Hi there.

What mechanism are you using to authenticate through? Thinking of ASP.NET Identity w. OWIN (Federated Authentication) vs. ASP.NET Membership. That helps us guide you towards a solution - e.g. if your claims are part of the Principal or not.

/Casper Aagaard Rasmussen

We are using Okta which authenticate user from AD

Which Okta product are you using, if its SIngleSigon/MultiFactor then it's an Owin-openid. Can you please confirm

It is SingleSignOn 

You may have a class inheriting from SynchronizingUserService in your solution, to synchronise your user's roles. 

Most probably code will be assigning the client URL in Owin Startup class.

You may have to add your logic in a redirection URL, where you could check the role of your authenticated user and redirect to most related URL.

(Not sure, this is the best solution, but in theory, this will work)

Hi there.

Instead of (ab)using the ISyncronizingUserService, which is for a different purpose, we normally rely on the SecurityTokenValidated event within OpenIdConnect. After having retrieve the identity, resolved the role (from the claim collection), you'll want to do something similar to this:

                UrlBuilder urlBuilder = new UrlBuilder(url);
                urlBuilder.QueryCollection.Add(Signup.TicketQueryParameterName, signupTicket);

                notification.Response.Redirect(urlBuilder.Uri.OriginalString);
               
                notification.State = NotificationResultState.HandledResponse;

                return Task.FromResult(0);

The url variable holds where you want to redirect too. Notification is of the type Microsoft.Owin.Security.Notifications.SecurityTokenValidatedNotification<Microsoft.IdentityModel.Protocols.OpenIdConnectMessage, Microsoft.Owin.Security.OpenIdConnect.OpenIdConnectAuthenticationOptions> and is an argument within your event handler.

/Casper Aagaard Rasmussen

+1 Rasmussen :)