How To Integrate DNN with ADFS Without Writing a New Authentication


I recently went through the pain of trying to integrate ADFS with DNN. I hope to spare someone else the pain I went through.

My partner organization already had ADFS set up. My goal was to have the partner organization authenticate the user and then have DNN recognize the user automatically, without having to enter any more credentials. From there we wanted to manage the groups and permissions through the standard DNN portal.

I was initially under the misconception that I couldn't use the existing DNNMembershipProvider and would have to create a whole new Authentication Provider that gathers the credentials and passes them to my partner organization.

What I have figured out is that you can use the existing DNNMembership provider, but you have to create the user before the request reaches the DNNMembership provider, using the information supplied by ADFS.

Note: This approach is a straight pass-through from ADFS to DNN. No steps are taken to authenticate the user or to check any of the inputs from ADFS.

As an aside, this method works not just with ADFS but also with any other external third-party authentication method that sends user information in headers or cookies. Change the context_AuthenticateRequest method to suit your needs.


Here are the pre-conditions for this article. I expect that:

  • Your partner organization has ADFS up and running
  • You have your ADFS proxy up and running and it talks to the partner organization.
  • ADFS Web Agent is installed on the server you are running.

Let's get started.
HTTPModule

What you have to do is create an HTTPModule that intercepts the AuthenticateRequest event before DNN does. An over-simplified definition of an HTTPModule is that it is a piece of code that runs before any page gets hit. You can listen for a large number of different events. For more information, click here.

To create the HTTPModule you need to:

  • Open Visual Studio and create a new class library.
  • Create a new class and copy in the code attached to this blog.
  • Add References to the following DLLs
    • DotNetNuke
    • System.Web
    • System.Web.Security.SingleSignOn
    • System.Web.Security.SingleSignOn.ClaimsTransform
    • System.Web.Security.SingleSignOn.Permissions
  • Compile the solution
  • Place the DLL that is created in the bin directory of your website.
  • Make changes to your web.config (explained in a later section).

I will walk through a bit of the code. Here is the first snippet. We start listening for the AuthenticateRequest event; all other events pass through untouched.

Now, what do we do when this event fires? To shorten the namespace I added the statement

First off, we need to get the information that ADFS has sent us by casting User.Identity to the ADFS object SingleSignOnIdentity.

At this point you have access to the user's identity and any claims coming from the ADFS server. You can access them through id.SecurityPropertyCollection and use them to populate the new user account. You can iterate through the claims with the following code

Next, we check whether the user already exists in the database using the DNN API function GetUserByName. If not, the user is created with the standard DNN API function CreateUser and logged in. If the user does already exist, we log them in automatically. The user is automatically added to the Registered Users and Subscribers security groups.

Here is the LetsLogUserIn function:
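The whole handler flow described above, written out as an added example. This is not the code attached to the post; the DNN calls (UserController.GetUserByName, CreateUser, UserLogin, GeneratePassword) and the ADFS Web Agent types (SingleSignOnIdentity, SecurityProperty with its Name and Uri properties) are assumed from the APIs of that era, and the claim URI is an assumed ADFS 1.x value, so check them against the assemblies you reference. Unlike the pass-through the post describes, it refuses to provision anything unless the identity really is an authenticated SingleSignOnIdentity.

```csharp
using System;
using System.Web;
using System.Web.Security.SingleSignOn;   // ADFS Web Agent (assumed assembly)
using DotNetNuke.Entities.Portals;
using DotNetNuke.Entities.Users;

// Hypothetical module: same flow as the post, with an authenticated-identity check added.
public class AdfsPassThroughModule : IHttpModule
{
    private const string EmailClaimUri = "http://schemas.xmlsoap.org/claims/EmailAddress"; // assumed

    public void Init(HttpApplication context)
    {
        // Only AuthenticateRequest is handled; every other event passes through untouched.
        context.AuthenticateRequest += new EventHandler(context_AuthenticateRequest);
    }

    public void Dispose() { }

    private void context_AuthenticateRequest(object sender, EventArgs e)
    {
        HttpApplication app = (HttpApplication)sender;
        // Anonymous or non-ADFS identities are left alone; nothing is auto-provisioned for them.
        SingleSignOnIdentity id = (app.Context.User == null) ? null
            : app.Context.User.Identity as SingleSignOnIdentity;
        if (id == null || !id.IsAuthenticated || String.IsNullOrEmpty(id.Name)) return;

        PortalSettings settings = PortalController.GetCurrentPortalSettings();
        UserInfo user = UserController.GetUserByName(settings.PortalId, id.Name);
        if (user == null)
        {
            user = new UserInfo();
            user.PortalID = settings.PortalId;
            user.Username = id.Name;
            user.DisplayName = id.Name;
            // Populate the account from the ADFS claims (Uri = claim type, Name = value; assumed).
            foreach (SecurityProperty sp in id.SecurityPropertyCollection)
                if (sp.Uri == EmailClaimUri) user.Email = sp.Name;
            // A local password is required by CreateUser but never used: ADFS owns authentication.
            user.Membership.Password = UserController.GeneratePassword();
            user.Membership.Approved = true;
            // CreateUser also adds the user to Registered Users and Subscribers.
            if (UserController.CreateUser(ref user) != UserCreateStatus.Success) return;
        }
        // Issue the normal DNN forms-auth ticket so DNN treats the request as logged in.
        UserController.UserLogin(settings.PortalId, user, settings.PortalName,
                                 app.Request.UserHostAddress, false);
    }
}
```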

Web.Config

We need to make several changes to the web.config. First the changes necessary for ADFS, then the changes for our HTTPModule.

The ADFS changes are the standard web.config changes you would make for any ADFS claims-aware site. First you need to add the section groups to your web.config.

Then you need to add the actual section. The <returnurl> needs to be EXACTLY what is entered in ADFS. Remember, this URL needs a trailing / to prevent ADFS from posting to a directory listing. The <fs> element needs to be changed to the name of your server.

If you would like to have logging (and who doesn't like logging :)) you need to add the following section at the end of your web.config

Finally, you need to add the HTTPModules for ADFS and our HTTPModule. Order matters a great deal for the HTTPModules. The ADFS Web Agent must be listed first, so that any request is redirected to our partner's logon screen. Immediately after the Web Agent should come our HTTPModule. This ensures that we log the user on automatically before DNN even sees the request.

I hope this article is helpful for you :)