How to get Username by passing SAMLResponse to the IDP

I have successfully authenticated by using the IDP and I stored the SAML Response in my cookies. If I close the browser and re-open it, I will pass my SAMLResponse to the IDP and I need to get the user details linked to that SAMLResponse, so that I will not be prompted for the login in the IDP. I will not call the InitiateSSO method; I will redirect to my default page based on the response I get by passing the SAMLResponse to the IDP.

You shouldn’t store the SAML response or pass it to the IdP.
You should call SAMLServiceProvider.ReceiveSSO to receive and process the SAML response.
The API returns the user name and attributes to your application.
You should use this information to automatically login the user locally.
Usually this means an authentication cookie is set for your application.
You can store additional information in the user’s session if you wish but usually it’s sufficient to establish an authentication session.
Note that the IdP will also maintain a separate authentication session for the user which is independent of your SP authentication session.
If the IdP’s authentication session hasn’t expired, the user won’t have to login again.
If it has expired, the user will be prompted to login.


When I am trying to call SAMLServiceProvider.ReceiveSSO it is showing an HTTP Post error, like "The message is not an HTTP POST."
To the IDP, initially we are calling the InitiateSSO method. Will the IDP check the session and return back to us at the AssertionConsumer page?

The error indicates you’re receiving an HTTP Get at your assertion consumer service.
The SAML response is sent in an HTTP.
Do you have a dedicated assertion consumer service endpoint that’s only used for receiving SAML responses?
If so, is it possible a redirect is occurring to this URL?
On the IdP side, SAMLIdentityProvider.InitiateSSO constructs and sends a SAML response to the SP’s assertion consumer service URL.
The IdP application is responsible for determining whether the user is authenticated and, if not, getting them to login.
Once authenticated, the IdP application calls SAMLIdentityProvider.InitiateSSO to initiate SSO to the SP.
I recommend running the ExampleIdentityProvider and ExampleServiceProvider projects to see SSO in action and to understand how to call the API.
You’ll find these projects under the Examples\SSO\HighLevelAPI\WebForms folder.
They’re also described in the Examples Guide.
https://www.componentspace.com/Forums/9351/Examples-Guide


Team,

I have set the start page as AssertionConsumer.aspx and I am calling ReceiveSSO on the page load; it is showing the same HttpPost error.

Do you have a dedicated assertion consumer service endpoint that's only used for receiving SAML responses?
Yes, we have AssertionConsumer.aspx page to receive the SSO from the IDP.

If so, is it possible a redirect is occurring to this URL?
I have set the start page to the AssertionConsumer page, so that it will automatically redirect to the page, but I am facing the same error.

On the IdP side, SAMLIdentityProvider.InitiateSSO constructs and sends a SAML response to the SP's assertion consumer service URL.
In the IDP, do we have any method to check whether the user is authenticated or not at the IDP level?

How do we check the session at the IDP level? What key is used to store and check the sessions at the IDP level?

I am using SP-initiated SSO to log in, and I don't need to log in if the session exists in the IDP.

Don’t set the AssertionConsumer.aspx page as the start page as that will cause it to receive an HTTP Get.
The AssertionConsumer.aspx page’s sole purpose is to receive HTTP Posts containing SAML responses.
Anything else will cause an error.
The IdP application is responsible for checking whether the user is authenticated locally at the IdP.
How you do this will depend on the authentication mechanism you use.
If you’re using forms authentication, your application would check if the user is authenticated by calling User.Identity.IsAuthenticated.
If you’re using OWIN/Microsoft Identity, you would check the User.Identity.IsAuthenticated property.
Our ExampleIdentityProvider and MvcExampleIdentityProvider projects demonstrate both of these respectively.
Your application is responsible for handling the user authentication.
Our SAML API places no restrictions on the authentication mechanism you use.
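
The SP-side flow described in the replies above, as an added example that is not part of the original thread or ComponentSpace's sample code: a WebForms code-behind for AssertionConsumer.aspx that rejects anything other than an HTTP POST, calls SAMLServiceProvider.ReceiveSSO, and sets a local forms authentication cookie instead of storing the SAML response. The ReceiveSSO overload, the `DefaultPage` value and the `IsLocalPath` helper are assumptions; check the overload against your installed version.

```csharp
// Added example: AssertionConsumer.aspx.cs for a WebForms service provider.
using System;
using System.Collections.Generic;
using System.Web.Security;
using ComponentSpace.SAML2;

public partial class AssertionConsumer : System.Web.UI.Page
{
    // Assumption: the SP's normal landing page (protected by forms authentication).
    private const string DefaultPage = "~/Default.aspx";

    protected void Page_Load(object sender, EventArgs e)
    {
        // This endpoint only receives SAML responses via HTTP POST.
        // A GET (start page, bookmark, stray redirect) is rejected before ReceiveSSO runs.
        if (!string.Equals(Request.HttpMethod, "POST", StringComparison.OrdinalIgnoreCase))
        {
            Response.StatusCode = 405;
            Response.AddHeader("Allow", "POST");
            Response.End();
            return;
        }

        bool isInResponseTo;
        string partnerIdP, authnContext, userName, targetUrl;
        IDictionary<string, string> attributes;

        // Assumption: overload with authnContext; older releases may omit that parameter.
        // ReceiveSSO throws if the SAML response fails processing, so no cookie is set.
        SAMLServiceProvider.ReceiveSSO(Request, out isInResponseTo, out partnerIdP,
            out authnContext, out userName, out attributes, out targetUrl);

        // Establish the local SP session. The SAML response itself is not kept.
        FormsAuthentication.SetAuthCookie(userName, false);

        // Only follow the returned target URL if it is a path on this site.
        Response.Redirect(IsLocalPath(targetUrl) ? targetUrl : DefaultPage, false);
    }

    // Hypothetical helper: accepts "/path" but not "//host" or "/\host".
    private static bool IsLocalPath(string url)
    {
        return !string.IsNullOrEmpty(url) && url[0] == '/'
            && (url.Length == 1 || (url[1] != '/' && url[1] != '\\'));
    }
}
```

On later visits the forms authentication cookie identifies the user at the SP; if it has expired, the SP starts SP-initiated SSO again and the IdP's own session decides whether a login prompt appears.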


Thanks for the quick response.
The IDP and SP are two different projects. The same IDP will be called by many users to authenticate. Suppose user1 is logged in at the IDP level; if user1 opens the same URL (SP) again, it hits the IDP. We are not passing any user details, we are just passing PartnerIDP. How will the IDP authenticate that the request is from user1, and how will it redirect back to the AssertionConsumer page in the SP?

I checked the code. It maintains session[ssoPendingState] and User.Identity.IsAuthenticated, and based on the two values it redirects to the login page for credentials. But for me, every time it is redirecting to the login page in the IDP. The session is getting cleared and there is no value in User.Identity.IsAuthenticated.
Please help me out with this.

Typically the IdP maintains the user’s authentication session with a browser cookie.
As long as the user is using the same browser session, the authentication cookie will be presented to the IdP.
The IdP will know that the user is already authenticated.
This is just standard user authentication session management and not specific to SAML SSO.
If the IdP is always redirecting to its login page, either the user isn’t in the same browser session or there’s an issue with the IdP application.
Our example IdPs work correctly in this regard.