
Upgrade from ABP 4 to ABP 8 single sign on user for new user #9681


DominaTang created

After upgrading the application from ABP 4 to ABP 8, single sign-on with Azure AD doesn't work for a new user. Application: no multi-tenancy, layered application.

For all existing users, login works fine. From the AbpUserLogin table we can tell the provider is Azure AD. However, when we create a new user via the admin UI (enter user info and assign roles), the AbpUsers and AbpUserRoles table data looks good. But when logging into the application via single sign-on from Azure AD, the application navigates to the user registration page.


7 Answer(s)
  • AI-Bot created
    Support Team ABP Agent
    • When you create a new user via the admin UI in ABP, the user is registered in the ABP identity system, but there is no external login mapping (such as Azure AD) in the AbpUserLogins table for that user. When the user attempts to log in via Azure AD SSO, ABP tries to find a user with a matching external login (provider key and provider name). If it doesn't find one, it treats the login as a new external user and redirects to the registration page.

    • For existing users, the AbpUserLogins table already contains the mapping between the ABP user and the Azure AD provider, so SSO works as expected.

    Solution: To enable SSO for new users created via the admin UI, you must ensure that an entry is created in the AbpUserLogins table for the Azure AD provider when the user is created. This is not done automatically by ABP when you create a user via the admin UI.

    How to fix:

    1. After creating a user via the admin UI, you need to manually associate the Azure AD login with the user. This can be done by:

      • Having the user log in once via Azure AD, which will create the mapping (but will prompt for registration if not found).
      • Or, programmatically insert a record into the AbpUserLogins table for the user, specifying the correct provider name (e.g., "AzureAD") and provider key (the Azure AD user's unique identifier).
    2. Alternatively, you can customize the user creation process to allow an admin to specify the external login provider and key when creating a user, and insert the mapping at that time.

    References:


    This response was generated by AI. If it didn’t solve your problem, feel free to post a new answer — our support team will jump in to help you soon.

  • DominaTang created

    Can you write code that captures the UserCreated event and programmatically inserts a record into the AbpUserLogins table?
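The following is an added example (not code from the thread or from the ABP project) of what such a handler can look like in ABP 8: it reacts to the local `EntityCreatedEventData<IdentityUser>` event that the identity module raises when a user is created, and uses the built-in `IdentityUserManager.AddLoginAsync` to write the `AbpUserLogins` row instead of inserting into the table directly. The provider name `"AzureAD"`, the extra property name `"AzureAdObjectId"` (where the admin UI is assumed to store the Azure AD object id of the person being created), the class name `AzureAdLoginLinker` and the namespace are all assumptions for illustration.

```csharp
using System.Linq;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Identity;
using Microsoft.Extensions.Logging;
using Volo.Abp.Data;
using Volo.Abp.DependencyInjection;
using Volo.Abp.Domain.Entities.Events;
using Volo.Abp.EventBus;
using Volo.Abp.Identity;
using Volo.Abp.Uow;

namespace MyCompany.MyProject.Identity; // hypothetical namespace

// Local event handlers run inside the same unit of work that created the user,
// so a failure to link the login rolls back the user creation instead of leaving
// an account that exists but can never sign in through Azure AD.
public class AzureAdLoginLinker
    : ILocalEventHandler<EntityCreatedEventData<IdentityUser>>, ITransientDependency
{
    // Must equal the authentication scheme name registered for Azure AD; this is the
    // value that ends up in AbpUserLogins.LoginProvider. Assumed value.
    public const string AzureAdProvider = "AzureAD";

    // Extra property on IdentityUser holding the Azure AD object id entered by the admin.
    // Assumed name; it has to be registered with ObjectExtensionManager (see usage note).
    public const string ObjectIdPropertyName = "AzureAdObjectId";

    private readonly IdentityUserManager _userManager;
    private readonly ILogger<AzureAdLoginLinker> _logger;

    public AzureAdLoginLinker(IdentityUserManager userManager, ILogger<AzureAdLoginLinker> logger)
    {
        _userManager = userManager;
        _logger = logger;
    }

    [UnitOfWork]
    public virtual async Task HandleEventAsync(EntityCreatedEventData<IdentityUser> eventData)
    {
        var user = eventData.Entity;

        // Users created without an Azure AD id (local accounts, the seeded admin) are left alone.
        var objectId = user.GetProperty<string>(ObjectIdPropertyName);
        if (string.IsNullOrWhiteSpace(objectId))
        {
            _logger.LogDebug("User {UserName} has no {Property}; not linking an external login.",
                user.UserName, ObjectIdPropertyName);
            return;
        }

        // Idempotent: a user that already carries an Azure AD login is not linked twice.
        var existingLogins = await _userManager.GetLoginsAsync(user);
        if (existingLogins.Any(l => l.LoginProvider == AzureAdProvider))
        {
            return;
        }

        // Writes the AbpUserLogins row. ASP.NET Core Identity rejects a provider key that is
        // already bound to another user (LoginAlreadyAssociated); CheckErrors() turns that
        // into an exception, so one Azure AD identity can never be mapped to two ABP accounts.
        var result = await _userManager.AddLoginAsync(
            user,
            new UserLoginInfo(AzureAdProvider, objectId, "Azure AD"));
        result.CheckErrors();

        _logger.LogInformation("Linked user {UserName} to {Provider} with key {Key}.",
            user.UserName, AzureAdProvider, objectId);
    }
}
```

Two things have to be in place for this to work. First, the extra property must be declared in the Domain.Shared module, e.g. `ObjectExtensionManager.Instance.Modules().ConfigureIdentity(identity => identity.ConfigureUser(user => user.AddOrUpdateProperty<string>("AzureAdObjectId")))`, and exposed on the admin's create-user form so that only an administrator can supply it. Second, the key stored must be exactly the `ProviderKey` that the external login callback later presents for that person (for an OpenID Connect scheme this is normally the NameIdentifier claim), and the provider name must be exactly the scheme's `LoginProvider`; `ExternalLoginSignInAsync` matches on both, so a mismatch in either still sends the user to the registration page. Verify the pair with one test account before relying on it. The handler needs no explicit registration: `ITransientDependency` registers it and ABP wires local event handlers automatically.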

  • maliming created
    Support Team Fullstack Developer

    hi

    Does your single sign on user have the same email as the existing user?

    the application is navigated to user registration page.

    Does the app get your single sign on user email on the register page?

    Thanks.

  • DominaTang created

    Yes.

  • maliming created
    Support Team Fullstack Developer

    hi

    Does the app get your single sign on user email on the register page?

    If the registration page can get your email address, that means externalUser is null.

    var externalUser = await UserManager.FindByEmailAsync(email);

    You can override the Login page to debug the OnGetExternalLoginCallbackAsync method.

    using System.Security.Claims;
    using System.Threading.Tasks;
    using Microsoft.AspNetCore.Authentication;
    using Microsoft.AspNetCore.Identity;
    using Microsoft.AspNetCore.Mvc;
    using Microsoft.Extensions.Logging;
    using Microsoft.Extensions.Options;
    using Volo.Abp.Account;
    using Volo.Abp.Account.Web.Pages.Account;
    using Volo.Abp.DependencyInjection;
    using Volo.Abp.Identity;
    using Volo.Abp.OpenIddict;
    using Volo.Abp.Security.Claims;
    using Volo.Abp.Uow;

    // ReplaceServices makes this model take over both registrations instead of being added beside them.
    [Dependency(ReplaceServices = true)]
    [ExposeServices(typeof(OpenIddictSupportedLoginModel), typeof(LoginModel))]
    public class MyLoginModel : OpenIddictSupportedLoginModel
    {
        // Constructor parameters follow the ABP 8.x base class; adjust them to your exact version.
        public MyLoginModel(
            IAuthenticationSchemeProvider schemeProvider,
            IOptions<AbpAccountOptions> accountOptions,
            IOptions<IdentityOptions> identityOptions,
            IdentityDynamicClaimsPrincipalContributorCache identityDynamicClaimsPrincipalContributorCache,
            AbpOpenIddictRequestHelper openIddictRequestHelper)
            : base(schemeProvider, accountOptions, identityOptions, identityDynamicClaimsPrincipalContributorCache, openIddictRequestHelper)
        {
        }

        [UnitOfWork]
        public override async Task<IActionResult> OnGetExternalLoginCallbackAsync(string remoteError = null)
        {
            if (remoteError != null)
            {
                Logger.LogWarning($"External login callback error: {remoteError}");
                return RedirectToPage("./Login");
            }

            await IdentityOptions.SetAsync();

            // Claims and provider key handed back by the external scheme (Azure AD).
            var loginInfo = await SignInManager.GetExternalLoginInfoAsync();
            if (loginInfo == null)
            {
                Logger.LogWarning("External login info is not available");
                return RedirectToPage("./Login");
            }

            // Succeeds only if AbpUserLogins already maps this LoginProvider/ProviderKey to a user.
            var result = await SignInManager.ExternalLoginSignInAsync(
                loginInfo.LoginProvider,
                loginInfo.ProviderKey,
                isPersistent: true,
                bypassTwoFactor: true
            );

            if (result.IsNotAllowed || result.IsLockedOut || result.RequiresTwoFactor)
            {
                Logger.LogWarning($"External login failed with status: {result}");
                return RedirectToPage("./Login");
            }
            //TODO: Handle other cases for result!

            // Fallback: match the external identity to an existing user by email claim.
            var email = loginInfo.Principal.FindFirstValue(AbpClaimTypes.Email) ?? loginInfo.Principal.FindFirstValue(ClaimTypes.Email);
            if (email.IsNullOrWhiteSpace())
            {
                return RedirectToPage("./Register", new {
                    isExternalLogin = true,
                    externalLoginAuthSchema = loginInfo.LoginProvider,
                    returnUrl = ReturnUrl,
                    returnUrlHash = ReturnUrlHash,
                    linkTenantId = LinkTenantId,
                    linkUserId = LinkUserId,
                    linkToken = LinkToken
                });
            }

            // Set a breakpoint here: if externalUser is null, the user is sent to Register.
            var externalUser = await UserManager.FindByEmailAsync(email);
            if (externalUser == null)
            {
                return RedirectToPage("./Register", new {
                    isExternalLogin = true,
                    externalLoginAuthSchema = loginInfo.LoginProvider,
                    returnUrl = ReturnUrl,
                    returnUrlHash = ReturnUrlHash,
                    linkTenantId = LinkTenantId,
                    linkUserId = LinkUserId,
                    linkToken = LinkToken
                });
            }

            await SignInManager.SignInAsync(externalUser, false, loginInfo.LoginProvider);

            return RedirectSafely(ReturnUrl, ReturnUrlHash);
        }
    }


    Thanks

  • DominaTang created

    We don't want the user to navigate to the register page; when the user is created via the app admin page, the user should be able to log in without registration.

  • maliming created
    Support Team Fullstack Developer

    hi

    If you can get email and externalUser, you will not be redirected to the Register page.

    Please debug to see these values.

    Thanks.

Made with ❤️ on ABP v10.0.0-preview. Updated on September 12, 2025, 10:20