Problem Applying Groups to CMS 11.15 via OpenID Connect Roles

Vote:
 

Hi, i've managed to set up OpenID Connect authentication from 2 AAD roles - WebAdmins & WebEditors, applied to a couple of security groups on an Enterprise App.

My requirement is to mimic our existing CMS setup that restricts access to specific nodes under the Start page, by group x, y.

However, this doesn't seem possible via the solution provided by EPiServer, as I cannot get role/group information to synchronise automatically with the CMS database, only the users (after login).

Without injecting each new virtual role as they are required into the web.config, how do I set up claims to ensure that I can security trim page nodes within the CMS with groups, as before?

Thanks for your time.

#247826
Edited, Jan 28, 2021 15:54
Vote:
 

Hey George,

It is going to depend on how you set up your AAD. Are you going to pass in AAD Roles for the users or are you going to try to use AAD Groups.  Both will be similar in that you will need to do the following:

  • Validate the claimb being returned by AAD
  • Add a new claim that maps the user to an already establised virtual role
  • Sync the user and roles to Episerver

Take a look at my post where I had to authenticate against both AAD roles and AAD Groups for a a single site Episerver Authentication with multiple Azure AD Instances. The key in what you are looking for will be in the SecurityTokenValidated  callback function in OpenIdConnectAuthenticationNotifications.

Hope this helps. 

#248352
Feb 08, 2021 19:00
Vote:
 

Hi @DavidLewis,

thanks for your reply. I have since managed to get this to work before you'd posted but had additional issues beyond the token configuration which I'd wanted to resolve before tying up this post. As you point out, you do need to ensure that you submit the appropriate claim via an AAD role to EpiServer. However, your post (whilst a technically comprehensive solution for multitenant users) doesn't really answer the basic question that I had as a total AAD noob. Namely, how do I go about getting the AAD role to register in EPiServer's DB?

The answer to this was to check the 'Emit groups as roles claims' option in the AAD token configuration section of the app registration, selecting 'sAMAccoutName'. 

Once I had this set up, and the appropriate AAD groups assigned to the appropriate AAD roles (named identically, to avoid confusion between platforms and users), the role would appear in the EPiServer groups list, via the 'Set Access Rights' option from /episerver/cms/admin. Without doing this, I found there was no way to get EPiServer to pick up the claim and authenticate the user via the official article's startup.cs.

Additionally, I had issues with IDX21323 nonce error on edge chromium and chrome which was a symptom of not running an https development environment, and not having the setting

<httpCookies requireSSL="true" />

applied to a non-localhost web.config. Again, no blogs I had reviewed alluded to this, so it's another pitfall for people coming at this fresh.

I will mark your reply as answered however, since it does point users in the direction of a codebase that looks like it would actually address the claim (if not how to set it up properly). Also, answered questions on this subject seem few and far between on the internet and hopefully between both our responses, others find this thread helpful.

George.

#248627
Feb 15, 2021 10:46
Vote:
 

Hey George, 

Sorry I left out the AAD Setup part from the blog and didnt include it as part of my response.  I misunserstood and thought that you had the AD group being passed as a claim already but were having issue mapping it into Episerver.  That was one that I had to dig for a while to get as well and glad that posted the resolution to that in this post. Glad you got it figured out!!

#248659
Feb 15, 2021 16:44
This topic was created over six months ago and has been resolved. If you have a similar question, please create a new topic and refer to this one.
* You are NOT allowed to include any hyperlinks in the post because your account hasn't associated to your company. User profile should be updated.