I'm working on SSO using federated security, connecting to an ADFS server: http://world.episerver.com/documentation/Items/Developers-Guide/Episerver-CMS/9/Security/federated-security/
Here I found this limitation:
The OWIN provider for WS-Federation does not support multi-tenancy, so each site must run in its own web application for authentication to work on all URLs (the WtRealm configuration specified in the example below cannot vary per request). The OWIN provider for OpenID Connect can work with multiple URLs, see integration with Azure Active Directory.
I could make it work with a single site, but for multiple domains (on the same instance in EPiServer DXC) the WtRealm is only configured once, when the application starts.
Not sure if you have any suggestions on how I could make this work with different sites (domains): mysite.com, mysite.se, ...?
I know you can solve it by putting Auth0 in the middle. You can do WS-Fed between ADFS and Auth0 and OpenID Connect between Auth0 and the DXC app.
Another option would be to get an Azure AD set up and sync ADFS to it. Then you would do OpenID Connect against it, as in the latter link you posted.
We are in a bit of a hurry to roll out the sites, so which option do you think would be more feasible?
For the ADFS to Auth0 connection, it would be great if you could point out some documentation or sample code. I'm trying to look into that option.
Updated: I think I see some more links about the first option: https://auth0.com/docs/connections/enterprise/adfs and it seems clearer to me now :)
Both have a cost depending on the number of users. Both options are cloud subscriptions, so you don't need any new hosting infrastructure.
Auth0 has a lot more than Azure AD currently has (but I've seen that a lot of new stuff is in the pipeline for Azure AD).
Auth0 will probably make it a lot easier and faster to add new auth providers. They also have impersonation functionality, which is really nice, unless it conflicts with your security policy, which could then make it a deal breaker.
The link you updated with is what you need. Their docs are always great.
I have solved OWIN for multiple sites by setting the Wreply property to the actual site URL before redirecting to ADFS. You also have to specify all sites as endpoints in the ADFS Relying Party Trust configuration for the installation. This way we can have only one IIS site for multiple EPiServer sites using ADFS. All sites will use the same Relying Party Trust definition in ADFS, so the same set of claims will be issued for all sites.
Snippet from public void Configuration(IAppBuilder app) in Startup.cs (this is the RedirectToIdentityProvider notification inside WsFederationAuthenticationOptions.Notifications):
    RedirectToIdentityProvider = (ctx) =>
    {
        // To avoid a redirect loop to the federation server send 403 when user is authenticated but does not have access
        if (ctx.OwinContext.Response.StatusCode == 401 && ctx.OwinContext.Authentication.User.Identity.IsAuthenticated)
        {
            ctx.OwinContext.Response.StatusCode = 403;
            ctx.HandleResponse(); // without this the middleware still issues the redirect after the 403 is set
        }
        ctx.ProtocolMessage.Wreply = SiteDefinition.Current.SiteUrl.ToString();
        return Task.FromResult(0);
    }
I think Wreply is new in ADFS 3, because I didn't get it to work with ADFS 2.
It seems to work with our ADFS server.
Just one thing: we have the scenario of one site definition but different domains/languages, for example mysite.se -> sv-SE, mysite.com -> en-GB and mysite.fi -> fi-FI, so I replace the Wreply with HttpContext.Current.Request.Url.AbsoluteUri and it works.
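The two previous posts set Wreply either to SiteDefinition.Current.SiteUrl or to the raw request URL. The request URL is built from the Host header, which the client controls, so a practitioner would want the per-request reply address checked against the hosts the site is actually configured for before it is handed to ADFS. The following Startup.cs is an added example written for this thread, not code from the original posts or from Episerver; it assumes the Katana WS-Federation middleware (Microsoft.Owin.Security.WsFederation) and Episerver's SiteDefinition/HostDefinition API, and the class name WreplyResolver, the metadata address and the realm are made-up placeholders.

```csharp
// Added example (not from the original thread): pick Wreply per request, but only from
// hosts that are configured on the current Episerver site. Assumptions: Katana WS-Fed
// middleware, EPiServer.Web.SiteDefinition; WreplyResolver and the URLs below are hypothetical.
using System;
using System.Linq;
using System.Threading.Tasks;
using EPiServer.Web;
using Microsoft.Owin;
using Microsoft.Owin.Security.WsFederation;
using Owin;

public static class WreplyResolver
{
    // Returns the reply URL for this request when the request host is one of the site's
    // configured hosts (mysite.se, mysite.com, mysite.fi, ...); otherwise the site's primary URL.
    // The Host header is attacker-controlled, so it is only used when it matches the allow-list.
    public static string Resolve(IOwinRequest request, SiteDefinition site)
    {
        string host = request.Host.Value; // includes the port when one was sent

        bool known = site.Hosts.Any(h =>
            h.Name != "*" && // the wildcard host matches anything in Episerver; never trust it here
            string.Equals(h.Name, host, StringComparison.OrdinalIgnoreCase));

        if (!known)
        {
            return site.SiteUrl.ToString();
        }

        // Reply to the site root. The middleware carries the originally requested URL in wctx,
        // so a per-path reply address (Request.Url.AbsoluteUri) is not needed, and one root URL
        // per host keeps the endpoint list on the ADFS relying party trust short.
        return request.Scheme + Uri.SchemeDelimiter + host + request.PathBase.Value + "/";
    }
}

public class Startup
{
    public void Configuration(IAppBuilder app)
    {
        app.UseWsFederationAuthentication(new WsFederationAuthenticationOptions
        {
            // Placeholder values; take them from your own relying party trust.
            MetadataAddress = "https://adfs.example.com/FederationMetadata/2007-06/FederationMetadata.xml",
            // One realm for all sites: they share a single relying party trust and claim set.
            Wtrealm = "https://mysite.com/",
            Notifications = new WsFederationAuthenticationNotifications
            {
                RedirectToIdentityProvider = ctx =>
                {
                    // Same guard as in the thread: a 401 for an already authenticated user means
                    // "no access", so answer 403 instead of bouncing the user back to ADFS.
                    if (ctx.OwinContext.Response.StatusCode == 401 &&
                        ctx.OwinContext.Authentication.User.Identity.IsAuthenticated)
                    {
                        ctx.OwinContext.Response.StatusCode = 403;
                        ctx.HandleResponse(); // stop the middleware from issuing the redirect anyway
                        return Task.FromResult(0);
                    }

                    // Every URL this can return must also be registered as a WS-Federation endpoint
                    // on the relying party trust in ADFS, or ADFS will not post the token there.
                    ctx.ProtocolMessage.Wreply = WreplyResolver.Resolve(ctx.Request, SiteDefinition.Current);
                    return Task.FromResult(0);
                }
            }
        });
    }
}
```

A request for mysite.se therefore gets Wreply = https://mysite.se/ and a request for mysite.fi gets https://mysite.fi/, while a request whose Host header is not in the site definition falls back to the site's own SiteUrl. Keep the host list in the Episerver site definition and the endpoint list on the ADFS relying party trust in sync: a host present in one but not the other either falls back to the primary URL here or is rejected by ADFS.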