Confused by AssertionConsumerService reply URL


We are totally new to SAML and testing Componentspace middleware inside an core 2.1 webapp so sorry for the newbie Q.

For sometime we have been using other authentication methods (eg Google and Microsoft) without a problem and they require the reply URL (AssertionConsumerService) to be (for example) They all need to “signin-” bit.

As we are using Componentspace middleware with Microsoft Identity we assume it requires the same format as the return URL otherwise we don’t understand how the standard “ExternalLogin.cshtml.cs” file gets called when redirected back from, in this instance, Microsoft Azure.

What confuses us further is that in the middleware demo it happily shows the reply URL as “<a href=“https://localhost:44374/SAML/AssertionConsumerService” “=””><a href=“https://localhost:44374/SAML/AssertionConsumerService” “=”“><a href=“https://localhost:44374/SAML/AssertionConsumerService””>https://localhost:44374/SAML/AssertionConsumerService" yet we cannot see any custom classes dealing with this return page.

Essentially the question is, how do we get our “ExternalLogin.cshtml.cs” called so we can then use our existing logic because at the moment we are simply seeing a 404 following the redirect from Azure after successfully logging into Azure.


It seems Azure is correctly sending us back to https://localhost:44335/SAML/AssertionConsumerService with a SAMLResponse and receicing a HTTP 302 sttaus code, but our application is forwarding to our error page as SAML/AssertionConsumerService seems not being handled.

We have this is the startup.cs class:

.AddSaml(options =>
options.PartnerName = () => Configuration[“PartnerName”];

and also

services.AddSaml(config => ConfigureSaml(config));

So not sure why ComponentSpace is not handling the response.


Hope that makes sense?!


By default, the SAML authentication handler expects the SAML response to be received at the SAML/AssertionConsumerService endpoint. We use this URL as it describes its function in the terminology of the SAML specification (ie an assertion consumer service). If required, this can be changed through the SamlAuthenticationOptions.AssertionConsumerServicePath.

The SAML authentication handler will receive and process the SAML response from the partner identity provider. If the SAML response is processed successfully, it will sign-in the user using the configured sign-in scheme. This defaults to Identity.External but can be changed through the SamlAuthenticationOptions.SignInScheme.

It then redirects to the login completion URL specified through the SamlAuthenticationOptions.LoginCompletionUrl. To tie in with Microsoft Identity, this defaults to “/Identity/Account/ExternalLogin?handler=Callback”.

If there’s still an issue, please enable SAML trace and send the generated log file as an email attachment to mentioning your forum post.