
Separate admin login when using OpenIdConnect

Hi!

Is it possible to have some kind of separate login for admin users in episerver, when using OpenIdConnect? We only want the OpenIdConnect for the end users, not editors or admins.

#199143
Nov 16, 2018 13:35
Hi Torunn

Do you still have the issue?
Are you using the OWIN implementation and have you followed the instructions at https://world.episerver.com/documentation/developer-guides/commerce/security/support-for-openid-connect-in-episerver-commerce/?

Where are your editors and admins located? Are they not in the same AD as the end users?

#199511
Edited, Nov 29, 2018 8:17
Hi!

This is an external identity provider. Normally, the users log in with the SqlMembershipProvider. Since I had to remove the membership provider to be able to use OpenIdConnect, the only way to log in is through this external service.

This is not a Commerce solution.

#199629
Dec 04, 2018 8:49
Hello Torunn

It's possible to configure multiple identity providers for your solution. The following links are useful to find out how:

David

#199643
Dec 04, 2018 11:20
Hi!

I managed to get this working locally. But in staging I get this error: EPiServer.Web.RoutingUrlRewriteModule: Url is not valid for rewrite. Returning URL /Util/login.aspx?ReturnUrl...

Any idea what I am doing wrong?

#202262
Mar 21, 2019 10:11
Hi!

So I've gotten past the problem above.

What I really want is to keep the regular Episerver login, but have an OpenIdConnect login for end users that should not log in to Episerver.

Current status is that I have managed to have two separate logins. I can log in with OpenIdConnect, and I can log in to Episerver with username and password. The latter is solved by manually logging in the user:

EPiServer.Security.PrincipalInfo.CurrentPrincipal = EPiServer.Security.PrincipalInfo.CreatePrincipal(username);
System.Web.Security.FormsAuthentication.SetAuthCookie(username, true);

The regular login form doesn't work, even though I have set up the multiplexing membership/role provider in web.config and set <authentication> to forms. When I log in with the custom code, I can't find any of the roles or users. I can create new ones, but they are of type "EPi_AspNetIdentityUserProvider".

Another problem is that it doesn't always redirect me to the IdentityServer. Sometimes it takes me to the regular Episerver login page.

My startup.cs looks like this:

ServicePointManager.SecurityProtocol |= SecurityProtocolType.Tls12;
app.AddCmsAspNetIdentity<ApplicationUser>();
app.SetDefaultSignInAsAuthenticationType(CookieAuthenticationDefaults.AuthenticationType);

app.UseCookieAuthentication(new CookieAuthenticationOptions());

// OpenID Connect authentication (OicClientId, OicAuthority etc. are read from configuration elsewhere in the class)
app.UseOpenIdConnectAuthentication(new OpenIdConnectAuthenticationOptions
{
  ClientId = OicClientId,
  Authority = OicAuthority,
  PostLogoutRedirectUri = OicPostLogoutRedirectUri,
  ResponseType = OicResponseType,
  Scope = OicScopes,
  RequireHttpsMetadata = false,
  RedirectUri = redirectUri,

  TokenValidationParameters = new TokenValidationParameters
  {
    ValidateIssuer = false,
    NameClaimType = ClaimTypes.NameIdentifier,
    RoleClaimType = ClaimTypes.Role
  },
  Notifications = new OpenIdConnectAuthenticationNotifications
  {
    AuthenticationFailed = context =>
    {
      context.HandleResponse();
      context.Response.Write(context.Exception.Message);
      return Task.FromResult(0);
    },
    RedirectToIdentityProvider = context =>
    {
      // Build the redirect URI from the current site definition when none is configured
      if (context.ProtocolMessage.RedirectUri == null)
      {
        var currentUrl = SiteDefinition.Current.SiteUrl;
        context.ProtocolMessage.RedirectUri = new UriBuilder(
          currentUrl.Scheme,
          currentUrl.Host,
          currentUrl.Port,
          HttpContext.Current.Request.Url.AbsolutePath).ToString();
      }

      // Unauthorized: an already authenticated user lacks access, so answer 403 instead of re-challenging
      if (context.OwinContext.Response.StatusCode == 401 && context.OwinContext.Authentication.User.Identity.IsAuthenticated)
      {
        context.OwinContext.Response.StatusCode = 403;
        context.HandleResponse();
      }
      return Task.FromResult(0);
    },
    SecurityTokenValidated = async ctx =>
    {
      // Reduce an absolute return URL to path and query so the post-login redirect stays on this site
      var redirectUri = new Uri(ctx.AuthenticationTicket.Properties.RedirectUri,
        UriKind.RelativeOrAbsolute);
      if (redirectUri.IsAbsoluteUri)
        ctx.AuthenticationTicket.Properties.RedirectUri = redirectUri.PathAndQuery;

      // Await the synchronization so failures surface here instead of being lost in a fire-and-forget task
      await ServiceLocator.Current.GetInstance<OicSynchronizingUserService>()
        .SynchronizeAsync(ctx.AuthenticationTicket.Identity);
      Logger.Current.LogDebug("Synchronizing: " + ctx.AuthenticationTicket.Identity.IsAuthenticated + ", " + ctx.AuthenticationTicket.Identity.RoleClaimType);
    },
    SecurityTokenReceived = ctx =>
    {
      return Task.FromResult(0);
    }
  }
});

app.UseStageMarker(PipelineStage.Authenticate);

app.Map(UrlLogin, config =>
{
  config.Run(ctx =>
  {
    if (ctx.Authentication.User == null || !ctx.Authentication.User.Identity.IsAuthenticated)
      ctx.Response.StatusCode = 401;
    else
      ctx.Response.Redirect("/");
    return Task.FromResult(0);
  });
});

app.Map(UrlLogout, config =>
{
  config.Run(ctx =>
  {
    ctx.Authentication.SignOut();
    return Task.FromResult(0);
  });
});

// Tell antiforgery to use the name claim
AntiForgeryConfig.UniqueClaimTypeIdentifier = ClaimTypes.Name;

#204294
May 24, 2019 13:02
The solution is to have AspNetIdentity for editor/admin login, and OpenIdConnect for end users:

https://world.episerver.com/blogs/K-Khan-/Dates/2017/10/migrate-from-sql-membership-to-asp-net-identity/

I used this for migrating users from SqlServer to AspNetIdentity:

https://gist.github.com/khurramkhang/f9110994e6dd771db87e0e26a394c557

#204457
Edited, Jun 03, 2019 12:04
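The split described in this thread, written out as an added example (not code from the thread or from Episerver): editors and admins use ASP.NET Identity behind the forms login page, while end users get OpenID Connect registered in passive mode under its own authentication type, so an ordinary 401 goes only to the editor login page and the provider is reached only through an explicit challenge. It assumes Episerver CMS 11 with the EPiServer.CMS.UI.AspNetIdentity package and Microsoft.Owin.Security.OpenIdConnect 4.x; the provider settings, the /account/login path, the "id_token" response type and the name EndUserOidc are placeholders of this example.

```csharp
using System;
using System.Threading.Tasks;
using EPiServer.Cms.UI.AspNetIdentity;
using Microsoft.AspNet.Identity;
using Microsoft.Owin;
using Microsoft.Owin.Security;
using Microsoft.Owin.Security.Cookies;
using Microsoft.Owin.Security.OpenIdConnect;
using Owin;
public class Startup
{
    // Placeholder values (assumed for this example); read your own from configuration.
    const string OicAuthority = "https://idp.example.invalid", OicClientId = "cms-end-users";
    const string OicRedirectUri = "https://www.example.invalid/", EndUserOidc = "EndUserOidc";
    public void Configuration(IAppBuilder app)
    {
        // Editors and admins: ASP.NET Identity users in the CMS database. The cookie middleware is
        // active, so an unqualified 401 is redirected to the forms login page and nowhere else.
        app.AddCmsAspNetIdentity<ApplicationUser>();
        app.UseCookieAuthentication(new CookieAuthenticationOptions { AuthenticationType = DefaultAuthenticationTypes.ApplicationCookie,
                                                                      LoginPath = new PathString("/Util/Login.aspx") });
        app.SetDefaultSignInAsAuthenticationType(DefaultAuthenticationTypes.ApplicationCookie);
        // End users: OpenID Connect under its own authentication type. Passive mode means a bare 401 never
        // sends the browser to the provider; only the explicit Challenge below does. TokenValidationParameters
        // is not overridden, so ValidateIssuer keeps its default (true) with the issuer taken from discovery.
        app.UseOpenIdConnectAuthentication(new OpenIdConnectAuthenticationOptions
        {
            AuthenticationType = EndUserOidc,
            AuthenticationMode = AuthenticationMode.Passive,
            Authority = OicAuthority, ClientId = OicClientId, RedirectUri = OicRedirectUri,
            ResponseType = "id_token", Scope = "openid profile",
            RequireHttpsMetadata = true, // discovery document over HTTPS only
            Notifications = new OpenIdConnectAuthenticationNotifications
            {
                SecurityTokenValidated = ctx =>
                {
                    // Keep the post-login redirect on this site: reduce an absolute URL to path and query.
                    var props = ctx.AuthenticationTicket.Properties;
                    if (Uri.TryCreate(props.RedirectUri, UriKind.Absolute, out var abs)) props.RedirectUri = abs.PathAndQuery;
                    return Task.FromResult(0);
                }
            }
        });
        // End-user entry point: challenge only the OIDC type, so the editor login page is never involved.
        app.Map("/account/login", sub => sub.Run(ctx =>
        {
            ctx.Authentication.Challenge(new AuthenticationProperties { RedirectUri = "/" }, EndUserOidc);
            return Task.FromResult(0);
        }));
    }
}
```

End users signed in through the provider receive the same application cookie as editors, so whether they can reach the edit or admin UI is decided by their roles, not by which provider signed them in; keep end-user accounts out of the editor and administrator roles.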