1

I followed this site to integrate WIF in my MVC web app: https://msdn.microsoft.com/en-us/library/hh291061.aspx

It works well, users can log in with SSO and anonymous users are forwarded to the SSO page.

I want to deny access to everyone but a certain AD group / user and I can't figure out where to place the rules.

I tried in system.web

<system.web>
    <authentication mode="None" />
    <authorization>
      <allow users="<domain>\<username>"/>
      <deny users="*" />      
    </authorization>
  </system.web>

But that doesn't seem to work, the specified allowed user is denied (401).

I tried in FederationMetadata and that didn't work either

<location path="FederationMetadata">
    <system.web>
      <authorization>
        <allow users="<domain>\<username>"/>
        <deny users="*"/>        
      </authorization>
    </system.web>
  </location>

I can't for the life of me figure this out. Any suggestions?

topher-j
  • 2,221
  • 5
  • 24
  • 35

1 Answers1

1

You could change the web.config back to:

<authorization>
    <allow users="*" />
</authorization>

And then perform your own authz, authn globally for the site in the HttpApplication.PostAuthenticateRequest.

mattman
  • 366
  • 1
  • 9
  • 1
    This is similar to what I ended up doing. Kept the original web.config permissions from the article and instead, made my own custom AuthorizationAttribute to check if the user was in the group, then applied that to a BaseController for all the controllers I needed it on. Used this link for help as well: http://stackoverflow.com/a/16746264/268566 Thanks for the suggestion! – topher-j Feb 18 '16 at 21:52