Supporting Individual User Accounts AND Organizational Accounts in MVC5 / ASP.Net Identity 2

刺人心 2021-02-01 08:19

I've created an ASP.Net MVC5 application, in which I have configured (and have working fine) Individual User Accounts via Google, Facebook, etc.

What I'd like to do is

3 answers
  •  故里飘歌
    2021-02-01 08:54

    I managed to implement this by doing the following:

    First, adding a reference to the Microsoft.Owin.Security.OpenIdConnect Nuget package.

    Second, configuring it in my Startup.Auth.cs:

    // Namespaces the snippet below relies on; this code goes inside
    // ConfigureAuth(IAppBuilder app) in Startup.Auth.cs.
    using System.Threading.Tasks;
    using Microsoft.Owin.Security;
    using Microsoft.Owin.Security.Notifications;
    using Microsoft.Owin.Security.OpenIdConnect;
    using Owin;

    app.UseOpenIdConnectAuthentication(new OpenIdConnectAuthenticationOptions
    {
        ClientId = "From the Azure Portal (see below)",
        // Tenant-specific authority (the tenant name is elided here).
        Authority = "https://login.windows.net/.onmicrosoft.com",
        Notifications = new OpenIdConnectAuthenticationNotifications
        {
            // Called whenever the middleware is about to redirect to Azure AD.
            RedirectToIdentityProvider = (ctx) =>
            {
                // Only the explicit admin login (the ExternalLogin action) may
                // start the Azure AD flow; every other challenge is skipped so the
                // social logins keep working unchanged.
                if (ctx.Request.Path.Value.EndsWith("ExternalLogin"))
                {
                    string appBasePathUrl = ctx.Request.Scheme + "://" + ctx.Request.Host + ctx.Request.PathBase;
                    ctx.ProtocolMessage.RedirectUri = appBasePathUrl + "/";
                    ctx.ProtocolMessage.PostLogoutRedirectUri = appBasePathUrl;
                }
                else
                {
                    ctx.State = NotificationResultState.Skipped;
                    ctx.HandleResponse();
                }

                return Task.FromResult(0);
            }
        },
        // AuthenticationType is the provider name the ExternalLogin action receives.
        Description = new AuthenticationDescription
        {
            AuthenticationType = "OpenIdConnect",
            Caption = "SomeNameHere"
        }
    });
    

    Third, I set up the application in the Azure Portal (classic):

    Fourth, I added a separate logon page for admin users:

    @using (Html.BeginForm("ExternalLogin", "Home"))
    {
        @Html.AntiForgeryToken()
        @* The provider value matches the AuthenticationType configured above. *@
        <input type="hidden" name="provider" value="OpenIdConnect" />
        <button type="submit">Login</button>
    }

    Fifth, the ExternalLogin action doesn't need to change - we just let OWIN middleware redirect us to the external login page. The flow would then direct the user back to the ExternalLoginCallback action.

    Finally, in the ExternalLoginCallback action, I check the incoming claims to determine that the login was via Azure AD, and instead of calling into ASP.NET Identity, I construct my own ClaimsIdentity, which has all my (application specific) claim information which my application recognises as an admin user.

    Now, admin users navigate to https://example.com/admin, click the login button, are redirected to the Azure AD login, and wind up back at the application as an admin user.
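The final step of the answer above (checking the incoming claims in ExternalLoginCallback and building an application-specific ClaimsIdentity instead of going through ASP.NET Identity) is shown here as an added example; it is not the answerer's code. The tenant id, the "Admin" role name and the placement in AccountController are assumptions; the tenant id claim type is the one Azure AD emits in its id_token.

```csharp
using System;
using System.Security.Claims;
using System.Threading.Tasks;
using System.Web;
using System.Web.Mvc;
using Microsoft.AspNet.Identity;
using Microsoft.Owin.Security;

public class AccountController : Controller
{
    // Assumed values: the directory (tenant) id shown in the Azure portal for the
    // registered application, and the role name the application's [Authorize]
    // attributes check. Neither appears in the answer above.
    private const string ExpectedTenantId = "00000000-0000-0000-0000-000000000000";
    private const string AdminRole = "Admin";

    // Azure AD emits the tenant id under this claim type once the OWIN middleware
    // has validated the id_token.
    private const string TenantIdClaim = "http://schemas.microsoft.com/identity/claims/tenantid";

    private IAuthenticationManager AuthenticationManager
    {
        get { return HttpContext.GetOwinContext().Authentication; }
    }

    [AllowAnonymous]
    public async Task<ActionResult> ExternalLoginCallback(string returnUrl)
    {
        // The external cookie carries the claims produced by whichever provider
        // middleware handled the round trip (Google, Facebook or OpenIdConnect).
        AuthenticateResult result =
            await AuthenticationManager.AuthenticateAsync(DefaultAuthenticationTypes.ExternalCookie);
        if (result == null || result.Identity == null || !result.Identity.IsAuthenticated)
        {
            return RedirectToAction("Login");
        }

        ClaimsIdentity external = result.Identity;

        if (IsExpectedAzureAdTenant(external))
        {
            return SignInAsAdmin(external, returnUrl);
        }

        // Not an Azure AD sign-in: the template's existing social-login handling
        // (GetExternalLoginInfoAsync / SignInManager.ExternalSignInAsync) stays here.
        return RedirectToAction("Login", new { returnUrl });
    }

    // Admin status is granted only when the tenant id claim matches the directory
    // the application was registered in. The single-tenant Authority already makes
    // the middleware reject other issuers; this explicit second check keeps a
    // misconfigured Authority from silently widening who receives the admin identity.
    private static bool IsExpectedAzureAdTenant(ClaimsIdentity external)
    {
        Claim tenant = external.FindFirst(TenantIdClaim);
        return tenant != null
            && string.Equals(tenant.Value, ExpectedTenantId, StringComparison.OrdinalIgnoreCase);
    }

    private ActionResult SignInAsAdmin(ClaimsIdentity external, string returnUrl)
    {
        Claim subject = external.FindFirst(ClaimTypes.NameIdentifier);
        Claim name = external.FindFirst(ClaimTypes.Name) ?? external.FindFirst(ClaimTypes.Upn);
        if (subject == null)
        {
            return RedirectToAction("Login");
        }

        // Build the application's own identity rather than calling into ASP.NET
        // Identity: copy only the claims the application needs and add the admin role.
        var admin = new ClaimsIdentity(DefaultAuthenticationTypes.ApplicationCookie);
        admin.AddClaim(new Claim(ClaimTypes.NameIdentifier, subject.Value));
        admin.AddClaim(new Claim(ClaimTypes.Name, name != null ? name.Value : subject.Value));
        admin.AddClaim(new Claim(ClaimTypes.Role, AdminRole));
        admin.AddClaim(new Claim(TenantIdClaim, ExpectedTenantId));

        // Discard the external cookie and issue the application cookie.
        AuthenticationManager.SignOut(DefaultAuthenticationTypes.ExternalCookie);
        AuthenticationManager.SignIn(new AuthenticationProperties { IsPersistent = false }, admin);

        return RedirectToLocal(returnUrl);
    }

    // Only return URLs local to this site are honoured, so the callback cannot be
    // used as an open redirect.
    private ActionResult RedirectToLocal(string returnUrl)
    {
        if (Url.IsLocalUrl(returnUrl))
        {
            return Redirect(returnUrl);
        }
        return RedirectToAction("Index", "Home");
    }
}
```

The tenant check is what ties "logged in through Azure AD" to "is an admin": without it, any identity that happened to arrive through the external cookie would be promoted. If only some directory members should be admins, the same place is where a group or role claim from Azure AD would be inspected before adding the role.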
