How can the IdP send an "Access Denied" page to the user?

We are evaluating the ComponentSpace IdP, and we use its low-level API as we have our own 'auth' middleware.
At any time, when the user hits the IdP (through redirection), he is already authenticated by the rest of our system.
I want to add a small security enforcement to deny access to a user who happens to visit the IdP via a non-standard path, where he is not authenticated by our middleware.
So, how can I achieve that in the 'Else' section of the SingleSignOnService method, or that of SingleSignOnServiceCompletion?


using System.Threading.Tasks;
using ComponentSpace.Saml2;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Mvc;

namespace ExampleIdentityProvider.Controllers
{
    public class SamlController : Controller
    {
        private readonly ISamlIdentityProvider _samlIdentityProvider;
        private readonly SignInManager _signInManager;

        public SamlController(ISamlIdentityProvider samlIdentityProvider, SignInManager signInManager)
        {
            _samlIdentityProvider = samlIdentityProvider;
            _signInManager = signInManager;
        }

        // Returns Task<IActionResult> so that both branches can return a result.
        public async Task<IActionResult> SingleSignOnService()
        {
            // Receive the authn request from the service provider (SP-initiated SSO).
            await _samlIdentityProvider.ReceiveSsoAsync();

            // If the user is logged in at the identity provider, complete SSO immediately.
            // Otherwise have the user login before completing SSO.
            if (User.Identity.IsAuthenticated)
            {
                await CompleteSsoAsync();

                return new EmptyResult();
            }
            else
            {
                return RedirectToAction("SingleSignOnServiceCompletion");
            }
        }

        [Authorize]
        public async Task<IActionResult> SingleSignOnServiceCompletion()
        {
            await CompleteSsoAsync();

            return new EmptyResult();
        }

        // CompleteSsoAsync (not shown in this excerpt) sends the SAML response for the logged-in user.
    }
}

The return RedirectToAction("SingleSignOnServiceCompletion"); forces the user to authenticate locally if they're not already.
If instead the user should already be authenticated through your middleware and you want to fail the SSO attempt, you have a couple of choices.
You could simply redirect the user to an error page and display a suitable error message.
The alternative is to return a SAML response with an error status to the SP.
The SP will then most likely display an error page.
The following code demonstrates returning an error status.


await _samlIdentityProvider.SendSsoAsync(new Status(SamlConstants.PrimaryStatusCodes.Requester, "Access Denied"));
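A fuller version of the deny branch, as an added example written for this thread rather than code from ComponentSpace's sample: it logs the unauthenticated attempt, returns the SAML error status to partners that handle it, and shows a local error page to the rest. It assumes the ReceiveSsoAsync result exposes a PartnerName property, that an ILogger is injected, that the namespaces match the ComponentSpace sample, and the partner list and "AccessDenied" view name are constructed.

```csharp
using System.Collections.Generic;
using System.Threading.Tasks;
using ComponentSpace.Saml2;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Extensions.Logging;

public class SamlController : Controller
{
    private readonly ISamlIdentityProvider _samlIdentityProvider;
    private readonly ILogger<SamlController> _logger;

    // Constructed list (assumption): partners known to render a SAML error response properly.
    private static readonly HashSet<string> PartnersHandlingErrorStatus =
        new HashSet<string> { "https://sp.example.com" };

    public SamlController(ISamlIdentityProvider samlIdentityProvider, ILogger<SamlController> logger)
    {
        _samlIdentityProvider = samlIdentityProvider;
        _logger = logger;
    }

    public async Task<IActionResult> SingleSignOnService()
    {
        // Receive and validate the authn request from the service provider.
        var ssoResult = await _samlIdentityProvider.ReceiveSsoAsync();

        if (User.Identity.IsAuthenticated)
        {
            // Normal path: the external middleware has already authenticated the user.
            await _samlIdentityProvider.SendSsoAsync(User.Identity.Name);
            return new EmptyResult();
        }

        // Non-standard path: the request reached the IdP without the middleware's authentication.
        // Record it, then fail the SSO attempt instead of offering a local login.
        _logger.LogWarning("SSO denied: unauthenticated request from partner {Partner}", ssoResult.PartnerName);

        if (PartnersHandlingErrorStatus.Contains(ssoResult.PartnerName))
        {
            // Return a SAML response with a Requester error status; the SP shows its own error page.
            await _samlIdentityProvider.SendSsoAsync(
                new Status(SamlConstants.PrimaryStatusCodes.Requester, "Access Denied"));
            return new EmptyResult();
        }

        // Otherwise show the denial on the IdP itself (view name is an assumption).
        return View("AccessDenied");
    }
}
```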



Thank you. I tried this but am finding that the SP (Google) happens to display a blank page when I send this Status. Investigating it.

It’s possible Google doesn’t handle the error status very well.
You’re welcome to report your findings here.