ADFS for multi-sites


Hi,

I'm working on SSO using Federated Security, connecting to an ADFS server: http://world.episerver.com/documentation/Items/Developers-Guide/Episerver-CMS/9/Security/federated-security/

Here, I found the limitation: 

Limited multi-site support

The OWIN provider for WS Federation does not support multi-tenancy so each site must run in its own web application for authentication to work on all URLs (the WtRealm configuration specified in the example below cannot vary per request). The OWIN provider for OpenID Connect can work with multiple URLs, see integration with Azure Active Directory.

I could make it work with a single site, but for multiple domains (on the same instance in Episerver DXC) the WtRealm is only configured once, when the application starts.

Not sure if you have any suggestions on this so I could work with different sites (domains) - mysite.com, mysite.se, ...?

Many thanks,

#174302
Jan 24, 2017 9:55

I know you can solve it by putting Auth0 in the middle. You can do WS-Fed between ADFS and Auth0 and OpenID connect between Auth0 and DXC app.

Another option would be to get an Azure AD set up and sync ADFS there. Then you would do OpenID Connect to it, as in the later link you posted.

#174415
Jan 25, 2017 22:55

Thanks Johan!

We are in a bit of a hurry to roll out the sites, so which option do you think would be more feasible?

For connecting ADFS to Auth0, it would be great if you could point out some documentation or sample code. I'm trying to look for that option.

Updated: I think I see some more links about the first option: https://auth0.com/docs/connections/enterprise/adfs and it seems clearer to me now :)

Regards, 

#174424
Edited, Jan 26, 2017 8:07

Both have a cost depending on the number of users. Both options are cloud subscriptions, so you don't need any new hosting infrastructure.

Auth0 has a lot more than what Azure AD has currently (but a lot of new stuff is in the pipeline for Azure AD I've seen).

Auth0 will probably make it a lot easier and faster to add new auth providers. And they have Impersonate functionality, which is really nice unless it conflicts with security policy, which could then make it a deal breaker.

The link you updated is what you need. Their docs are always great.

#174428
Jan 26, 2017 9:29

I have solved OWIN for multiple sites by setting the Wreply property to the actual site URL before redirecting to ADFS.
You also have to specify all sites as Endpoints in the ADFS Relying Party Trust configuration for the installation.
This way we can have only one IIS site for multiple EPiServer sites using ADFS.
All sites will use the same Relying Party Trust definition in ADFS, so the same set of claims will be issued for all sites.

Snippet from public void Configuration(IAppBuilder app) in Startup.cs:

RedirectToIdentityProvider = (ctx) =>
{
    // To avoid a redirect loop to the federation server, send 403 when the user
    // is authenticated but does not have access (401 from authorization).
    if (ctx.OwinContext.Response.StatusCode == 401 && ctx.OwinContext.Authentication.User.Identity.IsAuthenticated)
    {
        ctx.OwinContext.Response.StatusCode = 403;
        ctx.HandleResponse();
    }

    // Per-request reply URL: ADFS posts the token back to the site the request came from,
    // so a single IIS site can serve several Episerver sites with one Relying Party Trust.
    ctx.ProtocolMessage.Wreply = SiteDefinition.Current.SiteUrl.ToString();

    return Task.FromResult(0);
}

Edit:

I think Wreply is new in ADFS 3 because I didn't get it to work with ADFS 2.

#174443
Edited, Jan 26, 2017 13:15

Great thanks! 

It seems to work with our ADFS server. 

Just one thing: we have the scenario of one site definition but different domains/languages, for example mysite.se -> sv-SE, mysite.com -> en-GB and mysite.fi -> fi-FI, so I replaced the Wreply with HttpContext.Current.Request.Url.AbsoluteUri and it works.

Best regards.

#174656
Feb 01, 2017 15:13
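Putting the two replies together (the per-request Wreply from Johan's Startup.cs snippet and the variant in the last post that derives it from the incoming request), here is an added example of a complete OWIN configuration. It is not code from the thread or from Episerver; the Wtrealm, metadata address and host list are constructed placeholders, and the host allowlist is assumed to mirror the endpoints registered on the Relying Party Trust in ADFS. The point of the allowlist is that a reply URL taken straight from the request's Host header is attacker-influenced, so the application only echoes hosts it knows and otherwise falls back to the current site's configured URL.

```csharp
using System;
using System.Linq;
using System.Threading.Tasks;
using EPiServer.Web;
using Microsoft.Owin.Security.WsFederation;
using Owin;

public class Startup
{
    // Constructed placeholders: replace with the relying-party identifier and the
    // federation metadata address from your own ADFS configuration.
    private const string Wtrealm = "https://mysite.example/";
    private const string MetadataAddress =
        "https://adfs.example/FederationMetadata/2007-06/FederationMetadata.xml";

    // Hosts registered as endpoints on the Relying Party Trust in ADFS.
    // Constructed example list; in practice read it from configuration or from
    // the site definitions so it stays in sync with ADFS.
    private static readonly string[] AllowedHosts = { "mysite.com", "mysite.se", "mysite.fi" };

    public void Configuration(IAppBuilder app)
    {
        app.UseWsFederationAuthentication(new WsFederationAuthenticationOptions
        {
            Wtrealm = Wtrealm,
            MetadataAddress = MetadataAddress,
            Notifications = new WsFederationAuthenticationNotifications
            {
                RedirectToIdentityProvider = ctx =>
                {
                    // Authenticated but not authorized: answer 403 instead of
                    // sending the user back to ADFS in a loop.
                    if (ctx.OwinContext.Response.StatusCode == 401
                        && ctx.OwinContext.Authentication.User != null
                        && ctx.OwinContext.Authentication.User.Identity.IsAuthenticated)
                    {
                        ctx.OwinContext.Response.StatusCode = 403;
                        ctx.HandleResponse();
                        return Task.FromResult(0);
                    }

                    // The realm stays fixed for the whole application; only the
                    // reply URL varies with the request so ADFS posts the token
                    // back to the domain the user actually came from.
                    ctx.ProtocolMessage.Wreply = BuildWreply(ctx.OwinContext.Request.Uri);
                    return Task.FromResult(0);
                }
            }
        });
    }

    // Chooses the reply URL for a request: the request's own scheme, host and port
    // when the host is one we registered in ADFS, otherwise the configured URL of
    // the current Episerver site. Never echoes an unknown Host header.
    internal static string BuildWreply(Uri requestUri)
    {
        if (AllowedHosts.Contains(requestUri.Host, StringComparer.OrdinalIgnoreCase))
        {
            return new UriBuilder(requestUri.Scheme, requestUri.Host, requestUri.Port).Uri.ToString();
        }

        return SiteDefinition.Current.SiteUrl.ToString();
    }
}
```

ADFS will itself refuse a wreply that does not match an endpoint on the Relying Party Trust, which is why the earlier reply says every site must be added there; keeping the same list on the application side means a mismatch surfaces as a fall-back to the site URL rather than as an error page from the federation server, and it keeps the reply URL under the application's control even if ADFS is later reconfigured more loosely.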