Try our conversational search powered by Generative AI!

AI OnAI Off

WsFederation redirects to default login page and not to MetadataAddress

Tony Mattsson
Tony Mattsson
Vote:
 

Hi,

I am trying to set up a federated login scheme against AD in CMS12, .NET Core 8 using cookies, but I it redirects to the default yellow/white login screen /Util/Login?ReturnUrl=%2F both locally and on integration environment instead of redirecting to MetadataAddress. Before we ran OWIN but, now we are upgrading to latest CMS 12.

What I have done:

  • I set the start page controller to [Authorize] to trigger the login
  • Configuration defined in Startup.cs in ConfigureServices
  • services.AddAuthentication is configurated 
    • sharedOptions.DefaultScheme = CookieAuthenticationDefaults.AuthenticationScheme;
    • sharedOptions.DefaultSignInScheme = CookieAuthenticationDefaults.AuthenticationScheme; 
    • sharedOptions.DefaultChallengeScheme = WsFederationDefaults.AuthenticationScheme;
  • AddWsFederation has defined MetadataAddress and Wtrealm (checked in debug that they are correct values) and OnSecurityTokenValidated for processing the returned security token
  • AddCookie is defined with Cookie.Name, expiry and a few things to be done before login
  • In Configure section I have app.UseAuthentication(); and app.UseAuthorization();

In appsettings:

    {
      "EPiServer": {
        "Login": {
          "Wtrealm": "https://our.address",
          "MetadataAddress": "https://our.address/federationmetadata/2007-06/federationmetadata.xml"
        }
      }
    }

Has anyone had this behavior before? I am thinking I missed something easy :S

/ Tony

#320521
Apr 15, 2024 8:17
Vincent
Vincent
Vote:
 

Hi Tony

I think the reason you get redirect to /Util/login is you're not authenticating with `WsFederation` scheme. Two possible fixes

  1. Add scheme to `[Authorize]` attribute OR
  2. Remove Optimizely asp.net identity `.AddCmsAspNetIdentity<ApplicationUser>()`
#320523
Edited, Apr 15, 2024 13:11
MilosR
MilosR
Vote:
 

Hi Tony,

In order to replace built-in local login with Azure AD follow official documentation: Integrate Azure AD using OpenID Connect (optimizely.com).

I don't have an expirenece with WS-Federation but this article describes how to add it in .Net Core project: Authenticate users with WS-Federation in ASP.NET Core | Microsoft Learn

Be sure to also follow Vincent 2nd point and at the end you must manually synchronize user roles with Optimizely using: await synchronizingUserService.SynchronizeAsync(claimsIdentity);

#320725
Apr 19, 2024 10:30
Tony Mattsson
Tony Mattsson
Vote:
 

Thanks. Well I got configuration from IT services now and I was directed to use SAML2 instead, so I am devicing a configuration for that, but that page contains some new info.

#320728
Apr 19, 2024 11:24
Tony Mattsson
Tony Mattsson
Vote:
 

I switched to SAML2 instead, and moved the configuration to progam.cs instead of startup.cs. For some to me unknown reason the same configuration refused to work under startup.cs, but worked fine in program.cs. Maybe a timing issue.

/ Tony

#321271
Apr 30, 2024 5:28
* You are NOT allowed to include any hyperlinks in the post because your account hasn't associated to your company. User profile should be updated.