
WsFederation redirects to default login page and not to MetadataAddress


Hi,

I am trying to set up a federated login scheme against AD in CMS12, .NET Core 8 using cookies, but it redirects to the default yellow/white login screen /Util/Login?ReturnUrl=%2F both locally and on the integration environment instead of redirecting to MetadataAddress. Before, we ran OWIN, but now we are upgrading to the latest CMS 12.

What I have done:

  • I set the start page controller to [Authorize] to trigger the login
  • Configuration defined in Startup.cs in ConfigureServices
  • services.AddAuthentication is configured
    • sharedOptions.DefaultScheme = CookieAuthenticationDefaults.AuthenticationScheme;
    • sharedOptions.DefaultSignInScheme = CookieAuthenticationDefaults.AuthenticationScheme; 
    • sharedOptions.DefaultChallengeScheme = WsFederationDefaults.AuthenticationScheme;
  • AddWsFederation has defined MetadataAddress and Wtrealm (checked in debug that they are correct values) and OnSecurityTokenValidated for processing the returned security token
  • AddCookie is defined with Cookie.Name, expiry and a few things to be done before login
  • In the Configure section I have app.UseAuthentication(); and app.UseAuthorization();

In appsettings:

    {
      "EPiServer": {
        "Login": {
          "Wtrealm": "https://our.address",
          "MetadataAddress": "https://our.address/federationmetadata/2007-06/federationmetadata.xml"
        }
      }
    }

Has anyone had this behavior before? I am thinking I missed something easy :S

/ Tony

#320521
Apr 15, 2024 8:17

Hi Tony

I think the reason you get redirected to /Util/login is that you're not authenticating with the `WsFederation` scheme. Two possible fixes:

  1. Add scheme to `[Authorize]` attribute OR
  2. Remove Optimizely asp.net identity `.AddCmsAspNetIdentity<ApplicationUser>()`
#320523
Edited, Apr 15, 2024 13:11

Hi Tony,

In order to replace the built-in local login with Azure AD, follow the official documentation: Integrate Azure AD using OpenID Connect (optimizely.com).

I don't have experience with WS-Federation, but this article describes how to add it in a .Net Core project: Authenticate users with WS-Federation in ASP.NET Core | Microsoft Learn

Be sure to also follow Vincent's 2nd point, and at the end you must manually synchronize user roles with Optimizely using: await synchronizingUserService.SynchronizeAsync(claimsIdentity);

#320725
Apr 19, 2024 10:30
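The configuration listed in the question, with the two fixes from the first reply and the role synchronization from the second, assembled into one Startup as an added example; this is not code from the thread or from Optimizely. It assumes ASP.NET Core 8 with the Microsoft.AspNetCore.Authentication.WsFederation package, that ISynchronizingUserService lives in the EPiServer.Security namespace, and a placeholder cookie name and expiry; the CMS-specific service and endpoint registrations a real CMS 12 Startup also needs are left out. The point it makes: a plain `[Authorize]` challenges whatever DefaultChallengeScheme is once every registration has run, and ASP.NET Core Identity (which AddCmsAspNetIdentity brings in) registers its own authentication defaults, so either the attribute names the scheme explicitly or Identity stays out of the container.

```csharp
using System;
using System.Security.Claims;
using System.Threading.Tasks;
using EPiServer.Security;   // ISynchronizingUserService (assumed namespace, Optimizely CMS 12)
using Microsoft.AspNetCore.Authentication.Cookies;
using Microsoft.AspNetCore.Authentication.WsFederation;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Http;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Extensions.Configuration;
using Microsoft.Extensions.DependencyInjection;

public class Startup
{
    private readonly IConfiguration _configuration;

    public Startup(IConfiguration configuration) => _configuration = configuration;

    public void ConfigureServices(IServiceCollection services)
    {
        // Same "EPiServer:Login" section as the appsettings.json in the question.
        var login = _configuration.GetSection("EPiServer:Login");

        services.AddAuthentication(options =>
        {
            // The cookie carries the session; WS-Federation only handles the
            // challenge, i.e. the first redirect to the identity provider.
            options.DefaultScheme = CookieAuthenticationDefaults.AuthenticationScheme;
            options.DefaultSignInScheme = CookieAuthenticationDefaults.AuthenticationScheme;
            options.DefaultChallengeScheme = WsFederationDefaults.AuthenticationScheme;
        })
        .AddCookie(options =>
        {
            options.Cookie.Name = ".MySite.Auth";          // hypothetical name
            options.Cookie.HttpOnly = true;
            options.Cookie.SecurePolicy = CookieSecurePolicy.Always;
            options.Cookie.SameSite = SameSiteMode.Lax;    // Lax, not Strict: the IdP POSTs back cross-site
            options.ExpireTimeSpan = TimeSpan.FromHours(8);
            options.SlidingExpiration = false;
        })
        .AddWsFederation(options =>
        {
            options.MetadataAddress = login["MetadataAddress"];
            options.Wtrealm = login["Wtrealm"];
            // Default is already true: signing keys are only ever fetched over HTTPS.
            options.RequireHttpsMetadata = true;
            // Default reply endpoint; must match the reply URL registered at the IdP.
            options.CallbackPath = "/signin-wsfed";

            options.Events.OnSecurityTokenValidated = async ctx =>
            {
                // Signature and issuer were already checked against the metadata
                // keys at this point; now map the federated identity onto
                // Optimizely's role store, as the second reply describes.
                var identity = (ClaimsIdentity)ctx.Principal!.Identity!;
                var sync = ctx.HttpContext.RequestServices
                                 .GetRequiredService<ISynchronizingUserService>();
                await sync.SynchronizeAsync(identity);
            };
        });

        // Fix 2 from the first reply: do not also call
        // services.AddCmsAspNetIdentity<ApplicationUser>() here. ASP.NET Core
        // Identity's AddIdentity registers its own DefaultScheme / DefaultSignInScheme,
        // and whichever AddAuthentication(options => ...) delegate runs last wins.

        services.AddControllersWithViews();
    }

    public void Configure(IApplicationBuilder app)
    {
        app.UseRouting();
        app.UseAuthentication();   // must precede UseAuthorization
        app.UseAuthorization();
        app.UseEndpoints(endpoints => endpoints.MapControllers());
    }
}

// Fix 1 from the first reply: pin the scheme on the attribute. The WS-Federation
// handler authenticates through its SignInScheme (the cookie) and challenges by
// redirecting to the federation endpoint read from MetadataAddress, so an
// anonymous request never falls through to a cookie LoginPath such as /Util/Login.
[Authorize(AuthenticationSchemes = WsFederationDefaults.AuthenticationScheme)]
public class StartPageController : Controller
{
    public IActionResult Index() => Content("Signed in as " + (User.Identity?.Name ?? "?"));
}
```

Two things to check before blaming the scheme wiring: the reply URL registered at the IdP must be https://<your host>/signin-wsfed (the handler's default CallbackPath), and MetadataAddress must be reachable over HTTPS from the web server itself, because the handler downloads the metadata to find the federation endpoint before it can issue the redirect at all.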

Thanks. Well, I got the configuration from IT services now and I was directed to use SAML2 instead, so I am devising a configuration for that, but that page contains some new info.

#320728
Apr 19, 2024 11:24