We use Auth0 to authenticate users of an ASP.NET & IIS web application via WS-Fed and a custom Rule. I’m looking into migrating the Rule to an Action but I’m not sure if what we require is currently supported with an Action.
The Rule sets the following samlConfiguration options (shown here wrapped in the Rule's function signature so the fragment is complete):
function (user, context, callback) {
  // exclude the upn claim creation (defaults to true)
  context.samlConfiguration.createUpnClaim = false;
  // exclude the identities array (defaults to true)
  context.samlConfiguration.mapIdentities = false;
  // exclude claims that were not explicitly mapped (defaults to true)
  context.samlConfiguration.passthroughClaimsWithNoMapping = false;
  // claim type -> user property used to populate it
  context.samlConfiguration.mappings = {
    'http://schemas.microsoft.com/ws/2008/06/identity/claims/nameidentifier': 'user_id',
    'http://schemas.microsoft.com/ws/2008/06/identity/claims/emailaddress': 'email',
    'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name': 'user_metadata.druuiid',
    'http://schemas.microsoft.com/ws/2008/06/identity/claims/givenname': 'given_name',
    'http://schemas.microsoft.com/ws/2008/06/identity/claims/surname': 'family_name',
    'http://schemas.microsoft.com/ws/2008/06/identity/claims/upn': 'upn',
    'http://schemas.microsoft.com/ws/2008/06/identity/claims/role': 'app_metadata.roles',
  };
  // (the external web service call that populates user.user_metadata / user.app_metadata is omitted here)
  callback(null, user, context);
}
We then call an external web service to retrieve a user ID and list of roles based on their email; this information is then added to the user.user_metadata and user.app_metadata objects which are used by the above mappings.
I’d like to understand whether what we’re currently doing is achievable via an Action; if not, whether there is an alternative or whether we need to wait on new functionality to be added to Actions?
Edited web.xml with only relevant sections for reference:
<configuration>
  <configSections>
    <section name="microsoft.identityModel" type="Microsoft.IdentityModel.Configuration.MicrosoftIdentityModelSection, Microsoft.IdentityModel, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" />
    <section name="system.identityModel" type="System.IdentityModel.Configuration.SystemIdentityModelSection, System.IdentityModel, Version=4.0.0.0, Culture=neutral, PublicKeyToken=B77A5C561934E089" />
  </configSections>
  <appSettings>
    <add key="FederationMetadataLocation" value="https://TENANT.eu.auth0.com/wsfed/FederationMetadata/2007-06/FederationMetadata.xml" />
  </appSettings>
  <system.identityModel>
    <identityConfiguration>
      <securityTokenHandlers>
        <add type="System.IdentityModel.Services.Tokens.MachineKeySessionSecurityTokenHandler, System.IdentityModel.Services, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" />
        <remove type="System.IdentityModel.Tokens.SessionSecurityTokenHandler, System.IdentityModel, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" />
      </securityTokenHandlers>
    </identityConfiguration>
  </system.identityModel>
  <microsoft.identityModel>
    <service>
      <audienceUris>
        <add value="https://example.com/" />
      </audienceUris>
      <federatedAuthentication>
        <wsFederation passiveRedirectEnabled="true" issuer="https://TENANT.eu.auth0.com/wsfed" realm="https://example.com/" requireHttps="false" reply="https://example.com/map/" />
        <cookieHandler name="fedauth_001" requireSsl="false" />
      </federatedAuthentication>
      <applicationService>
        <claimTypeRequired>
          <claimType type="http://schemas.microsoft.com/ws/2008/06/identity/claims/role" optional="true" />
        </claimTypeRequired>
      </applicationService>
      <issuerNameRegistry type="Microsoft.IdentityModel.Tokens.ConfigurationBasedIssuerNameRegistry, Microsoft.IdentityModel, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35">
        <trustedIssuers>
          <add thumbprint="XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX" name="urn:auth0TENANT" />
        </trustedIssuers>
      </issuerNameRegistry>
      <certificateValidation certificateValidationMode="None" />
    </service>
  </microsoft.identityModel>
</configuration>
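As an added example (not code from the original post, nor Auth0's own), the following post-login Action expresses the same behaviour as the Rule above. It assumes that the `api.samlResponse` setters (`setAttribute`, `setCreateUpnClaim`, `setMapIdentities`, `setPassthroughClaimsWithNoMapping`) and `api.user.setUserMetadata` / `api.user.setAppMetadata` are available on the post-login `api` object and that they apply to WS-Fed responses as they do to SAML ones; `lookupDirectory()` and the `DIRECTORY` table are constructed stand-ins for the external web service, and `makeFakeApi()` is a recorder used only to exercise the Action offline. One difference from the Rule is deliberate: because Actions set attribute values directly rather than mapping them to user properties, the claim values are computed from the lookup result in the same run, so they do not depend on the metadata write having been persisted yet.

```javascript
// Added example: a post-login Action mirroring the Rule's samlConfiguration and
// role lookup. Assumption: api.samlResponse.* and api.user.set*Metadata exist on
// the post-login `api` object and cover WS-Fed as well as SAML responses.

const MS_CLAIMS = 'http://schemas.microsoft.com/ws/2008/06/identity/claims/';
const XMLSOAP_NAME = 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name';

// Constructed stand-in for the external web service: email -> { druuiid, roles }.
const DIRECTORY = {
  'alice@example.com': { druuiid: 'DRU-0001', roles: ['reader', 'editor'] },
};

// Placeholder for the real HTTP call (in a deployed Action this would use
// fetch/axios with credentials taken from event.secrets).
async function lookupDirectory(email) {
  const rec = DIRECTORY[email.toLowerCase()];
  if (!rec) throw new Error('user not found in directory');
  return rec;
}

// Same claim set as the Rule's `mappings`, but resolved to concrete values.
function buildClaims(user, rec) {
  return {
    [MS_CLAIMS + 'nameidentifier']: user.user_id,
    [MS_CLAIMS + 'emailaddress']: user.email,
    [XMLSOAP_NAME]: rec.druuiid,
    [MS_CLAIMS + 'givenname']: user.given_name,
    [MS_CLAIMS + 'surname']: user.family_name,
    [MS_CLAIMS + 'upn']: user.upn,
    [MS_CLAIMS + 'role']: rec.roles,
  };
}

async function onExecutePostLogin(event, api) {
  const user = event.user;

  // The directory is keyed on email, so an unverified address must not be
  // allowed to pick up another account's roles.
  if (!user.email || !user.email_verified) {
    api.access.deny('A verified email address is required.');
    return;
  }

  let rec;
  try {
    rec = await lookupDirectory(user.email);
  } catch (err) {
    // Fail closed: no roles can be resolved, so do not issue a token.
    api.access.deny('Unable to resolve roles for this user.');
    return;
  }

  // Persist the same metadata the Rule wrote (visible on later logins).
  api.user.setUserMetadata('druuiid', rec.druuiid);
  api.user.setAppMetadata('roles', rec.roles);

  // Equivalent of the three samlConfiguration flags set in the Rule.
  api.samlResponse.setCreateUpnClaim(false);
  api.samlResponse.setMapIdentities(false);
  api.samlResponse.setPassthroughClaimsWithNoMapping(false);

  for (const [claim, value] of Object.entries(buildClaims(user, rec))) {
    if (value !== undefined) api.samlResponse.setAttribute(claim, value);
  }
}

// Minimal recorder standing in for the real `api` so the Action can be run offline.
function makeFakeApi() {
  const calls = { attributes: {}, userMetadata: {}, appMetadata: {}, saml: {}, denied: null };
  return {
    calls,
    access: { deny: (reason) => { calls.denied = reason; } },
    user: {
      setUserMetadata: (k, v) => { calls.userMetadata[k] = v; },
      setAppMetadata: (k, v) => { calls.appMetadata[k] = v; },
    },
    samlResponse: {
      setAttribute: (k, v) => { calls.attributes[k] = v; },
      setCreateUpnClaim: (v) => { calls.saml.createUpnClaim = v; },
      setMapIdentities: (v) => { calls.saml.mapIdentities = v; },
      setPassthroughClaimsWithNoMapping: (v) => { calls.saml.passthrough = v; },
    },
  };
}
```

To try it locally, call `onExecutePostLogin({ user: {...} }, makeFakeApi())` and inspect `api.calls`; in a tenant the file would instead export `onExecutePostLogin` and drop the recorder. The deny on lookup failure is a design choice: an uncaught error in a Rule fails the login, and this keeps that behaviour explicit rather than silently issuing a token with no role claim.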