
Local Accounts (ASP Identity)

Learn how to use your local ASP Identity accounts with the myMLA SSO platform.

Working with local ASP Identity accounts requires some additional configuration in the Program.cs file. Using the method below, the user is authenticated by the myMLA SSO platform and the claims are then assigned from the user's local ASP Identity profile.

The OnTokenValidated event is raised after the user has been authenticated by myMLA SSO, but before the UserPrincipal has been issued. This is the right point to replace the SSO principal with one built from the local user profile.

Please see the sample application for a more detailed implementation.

    using System.Security.Claims;
    using Auth0.AspNetCore.Authentication;
    using Microsoft.AspNetCore.Authentication.OpenIdConnect;
    using Microsoft.AspNetCore.Identity;
    using Microsoft.EntityFrameworkCore;

    builder.Services.AddAuth0WebAppAuthentication(options =>
    {
        options.Domain = builder.Configuration["myMLA:Domain"];
        options.ClientId = builder.Configuration["myMLA:ClientId"];
        options.Scope = "openid profile email";
        options.OpenIdConnectEvents = new OpenIdConnectEvents
        {
            OnTokenValidated = async (context) =>
            {
                // The SSO subject identifier is the stable key for the link table.
                var ssoId = context.Principal?.FindFirst(ClaimTypes.NameIdentifier)?.Value;

                var dbContext = context.HttpContext.RequestServices
                                            .GetRequiredService<ApplicationDbContext>();

                var linkedAccount = await dbContext.SsoLinks
                                            .FirstOrDefaultAsync(x => x.SsoId == ssoId);

                if (linkedAccount is null)
                {
                    // First login for this SSO identity: try to auto-link it to a local user by e-mail.
                    var email = context.Principal?.Claims
                                            .Where(x => x.Type == ClaimTypes.Email)
                                            .Select(x => x.Value)
                                            .FirstOrDefault();

                    // Guard against a missing e-mail claim: "u.Email == null" would match local
                    // users that have no e-mail at all.
                    var user = email is null
                        ? null
                        : await dbContext.Users.FirstOrDefaultAsync(u => u.Email == email);

                    // if there is no local user, redirect to error page
                    if (user is null)
                    {
                        var errorMessage = $"Autolink no local user found for {email}";
                        context.HandleResponse();
                        // The message carries the e-mail from the token, so encode it for the query string.
                        context.Response.Redirect("/account/AccessDenied?error=" + Uri.EscapeDataString(errorMessage));
                        return;
                    }

                    linkedAccount = new SsoLink() { SsoId = ssoId, LocalUserId = user.Id };

                    dbContext.SsoLinks.Add(linkedAccount);
                    await dbContext.SaveChangesAsync();
                }

                var signinManager = context.HttpContext.RequestServices
                                            .GetRequiredService<SignInManager<IdentityUser>>();
                var identityUser = await signinManager.UserManager
                                            .FindByIdAsync(linkedAccount.LocalUserId);

                // A link can outlive its local user (e.g. the account was deleted); deny access rather
                // than throw on a null user.
                if (identityUser is null)
                {
                    context.HandleResponse();
                    context.Response.Redirect("/account/AccessDenied?error=" + Uri.EscapeDataString("Linked local user no longer exists"));
                    return;
                }

                // Replace the SSO principal with one built from the local Identity profile (roles and claims).
                context.Principal = await signinManager.CreateUserPrincipalAsync(identityUser);

                context.Success();
            }
        };
    });

Although you are not using ASP Identity to authenticate your users, you will still need to configure the Program.cs file to register the ASP Identity services, since the handler above resolves the SignInManager and UserManager from them.

Please note: you must use AddIdentityCore to configure ASP Identity. The standard AddIdentity also registers cookie authentication middleware that clashes with the Auth0/myMLA SSO authentication setup.

    builder.Services.AddIdentityCore<IdentityUser>()
        .AddRoles<IdentityRole>()
        .AddSignInManager()
        .AddEntityFrameworkStores<ApplicationDbContext>();
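The OnTokenValidated handler above reads from a dbContext.SsoLinks set that the page does not define. The following is an added example, not code from the page or the sample application: a hypothetical SsoLink entity and ApplicationDbContext with unique indexes on the link columns, plus a hypothetical SsoLinker helper that performs the same first-login auto-link, but only when the ID token's email_verified claim is true. It assumes Auth0 includes email_verified when the email scope is requested and that the claim reaches the principal under its raw name.

```csharp
using System.Security.Claims;
using Microsoft.AspNetCore.Identity;
using Microsoft.AspNetCore.Identity.EntityFrameworkCore;
using Microsoft.EntityFrameworkCore;

// Hypothetical entity behind the dbContext.SsoLinks set used in the handler above.
public class SsoLink
{
    public int Id { get; set; }
    public string SsoId { get; set; } = default!;       // "sub" claim issued by myMLA SSO
    public string LocalUserId { get; set; } = default!; // IdentityUser.Id
}

public class ApplicationDbContext : IdentityDbContext<IdentityUser>
{
    public ApplicationDbContext(DbContextOptions<ApplicationDbContext> options) : base(options) { }
    public DbSet<SsoLink> SsoLinks => Set<SsoLink>();

    protected override void OnModelCreating(ModelBuilder builder)
    {
        base.OnModelCreating(builder);
        // One link per SSO subject and per local user: a duplicate created by a concurrent
        // first login, or a second SSO identity claiming the same account, fails at the database.
        builder.Entity<SsoLink>().HasIndex(x => x.SsoId).IsUnique();
        builder.Entity<SsoLink>().HasIndex(x => x.LocalUserId).IsUnique();
    }
}

// Hypothetical helper: resolves the local user id for a validated SSO principal (null = no link possible).
public static class SsoLinker
{
    public static async Task<string?> ResolveLocalUserIdAsync(
        ClaimsPrincipal principal, ApplicationDbContext db, UserManager<IdentityUser> users)
    {
        var ssoId = principal.FindFirst(ClaimTypes.NameIdentifier)?.Value;
        if (string.IsNullOrEmpty(ssoId)) return null;
        var link = await db.SsoLinks.FirstOrDefaultAsync(x => x.SsoId == ssoId);
        if (link is not null) return link.LocalUserId;
        // Auto-link only when the provider asserts the address is verified; an unverified
        // address must not be enough to attach an SSO identity to an existing local account.
        var email = principal.FindFirst(ClaimTypes.Email)?.Value;
        var verified = principal.FindFirst("email_verified")?.Value;
        if (email is null || !bool.TryParse(verified, out var isVerified) || !isVerified) return null;
        var user = await users.FindByEmailAsync(email); // normalized, case-insensitive lookup
        if (user is null) return null;
        db.SsoLinks.Add(new SsoLink { SsoId = ssoId, LocalUserId = user.Id });
        await db.SaveChangesAsync();
        return user.Id;
    }
}
```

Inside OnTokenValidated the helper would be called with context.Principal, the resolved ApplicationDbContext and signinManager.UserManager, and a null result handled exactly like the "no local user" redirect above.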