Feature/multidomain (#15)

### Release 23.07.2024 | Multidomain and custom identity attribute
#### New

- multidomain support: multiple domains can be specified via ';'

```
  <add key="multifactor:active-directory-domain" value="domain1.local;domain2.local" />
```

- Added the `use-attribute-as-identity` setting, which allows you to specify the attribute that will be used as an identifier when checking the second factor.
SHOULD use the new setting instead of `use-upn-as-identity`.

```xml
<!-- Use the specified attribute as the user identity when checking the second factor-->
<add key="multifactor:use-attribute-as-identity" value="mail"/>
```

Author: gelatincrypto

Configuration.cs

@@ -1,4 +1,5 @@
-using System;
+using MultiFactor.IIS.Adapter.Services;
+using System;
 using System.Collections.Specialized;
 using System.Configuration;
 using System.Linq;
@@ -7,22 +8,42 @@ namespace MultiFactor.IIS.Adapter
 {
     public class Configuration
     {
-        public string ApiKey { get; private set; }
-        public string ApiSecret { get; private set; }
-        public string ApiUrl { get; private set; }
-        public string ApiProxy { get; private set; }
+        private readonly string _activeDirectoryDomain;
+        public string[] ActiveDirectoryDomains =>
+            (_activeDirectoryDomain ?? string.Empty).Split(new[] { ';' }, StringSplitOptions.RemoveEmptyEntries)
+            .Distinct()
+            .ToArray();
+        
+        public string ApiUrl { get; }
+        public string ApiKey { get; }
+        public string ApiSecret { get; }
+        public string ApiProxy { get; }
+        
         public bool BypassSecondFactorWhenApiUnreachable { get; private set; }
 
         public string ActiveDirectory2FaGroup { get; private set; }
-        public TimeSpan ActiveDirectoryCacheTimout { get; private set; }        
-        public TimeSpan ApiLifeCheckInterval { get; private set; }        
-        public bool UseUpnAsIdentity { get; private set; }
-        public string[] PhoneAttributes { get; private set; } = new string[0];
+        public TimeSpan ActiveDirectoryCacheTimout { get; private set; }
+        public TimeSpan ApiLifeCheckInterval { get; private set; }
 
+        //Lookup for some attribute and use it for 2fa instead of uid
+        public bool UseIdentityAttribute => !string.IsNullOrWhiteSpace(TwoFaIdentityAttribute);
+        public string TwoFaIdentityAttribute { get; private set; }
+        public string[] PhoneAttributes { get; private set; } = new string[0];
+        
+        
         private static readonly Lazy<Configuration> _current = new Lazy<Configuration>(Load);
         public static Configuration Current => _current.Value;
+        
+        protected Configuration() {}
 
-        protected Configuration() { }
+        private Configuration(string activeDirectoryDomain, string apiUrl, string apiKey, string apiSecret, string apiProxy)
+        {
+            _activeDirectoryDomain = activeDirectoryDomain;
+            ApiUrl = apiUrl;
+            ApiKey = apiKey;
+            ApiSecret = apiSecret;
+            ApiProxy = apiProxy;
+        }
 
         protected static Configuration Load()
         {
@@ -34,35 +55,31 @@ protected static Configuration Load()
             var apiProxySetting = appSettings[ConfigurationKeys.ApiProxy];
 
             var activeDirectory2FaGroupSetting = appSettings[ConfigurationKeys.ActiveDirectory2FAGroup];
-            var useUpnAsIdentitySetting = appSettings[ConfigurationKeys.UseUpnAsIdentity];
+            var activeDirectoryDomain = appSettings[ConfigurationKeys.ActiveDirectoryDomain];
 
-            if (string.IsNullOrEmpty(apiUrlSetting))
+            var domain = GetDomain(activeDirectoryDomain);
+
+            if (string.IsNullOrWhiteSpace(apiUrlSetting))
             {
                 throw new Exception($"Configuration error: '{ConfigurationKeys.ApiUrl}' element not found or empty");
             }
-            if (string.IsNullOrEmpty(apiKeySetting))
+            if (string.IsNullOrWhiteSpace(apiKeySetting))
             {
                 throw new Exception($"Configuration error: '{ConfigurationKeys.ApiKey}' element not found or empty");
             }
-            if (string.IsNullOrEmpty(apiSecretSetting))
+            if (string.IsNullOrWhiteSpace(apiSecretSetting))
             {
                 throw new Exception($"Configuration error: '{ConfigurationKeys.ApiSecret}' element not found or empty");
             }
 
-            var config = new Configuration
-            {
-                ApiUrl = apiUrlSetting,
-                ApiKey = apiKeySetting,
-                ApiSecret = apiSecretSetting,
-                ApiProxy = apiProxySetting,
-                ActiveDirectory2FaGroup = activeDirectory2FaGroupSetting
-            };
+            var config = new Configuration(domain, apiUrlSetting, apiKeySetting, apiSecretSetting, apiProxySetting);
 
-            if (bool.TryParse(useUpnAsIdentitySetting, out var useUpnAsIdentity))
+            if (!string.IsNullOrWhiteSpace(activeDirectory2FaGroupSetting))
             {
-                config.UseUpnAsIdentity = useUpnAsIdentity;
+                config.ActiveDirectory2FaGroup = activeDirectory2FaGroupSetting;
             }
 
+            ReadTwoFaIdentityAttributeSetting(appSettings, config);
             ReadActiveDirectoryCacheTimoutSetting(appSettings, config);
             ReadPhoneAttributeSetting(appSettings, config);
             ReadBypassWhenApiUnreachableSetting(appSettings, config);
@@ -71,6 +88,43 @@ protected static Configuration Load()
             return config;
         }
 
+        private static void ReadTwoFaIdentityAttributeSetting(NameValueCollection appSettings, Configuration configuration)
+        {
+            var useUpnAsIdentitySetting = appSettings[ConfigurationKeys.UseUpnAsIdentity];
+            var twoFaIdentityAttributeSetting = appSettings[ConfigurationKeys.TwoFAIdentityAttribyte];
+            
+            // MUST be before 'use-upn-as-identity' check
+            if (!string.IsNullOrWhiteSpace(twoFaIdentityAttributeSetting))
+            {
+                configuration.TwoFaIdentityAttribute = twoFaIdentityAttributeSetting;
+            }
+
+            //legacy settings for 2fa identity
+            if (bool.TryParse(useUpnAsIdentitySetting, out var useUpnAsIdentity))
+            {
+                if (!string.IsNullOrWhiteSpace(twoFaIdentityAttributeSetting))
+                {
+                    throw new Exception("Configuration error: Using settings 'use-upn-as-identity' and 'use-attribute-as-identity' together is unacceptable. Prefer using 'use-attribute-as-identity'.");
+                }
+
+                Logger.Owa.Warn("The setting 'use-upn-as-identity' is deprecated, use 'use-attribute-as-identity' instead");
+                if (useUpnAsIdentity)
+                {
+                    configuration.TwoFaIdentityAttribute = "userPrincipalName";
+                }
+            }
+        }
+
+        private static string GetDomain(string activeDirectoryDomain)
+        {
+            if (!string.IsNullOrWhiteSpace(activeDirectoryDomain))
+            {
+                 return activeDirectoryDomain;
+            } 
+            
+            return System.DirectoryServices.ActiveDirectory.Domain.GetComputerDomain().Name;
+        }
+
         private static void ReadPhoneAttributeSetting(NameValueCollection appSettings, Configuration configuration)
         {
             var value = appSettings[ConfigurationKeys.PhoneAttribute];
@@ -80,7 +134,7 @@ private static void ReadPhoneAttributeSetting(NameValueCollection appSettings, C
             }
 
             var parsed = value.Split(new[] { ';' }, StringSplitOptions.RemoveEmptyEntries).Select(attr => attr.Trim()).ToArray();
-            if (parsed.Length != 0) configuration.PhoneAttributes = parsed;     
+            if (parsed.Length != 0) configuration.PhoneAttributes = parsed;
         }
 
         private static void ReadActiveDirectoryCacheTimoutSetting(NameValueCollection appSettings, Configuration configuration)
@@ -89,13 +143,13 @@ private static void ReadActiveDirectoryCacheTimoutSetting(NameValueCollection ap
 
             var legacyValue = appSettings[ConfigurationKeys.ActiveDirectory2FAGroupMembershipCacheTimeout];
             if (int.TryParse(legacyValue, out var legVal)) ttl = TimeSpan.FromMinutes(legVal);
-            
+
             var value = appSettings[ConfigurationKeys.ActiveDirectoryCacheTimeout];
             if (int.TryParse(value, out var val)) ttl = TimeSpan.FromMinutes(val);
-            
+
             configuration.ActiveDirectoryCacheTimout = ttl > TimeSpan.Zero ? ttl : TimeSpan.FromMinutes(15);
         }
-        
+
         private static void ReadApiLifeCheckIntervalSetting(NameValueCollection appSettings, Configuration configuration)
         {
             var defaultValue = TimeSpan.FromMinutes(15);
@@ -114,7 +168,7 @@ private static void ReadApiLifeCheckIntervalSetting(NameValueCollection appSetti
 
             configuration.ApiLifeCheckInterval = parsed > 0 ? TimeSpan.FromMinutes(parsed) : defaultValue;
         }
-        
+
         private static void ReadBypassWhenApiUnreachableSetting(NameValueCollection appSettings, Configuration configuration)
         {
             var value = appSettings[ConfigurationKeys.BypassSecondFactorWhenApiUnreachable];

ConfigurationKeys.cs

@@ -10,12 +10,14 @@ public static class ConfigurationKeys
         public static readonly string ApiProxy = $"{_prefix}:api-proxy";
         public static readonly string BypassSecondFactorWhenApiUnreachable = $"{_prefix}:bypass-second-factor-when-api-unreachable";
 
+        public static readonly string ActiveDirectoryDomain = $"{_prefix}:active-directory-domain";
         public static readonly string ActiveDirectory2FAGroup = $"{_prefix}:active-directory-2fa-group";
         public static readonly string ActiveDirectory2FAGroupMembershipCacheTimeout = $"{_prefix}:active-directory-2fa-group-membership-cache-timeout";
         public static readonly string ActiveDirectoryCacheTimeout = $"{_prefix}:active-directory-cache-timeout";
         public static readonly string ApiLifeCheckInterval = $"{_prefix}:api-life-check-interval";
 
         public static readonly string UseUpnAsIdentity = $"{_prefix}:use-upn-as-identity";
+        public static readonly string TwoFAIdentityAttribyte = $"{_prefix}:use-attribute-as-identity";
         public static readonly string PhoneAttribute = $"{_prefix}:phone-attribute";
     }
 }

Extensions/FullyQualifiedDomainNameExtensions.cs

@@ -17,7 +17,7 @@ public static string GetDn(this FullyQualifiedDomainName domain)
             if (domain is null) throw new ArgumentNullException(nameof(domain));
 
             var name = domain.Value;
-            var portIndex = domain.Value.IndexOf(":");
+            var portIndex = domain.Value.IndexOf(":", StringComparison.Ordinal);
             if (portIndex > 0)
             {
                 name = name.Substring(0, portIndex);

MsDynamics365/Module.cs

@@ -109,7 +109,7 @@ private void ProcessMultifactorRequest(HttpContextBase context)
                 return;
             }
 
-            var executor = MfaApiRequestExecutorFactory.CreateIIS(context);
+            var executor = MfaApiRequestExecutorFactory.CreateCrm(context);
             executor.Execute(url, GetWebAppRoot());
         }
 
@@ -126,7 +126,7 @@ private string GetWebAppRoot()
                 context.Request.Url.Host :
                 context.Request.Url.Authority;
 
-            host = string.Format("{0}://{1}", context.Request.Url.Scheme, host);
+            host = $"{context.Request.Url.Scheme}://{host}";
 
             if (context.Request.ApplicationPath != "/")
             {

MultiFactor.IIS.Adapter.csproj

@@ -72,6 +72,7 @@
     <Compile Include="MsDynamics365\Module.cs" />
     <Compile Include="Constants.cs" />
     <Compile Include="Core\HttpModuleBase.cs" />
+    <Compile Include="Services\Ldap\Profile\AttributeKeyComparer.cs" />
     <Compile Include="Services\MfaApiRequestExecutor.cs" />
     <Compile Include="Services\MfaApiRequestExecutorFactory.cs" />
     <Compile Include="Owa\UserRequiredSecondFactor.cs" />
@@ -84,9 +85,9 @@
     <Compile Include="Extensions\FullyQualifiedDomainNameExtensions.cs" />
     <Compile Include="Services\Ldap\LdapConnectionAdapter.cs" />
     <Compile Include="Services\Ldap\Profile\ILdapProfile.cs" />
-    <Compile Include="Services\Ldap\Profile\ILdapProfileBuilder.cs" />
     <Compile Include="Services\Ldap\Profile\LdapProfile.cs" />
     <Compile Include="Services\Logger.cs" />
+    <Compile Include="Services\MfTraceIdFactory.cs" />
     <Compile Include="Services\MultiFactorApiClient.cs" />
     <Compile Include="Services\Ldap\Profile\ProfileLoader.cs" />
     <Compile Include="Services\AccessUrl.cs" />

Owa/Module.cs

@@ -2,7 +2,6 @@
 using MultiFactor.IIS.Adapter.Extensions;
 using MultiFactor.IIS.Adapter.Services;
 using System;
-using System.IO;
 using System.Linq;
 using System.Security.Principal;
 using System.Web;
@@ -39,6 +38,7 @@ public override void OnBeginRequest(HttpContextBase context)
         public override void OnPostAuthorizeRequest(HttpContextBase context)
         {
             var path = context.Request.Url.GetComponents(UriComponents.Path, UriFormat.Unescaped);
+
             //static resources
             if (WebUtil.IsStaticResourceRequest(context.Request.Url))
             {
@@ -125,7 +125,6 @@ public override void OnPostAuthorizeRequest(HttpContextBase context)
 
         private void ProcessMultifactorRequest(HttpContextBase context)
         {
-            Logger.Owa.Info($"Process MFA request");
             //check if user session timed-out
             if (!context.User.Identity.IsAuthenticated)
             {

Services/AccessUrl.cs

@@ -13,20 +13,23 @@ public AccessUrl(ActiveDirectoryService activeDirectory, MultiFactorApiClient ap
             _api = api ?? throw new ArgumentNullException(nameof(api));
         }
 
-        public string Get(string rawUsername, string postbackUrl) 
+        public string Get(string rawUsername, string postbackUrl)
         {
             var identity = rawUsername;
             var profile = _activeDirectory.GetProfile(Util.CanonicalizeUserName(identity));
-            if (Configuration.Current.UseUpnAsIdentity)
+            if (profile == null)
             {
-                if (!identity.Contains("@"))
-                {
-                    identity = profile.UserPrincipalName;
-                }
+                // redirect to (custom?) error page
+                throw new Exception($"Profile {rawUsername} not found");
+            }
+            if (Configuration.Current.UseIdentityAttribute && !string.IsNullOrEmpty(profile.TwoFAIdentity))
+            {
+                Logger.API.Info($"Applying 2fa identity attribute: {identity}->{profile.TwoFAIdentity}");
+                identity = profile.TwoFAIdentity;
             }
 
-            var multiFactorAccessUrl = _api.CreateRequest(identity, rawUsername, postbackUrl, profile);
+            var multiFactorAccessUrl = _api.CreateRequest(identity, rawUsername, postbackUrl, profile?.Phone);
             return multiFactorAccessUrl;
-        }    
+        }
     }
 }