Vulnerability in EPiServer.Forms
We've gotten this sample app working with our client's Office 365 account and I'm now investigating on how we can utilize their Azure Active Directory as at least the authority for membership in their EPi 7.1 intranet.
Just begun this and not on top of it yet but other options could be ASP.NET Identity 2.0 and possibly the upcoming Office 365 plugin. Or maybe something else...
Has anyone gotten Azure AD working with EPi and have any pointers?
We are currently finishing a story about making sure EPiServer runs with federated authentication. It is primarily targeted at ADFS, but I have tried it with Azure AD as well and it works fine. One thing that differs when running against Azure AD (compared to ADFS) is that roles are not part of the SecurityToken. One approach (that I found in forums) is to have your own ClaimsAuthenticationManager, override the Authenticate method there, get the roles for the user using the Graph API and add them as Role claims for the user.
Regarding Office365 I have not tried it but our suggested setup is using Owin and there is Middleware for Office365 (see https://auth0.com/authenticate/aspnet-owin/office365) so it should be possible. I do not know how roles are handled in that scenario though.
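To make the ClaimsAuthenticationManager approach from the reply above concrete, here is an added example (not code from the thread, EPiServer or Microsoft). It assumes the Azure AD token carries the user's directory object id in the objectidentifier claim, and it replaces the actual Graph API call with a hypothetical IDirectoryRoleLookup interface and an in-memory implementation with constructed data, so it runs without network access; the real deployment would implement that interface against the Graph API.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Security.Claims;

// Hypothetical abstraction over the directory lookup. In a real deployment this
// would query the Azure AD Graph API for the user's group memberships; here it is
// an interface so the manager can be exercised without network access.
public interface IDirectoryRoleLookup
{
    IEnumerable<string> GetRoles(string userObjectId);
}

// Constructed, in-memory lookup standing in for the Graph API call.
public sealed class StaticRoleLookup : IDirectoryRoleLookup
{
    private readonly IDictionary<string, string[]> _roles = new Dictionary<string, string[]>
    {
        { "objectid-of-alice", new[] { "WebEditors", "WebAdmins" } },
        { "objectid-of-bob",   new[] { "WebEditors" } }
    };

    public IEnumerable<string> GetRoles(string userObjectId)
    {
        string[] roles;
        return _roles.TryGetValue(userObjectId, out roles) ? roles : Enumerable.Empty<string>();
    }
}

public class AzureAdRoleClaimsAuthenticationManager : ClaimsAuthenticationManager
{
    // Assumption: Azure AD issues the user's directory object id under this claim type.
    // Adjust if your tenant issues a different stable identifier.
    private const string ObjectIdClaimType = "http://schemas.microsoft.com/identity/claims/objectidentifier";

    private readonly IDirectoryRoleLookup _lookup;

    // Parameterless constructor is needed for web.config registration; wire the real lookup here.
    public AzureAdRoleClaimsAuthenticationManager() : this(new StaticRoleLookup()) { }

    public AzureAdRoleClaimsAuthenticationManager(IDirectoryRoleLookup lookup)
    {
        if (lookup == null) throw new ArgumentNullException("lookup");
        _lookup = lookup;
    }

    public override ClaimsPrincipal Authenticate(string resourceName, ClaimsPrincipal incomingPrincipal)
    {
        var identity = incomingPrincipal == null ? null : incomingPrincipal.Identity as ClaimsIdentity;

        // Only enrich principals the STS actually authenticated; anonymous requests pass through untouched.
        if (identity == null || !identity.IsAuthenticated)
        {
            return incomingPrincipal;
        }

        var objectId = identity.FindFirst(ObjectIdClaimType);
        if (objectId == null)
        {
            return incomingPrincipal;
        }

        // Keep any role claims already in the token; add only the ones that are missing.
        var existing = new HashSet<string>(
            identity.FindAll(identity.RoleClaimType).Select(c => c.Value),
            StringComparer.OrdinalIgnoreCase);

        foreach (var role in _lookup.GetRoles(objectId.Value))
        {
            if (existing.Add(role))
            {
                // Mark the issuer so diagnostics show this claim was added locally from the
                // directory lookup rather than issued by the token's STS.
                identity.AddClaim(new Claim(identity.RoleClaimType, role, ClaimValueTypes.String, "LocalDirectoryLookup"));
            }
        }

        return incomingPrincipal;
    }
}
```

The manager is registered in web.config under system.identityModel/identityConfiguration with a claimsAuthenticationManager element whose type attribute names this class and its assembly. Two points worth keeping in mind: Authenticate runs on every authenticated request, so a real Graph API implementation should cache the result (for example in the session cookie) rather than call the directory each time, and the roles only come from the lookup, so any authorisation decision in EPiServer is as trustworthy as the account used to query the directory.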