Progress will discontinue Telerik Platform on May 10th, 2018.

Linking or Unlinking AD FS Users

You can link an AD FS user account to a Telerik Platform user account, allowing the user to log in with either. You can unlink the AD FS user account at any time, keeping the Telerik Platform user management functionality.

See Introduction to Active Directory Federation Services Integration for more details.

You need the AD FS access token for the user to perform linking. The way you obtain the token depends on whether you are implementing active federation or passive federation.

Linking with an AD FS Account

You link an AD user account to an existing Telerik Platform user account using the LinkAdfsAccount() method. It takes as arguments the userId of the Telerik Platform user account that you want to link to and the acquired SAML token. Don't forget to log in the user first or use MasterKey authorization.

public async Task LinkUser(EverliveApp app, Guid userId, string accessToken)
{
    await app.WorkWith().Users().LinkAdfsAccount(userId, accessToken).ExecuteAsync();
}

The method returns an error if a Telerik Platform user account is already linked to an AD user account. To link it to a new AD user account, first unlink it from the previous one and then reinvoke LinkAdfsAccount() with the new SAML token.

These are important points you need to know about linking:

  • The user who you are linking must be logged in to their Telerik Platform account (in other words, you need the Telerik Platform access token to perform linking).
  • Users who have linked their AD identity to their Telerik Platform account can log in using either of them.
  • The AD user profile is stored as an object in the user account's Identity.ADFS field. It is visible only when using MasterKey authentication, or when using Bearer authentication with an access token issued for the same user.
  • If the Telerik Platform user account's Email is empty and the AD user profile contains an email, then it is stored in the user account's Email field.
  • You cannot link a single AD account to multiple Telerik Platform user accounts. If you try this, you receive an error.

Unlinking from an AD FS Account

You unlink an AD user account from an existing Telerik Platform user account using the UnlinkAdfsAccount() method. It takes as argument the userId of the Telerik Platform user account that you want to unlink. For example:

public async Task UnlinkUser(EverliveApp app, Guid userId)
{
    await app.WorkWith().Users().UnlinkAdfsAccount(userId).ExecuteAsync();
}

If the user is not linked, you receive an error.

These are important points you need to know about unlinking:

  • The user who you are unlinking must be logged in to their Telerik Platform account (in other words, you need the Telerik Platform access token to perform unlinking).
  • Telerik Platform deletes the user's AD profile by setting Profile.ADFS to null in the user account object.
  • After a user has been unlinked, you can relink them.
  • The users can unlink only their own AD account. They cannot unlink other users' AD accounts, even if they have update permissions for the Users content type. This restriction is not present when using MasterKey authentication.
  • You can only unlink user accounts that existed before linking them to an AD account.
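
The following is an added example, not code from the Telerik Platform documentation or SDK. It combines the relinking procedure described above (unlink, then call LinkAdfsAccount() with the new SAML token) with the ownership check you must enforce yourself when you use MasterKey authorization. The names RelinkUser, callerId and RelinkIncompleteException are hypothetical, and it assumes that the errors described on this page surface as exceptions from ExecuteAsync().

```csharp
using System;
using System.Threading.Tasks;
using Telerik.Everlive.Sdk.Core; // assumed namespace of EverliveApp in the .NET SDK

// Hypothetical exception: the old link is gone and the new one was not created.
public class RelinkIncompleteException : Exception
{
    public RelinkIncompleteException(Guid userId, Exception inner)
        : base($"User {userId} was unlinked but not relinked; " +
               "only the Telerik Platform login works until linking succeeds.", inner) { }
}

public static class AdfsRelink
{
    // callerId (hypothetical): the user your own backend authenticated for this request.
    public static async Task RelinkUser(EverliveApp app, Guid callerId, Guid userId, string newSamlToken)
    {
        // With MasterKey authorization the platform does not restrict users to
        // their own account, so enforce that rule here before changing anything.
        if (callerId != userId)
            throw new UnauthorizedAccessException("Users may relink only their own account.");

        // Validate before the destructive step: unlinking deletes the stored AD profile.
        if (string.IsNullOrWhiteSpace(newSamlToken))
            throw new ArgumentException("A SAML token for the new AD account is required.", nameof(newSamlToken));

        // Step 1: remove the existing link. This errors if the user is not linked;
        // let that propagate, because nothing has been changed yet.
        await app.WorkWith().Users().UnlinkAdfsAccount(userId).ExecuteAsync();

        try
        {
            // Step 2: link the same Telerik Platform account to the new AD account.
            await app.WorkWith().Users().LinkAdfsAccount(userId, newSamlToken).ExecuteAsync();
        }
        catch (Exception ex)
        {
            // For example, the new AD account is already linked to another user.
            // Report the half-finished state instead of hiding it.
            throw new RelinkIncompleteException(userId, ex);
        }
    }
}
```

Callers should log a RelinkIncompleteException and prompt the user to retry linking, since the account has no AD identity attached at that point.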
