014 2:37 PM
- Unmarked as answer by SadiqhAhmed-MSFT (Microsoft employee), Wednesday, October 15, 2014 2:37 PM
Tuesday, August 26, 2014 8:35 PM
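A fuller version of the approach in the marked answer, added here as an example rather than taken from the thread, which also covers the question above about updating such claims later from within the OWIN pipeline. It keeps the two claim types and the "ET" issuer from the post; the in-memory Store standing in for the app's database, the claimsversion claim type, the object-id keyed lookup and the /Account/NotProvisioned page are assumptions. SecurityTokenValidated runs once per sign-in, after the middleware has validated the token's signature and issuer against the federation metadata, so the identity it hands you is trustworthy and the claims you add there are written into the encrypted and signed authentication cookie. The cookie middleware's OnValidateIdentity runs on every request that presents that cookie, which is the hook for refreshing claims without sending the user back to Azure AD.

```csharp
// Added example, not the thread's code. Assumed: the claimsversion claim type, "ET" as issuer,
// the in-memory Store standing in for a database, and the /Account/NotProvisioned page.
using System.Collections.Generic;
using System.Linq;
using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.Owin.Security;
using Microsoft.Owin.Security.Cookies;
using Microsoft.Owin.Security.WsFederation;
using Owin;

public class AccountRecord { public string AccountId; public string UserId; public int Version; }

public static class AppClaims
{
    public const string AccountId = "http://schemas.aboh/identity/claims/accountid";
    public const string UserId = "http://schemas.aboh/identity/claims/userid";
    public const string Version = "http://schemas.aboh/identity/claims/claimsversion"; // assumption
    public const string Issuer = "ET";                                                  // assumption
    // Azure AD puts the user's immutable object id in every token; key the lookup on that, never on
    // a display name, e-mail or anything else the browser could influence.
    public const string ObjectId = "http://schemas.microsoft.com/identity/claims/objectidentifier";
    // Constructed sample store keyed by object id; Version is bumped whenever a record changes.
    public static readonly Dictionary<string, AccountRecord> Store = new Dictionary<string, AccountRecord>
    {
        { "9f6c2d1e-0000-4000-8000-000000000001", new AccountRecord { AccountId = "123", UserId = "321", Version = 1 } }
    };

    public static AccountRecord Lookup(ClaimsIdentity identity)
    {
        var oid = identity.FindFirst(ObjectId);
        AccountRecord record;
        return oid != null && Store.TryGetValue(oid.Value, out record) ? record : null;
    }

    // Copy of the validated identity with the app claims (re)applied; null if the user is unknown here.
    public static ClaimsIdentity WithAppClaims(ClaimsIdentity identity)
    {
        var record = Lookup(identity);
        if (record == null) return null;
        var kept = identity.Claims.Where(c => c.Type != AccountId && c.Type != UserId && c.Type != Version);
        var fresh = new ClaimsIdentity(kept, identity.AuthenticationType, identity.NameClaimType, identity.RoleClaimType);
        fresh.AddClaim(new Claim(AccountId, record.AccountId, ClaimValueTypes.String, Issuer));
        fresh.AddClaim(new Claim(UserId, record.UserId, ClaimValueTypes.String, Issuer));
        fresh.AddClaim(new Claim(Version, record.Version.ToString(), ClaimValueTypes.Integer, Issuer));
        return fresh;
    }
}

public partial class Startup
{
    public void ConfigureAuth(IAppBuilder app)
    {
        app.SetDefaultSignInAsAuthenticationType(CookieAuthenticationDefaults.AuthenticationType);
        app.UseCookieAuthentication(new CookieAuthenticationOptions
        {
            AuthenticationType = CookieAuthenticationDefaults.AuthenticationType,
            // Runs on every request that presents the auth cookie, before any controller.
            Provider = new CookieAuthenticationProvider { OnValidateIdentity = RefreshAppClaims }
        });
        app.UseWsFederationAuthentication(new WsFederationAuthenticationOptions
        {
            MetadataAddress = "https://login.windows.net/abcd.com/federationmetadata/2007-06/federationmetadata.xml",
            Wtrealm = "http://localhost:63191/",
            Notifications = new WsFederationAuthenticationNotifications
            {
                // Runs once per sign-in, after the token's signature and issuer have been validated.
                SecurityTokenValidated = n =>
                {
                    var identity = AppClaims.WithAppClaims(n.AuthenticationTicket.Identity);
                    if (identity != null)
                        n.AuthenticationTicket = new AuthenticationTicket(identity, n.AuthenticationTicket.Properties);
                    else // valid tenant user who is not provisioned in this app: issue no cookie
                    {
                        n.HandleResponse();
                        n.Response.Redirect("/Account/NotProvisioned"); // hypothetical page
                    }
                    return Task.FromResult(0);
                }
            }
        });
    }

    // Later updates: when the version stamped into the cookie no longer matches the store,
    // rebuild the identity and re-issue the cookie. No round trip to Azure AD is needed.
    private static Task RefreshAppClaims(CookieValidateIdentityContext ctx)
    {
        var record = AppClaims.Lookup(ctx.Identity);
        if (record == null) // account removed since sign-in: end the session, do not keep stale claims
        {
            ctx.RejectIdentity();
            ctx.OwinContext.Authentication.SignOut(ctx.Options.AuthenticationType);
            return Task.FromResult(0);
        }
        var stamped = ctx.Identity.FindFirst(AppClaims.Version);
        if (stamped == null || stamped.Value != record.Version.ToString())
        {
            var fresh = AppClaims.WithAppClaims(ctx.Identity);
            ctx.ReplaceIdentity(fresh);
            ctx.Properties.IssuedUtc = ctx.Properties.ExpiresUtc = null; // clear timestamps so a brand-new cookie is written
            ctx.OwinContext.Authentication.SignIn(ctx.Properties, fresh);
        }
        return Task.FromResult(0);
    }
}
```

The version stamp is what keeps the refresh cheap: the store lookup happens on every request, but a new cookie is only written when the stamped version lags the store, and bumping Version for an account pushes the new accountid/userid into that user's next request without a fresh sign-in. If a per-request database hit is too much, check only when ctx.Properties.IssuedUtc is older than some interval. Either way, drive the lookup from the objectidentifier claim that Azure AD signed, never from a value posted by the client, or anyone could pick their own accountid.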
-
I'm marking the above post as the answer since there has been no response for a couple of days. Click "Unmark as Answer" if a marked post does not actually answer your question. We would be glad to assist further on this issue.
Regards,
Sadiqh Ahmed
Wednesday, October 15, 2014 2:37 PM