
I have a .NET 6 web application which uses IdentityServer for logins. I want to extend that functionality and use Azure Active Directory (AAD) as an external login. I have the following code in my Program.cs which registers AAD as an external provider:

    // Namespaces the snippet relies on (IdentityServerConstants comes from
    // Duende.IdentityServer in the .NET 6 templates; IdentityServer4 for older projects).
    using Duende.IdentityServer;
    using Microsoft.AspNetCore.Identity;
    using Microsoft.IdentityModel.Tokens;

    builder.Services.AddAuthentication()
        .AddOpenIdConnect("aad", "Sign-in with Azure AD", options =>
        {
            options.Authority = "https://login.microsoftonline.com/common";
            options.ClientId = "<clientID>";
            options.ClientSecret = "<clientSecret>";

            // Where the external identity is stored after the callback, and which
            // scheme handles sign-out initiated by IdentityServer.
            options.SignInScheme = IdentityConstants.ExternalScheme;
            options.SignOutScheme = IdentityServerConstants.SignoutScheme;

            // id_token is returned to CallbackPath via a form POST from the AAD domain.
            options.ResponseType = "id_token";
            options.CallbackPath = "/signin-aad";
            options.SignedOutCallbackPath = "/signout-callback-aad";
            options.RemoteSignOutPath = "/signout-aad";

            options.TokenValidationParameters = new TokenValidationParameters
            {
                ValidateIssuer = false,
                ValidateAudience = false,
                NameClaimType = "name",
                RoleClaimType = "role"
            };
        });

I get redirected to the Azure portal, but after I select the appropriate account, I get the following error: Correlation Failed

Note: I have also used IdentityServerConstants.ExternalCookieAuthenticationScheme instead of IdentityConstants.ExternalScheme as a signIn scheme and the result is the same.

I have read a lot of blog posts and tried to reproduce multiple solutions found throughout the internet, but my result is always the same (the exception shown above). If anyone has any other suggestions on what I might try in order to sort this out, any tips would be highly appreciated. Thank you, and have a great day!

Calin

1 Answer


I ended up finding an answer with the help of some colleagues. The fix was adding the following code block above the builder.Services.AddAuthentication.

    // Registered before AddAuthentication so the cookies issued by the OIDC handler
    // (correlation and nonce) are always marked Secure.
    builder.Services.Configure<CookiePolicyOptions>(options =>
    {
        options.Secure = CookieSecurePolicy.Always;
    });

Also, the following code has been modified. I have changed SameSiteMode to None and added the UseCookiePolicy call.

    // SameSite=None lets the correlation cookie accompany the cross-site POST
    // that delivers the id_token to the callback path.
    app.UseCookiePolicy(new CookiePolicyOptions()
    {
        MinimumSameSitePolicy = SameSiteMode.None
    });

    app.UseCookiePolicy();

Hopefully this will help other people who might have the same issue in the future.

Calin
  • Can you provide sample code for integrating external AD users? I am confused by the implementation guide. Thanks – Umar Malik Dec 08 '22 at 15:42
  • @UmarMalik the code I have used is the one posted in my initial message. The only difference is the authority, which is set to "https://login.microsoftonline.com/". Everything else is the same. However, you will need to add the configurations in your Azure Portal, for the application you use for registration. Under Azure Active Directory -> App registrations -> Your app -> Authentication, you will need to add the redirect URI ( https:///signin-aad – Calin Dec 21 '22 at 09:12
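The accepted fix works because `ResponseType = "id_token"` makes AAD return the token to `/signin-aad` with a cross-site form POST, and a browser applying the SameSite=Lax default will not send the OIDC correlation cookie on that request, which is exactly what "Correlation failed" reports. SameSite=None is only honoured when the cookie is also Secure, so the two settings from the answer belong together. The following Program.cs is an added example (not the asker's or answerer's code) that wires both settings in the order the ASP.NET Core pipeline expects, and additionally keeps issuer and audience validation on by pointing the authority at a single tenant instead of `common`. It assumes the .NET 6 ASP.NET Identity + Duende IdentityServer template; `<tenant-id>`, `<clientID>` and `<clientSecret>` are placeholders.

```csharp
// Added example, not code from the question or answer. Assumes the .NET 6
// Identity + Duende IdentityServer template; placeholders must be replaced.
using Duende.IdentityServer;
using Microsoft.AspNetCore.Authentication.OpenIdConnect;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Http;
using Microsoft.AspNetCore.Identity;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.IdentityModel.Tokens;

var builder = WebApplication.CreateBuilder(args);

// 1. Cookie policy is configured before AddAuthentication so the correlation and
//    nonce cookies created by the OIDC handler inherit it. SameSite=None without
//    Secure is rejected by current browsers, so both are set together.
builder.Services.Configure<CookiePolicyOptions>(options =>
{
    options.MinimumSameSitePolicy = SameSiteMode.None;
    options.Secure = CookieSecurePolicy.Always;
});

builder.Services.AddAuthentication()
    .AddOpenIdConnect("aad", "Sign-in with Azure AD", options =>
    {
        // A tenant-specific v2.0 authority publishes a concrete issuer in its
        // metadata, so ValidateIssuer can stay enabled. "<tenant-id>" is a placeholder.
        options.Authority = "https://login.microsoftonline.com/<tenant-id>/v2.0";
        options.ClientId = "<clientID>";
        options.ClientSecret = "<clientSecret>";

        options.SignInScheme = IdentityConstants.ExternalScheme;
        options.SignOutScheme = IdentityServerConstants.SignoutScheme;

        // id_token is delivered by a cross-site form POST; this is the request the
        // correlation cookie must survive, hence SameSite=None above.
        options.ResponseType = OpenIdConnectResponseType.IdToken;
        options.CallbackPath = "/signin-aad";
        options.SignedOutCallbackPath = "/signout-callback-aad";
        options.RemoteSignOutPath = "/signout-aad";

        options.TokenValidationParameters = new TokenValidationParameters
        {
            ValidateIssuer = true,        // issuer taken from tenant metadata
            ValidateAudience = true,
            ValidAudience = "<clientID>", // the token must be minted for this app
            NameClaimType = "name",
            RoleClaimType = "role"
        };
    });

builder.Services.AddControllersWithViews();

var app = builder.Build();

app.UseHttpsRedirection();
app.UseStaticFiles();
app.UseRouting();

// 2. UseCookiePolicy runs before UseAuthentication so the policy is applied to
//    every cookie the authentication handlers write; one call is sufficient.
app.UseCookiePolicy();
app.UseAuthentication();
app.UseAuthorization();

app.MapDefaultControllerRoute();
app.Run();
```

With the tenant-specific authority, the handler fills `TokenValidationParameters.ValidIssuer` from the discovery document, so no hard-coded issuer string is needed; `common` cannot be used this way because its metadata carries a templated issuer, which is why the question's configuration had to disable issuer validation.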