DotNet Core with Shibboleth
One of the more difficult and painful changes while migrating our enterprise applications to DotNet Core has been supporting Shibboleth authentication and, consequently, implementing our group-based authorization system.
There are a few main things we have to implement in our applications in order to leverage Shibboleth.
- Grab the currently logged-in user's login name; in our case it is a custom username called eName
- Establish a local cookie-based login scheme for the dot net app
Additionally, we use a custom group-based authorization system that accepts an eName and returns a list of groups associated with that user. This list may include groups that have nothing to do with our application, so the local app must take this list of group names and then do something with it to give our users access to various parts of our application.
I've included the gist below that should contain all you need to set up your application to work with a hosted Shibboleth server.
In general, this is what is going on:
- Configure the application to use Cookie authentication. This is done inside of Startup.cs. This allows us to control the actual app login after shib auth.
- IShibClaim and ShibClaim actually set the claims principal, which is a new pattern to .Net applications that should take some time to understand.
- AuthController - The controller that actually handles auth into the local app. This is mostly transparent to the user: they get booted over to the auth controller the first time they try to access a restricted resource and are then redirected back.
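As an added illustration of the second and third points (this is example code, not the post's gist), the sketch below builds the claims principal from the eName the Shibboleth SP passes to the app and signs the user in with the cookie scheme. It assumes Startup.cs has already registered `AddAuthentication().AddCookie()` with `LoginPath` pointing at `/auth/login`, that the SP exposes the username as a request header literally named `eName`, and an `IGroupService` that wraps the group lookup; the header name, the service and the group names are assumptions.

```csharp
using System.Collections.Generic;
using System.Linq;
using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Authentication.Cookies;
using Microsoft.AspNetCore.Http;
using Microsoft.AspNetCore.Mvc;

// Assumed: a lookup service that returns the groups for an eName (not from the post).
public interface IGroupService { Task<IReadOnlyList<string>> GetGroupsAsync(string eName); }
public interface IShibClaim { Task<ClaimsPrincipal> BuildPrincipalAsync(HttpContext context); }

public class ShibClaim : IShibClaim
{
    // Only groups the application actually uses become role claims; group names are assumed.
    private static readonly HashSet<string> KnownGroups = new() { "app-admins", "app-users" };
    private readonly IGroupService _groups;
    public ShibClaim(IGroupService groups) => _groups = groups;

    public async Task<ClaimsPrincipal> BuildPrincipalAsync(HttpContext context)
    {
        // Header name is assumed. Trust it only when the Shibboleth SP sits in front of
        // the app and overwrites any client-supplied copy of the header.
        var eName = context.Request.Headers["eName"].FirstOrDefault();
        if (string.IsNullOrWhiteSpace(eName)) return null;
        var claims = new List<Claim> { new(ClaimTypes.Name, eName) };
        foreach (var g in await _groups.GetGroupsAsync(eName))
            if (KnownGroups.Contains(g)) claims.Add(new Claim(ClaimTypes.Role, g));
        var identity = new ClaimsIdentity(claims, CookieAuthenticationDefaults.AuthenticationScheme);
        return new ClaimsPrincipal(identity);
    }
}

public class AuthController : Controller
{
    private readonly IShibClaim _shib;
    public AuthController(IShibClaim shib) => _shib = shib;

    // The cookie middleware redirects here when an unauthenticated user hits [Authorize].
    [HttpGet("/auth/login")]
    public async Task<IActionResult> Login(string returnUrl = "/")
    {
        var principal = await _shib.BuildPrincipalAsync(HttpContext);
        if (principal == null) return Unauthorized();
        await HttpContext.SignInAsync(CookieAuthenticationDefaults.AuthenticationScheme, principal);
        // Redirect only to local paths so the login endpoint cannot serve as an open redirect.
        return LocalRedirect(Url.IsLocalUrl(returnUrl) ? returnUrl : "/");
    }
}
```

Once the cookie is issued, `[Authorize(Roles = "app-admins")]` on a controller checks the role claims built here rather than calling the group service again.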