Single sign on (SSO), mixed auth. mechanism howto

How to set up SSO in an Active Directory (AD) environment, so every user can skip the login page and access the application directly? Is there a possibility to have a mixed authentication mechanism - AD + OrigamUserManagement? This should be helpful when you have internal users with an AD account and external users without an AD account.

In order to set up mixed authentication you need to install 2 (or even more) ORIGAM instances, each with a different authentication configuration but the same application configuration (e.g. database connections).

You will tell your internal users to log in through the AD-configured instance and external users will access the OrigamUserManagement-configured server.

Topology

Let’s have two servers:
AD Auth Server – will authenticate against Active Directory
OUM Auth Server – will authenticate using OrigamUserManagement

URL

AD – myapp.local/ad
OUM – myapp.local/oum

Startup.cs

AD
In order to use Active Directory you need to configure ASP.NET Identity to use ASP.NET Membership, for which we already have an AD adapter.

public class Startup
{
    ...
    public void Configuration(IAppBuilder app)
    {
        ...
        AbstractUserManager.RegisterCreateUserManagerCallback(
            CreateUserManagerWithDomain);
        ...
    }

    private static AbstractUserManager CreateUserManagerWithDomain()
    {
        NetMembershipUserManager userManager = (NetMembershipUserManager)
            NetMembershipUserManager.Create();
        userManager.InjectDomain = "MYDOMAIN";
        return userManager;
    }
}

Here you need to set the InjectDomain property to your AD domain so the user does not have to include the domain name in the user name field (so instead of MYDOMAIN\username the user only needs to log in with username).

OUM
For OrigamUserManager you will use the configuration flavour of your choice, e.g.:

public class Startup
{
    ...
    public void Configuration(IAppBuilder app)
    {
        ...
        AbstractUserManager.RegisterCreateUserManagerCallback(
            CreateUserManagerWithPasswordSettings);
        ...
    }

    private static AbstractUserManager CreateUserManagerWithPasswordSettings()
    {
        OrigamModelUserManager manager = 
            (OrigamModelUserManager)OrigamModelUserManager.Create();
        manager.MinimumPasswordLength = 4;
        manager.NumberOfRequiredNonAlphanumericCharsInPassword = 0;
        manager.NumberOfInvalidPasswordAttempts = 3;
        return manager;
    }
}

web.config

AD
Here you will need to set up the .NET Membership provider for AD.

<system.web>
  <membership defaultProvider="AdMembershipProvider">
    <providers>
      <clear />
      <add 
        name="AdMembershipProvider" 
        type="cz.advantages.asap.hosting.utils.LDAPMembershipProvider, LDAPMembershipProvider" />
    </providers>
  </membership>
</system.web>

OUM
There is no other configuration needed.

Business Partner Table

AD
The Active Directory users will only have entries in BusinessPartner. You need to create the entry manually (e.g. from the Users screen) and enter the appropriate user name (including the domain, e.g. MYDOMAIN\username).

OUM
A record needs to be there together with the user name and an e-mail address. You should create entries here using the **Add User** sequential workflow.

OrigamUser Table

AD
There will be no record in this table for AD.

OUM
An appropriate record will be stored here with the user’s information.

Thanks for the guide.
How to log in with an AD account bypassing the login screen - direct login into the application with the credentials cached in the operating system?

That’s not AD, that would be pure Windows authentication. @Kit4it could you please share your config?

Enable only Windows Authentication in IIS (Sites > Site > Authentication)

Edit Startup.cs

Comment or delete the section:

// app.UseCookieAuthentication(new CookieAuthenticationOptions
//{
//      AuthenticationType = DefaultAuthenticationTypes.ApplicationCookie,
//      LoginPath = new PathString("/Login"),
//      ExpireTimeSpan = System.TimeSpan.FromMinutes(10)
//});

Optionally, after the line “AsapEngine.ConnectRuntime();” add this code
(it turns the user management buttons off):

IParameterService parameterService = ServiceManager.Services.GetService(
    typeof(IParameterService)) as IParameterService;
parameterService.SetFeatureStatus("IDENTITY_USER_MANAGEMENT", false);

Assign Windows User

  • Enter the proper full local or domain login (domain\username) into BusinessPartner.UserName
  • If it is the first user, grant a Super User (Built-in) role to this local user in BusinessPartnerAsapRole
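Both the AD instance described in the answer above (InjectDomain, BusinessPartner.UserName stored as MYDOMAIN\username) and the Windows authentication setup in this post depend on the same rule: whatever the authentication layer hands over has to end up as exactly the domain-qualified string that sits in BusinessPartner.UserName, or no record is found and the user has no roles. The following is an added, stand-alone example written for this thread; it is not ORIGAM code and does not use the NetMembershipUserManager or BusinessPartner APIs. It assumes a NetBIOS domain MYDOMAIN and a UPN suffix mydomain.local (both constructed), uses an in-memory dictionary as a stand-in for the BusinessPartner table, and goes beyond the page in two places that are this example's own choices: it also accepts the UPN form user@mydomain.local, and it refuses logins that name a different domain so that the instance only resolves users of the domain it was configured for.

```csharp
using System;
using System.Collections.Generic;

// Added example, not ORIGAM code. Shows how a bare "username" typed on the
// AD instance's login form, a "MYDOMAIN\username" identity supplied by IIS
// Windows authentication, and a UPN all have to be normalised to the same
// domain-qualified string before the BusinessPartner lookup.
public static class DomainLoginResolver
{
    // Hypothetical stand-in for the BusinessPartner table (UserName -> Id).
    // Keys are stored domain-qualified, as the answer above requires; values
    // are constructed for this example. sAMAccountNames are case-insensitive
    // in AD, so the comparer is case-insensitive too.
    private static readonly Dictionary<string, Guid> BusinessPartners =
        new Dictionary<string, Guid>(StringComparer.OrdinalIgnoreCase)
        {
            { @"MYDOMAIN\alice", Guid.Parse("11111111-1111-1111-1111-111111111111") },
            { @"MYDOMAIN\bob",   Guid.Parse("22222222-2222-2222-2222-222222222222") },
        };

    // Stand-in for what InjectDomain does for the login form: a bare
    // "username" becomes "MYDOMAIN\username". A login that already carries the
    // configured domain (Windows authentication hands over "DOMAIN\user") is
    // kept as is; a UPN for the configured suffix is mapped to the NetBIOS
    // domain (assumption of this example). Anything naming another domain is
    // rejected, so this instance never resolves foreign-domain accounts.
    public static bool TryNormalize(string login, string injectDomain,
                                    string upnSuffix, out string normalized)
    {
        normalized = null;
        if (string.IsNullOrWhiteSpace(login)) return false;
        login = login.Trim();

        int backslash = login.IndexOf('\\');
        if (backslash >= 0)
        {
            string domain = login.Substring(0, backslash);
            string user = login.Substring(backslash + 1);
            if (user.Length == 0 ||
                !domain.Equals(injectDomain, StringComparison.OrdinalIgnoreCase))
                return false;
            normalized = injectDomain + "\\" + user;
            return true;
        }

        int at = login.IndexOf('@');
        if (at >= 0)
        {
            string user = login.Substring(0, at);
            string suffix = login.Substring(at + 1);
            if (user.Length == 0 ||
                !suffix.Equals(upnSuffix, StringComparison.OrdinalIgnoreCase))
                return false;
            normalized = injectDomain + "\\" + user;
            return true;
        }

        normalized = injectDomain + "\\" + login;
        return true;
    }

    // Resolves a login to a BusinessPartner Id; false means "no record", which
    // in ORIGAM terms is a user without roles rather than an error.
    public static bool TryResolveBusinessPartner(string login, out Guid businessPartnerId)
    {
        businessPartnerId = Guid.Empty;
        string normalized;
        if (!TryNormalize(login, "MYDOMAIN", "mydomain.local", out normalized))
            return false;
        return BusinessPartners.TryGetValue(normalized, out businessPartnerId);
    }

    public static void Main()
    {
        // Constructed inputs: form login, Windows identity, UPN, foreign
        // domain, and a user with no BusinessPartner record.
        string[] logins =
        {
            "alice", @"MYDOMAIN\Alice", "bob@mydomain.local", @"OTHERDOMAIN\alice", "carol"
        };
        foreach (string login in logins)
        {
            Guid id;
            bool found = TryResolveBusinessPartner(login, out id);
            Console.WriteLine("{0,-22} -> {1}", login,
                found ? id.ToString() : "no BusinessPartner record");
        }
    }
}
```

The case-insensitive comparer matters in practice: the login form accepts "Alice" while the record created from the Users screen may read "alice", and Windows authentication returns the name in whatever case the account was created with. Rejecting other domains is a least-privilege choice for a single-domain setup; in a multi-domain forest the accepted list would have to be configured explicitly.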