Question
I am currently setting up a web app hosted in Azure using Azure Active Directory for authentication. I have almost worked out all the kinks, but one issue remains. If a user has logged into a different directory before hitting my sign-in page (in this case a university Office 365 login for email), the credential seems to be cached and Azure attempts to use it to log into my site. Is there a way I can force the login screen on every sign-in and avoid re-use of a cached credential?
The project setup has been mainly standard: ASP.NET MVC architecture with the default Azure Active Directory authentication settings.
Thanks!
[Screenshot: the Microsoft login page showing the error]
Answer 1:
I discovered the solution as soon as I posted. I implemented a sign-out followed by a self-redirect to the sign-in method. The code is below:
    using System.Web;
    using System.Web.Mvc;
    using Microsoft.Owin.Security;
    using Microsoft.Owin.Security.Cookies;
    using Microsoft.Owin.Security.OpenIdConnect;

    public class AccountController : Controller
    {
        public void SignIn(bool? signedOut)
        {
            // Send an OpenID Connect sign-in request.
            if (!Request.IsAuthenticated)
            {
                // If the user is currently logged into another directory, log them out, then
                // come back to this action with signedOut=true and reauthenticate under this directory.
                if (signedOut == null || signedOut == false)
                {
                    // Sign out of both the OpenID Connect session (end-session redirect to Azure AD)
                    // and the local application cookie.
                    HttpContext.GetOwinContext().Authentication.SignOut(
                        new AuthenticationProperties
                        {
                            RedirectUri = Url.Action("SignIn", "Account",
                                routeValues: new { signedOut = true }, protocol: Request.Url.Scheme)
                        },
                        OpenIdConnectAuthenticationDefaults.AuthenticationType,
                        CookieAuthenticationDefaults.AuthenticationType);
                }
                else
                {
                    // Second pass: no session is left to reuse, so issue the normal challenge.
                    HttpContext.GetOwinContext().Authentication.Challenge(
                        new AuthenticationProperties { RedirectUri = "/" },
                        OpenIdConnectAuthenticationDefaults.AuthenticationType);
                }
            }
        }
    }
Thanks anyway!
Answer 2:
There are two better ways to handle this. First, use the tenant-specific Azure AD endpoint for your app. Your authority should be https://login.microsoftonline.com/<name-of-your-tenant>. That will ensure only users from your tenant can sign-in. But, if a user tries to sign-in with an account from a different tenant (by selecting an existing session or starting a new one), they will receive the error you screenshotted. No way to prevent that.
If you want to make sure the user enters their username/password every time they sign into your app, you can send the query parameter prompt=login in the sign-in request. But realize that this will break SSO for your users.
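The two settings described in this answer, as an added example of an OWIN Startup.Auth.cs for ASP.NET MVC (this is illustrative code, not code from the original question or answers). It assumes Katana 3.x with the Microsoft.Owin.Security.OpenIdConnect package, and the client ID, tenant name and redirect URI are placeholder values. The tenant-specific Authority makes the middleware pull the issuer from that tenant's metadata, so an ID token from any other tenant fails issuer validation. The RedirectToIdentityProvider notification adds prompt=login to the authorization request; here it is applied only when the controller's Challenge call asks for it via a hypothetical "prompt" entry in AuthenticationProperties.Dictionary, so SSO is only broken for the sign-in paths that need it.

```csharp
using System.Threading.Tasks;
using Microsoft.IdentityModel.Protocols;
using Microsoft.Owin;
using Microsoft.Owin.Security;
using Microsoft.Owin.Security.Cookies;
using Microsoft.Owin.Security.OpenIdConnect;
using Owin;

[assembly: OwinStartup(typeof(WebApp.Startup))]

namespace WebApp
{
    public partial class Startup
    {
        // Placeholder values (assumptions): substitute your app registration's client ID,
        // your tenant name or tenant ID, and the reply URL registered for the app.
        private const string ClientId = "00000000-0000-0000-0000-000000000000";
        private const string TenantName = "contoso.onmicrosoft.com";
        private const string RedirectUri = "https://localhost:44300/";

        // Tenant-specific authority. The middleware reads the issuer from
        // https://login.microsoftonline.com/<tenant>/.well-known/openid-configuration
        // and validates it by default, so a session from another directory cannot sign in.
        private const string Authority = "https://login.microsoftonline.com/" + TenantName;

        // Hypothetical key a controller can place in AuthenticationProperties.Dictionary
        // when it wants to force credential entry for that particular challenge.
        public const string PromptKey = "prompt";

        public void ConfigureAuth(IAppBuilder app)
        {
            app.SetDefaultSignInAsAuthenticationType(CookieAuthenticationDefaults.AuthenticationType);
            app.UseCookieAuthentication(new CookieAuthenticationOptions());

            app.UseOpenIdConnectAuthentication(new OpenIdConnectAuthenticationOptions
            {
                ClientId = ClientId,
                Authority = Authority,
                RedirectUri = RedirectUri,
                PostLogoutRedirectUri = RedirectUri,
                Notifications = new OpenIdConnectAuthenticationNotifications
                {
                    RedirectToIdentityProvider = OnRedirectToIdentityProvider
                }
            });
        }

        // Runs before every redirect to Azure AD (both sign-in and sign-out). Only the
        // authorization request gets prompt=login, and only when the challenge asked for it.
        private static Task OnRedirectToIdentityProvider(
            RedirectToIdentityProviderNotification<OpenIdConnectMessage, OpenIdConnectAuthenticationOptions> n)
        {
            if (n.ProtocolMessage.RequestType == OpenIdConnectRequestType.AuthenticationRequest)
            {
                var challenge = n.OwinContext.Authentication.AuthenticationResponseChallenge;
                string prompt;
                if (challenge != null && challenge.Properties.Dictionary.TryGetValue(PromptKey, out prompt))
                {
                    // prompt=login tells Azure AD to ignore any existing browser session and
                    // ask for credentials again. This deliberately breaks SSO for this request.
                    n.ProtocolMessage.Prompt = prompt;
                }
            }
            return Task.FromResult(0);
        }
    }
}
```

A controller opts in per request with Challenge(new AuthenticationProperties { RedirectUri = "/", Dictionary = { [Startup.PromptKey] = "login" } }, OpenIdConnectAuthenticationDefaults.AuthenticationType). A challenge without that entry keeps normal SSO behaviour, while the tenant-specific Authority still rejects tokens from other directories on every request; the user in that case sees the error from the screenshot rather than being silently signed in.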
Source: https://stackoverflow.com/questions/40241841/adal-azure-ad-authentication-users-login-cached-from-different-azure-ad-session