Azure AD Authentication

This guide will show you how to configure Weavy to use Azure Active Directory as an identity provider.

Prerequisites

To continue with this guide you should first follow the Getting Started guide for the server SDK. It can also be helpful to read our article about OpenID Connect, the protocol that Azure AD authentication is based on.

You will also need to install the Microsoft.Owin.Security.OpenIdConnect NuGet package (if you don't have it already).

Configuration

The following settings are required for Weavy to use Azure AD authentication.

Web server

The Weavy website in IIS must be configured with the following settings:

Anonymous Authentication = Enabled
Forms Authentication = Disabled
Windows Authentication = Disabled

Web.config

The web.config file should have the following configuration:

<system.web>
    <authentication mode="None" />
</system.web>

Startup Configuration

The first step in configuring Azure AD authentication is registering your application in the Azure portal. See Add sign-in with Microsoft to an ASP.NET web app for more details.

Once you have the ClientId (the application id of the registered app) and the TenantId, add them to your web.config file.

<appSettings>
    <!-- the application id for the app you registered -->
    <add key="AzureClientId" value="..." />
    <!-- the tenant id for your organization -->
    <add key="AzureTenantId" value="..." />
</appSettings>

Next, add the following code to the Startup.cs file:

using System.Configuration;
using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.Owin.Security;
using Microsoft.Owin.Security.OpenIdConnect;
using Owin;
// WeavyContext and LoginService are provided by the Weavy server SDK referenced in the Getting Started guide.

public partial class Startup {

    public void Configuration(IAppBuilder app) {
        app.UseWeavy();

        var azureClientId = ConfigurationManager.AppSettings["AzureClientId"];
        var azureTenantId = ConfigurationManager.AppSettings["AzureTenantId"];

        // only register the Azure AD provider when both settings are present and non-empty
        if (!string.IsNullOrEmpty(azureClientId) && !string.IsNullOrEmpty(azureTenantId)) {
            app.UseOpenIdConnectAuthentication(new OpenIdConnectAuthenticationOptions {
                AuthenticationType = "Azure",
                // passive: the middleware only challenges when Weavy asks it to (the sign in button)
                AuthenticationMode = AuthenticationMode.Passive,
                // tenant-specific authority, so tokens from other tenants fail issuer validation
                Authority = $"https://login.microsoftonline.com/{azureTenantId}/v2.0",
                Caption = "Azure AD",
                ClientId = azureClientId,
                Notifications = new OpenIdConnectAuthenticationNotifications() {
                    RedirectToIdentityProvider = (context) => {
                        // pick up the address used for sign in and sign out from the running site;
                        // Azure AD still rejects it unless it matches a redirect URI registered in the portal
                        context.ProtocolMessage.RedirectUri = WeavyContext.Current.ApplicationUrl;
                        return Task.CompletedTask;
                    },
                    SecurityTokenValidated = (context) => {
                        // tag the identity so Weavy knows which provider authenticated the user
                        context.AuthenticationTicket.Identity.AddClaim(new Claim("authentication_type", context.Options.AuthenticationType, null, LoginService.LOCAL_AUTHENTICATION_TYPE));
                        return Task.CompletedTask;
                    },
                    AuthenticationFailed = (context) => {
                        // send the user to Weavy's error page instead of surfacing the exception
                        context.OwinContext.Response.Redirect(WeavyContext.Current.ApplicationPath + "error/unauthorized");
                        context.HandleResponse();
                        return Task.CompletedTask;
                    }
                },
                Scope = "openid email profile",
            });
        }
    }
}

That's it. Weavy will now display a button on the sign in page allowing your users to authenticate against your Azure Active Directory.
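Because the Authority above is tenant-specific, the middleware's issuer validation already rejects tokens issued to other tenants. The following is an added example, not part of the Weavy SDK or of this guide's original code, that pins the tenant a second time so a later change of the authority to "common" or "organizations" cannot quietly open sign-in to every Azure AD tenant: it sets an explicit ValidIssuer and, in SecurityTokenValidated, checks that the tid claim in the token is the configured tenant before the identity is signed in. The class name AzureAdTokenChecks is an assumption; WeavyContext, LoginService, the settings and the error path are the ones used above.

```csharp
using System;
using System.Linq;
using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.IdentityModel.Tokens;   // System.IdentityModel.Tokens on the 3.x OWIN packages
using Microsoft.Owin.Security;
using Microsoft.Owin.Security.OpenIdConnect;
// WeavyContext and LoginService come from the Weavy server SDK, as in Startup.cs above.

// Added example (assumed name, not Weavy code): OpenID Connect options with the tenant pinned twice,
// once through the issuer and once through the tid claim of the validated token.
public static class AzureAdTokenChecks {
    // Azure AD carries the tenant id in the "tid" claim. Depending on the JWT handler version,
    // the middleware may remap it to the schema URI, so look for both forms.
    private static readonly string[] TenantClaimTypes = {
        "tid",
        "http://schemas.microsoft.com/identity/claims/tenantid"
    };

    // Issuer that v2.0 tokens from a single tenant carry (same value as the tenant-specific authority).
    public static string IssuerFor(string tenantId) =>
        $"https://login.microsoftonline.com/{tenantId}/v2.0";

    public static string GetTenantId(ClaimsIdentity identity) =>
        TenantClaimTypes.Select(t => identity.FindFirst(t)?.Value).FirstOrDefault(v => v != null);

    // True only when the token names exactly the configured tenant (null tid => false).
    public static bool IsFromTenant(ClaimsIdentity identity, string expectedTenantId) =>
        string.Equals(GetTenantId(identity), expectedTenantId, StringComparison.OrdinalIgnoreCase);

    public static OpenIdConnectAuthenticationOptions BuildOptions(string clientId, string tenantId) {
        return new OpenIdConnectAuthenticationOptions {
            AuthenticationType = "Azure",
            AuthenticationMode = AuthenticationMode.Passive,
            Authority = IssuerFor(tenantId),
            Caption = "Azure AD",
            ClientId = clientId,
            Scope = "openid email profile",
            // Metadata discovery adds the same issuer, so this only changes behaviour if Authority
            // is later pointed at a multi-tenant endpoint: tokens from other tenants still fail.
            TokenValidationParameters = new TokenValidationParameters {
                ValidateIssuer = true,
                ValidIssuer = IssuerFor(tenantId)
            },
            Notifications = new OpenIdConnectAuthenticationNotifications {
                RedirectToIdentityProvider = context => {
                    // must still match a redirect URI registered on the app in the Azure portal
                    context.ProtocolMessage.RedirectUri = WeavyContext.Current.ApplicationUrl;
                    return Task.CompletedTask;
                },
                SecurityTokenValidated = context => {
                    var identity = context.AuthenticationTicket.Identity;
                    if (!IsFromTenant(identity, tenantId)) {
                        // Signature and issuer passed but the tenant is not ours: refuse the sign-in
                        // and use the same error page as AuthenticationFailed.
                        context.HandleResponse();
                        context.OwinContext.Response.Redirect(WeavyContext.Current.ApplicationPath + "error/unauthorized");
                        return Task.CompletedTask;
                    }
                    identity.AddClaim(new Claim("authentication_type", context.Options.AuthenticationType, null, LoginService.LOCAL_AUTHENTICATION_TYPE));
                    return Task.CompletedTask;
                },
                AuthenticationFailed = context => {
                    context.OwinContext.Response.Redirect(WeavyContext.Current.ApplicationPath + "error/unauthorized");
                    context.HandleResponse();
                    return Task.CompletedTask;
                }
            }
        };
    }
}
```

In Startup.cs the call becomes app.UseOpenIdConnectAuthentication(AzureAdTokenChecks.BuildOptions(azureClientId, azureTenantId)). Calling HandleResponse() inside SecurityTokenValidated makes the middleware return without signing the user in, which is why the redirect can be issued from there. The tid check is defence in depth for the single-tenant setup this guide describes; if you deliberately want to accept several tenants, replace IsFromTenant with a lookup against an allow-list rather than removing the check.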