In my previous post I described how it's possible to implement federated security in EPiServer using Auth0. However, the steps described there only allow users to log into your site with Auth0; it's not possible to log into the EPiServer UI using them. This post describes how to extend the implementation so that users logging in via Auth0 can use the EPiServer UI.
This is because, when using federated security, EPiServer checks access rights against the http://schemas.microsoft.com/ws/2008/06/identity/claims/role claim. Many providers do not issue this claim, so we need an Auth0 rule to create some roles and then a little work in EPiServer to map them into http://schemas.microsoft.com/ws/2008/06/identity/claims/role claims.
First up we need to set up a rule in Auth0:
1. Browse to the rules section and click "New Rule":
2. Select empty rule:
3. Create a rule that will grant the roles that allow users to sign into EPiServer (note: a rule can be anything that can be written in node.js). For demo purposes I'm simply checking the name of the user; anyone with "Jones" in their name gets the WebAdmins and WebEditors roles:
Rules are powerful in Auth0 and give the option of connecting to any data store or applying any logic you like that can be implemented in node.js. For more information on Auth0 rules please see: https://auth0.com/docs/rules.
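The rule itself is not reproduced on this page, so here is an added example of one, written in the `function (user, context, callback)` shape the Auth0 rules engine invokes. It is not the rule from the original post: the role decision is pulled into a separate `rolesForUser` function so it can be tested, and the role names come from the post. It assumes (as the post does) that setting `user.roles` makes Auth0 emit a `http://schemas.auth0.com/roles` claim in the token; the profile passed to it is constructed.

```javascript
// Added example of an Auth0 rule (not the post's own rule).

// Roles EPiServer needs for edit/admin mode, as named in the post.
const EPISERVER_ROLES = ['WebAdmins', 'WebEditors'];

// Decide which EPiServer roles a user gets. Demo logic from the post:
// anyone with "Jones" in their name is granted WebAdmins and WebEditors.
// Anything else (including a profile with no name) gets no roles.
function rolesForUser(user) {
  const name = user && typeof user.name === 'string' ? user.name : '';
  return name.includes('Jones') ? EPISERVER_ROLES.slice() : [];
}

// The rule as the Auth0 rules engine would call it. Roles already on the
// profile are kept and de-duplicated rather than overwritten, so a rule
// running earlier in the chain is not clobbered. Assumption: user.roles is
// surfaced as the http://schemas.auth0.com/roles claim.
function grantEpiServerRoles(user, context, callback) {
  const granted = rolesForUser(user);
  if (granted.length === 0) {
    // No match: leave the profile untouched; the user only gets site access.
    return callback(null, user, context);
  }
  const current = Array.isArray(user.roles) ? user.roles : [];
  user.roles = Array.from(new Set(current.concat(granted)));
  return callback(null, user, context);
}

// Stand-alone demonstration with a constructed profile (not called on load).
function demo() {
  let result;
  grantEpiServerRoles({ name: 'Indiana Jones', email: 'jones@example.com' }, {},
    (err, user) => { result = err || user.roles; });
  return result; // ['WebAdmins', 'WebEditors']
}
```

When pasting this into the Auth0 rule editor, which expects a single function, move `EPISERVER_ROLES` and `rolesForUser` inside `grantEpiServerRoles`; the logic is unchanged.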
Next up we need to extend and replace the EPiServer "SynchronizingUserService" with a custom service. This service allows us to map the http://schemas.auth0.com/roles claims from Auth0 into http://schemas.microsoft.com/ws/2008/06/identity/claims/role claims, which EPiServer can then use internally. This is done as follows:
4. Replace this line:
5. With this line:
6. Implement the following class in your solution:
7. Sign in as a user who matches the rule written in step 3. You should now have access to EPiServer edit/admin mode.
This isn't an extensive implementation and I haven't tried it in a production scenario, so there may be some nuances to iron out. But I hope you have some fun trying out federated authentication with EPiServer!!
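The custom service class is not shown on this page, so as an added illustration of the claim mapping it performs (steps 4 to 7), here is a small model of the logic in JavaScript. It is not EPiServer code (the real service is a .NET class) and not the author's implementation: claims are represented as `{type, value}` pairs as they appear in a WS-Federation token, the two claim type URIs are the ones named in the post, and the incoming claims are constructed. The `parseRoleValue` helper is an assumption that Auth0 may deliver the roles either as one claim per role or as a single JSON-array value; it accepts both.

```javascript
// Added example: a model of the claim mapping the custom synchronizing
// service performs. Not EPiServer's own code.

const AUTH0_ROLES_CLAIM = 'http://schemas.auth0.com/roles';
const MS_ROLE_CLAIM = 'http://schemas.microsoft.com/ws/2008/06/identity/claims/role';

// Assumption: the roles claim value is either a single role name or a JSON
// array of role names. Anything else yields no roles.
function parseRoleValue(value) {
  if (typeof value !== 'string') return [];
  const s = value.trim();
  if (s.startsWith('[')) {
    try {
      const arr = JSON.parse(s);
      return Array.isArray(arr) ? arr.filter(x => typeof x === 'string') : [];
    } catch (e) {
      return [];
    }
  }
  return s ? [s] : [];
}

// Return a new claim list with one MS role claim per Auth0 role. Role claims
// already present are kept and not duplicated; all other claims pass through
// untouched, so nothing the identity provider asserted is lost.
function mapAuth0RolesToRoleClaims(claims) {
  const known = new Set(
    claims.filter(c => c.type === MS_ROLE_CLAIM).map(c => c.value));
  const added = [];
  for (const c of claims) {
    if (c.type !== AUTH0_ROLES_CLAIM) continue;
    for (const role of parseRoleValue(c.value)) {
      if (!known.has(role)) {
        known.add(role);
        added.push({ type: MS_ROLE_CLAIM, value: role });
      }
    }
  }
  return claims.concat(added);
}

// The check EPiServer effectively makes: is there an MS role claim for this role?
function isInRole(claims, role) {
  return claims.some(c => c.type === MS_ROLE_CLAIM && c.value === role);
}

// Constructed token claims for a user the rule matched.
const SAMPLE_CLAIMS = [
  { type: 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name', value: 'Indiana Jones' },
  { type: AUTH0_ROLES_CLAIM, value: 'WebAdmins' },
  { type: AUTH0_ROLES_CLAIM, value: 'WebEditors' },
];

function demo() {
  const mapped = mapAuth0RolesToRoleClaims(SAMPLE_CLAIMS);
  return { admin: isInRole(mapped, 'WebAdmins'), editor: isInRole(mapped, 'WebEditors') };
}
```

Before the mapping, `isInRole(SAMPLE_CLAIMS, 'WebAdmins')` is false even though the Auth0 roles claim is present, which is exactly why the UI login fails without the custom service.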