
The Edit Page icon doesn't show up even though federated login works

Hi,
I have configured SAML2 for login, and it works but "Edit page" doesn't show up. Going from login page ([Authorize] in the controller), redirecting to AD FS IDP, back to /Saml2/Acs and then to the login page. The login page shows normally, but no "Edit page" button shows.
I can see that I have valid claims (in the controller) via:
var userClaims = User.Claims.Select(c => new { c.Type, c.Value }).ToList();
In Optimizely admin "Set Access Rights", I have a bunch of roles, and they match those in my user claims.
In my configuration I have:
.AddCookie(options =>
{
    options.ExpireTimeSpan = TimeSpan.FromDays(2);

    // Runs once the cookie sign-in has completed (after /Saml2/Acs):
    // synchronize the user's claims (name, e-mail, roles) into the CMS so that
    // access rights can be evaluated against them.
    options.Events.OnSignedIn = async ctx =>
    {
        if (ctx.Principal?.Identity is ClaimsIdentity claimsIdentity)
        {
            var synchronizingUserService = ctx.HttpContext.RequestServices
                .GetRequiredService<ISynchronizingUserService>();

            await synchronizingUserService.SynchronizeAsync(claimsIdentity);
        }
    };
})

I am assuming the above cookie code would synchronize the claims I have from the AD FS server with the access rights in Optimizely. The claims I have from the server have admin privileges in "Access rights" in Optimizely.

The code is up on a server on DXP, so I have limited logging capabilities (there are no errors logged). Does anyone have a hunch what could be wrong, or how to troubleshoot it in an effective way?
/ Tony
#321272
Apr 30, 2024 7:39

In Optimizely admin "Set Access Rights", I have a bunch of roles, and they match those in my user claims.

Do you have the user in WebEditors/CmsEditors (or WebAdmins/CmsAdmins), either directly or mapped via a Virtual Role? I believe that's what gives access to the CMS.

#321289
Apr 30, 2024 22:01
Tony Mattsson - May 02, 2024 15:22
I had to write a login page, and the user gets logged in in the controller.

Hi Tony

Do you have AddCmsAspNetIdentity configured in your solution as well? If yes, try to remove it to see if it's working. 

#321326
May 01, 2024 1:52

I solved it by creating a login page and logging in the user in the controller:

// Inside the [Authorize] login action. Assumed to be available from the
// controller: `userClaims` (User.Claims projected to Type/Value, as in the
// question) and the injected `_userProvider` (IUIUserProvider), `_userManager`
// and `_signInManager`.
if (user == null)
{
    // Look up the CMS user whose e-mail matches the federated identity name.
    var optimizelyUser = await _userProvider
        .FindUsersByEmailAsync(User.Identity.Name, 0, int.MaxValue)
        .FirstOrDefaultAsync();

    if (optimizelyUser != null)
    {
        // Check if the user has the necessary claim.
        // Without the commented-out type check, any claim carrying this value
        // matches, not only role claims issued by the IdP.
        if (User.Identity.IsAuthenticated &&
            userClaims.Any(c => // c.Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/role" &&
                                c.Value == "claim_from_claims") &&
            User.Identity.Name == optimizelyUser.Email)
        {
            // Get the ASP.NET Identity user by their email
            user = await _userManager.FindByEmailAsync(User.Identity.Name);

            if (user != null)
            {
                // Check if the user is a member of the necessary groups
                var userRoles = await _userManager.GetRolesAsync(user);
                if (userRoles.Contains("WebAdmins") && userRoles.Contains("Administrators"))
                {
                    // Sign in the user with the local Identity cookie
                    await _signInManager.SignInAsync(user, isPersistent: false);

                    return Redirect(Request.Path);
                }
            }
        }
    }
}
#321404
May 02, 2024 15:25
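The replies above turn on one point: the editor UI only appears when the signed-in identity is in one of the CMS roles (WebEditors/CmsEditors or WebAdmins/CmsAdmins), and the IdP rarely issues those exact names. The following is an added example, not code from the thread or from Optimizely, showing an explicit allow-list mapping from IdP group values to CMS role names, plus a small diagnostic for the case where the role claim type does not match. It assumes the class names and the sample group values `CMS-Editors`/`CMS-Admins`, that the IdP's role claims arrive under the identity's own `RoleClaimType`, and that the transformation is registered with `services.AddTransient<IClaimsTransformation, CmsRoleClaimsTransformation>()`. `AddMappedRoles` is a plain static helper so the same mapping can also be applied to the `ClaimsIdentity` in the `OnSignedIn` handler from the question before `SynchronizeAsync` is called.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authentication;
using Microsoft.Extensions.Logging;

// Hypothetical claims transformation (not part of Optimizely) that maps the
// group/role values issued by the IdP onto the CMS role names the editor UI
// checks for. Register with:
//   services.AddTransient<IClaimsTransformation, CmsRoleClaimsTransformation>();
public sealed class CmsRoleClaimsTransformation : IClaimsTransformation
{
    // Explicit allow-list: IdP group value -> CMS role. Anything not listed is
    // ignored, so an unexpected group from the IdP never turns into CMS access.
    // The left-hand values are constructed sample group names.
    public static readonly IReadOnlyDictionary<string, string> RoleMap =
        new Dictionary<string, string>(StringComparer.OrdinalIgnoreCase)
        {
            ["CMS-Editors"] = "WebEditors",
            ["CMS-Admins"]  = "WebAdmins",
        };

    private readonly ILogger<CmsRoleClaimsTransformation> _logger;

    public CmsRoleClaimsTransformation(ILogger<CmsRoleClaimsTransformation> logger)
        => _logger = logger;

    // Called by the authentication middleware on every request.
    public Task<ClaimsPrincipal> TransformAsync(ClaimsPrincipal principal)
    {
        if (principal.Identity is not ClaimsIdentity identity || !identity.IsAuthenticated)
            return Task.FromResult(principal);

        var added = AddMappedRoles(identity);
        if (added.Count > 0)
            _logger.LogDebug("Mapped IdP groups to CMS roles for {User}: {Roles}",
                identity.Name, string.Join(",", added));

        return Task.FromResult(principal);
    }

    // Adds the mapped CMS roles as claims of the identity's own RoleClaimType so
    // that User.IsInRole("WebEditors") evaluates to true. Idempotent: because the
    // transformation runs per request, claims that already exist are not
    // duplicated. Returns the role names that were added on this call.
    public static IReadOnlyList<string> AddMappedRoles(ClaimsIdentity identity)
    {
        var added = new List<string>();
        // ToList() snapshots the enumeration before we mutate the identity.
        foreach (var claim in identity.FindAll(identity.RoleClaimType).ToList())
        {
            if (!RoleMap.TryGetValue(claim.Value, out var cmsRole))
                continue;                       // not on the allow-list: drop it
            if (identity.HasClaim(identity.RoleClaimType, cmsRole))
                continue;                       // already mapped on an earlier request
            identity.AddClaim(new Claim(identity.RoleClaimType, cmsRole));
            added.Add(cmsRole);
        }
        return added;
    }

    // Diagnostic for the "Edit page is missing" case: shows which claim type the
    // identity treats as its role type and lists role-like claims that arrived
    // under a different type (e.g. a custom AD FS claim URI), which IsInRole
    // would never see.
    public static string DescribeRoleClaims(ClaimsIdentity identity)
    {
        var roles = identity.FindAll(identity.RoleClaimType).Select(c => c.Value);
        var roleLikeOtherTypes = identity.Claims
            .Where(c => c.Type != identity.RoleClaimType &&
                        c.Type.EndsWith("/role", StringComparison.OrdinalIgnoreCase))
            .Select(c => $"{c.Type}={c.Value}");

        return $"RoleClaimType={identity.RoleClaimType}; " +
               $"roles=[{string.Join(",", roles)}]; " +
               $"role-like claims of other types=[{string.Join(",", roleLikeOtherTypes)}]";
    }
}
```

The allow-list is the security-relevant part: mapping only named IdP groups, rather than passing every incoming role through, keeps CMS access to the groups you have reviewed. When logging on DXP is limited, `DescribeRoleClaims` can be written to the debug log from the login action once to confirm that `RoleClaimType` equals the claim type AD FS actually issues; if it does not, none of the role claims count for access rights regardless of what "Set Access Rights" contains.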