Idp-initiated SSO w/ AspNetCore2 Handler #1030
Comments
This needs debugging.
This is due to how With an Idp-initiated sign on, there is no relayData. So you need to make your own implementation of
Thank you, Anders for looking into this. I'll try to implement custom logic for GetExternalLoginInfoAsync like you suggested.
@sai450 Well, I just had to implement it myself for a customer :) It's mostly a matter of copying the existing code and removing the provider check. Then you somehow have to find out the provider key - can be hard coded if Saml2 is the only external provider.
@AndersAbel can you expand on that? And then what value did you use to hardcode the provider key? Edit: I was able to figure this out. Posting the steps I took for reference. Remove
Then hardcode (or figure out a better way to substitute) the value of the
At this point, authentication should work. New logins will still be prompted to register with an email - and confirm that email - but they are authenticated.
@mickey-stringer Thanks for taking the time to post the how-to!
@AndersAbel thank you for pointing me in the right direction!
@mickey-stringer and @AndersAbel As you can see from the code samples on SO, I am not using a sign-in manager, but am directly calling: Can either of you offer any advice?
Update, just FYI:
I have captured the following debugging information (from the production VM):
Would it be possible to have both implementations at the same time? Thanks for the input!
@Narshe1412 Yes. The setting to allow Idp initiated is per Idp.
Apologies, I meant both implementations of the Signing Manager :)
@Narshe1412 you'd still need to use a custom SignInManager in order to handle the IDP-initiated flow, you just need to make it more resilient/flexible so that your SP-initiated methods are still supported. Basically, you'll treat IDP-initiated flow as a fallback. Use duck typing to determine if the auth attempt is IDP-initiated (e.g.
var provider = "Saml2"; //items[LoginProviderKey] as string; - LoginProviderKey isn't present in Idp-initiated flow
I see that provider value was hard coded, but in my case I do have multiple Idp-initiated logins. @mickey-stringer Is there a way to obtain the provider key dynamically, depending on the external provider?
@IAMHK90 It's been a while since I've worked with this package, but since you register different IDPs based on their metadata and signing keys and such, there is a way to access which provider a login is coming from. I just don't recall exactly how/where to do that, and I no longer have access to the repository where I implemented it. Sorry I can't be of more help. Good luck!
@IAMHK90 - It varies by implementation and requirements, but one way to figure out the provider is to define a unique ReturnUrl under SP Options for each unique IDP (in our case the ReturnUrl is naturally dynamic and varies per client due to a multi-tenant setup). Then, in the custom SignInManager, you can figure out the LoginProviderKey value based on the requested path. (You would still need to debug line by line like @mickey-stringer mentioned to find the setup that best works for you.)
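The approach the thread converges on (copy the stock GetExternalLoginInfoAsync, drop the LoginProvider check, and supply the provider name yourself, with the IdP-initiated path used only as a fallback behind the unchanged SP-initiated behaviour, and the provider resolved from the callback path when several IdPs are configured) put together as one custom SignInManager. This is an added example written for this page, not code from Sustainsys.Saml2 or from any of the commenters. It assumes the ASP.NET Core Identity 2.x constructor signature (Identity 3.0 and later add an IUserConfirmation<TUser> parameter), that the Saml2 handler surfaces the subject NameID as the NameIdentifier claim, and that the IdpInitiatedSignInOptions type is a hypothetical options class defined here for the path-to-provider map:

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Http;
using Microsoft.AspNetCore.Identity;
using Microsoft.Extensions.Logging;
using Microsoft.Extensions.Options;

// Hypothetical options type (not part of Identity or Sustainsys.Saml2): maps the callback
// path (the Saml2 ReturnUrl) to the scheme name it belongs to, so several Idp-initiated
// providers can be told apart by the path they return to.
public class IdpInitiatedSignInOptions
{
    public Dictionary<string, string> ProviderByCallbackPath { get; } =
        new Dictionary<string, string>(StringComparer.OrdinalIgnoreCase);

    // Used when the request path is not in the map (single Saml2 provider case).
    public string DefaultProvider { get; set; } = "Saml2";
}

public class IdpInitiatedSignInManager<TUser> : SignInManager<TUser> where TUser : class
{
    // SignInManager keeps this constant internal, so it is redefined here with the same value.
    private const string LoginProviderKey = "LoginProvider";

    private readonly IdpInitiatedSignInOptions _idpOptions;

    // Identity 2.x constructor (assumption; Identity 3.0+ adds IUserConfirmation<TUser>).
    public IdpInitiatedSignInManager(
        UserManager<TUser> userManager,
        IHttpContextAccessor contextAccessor,
        IUserClaimsPrincipalFactory<TUser> claimsFactory,
        IOptions<IdentityOptions> optionsAccessor,
        ILogger<SignInManager<TUser>> logger,
        IAuthenticationSchemeProvider schemes,
        IOptions<IdpInitiatedSignInOptions> idpOptions)
        : base(userManager, contextAccessor, claimsFactory, optionsAccessor, logger, schemes)
    {
        _idpOptions = idpOptions.Value;
    }

    public override async Task<ExternalLoginInfo> GetExternalLoginInfoAsync(string expectedXsrf = null)
    {
        // SP-initiated flow: the LoginProvider item is present and the base implementation works unchanged.
        var info = await base.GetExternalLoginInfoAsync(expectedXsrf);
        if (info != null)
        {
            return info;
        }

        // Account-linking callers pass an expected XSRF id; an unsolicited response cannot
        // carry it, so the fallback must not weaken that check.
        if (expectedXsrf != null)
        {
            return null;
        }

        // Fallback for the Idp-initiated flow: the Saml2 handler has already validated the
        // response and signed the principal into the external cookie, but without the
        // LoginProvider item, which is why the base method returned null.
        var auth = await Context.AuthenticateAsync(IdentityConstants.ExternalScheme);
        if (auth?.Principal == null)
        {
            return null;
        }

        // Duck typing: if the item is present this is not the unsolicited case, and the base
        // method already rejected it for some other reason.
        var items = auth.Properties?.Items;
        if (items != null && items.ContainsKey(LoginProviderKey))
        {
            return null;
        }

        // Resolve the provider from the requested path, falling back to the single-provider default.
        var provider = _idpOptions.ProviderByCallbackPath.TryGetValue(Context.Request.Path.Value ?? string.Empty, out var mapped)
            ? mapped
            : _idpOptions.DefaultProvider;

        // Only accept a scheme that is actually registered as an external sign-in scheme.
        var scheme = (await GetExternalAuthenticationSchemesAsync()).FirstOrDefault(s => s.Name == provider);
        if (scheme == null)
        {
            Logger.LogWarning("Idp-initiated login for unregistered provider {Provider}", provider);
            return null;
        }

        // The Saml2 NameID is expected as the NameIdentifier claim (assumption for this example).
        var providerKey = auth.Principal.FindFirstValue(ClaimTypes.NameIdentifier);
        if (string.IsNullOrEmpty(providerKey))
        {
            return null;
        }

        return new ExternalLoginInfo(auth.Principal, provider, providerKey, scheme.DisplayName ?? provider)
        {
            AuthenticationTokens = auth.Properties?.GetTokens()
        };
    }
}
```

Register it in place of the default manager with `.AddSignInManager<IdpInitiatedSignInManager<ApplicationUser>>()` on the IdentityBuilder, and populate the map with `services.Configure<IdpInitiatedSignInOptions>(o => o.ProviderByCallbackPath["/account/externallogin"] = "Saml2")` (one entry per IdP-specific ReturnUrl path). Because the base method is tried first, SP-initiated logins and the XSRF-protected account-linking path behave exactly as before; the fallback only engages for a principal the Saml2 handler has already signed into the external cookie, and it still refuses a provider name that is not a registered external scheme.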
Idp-Initiated SSO (Unsolicited SSO) Auth does not seem to work when using AspNetCore2 Handler
I used SSOCircle as the identity provider and AspNetCore2 sample to test. Apart from the default settings, I have set ReturnUrl to "/account/externallogin?handler=callback" and set AllowUnsolicitedAuthnResponse to true
Observation:
When the execution reaches the OnGetCallbackAsync handler (ExternalLogin.cshtml.cs) via Idp-initiated SSO, the call on the following line of code returns null (whereas the same line of code successfully retrieves ExternalLoginInfo with UserPrincipal and Claims for SP-initiated logins).
var info = await _signInManager.GetExternalLoginInfoAsync();
Prior to reaching the ExternalLogin callback handler, logs indicate "Successfully processed SAML response" and "Identity.External signed in"; however, the callback handler fails to retrieve ExternalLoginInfo.
Library/Framework Versions:
TargetFramework: net472
Sustainsys.Saml2.AspNetCore2: 2.0.0
I believe this could be a bug (Unless I'm missing something). Any help is appreciated.