The Gist: SSO has been around for some time through technologies such as SAML and LDAP. But Azure AD integration with Visual Studio 2019 makes the task of incorporating enterprise SSO into your external (non-intranet) web applications even easier.
It’s in the default template
From the moment that you launch Visual Studio 2019 and are presented with the Start Window, you will be “guided” through a series of dialogs and options, getting you started with your desired project type and security model.
Click “Create a new project” and you will be presented with the following window. Our plan is to create a web application and secure it using Azure AD, so for this let’s select ASP.NET Core Web Application.
You will be prompted for the project name. A default location will be mapped, but it can be changed to a local or network shared folder of your choice. Finally, you are prompted for a solution name, which I left the same. Click “Create”.
Next you will be prompted to choose the type of ASP.NET Core Web Application you would like to create. This could be based on a framework such as Angular or a use case such as a Web API. I chose the Web Application (Model-View-Controller), or MVC for short, as the template to use because it is one of my favorite web application frameworks.
Note that the window below has a section outlined in red. This is where we indicate how users will authenticate with the application, which is the overall point of this post. Clicking “Change” will launch a dialog box displaying the different options to choose from.
The authentication options selected below determine which artifacts will be loaded into your application in order to build out its security model. Because I would like to demonstrate Azure AD authentication, I selected Work or School Accounts. Then in the drop-down, I selected Cloud – Single Organization (which is the default), and finally, for the convenience of this walk-through, I selected the checkbox “Read directory data”. By checking this option, more information about the user account is surfaced from Microsoft Graph. If this box is left unchecked, then your application will only have the claims information, such as username and email address, available for the user. After making these selections, click “OK”.
Finally with the appropriate security options selected, click “Create” back on the main menu and Visual Studio 2019 builds the application from the template, incorporating the appropriate modules based on your selections.
Once the application is created and you can see the application files in the Solution Explorer, click “F5” to build and run your application for the first time. After updating a few packages, your web application will load in the browser and you will see the familiar Microsoft login dialog. Enter your username for your organization and click “Next”.
The next dialog prompts for your password. Enter it and click “Next”.
Because, at the moment, the app publisher is unknown, the user is presented with a consent dialog to approve access for the application to sign in and read the user’s profile. Also, because we checked the box “Read directory data”, the user must approve that permission as well.
In this walk-through, we used the standard template files so after successful authentication the application navigates to the default home page with a welcome message next to the user’s username.
Now, if you’re wondering where all of this magic comes from, look no further than the Startup.cs file for the application. The ConfigureServices method below shows how the authentication service is added to the services collection. You can also see where an AuthorizationPolicy is used to add an AuthorizeFilter to the application controllers, so that every action requires a signed-in user by default.
The final component of the Azure AD security implementation in your ASP.NET Core Web Application is the appsettings.json file. It contains the Azure AD domain and tenant identifier information that ASP.NET Core uses to call the Azure AD authentication endpoints.
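To make the two preceding pieces concrete, here is an added example (not the post’s own listing, and not copied from the Visual Studio template) of what a Startup.cs produced by the “Work or School Accounts / Cloud – Single Organization” selection looks like for an ASP.NET Core 2.2 MVC project, with the matching appsettings.json section shown in the leading comment. It assumes the Microsoft.AspNetCore.Authentication.AzureAD.UI package that the template references; the namespace, domain, tenant and client values are placeholders, not values from the post.

```csharp
// Added example (not the post's own code). Assumes the
// Microsoft.AspNetCore.Authentication.AzureAD.UI package and an "AzureAd"
// section in appsettings.json shaped like this (values are placeholders):
//
// {
//   "AzureAd": {
//     "Instance": "https://login.microsoftonline.com/",
//     "Domain": "contoso.onmicrosoft.com",
//     "TenantId": "<your-tenant-id>",
//     "ClientId": "<your-app-registration-id>",
//     "CallbackPath": "/signin-oidc"
//   }
// }
using Microsoft.AspNetCore.Authentication.AzureAD.UI;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Hosting;
using Microsoft.AspNetCore.Mvc;
using Microsoft.AspNetCore.Mvc.Authorization;
using Microsoft.Extensions.Configuration;
using Microsoft.Extensions.DependencyInjection;

namespace AzureAdMvcSample // hypothetical project namespace
{
    public class Startup
    {
        public Startup(IConfiguration configuration)
        {
            Configuration = configuration;
        }

        public IConfiguration Configuration { get; }

        public void ConfigureServices(IServiceCollection services)
        {
            // Register the cookie + OpenID Connect handlers for Azure AD and bind
            // the "AzureAd" section of appsettings.json onto the handler options.
            services.AddAuthentication(AzureADDefaults.AuthenticationScheme)
                .AddAzureAD(options => Configuration.Bind("AzureAd", options));

            services.AddMvc(options =>
            {
                // Global AuthorizeFilter: every controller action requires an
                // authenticated user unless it is marked [AllowAnonymous].
                var policy = new AuthorizationPolicyBuilder()
                    .RequireAuthenticatedUser()
                    .Build();
                options.Filters.Add(new AuthorizeFilter(policy));
            })
            .SetCompatibilityVersion(CompatibilityVersion.Version_2_2);
        }

        public void Configure(IApplicationBuilder app, IHostingEnvironment env)
        {
            if (env.IsDevelopment())
            {
                app.UseDeveloperExceptionPage();
            }
            else
            {
                app.UseExceptionHandler("/Home/Error");
                app.UseHsts();
            }

            app.UseHttpsRedirection();
            app.UseStaticFiles();
            app.UseCookiePolicy();

            // Authentication middleware must run before MVC so the AuthorizeFilter
            // sees the principal established from the Azure AD sign-in cookie.
            app.UseAuthentication();

            app.UseMvc(routes =>
            {
                routes.MapRoute(
                    name: "default",
                    template: "{controller=Home}/{action=Index}/{id?}");
            });
        }
    }
}
```

Two things worth checking in a generated project: UseAuthentication must precede UseMvc, otherwise the global filter sees an anonymous principal and every request is redirected to sign in; and if selecting “Read directory data” causes the template to add a ClientSecret value to appsettings.json, keep that secret out of source control (user secrets in development, Azure Key Vault or environment configuration in production) and leave only the non-secret Instance, Domain, TenantId, ClientId and CallbackPath entries in the file.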
There are just a couple of additional things that I would like to mention about this. Azure AD authentication settings are configurable within the Microsoft Azure Portal, so things such as the company logo and two-factor authentication can be configured at the Azure AD level and require no additional coding on your part. That is just awesome!