Merge pull request #2 from Azure-Samples/andret-Review-2

jmprieur · web-flow · commit 9337a3cb3cc1 · 2018-05-02T10:17:49.000+02:00
Update to readme.md file keeping the SingleOrg instructions
diff --git a/README.md b/README.md
@@ -10,66 +10,69 @@ endpoint: AAD V2
 
 ![Build badge](https://identitydivision.visualstudio.com/_apis/public/build/definitions/a7934fdd-dcde-4492-a406-7fad6ac00e17/514/badge)
 
-This sample shows how to build a .NET Core MVC Web app that uses OpenID Connect to sign in users with their Work and School or Microsoft personal account (formerly live accounts). It leverages the ASP.NET Core OpenID Connect middleware.
+This sample shows how to build a .NET Core MVC Web app that uses OpenID Connect to sign in personal accounts (including outlook.com, live.com, and others) as well as work and school accounts from any company or organization that has integrated with Azure Active Directory. It leverages the ASP.NET Core OpenID Connect middleware.
 
 ![Sign-in with Azure AD](ReadmeFiles/sign-in.png)
 
-For more information on how the protocols work in this scenario and other scenarios, see [Authentication Scenarios for Azure AD](http://go.microsoft.com/fwlink/?LinkId=394414).
-
 ## How to run this sample
 
 To run this sample:
 
-- Install .NET Core (for example for Windows) by following the instructions at [.NET and C# - Get Started in 10 Minutes](https://www.microsoft.com/net/core). In addition to developing on Windows, you can develop on [Linux](https://www.microsoft.com/net/core#linuxredhat), [Mac](https://www.microsoft.com/net/core#macos), or [Docker](https://www.microsoft.com/net/core#dockercmd).
-- An Azure AD tenant. For more information on how to obtain an Azure AD tenant, see [How to get an Azure AD tenant](https://azure.microsoft.com/documentation/articles/active-directory-howto-tenant/).
+> Pre-requisites: Install .NET Core (for example for Windows) by following the instructions at [.NET and C# - Get Started in 10 Minutes](https://www.microsoft.com/net/core). In addition to developing on Windows, you can develop on [Linux](https://www.microsoft.com/net/core#linuxredhat), [Mac](https://www.microsoft.com/net/core#macos), or [Docker](https://www.microsoft.com/net/core#dockercmd).
 
 ### Step 1: Register the sample with your Azure AD tenant
 
-1. Sign in to the [Application registration portal](https://apps.dev.microsoft.com) either a personal or work or school Microsoft account
-1. Look at your list of Microsoft apps
-1. Click **Add an app**, and give it a name. Then press **Create**. The portal will assign your app a globally unique Application ID that you'll use later in your code.
-1. Click on **Add Platform**, and in the dialog press the **Web** icon.
+1. Sign in to the [Application registration portal](https://apps.dev.microsoft.com/portal/register-app) either using a personal Microsoft account (live.com or hotmail.com) or work or school account.
+1. Give a name to your Application, make sure that the *Guided Setup* option is **Unchecked**. Then press **Create**. The portal will assign your app a globally unique *Application ID* that you'll use later in your code.
+1. Click **Add Platform**, and select **Web**.
 1. In the Redirect URLs field, add `http://localhost:5000/` and `http://localhost:5000/signin-oidc`
 
-> [!NOTE]
-> The base address in the **Sign-on URL** and **Logout URL** settings is `http://localhost:5000`. This localhost address allows the sample app to run insecurely from your local system. Port 5000 is the default port for the [Kestrel server](https://docs.microsoft.com/aspnet/core/fundamentals/servers/kestrel). Update these URLs if you configure the app for production use (for example, `https://www.contoso.com/signin-oidc` and `https://www.contoso.com/signout-oidc`).
+> Note: The base address in the **Sign-on URL** and **Logout URL** settings is `http://localhost:5000`. This localhost address allows the sample app to run insecurely from your local system. Port 5000 is the default port for the [Kestrel server](https://docs.microsoft.com/aspnet/core/fundamentals/servers/kestrel). Update these URLs if you configure the app for production use (for example, `https://www.contoso.com/signin-oidc` and `https://www.contoso.com/signout-oidc`).
 
-### Step 2: Create the sample
+### Step 2: Download/ Clone this sample code or build the application using a template
 
-This sample was created from the dotnet core 2.0 template [dotnet new mvc](https://docs.microsoft.com/dotnet/core/tools/dotnet-new?tabs=netcore2x) template with `SingleOrg` authentication, and then tweaked to let it support tokens for the Azure AD V2 endpoint. You can create the sample from the command line or clone/download this repository:
+This sample was created from the dotnet core 2.0 [dotnet new mvc](https://docs.microsoft.com/dotnet/core/tools/dotnet-new?tabs=netcore2x) template with `SingleOrg` authentication, and then tweaked to let it support tokens for the Azure AD V2 endpoint. You can clone/download this repository or create the sample from the command line:
 
-#### To create the sample from the command line
+#### Option 1: Download/ clone this sample
 
-- Execute the following command:
+You can clone this sample from your shell or command line:
 
   ```console
-  dotnet new mvc --auth SingleOrg --client-id <CLIENT_ID_(APP_ID)>
+  git clone https://github.com/Azure-Samples/active-directory-dotnet-webapp-openidconnect-aspnetcore.git
   ```
 
-  Use the value that you recorded from the Azure portal for \<CLIENT\_ID\_(APP\_ID)>.
+  In the **appsettings.json** file, replace the `ClientID` value with the *Applicaiton ID* from the application you just registered in Application Registration portal on *Step 1*.
+
+#### Option 2: Create the sample from the command line
 
-- Then:
+1. Run the following command to create a sample from the command line using the `MultiOrg` template:
+    ```console
+    dotnet new mvc --auth SingleOrg --client-id <Enter_the_Application_Id_here>
+    ```
+
+    > Note: Replace *`Enter_the_Application_Id_here`* with the *Application Id* from the application Id you just registered in the Application Registration Portal.
 
-  - Modify the `Configure` method in `Extensions\AzureAdAuthenticationBuilderExtensions.cs` file. This method show be as follows (the changed lines are the lines containing  `Authority`, and `ValidateIssuer`)
+2. Open **Extensions\AzureAdAuthenticationBuilderExtensions.cs** file and replace the `Configure` method with:
 
     ```CSharp
     public void Configure(string name, OpenIdConnectOptions options)
     {
         options.ClientId = _azureOptions.ClientId;
-        options.Authority = $"{_azureOptions.Instance}common/v2.0";   // V2 specific
+        options.Authority = $"{_azureOptions.Instance}common/v2.0";   // V2 Endpoint
         options.UseTokenLifetime = true;
         options.RequireHttpsMetadata = false;
         options.TokenValidationParameters.ValidateIssuer = false;     // accept any tenant
     }
     ```
-  - Modify `Views\Shared\_LoginPartial.cshtml` to have the following content:
+
+3. Modify `Views\Shared\_LoginPartial.cshtml` to have the following content:
 
     ```CSharp
     @using System.Security.Claims
 
     @if (User.Identity.IsAuthenticated)
     {
-        var identity = User.Identity as ClaimsIdentity; // V2 specific
+        var identity = User.Identity as ClaimsIdentity; // Azure AD V2 endpoint specific
         string preferred_username = identity.Claims.FirstOrDefault(c => c.Type == "preferred_username")?.Value;
         <ul class="nav navbar-nav navbar-right">
             <li class="navbar-text">Hello @preferred_username</li>
@@ -84,27 +87,61 @@ This sample was created from the dotnet core 2.0 template [dotnet new mvc](https
     }
     ```
 
-    This change is needed because the claims are different in the Azure AD V1 and Azure AD V2 tokens. Here the 'preferred_username' claim is used, which turns out to be the user's email address.
+    > Note: This change is needed because certain token claims from Azure AD V1 endpoint (on which the original .NET core template is based) are different than Azure AD V2 endpoint.
 
-#### To clone / download the sample
+### Step 3: Run the sample
 
-- Execute the following command from your shell or command line:
+1. Build the solution and run it.
 
-  ```console
-  git clone https://github.com/Azure-Samples/active-directory-dotnet-webapp-openidconnect-aspnetcore.git
-  ```
+2. Open your web browser and make a request to the app. The app immediately attempts to authenticate you via the Azure AD v2 endpoint. Sign in with your personal account or with work or school account.
 
-  In the **appsettings.json* file, provide values for the `Domain`, `TenantId`, and `ClientID` that you recorded earlier from the Azure portal.
+## Optional: Restrict sign-in access to your application
 
-### Step 3: Run the sample
+By default, when you use the dotnet core template with `SingleOrg` authentication option and follow the instructions in this guide to configure the application to use the Azure Active Directory v2 endpoint, both personal accounts - like outlook.com, live.com, and others - as well as Work or school accounts from any organizations that are integrated with Azure AD can sign in to your application. This is typically used on SaaS applications.
 
-Build the solution and run it.
+To restrict who can sign in to your application, use one of the options:
 
-Make a request to the app. The app immediately attempts to authenticate you via Azure AD. Sign in with the username and password of a user account that is in your Azure AD tenant or your microsoft personal account.
+### Option 1: Restrict access to a single organization (single-tenant)
 
-## About The code
+You can restrict sign-in access for your application to only user accounts that are in a single Azure AD tenant - including *guest accounts* of that tenant. This scenario is a common for *line-of-business applications*:
 
-### ASP.NET Core middleware
+1. Open **appsettings.json** and replace the line containing the `TenantId` value with the domain of your tenant, for example, *contoso.onmicrosoft.com* or the guid for the Tenant Id:
+
+    ```json
+    "TenantId": "[Enter the domain of your tenant, e.g. contoso.onmicrosoft.com or the Tenant Id]",
+    ```
+
+2. In your **Extensions\AzureAdAuthenticationBuilderExtensions.cs** file, replace the `Configure` method with:
+
+    ```CSharp
+    public void Configure(string name, OpenIdConnectOptions options)
+    {
+        options.ClientId = _azureOptions.ClientId;
+        options.Authority = $"{_azureOptions.Instance}{_azureOptions.TenantId}/v2.0";   // V2 Endpoint
+        options.UseTokenLifetime = true;
+        options.RequireHttpsMetadata = false;
+        options.TokenValidationParameters.ValidateIssuer = true;     // Validate the tenant
+    }
+    ```
+
+### Option 2: Restrict access to a list of organizations
+
+You can restrict sign-in access to only user accounts that are in a specific list of Azure AD organizations:
+
+1. In your **Extensions\AzureAdAuthenticationBuilderExtensions.cs** file, set the `ValidateIssuer` argument to **`true`**
+2. Add a `ValidIssuers` `TokenValidationParameters` parameter containing the list of allowed organizations.
+
+### Option 3: Use a custom method to validate issuers
+
+You can implement a custom method to validate issuers by using the **IssuerValidator** parameter. For more information about how to use this parameter, read about the [TokenValidationParameters class](https://msdn.microsoft.com/library/system.identitymodel.tokens.tokenvalidationparameters.aspx) on MSDN.
+
+### Variations
+
+You can also decide which types of user accounts can sign in to your Web App by changing the Authority. The picture below shows all the possibilities
+
+![Variations](ReadmeFiles/v2-variations.png)
+
+## About The code
 
 This sample shows how to use the OpenID Connect ASP.NET Core middleware to sign in users from a single Azure AD tenant. The middleware is initialized in the `Startup.cs` file by passing it the Client ID of the app and the URL of the Azure AD tenant where the app is registered, which is read from the `appsettings.json` file. The middleware takes care of:
 
@@ -130,26 +167,3 @@ return SignOut(
 ```
 
 The middleware in this project is created as a part of the open-source [ASP.NET Security](https://github.com/aspnet/Security) project.
-
-### What is specific to Azure AD V2?
-
-ASP.NET Core creates Web applications for the V1 endpoint. It's easy, however to update the code to let users sign-in with both work and school accounts and Microsoft personal accounts. It's also possible to restrict the accounts used to sign-in
-
-#### Modified code
-
-The specific Azure AD V2 code is in `Configure(string name, OpenIdConnectOptions options)`:
-
-```CSharp
-    options.Authority = $"{_azureOptions.Instance}common/v2.0";   // V2 specific
-    options.TokenValidationParameters.ValidateIssuer = false;     // accept any tenant
-```
-
-The first line tells the middleware to let sign-in users with the Azure AD V2 endpoint, that is with their work and school account or Microsoft personal account.
-
-The second line tells the middleware to not validate the tenants. If you want to validate the tenants, you can set `ValidateIssuer` to true, and add a delegate as the `options.TokenValidationParameters.IssuerValidator` property.
-
-#### Variations
-
-You can decide which user accounts can sign-in to your Web App by changing the Authority. The picture below shows all the possibilities
-
-![Variations](ReadmeFiles/v2-variations.png)
