I'd like to delegate login/logout functionality to one web application instead of having this in all applications. This is how I'd like to set it up:
1) User navigates to app "foo"
2) User is not logged in, so is redirected to app "authorization"
3) App "authorization" uses Azure AD as Identity provider (IDP) and redirects to a Microsoft login page.
4) The user enters username and password
5) User is redirected to "authorization"
6) User is redirected to app "foo" and is logged in
This works up till step 6. Here the claims set by the IDP are lost, which is sane since only app "authorization" is registered in the IDP.
But is there a way to accomplish this scenario? Cheers!
As @MohammadNiazmand suggested, consider IdentityServer4. In your flow above "authorization" is the IdentityServer 4 service (but the user really doesn't interact directly with it, it's all redirects). The advantage here is that you can still use external providers (AD) with IS4 -- but then once AD has authenticated the user and redirects back to IS4, you can then insert your own custom claims using the ProfileService extension point if needed (http://docs.identityserver.io/en/latest/reference/profileservice.html). Then all of your web apps just need to be set up to use IS4 for identity and everything is centralized and a single set of claims will be available to all apps. IS4 supports Asp.Net Core Identity out of the box (http://docs.identityserver.io/en/latest/quickstarts/6_aspnet_identity.html).
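An added example (not code from the answer above or from the IdentityServer4 project) of the ProfileService extension point the answer mentions: an IProfileService that appends a centrally managed claim once Azure AD has authenticated the user and redirected back to IS4, so every relying app receives the same claim set. The `foo_role` claim type, the in-memory role table and the subject id in it are constructed assumptions.

```csharp
using System.Collections.Generic;
using System.Security.Claims;
using System.Threading.Tasks;
using IdentityServer4.Extensions;
using IdentityServer4.Models;
using IdentityServer4.Services;

// Registered in Startup.ConfigureServices with:
//   services.AddIdentityServer()/* ...stores, clients, resources... */
//           .AddProfileService<CentralClaimsProfileService>();
public class CentralClaimsProfileService : IProfileService
{
    // Constructed stand-in for a real role store; the subject id is the
    // stable identifier IS4 assigned when the AD sign-in was completed.
    private static readonly Dictionary<string, string> RolesBySubject =
        new Dictionary<string, string>
        {
            { "constructed-subject-id", "foo.reader" }
        };

    public Task GetProfileDataAsync(ProfileDataRequestContext context)
    {
        var subjectId = context.Subject.GetSubjectId();
        var claims = new List<Claim>();

        // Start from what IS4 already holds for this user (e.g. name/email
        // that came back from Azure AD) ...
        claims.AddRange(context.Subject.Claims);

        // ... and add the claim that is managed centrally, not per app.
        if (RolesBySubject.TryGetValue(subjectId, out var role))
        {
            claims.Add(new Claim("foo_role", role));
        }

        // Only claims the client actually requested (via its scopes) are
        // issued; anything else is dropped, so apps get no more than they need.
        context.AddRequestedClaims(claims);
        return Task.CompletedTask;
    }

    public Task IsActiveAsync(IsActiveContext context)
    {
        // A subject no longer known to the central store gets no new tokens,
        // which is what makes the central logout/disable actually stick.
        context.IsActive = RolesBySubject.ContainsKey(context.Subject.GetSubjectId());
        return Task.CompletedTask;
    }
}
```

For `foo_role` to survive the AddRequestedClaims filter it has to be listed in the UserClaims of an IdentityResource or ApiResource that the client's allowed scopes include; otherwise IS4 silently omits it from the token.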