Configure Umbraco to use Azure AD for Back Office user authentication

Authentication In Umbraco

Umbraco CMS (v7.9.2) features a well known and standard username/password scenario for handling authentication. This can be fine, but corporate Umbraco adopters would probably not be too happy when we ask them to remember one more password as well as giving up centralized user account management.

Corporations whose IT is Microsoft based will often have security matters handled by Active Directory and, if they take IT seriously these days, have Federation Services configured and synchronization with Azure Active Directory in place.

I wrote a post regarding the business value and importance of SSO when using Umbraco in a Microsoft infrastructure based on Azure here.

When Umbraco CMS is added to the corporate Azure mix, corporations will require, or rather should require, that authentication is handled by Azure Active Directory.

This post is a tutorial on how to make this setup work in practice. It's easy once you have invested hours on making all the pieces fit, and here is what I have learned, so that you don't have to.

No plug and play solution found

I was unable to find a “plug and play” solution that enables Azure AD authentication for Umbraco Back Office users. I might be wrong, so please send me a comment if that is the case.

Existing official Solution

There is some documentation to be found in the configuration files when Umbraco is installed, and Umbraco's community site does describe the steps needed to enable external login providers. They even provide a tutorial on how to enable Google authentication in Umbraco.

There is a 2 year old (from 2015) NuGet package available named UmbracoCms.IdentityExtensions.AzureActiveDirectory. It basically generates some C# files in your project, helping you configure Umbraco to use Azure AD authentication by configuring OWIN (source code on GitHub).

The problem was that I could not get it to work out of the box. I really do not know why, but browsing Azure's AD documentation and tutorials, I discovered the generated C# files added to my project were missing some settings.

We are not going to use the above mentioned NuGet package.

Install NuGet Packages

We need to install two NuGet packages to enable OpenId in your project:

Using version 3.1.0 of all of the above keeps you safe 🙂

A lot of dependencies will be installed, so be warned. Here is what I got when installing UmbracoCms.IdentityExtensions on Umbraco Cloud 7.10.4:

Open Web Interface for .NET

Umbraco embraces Open Web Interface for .NET (OWIN) as the standard method of handling authentication in ASP.NET. To get started you'll need to create an App Registration using the Azure Portal. If you are unfamiliar with the process, there is an excellent guide here.

When the app has been registered, you will need to write down and understand a couple of values:

ClientId / ApplicationId

The ClientId (ApplicationId on the Azure Portal) uniquely identifies the app towards Azure AD.

AADInstance

The Azure Active Directory instance is always “https://login.microsoftonline.com/” and identifies “public Azure”. This value might be something else if you are on a private cloud, but I have never seen such a private cloud in action.

Tenant ID

The tenant ID is a GUID value uniquely identifying your Azure tenant.

Adding code

The App Settings section in Umbraco’s web.config should include the above mentioned values from Azure’s App Registration:

<add key="ida:ClientId" value="" />
<add key="ida:AADInstance" value="https://login.microsoftonline.com/" />
<add key="ida:TenantId" value="" />
<add key="ida:PostLoginUrl" value="https://localhost/umbraco" />

Also add a class named UmbracoAzureActiveDirectoryExtensions to serve as an extension method for the IAppBuilder that we will later call during startup.
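As an added example (not the post's own code), here is one way such an extension method could look. It assumes the ida:* keys from the web.config snippet above, the Microsoft.Owin.Security.OpenIdConnect 3.x package, and Umbraco 7's ForUmbracoBackOffice helper and Constants.Security.BackOfficeExternalAuthenticationType; the method name, the Setting helper and the failure handling are my own choices.

```csharp
using System;
using System.Configuration;
using System.Threading.Tasks;
using Microsoft.Owin.Security.OpenIdConnect;
using Owin;
using Umbraco.Core;
using Umbraco.Core.Logging;
using Umbraco.Web.Security.Identity;

public static class UmbracoAzureActiveDirectoryExtensions
{
    // Hypothetical method name: reads the ida:* keys and registers Azure AD as an
    // OpenID Connect login provider for the Umbraco back office.
    public static IAppBuilder ConfigureBackOfficeAzureActiveDirectoryAuth(this IAppBuilder app)
    {
        // A tenant-specific authority accepts tokens issued for this tenant only;
        // "common" as the tenant would let users of any Azure AD tenant sign in.
        Guid tenantId;
        if (!Guid.TryParse(Setting("ida:TenantId"), out tenantId))
            throw new ConfigurationErrorsException("ida:TenantId must be the tenant GUID.");
        var options = new OpenIdConnectAuthenticationOptions
        {
            ClientId = Setting("ida:ClientId"),
            Authority = Setting("ida:AADInstance").TrimEnd('/') + "/" + tenantId,
            RedirectUri = Setting("ida:PostLoginUrl"),
            // Sign in with Umbraco's external cookie so the back office can link
            // the external identity to a back office user account.
            SignInAsAuthenticationType = Constants.Security.BackOfficeExternalAuthenticationType,
            Notifications = new OpenIdConnectAuthenticationNotifications
            {
                // Log validation/protocol failures and show a generic error instead of
                // an unhandled exception page that leaks details to the browser.
                AuthenticationFailed = ctx =>
                {
                    LogHelper.Error(typeof(UmbracoAzureActiveDirectoryExtensions),
                        "Azure AD back office login failed", ctx.Exception);
                    ctx.HandleResponse();
                    ctx.Response.Redirect("/umbraco?aadError=1");
                    return Task.FromResult(0);
                }
            }
        };
        // Umbraco 7 helper that renders the provider as a back office login button.
        options.ForUmbracoBackOffice("btn-microsoft", "fa-windows");
        app.UseOpenIdConnectAuthentication(options);
        return app;
    }
    private static string Setting(string key)
    {
        var value = ConfigurationManager.AppSettings[key];
        if (string.IsNullOrWhiteSpace(value)) throw new ConfigurationErrorsException("Missing appSetting " + key);
        return value;
    }
}
```

Call app.ConfigureBackOfficeAzureActiveDirectoryAuth() from the ConfigureMiddleware override of your OWIN startup class, after the Umbraco back office cookie authentication has been configured.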