Microsoft Dynamics CRM (Archived)

Passing additional parameters to authorize endpoint for external authentication with customer portal

Posted on by Microsoft Employee

Hi,

I am new to Dynamics 365, and I have been tasked with configuring external OpenID Connect authentication on a customer portal with our corporate single sign-on application. The SSO app has been built on top of IdentityServer3.

I have got the portal and the IdentityServer working together by creating the following portal site settings:

  • Authentication/OpenIdConnect/IdentityServer/Authority
  • Authentication/OpenIdConnect/IdentityServer/Caption
  • Authentication/OpenIdConnect/IdentityServer/ClientId
  • Authentication/OpenIdConnect/IdentityServer/ClientSecret
  • Authentication/OpenIdConnect/IdentityServer/MetadataAddress
  • Authentication/OpenIdConnect/IdentityServer/Scope
  • Authentication/OpenIdConnect/IdentityServer/RoleClaimType

And I have created a hybrid client in my Identity Server configuration with matching values. This has enabled me to log in to the customer portal using an account in my corporate Identity Server.

I have inspected the sign-in page HTML and the network traffic and have derived the following process:

  • /SignIn, click the "Login with Identity Server" button:
    • Form posts to https://{{portal url}}/Account/Login/ExternalLogin?ReturnUrl=%2Fsupport%2Fcreate-case%2F
    • Submit button contains the value={{Authentication/OpenIdConnect/IdentityServer/Authority}}
  • Account/Login/ExternalLogin
    • Looks up the OpenID settings for the IdentityServer provider using the value submitted, e.g. {{Authentication/OpenIdConnect/IdentityServer/Authority}}
    • Hits the IdentityServer OpenID configuration endpoint to look up the authorization endpoint URL
    • Constructs an authorization URL and returns a 302 redirecting to this URL
  • 302 redirect
    • {{Identity Server authorize endpoint}}?client_id={{portal client id}}&response_mode=form_post&response_type=code%20id_token&scope=openid%20roles%20profile%20email&state=OpenIdConnect.AuthenticationProperties%3Dazh4lUj7407fEISgN3lnxgdUrSV4DtcgLbco0n1mplH1-YRG6qioyI8_IaLX3Din2TieJy-scXR4YFNpeXFCUQaVTC3YmAAfTd1LTw-C05HndSwTERGPE5skay3mrvFkHlmIAm7EGN2hY9Yr1I8wMEcMePQDoELbMxA9x-cYgV9_ceIpjYZKTO5i-i3wXheYuEjjknRQ20IHM7jHL1ILpP_qceimN6LtWLrmHIjtUsa086Tr65sYcZ8KGIEJIbt-UKo7SHOhHM866HTa_9KYxA&nonce=636479778110580666.Y2VhZDIzNzEtMWRlMC00NzA3LTkyNmQtNjlhYzlkNzExNWRlYjA2MTBhMmItN2MwMS00MjYzLWExY2QtOTk0YzRkYjFkYmNi&redirect_uri={{client redirect uri}}
  • Identity Server
    • Receives this request
    • Constructs a sign-in message
    • Redirects to the identity server login page

My next task is to try to pass some additional query string parameters in the authorization request that the customer portal sends to the IdentityServer, so I need to somehow tap into the Account/Login/ExternalLogin method to do this.

Anyone got any ideas how this can be done?
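An added example, not portal or IdentityServer code: it rebuilds an authorization request of the shape traced above (hybrid `code id_token`, `form_post`, the same scopes), shows where an extra parameter would land in the query string, and applies the checks a provider should make on such a request before showing its login page. The endpoint, client id, redirect URI, state and nonce values are constructed placeholders.

```python
from urllib.parse import urlencode, urlsplit, parse_qs
REGISTERED_CLIENT = {  # constructed stand-in for the IdentityServer client record
    "client_id": "portal-client",
    "redirect_uris": {"https://portal.example.com/signin-identityserver"},
    "allowed_response_types": {"code id_token"},  # hybrid client, as in the question
    "allowed_scopes": {"openid", "roles", "profile", "email"},
}

def build_authorize_url(authorize_endpoint, client_id, redirect_uri,
                        state, nonce, extra=None):
    """Rebuild the request shape the portal sends; `extra` models the extra
    parameters the thread wants appended (for example acr_values)."""
    params = {
        "client_id": client_id,
        "response_mode": "form_post",
        "response_type": "code id_token",
        "scope": "openid roles profile email",
        "state": state,
        "nonce": nonce,
        "redirect_uri": redirect_uri,
    }
    params.update(extra or {})
    return f"{authorize_endpoint}?{urlencode(params)}"

def validate_authorize_request(url, client=REGISTERED_CLIENT):
    """Checks a provider should make before redirecting to its login page.
    Returns the problems found; an empty list means the request is acceptable."""
    q = {k: v[0] for k, v in parse_qs(urlsplit(url).query, keep_blank_values=True).items()}
    problems = []
    if q.get("client_id") != client["client_id"]:
        problems.append("unknown client_id")
    # Exact match against the registration; never compare by host or prefix.
    if q.get("redirect_uri") not in client["redirect_uris"]:
        problems.append("redirect_uri not registered for this client")
    response_types = set(q.get("response_type", "").split())
    if " ".join(sorted(response_types)) not in client["allowed_response_types"]:
        problems.append("response_type not allowed for this client")
    scopes = set(q.get("scope", "").split())
    if "openid" not in scopes:
        problems.append("scope does not include openid")
    if not scopes <= client["allowed_scopes"]:
        problems.append("scope requests values not allowed for this client")
    # An id_token returned in the front channel must be bound to a nonce, and
    # state ties the form_post response back to the session that started it.
    if "id_token" in response_types and not q.get("nonce"):
        problems.append("nonce required when id_token is requested")
    if not q.get("state"):
        problems.append("state missing")
    return problems
```

The `redirect_uri` check is the reason a provider must not accept a redirect target that merely shares a host with the registration; any extra parameter the portal appends is carried through untouched and can be validated the same way.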


  • RE: Passing additional parameters to authorize endpoint for external authentication with customer portal

    I am in a sort of similar situation ... I have to set a RedirectUri whose hostname is not the same as the portal's, i.e. an Azure-hosted custom web app that provides a sort of custom MFA. However, when the portal makes the "GET /connect/authorize ... " request to the OpenID provider, it changes the hostname of the redirect URI to the portal's hostname :( ... I think MS should do something about this, so one could provide trusted companion apps in portal settings and then use those for such purposes. Do any of you portal champs know if this is possible today and I am overlooking it?

  • Suggested answer
    oliver.rodrigues
    RE: Passing additional parameters to authorize endpoint for external authentication with customer portal

    Hi, we were able to find a solution for this using the on-prem Community Portals.

    In the LoginController class, locate the ExecuteResult method and change the following:

    context.HttpContext.GetOwinContext().Authentication.Challenge(properties, LoginProvider);

    to:

    IOwinContext owinContext = context.HttpContext.GetOwinContext();
    // make the value available in the OWIN environment before issuing the challenge
    owinContext.Environment.Add("<your additional param>", <additional param value>);
    owinContext.Authentication.Challenge(properties, LoginProvider);
  • oliver.rodrigues
    RE: Passing additional parameters to authorize endpoint for external authentication with customer portal

    Hi Weltzy, are you using the Community Portals?

    Where exactly did you make the changes? I added my additional parameter in the StartupSettingsManager class, but I can't really find where to include it in the URL. Can you guide me to where it is?

    thanks

  • Community Member (Microsoft Employee)
    RE: Passing additional parameters to authorize endpoint for external authentication with customer portal

    I raised a ticket with Microsoft in December, and they told me that this was not possible (then).

    I ended up storing some claims in Identity Server and associating these with the client, then just looking up these values in my code. This way I got around having to pass any additional info in my request.

  • RE: Passing additional parameters to authorize endpoint for external authentication with customer portal

    Any update? We're looking to achieve the same goal.
