Closed ghilios closed 9 years ago
I'm close I think. If I wipe my cookies and not use Fiddler for the initial request, it goes through login.windows.net each time. It doesn't ultimately redirect back to the originating Web Api endpoint though (/SampleApp/api/Values). Rather, it goes back to /StsWithAdfs/auth and redirects to /StsWithAdfs/auth/callback where it ends. Below is a summary
Ok, I see you have disabled local login.... so now you are getting back to IdentityServer from AAD, yes? So perhaps your katana middleware in the RP simply isn't monitoring the callback URL being submitted to.
Ahh I finally figured this out. The issue is in the InMemoryUserService. When authorizing the external user, it looks for a "name" claim. Azure AD only returns givenname and surname claims, so the authorization fails. I got around this by providing my own IUserService implementation that uses the oid claim instead, which I'll then use in GetProfileAsync to query Graph API for the email address and other claims.
Thanks for looking!
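The fix described in the comment above, written out as an added example (it is not code from this thread or from the IdentityServer3 project): an IUserService that accepts the external Azure AD user on the oid claim instead of the missing "name" claim, builds a display name from givenname and surname, and defers enrichment to the profile call. It assumes the IdentityServer3 v2 UserServiceBase contract, the Azure AD claim-type URIs shown in the constants, and a caller-supplied lookup delegate (a hypothetical stand-in for the Graph API call the comment mentions). The tenant check is an addition a practitioner would want: the object id alone does not say which directory issued it.

```csharp
// Added example, not the thread's own code. Assumes IdentityServer3 v2
// (UserServiceBase / ExternalAuthenticationContext); claim type URIs and the
// profile lookup delegate are illustrative assumptions.
using System;
using System.Collections.Generic;
using System.Linq;
using System.Security.Claims;
using System.Threading.Tasks;
using IdentityServer3.Core;
using IdentityServer3.Core.Extensions;
using IdentityServer3.Core.Models;
using IdentityServer3.Core.Services.Default;

public class AzureAdUserService : UserServiceBase
{
    // Azure AD claim types as the Katana middleware surfaces them (assumed URIs).
    const string ObjectIdClaim  = "http://schemas.microsoft.com/identity/claims/objectidentifier";
    const string TenantIdClaim  = "http://schemas.microsoft.com/identity/claims/tenantid";
    const string GivenNameClaim = ClaimTypes.GivenName;
    const string SurnameClaim   = ClaimTypes.Surname;

    readonly string _expectedTenantId;
    // Hypothetical enrichment hook: given an oid, return extra claims (e.g. from Graph API).
    readonly Func<string, Task<IEnumerable<Claim>>> _lookupProfile;

    public AzureAdUserService(string expectedTenantId, Func<string, Task<IEnumerable<Claim>>> lookupProfile)
    {
        _expectedTenantId = expectedTenantId;
        _lookupProfile = lookupProfile;
    }

    static string ClaimValue(IEnumerable<Claim> claims, string type)
    {
        var c = claims.FirstOrDefault(x => x.Type == type);
        return c == null ? null : c.Value;
    }

    public override Task AuthenticateExternalAsync(ExternalAuthenticationContext context)
    {
        var ext = context.ExternalIdentity;
        var oid = ClaimValue(ext.Claims, ObjectIdClaim);
        var tid = ClaimValue(ext.Claims, TenantIdClaim);

        // oid is the immutable directory object id; do not key the user on a
        // display name or e-mail, both of which can change or be reassigned.
        if (string.IsNullOrEmpty(oid))
        {
            context.AuthenticateResult = new AuthenticateResult("External identity carries no oid claim");
            return Task.FromResult(0);
        }
        // Refuse identities from another tenant; a valid token from a foreign
        // directory must not map onto a local user.
        if (!string.Equals(tid, _expectedTenantId, StringComparison.Ordinal))
        {
            context.AuthenticateResult = new AuthenticateResult("External identity is from an unexpected tenant");
            return Task.FromResult(0);
        }

        // Azure AD sends no "name" claim here, so assemble one from givenname + surname.
        var given   = ClaimValue(ext.Claims, GivenNameClaim);
        var surname = ClaimValue(ext.Claims, SurnameClaim);
        var displayName = string.Join(" ", new[] { given, surname }.Where(s => !string.IsNullOrEmpty(s)));
        if (displayName.Length == 0) displayName = oid;

        // Namespace the subject by provider so two IdPs cannot collide on an id value.
        var subject = ext.Provider + ":" + oid;

        var claims = new List<Claim>();
        if (given   != null) claims.Add(new Claim(Constants.ClaimTypes.GivenName, given));
        if (surname != null) claims.Add(new Claim(Constants.ClaimTypes.FamilyName, surname));
        claims.Add(new Claim(Constants.ClaimTypes.Name, displayName));

        context.AuthenticateResult = new AuthenticateResult(subject, displayName, claims, ext.Provider);
        return Task.FromResult(0);
    }

    public override async Task GetProfileDataAsync(ProfileDataRequestContext context)
    {
        // Recover the oid from the namespaced subject and enrich from the directory.
        var subject = context.Subject.GetSubjectId();
        var oid = subject.Substring(subject.IndexOf(':') + 1);
        var enriched = await _lookupProfile(oid);

        // Only hand out what the client actually asked for.
        var requested = context.RequestedClaimTypes;
        context.IssuedClaims = requested == null
            ? enriched.ToList()
            : enriched.Where(c => requested.Contains(c.Type)).ToList();
    }
}
```

Register it with `factory.UserService = new Registration<IUserService>(resolver => new AzureAdUserService(tenantId, lookup))` in place of the in-memory service; the tenant id and lookup delegate are whatever the host supplies.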
Hey, I'm having one hell of a time trying to get this scenario to work. I am trying to set up IdentityServer v3 to use Azure AD as the only IdentityProvider, transform and enrich claims (i.e., by calling GraphAPI) and then use that token instead.
My setup:
1) Relying Party app hosting a Web Api: https://localhost/SampleApp
2) Identity Server instance hosted on https://localhost/StsWithAdfs/auth (ignore the Adfs naming)
3) An Azure AD instance. I added an Application with App URI https://msedge.corp.microsoft.com/SDK that redirects to https://localhost/StsWithAdfs/auth/.
When I issue a request to /SampleApp/api/Values, it redirects to /StsWithAdfs/auto/wsfed?wtrealm... and then to /StsWithAdfs/auth/login?signin=... At no point does it seem to redirect to Azure AD. I always get stuck at an IdentityServer login screen asking for user name and password (i.e., not my Azure AD creds). Is it also possible to get this to passively authenticate with Azure AD without any interaction from the user? In case it helps, below is the code I've been cobbling together. Perhaps I'm mixing my "Client" and "RelyingParty" concepts also, but I've tried various combinations to no avail.
Thanks for any help you can provide. I've been bashing my head against the desk for 3 days now!
Code for /StsWithAdfs
Code for /SampleApp