davidjrh/dnn.azureadprovider

Multi Portal Enhancements

Opened this issue · 3 comments

I have an idea for enhancing the way the system works with multiple portals. I think the easiest way to explain what I am trying to accomplish is with an example. Let's assume you have a company with multiple portals like company.com, accounting.company.com, hr.company.com, portal.company.com (intranet for all employees) etc. If all the portals use the same Azure AD (Use Global Settings = true) then you could surface two other settings both portal specific:

  1. Automatically add authenticated user to this portal.
  2. Required AAD group to automatically add user to this portal.

This way, if the first setting was true and the second was blank, when you authenticated through Azure AD you would automatically be added to the portal, even if you were already a user on another portal. So for example, I am a user on company.com and I login using AAD to portal.company.com the AzureClient adds me to the userportals table for that portal and adds appropriate roles.

If the first setting is true and the second is non-blank, when you authenticate through Azure AD it would verify you have the AAD group associated with the second setting before either adding you to portal or authorizing you.

So in the example:
company.com: 1 = true, 2 = null
accounting.company.com: 1 = true, 2 = "accounting staff"
hr.company.com: 1 = true, 2 = "hr staff"
portal.company.com: 1 = true, 2 = null.

So user 1 with "accounting staff" AAD group can login to company.com, accounting.company.com, portal.company.com but not hr.company.com.

Hopefully, this makes sense. I have modified the code in AzureClient.cs and have it working correctly, but have not tried to add these settings to the UI; they are just hard coded into AzureClient.cs at the moment. I have never really worked with open source before and have not worked with the persona bar / React components. I would be willing to learn and finish this option out if it is something you are interested in, but didn't want to proceed too far if it does not fit with your plans.

After a little more thought, I have decided it doesn't really need the first setting mentioned above (Automatically add authenticated user to this portal). I believe if the provider is enabled for the portal and Use Global Settings is true, it should automatically add authenticated users to the portal. If these conditions are met, it simply needs to verify if a Required Azure AD Group exists for this portal and check it before authenticating and adding the user to the portal if needed.

I have this functioning along with the UI for the setting. It now meets the needs I have of allowing users to use multiple portals and controlling their access via Azure AD Groups. I will create a pull request for your review.
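The per-portal gating described above, as an added illustration that is not the provider's code or the pull request's: a decision function that runs before the user is written to UserPortals, evaluated over the four constructed portals from the example. It assumes the required-group setting stores the same value form that the token's `groups` claim carries (Azure AD emits group object IDs by default, so the display names used here stand in for whatever identifier is configured), and it fails closed when the claim is absent or when the token signals group overage (`_claim_names`/`_claim_sources` instead of `groups`), because membership cannot be verified from the token alone.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;

// Hypothetical per-portal setting; a blank RequiredGroup means "no group required".
public sealed class PortalAadSettings
{
    public int PortalId { get; set; }
    public bool UseGlobalSettings { get; set; }
    public string RequiredGroup { get; set; }
}

public enum PortalAccess { Allowed, DeniedMissingGroup, DeniedCannotVerify, NotApplicable }

public static class PortalAccessPolicy
{
    // Decide whether an AAD-authenticated user may be auto-added to this portal.
    // groupsClaim: values of the token's "groups" claim, or null when the claim is absent.
    // hasGroupOverage: true when the token carries "_claim_names"/"_claim_sources"
    // instead of "groups", i.e. membership is not provable from the token (fail closed).
    public static PortalAccess Evaluate(PortalAadSettings portal,
                                        IReadOnlyCollection<string> groupsClaim,
                                        bool hasGroupOverage)
    {
        if (!portal.UseGlobalSettings) return PortalAccess.NotApplicable;
        if (string.IsNullOrWhiteSpace(portal.RequiredGroup)) return PortalAccess.Allowed;
        if (hasGroupOverage || groupsClaim == null) return PortalAccess.DeniedCannotVerify;
        return groupsClaim.Contains(portal.RequiredGroup, StringComparer.Ordinal)
            ? PortalAccess.Allowed
            : PortalAccess.DeniedMissingGroup;
    }
}

public static class Demo
{
    public static void Main()
    {
        // Constructed portals mirroring the issue's example (Use Global Settings = true everywhere).
        var portals = new[]
        {
            new PortalAadSettings { PortalId = 0, UseGlobalSettings = true, RequiredGroup = null },               // company.com
            new PortalAadSettings { PortalId = 1, UseGlobalSettings = true, RequiredGroup = "accounting staff" }, // accounting.company.com
            new PortalAadSettings { PortalId = 2, UseGlobalSettings = true, RequiredGroup = "hr staff" },         // hr.company.com
            new PortalAadSettings { PortalId = 3, UseGlobalSettings = true, RequiredGroup = null },               // portal.company.com
        };
        var groups = new[] { "accounting staff" }; // constructed "groups" claim for "user 1"
        foreach (var p in portals)
            Console.WriteLine($"portal {p.PortalId}: {PortalAccessPolicy.Evaluate(p, groups, hasGroupOverage: false)}");
        // Expected: portals 0, 1 and 3 -> Allowed; portal 2 -> DeniedMissingGroup.
    }
}
```

Only an Allowed result should lead to the UserPortals insert and role mapping; a DeniedCannotVerify result is the case to log separately, since it means the check was skipped by the token rather than failed by the user.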

I am adding on here, as I'm trying to have multiple portals use the same AAD authentication for single users. When authenticating for the first time the user is created (along with the authentication token record in UserAuthentication) and a record is created in UserPortals. But when attempting authentication in another portal in the installation (that has dnn.azureadprovider configured) the authentication returns but DNN errors with "this user does not exist in this portal ([portalId])." Does the provider add AAD authenticated users to the UserPortal table on successful authentication originating from another portal? Does this need to be added manually? And how does this impact Profile claims and Role mapping?

@djh146 - I actually created a pull request to address your specific issue, but it was ignored. I don't know if I did something wrong or if it just didn't fit with the plans. My code is now too far behind to be useful but if you are interested in how I did it you can look at my commit: 1f654a2#diff-16406b618ac815f5457ef1646dd94d09a514cf7ee8c9b6552e8daf1edbc8b4f8R591.