Setting SAMLController.ConfigurationID removes the pending authentication request

We are planning to use multi-tenancy by using the URI to decide which IdP we're going to use.
We use the following code:

[AllowAnonymous]
[Route("saml/{idp}/ssoservice")]
public async Task<ActionResult> SsoServiceForBrin(string idp, [System.Web.Http.FromBody] string samlrequest)
{
    // Select the tenant's IdP configuration from the {idp} route segment.
    var configurationId = _configuration.GetConfigurationIdFromProviderId(idp);
    SAMLController.ConfigurationID = configurationId;
    // ConfigurationID is set in Redis with the provided configurationID

    SAMLIdentityProvider.ReceiveSSO(Request, out var partnerSp);
    // ConfigurationID is now gone in Redis

    // temporarySessionId is assigned elsewhere in our code (not shown here).
    return RedirectToAction("SsoServicePostLogin", new { sid = temporarySessionId });
}

[Authorize]
public async Task<ActionResult> SsoServicePostLogin(string sid)
{
    SAMLController.ConfigurationID = RetrieveSession(sid);
    // ConfigurationID is set in Redis with the provided configurationID
    // -> AND removing the pending authentication request

    // nepri and attributes are built elsewhere in our code (not shown here).
    SAMLIdentityProvider.SendSSO(Response, nepri, attributes);
    // An error is shown: "There is no pending service provider authentication request"
    // Which makes sense because it's overwritten with the ConfigurationID

    return new EmptyResult();
}

// Load configuration at runtime: build a SAMLConfiguration for the tenant,
// register it with SAMLController and return its ID (the provider ID).
private string GetConfigurationIdFromProviderId(string providerId)
{
    var samlConfiguration = new SAMLConfiguration
    {
        ID = providerId,
        LocalIdentityProviderConfiguration = new LocalIdentityProviderConfiguration
        {
            Name = GetEntityIdForProviderId(providerId),
            Description = $"Tenant {providerId}",
            LocalCertificateFile = locationPath,     // defined elsewhere (not shown)
            LocalCertificatePassword = password,     // defined elsewhere (not shown)
        },
        // Loading the partner SPs from the configuration file
        PartnerServiceProviderConfigurations = SAMLConfigurationFile.Load("config/saml-idp.config").First().Value.PartnerServiceProviderConfigurations
    };
    SAMLController.Configurations.Add(providerId, samlConfiguration);
    return providerId;
}


We store these sessions in Redis. Without setting SAMLController.ConfigurationID it works for a single tenant.
With it, it returns an error that there is no pending service provider authentication request.

What are we doing wrong? I expected that the ConfigurationID is stored in the pending authentication request.
We use version 2.8.0.

Thanks in advance.
René Bosma

Hi René,
Setting SAMLController.ConfigurationID shouldn't cause this error. Instead, it occurs if you call SAMLIdentityProvider.SendSSO with no prior call to SAMLIdentityProvider.ReceiveSSO, or if the SAML session state used to remember the previous SAMLIdentityProvider.ReceiveSSO isn't present. In version 2.8.0 the SAML session state is stored in the ASP.NET session. Is it possible the ASP.NET session has been cleared? Are you using a web farm and, if so, are you either using a central store for the ASP.NET sessions or a load balancer with sticky sessions? If not, the ReceiveSSO and SendSSO calls could be occurring on different servers.
If there’s still an issue, please enable SAML trace and send the generated log file as an email attachment to support@componentspace.com mentioning your forum post.
https://www.componentspace.com/Forums/17/Enabing-SAML-Trace

We have an implementation of AbstractSSOSessionStore for Redis, which we set via SAMLController.SSOSessionStore.
I am running this locally on my development machine.

I will create a trace. Thanks

Ok, thanks.

[quote]
ComponentSpace - 6/17/2019
Ok, thanks.
[/quote]

Here is the log

I've found the problem. We had an implementation of AbstractSSOSessionStore that apparently only worked for a single tenant: we did nothing with the type, and that's why it was overwritten.

public override object Load(Type type) { }          // the type argument was ignored
public override void Save(object ssoSession) { }     // everything was saved under the same key


That was a gotcha! It makes sense now. Do you have documentation that addresses this?

Thanks
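To illustrate the fix René describes, here is an added example of a Redis-backed AbstractSSOSessionStore that keys every entry by the browser's session ID and the saved object's type, so the pending authentication request recorded by ReceiveSSO is not overwritten by a later Save of a different object. This is example code written for this page, not code from the thread or from ComponentSpace. Assumptions: the base class lives in ComponentSpace.SAML2.Data and declares the Load(Type) and Save(object) overrides shown in the post (if your version also requires a Delete(Type) override, delete the same key); StackExchange.Redis is the client; the ASP.NET session ID identifies the browser across the ReceiveSSO, login and SendSSO redirects; the library's session objects are serializable with BinaryFormatter (the Serialize and Deserialize helpers below are mine); and the key prefix saml:sso: is arbitrary.

```csharp
using System;
using System.IO;
using System.Runtime.Serialization.Formatters.Binary;
using System.Web;
using ComponentSpace.SAML2.Data;   // assumed namespace of AbstractSSOSessionStore
using StackExchange.Redis;

// Added example, not ComponentSpace's or the poster's code.
// Each SSO session object is stored under its own key, built from the
// browser's session ID and the object's runtime type. A store that ignores
// the Type argument writes every object (including the pending SP
// authentication request that ReceiveSSO records) to one key, and each
// Save overwrites the previous one.
public class RedisSSOSessionStore : AbstractSSOSessionStore
{
    private readonly IDatabase _redis;
    private readonly TimeSpan _ttl;

    public RedisSSOSessionStore(IConnectionMultiplexer connection, TimeSpan ttl)
    {
        _redis = connection.GetDatabase();
        _ttl = ttl;
    }

    // Assumption: the ASP.NET session ID identifies the browser across the
    // ReceiveSSO -> login -> SendSSO redirects. Fail closed if there is none.
    private static string CurrentSessionId
    {
        get
        {
            var session = HttpContext.Current?.Session;
            if (session == null)
                throw new InvalidOperationException("No ASP.NET session; cannot key SAML session state.");
            return session.SessionID;
        }
    }

    // One key per (session, type), e.g. "saml:sso:<sessionId>:<type FullName>".
    private static string KeyFor(string sessionId, Type type)
    {
        if (type == null) throw new ArgumentNullException(nameof(type));
        return $"saml:sso:{sessionId}:{type.FullName}";
    }

    public override object Load(Type type)
    {
        RedisValue value = _redis.StringGet(KeyFor(CurrentSessionId, type));
        return value.IsNullOrEmpty ? null : Deserialize((byte[])value);
    }

    public override void Save(object ssoSession)
    {
        if (ssoSession == null) throw new ArgumentNullException(nameof(ssoSession));
        // Key by the runtime type so different kinds of state never collide.
        _redis.StringSet(KeyFor(CurrentSessionId, ssoSession.GetType()),
                         Serialize(ssoSession), _ttl);
    }

    // BinaryFormatter round-trips the library's serializable session objects
    // (assumption). Deserializing attacker-controlled bytes with
    // BinaryFormatter is unsafe, so this is only acceptable when Redis is
    // authenticated and reachable solely by the application.
    private static byte[] Serialize(object obj)
    {
        using (var stream = new MemoryStream())
        {
            new BinaryFormatter().Serialize(stream, obj);
            return stream.ToArray();
        }
    }

    private static object Deserialize(byte[] bytes)
    {
        using (var stream = new MemoryStream(bytes))
        {
            return new BinaryFormatter().Deserialize(stream);
        }
    }
}

// Register once at application start, e.g. in Global.asax Application_Start:
//   var redis = ConnectionMultiplexer.Connect("localhost:6379");
//   SAMLController.SSOSessionStore = new RedisSSOSessionStore(redis, TimeSpan.FromMinutes(20));
```

Two points worth checking in your own store: the key must include the type (or an equivalent discriminator), and whatever identifies the session must be the same value on the ReceiveSSO request and on the SendSSO request after login, otherwise the pending request is saved under one key and looked up under another, which produces the same "no pending service provider authentication request" error.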


Thanks for the update and the comments regarding the documentation. I’ll see that we make this clearer in a future documentation update.