Michal Chmielus Blog

Microsoft Technology Passion Blog

Authenticate Azure App Service with Azure AD Security Group

Posted on 2019-01-17 by michalchmielus

If you're developing an Azure App Service application, e.g. an ASP.NET MVC application, and there is a requirement to authenticate the current user against an Azure AD Security Group, there are a few steps to consider:

In Startup.cs, as part of UseOpenIdConnectAuthentication, add or change Notifications:

Notifications = new OpenIdConnectAuthenticationNotifications()
{
 // Runs before each redirect to Azure AD (sign-in and sign-out).
 RedirectToIdentityProvider = (context) =>
 {
  // Build the application's base URL from the current request, forcing https.
  string appBaseUrl = ConvertToSsl(context.Request.Scheme) + "://" +
  context.Request.Host + context.Request.PathBase;
  context.ProtocolMessage.RedirectUri = appBaseUrl;
  context.ProtocolMessage.PostLogoutRedirectUri = appBaseUrl;
  return Task.FromResult(0);
 }
}

ConvertToSsl helps ensure that appBaseUrl starts with the https scheme.

The Azure AD application whose ID is provided as ClientId in OpenIdConnectAuthenticationOptions needs an adjustment in its manifest. Please refer to the manifest guideline.

The change in the manifest consists of adding or replacing the following line:

"groupMembershipClaims": "SecurityGroup"

This is crucial for the desired authentication to work properly.

Obviously, there is one action pending: how to authorize the user. Let's assume we're going to use a filter approach by creating a custom attribute class which inherits from AuthorizeAttribute, i.e.:

public class AuthorizeBySg: AuthorizeAttribute

and override AuthorizeCore function, i.e.:

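protected override bool AuthorizeCore(HttpContextBase context)
{
 // Reject users who are not signed in at all.
 if (!base.AuthorizeCore(context)) return false;
 // Allow only users whose token carries a "groups" claim equal to the restricted group's object ID.
 return ClaimsPrincipal.Current.Claims.Any(c => c.Type == "groups" && mygroupId == c.Value);
}

mygroupId is the object ID of the restricted Azure AD Security Group.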

Finally, decorate your Controller, or the methods in your Controller, with the newly created AuthorizeBySg attribute class.
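
The filter described above as one complete class, extended with two cases the snippets do not cover (an added example, not the author's code). The GroupId property, the trace message, and the 403 response are assumptions of this example: it fails closed when the token carries no group list (Azure AD replaces the groups claim with _claim_names or hasgroups when a user is in too many groups), and it answers 403 to a signed-in user outside the group so the OpenID Connect middleware does not start another sign-in redirect.

```csharp
using System;
using System.Diagnostics;
using System.Linq;
using System.Security.Claims;
using System.Web;
using System.Web.Mvc;

public class AuthorizeBySg : AuthorizeAttribute
{
    // Assumed property: object ID of the allowed Azure AD Security Group.
    public string GroupId { get; set; }

    protected override bool AuthorizeCore(HttpContextBase context)
    {
        if (!base.AuthorizeCore(context)) return false;        // not signed in
        if (string.IsNullOrWhiteSpace(GroupId)) return false;  // misconfigured: fail closed

        var identity = context.User.Identity as ClaimsIdentity;
        if (identity == null) return false;

        // Group overage: the token omits "groups" and carries a pointer instead.
        // Deny, and leave a trace so the denial can be told apart from a non-member.
        if (identity.Claims.Any(c => c.Type == "_claim_names" || c.Type == "hasgroups"))
        {
            Trace.TraceWarning("AuthorizeBySg: no inline groups claim for {0}", identity.Name);
            return false;
        }

        // Object IDs are GUIDs, so compare without regard to case.
        return identity.Claims.Any(c => c.Type == "groups" &&
            string.Equals(c.Value, GroupId, StringComparison.OrdinalIgnoreCase));
    }

    protected override void HandleUnauthorizedRequest(AuthorizationContext filterContext)
    {
        // Signed in but not in the group: 403 rather than the default 401,
        // which would be turned into a new redirect to the identity provider.
        if (filterContext.HttpContext.Request.IsAuthenticated)
            filterContext.Result = new HttpStatusCodeResult(403, "Forbidden");
        else
            base.HandleUnauthorizedRequest(filterContext);
    }
}
```

Applied as [AuthorizeBySg(GroupId = "00000000-0000-0000-0000-000000000000")], where the GUID is a placeholder for the group's object ID.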
