Tags: asp.net, asp.net-mvc, azure-active-directory, federated-identity

Claim data missing for authenticated users


We have an ASP.NET (Framework v4.7.2) website that uses federated login, via Azure Active Directory, for SSO purposes, to authenticate users.

The website expects a user to be in a certain Active Directory group in order to access the site. Myself and another user are in the same group, but when we both access the site, we get a different result. I am able to access the site, but my colleague gets a "401 unauthorised" error page (which is returned via the AuthorizeAttribute).

Looking deeper into this, I can see that the AD group that I belong to is included as a claim in this collection

System.Security.Claims.ClaimsPrincipal.Current.Claims

but for my colleague that same group claim is missing.

I have some debug code which does this...

foreach (var claim in System.Security.Claims.ClaimsPrincipal.Current.Claims)
{
    if (string.Equals("the-object-id-of-the-group", claim.Value))
    {
        // User has the group claim...
    }
}

When I log in, I see a log message stating that I have that group claim, but my colleague does not see that message when they log in.

When viewing our requests to the site in Chrome DevTools, I can see a difference in a bunch of set-cookie details. For example, my requests include many more AdminFedAuth set-cookie calls than my colleague's, and the overall content length for my colleague is much shorter.

Although my colleague is a member of more AD groups than me, that makes no difference, since other people who can access the site are members of many more groups than myself. So I thought it may have been an issue with the number of groups a person is associated with, but that is not the case.

I'm stuck on what else to investigate in order to diagnose what the problem is. Any suggestions would be appreciated.


Solution

  • The answer was that I had to change the manifest for the app registration in Azure Active Directory.

    In the Manifest I changed

    "groupMembershipClaims": "SecurityGroup"

    to

    "groupMembershipClaims": "ApplicationGroup"

    Using SecurityGroup resulted in inconsistent group claims data being returned to the website. By using ApplicationGroup all the group claims specific to the application are returned, and this has fixed the issue of some authenticated users not being able to access the site.

    For reference...

    Configure the Azure AD Application Registration for group attributes

    EDIT:

    Another good reference is this StackOverflow question...

    Azure AD does not emit group claims
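As an added example (not code from the question or the answer above), the following C# shows a stricter version of the debug loop in the question together with a diagnostic that distinguishes the three situations a defender wants to tell apart: the required group claim is present, the token carries no group claims at all (the manifest problem the answer describes), or the token carries the group-overage indicator instead of a group list. The claim type names used for group object IDs (the SAML/WS-Federation URI and the JWT "groups" type) and the "groups.link" overage claim type are taken from Azure AD's documented token formats but should be treated as assumptions and verified against your own tokens; the group object ID and user names are constructed placeholders.

```csharp
// Added example, not from the original question or answer.
// Assumptions: the group claim type names below match what Azure AD emits for
// SAML/WS-Federation and JWT tokens; the group ID and user names are constructed.
using System;
using System.Collections.Generic;
using System.Linq;
using System.Security.Claims;

public static class GroupClaimCheck
{
    // Claim types under which Azure AD places group object IDs (assumption, verify on your tokens).
    static readonly string[] GroupClaimTypes =
    {
        "http://schemas.microsoft.com/ws/2008/06/identity/claims/groups", // SAML / WS-Federation tokens
        "groups",                                                          // JWT tokens
    };

    // Emitted instead of the group list when the user is in too many groups (overage).
    const string GroupsLinkClaimType = "http://schemas.microsoft.com/claims/groups.link";

    // All group object IDs carried by the principal, filtered by claim TYPE, not just value.
    public static IEnumerable<string> GroupIds(ClaimsPrincipal principal) =>
        principal.Claims
            .Where(c => GroupClaimTypes.Contains(c.Type))
            .Select(c => c.Value);

    // Object IDs are GUIDs, so compare case-insensitively; the question's loop matched
    // on value alone, so a claim of any other type with the same value would also pass.
    public static bool IsInGroup(ClaimsPrincipal principal, string groupObjectId) =>
        GroupIds(principal).Any(id => string.Equals(id, groupObjectId, StringComparison.OrdinalIgnoreCase));

    public static bool HasGroupOverage(ClaimsPrincipal principal) =>
        principal.HasClaim(c => c.Type == GroupsLinkClaimType);

    // One line suitable for an application log, explaining WHY access was granted or denied.
    public static string Diagnose(ClaimsPrincipal principal, string requiredGroupId)
    {
        var ids = GroupIds(principal).ToList();
        if (IsInGroup(principal, requiredGroupId))
            return "OK: required group claim present";
        if (HasGroupOverage(principal))
            return "DENY: no group list, token carries groups.link (overage) - group membership must be resolved another way";
        if (ids.Count == 0)
            return "DENY: token carries no group claims at all - check groupMembershipClaims in the app manifest";
        return $"DENY: {ids.Count} group claim(s) present but not the required one";
    }

    public static void Main()
    {
        const string requiredGroupId = "00000000-0000-0000-0000-00000000abcd"; // constructed placeholder

        // Constructed sample principals: one whose token carries the group, one whose token does not.
        var withGroup = new ClaimsPrincipal(new ClaimsIdentity(new[]
        {
            new Claim(ClaimTypes.Name, "user-a"),
            new Claim(GroupClaimTypes[0], requiredGroupId.ToUpperInvariant()),
        }, "Federation"));

        var withoutGroup = new ClaimsPrincipal(new ClaimsIdentity(new[]
        {
            new Claim(ClaimTypes.Name, "user-b"),
        }, "Federation"));

        var overage = new ClaimsPrincipal(new ClaimsIdentity(new[]
        {
            new Claim(ClaimTypes.Name, "user-c"),
            new Claim(GroupsLinkClaimType, "https://graph.example.invalid/placeholder"),
        }, "Federation"));

        Console.WriteLine(Diagnose(withGroup, requiredGroupId));    // OK
        Console.WriteLine(Diagnose(withoutGroup, requiredGroupId)); // DENY: no group claims at all
        Console.WriteLine(Diagnose(overage, requiredGroupId));      // DENY: overage indicator present
    }
}
```

Logging the Diagnose result at the point where AuthorizeAttribute rejects a request makes the "no group claims at all" case visible immediately, which is the symptom that, in this question, pointed at the groupMembershipClaims setting rather than at the user's group membership.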