16

We have configured Client App to use IdentityServer3 authentication via OpenID Connect protocol (it's ASP.NET MVC App that uses OWIN middleware to support OIDC).

The IdentityServer3 itself is configured to use both local login and external login (Azure AD, for instance).

In the regular flow once App need to authenticate user it redirects him to the IdentityServer3 login screen - it's fine. But in some cases, on per-request basis, I want to bypass login screen by somehow letting IdentityServer3 know that user want to login with specific external identity provider right away.

Is that possible to do?

image

fourpastmidnight
  • 4,032
  • 1
  • 35
  • 48
Eugene D. Gubenkov
  • 5,127
  • 6
  • 39
  • 71
  • I've figured out that if Client restricted to single IdP then Login screen automatically skipped, but in case of multiple IdP (e.g. local login and Azure AD) the question is still open – Eugene D. Gubenkov Apr 29 '15 at 13:44
  • There is a sample how to se HRD feature [here](https://github.com/IdentityServer/IdentityServer3.Samples/tree/master/source/CustomHrd). Maybe it will help you. – pepo Apr 29 '15 at 14:00
  • @pepo, thanks I'll definitely take a look on it! As far I as understand the "default" OWIN middleware for OpenID Connect not able to pass any additional information on Authentication challenge - https://github.com/aspnet/Security/issues/99. So not only Identity Server should support receiving information about user intention, but OWIN middleware should be able to send it and it can't out-of-the-box, right? – Eugene D. Gubenkov Apr 29 '15 at 15:34
  • I found [this article](http://www.cloudidentity.com/blog/2014/11/17/skipping-the-home-realm-discovery-page-in-azure-ad/). Don't have time to test it unfortunately so I don't know if it will work with IdentityServer. – pepo Apr 30 '15 at 22:41
  • @pepo, thanks! I've checked this and seems domain_hint takes no effect on IdentityServer3, but now I at least know how to pass any custom parameters over OpenID Connect middleware to Identity Server: https://katanaproject.codeplex.com/workitem/325. So if nothing is left the solution could be extending IdentityServer. – Eugene D. Gubenkov May 01 '15 at 08:56

3 Answers3

19

Just found the solution in the IdentityServer3's Authorization/Authentication Endpoint documentation!

acr_values (optional) allows to pass additional authentication related information to the user service - there are also values with special meaning: idp:name_of_idp bypasses the login/home realm screen and forwards the user directly to the selected identity provider (if allowed per client configuration) tenant:name_of_tenant can be used to pass a tenant name to the user service

How to pass additional parameters using OWIN OpenID Connect middleware: https://katanaproject.codeplex.com/workitem/325

Here is the sample of the authorization request:

sample request

Eugene D. Gubenkov
  • 5,127
  • 6
  • 39
  • 71
7

I know this is old but thought I'd still put this here to help someone out if they want to automatically redirect to an external login: 

public override Task PreAuthenticateAsync(PreAuthenticationContext context)
{
    context.SignInMessage.IdP = "windows";
    return base.PreAuthenticateAsync(context);  
}

You can basically override the PreAuthenticateAsync on UserServiceBase and change the property IdP on the context.SignInMessage to be the external providers name that has been setup in your startup. And this will redirect.

Manfred Radlwimmer
  • 13,257
  • 13
  • 53
  • 62
TheRock
  • 1,513
  • 1
  • 18
  • 19
0

When you configure identtyserver with external provider, In AuthenticationOptions you typically set AutheticationType to some string. Like below

           app.UseGoogleAuthentication(new GoogleOAuth2AuthenticationOptions
            {
                AuthenticationType = "Google",
                Caption = "Sign-in with Google",
                SignInAsAuthenticationType = signInAsType,

                ClientId = ConfigurationManager.AppSettings["google:clientid"],
                ClientSecret = ConfigurationManager.AppSettings["google:clientsecret"],
            });

Then in client application you can set the acrvalues to Authentication-type like below

        app.UseOpenIdConnectAuthentication(new OpenIdConnectAuthenticationOptions
        {           

            Notifications = new OpenIdConnectAuthenticationNotifications
            {            

                RedirectToIdentityProvider = (n) =>
                {
                    if (n.ProtocolMessage.RequestType == OpenIdConnectRequestType.AuthenticationRequest)
                    {
                        if(n.Request.Uri == "someurl")
                         {
                        //set acrvalues. the value of the `idp`, (which is `Google` in this case) must match with the `AutheticationType` you set in IdentityServer
                        n.ProtocolMessage.AcrValues = "idp:Google"; 
                        }
                    }


                    return Task.FromResult(0);
                }
            }

Also note that the idp value is case sensitive.

The other option (which i have NOT tried). Instead of setting idp you set the tenant in client application.

   n.ProtocolMessage.AcrValues = "tenant:" + n.Request.Uri.ToString();

And as @TheRock mentioned, In IndentityServer check the tenant in SignInMessage and override Idp

public override Task PreAuthenticateAsync(PreAuthenticationContext context)
{
   if(context.SignInMessage.Tenant = "sometenant")
   {
      context.SignInMessage.IdP = "Google";
      return base.PreAuthenticateAsync(context);  
   }
}

In this way as you keep adding new external providers, you don't have to change code in client application. You only to update IndentityServer code. This especially help if you have multiple client applications connecting to same identity server.

LP13
  • 30,567
  • 53
  • 217
  • 400