Supporting multiple simultaneous authentication models

  • Question

  • User1907354026 posted

    I'm tasked with modifying an existing MVC application to support both ADFS and Okta.

    The app will expose two endpoints; visiting one (there could be two controllers, for example) would force the visitor to be authenticated by ADFS, but visiting the other would force the visitor to be authenticated by Okta.

    Each endpoint will be supplied to a different "customer" (an external organization) and the customer will supply their authentication service URL (one would supply ADFS details and the other would supply Okta details).

    This could be done more easily by having two instances of the same app of course but I'm interested in supporting this as one instance (we could add further customers too).

    What do people think about this and is it easy to do this? 

    Thanks

    Monday, June 10, 2019 9:37 PM

All replies

  • User1724605321 posted

    Hi Korporal,

    One option is to use Identity Server 3/4 or another STS and federate with ADFS; the user can choose which identity provider he wants to log in with, AD or another IdP, using OpenID Connect.

    Best Regards,

    Nan Yu

    Tuesday, June 11, 2019 5:29 AM
  • User1907354026 posted

    Hi,

    I've been told that we cannot present that question to users, cannot change the current site interface or appearance. Instead we tell each customer (company) that their users must use a specific URL that is "hard wired" for a specific authentication system.

    I hate this but it's what's being asked of me.

    Tuesday, June 11, 2019 2:32 PM
  • User1907354026 posted

    OK we've created two empty MVC .Net Framework apps.

    One has been developed to support ADFS authentication against our own internal ADFS/AD system.

    The other has been developed to support Okta using a test/dev account we setup.

    Comparing these gives some hint at what's going on; the Okta app's Startup.cs leverages OktaMiddlewareExtension (UseOktaMvc), which can be seen here.

    The ADFS app performs a similar/equivalent step in its Startup.cs by leveraging WsFederationAuthenticationExtensions (UseWsFederationAuthentication) but the source is unavailable to me.

    So a key question for me is: is it possible/rational to have an app whose Startup.cs calls BOTH of these, and if one did that, how would it behave?

    Is it possible to move that code out of Startup.cs and put it somewhere else, like in a controller constructor? Then one could have one controller leverage ADFS and the other leverage Okta...

    What do people think?

    Thanks

    Tuesday, June 11, 2019 8:00 PM
  • User475983607 posted

    ASP.NET Core supports multiple authentication schemes.

    https://docs.microsoft.com/en-us/aspnet/core/security/authorization/limitingidentitybyscheme?view=aspnetcore-2.2&tabs=aspnetcore2x

    Keep in mind that your requirement is a bit vague, so it is hard to answer the question. If all you need is authentication services and you are building a browser-based application, then all you need are two different login pages. Simply create an Auth Cookie after a successful authentication.

    If you need authorization services or you need to secure remote API then it can be a bit more complex.

    Tuesday, June 11, 2019 8:29 PM
  • User1907354026 posted

    mgebhard

    ASP.NET Core supports multiple authentication schemes.

    https://docs.microsoft.com/en-us/aspnet/core/security/authorization/limitingidentitybyscheme?view=aspnetcore-2.2&tabs=aspnetcore2x

    Keep in mind that your requirement is a bit vague, so it is hard to answer the question. If all you need is authentication services and you are building a browser-based application, then all you need are two different login pages. Simply create an Auth Cookie after a successful authentication.

    If you need authorization services or you need to secure remote API then it can be a bit more complex.

    Hi, this is rather helpful, and I apologize if I've been vague (please ask me if there's anything I can clarify). Do you know whether the option you linked to is available for non-.Net Core (i.e. conventional .Net Framework) apps? Ultimately we need to modify an existing app (one that so far has never used/needed these kinds of auth).

    The [Authorize] attribute for .Net core supports the string arg (which as in your link, can be a concatenation of schemes) but the same attribute for the .Net Framework has no such constructor...

    Thanks

    Tuesday, June 11, 2019 8:51 PM
  • User475983607 posted

    is that option you linked to available for non .Net Core (like conventional .Net Framework app) because ultimately we need to modify an existing app (that so far has never used/needed these kinds of auth).

    Multiple authentication is pretty standard these days. I don't see any reason why you can't have ADFS and Okta in a single project. You'll need to read the documentation. Again, authentication is generally not an issue with a browser-based application because the application (your code) will issue an Auth Cookie after authenticating.

    Authorization can be tricky if you have different roles/claims in each system.  That's something you'll need to figure out.

    Tuesday, June 11, 2019 9:14 PM
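Added example (not code from any poster in this thread, nor from Okta's or Microsoft's samples) showing how the thread's conclusion looks in an OWIN / ASP.NET MVC 5 (.NET Framework) project: both the WS-Federation (ADFS) and OpenID Connect (Okta) middleware are registered in one Startup.cs, each with its own authentication type and its own cookie, and a small authentication filter binds each controller to exactly one of them. Okta's UseOktaMvc helper is a wrapper around the same Microsoft.Owin.Security.OpenIdConnect middleware, so the plain UseOpenIdConnectAuthentication call is used here to make the scheme names explicit. All hostnames, the realm, the client id and the redirect URIs are placeholders that each customer would supply; the namespace, the AuthTypes constants and the RequireIdp attribute are inventions for this example. In ASP.NET Core the same shape is AddWsFederation/AddOpenIdConnect with two cookie schemes and [Authorize(AuthenticationSchemes = "...")].

```csharp
// Startup.cs for an OWIN / MVC 5 app hosting two customers, each bound to its own IdP.
using System.Security.Claims;
using System.Web;
using System.Web.Mvc;
using System.Web.Mvc.Filters;
using Microsoft.Owin;
using Microsoft.Owin.Security;
using Microsoft.Owin.Security.Cookies;
using Microsoft.Owin.Security.OpenIdConnect;
using Microsoft.Owin.Security.WsFederation;
using Owin;

[assembly: OwinStartup(typeof(MultiIdp.Startup))]

namespace MultiIdp
{
    // Authentication type names are arbitrary strings; they only need to be unique in the pipeline.
    public static class AuthTypes
    {
        public const string AdfsCookie = "CustomerA.Cookie";
        public const string Adfs       = "CustomerA.Adfs";
        public const string OktaCookie = "CustomerB.Cookie";
        public const string Okta       = "CustomerB.Okta";
    }

    public class Startup
    {
        public void Configuration(IAppBuilder app)
        {
            // One session cookie per customer. Everything is Passive, so nothing runs unless a
            // filter asks for it by name: an ADFS session can never satisfy the Okta controller.
            app.UseCookieAuthentication(CookieFor(AuthTypes.AdfsCookie, "CustomerA.Auth"));
            app.UseCookieAuthentication(CookieFor(AuthTypes.OktaCookie, "CustomerB.Auth"));

            // Customer A supplies the ADFS metadata URL and the realm they registered for us (placeholders).
            app.UseWsFederationAuthentication(new WsFederationAuthenticationOptions
            {
                AuthenticationType = AuthTypes.Adfs,
                SignInAsAuthenticationType = AuthTypes.AdfsCookie,
                AuthenticationMode = AuthenticationMode.Passive,
                MetadataAddress = "https://adfs.customer-a.example/FederationMetadata/2007-06/FederationMetadata.xml",
                Wtrealm = "https://portal.example/customer-a",
                Wreply = "https://portal.example/customer-a/signin-adfs",
            });

            // Customer B supplies the Okta issuer and client id (placeholders). Issuer, audience and
            // token signature are validated against the issuer's discovery document.
            app.UseOpenIdConnectAuthentication(new OpenIdConnectAuthenticationOptions
            {
                AuthenticationType = AuthTypes.Okta,
                SignInAsAuthenticationType = AuthTypes.OktaCookie,
                AuthenticationMode = AuthenticationMode.Passive,
                Authority = "https://customer-b.okta.com/oauth2/default",
                ClientId = "0oa-placeholder-client-id",
                RedirectUri = "https://portal.example/customer-b/signin-okta",
                ResponseType = "id_token",
                Scope = "openid profile email",
            });
        }

        private static CookieAuthenticationOptions CookieFor(string type, string cookieName) =>
            new CookieAuthenticationOptions
            {
                AuthenticationType = type,
                CookieName = cookieName,
                CookieHttpOnly = true,
                CookieSecure = CookieSecureOption.Always,
                AuthenticationMode = AuthenticationMode.Passive,
            };
    }

    // MVC 5's [Authorize] has no scheme argument, so this filter does the per-type work itself:
    // authenticate against one customer's cookie, and on failure challenge only that customer's IdP.
    public sealed class RequireIdpAttribute : FilterAttribute, IAuthenticationFilter
    {
        private readonly string _cookieType, _idpType;

        public RequireIdpAttribute(string cookieType, string idpType)
        {
            _cookieType = cookieType;
            _idpType = idpType;
        }

        public void OnAuthentication(AuthenticationContext filterContext)
        {
            var auth = filterContext.HttpContext.GetOwinContext().Authentication;
            var result = auth.AuthenticateAsync(_cookieType).GetAwaiter().GetResult();
            if (result?.Identity != null && result.Identity.IsAuthenticated)
                filterContext.Principal = new ClaimsPrincipal(result.Identity);
            else
                filterContext.Result = new HttpUnauthorizedResult();
        }

        public void OnAuthenticationChallenge(AuthenticationChallengeContext filterContext)
        {
            if (!(filterContext.Result is HttpUnauthorizedResult)) return;
            var auth = filterContext.HttpContext.GetOwinContext().Authentication;
            // Passive middleware only redirects when its own type appears in the 401 challenge.
            var props = new AuthenticationProperties { RedirectUri = filterContext.HttpContext.Request.RawUrl };
            auth.Challenge(props, _idpType);
        }
    }

    [RequireIdp(AuthTypes.AdfsCookie, AuthTypes.Adfs)]
    public class CustomerAController : Controller
    {
        public ActionResult Index() => Content("Signed in via ADFS as " + User.Identity.Name);
    }

    [RequireIdp(AuthTypes.OktaCookie, AuthTypes.Okta)]
    public class CustomerBController : Controller
    {
        public ActionResult Index() => Content("Signed in via Okta as " + User.Identity.Name);
    }
}
```

The point of two cookies rather than one shared sign-in cookie is isolation: with a single cookie, anyone who authenticates at customer A's ADFS would also pass the check on customer B's controller. Keeping every middleware Passive avoids the situation the original poster worried about, where two active middlewares both try to handle every request; each one only acts when a filter names it. Authorization still has to be solved separately, as the last reply notes: the claims in the two cookies come from different issuers, so role or group checks need a per-customer mapping (for example, a claims transformation in each middleware's SecurityTokenValidated notification) before a common policy can be applied.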