Last post Aug 18, 2019 04:25 PM by PatriceSc
Aug 16, 2019 04:19 PM|WilliamSnell|LINK
I'm not very knowledgeable about various forms of authentication, something I need to fix ASAP. In my application, users are automatically signed on from their Active Directory credentials, which are matched against the associated user from the application
database. The application has two basic entry points - logged-in users are routed to the correct dashboard based on their user groups, and anonymous users are routed to the application page. The flow goes like this:
A request has been made to allow users to log off and back in with an alternate email address, which is easy if users are either logged in or are required to log in, but I'm not sure how to accomplish this when I need to allow anonymous users to be sent
to a particular page that allows anonymous users. I suppose as part of my logoff method, I could set some value that identifies the current user as having just logged off, and load a log-in page based on that. Any suggestions?
Aug 18, 2019 04:25 PM|PatriceSc|LINK
First, could you be more specific about which authentication method you are using? You are using Azure Active Directory with ADFS (and so AD) behind the scenes, maybe?
If I understood correctly, a user can sign in using multiple mail addresses and you want the user to be recognized as the same user when he logs out and logs in again with another mail address? And so it seems your intent is to do something while the user is anonymous so that when he logs out/signs in again he is recognized as being the same user?
I would have to check, but instead I would reconsider using the mail address as my technical identifier. I would have to check, but you should have a better claim that doesn't change (if I remember, NameIdentifier; OnPremSid could also be useful).
Likely overkill, but ASP.NET Identity and https://docs.microsoft.com/en-us/dotnet/api/microsoft.aspnetcore.identity.iuserloginstore-1?view=aspnetcore-2.2
are interesting to know about, i.e. you could even build a system where a user could log in using entirely different identity providers and still be recognized as the same user.
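The reply above recommends keying the application user on a claim that does not change (NameIdentifier) rather than on the e-mail address, and the original question asks how to log a user off and land on an anonymous-accessible page. The ASP.NET Core snippet below is an added example written for this thread, not code from either poster or from Microsoft; it assumes ASP.NET Core with cookie authentication fronted by an OpenID Connect provider such as Azure AD, and the `AppUser` record, `IAppUserRepository` lookup and `AccountController` names are hypothetical.

```csharp
using System;
using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Mvc;

// Hypothetical application user record (assumption, not from the thread).
public class AppUser
{
    public int Id { get; set; }
    public string ExternalSubjectId { get; set; } // value of the IdP's NameIdentifier claim; the lookup key
    public string Email { get; set; }             // kept for display and contact only, never as the key
}

// Hypothetical lookup service; the real store would be a database table keyed on ExternalSubjectId.
public interface IAppUserRepository
{
    Task<AppUser> FindByExternalSubjectAsync(string subjectId);
}

public static class PrincipalExtensions
{
    // Prefer the immutable NameIdentifier claim over the e-mail address: users may change their
    // address or be allowed to sign in with several, but the subject identifier stays the same.
    public static string GetStableSubjectId(this ClaimsPrincipal principal)
    {
        var subject = principal.FindFirst(ClaimTypes.NameIdentifier)?.Value;
        if (string.IsNullOrEmpty(subject))
        {
            // Fail closed rather than silently falling back to the e-mail claim.
            throw new InvalidOperationException("Authenticated principal carries no NameIdentifier claim.");
        }
        return subject;
    }
}

public class AccountController : Controller
{
    private readonly IAppUserRepository _users;

    public AccountController(IAppUserRepository users) => _users = users;

    // Logged-in entry point: resolve the application user by the stable claim, not by e-mail.
    [Authorize]
    public async Task<IActionResult> Dashboard()
    {
        var appUser = await _users.FindByExternalSubjectAsync(User.GetStableSubjectId());
        if (appUser == null)
        {
            // Authenticated at the IdP but unknown to the application: deny rather than auto-provision.
            return Forbid();
        }
        return View(appUser);
    }

    // Log-off: clear the local session cookie, then send the browser to a page that allows anonymous access.
    // POST plus an anti-forgery token so that a cross-site link cannot log the user out.
    [Authorize]
    [HttpPost, ValidateAntiForgeryToken]
    public async Task<IActionResult> LogOff()
    {
        // Signs out of the default scheme (the cookie). If the IdP keeps its own single sign-on session,
        // the next challenge may sign the same account straight back in; sign out of the OIDC scheme as
        // well when the requirement is to pick a different account.
        await HttpContext.SignOutAsync();
        return RedirectToAction(nameof(SignIn));
    }

    // Anonymous-accessible landing page shown after log-off; the user chooses to sign in again from here.
    [AllowAnonymous]
    [HttpGet]
    public IActionResult SignIn() => View();

    // Starts a fresh authentication round trip with the configured challenge scheme.
    [AllowAnonymous]
    [HttpPost, ValidateAntiForgeryToken]
    public IActionResult SignInWithProvider()
    {
        return Challenge(new AuthenticationProperties { RedirectUri = Url.Action(nameof(Dashboard)) });
    }
}
```

Because `Dashboard` resolves the record through `ExternalSubjectId`, a user who logs off and signs back in with a different e-mail address on the same identity-provider account is matched to the same `AppUser`; the `LogOff` action only removes the application's own cookie, so the comment there marks where the identity provider's session would also need to be ended before an alternate account can actually be chosen.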