davidjrh/dnn.azureadprovider

Private registration and login after admin authorization

Closed this issue · 6 comments

DNN 9.9.0
DDN Azure AD Provider 4.0.4

Hi @davidjrh ,
I set private registration on my portal. It works properly because non-existing users are created with no authorization (new setting from v4.0.4). They receive the message about admin authorization and close the browser window.
The admin authorizes the user, the user opens a browser window, goes to the site and the site immediately asks to choose a login account without clicking on the button. It happens on Chrome, Firefox and Edge.

Is this correct? If yes, can you explain to me why?

PS: I've tried to power off the PC but there is no way to click on the button. It seems the browser keeps something persistent...

There is an AzureUserToken cookie that enables "auto login".

Can I modify it?

Hi, the Azure AD auth cookie is set on the browser and it is alive for 1h (60min by default, you can change it in the Azure AD settings). So if the user accesses the site again, with the same browser that was already opened, it won't ask to login. This is expected because the cookie will remain there for 1h.

Note that if you have Windows 10 with users logged in with Azure AD credentials and using Edge, the browser will automatically do SSO, so the login screen won't appear unless you explicitly do a logoff or open the browser in a private session. But this is only in Edge.

Ok, thanks @davidjrh. The cookie can be edited only in Azure Premium.

Is there a way to notify the user that login is refused because he is unauthorized? I do this through DNN, correct?

On v4.0.4 I added an option for the cases where an Azure AD auth error occurred (i.e. the user can sign in into Azure AD, but the app registration in Azure AD is set up for manual assignment, so the user can't login into the website because he is not authorized). In that case, you can use this setting:

image

My approach is to authorize the users at the Azure AD level by using manual assignment of Azure AD users and/or groups through the Azure portal, so I normally leave "Auto-Authorize Users After Login" set to true for that reason.

If you want to manage authorization at the DNN level, you would need to start playing with the "Unauthorized Users" role and set up redirections, but I prefer the other one above because of management centralization on Azure AD.

BTW, I normally create the page "/auth-error" including a Razor Host module that comes with the DNN Platform installation with the following template:

```cshtml
@* Read the OAuth error parameters the provider appends to the redirect URL.
   Razor HTML-encodes @-expressions by default, so these query-string values
   are rendered as text, not interpreted as markup. *@
@{
    var errorMsg = Request["error"];
    var errorDesc = Request["error_description"];
}
<style>
    /* Hide DNN's own form message and the profile dropdown on this page */
    .dnnFormMessage { display: none; }
    .dropdown.profile-element { display: none; }
</style>
<h1>:( User not authorized</h1>
<p>Contact the site admin to verify your permissions to this portal.</p>

<br /><br />
<h5>ADMIN DETAILS</h5>
@* <pre> is a block element and cannot sit inside <p>, so keep it separate *@
<p><strong>Error: </strong>@errorMsg</p>
<p><strong>Description: </strong></p>
<pre>@errorDesc</pre>
```

Thank you, David, for your exhaustive example.