Authentication using IdentityServer
BREAKING CHANGES
This provider was removed in the 5.19 release. Use the SAML2 provider instead to authenticate with an IdentityServer IdP.
The information below is only valid for ImageVault versions earlier than 5.19.
This SecurityModule uses federated authentication and is tested against an IdentityServer3 test site.
IdentityServer
To use IdentityServer authentication you need an IdentityServer service provider.
Set up a service provider
ImageVault UI
To activate IdentityServer authentication, the following changes must be made in web.config.
Authentication
When using IdentityServer authentication, the authentication mode must be set to None.
<system.web>
  <authentication mode="None"/>
</system.web>
ConnectionStrings
To use IdentityServer with ImageVault add/modify the connection string named ImageVaultSecurityManager.
<connectionStrings>
<add name="ImageVaultSecurityManager"
providerName="ImageVault.IdentityServer.Providers.IdSrvSecurityManager,ImageVault.IdentityServer.Providers"
connectionString="clientId=imagevault.local;clientSecret=********;authority=https://identity3.imagevault.se/IdSrv3;redirectUri=http://imagevault.local;responseType=code id_token;scope=openid email names roles;useTokenLifetime=true;signInAsAuthenticationType=Cookies;cookieName=.idsrvsession;idClaimType=sub"/>
</connectionStrings>
name
Must be ImageVaultSecurityManager so that the UI can detect which connection string to use for the SecurityManager.
providerName
Tells ImageVault.UI which SecurityManager to use (see ISecurityManager for more information).
For IdentityServer, use the following providerName: ImageVault.IdentityServer.Providers.IdSrvSecurityManager,ImageVault.IdentityServer.Providers
connectionString
This is a key/value string where key and value are separated by an equals sign (=) and each pair is terminated with a semicolon (;).
The possible keys are listed below (keys are case-insensitive).
clientId
This is the name of a client, defined in IdentityServer.
clientSecret
This is the client's password.
ivBaseUrl
The base URL of the ImageVault instance.
authority ???
This is the Application ID for the application. You find it as a GUID when opening the applications tab.
Optional connectionString keys
The following configuration options all have default values and only need to be adjusted if you want to change the default behavior.
redirectUri
Redirect URL after successful authentication.
The default endpoint is {ivBaseUrl}/signin-oidc.
responseType
The expected response type.
Default response type is code id_token token.
scope
The expected scope.
Default scope is openid profile.
useTokenLifetime
Set this to accept token renewals.
Default is true.
signInAsAuthenticationType
Set the authentication type to use.
Default is Cookies.
cookieName
Set the name of the authentication cookie.
Default name is .idsrvsession.
roleClaimType
Claim name to map as a role claim.
Default role type is http://schemas.microsoft.com/ws/2008/06/identity/claims/role.
nameClaimType
Claim name to map as a name claim.
Default name type is http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name.
idClaimType
Claim nameidentifier to map as an ID claim.
Default nameidentifier type is http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier.
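The following script is an added example, not ImageVault code. It parses the connection string format described above (case-insensitive keys, pairs terminated with semicolons), applies the documented defaults, and reviews a web.config before deployment. The function names and the sample document are constructed for illustration, and the https check on authority and redirectUri is a review rule added here, not a requirement stated on this page.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Defaults this page documents for the optional keys (keys stored lower-case).
DEFAULTS = {"responsetype": "code id_token token", "scope": "openid profile",
            "usetokenlifetime": "true", "signinasauthenticationtype": "Cookies",
            "cookiename": ".idsrvsession"}

# Constructed sample: the two web.config fragments from this page, shortened.
SAMPLE = """<configuration>
  <system.web><authentication mode="None"/></system.web>
  <connectionStrings>
    <add name="ImageVaultSecurityManager"
         connectionString="ClientId=imagevault.local;clientSecret=********;authority=https://identity3.imagevault.se/IdSrv3;redirectUri=http://imagevault.local;"/>
  </connectionStrings>
</configuration>"""

def parse_connection_string(value):
    """Split 'key=value;' pairs into a dict with lower-cased keys."""
    settings = {}
    for pair in filter(str.strip, value.split(";")):
        key, sep, val = pair.partition("=")
        if not sep:
            raise ValueError(f"pair without '=': {pair!r}")
        settings[key.strip().lower()] = val.strip()
    return settings

def audit(web_config_xml):
    """Return (effective settings, findings) for a web.config document."""
    root = ET.fromstring(web_config_xml)
    findings = []
    auth = root.find("./system.web/authentication")
    if auth is None or auth.get("mode") != "None":
        findings.append("authentication mode is not None")
    entry = root.find("./connectionStrings/add[@name='ImageVaultSecurityManager']")
    if entry is None:
        return {}, findings + ["ImageVaultSecurityManager connection string missing"]
    cfg = {**DEFAULTS, **parse_connection_string(entry.get("connectionString", ""))}
    if "redirecturi" not in cfg and "ivbaseurl" in cfg:  # documented default endpoint
        cfg["redirecturi"] = cfg["ivbaseurl"].rstrip("/") + "/signin-oidc"
    for key in ("authority", "redirecturi"):
        if key not in cfg:
            findings.append(f"{key} is not set")
        elif urlsplit(cfg[key]).scheme.lower() != "https":
            findings.append(f"{key} is not https: {cfg[key]}")
    return cfg, findings

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE)[1]))
```

Run against the sample, the only finding is the plain-HTTP redirectUri, the address that receives the code and id_token requested by the response type.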