Content Approvals With Azure AD


We have Azure AD set up using the standard setup https://world.episerver.com/documentation/developer-guides/CMS/security/integrate-azure-ad-using-openid-connect/ and we have our Front End Users set up using ASP.NET Identity. This is all working fine, but how are we supposed to set up content approvals?

At the moment the selection list for users/groups is only showing our ASP.NET Identity users. How is this supposed to list Azure AD users, as that's where our CMS editors are coming from?

#199186
Nov 19, 2018 17:11

Hey Scott

As far as I was aware users are cached in a table in SQL when they first log in (along with their claims) to allow selection in the UI. Has anyone ever logged in via Azure AD? Can't remember the table name but I am sure you can find it :)

David

#199251
Nov 21, 2018 16:17

Hi David, yes, I looked into the code and saw the User and Group synchronization classes. We also have the code

ServiceLocator.Current.GetInstance<ISynchronizingUserService>().SynchronizeAsync(ctx.AuthenticationTicket.Identity);

within the UseOpenIdConnectAuthentication code for our login.

I've checked the [SJA_Development_Episerver].[dbo].[AspNetUsers] but I can't see any of the Azure AD users in there. We use ASP.NET Identity for the front end of the site, so we have both configured in our startup.cs class. We see all the front end user logins but nothing seems to be either in the table or in the user admin UI.

#199252
Nov 21, 2018 16:22

David, this seems to be an issue affecting others: https://world.episerver.com/forum/developer-forum/-Episerver-75-CMS/Thread-Container/2018/11/tag-user-in-project-comment-not-working-when-using-external-authentication-provider/?pageIndex=1#reply

I've seen that the users are in the [tblSynchedUser] table but they aren't appearing in some of the more modern UI user pickers such as project comments and content approvals.

#199314
Nov 22, 2018 14:57

I've dug around to hell in the assemblies and tracked through the NotificationUserStore, and the problem seems to be around IQueryableNotificationUsers.

This is the service interface that gets the users and is implemented by both AspNetIdentitySecurityEntityProvider and DefaultSynchronizedUsersRepository, and when getting the IQueryableNotificationUsers service this seems to be coming back as the AspNetIdentitySecurityEntityProvider, which is returning the wrong users. I need to swap it, but the DefaultSynchronizedUsersRepository seems to be an internal-only class.

@David, is there any configuration you know of that can sort this out? I'm so close but just need this last step.

#199319
Nov 22, 2018 15:29

I think it's a bug. I've posted a workaround here: https://world.episerver.com/blogs/scott-reed/dates/2018/11/working-around-iqueryablenotificationusers-when-using-external-claims-based-cms-users/

#199328
Nov 22, 2018 15:58

Thanks for posting your workaround, Scott :)! And thanks for raising it as a bug to bring it to dev support's attention!

#199357
Nov 23, 2018 10:25

Thanks David for your help. I think if we were just able to make the DefaultSynchronizedUsersRepository public then developers can register it in the dependency configuration and even extend it if needed. Either way, the documentation on the security section should be updated so users know in the future how to set it up, whatever way you guys go.

#199361
Nov 23, 2018 11:38

David/Scott, was this considered to be an official bug? If so, is there a planned fix?

Thanks

#199818
Dec 12, 2018 13:49

I have some posts on the need for customizing this as well.

https://world.episerver.com/forum/developer-forum/-Episerver-75-CMS/Thread-Container/2017/11/making-content-approval-approver-selector-usable/

(there's another link inside there as well...)

Would be great if more people laid pressure.

#200335
Jan 09, 2019 10:14

@Erik I added it to the bugs area of the forum and I think David raised it officially. No word on it tho.

#200336
Jan 09, 2019 10:22

Sorry Scott, I thought you raised it as a bug already...

#200352
Jan 09, 2019 14:52

Apologies, I had only raised it before we said in the https://world.episerver.com/forum/developer-forum/Problems-and-bugs/ section of the forum, not in the support portal.

#200358
Jan 09, 2019 15:23