Role based authorization doesn't work with ADFS user in Asp.Net MVC 5

  • Question

  • User559435292 posted

    Hi,

    I am working with an application developed in Asp.Net MVC 5. I have applied RoleManager to manage contents based on the user's role. I want all authenticated (ADFS) users to be able to create items, but only users having the admin role should see the admin panel, edit buttons and a few other contents. It is working fine with local AD but doesn't work with ADFS users. A user who doesn't have any role is seeing everything. Please guide me on how I can resolve it; here is my code:

    ## web.config
    <roleManager cacheRolesInCookie="true" defaultProvider="RoleProvider" enabled="true">
      <providers>
        <clear />
        <add name="RoleProvider" type="ProductAppWeb.Models.RoleProvider" />
      </providers>
    </roleManager>
    <authorization>
      <deny users="?" />
    </authorization>

    ## Layout.cshtml
    @if (User.IsInRole("administrator"))
    {
        @Html.ActionLink("Admin", "Admin")
    }

    ## Controller
    [Authorize(Roles = "administrator")]
    public ActionResult Index()
    {
        ...............
    }


    Friday, July 20, 2018 7:41 AM

Answers

  • User475983607 posted

    > Sorry, probably I made the confusion. I mean, my application has two setups, one with local AD and another with ADFS. The role manager is working fine with the local AD setup but not working with the ADFS setup. All necessary changes have been made for the ADFS setup already and the authentication is working fine as well.
    >
    > Edit: Authentication through ADFS is SAML

    Windows authentication and ADFS are very different authentication protocols. ADFS uses SAML, in your case, and Windows Authentication is integrated into the browser. To implement mixed authentication you need to implement forms authentication and craft code to populate an auth token and cookie.

    There is no indication in your post how the current design works. For example, you have not explained how you made "All the necessary changes" despite being asked several times.

    • Marked as answer by Anonymous Thursday, October 7, 2021 12:00 AM
    Saturday, July 21, 2018 3:11 PM

All replies

  • User475983607 posted

    Make sure anonymous authentication is disabled in IIS.  Also, there is no indication how the role provider works or how the security is designed.  

    Friday, July 20, 2018 10:42 AM
  • User559435292 posted

    Hi mgebhard,

    Thanks for your reply. The user roles are assigned in a separate database table. The system checks whether the logged-in user (by user id) is present in the assigned role table through a method in the RoleProvider.cs class. If a role is available for this logged-in user, it displays the controls accordingly. All other users cannot see the role-restricted controls.

    Please let me know if you need any further information. 

    Saturday, July 21, 2018 12:19 PM
  • User475983607 posted

    ADFS is a remote authentication protocol. The user logs into the ADFS remote system and a token is passed back using redirects.

    Are you moving to ADFS or are you combining ADFS and Windows Authentication?  Can you explain the design strategy?

    Saturday, July 21, 2018 12:32 PM
  • User559435292 posted

    I am using ADFS, not the combination of Windows and ADFS. I am just picking the user id from ADFS login and check with the roles in SQL DB.

    Saturday, July 21, 2018 12:39 PM
  • User475983607 posted

    > I am using ADFS, not the combination of Windows and ADFS. I am just picking the user id from ADFS login and check with the roles in SQL DB.

    Now I'm confused; your first post stated the role provider works with local AD. So I assumed you are using mixed authentication.

    ADFS is a remote authentication service which should return all the claims needed for accessing resources. At this point, it is not clear why you are using a separate roles provider or how you are authenticating. I assume OWIN? If you want to assign claims manually using a local data store then you'll need to write code that adds the claims to the authentication cookie when ADFS redirects back to your application.

    You can learn about ADFS here.

    https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/overview/ad-fs-scenarios-for-developers

    Saturday, July 21, 2018 12:56 PM
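    One way to do what the reply above describes, as an added example that is not code from this thread or from the ProductAppWeb project: an OWIN Startup (OWIN is assumed, since the reply only guesses at it) that accepts the ADFS SAML token through the WS-Federation middleware and, once per sign-in, copies the roles returned by the question's configured role provider into the cookie identity as role claims. The realm and metadata URL are placeholders for your own ADFS farm.

```csharp
using System.Security.Claims;
using System.Threading.Tasks;
using System.Web.Security;
using Microsoft.Owin.Security.Cookies;
using Microsoft.Owin.Security.WsFederation;
using Owin;

namespace ProductAppWeb
{
    public class Startup
    {
        public void Configuration(IAppBuilder app)
        {
            // Cookie that carries the signed-in principal, including the role claims added below.
            app.SetDefaultSignInAsAuthenticationType(CookieAuthenticationDefaults.AuthenticationType);
            app.UseCookieAuthentication(new CookieAuthenticationOptions
            {
                AuthenticationType = CookieAuthenticationDefaults.AuthenticationType
            });
            app.UseWsFederationAuthentication(new WsFederationAuthenticationOptions
            {
                // Placeholders: use your own relying-party identifier and ADFS metadata URL.
                Wtrealm = "https://productapp.example.com/",
                MetadataAddress = "https://adfs.example.com/FederationMetadata/2007-06/FederationMetadata.xml",
                Notifications = new WsFederationAuthenticationNotifications
                {
                    // Runs once per sign-in, after the ADFS token is validated and before the cookie
                    // is issued: the place to enrich the identity with locally stored roles.
                    SecurityTokenValidated = ctx =>
                    {
                        ClaimsIdentity identity = ctx.AuthenticationTicket.Identity;
                        string userId = identity.FindFirst(ClaimTypes.Upn)?.Value
                                        ?? identity.FindFirst(ClaimTypes.Name)?.Value;
                        if (string.IsNullOrEmpty(userId))
                        {
                            ctx.HandleResponse(); // no usable user identifier: do not sign in
                            return Task.FromResult(0);
                        }
                        // Same SQL lookup the question's RoleProvider performs, via the provider
                        // registered under <roleManager> in web.config.
                        foreach (string role in Roles.GetRolesForUser(userId))
                        {
                            identity.AddClaim(new Claim(identity.RoleClaimType, role));
                        }
                        return Task.FromResult(0);
                    }
                }
            });
        }
    }
}
```

    With the roles stored as claims in the cookie, `User.IsInRole("administrator")` and `[Authorize(Roles = "administrator")]` evaluate the cookie rather than hitting the database on every request, so a role change in the table only takes effect after the user signs in again.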
  • User559435292 posted

    Sorry, probably I made the confusion. I mean, my application has two setups, one with local AD and another with ADFS. The role manager is working fine with the local AD setup but not working with the ADFS setup. All necessary changes have been made for the ADFS setup already and the authentication is working fine as well.

    Edit: Authentication through ADFS is SAML

    Saturday, July 21, 2018 1:13 PM