Hi All,

I am absolutely new on Single Sign On and Azure App Proxy.

As per the requirement we need to implement Single Sign on (using Service Principal name) for our web portal and access via Azure app proxy which is hosted in the Azure environment.

As of now I have configured the SPN for the host name in the Dev environment using the setspn command.

I do not know how to proceed further from here. I need to authenticate the users using this SPN (not sure if it's possible?). I think I need to read this SPN using C# code, but how will this help me to authenticate the user?

Also, after authenticating the user, I need to provide them role-based access to the menu items.

Any help and code provided would be appreciated. Please let me know if any further details are required.

Note: I am using C# and MVC to develop this application.

Thanks
Rahul

What I have tried:

I have tried the below link but was not able to achieve the requirement:
Insight into Security Model using Principal and Identity Objects in .NET
Posted
Updated 18-Oct-16 11:04am

1 solution

The service principal is used for saving application connection information in Active Directory so that an application can know where to connect from anywhere in your network to without having to manage locally stored settings. It is not used for authentication or authorization.

To perform authentication or authorization in MVC, you'll need something along these lines:
C#
using System.DirectoryServices.AccountManagement;
using System.Web.Mvc;

namespace MyWebApp.Controllers
{
    // MVC routing requires the "Controller" suffix on the class name
    public class MyLandingPageController : Controller
    {
        public ActionResult Index()
        {
            // test if the user is connecting with Windows Authentication
            if (!User.Identity.IsAuthenticated)
            {
                return RedirectToAction("AuthenticationFailure", "Error");
            }

            // this tells it to use your network AD; dispose the context when done
            using (var adContext = new PrincipalContext(ContextType.Domain))
            {
                UserPrincipal user = UserPrincipal.FindByIdentity(adContext, User.Identity.Name);

                if (user == null)
                {
                    // redirect to not authenticated page
                    return RedirectToAction("AuthenticationFailure", "Error");
                }

                // use the samAccountName or UPN of the group
                GroupPrincipal group = GroupPrincipal.FindByIdentity(adContext, "MyWebAppUserGroup");

                if (group == null)
                {
                    // redirect to OOPS page as somebody deleted your security group or you typed it wrong
                    return RedirectToAction("Oops", "Error");
                }

                if (user.IsMemberOf(group))
                {
                    // at this point, user is authenticated and passed authorization check. Okay to proceed.
                    return View();
                }

                // redirect to Not Authorized page
                return RedirectToAction("NotAuthorized", "Error");
            }
        }
    }
}

You'll need to add a reference to the System.DirectoryServices.AccountManagement DLL.

***EDIT
Wait, I just confused Service Principals with Service Connections. Let me read up a bit and adjust the code.

***EDIT REDUX
If I am understanding what you are trying to do, you have configured an SPN to know where to connect. You don't use SPNs for authorization, so the above code still stands.

Additional Points:
Web applications are stateless so you will need to authorize the users with each web call.
For privilege based menus, you can determine user permissions and add their permission level into a model that you pass to the view and use that in the Razor view engine to include/exclude menus based on individual users.
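One way to apply the two "Additional Points" from the answer above (re-authorize on every request, and drive the menu from a model handed to the Razor view), as an added example that is not part of the original answer. The attribute, the AdGroups helper, the MenuModel, the ReportsController and the group names MyWebAppUserGroup / MyWebAppAdmins are all hypothetical; it assumes Windows Authentication is enabled in IIS and the same System.DirectoryServices.AccountManagement reference the answer mentions.

```csharp
using System.DirectoryServices.AccountManagement;
using System.Web;
using System.Web.Mvc;

namespace MyWebApp.Security
{
    // Hypothetical attribute: repeats the AD group check on every request, because
    // MVC is stateless and a check inside one action protects no other action.
    public class AdGroupAuthorizeAttribute : AuthorizeAttribute
    {
        private readonly string _groupName;
        public AdGroupAuthorizeAttribute(string groupName) { _groupName = groupName; }

        protected override bool AuthorizeCore(HttpContextBase httpContext)
        {
            var identity = httpContext.User == null ? null : httpContext.User.Identity;
            if (identity == null || !identity.IsAuthenticated) return false; // no Windows identity
            return AdGroups.IsMember(identity.Name, _groupName);             // unauthorized -> 401
        }
    }

    public static class AdGroups
    {
        // Hypothetical helper: true only when user and group both resolve and the user is a member.
        public static bool IsMember(string userName, string groupName)
        {
            using (var ctx = new PrincipalContext(ContextType.Domain))
            using (var user = UserPrincipal.FindByIdentity(ctx, userName))
            using (var group = GroupPrincipal.FindByIdentity(ctx, groupName))
            {
                return user != null && group != null && user.IsMemberOf(group);
            }
        }
    }

    // Hypothetical view model: the controller decides permissions, the Razor view only renders.
    public class MenuModel
    {
        public bool CanAdminister { get; set; }
    }

    // Hypothetical controller: the attribute gates every action here; the model drives the menu.
    [AdGroupAuthorize("MyWebAppUserGroup")]
    public class ReportsController : Controller
    {
        public ActionResult Index()
        {
            var model = new MenuModel { CanAdminister = AdGroups.IsMember(User.Identity.Name, "MyWebAppAdmins") };
            return View(model); // Index.cshtml: @if (Model.CanAdminister) { <li>@Html.ActionLink("Admin", "Index", "Admin")</li> }
        }
    }
}
```

With Windows Authentication the built-in [Authorize(Roles = "DOMAIN\\MyWebAppUserGroup")] also works, since WindowsPrincipal.IsInRole checks the group SIDs already in the logon token without a directory query; the custom attribute is only needed when group membership must be looked up in AD by name.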

This content, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)