Configuring ASP.NET Identity

By default InstantForum uses ASP.NET forms authentication to persist user authentication; however, InstantForum also offers optional out-of-the-box support for the newer ASP.NET Identity authentication model. This article describes how to enable ASP.NET Identity within InstantForum and how to configure the ASP.NET Identity support offered by InstantForum.

If you're integrating InstantForum within an MVC application or 3rd party framework that uses ASP.NET Identity and wish to provide a single sign on experience between InstantForum and your ASP.NET Identity application, this article should help.

Enabling ASP.NET Identity

First you'll need to instruct InstantForum to use ASP.NET Identity for user authentication. You can do this by changing the default user identity provider within the InstantForum web.config to use the "OwinIdentityProvider" provided by InstantForum as shown below...

<userIdentity defaultProvider="OwinIdentityProvider">
  <providers>
    <add name="InstantASPIdentityProvider" type="InstantASP.InstantKB.Providers.UserIdentity.InstantASPUserIdentityProvider, InstantASP.InstantKB" />
    <add name="OwinIdentityProvider" type="InstantASP.InstantKB.Providers.UserIdentity.OwinUserIdentityProvider, InstantASP.InstantKB" />
  </providers>
</userIdentity>

Once you've changed the default provider, save and close your InstantForum web.config.

NOTE
If you change the user identity provider within the InstantForum web.config whilst logged into your InstantForum installation, you will likely need to log in again once you save your web.config file. We suggest changing this setting only once, before deployment, to ensure users are not unexpectedly logged out.

Configuring the ASP.NET Identity authentication cookie

Unlike the forms authentication cookie, which is configured via the InstantForum web.config file, the ASP.NET Identity cookie must be configured via the "App_Code/Startup.Auth.cs" code file found within the root of your InstantForum installation.

The full code for the StartUp.Auth.cs file is shown below...

using Microsoft.AspNet.Identity;
using Microsoft.Owin;
using Microsoft.Owin.Security.Cookies;
using Owin;

[assembly: OwinStartup(typeof(Startup))]

public class Startup
{
    public void Configuration(IAppBuilder app)
    {
        // For more information on how to configure your application, visit https://go.microsoft.com/fwlink/?LinkID=316888
        app.UseCookieAuthentication(new CookieAuthenticationOptions
        {
            AuthenticationType = DefaultAuthenticationTypes.ApplicationCookie,
            LoginPath = new PathString("/Logon.aspx"),
            CookieName = "InstantASPOwin"
        });
    }
}
 

As the code example above shows, the cookie that stores the ASP.NET Identity information is named "InstantASPOwin". We don't specify a "CookieDomain" by default, so the cookie will only be accessible from the domain that issued the cookie.

Single Sign On With ASP.NET Identity

If your web site already issues an ASP.NET Identity cookie during login and you wish to share this with InstantForum to provide a single sign on experience, you will need to ensure the various cookie settings within the InstantForum "App_Code/StartUp.Auth.cs" file match your existing web site's "App_Code/StartUp.Auth.cs" settings. The key settings to consider are described below...

CookieName

You should ensure the "CookieName" is identical within all App_Code/StartUp.Auth.cs files of the sites that you wish to share the ASP.NET Identity cookie with.

CookieDomain

Whilst we don't specify a "CookieDomain" by default within the InstantForum App_Code/StartUp.Auth.cs file, it's important to specify this if you wish to share the ASP.NET Identity cookie across sub-domains.

For example, say your main web site is installed at https://www.mysite.com/ and your InstantForum installation is installed at https://forum.mysite.com. In this scenario, to ensure the ASP.NET Identity cookie can be read by both your main web site and your InstantForum installation on a sub-domain, you should specify the top level domain "mysite.com" for the cookie like so...

app.UseCookieAuthentication(new CookieAuthenticationOptions
{
    AuthenticationType = DefaultAuthenticationTypes.ApplicationCookie,
    LoginPath = new PathString("/Logon.aspx"),
    CookieName = "InstantASPOwin",
    CookieDomain = "mysite.com"
});

Specifying the top level domain ensures the ASP.NET Identity cookie can be accessed by any sub-domain of your main web site, for example "forum.mysite.com". If you don't specify the top level domain, the ASP.NET Identity cookie will only be accessible on the same domain that issued the cookie.
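
Because a cookie scoped to "mysite.com" is sent to every sub-domain of the site, it helps to define the shared settings in one place and tighten them there. The following is an added example, not part of the InstantForum code base: the SharedIdentityCookie class, the "/Account/Login" path mentioned in its comments and the 8 hour lifetime are assumptions. It also assumes both applications are configured with the same machineKey in web.config, so each can decrypt the cookie the other issued.

```csharp
using System;
using Microsoft.AspNet.Identity;
using Microsoft.Owin;
using Microsoft.Owin.Security.Cookies;
using Owin;

// Hypothetical helper (not an InstantForum type): a single source of truth for
// every cookie setting the main web site and InstantForum must agree on.
public static class SharedIdentityCookie
{
    public const string CookieName = "InstantASPOwin"; // name used in the article
    public const string CookieDomain = "mysite.com";   // the article's example domain

    // loginPath is the only value that differs per site, e.g. "/Logon.aspx" for
    // InstantForum and an assumed "/Account/Login" for the main web site.
    public static CookieAuthenticationOptions Create(string loginPath)
    {
        return new CookieAuthenticationOptions
        {
            // Must be identical in both sites, just like the cookie name.
            AuthenticationType = DefaultAuthenticationTypes.ApplicationCookie,
            LoginPath = new PathString(loginPath),
            CookieName = CookieName,
            CookieDomain = CookieDomain,

            // The cookie now travels to every *.mysite.com host, so never
            // issue it over plain HTTP and keep it away from client script.
            CookieSecure = CookieSecureOption.Always,
            CookieHttpOnly = true,

            // Assumed lifetime: bounds how long a copied cookie stays valid.
            ExpireTimeSpan = TimeSpan.FromHours(8),
            SlidingExpiration = true
        };
    }
}

// Startup for the InstantForum side; the main web site calls Create with its own login path.
public class Startup
{
    public void Configuration(IAppBuilder app)
    {
        app.UseCookieAuthentication(SharedIdentityCookie.Create("/Logon.aspx"));
    }
}
```

With CookieSecureOption.Always the cookie is only issued over HTTPS, which matches the https:// addresses used in the example above.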

Sign In With ASP.NET Identity

InstantForum uses the following claims within the ASP.NET Identity cookie to store the current user's username and email address. The SignIn method used when ASP.NET Identity is enabled is shown below. The highlighted claims (ClaimTypes.Name and ClaimTypes.Email) are important, as your main web site must also store the same information within these claims for single sign on to work between your main web site and InstantForum.

// Requires: System.Collections.Generic, System.Security.Claims, System.Web,
// Microsoft.AspNet.Identity and Microsoft.Owin.Security
public static void SignIn(Components.User user, bool isPersistent)
{
    // OWIN / ASP.NET Identity claims based approach
    List<Claim> claims = new List<Claim>();
    claims.Add(new Claim(ClaimTypes.Name, user.Username));
    claims.Add(new Claim(ClaimTypes.Email, user.EmailAddress));

    // Build an identity for the application cookie from these claims
    var identity = new ClaimsIdentity(claims, DefaultAuthenticationTypes.ApplicationCookie);

    var ctx = System.Web.HttpContext.Current.GetOwinContext();
    var authManager = ctx.Authentication;

    // Clear any external login cookie, then issue the application cookie
    authManager.SignOut(DefaultAuthenticationTypes.ExternalCookie);
    authManager.SignIn(new AuthenticationProperties() { IsPersistent = isPersistent }, identity);
}

Creating InstantForum User Accounts

Once the ASP.NET Identity cookie is shared between your main web site and InstantForum, single sign on will only work correctly if the user with the username or email address stored within the ASP.NET Identity claims also exists within the InstantForum database tables.

The easiest way to do this is to simply add users to the InstantForum database during the registration process on your main web site using the InstantForum .NET API. You will first need to reference the InstantForum assemblies and then you'll need to create users programmatically from your web site's registration page.

For example, let's say you have an MVC Register action within your controller. You would add code similar to that shown below to create the user within the InstantForum database tables.

[HttpPost]
public virtual async Task<ActionResult> Register(RegisterViewModel model)
{
    // Look up the forum defaults applied to new accounts
    double timeZoneOffSet = InstantASP.Common.Application.SettingsController.Instance().TimeZoneOffset;
    InstantASP.Common.Components.RoleInfo role = InstantASP.Common.Business.Roles.SelectRole(InstantASP.Common.Enumerations.EnumRequiredRoles.Member);

    // Create the matching user within the InstantForum database tables
    int userId = InstantASP.InstantForum.Business.User.InsertUpdateUser(
        new InstantASP.InstantForum.Components.User()
        {
            Username = model.UserName,
            EmailAddress = model.EmailAddress,
            TimeZoneOffset = timeZoneOffSet,
            PrimaryRoleID = (role.RoleID != null ? role.RoleID : 0)
        });

    if (userId > 0)
    {
        // everything was OK with adding the new forum user
        InstantASP.InstantForum.Components.User createdUser =
            new InstantASP.InstantForum.Components.User(userId);
    }
    else if (userId == -1)
    {
        // username already exists
    }
    else if (userId == -2)
    {
        // email already exists
    }

    // placeholder: return whatever your Register action normally returns
    return View(model);
}

A Note On User Passwords

If you are handling the authentication of users via your main web site's login page, and this page is responsible for checking the user's login credentials against your main web site's users table, you do not need to store a user password within the InstantForum database.

InstantForum simply requires that the user exists within the InstantASP_Users and InstantForum_Uses database tables with the same username and email address as the account within your main users table. The ASP.NET Identity cookie indicates authentication was successful via your main web site's login page, so no user password is necessary within the InstantForum database.