Since the beginning of time, or at least since I had my first Episerver experience (Episerver 4.62), it has been possible to use the Multiplex membership- and roleprovider. The multiplex-providers lets you use more than one membership- and roleprovider. A common scenario is to enable logins for both users that are saved in Episerver´s local SQL database, and Active Directory users. Even though the membership/role-providers are still around, there are scenarios when you want, or need, to use ASP.Net Identity and OWIN instead. That was the case when I needed to create a solution that made it possible to log in to Episerver edit mode using both ADFS and Asp.Net Identity. The ADFS part of the solution is described here. This post is about adding a second authentication provider. At time of writing I was using Episerver 10.8.0.
Changes to Startup.cs
Episerver has some documentation on mixed-mode authentication, but in that example both type of users would be redirected to the ADFS login page when not authenticated. Probably a bit confusing. In my version of Startup.cs I’ve added the local Episerver configuration after the ADFS configuration, so that a user that is not authenticated gets redirected to the login page I have created, not the login page on the ADFS server.
Create custom login
I created a custom login page where editors can choose to either log in by entering username/password for a local Episerver user, or log in using their AD account.
The configuration in Startup.cs will make unauthenticated users to be redirected to the path “/Login”. Now I need to create a controller and view for that path. But first I need to make sure that requests to /Login gets routed to my Login controller. That can be done by overriding RegisterRoutes in Global.asax.cs (shown below). But best practice is to register routes in an initialization module.
The controller has three actions:
- The default action that just presents the Login view.
- An action that handles the posted login form and tries to log in an ASP.Net Identity user.
- An action that will redirect the user to the ADFS login page.
Here’s an example of how the login view could be implemented.
And the LoginViewModel I used:
That’s it! Happy coding 🙂
4 thoughts on “Mixed-mode OWIN authentication for Episerver editors”
When I try to log in as an SQL-user (using your sample code published here), the log-on works fine. However, I can never log on as an Azure AAD-user. Do I need to make any changes to the Web.Config-file?
Yes. You need to make sure that forms authentication isn’t used anymore. See top of this page: http://world.episerver.com/documentation/developer-guides/CMS/security/configuring-mixed-mode-owin-authentication/
Thanks for this nice article. The implementation seems having an issue for sign out. Apparently, all sign out will redirect user to adfs sign out page and stay on this page. Is there a way to handle user being redirected upon on the user authentication method, e.g. if user logs in via ASP.NET identity method, instead adfs sign out redirect, I would like to take user back to home page?
Thanks in advance
Hi Vincent. I think it is possible by configuring something, somewhere 🙂 Sorry for not being of any help, it was a long time ago I did this. I don’t remember having that issue. There seems to be other with the same issue though…