Auto sign-on with Logoff button and anonymous users

  • Question

  • User1314407993 posted

    I'm not very knowledgeable about various forms of authentication, something I need to fix ASAP. In my application, users are automatically signed on from their Active Directory credentials, which are matched against the associated user from the application database. The application has two basic entry points - logged-in users are routed to the correct dashboard based on their user groups, and anonymous users are routed to the application page. The flow goes like this:

    1. ActionFilter middleware retrieves the HttpContext.User.Identity.Name value, which is the primary email address of the Active Directory user signed on.
    2. Since a user might have one of several emails as their email in the database, the Graph API is queried for a list of that user's emails, and the logged-in user's email is checked against that list. 
    3. If the user is anonymous, they're routed to the application page. 

    A request has been made to allow users to log off and back in with an alternate email address, which is easy if users are either logged in or are required to log in, but I'm not sure how to accomplish this when I need to allow anonymous users to be sent to a particular page that allows anonymous users. I suppose as part of my logoff method, I could set some value that identifies the current user as having just logged off, and load a log-in page based on that. Any suggestions? 

    Friday, August 16, 2019 4:19 PM

All replies

  • User753101303 posted

    Hi,

    First, could you be more specific about which authentication method you are using? You are using Azure Active Directory with ADFS (and so AD) behind the scenes, maybe?

    If I understood correctly, a user can sign in using multiple mail addresses and you want the user to be recognized as the same user when he logs out and logs in again with another mail address? And so it seems your intent is to do something while the user is anonymous so that when he logs out/signs in again he is recognized as being the same user?

    I would have to check, but instead I would reconsider using the mail address as my technical identifier. I would have to check, but you should have a better claim that doesn't change (if I remember correctly, the NameIdentifier; the OnPremSid could also be useful).

    Likely overkill, but ASP.NET Identity and https://docs.microsoft.com/en-us/dotnet/api/microsoft.aspnetcore.identity.iuserloginstore-1?view=aspnetcore-2.2 are interesting to know about, i.e. you could even build a system where a user could log in using entirely different identity providers and still be recognized as the same user.

    Sunday, August 18, 2019 4:25 PM
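The following is an added example, not code posted by either participant, illustrating the reply's suggestion against the flow in the question: resolve the application user from a claim that does not change (the subject id, or an on-premises SID) instead of the e-mail address in HttpContext.User.Identity.Name, so that signing in with another alias still maps to the same database user and the per-request Graph API alias lookup becomes unnecessary. It assumes the identity provider populates ClaimTypes.NameIdentifier (what ASP.NET Core maps the token subject to), that the Azure AD optional claim "onprem_sid" is enabled on the app registration, and that the application database stores that stable value per user; the in-memory dictionary, the user names and the claim values are constructed sample data. It uses only System.Security.Claims from the BCL, so it runs as a plain console app.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Claims;

// Added example (not from the original thread): key the application user on a
// stable identity claim rather than on the e-mail address in Identity.Name.
public sealed class AppUser
{
    public AppUser(string stableId, string displayName, string dashboard)
    {
        StableId = stableId; DisplayName = displayName; Dashboard = dashboard;
    }
    public string StableId { get; }     // issuer subject id or SID, stored at first sign-on (assumed schema)
    public string DisplayName { get; }
    public string Dashboard { get; }    // route chosen from the user's group, as in the question
}

public static class UserResolver
{
    // Candidate claim types, tried in order. ClaimTypes.NameIdentifier is where ASP.NET Core
    // puts the token subject; "onprem_sid" is the Azure AD optional claim carrying the
    // on-premises AD SID (assumed to be enabled); ClaimTypes.PrimarySid is what Windows
    // authentication emits. None of them change when a user signs in with a different alias.
    private static readonly string[] StableClaimTypes =
    {
        ClaimTypes.NameIdentifier,
        "onprem_sid",
        ClaimTypes.PrimarySid,
    };

    public static string GetStableId(ClaimsPrincipal principal)
    {
        if (principal.Identity == null || !principal.Identity.IsAuthenticated)
            return null;                                   // anonymous request
        foreach (var type in StableClaimTypes)
        {
            var claim = principal.FindFirst(type);
            if (claim != null && !string.IsNullOrWhiteSpace(claim.Value))
                return claim.Value;
        }
        return null;   // authenticated, but nothing stable was issued: treat as unknown
    }

    // 'users' stands in for the application database, keyed on the stable id, not on e-mail.
    public static AppUser Resolve(ClaimsPrincipal principal, IDictionary<string, AppUser> users)
    {
        var id = GetStableId(principal);
        return id != null && users.TryGetValue(id, out var user) ? user : null;
    }

    // The two entry points from the question: known users go to their dashboard, everyone
    // else (anonymous, or authenticated but not in the database) goes to the application page.
    public static string RouteFor(ClaimsPrincipal principal, IDictionary<string, AppUser> users)
        => Resolve(principal, users)?.Dashboard ?? "/Application";
}

public static class Program
{
    // Constructed claims standing in for what the AD / Azure AD middleware populates.
    static ClaimsPrincipal SignedIn(string subject, string email)
    {
        var identity = new ClaimsIdentity(new[]
        {
            new Claim(ClaimTypes.NameIdentifier, subject),
            new Claim(ClaimTypes.Name, email),       // this is what Identity.Name returns
            new Claim(ClaimTypes.Email, email),
        }, "AzureAD", ClaimTypes.Name, ClaimTypes.Role);
        return new ClaimsPrincipal(identity);
    }

    public static void Main()
    {
        // Constructed sample data: one application user, stored under the subject id.
        var users = new Dictionary<string, AppUser>
        {
            ["subj-1234"] = new AppUser("subj-1234", "Alice", "/Dashboard/Manager"),
        };

        var first  = SignedIn("subj-1234", "alice@contoso.example");
        var second = SignedIn("subj-1234", "a.smith@contoso.example");  // same person, other alias
        var anon   = new ClaimsPrincipal(new ClaimsIdentity());         // no authentication type

        Console.WriteLine(UserResolver.RouteFor(first, users));
        Console.WriteLine(UserResolver.RouteFor(second, users));
        Console.WriteLine(UserResolver.RouteFor(anon, users));
    }
}
```

Both signed-in principals resolve to the same AppUser because the lookup never touches the e-mail claim, and the anonymous principal falls through to the application page; the application database only has to record the stable id once, when the user is first provisioned, instead of keeping a list of aliases in sync with the directory.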