Developer forum

Forum » CMS - Standard features » Azure ad map properties

Azure ad map properties

E-mail notifications
Andreas Pettersson
Reply
Posted on 02/10/2023 13:13:39

Hi,

We want to use azure ad login provider for frontend users. 
I need to map the user on Email to see if it exists in dw database and if exists login to frontend application. But I can't see anyway to map properties from azure ad to dw user? 

I guess i should use the ´<a href="/Admin/Public/Social/ExternalLogin.aspx?action=login&amp;providerID=2" class="colorBlue mt-10">Logga in</a>´ to login thru my azure ad provider?

Regards
Andreas


Replies

 
Nicolai Pedersen Dynamicweb Employee
Nicolai Pedersen
Posted on 23/10/2023 17:26:43
Reply

Yes, just that link.

We get back an identifyer which is the email and map the user like that. If the user is not there, we create it on signup.

 
Andreas Pettersson
Posted on 24/10/2023 07:23:28
Reply

Thank you for information. 

Right now we have some problem with our azure ad setup. But will try as soon as we get it working.

 
Andreas Pettersson
Posted on 15/11/2023 14:45:02
Reply

Can i map the user on the email field in DW instead of the username field? 
Because the username field is not the email in our case. So when we login now using Azure ad it creates a new account because no user with my email exists in the username field. 

 
Nicolai Pedersen Dynamicweb Employee
Nicolai Pedersen
Posted on 16/11/2023 10:48:45
Reply

Hi Andreas

When we get the auth token back from Azure, it contains various information in the claim - Dynamicweb uses "preferred_username" to map the user - see https://learn.microsoft.com/en-us/entra/identity-platform/id-token-claims-reference - so the value in that field is what we try to match on the username. Username in Dynamicweb is the 'key' which is why we look at that column.

To make it look at the email field on a Dynamicweb user, we have to make a fallback in our external authentication handling that if we do not locate a user using the returned username (preferred_username field in the claims) we try to locate the user by looking at the email and use that instead. That would be a minor change from our side. Issue with this is that email is not immutable, meaning that the user can change their email address in the AD and then their login will start to fail - also 2 users in Azure could have the same email on them - i.e. info@something.com - and then when each of them login they would get the same user account in Dynamicweb. Both rare situations, but that would be the consequence.

Alternative to the above is to copy email to username field in DW - either by default or when a user starts an external login.

What are your thoughts?

 
Andreas Pettersson
Posted on 29/08/2024 11:57:49
Reply

Hi, 

I have 2 accounts with the same username (emailadress), one is active and the another is not active. When i login using azure ad it looks like it takes the inactive user and login using that. 
Is there any check on azure ad login to only match active users? In this case it not seems like that?

Regards
Andreas

 
Nicolai Pedersen Dynamicweb Employee
Nicolai Pedersen
Posted on 29/08/2024 16:17:22
Reply

Hi Andreas

The user in DW is mapped to your external user in AD using records in AccessUserExternalLogin table. My guess is you can update the records in that table to hit the correct user.

BR Nicolai

 

You must be logged in to post in the forum