Authenticating with AD FS in Umbraco

… and syncing AD groups to Umbraco groups

Monkii

Mar 9, 2018

This is an update on how to set up AD FS authentication with Umbraco, making use of new features that became available in Umbraco 7.8. They let us sync permissions every time a user logs in and match an AD group directly to an Umbraco group.

How to setup your AD FS

I started my own journey of setting up the AD FS integration with Umbraco with this excellent article:

One thing you need to add to that process when configuring AD FS is an additional claim type and claim rule that issues the user's group membership as a claim. The Umbraco side below expects the groups under the claim type http://schemas.xmlsoap.org/claims/Group; a "Send LDAP Attributes as Claims" rule that maps the Token-Groups attribute to that outgoing claim type does this. Without it no group claims arrive at Umbraco and nothing gets synced.

Otherwise I have nothing to add regarding setting up AD FS, so I will just refer you to that article and focus on the Umbraco side of things here.

Install Packages

Make sure you have Umbraco 7.8 or later installed (the OnExternalLogin hook used below does not exist in earlier versions).

Install the packages below:

Install-Package UmbracoCms.IdentityExtensions
Install-Package Microsoft.Owin.Security.WsFederation
Install-Package Kentor.OwinCookieSaver

Setup Custom OWIN Startup

Now that the required packages are in place we have to set up a custom OWIN startup.
Go ahead and create a class (UmbracoCustomOwinStartup, deriving from Umbraco's UmbracoDefaultOwinStartup) as such:

Now you have to make sure your UmbracoCustomOwinStartup class is actually getting called: Umbraco picks its OWIN startup class from the owin:appStartup appSetting in web.config, so point that key at the new class. And while we're here we add a few more AD FS configuration settings. So please go ahead and add the following entries:

Now we can go back to UmbracoCustomOwinStartup.cs and start adding the AD FS configuration by overriding the Configuration method:

This is mostly boilerplate, so let's add the actual AD FS configuration. Here we're just pulling the four configuration settings out of web.config and applying them to the WsFederationAuthenticationOptions. The metadata address is what the middleware uses to fetch the AD FS signing certificate, so it must be the https federation metadata URL of your AD FS server:

The crucial bit here is SetExternalSignInAutoLinkOptions!
Here you can set up hooks that get called every time a user is created through auto-linking, that is, when an AD FS user logs in for the first time. Umbraco takes care of creating the user itself; you just get a chance to apply any customisation. In my case I only need to apply the AD groups, which is the same thing I want to do on every subsequent login, so I just relay this to the OnExternalLogin method:

OnExternalLogin is the new bit that was added in Umbraco 7.8.
Here we extract the group names that come through as claims. I'm using four constants, which I'll explain briefly:

  1. ClaimsTypeRole: the claim type under which AD FS sends a group: “http://schemas.xmlsoap.org/claims/Group”
  2. ActiveDirectoryRolePrefix: a prefix that filters the groups. Since a user can have hundreds of AD groups, we only want the relevant subset. Probably something you want to customise for your needs.
  3. GroupAliasPrefix: a prefix for the Umbraco group alias, so that any group auto-created by Umbraco has this string prepended. This also keeps synced groups from colliding with Umbraco's built-in aliases such as admin.
  4. GroupLabelPrefix: the same, but for the group label.

We just need a couple of helper methods to add / remove groups:
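Putting the steps above together (startup class, web.config settings, auto-link hooks, OnExternalLogin and the group helpers), here is a complete startup class as an added example. It is written for this page and is not the author's code (the original gists are not reproduced here). Assumptions, all of which you should adjust: the namespace MySite, the appSetting key names adfs:MetadataAddress, adfs:Wtrealm, adfs:Wreply and adfs:Caption, the three prefix values, and the Umbraco 7.8 group APIs used for persistence (IUserService.GetUserGroupByAlias/Save, IUser.ClearGroups/AddGroup and IUserGroup.ToReadOnlyGroup()).

```csharp
using System;
using System.Configuration;
using System.Linq;
using Kentor.OwinCookieSaver;
using Microsoft.AspNet.Identity.Owin;
using Microsoft.Owin;
using Microsoft.Owin.Security.WsFederation;
using Owin;
using Umbraco.Core;
using Umbraco.Core.Models.Identity;
using Umbraco.Core.Models.Membership;
using Umbraco.Core.Services;
using Umbraco.Web;
using Umbraco.Web.Security.Identity;

// Registered by friendly name: web.config needs <add key="owin:appStartup" value="UmbracoCustomOwinStartup" />
[assembly: OwinStartup("UmbracoCustomOwinStartup", typeof(MySite.UmbracoCustomOwinStartup))]

namespace MySite
{
    public class UmbracoCustomOwinStartup : UmbracoDefaultOwinStartup
    {
        // Claim type AD FS uses for group membership (see the constants list above).
        private const string ClaimsTypeRole = "http://schemas.xmlsoap.org/claims/Group";
        // Prefix values are assumptions; pick ones matching your AD naming convention.
        private const string ActiveDirectoryRolePrefix = "UMB-";  // only AD groups like UMB-Editors are synced
        private const string GroupAliasPrefix = "adfs-";          // Umbraco alias becomes adfs-editors
        private const string GroupLabelPrefix = "AD FS: ";        // Umbraco label becomes "AD FS: editors"

        public override void Configuration(IAppBuilder app)
        {
            // Must be first in the pipeline: stops System.Web from dropping cookies set by OWIN middleware.
            app.UseKentorOwinCookieSaver();
            base.Configuration(app); // Umbraco's back-office cookie and external-cookie middleware

            // Assumed web.config keys; the metadata URL must be https (the signing cert is fetched from it).
            var options = new WsFederationAuthenticationOptions
            {
                MetadataAddress = ConfigurationManager.AppSettings["adfs:MetadataAddress"],
                Wtrealm = ConfigurationManager.AppSettings["adfs:Wtrealm"],   // relying party identifier in AD FS
                Wreply = ConfigurationManager.AppSettings["adfs:Wreply"],     // e.g. https://cms.example.com/umbraco
                Caption = ConfigurationManager.AppSettings["adfs:Caption"],   // button text on the login screen
                SignInAsAuthenticationType = Constants.Security.BackOfficeExternalAuthenticationType
            };
            options.ForUmbracoBackOffice("btn-microsoft", "fa-windows");

            var autoLink = new ExternalSignInAutoLinkOptions(autoLinkExternalAccount: true)
            {
                // First login: the user is not saved yet, so only set its groups; Umbraco persists
                // them when it creates the user.
                OnAutoLinking = (user, login) => SyncGroups(user, login, persist: false),
                // Every later login: sync, persist, and return true to allow the sign-in.
                OnExternalLogin = (user, login) => SyncGroups(user, login, persist: true)
            };
            options.SetExternalSignInAutoLinkOptions(autoLink);

            app.UseWsFederationAuthentication(options);
        }

        private static bool SyncGroups(BackOfficeIdentityUser user, ExternalLoginInfo login, bool persist)
        {
            var userService = ApplicationContext.Current.Services.UserService;

            // Group claims from the signed AD FS token, reduced to the relevant subset.
            var wantedAliases = login.ExternalIdentity.FindAll(ClaimsTypeRole)
                .Select(c => c.Value)
                .Where(g => g.StartsWith(ActiveDirectoryRolePrefix, StringComparison.OrdinalIgnoreCase))
                .Select(ToAlias)
                .Distinct()
                .ToArray();

            // Groups assigned by hand in Umbraco (no prefix) are kept; the synced set is replaced
            // wholesale, so a group removed in AD disappears here on the next login.
            var current = user.Groups ?? new IReadOnlyUserGroup[0];
            var manual = current.Where(g => !g.Alias.StartsWith(GroupAliasPrefix)).ToList();
            var synced = wantedAliases.Select(alias => GetOrCreateGroup(userService, alias)).ToList();
            user.Groups = manual.Concat(synced).ToArray();

            if (persist)
            {
                var stored = userService.GetUserById(user.Id);
                stored.ClearGroups();
                foreach (var group in user.Groups) stored.AddGroup(group);
                userService.Save(stored);
            }
            return true;
        }

        // UMB-Editors -> adfs-editors
        private static string ToAlias(string adGroup)
        {
            return GroupAliasPrefix + adGroup.Substring(ActiveDirectoryRolePrefix.Length).ToLowerInvariant();
        }

        private static IReadOnlyUserGroup GetOrCreateGroup(IUserService userService, string alias)
        {
            var group = userService.GetUserGroupByAlias(alias);
            if (group == null)
            {
                // An auto-created group carries no sections or permissions; an admin grants those later.
                group = new UserGroup { Alias = alias, Name = GroupLabelPrefix + alias.Substring(GroupAliasPrefix.Length) };
                userService.Save(group);
            }
            return group.ToReadOnlyGroup();
        }
    }
}
```

Two design points worth keeping whatever names you use: the alias prefix means an AD group called, say, "admin" can only ever map to adfs-admin and never to Umbraco's built-in admin group, and an auto-created group starts with no permissions, so group membership arriving from AD FS grants nothing until someone deliberately assigns sections and content to that Umbraco group.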

That’s it! Press F5 to see where it fails ;)

Please let me know if you have any trouble in case I missed anything.

Thanks to Monkii

… for generously providing time and support to investigate this and submit the necessary pull request. :)
