Implementing impersonation in Single Sign On Between CRM and external Web Interface

Use Case

After we have implemented Single Sign On between CRM and the external web interface, we need to make each request to CRM impersonate the particular CRM user who signed in.

  1. CRM uses record-level security settings, which means a user has access only to those records their security role permits. The screenshots below show two users, each with access to a specific set of Contact records.

[Screenshots 1 and 2: the Contact records visible to each of the two users]

  2. We have created an aspx page and added SSO with Azure Active Directory. In the code-behind we create an organization service proxy and retrieve the Contact records from CRM in the FetchContacts method.

using System;
using System.Security.Claims;
using System.ServiceModel.Description;
using Microsoft.Xrm.Sdk;
using Microsoft.Xrm.Sdk.Client;
using Microsoft.Xrm.Sdk.Query;

protected void Page_Load(object sender, EventArgs e)
{
    FetchContacts();
}

public void FetchContacts()
{
    // Service account that opens the organization proxy (hardcoded in this walkthrough; keep it in protected configuration in a real deployment)
    ClientCredentials Credentials = new ClientCredentials();
    Credentials.UserName.UserName = "administrator2@crmazureintegration.onmicrosoft.com";
    Credentials.UserName.Password = "pass@word1";
    EntityCollection products = null;
    using (OrganizationServiceProxy serviceProxy = new OrganizationServiceProxy(new Uri("https://crmazureintegration.api.crm.dynamics.com/XRMServices/2011/Organization.svc"), null, Credentials, null))
    {
        // No CallerId is set, so the query runs with the service account's own privileges
        // (the retrieval step is not shown in the post; a basic Contact query is assumed here)
        products = serviceProxy.RetrieveMultiple(new QueryExpression("contact") { ColumnSet = new ColumnSet("fullname") });
    }
}

  3. Without impersonation, the page prompts for credentials to access it. If I enter the credentials of any valid user, the following records are displayed.

[Screenshot 3: the Contact records returned without impersonation]

As you can see, it displays records the user should not have access to. This is because, as the previous code shows, the Contact records are fetched with the privileges of the username used to create the organization proxy, not those of the signed-in user.

protected void Page_Load(object sender, EventArgs e)
{
    // Identity established by the Azure AD sign-on
    ClaimsPrincipal cp = ClaimsPrincipal.Current;
    string fullname = string.Format("{0} {1}", cp.FindFirst(System.Security.Claims.ClaimTypes.GivenName).Value,
        cp.FindFirst(System.Security.Claims.ClaimTypes.Surname).Value);
    this.Label1.Text = this.Label1.Text + " " + fullname;
    Guid userid = FetchContextUserID(fullname);
    ImpersonatedFetchContacts(userid);
}

public Guid FetchContextUserID(string username)
{
    // Fetch userid based upon the username
    // (the post leaves this body out; a lookup on the systemuser fullname attribute is assumed here)
    ClientCredentials Credentials = new ClientCredentials();
    Credentials.UserName.UserName = "administrator2@crmazureintegration.onmicrosoft.com";
    Credentials.UserName.Password = "pass@word1";
    using (OrganizationServiceProxy serviceProxy = new OrganizationServiceProxy(new Uri("https://crmazureintegration.api.crm.dynamics.com/XRMServices/2011/Organization.svc"), null, Credentials, null))
    {
        QueryExpression query = new QueryExpression("systemuser") { ColumnSet = new ColumnSet("systemuserid") };
        query.Criteria.AddCondition("fullname", ConditionOperator.Equal, username);
        EntityCollection users = serviceProxy.RetrieveMultiple(query);
        // Fail closed on zero or ambiguous matches rather than impersonating the wrong user
        if (users.Entities.Count != 1)
            throw new InvalidOperationException("No unique CRM user matches " + username);
        return users.Entities[0].Id;
    }
}

public void ImpersonatedFetchContacts(Guid userid)
{
    ClientCredentials Credentials = new ClientCredentials();
    Credentials.UserName.UserName = "administrator2@crmazureintegration.onmicrosoft.com";
    Credentials.UserName.Password = "pass@word1";
    EntityCollection products = null;
    using (OrganizationServiceProxy serviceProxy = new OrganizationServiceProxy(new Uri("https://crmazureintegration.api.crm.dynamics.com/XRMServices/2011/Organization.svc"), null, Credentials, null))
    {
        // Impersonate the signed-in user: CRM evaluates every call on this proxy against that user's security roles
        serviceProxy.CallerId = userid;
        // Retrieval step assumed; the post trims the method at this point
        products = serviceProxy.RetrieveMultiple(new QueryExpression("contact") { ColumnSet = new ColumnSet("fullname") });
    }
}

  4. As shown in the code, we set the CallerId property on the organization service proxy object. CRM then evaluates the request under the impersonated user's security roles, so only the records the logged-in user has access to are fetched.
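As an added example (not code from the original post), the following helper ties the steps above together in a hardened form: it resolves the CRM user from the UPN claim instead of the display name (display names can collide, a UPN cannot), refuses to proceed when no single enabled CRM user matches, sets CallerId on the proxy, and confirms the effective identity with WhoAmI before querying Contacts. The organization URL, the service-account parameters, and the claim and attribute names used for the mapping (ClaimTypes.Upn, systemuser.domainname) are assumptions; the service account needs the CRM "Act on Behalf of Another User" privilege for CallerId to be honoured.

```csharp
using System;
using System.Security.Claims;
using System.ServiceModel.Description;
using Microsoft.Crm.Sdk.Messages;
using Microsoft.Xrm.Sdk;
using Microsoft.Xrm.Sdk.Client;
using Microsoft.Xrm.Sdk.Query;

public static class ImpersonatedCrm
{
    // Assumed placeholder: replace with the real organization service URL.
    private const string OrgServiceUrl = "https://ORG-PLACEHOLDER.api.crm.dynamics.com/XRMServices/2011/Organization.svc";

    // Opens a proxy as the service account; credentials are passed in so they can come from protected configuration.
    private static OrganizationServiceProxy OpenProxy(string serviceUser, string servicePassword)
    {
        var creds = new ClientCredentials();
        creds.UserName.UserName = serviceUser;
        creds.UserName.Password = servicePassword;
        var proxy = new OrganizationServiceProxy(new Uri(OrgServiceUrl), null, creds, null);
        proxy.EnableProxyTypes();
        return proxy;
    }

    // Maps the signed-in principal to exactly one enabled CRM user by UPN
    // (assumption: the Azure AD token carries a upn claim and systemuser.domainname holds the UPN).
    public static Guid ResolveCallerId(OrganizationServiceProxy proxy, ClaimsPrincipal principal)
    {
        Claim upn = principal.FindFirst(ClaimTypes.Upn);
        if (upn == null || string.IsNullOrWhiteSpace(upn.Value))
            throw new UnauthorizedAccessException("Token carries no UPN claim; refusing to impersonate.");

        var query = new QueryExpression("systemuser") { ColumnSet = new ColumnSet("systemuserid") };
        query.Criteria.AddCondition("domainname", ConditionOperator.Equal, upn.Value);
        query.Criteria.AddCondition("isdisabled", ConditionOperator.Equal, false);

        EntityCollection users = proxy.RetrieveMultiple(query);
        // Fail closed on zero or ambiguous matches instead of falling back to the service account's view of the data.
        if (users.Entities.Count != 1)
            throw new UnauthorizedAccessException("No unique enabled CRM user for " + upn.Value);
        return users.Entities[0].Id;
    }

    // Fetches Contacts as the signed-in user. Call from Page_Load with ClaimsPrincipal.Current.
    public static EntityCollection FetchContactsAs(ClaimsPrincipal principal, string serviceUser, string servicePassword)
    {
        using (OrganizationServiceProxy proxy = OpenProxy(serviceUser, servicePassword))
        {
            // The user lookup itself runs under the service account, before CallerId is set.
            Guid callerId = ResolveCallerId(proxy, principal);
            proxy.CallerId = callerId; // every call from here on is authorized as that user

            // Sanity check: with CallerId in effect, WhoAmI reports the impersonated user rather than the service account.
            var who = (WhoAmIResponse)proxy.Execute(new WhoAmIRequest());
            if (who.UserId != callerId)
                throw new InvalidOperationException("Impersonation not in effect; check the service account's 'Act on Behalf of Another User' privilege.");

            var contacts = new QueryExpression("contact") { ColumnSet = new ColumnSet("fullname", "emailaddress1") };
            return proxy.RetrieveMultiple(contacts); // only the Contacts the impersonated user's roles allow
        }
    }
}
```

The WhoAmI check costs one extra round trip per page load, but it turns a silent authorization mismatch (Contacts returned under the wrong identity) into a visible failure that can be logged and alerted on.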

[Screenshot 4: the Contact records returned with impersonation]
