Tags: asp.net-identity, ws-federation, asp.net-core-2.1

How to transfer claims from WS-Federation reply into Identity


I'm pretty new to .net core 2.1, I figured if I'm going to build/rebuild a project I might as well use the new thing. So I've been fighting the ASP.NET Core Identity for a while - the documentation sure leaves something to be desired.

I have successfully implemented authentication - I redirect out to my ADFS and back again and users are logged in.

Then I began to look through Authorization. First I tried Role-Based but I have read that roles are not in much use, and besides I couldn't work out why roles assigned to users were failing the authorization checks (ClaimsPrincipal.IsInRole and policies for razor pages).

I settled on using Claims-Based Authorization, figuring I could use the claims provided via WS-Federation - I'm sending a few (Name, Name ID, E-Mail Address, Group) where Group is the unqualified list of group memberships as strings - however, I don't see any of those claims on the ClaimsPrincipal (HttpContext.User) after login.

Breaking the flow during login I can see that call to

_signInManager.GetExternalLoginInfoAsync()

is definitely getting the expected claims from ADFS, but isn't apparently getting through into whatever happens after that.

Like I said, I'm pretty hazy on how it works internally and TBH I don't really wanna get too deep into understanding the nitty gritty I just need to know that I can authorize based on group claims from ADFS.

My project is more-or-less the standard default asp.net core 2.1 website with the individual accounts authorization selected, then I added in the modifications for WS-Federation and jury-rigged the Login action to redirect straight out to ADFS rather than prompt for it.

Please let me know if you need clarification, but the gist of it is:

How do I get the group claims from ADFS into the ASP.NET Core Identity so I can reference them in this manner:

    services.AddAuthorization(options =>
    {
        options.AddPolicy("RequireAdminGroup", policy =>
            policy.RequireClaim("Group", "AD Admin Group Name")
        );
    });

Also, feel free to direct me at any answer I have missed. Been reading docs and searching the web for the entire day and not really progressed at all today!


Solution

  • Identity is working correctly. You just accessed the claims the wrong way. Try the following inside of a Razor Page.

    @inject UserManager<ApplicationUser> UserManager
    @{
        @* Claims held in the Identity user store for the signed-in user *@
        var claims = await UserManager.GetClaimsAsync(await UserManager.GetUserAsync(User));
    }

    For policies you can use the ClaimTypes class in Startup.cs to get well-known claims, e.g.:

    policy.RequireClaim(ClaimTypes.WindowsAccountName);
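The accepted answer reads claims back out of the Identity user store, but that store is empty until something writes the WS-Federation claims into it: `ExternalLoginSignInAsync` looks the user up by provider key and then builds the application cookie from the stored user via `UserClaimsPrincipalFactory`, so the claims on `info.Principal` are never copied across on their own. The following is an added C# example, not code from the question, the answer or the ASP.NET Core templates, of one way to do that copy in the external-login callback and then authorize on the result. It assumes the template's `ApplicationUser : IdentityUser`, a hypothetical helper class `ExternalLoginSync` whose `HandleCallbackAsync` would be called from the template's `ExternalLogin.cshtml.cs` `OnGetCallbackAsync`, and that ADFS issues group memberships with its default "Group" claim type, `http://schemas.xmlsoap.org/claims/Group`. That last point also explains why a policy on the bare type `"Group"` never matches: the claim type on the wire is the full URI, so dump `info.Principal.Claims` once and match on what you actually see.

```csharp
// Added example, not code from the original question or answer.
// Assumptions (hypothetical, adjust to your project):
//  - ApplicationUser is the default template's IdentityUser subclass.
//  - ExternalLoginSync is a helper invented for this example; the template's
//    ExternalLogin.cshtml.cs OnGetCallbackAsync would call HandleCallbackAsync.
//  - ADFS issues groups under its default claim type (check info.Principal.Claims
//    if your relying-party issuance rules rename it).
using System;
using System.Linq;
using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Identity;
using Microsoft.Extensions.DependencyInjection;

public class ApplicationUser : IdentityUser { }

public class ExternalLoginSync
{
    // Default type of the ADFS "Group" claim description. System.Security.Claims.ClaimTypes
    // has no constant for it (GroupSid is a different claim), so it is spelled out here.
    public const string GroupClaimType = "http://schemas.xmlsoap.org/claims/Group";

    private readonly SignInManager<ApplicationUser> _signInManager;
    private readonly UserManager<ApplicationUser> _userManager;

    public ExternalLoginSync(SignInManager<ApplicationUser> signInManager,
                             UserManager<ApplicationUser> userManager)
    {
        _signInManager = signInManager;
        _userManager = userManager;
    }

    // Return leg from ADFS. Returns false when the caller should fall back to the
    // template's registration / error handling (no external cookie, or unknown user).
    public async Task<bool> HandleCallbackAsync()
    {
        // The WS-Federation principal lives in the external cookie until sign-in completes.
        var info = await _signInManager.GetExternalLoginInfoAsync();
        if (info == null)
            return false;

        var user = await _userManager.FindByLoginAsync(info.LoginProvider, info.ProviderKey);
        if (user == null)
            return false; // unknown user: hand off to the registration flow

        // Update the store BEFORE signing in: the application cookie is built from the
        // stored claims at sign-in time and is not refreshed by later store changes
        // (call SignInManager.RefreshSignInAsync if you ever change claims mid-session).
        await SyncGroupClaimsAsync(user, info.Principal);

        // Same call the template makes; it clears the external cookie and issues the
        // application cookie, now carrying the group claims.
        var result = await _signInManager.ExternalLoginSignInAsync(
            info.LoginProvider, info.ProviderKey, isPersistent: false, bypassTwoFactor: true);
        return result.Succeeded;
    }

    // Replace the stored group claims with the set ADFS just asserted, so a group
    // removed in AD stops granting access at the user's next login rather than never.
    public async Task SyncGroupClaimsAsync(ApplicationUser user, ClaimsPrincipal external)
    {
        var issued = external.FindAll(GroupClaimType)
                             .Select(c => c.Value)
                             .Distinct()
                             .ToList();

        var stored = (await _userManager.GetClaimsAsync(user))
                     .Where(c => c.Type == GroupClaimType)
                     .ToList();

        var stale = stored.Where(c => !issued.Contains(c.Value)).ToList();
        var missing = issued.Where(v => !stored.Any(c => c.Value == v))
                            .Select(v => new Claim(GroupClaimType, v))
                            .ToList();

        if (stale.Count > 0)
        {
            var removed = await _userManager.RemoveClaimsAsync(user, stale);
            if (!removed.Succeeded)
                throw new InvalidOperationException("Failed to remove stale group claims.");
        }
        if (missing.Count > 0)
        {
            var added = await _userManager.AddClaimsAsync(user, missing);
            if (!added.Succeeded)
                throw new InvalidOperationException("Failed to add group claims.");
        }
    }
}

public static class AuthorizationSetup
{
    // Startup.ConfigureServices: the policy matches the claim type ADFS actually
    // issues, not the unqualified name "Group" from the question.
    public static void AddGroupPolicies(IServiceCollection services)
    {
        services.AddAuthorization(options =>
        {
            options.AddPolicy("RequireAdminGroup", policy =>
                policy.RequireClaim(ExternalLoginSync.GroupClaimType, "AD Admin Group Name"));
        });
    }
}
```

Once the claims are in the store, the answer's `UserManager.GetClaimsAsync` and `[Authorize(Policy = "RequireAdminGroup")]` both see them. Persisting the groups does mean authorization decisions are only as fresh as the user's last ADFS round trip, which is why the sync removes stale claims rather than only adding new ones.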