Finally, after quite a few hectic months with all the big events happening in Melbourne, Australia and globally (Dynamics 365 Saturday, UG Summit and Global Hackathon), I’m going to finalise this series on authentication with Dynamics 365 Portal, or should we call it PowerApps Portal now 😉
So, without further ado, here are some tips & tricks for implementing authentication in Dynamics 365 Portal:
- Set Login Session Timeout
As part of the security policy, sometimes we need to set the login session timeout. When I was trying to configure this, I noticed that usually the Identity Provider has the configuration for the token lifetime.
So, my first thought was to use the OpenID Connect setting to tie the cookie timeout to the token lifetime: “Authentication/OpenIdConnect/[provider]/UseTokenLifetime”
Well, after some testing, that doesn’t change the timeout. So, to properly change the session timeout, apparently I need to set the following configuration:
- Use default Login Provider
When we configure external login, sometimes there is a specific direction to allow only one login method for the portal audience. To achieve this, you just need to set the following configuration:
Set the value to the same value as the ‘Authority’ of the Authentication Provider URL:
e.g. if your “Authentication/OpenIdConnect/[provider]/Authority” is “https://login.somewhere.com”, put the same value in this setting. This will “force” the login process to use the specified provider.
- Claim Mapping – Resolve basic contact mapping
When we have configured the external Authentication Provider and are able to log in, the portal usually prompts us for the email, then creates a new contact record if one doesn’t exist, or complains that a duplicate contact exists and stops the process, which is sometimes frustrating and causes orphaned records…
So, to make it a more seamless experience:
- Set the “Authentication/OpenIdConnect/[provider]/RegistrationEnabled” to true
- Set the “Authentication/OpenIdConnect/Auth0/RegistrationClaimsMapping” to reflect the mapping. Commonly we would like to set the First Name, Last Name and Email Address: “firstname=http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname,lastname=http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname,emailaddress1=http://schemas.xmlsoap.org/ws/2005/05/identity/claims/email”
More detail on the claim mapping:
And the options for what we can use from the identity provider:
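To make the shape of the RegistrationClaimsMapping value concrete, here is an added example (not code from the original post or from the portal product) that parses a mapping string in the form shown above and resolves it against a constructed set of token claims; the sample claim values and the behaviour on a missing claim are my own assumptions.

```python
# Added example (not from the original post): parse a portal
# "Authentication/OpenIdConnect/[provider]/RegistrationClaimsMapping" value
# and apply it to ID-token claims to build the contact record's attributes.
from typing import Dict, List

# Constructed sample value, in the same form the post shows.
MAPPING_SETTING = (
    "firstname=http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname,"
    "lastname=http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname,"
    "emailaddress1=http://schemas.xmlsoap.org/ws/2005/05/identity/claims/email"
)

# Constructed sample claims, keyed by the claim URIs the setting refers to.
SAMPLE_CLAIMS = {
    "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname": "Ada",
    "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname": "Lovelace",
    "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/email": "ada@example.com",
}

def parse_claims_mapping(setting: str) -> Dict[str, str]:
    """Turn 'attr=claimUri,attr=claimUri' into {attr: claimUri}.
    Claim URIs contain ':' and '/', so split each pair on its first '=' only."""
    mapping: Dict[str, str] = {}
    for pair in setting.split(","):
        pair = pair.strip()
        if not pair:            # tolerate a trailing comma
            continue
        if "=" not in pair:
            raise ValueError(f"malformed mapping entry: {pair!r}")
        attr, claim_uri = pair.split("=", 1)
        mapping[attr.strip()] = claim_uri.strip()
    return mapping

def build_contact(setting: str, claims: Dict[str, str]) -> Dict[str, str]:
    """Resolve each mapped attribute from the token claims.
    A claim the provider did not release is reported (assumed behaviour)
    instead of silently creating a contact with blank fields."""
    contact: Dict[str, str] = {}
    missing: List[str] = []
    for attr, claim_uri in parse_claims_mapping(setting).items():
        if claim_uri in claims:
            contact[attr] = claims[claim_uri]
        else:
            missing.append(attr)
    if missing:
        raise KeyError("token lacks claims for: " + ", ".join(sorted(missing)))
    return contact
```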
- Force Login when accessing pages other than the Home page
In my recent scenario, there was a requirement to make the other web pages unavailable to non-authenticated users. I could apply “Authentication Required” to each page on my site. However, this is not an efficient process, particularly for the maintainability of the portal. So, to achieve this in an efficient way:
- Navigate to Web Page -> Home
- Navigate to the Access Control Rules section
- Create a new Rule as follows:
Make sure you set the scope to Exclude direct child web files, otherwise the portal scripts and CSS will be blocked as well.
- Add the “Authenticated User” under the Web Role:
That’s all the tips & tricks related to the Dynamics 365 Portal authentication. I hope this helps!