I have App1 and App2, doing SSO using IdentityServer3 with Active Directory.
Each app has its own users and roles. I created a ClaimsTransformation OWIN middleware, get user/roles, serialize into cookie, then bring back on subsequent calls. That works well.
But where do I handle initial user enrollment? I can't do it in authentication, because if an App1 user logs on and then goes to App2 as a new user, he will skip authentication.
If I do this in the middleware, when I try to redirect the user to the enroll/profile page, that redirect is hit by the middleware again, causing a redirect loop.
Any suggestions? Thanks.
Never mind, I did it all wrong. For .NET using Owin.Security.OpenIdConnect, app initialization should be done in SecurityTokenValidated. The skipping-authentication issue was because I didn't set the cookie name.
using Microsoft.Owin.Security.OpenIdConnect;
using System.Threading.Tasks;
app.UseOpenIdConnectAuthentication(new OpenIdConnectAuthenticationOptions
{
    // Must match the AuthenticationType given to app.UseCookieAuthentication
    SignInAsAuthenticationType = "Cookies",
    Notifications = new OpenIdConnectAuthenticationNotifications
    {
        // Per-app user enrollment/initialization goes here; the handler must return a Task
        SecurityTokenValidated = n => { /* ... */ return Task.FromResult(0); }
    }
});
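A fuller Startup showing the two points in the answer (matching cookie name, per-app initialization inside SecurityTokenValidated), written as an added example rather than the poster's code. The Authority, ClientId and RedirectUri values are placeholders, the in-memory AppUsers table is constructed sample data, and the app_enrolled claim name is my own convention.

```csharp
using System.Collections.Generic;
using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.Owin.Security.Cookies;
using Microsoft.Owin.Security.OpenIdConnect;
using Owin;
public class Startup
{
    // Constructed stand-in for this app's own user/role table, keyed by IdentityServer subject id.
    private static readonly Dictionary<string, string[]> AppUsers = new Dictionary<string, string[]>
    {
        { "sub-1001", new[] { "Admin", "Editor" } }
    };

    public void Configuration(IAppBuilder app)
    {
        const string cookieScheme = "Cookies";
        app.UseCookieAuthentication(new CookieAuthenticationOptions
        {
            AuthenticationType = cookieScheme // must equal SignInAsAuthenticationType below
        });
        app.UseOpenIdConnectAuthentication(new OpenIdConnectAuthenticationOptions
        {
            Authority = "https://IDSRV_AUTHORITY_PLACEHOLDER/identity",
            ClientId = "CLIENT_ID_PLACEHOLDER",
            RedirectUri = "https://APP_HOST_PLACEHOLDER/",
            ResponseType = "id_token",
            Scope = "openid profile",
            SignInAsAuthenticationType = cookieScheme,
            Notifications = new OpenIdConnectAuthenticationNotifications
            {
                // Runs once per sign-in, after the id_token is validated and before the cookie is written.
                SecurityTokenValidated = n =>
                {
                    var identity = n.AuthenticationTicket.Identity;
                    // Katana's default inbound claim map renames "sub" to NameIdentifier unless cleared.
                    var subject = (identity.FindFirst("sub") ?? identity.FindFirst(ClaimTypes.NameIdentifier)).Value;
                    string[] roles;
                    var enrolled = AppUsers.TryGetValue(subject, out roles);
                    // Unknown to this app: flag the cookie instead of redirecting here (that caused the loop).
                    identity.AddClaim(new Claim("app_enrolled", enrolled ? "true" : "false"));
                    foreach (var role in enrolled ? roles : new string[0])
                        identity.AddClaim(new Claim(ClaimTypes.Role, role));
                    return Task.FromResult(0);
                }
            }
        });
    }
}
```

Because the enrollment decision is carried in the cookie as a claim, the redirect to the enroll page can be done by an MVC action filter that exempts the enroll action itself, which is what avoids the middleware redirect loop from the question.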