
I am trying to add support for SAML authentication to an ASP.NET Core MVC application with ASP.NET Core Identity (not IdentityServer). The flow "works" when testing with StubIdp - the SAMLResponse is POSTed to /Saml2/Acs and I'm redirected to the app with an Identity.External cookie, but my ClaimsPrincipal is empty and unauthenticated. Even if I use the NameID of a user who already exists in the database, the claims are completely empty.

I also see the following in the console log:
Sustainsys.Saml2.AspNetCore2.Saml2Handler: Information: Successfully processed SAML response Microsoft.IdentityModel.Tokens.Saml2.Saml2Id and authenticated JohnDoe

I installed the Sustainsys.Saml2.AspNetCore2 package, and added the service configuration to startup.cs as follows:

using System;
using System.Security.Cryptography.X509Certificates;
using Microsoft.Azure.KeyVault;
using Microsoft.Azure.Services.AppAuthentication;
using Sustainsys.Saml2;
using Sustainsys.Saml2.AspNetCore2;
using Sustainsys.Saml2.Metadata;

// AddSaml2 takes an Action<Saml2Options>, so an async lambda here would run as
// async void and everything after its first await would be applied after
// AddAuthentication has already returned. Fetch the certificate first, then
// configure the options synchronously.
var azureServiceTokenProvider = new AzureServiceTokenProvider();
var keyVaultClient = new KeyVaultClient(
    new KeyVaultClient.AuthenticationCallback(
        azureServiceTokenProvider.KeyVaultTokenCallback));

// The Key Vault secret holds a base64-encoded PFX (certificate plus private key).
var certificateSecret = keyVaultClient
    .GetSecretAsync($"https://{Configuration["KeyVaultName"]}.vault.azure.net/", Configuration["ServiceProviderCertName"])
    .GetAwaiter().GetResult();
var privateKeyBytes = Convert.FromBase64String(certificateSecret.Value);

services.AddAuthentication()
    .AddSaml2(options =>
    {
        options.SPOptions.EntityId = new EntityId(Configuration["BaseUrl"] + "/Saml2");
        options.SPOptions.ReturnUrl = new Uri(Configuration["BaseUrl"]);

        var idp = new IdentityProvider(
            new EntityId("https://stubidp.sustainsys.com/Metadata"), options.SPOptions)
        {
            LoadMetadata = true,
            MetadataLocation = "https://stubidp.sustainsys.com/Metadata",
            AllowUnsolicitedAuthnResponse = true
        };
        options.IdentityProviders.Add(idp);

        // Service certificate used to sign requests and decrypt assertions.
        options.SPOptions.ServiceCertificates.Add(new X509Certificate2(privateKeyBytes));
    });

Configuration["BaseUrl"] is the base URL of my app, in this case a localhost port.

I'm obviously missing something, but I can't figure out what. Do I need to somehow explicitly connect/map the Saml2 service to ASP.NET Core Identity?

ChiefMcFrank
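As an added example (not code from the question or from the linked GitHub issue) of the wiring the question asks about, here is the standard ASP.NET Core Identity external-login round trip with the Saml2 handler as the external provider. It assumes the scheme keeps the Sustainsys default name "Saml2", an ApplicationUser : IdentityUser type, and that AddSaml2 sits on the same AddAuthentication() builder as Identity so its sign-in scheme is Identity.External.

```csharp
using System.Threading.Tasks;
using Microsoft.AspNetCore.Identity;
using Microsoft.AspNetCore.Mvc;

public class ApplicationUser : IdentityUser { }   // assumed Identity user type

public class SamlAccountController : Controller
{
    private const string SamlScheme = "Saml2";   // assumed: Sustainsys.Saml2 default scheme name
    private readonly SignInManager<ApplicationUser> _signInManager;
    private readonly UserManager<ApplicationUser> _userManager;

    public SamlAccountController(SignInManager<ApplicationUser> signInManager,
                                 UserManager<ApplicationUser> userManager)
    {
        _signInManager = signInManager;
        _userManager = userManager;
    }

    // SP-initiated login. ConfigureExternalAuthenticationProperties stores LoginProvider in
    // the auth properties; GetExternalLoginInfoAsync later rejects a cookie without it.
    [HttpGet]
    public IActionResult Login(string returnUrl = "/")
    {
        var callback = Url.Action(nameof(Callback), new { returnUrl });
        var props = _signInManager.ConfigureExternalAuthenticationProperties(SamlScheme, callback);
        return Challenge(props, SamlScheme);
    }

    // Runs after the Saml2 handler has written the Identity.External cookie.
    [HttpGet]
    public async Task<IActionResult> Callback(string returnUrl = "/")
    {
        // Null if the external cookie has no principal, no NameIdentifier claim or no LoginProvider.
        var info = await _signInManager.GetExternalLoginInfoAsync();
        if (info == null) return RedirectToAction(nameof(Login));

        // Known login: exchange the external cookie for the application cookie.
        var result = await _signInManager.ExternalLoginSignInAsync(
            info.LoginProvider, info.ProviderKey, isPersistent: false, bypassTwoFactor: true);
        if (result.Succeeded) return LocalRedirect(returnUrl);

        // First visit: link the SAML NameID (ProviderKey) to an existing or newly created local user.
        var user = await _userManager.FindByNameAsync(info.ProviderKey);
        if (user == null)
        {
            user = new ApplicationUser { UserName = info.ProviderKey };
            if (!(await _userManager.CreateAsync(user)).Succeeded) return Forbid();
        }
        if (!(await _userManager.AddLoginAsync(user, info)).Succeeded) return Forbid();
        await _signInManager.SignInAsync(user, isPersistent: false);
        return LocalRedirect(returnUrl);
    }
}
```

An unsolicited (IdP-initiated) response never passes through the Login action, so the LoginProvider property that GetExternalLoginInfoAsync checks may be missing from the external cookie in that case; that path needs to be verified separately.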

1 Answer


Was able to resolve this based on comments in this GitHub issue.

My comment explaining how I was able to implement the workaround: https://github.com/Sustainsys/Saml2/issues/1030#issuecomment-616842796

ChiefMcFrank
  • I have a similar issue with IdP-initiated login. For my setup, see https://stackoverflow.com/questions/63853661/authenticateresult-succeeded-is-false-with-okta-and-sustainsys-saml2. I am not using a sign-in manager, but am directly calling await HttpContext.AuthenticateAsync(ApplicationSamlConstants.External), and it has no information. (Works for SP-initiated, though). AuthenticateResult.None is true. Any thoughts? – JRS Sep 15 '20 at 22:30
  • @JRS are you still having trouble? I wasn't sure between your question and the GitHub comments. – ChiefMcFrank Sep 16 '20 at 01:54
  • Thanks for responding. Yes, I'm still stuck. For the most current information, please see https://stackoverflow.com/questions/63911084/idp-initiated-login-with-sustainsys-saml2-authenticateresult-has-no-informatio Note that I'm not using any manager, but am directly calling await HttpContext.AuthenticateAsync(ApplicationSamlConstants.External), so I don't think your solution for the manager class (which makes this call internally, if I understand correctly) is relevant. – JRS Sep 16 '20 at 16:06
  • Ok, I'll warn you that I'm a pretty inexperienced developer with limited exposure to SAML2, but I'll look around and see if anything catches my eye. What does your production server configuration look like? I assume IIS? – ChiefMcFrank Sep 17 '20 at 00:41
  • Yes. See my response in the SO ticket. – JRS Sep 17 '20 at 12:57