Custom Login Screen - Integrated Windows Auth with fall back

Question

I want to create a custom login screen that will attempt to authenticate a user via integrated Windows Authentication (using SPNEGO or whatever) and if that attempt fails, fall back to a forms based approach.

The process would ideally work like this...

User Logged in as Valid AD User

1. User attempts to access application and is redirected to IdentityServer.
2. Custom logic attempts to validate user using AD credentials and succeeds.
3. User is authenticated and redirected...

User Not Logged in as Valid AD User

1. User attempts to access application and is redirected to IdentityServer.
2. Custom logic attempts to validate user using AD credentials and fails.
3. User is presented with a form to enter username and password.
4. User is authenticated and redirected...

I was hoping to create a custom IUserService implementation to achieve this, but from reading the documentation it's not obvious how this would be done.

Am I going to have to create a custom identity provider to achieve this?

Any guidance would be greatly appreciated.

Answer 1

I think, it's not so much the custom IUserService you have to worry about. The IUserService looks up a user once IdSrv3 has collected credentials from the user. So your integration needs to occur earlier.

What's tricky is falling back. If you have a page that is protected by windows auth, it's the client that decides if it can authenticate or not. if it can't authenticate the user it will usually prompt the user for credentials & try to submit these. It won't automagiclly know what to do.

The approach with probably the best user experience is to show a page & allow the user to choose how to login, much like you can choose to login with Google, etc. You can then hook this up as an external provider.