
Authentication/authorization platform using Identity Server #5401


Web2workNL created

Hello,

We are currently working on a project that uses IdentityServer and ASP.NET Zero. This is the first time I am using these techniques and I am not sure whether I understand these concepts correctly.

Our goal is to provide an authentication/authorization platform for clients in which users can use their authentication cookie of an external identity provider to check whether they have a valid license. These licenses are managed in our portal. The workflow would look like something like this:

  • At the (external) client website, a user wants to open a part of the website that requires a valid license.
  • The client website contacts our platform and navigates to the IdentityServer.
  • The IdentityServer redirects to the external identity provider (uses SAML2).
  • The external IDP authenticates the user and returns a cookie that contains the (external) user identifier.
  • Using the user identifier in this cookie, the user gets authenticated in ABP (this user already exists, as they are imported using a background job and are assigned to licenses. This import also sets the AbpUserLogin with the correct provider and provider key).
  • With the authenticated user, it is possible to retrieve the assigned licenses. These are added to the result as claims.
  • The client retrieves a response from the IdentityServer including the license claims.

I have started experimenting with the startup template of ASP.NET Zero but my lack of experience with these concepts makes it difficult to determine whether I am on the right track. I am able to use an MVC client to contact the IdentityServer of the ABP project and am successfully getting authenticated using the external IdP (using the SAML2 package of Sustainsys) but am unable to authenticate in Abp. Also, I am not sure how this authentication is related to the External Login Providers that Abp already provides (the social logins for Google, Facebook etc.). Should I somehow add a new provider? I have tried to build an ExternalAuthenticateModel and use the ExternalAuthenticate method in the TokenAuthController to authenticate but am not sure if this is the way to go.

I hope that there is someone here who has a little more experience with this and can tell me if I'm on the right track.

Kind regards, Nick
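The workflow above boils down to two pieces: mapping the external SAML identity to an already-imported local user by (provider, provider key) rather than by e-mail, and adding the user's licences to the issued token as claims. The following is an added example written for this thread; it is not code from ASP.NET Zero, Sustainsys or IdentityServer. It assumes Sustainsys.Saml2.AspNetCore2 and IdentityServer4 are installed, that the local user type is IdentityUser<long> (ASP.NET Zero's own User entity would take its place), that the import job writes each user's SAML NameID into AbpUserLogin with LoginProvider "ExternalSaml", that this profile service replaces the one ABP registers, and that ILicenseLookup and the entity id URL are hypothetical placeholders.

```csharp
// Added example: SAML2 login mapped to an imported local user, plus licence claims in tokens.
// Assumptions (not from the thread): IdentityUser<long> as user type, provider name
// "ExternalSaml" stored in AbpUserLogin, hypothetical ILicenseLookup, placeholder entity id.
using System.Collections.Generic;
using System.Linq;
using System.Security.Claims;
using System.Threading.Tasks;
using IdentityServer4.Extensions;
using IdentityServer4.Models;
using IdentityServer4.Services;
using Microsoft.AspNetCore.Identity;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Extensions.DependencyInjection;
using Sustainsys.Saml2.AspNetCore2;
using Sustainsys.Saml2.Metadata;

public interface ILicenseLookup
{
    // Hypothetical application service: licence codes assigned to a local user id.
    Task<IReadOnlyList<string>> GetLicenseCodesAsync(long userId);
}

public static class SamlAuthSetup
{
    // Must equal the LoginProvider value the import job writes to AbpUserLogin.
    public const string ProviderName = "ExternalSaml";

    public static void Configure(IServiceCollection services)
    {
        services.AddAuthentication()
            .AddSaml2(ProviderName, options =>
            {
                // Hand the validated SAML principal to Identity's external cookie so the
                // callback below sees it through SignInManager like any other external login.
                options.SignInScheme = IdentityConstants.ExternalScheme;
                options.SPOptions.EntityId = new EntityId("https://portal.example/Saml2"); // placeholder
                // IdP registration (entity id, metadata URL, signing certificate) goes here.
            });

        // Issue licence claims from the token server (replaces the default profile service).
        services.AddIdentityServer().AddProfileService<LicenseProfileService>();
    }
}

public class SamlCallbackController : Controller
{
    private readonly SignInManager<IdentityUser<long>> _signInManager;

    public SamlCallbackController(SignInManager<IdentityUser<long>> signInManager)
    {
        _signInManager = signInManager;
    }

    // Starts the SAML2 flow; the handler redirects the browser to the external IdP.
    [HttpGet("saml/login")]
    public IActionResult Login(string returnUrl = "/")
    {
        var props = _signInManager.ConfigureExternalAuthenticationProperties(
            SamlAuthSetup.ProviderName, Url.Action(nameof(Callback), new { returnUrl }));
        return Challenge(props, SamlAuthSetup.ProviderName);
    }

    [HttpGet("saml/callback")]
    public async Task<IActionResult> Callback(string returnUrl = "/")
    {
        // ProviderKey is the NameID (ClaimTypes.NameIdentifier) from the validated assertion.
        var info = await _signInManager.GetExternalLoginInfoAsync();
        if (info == null) return Unauthorized();

        // Match on (provider, providerKey) as stored in AbpUserLogin. Unknown keys are rejected,
        // not auto-provisioned, because the import job is the only source of accounts.
        var result = await _signInManager.ExternalLoginSignInAsync(
            info.LoginProvider, info.ProviderKey, isPersistent: false, bypassTwoFactor: true);
        if (!result.Succeeded) return Forbid();

        if (!Url.IsLocalUrl(returnUrl)) returnUrl = "/"; // no open redirect after login
        return LocalRedirect(returnUrl);
    }
}

public class LicenseProfileService : IProfileService
{
    public const string LicenseClaimType = "license";
    private readonly ILicenseLookup _licenses;
    private readonly UserManager<IdentityUser<long>> _userManager;

    public LicenseProfileService(ILicenseLookup licenses, UserManager<IdentityUser<long>> userManager)
    {
        _licenses = licenses;
        _userManager = userManager;
    }

    public async Task GetProfileDataAsync(ProfileDataRequestContext context)
    {
        var userId = long.Parse(context.Subject.GetSubjectId());
        var codes = await _licenses.GetLicenseCodesAsync(userId);
        var claims = codes.Select(code => new Claim(LicenseClaimType, code)).ToList();
        // Emitted only when the client's resources list "license" among their user claims.
        context.AddRequestedClaims(claims);
    }

    public async Task IsActiveAsync(IsActiveContext context)
    {
        // No new or refreshed tokens for users removed or locked out since the last import.
        var user = await _userManager.FindByIdAsync(context.Subject.GetSubjectId());
        context.IsActive = user != null && !await _userManager.IsLockedOutAsync(user);
    }
}
```

The point of routing the SAML result through Identity's external cookie is that the existing external-login machinery (the same path the built-in social logins use) then does the AbpUserLogin lookup for you, and the "license" claim only reaches a token when a client's API or identity resource declares it, so unrelated clients never see licence data.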


3 Answer(s)
    tteoh created

    Hi Nick,

    Could you be more specific on which ASP.Net Zero template you are using? Please check: https://aspnetzero.com/Documents/Version-Differences

    As you can see, IdentityServer is only part of the ASP.Net Core template. I would like to confirm your question.

    I am having a similar requirement to authenticate with external system when logging into ASP.Net Zero (MVC5AJ1 template) and if external authentication is successful, then allow access to the application else login fails.

    The other scenario would be the "First-time Login" of the user. I am thinking to allow the existing flow of using a Social user account: to automatically insert the user account in the AbpUser table and then grant the access if the external authentication succeeds.

    Look forward to further guidance from Support.

    Thanks. /Tommy

    alper created
    Support Team

    Quoting tteoh: "Hi Nick, [...] Thanks. /Tommy" (the full reply appears above)

    hi,

    you can authenticate via "External Authentication" feature.

    tteoh created

    Hi Nick,

    Did you manage to make further progress on this?

    Thanks. /tommy