We've implemented SAML2 authentication with the Sustainsys.Saml2 library, this is on a webforms project with .Net 4.7.2
The configuration of Sustainsys is in the web.config file, we can't change anything about the identity provider
After loggin in, we can read the unique identifier that we need for the current user:
var claims = System.Security.Claims.ClaimsPrincipal.Current.Claims;
var name = claims.First(c => c.Type == "urn:oid:0.9.2342.19200300.100.1.1").Value;
but we would like that it would be present also in HttpContext.Current.User.Identity.Name
Is there a way to configure Sustainsys (keeping the app as a webform, with the OWIN integration) so that it can read that specific claim as the User.Name when it performs the authentication?
Some configuration attribute for web.config or code for global.asax?
Related
Context
I have a Service Provider (SP) based on IdentityServer 4 and Sustainsys.Saml2.AspNetCore2 that is configured to use Azure as an IdP (SAML2).
I also have a SPA with an api that connects to my SP (with oidp) to identify my user. The api then creates a JWT for my user to use.
I can login my user correctly.
Question
My issue comes with the logout. I want to use the logout url parameter of Azure to notify my SP about the logout. I manage to see the SAML Logout Request as a string when I configure an endpoint of mine but I can't exploit it and parsing it manually does't seem right.
Is there an existing endpoint that would come with my dependencies that I missed?
The goal here is to revoke all my user's application sessions (the apps to which my user is connected throug my SP).
Configuration
Idp configuration in the SP (called in Startup.cs).
The Saml2AuthModel comes from a config file.
public static AuthenticationBuilder AddSaml2Auth(this AuthenticationBuilder builder, Saml2AuthModel saml2AuthModel)
{
builder.AddSaml2(saml2AuthModel.Scheme, saml2AuthModel.DisplayName ?? saml2AuthModel.Scheme, options =>
{
options.SignInScheme = IdentityServerConstants.ExternalCookieAuthenticationScheme;
options.SignOutScheme = IdentityServerConstants.SignoutScheme;
options.SPOptions.EntityId = new EntityId(saml2AuthModel.ServiceProviderEntityId);
options.SPOptions.ModulePath = "/" + saml2AuthModel.ModulePath ?? saml2AuthModel.Scheme ?? options.SPOptions.ModulePath;
var idp = new IdentityProvider(
new EntityId(saml2AuthModel.IdentityProviderEntityId),
options.SPOptions
);
idp.MetadataLocation = saml2AuthModel.IdentityProviderMetadataLocation;
options.IdentityProviders.Add(idp);
});
return builder;
}
The Sustainsys.Saml2 library has support for single logout. To enable it, you need to set up a service signing key. The reason is that logout requests and responses should be signed. So the library doesn't expose the logout endpoints if it has no signing keys available.
In my IS4's Startup.cs:
services.AddAuthentication()
.AddMicrosoftAccount(o =>
{
o.SignInScheme = IdentityServer4.IdentityServerConstants.ExternalCookieAuthenticationScheme;
o.ClientId = "clientId";
o.ClientSecret = "clientSecret";
});
I have defined the scope:
openid
profile
And I get the error after I tried to login:
unauthorized_client: The client does not exist or is not enabled for consumers. If you are the application developer, configure a new application through the App Registrations in the Azure Portal at https://go.microsoft.com/fwlink/?linkid=2083908.
It's a web app. So what am I doing wrong here:
I assume the client ID is this:
And my client secret is this:
I have also set up the redirect URI:
The error means the Supported account types are not set for the personal account(Microsoft account in your case).
To solve the issue, navigate to the Manifest of your App registration, set the two properties accessTokenAcceptedVersion and signInAudience like below.
"accessTokenAcceptedVersion": 2,
"signInAudience": "AzureADandPersonalMicrosoftAccount"
When you save the setting, make sure your app meets the requirement of the validation, otherwise there will be some errors.
I'm currently trying to get Okta to work with our MVC based application. Unfortunatly I am not the original designer or author of original code. However after some digging I have found that my predecessors work was based on the sustainsys example app "SampleOwinApplication" and this certainly seems to provided the functionality that we require. So I have based my query on this sample that can be obtained from https://github.com/Sustainsys/Saml2
This works with the sustainsys saml stub but now a genuine authentication provider (in this case Okta)
If I configure the application to use the sustainsys stub authentication provider and using Chrome with a plugin to view SAML tokens. I can see the SAML token come back and is presented to the call back as expected:
public async Task<ActionResult> ExternalLoginCallback(string returnUrl)
{
var loginInfo = await AuthenticationManager.GetExternalLoginInfoAsync();
and when it runs loginInfo gets filed in and all works as expetced.
However when I change to configuration to use my Okta app, I get redirected to log in to Okta (as expecected) and I can see successful authentication and a SAML token comes back to my application (as seen in the Chrome plugin). However the above consumer for the callback ends up with a null value in loginInfo.
Further digging into the issue shows that in the Statup.Auth.cs there is the following code:
// Enable the application to use a cookie to store information for the signed in user
// and to use a cookie to temporarily store information about a user logging in with a third party login provider
// Configure the sign in cookie
app.UseCookieAuthentication(new CookieAuthenticationOptions
{
AuthenticationType = DefaultAuthenticationTypes.ApplicationCookie,
LoginPath = new PathString("/Account/Login"),
Provider = new CookieAuthenticationProvider
{
// Enables the application to validate the security stamp when the user logs in.
// This is a security feature which is used when you change a password or add an external login to your account.
OnValidateIdentity = SecurityStampValidator.OnValidateIdentity<ApplicationUserManager, ApplicationUser>(
validateInterval: TimeSpan.FromMinutes(30),
regenerateIdentity: (manager, user) => user.GenerateUserIdentityAsync(manager))
}
});
app.UseExternalSignInCookie(DefaultAuthenticationTypes.ExternalCookie);
and then the Saml2 authentication is added
app.UseSaml2Authentication(CreateSaml2Options());
So it looks like cookie authentication is being used rather than saml2. If I check for cookies from the sustainsys site I can see them added to the browser and authentication works as expected. However, if I use Okta for authentication, no such cookies get set and the authentication fails.
Removing all the cookie authentication references results in:
A default value for SignInAsAuthenticationType was not found in IAppBuilder Properties. This can happen if your authentication middleware are added in the wrong order, or if one is missing.
So clearly this is required, shifting the call to app.UseSaml2Authentication(CreateSaml2Options()); before app.UseCookieAuthentication in the vain hope of it changing the priority and therefore picking up the SAML token fails and whilst the code runs authentication and the call to AuthenticationManager.GetExternalLoginInfoAsync, always results in a null value being returned regardless of the authentication provider.
So I either need to completely remove the cookie authentication so it is forced to use the saml packet, get Okta to set the necessary cookies or be able to parse the saml 2 token independently rather than relying on AuthenticationManager.GetExternalLoginInfoAsync to do the work.
Any clues/advice is appreciated
See the working configuration I am currently using successfully with Okta for a service provider initiated login:
AuthenticateResult.Succeeded is false with Okta and Sustainsys.SAML2
Unfortunately, it is still not working with an identity provider initiated login.
See: IdP Initiated Login with Sustainsys.SAML2 - AuthenticateResult Has No Information
My SignalR Hub requires users to be authenticated and the following line gives me user's Id:
var userId = Context.UserIdentifier;
Similarly, I can get the whole set of claims with:
var user = Context.User.Claims;
This works fine if I use SignalR locally but if I switch to Azure SignalR Service, I get a null value in Context.UserIdentifier. I also get no claims.
Here's what I'm changing in my Startup.cs:
In the ConfigureServices() method, I use
services.AddSignalR().AddAzureSignalR(Configuration["AzureSignalR:ConnectionString"]);
instead of
services.AddSignalR();
And in the Configure() method, I use:
app.UseAzureSignalR(routes =>
{
routes.MapHub<Hubs.MyHub>("/chat");
});
instead of:
app.UseSignalR(routes =>
{
routes.MapHub<Hubs.MyHub>("/chat");
});
Do I need anything else in Azure SignalR configuration to make sure I get user's claims? Any idea why this one change prevents claims from coming through?
P.S. I'm using Azure AD B2C for user authentication and as I said, if I use SignalR locally, everything works which means the code that handles grabbing JWT token from QueryString is working fine.
SignalR service will automatically inherit the claims from your authenticated user, no special configuration is needed. I just tried Azure AD B2C sample with SignalR service and the claims can be get from HubCallerContext.
Could you please check the SignalR access token returned from negotiation to see whether the claims are returned from server at the first place? (Decode it from base64 then you'll see the claims)
I am using identity server 4 for authentication to my ASP.Net Core solution. And it is working well with Facebook, Google and other external identity provider.
And now I am trying to add SAML 2.0 authentication to the identity server using Sustainsys.Saml2 from https://github.com/Sustainsys/Saml2 and making it work as an external identity provider. (Customers to our site want to login using their SAML identity provider using our Identity Server in the same way they can login via Facebook, Google, etc)
And what I have now is the
sign in URL - https://sso.domain.com/saml/idp/profile/redirectorpost/sso
sign out URL - https://sso.domain.com/saml/idp/profile/post/sls
CRT certificate
for the SAML based identity provider of our customer.
However, I cannot find the document that describes how to setup the configuration of SAML 2.0 in identity server 4 startup.cs file.
I think the configuration should look like the following based on the sample available at:
https://github.com/Sustainsys/Saml2/blob/master/Samples/SampleAspNetCore2ApplicationNETFramework/Startup.cs
services.AddAuthentication()
.AddSaml2(options =>
{
options.SPOptions.EntityId = new EntityId("...");
options.IdentityProviders.Add(
new IdentityProvider(
new EntityId("..."), options.SPOptions)
{
LoadMetadata = true,
});
options.SPOptions.ServiceCertificates.Add(new X509Certificate2("..."));
}
);
In the sample there are two url's
https://localhost:44342/Saml2
http://localhost:52071/Metadata
What do these represent?
Can somebody tell me how to setup all the options for SAML2 in identity server 4?
is the entity id of your application - corresponding to client id in open id connect.
is the entity id of the upstream idp.
There is a sample IdSrv4 in another branch: https://github.com/Sustainsys/Saml2/tree/netstandard/Samples/SampleIdentityServer4
The sample uses the preview version for .NET Core, but the config is basically the same.
There are working IdentityServer4 samples in https://github.com/Sustainsys/Saml2/tree/master/Samples