I am working on an ASP.NET MVC 5 application, .NET version 4.8. I am trying to implement SSO using Azure AD and OIDC. The application currently uses AuthenticationMode.Forms, and the SSO implementation requires AuthenticationMode.None.
So, in the Web.config, commenting out the Forms mode and leaving None breaks the current username/password login implementation, and the SSO doesn't work the other way around:
<!--<authentication mode="Forms">
<forms loginUrl="~/Account/Login" timeout="2880" />
</authentication>-->
<authentication mode="None"></authentication>
Changing the Web.confing programatically in Controller actions works, kinda, but the Web.config is a shared resource, and I can't just change it whenever I like:
var configuration = WebConfigurationManager.OpenWebConfiguration("~");
var section = (AuthenticationSection)configuration.GetSection("system.web/authentication");
section.Mode = AuthenticationMode.Forms;
section.Forms.LoginUrl = "~/Account/Login";
configuration.Save();
SSO and current authentication actions are in completely different controllers.
Is there a way to specify the authentication mode for a Controller or on a request basis?
I actually solved it while staying in Forms mode. I just needed to suppress Forms authentication redirect before initiating the SSO process, like so:
[HttpPost]
[AllowAnonymous]
[ValidateAntiForgeryToken]
public ActionResult ExternalLogin()
{
HttpContext.Response.SuppressFormsAuthenticationRedirect = true;
// Request a redirect to the external login provider
return new ChallengeResult("OpenIdConnect", Url.Action("ExternalLoginCallback", "AccountSSO"));
}
I've found the solution in this SO answer.