SP initiated login via IdentityServer4 Integration returning to wrong page after SAML authentication

Greetings,

I have followed the instructions here for setting up ComponentSpace with IdentityServer using the ServiceStack IdentityServer4 demo as a base. The ServiceStack demo works fine for authentication, including with external providers such as Google, and most of the SAML authentication also works fine. I am trying to test it with ComponentSpace SAML, using the ComponentSpace ExampleIdentityProvider to test against.

Clicking on the “SAML” button on the external providers page takes me to the IdP login page and I’m able to login. The logs show that the SAML authentication was successful.


2019-06-13 22:07:24.113 -07:00 [DBG] The SAML assertion has passed all security checks.
2019-06-13 22:07:24.113 -07:00 [DBG] The name identifier from the SAML assertion is: rudy@acme.com
2019-06-13 22:07:24.113 -07:00 [DBG] SSO session state for saml-session-0e64442a-98c6-44a4-b6f8-088178b60672-SamlState is being saved to the distributed cache.
2019-06-13 22:07:24.113 -07:00 [DBG] SAML session state (0e64442a-98c6-44a4-b6f8-088178b60672):
SP state:
SSO session state:
Partner name: https://ExampleIdentityProvider
Name ID: <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">rudy@acme.com</saml:NameID>
Session index: _ada27727-fc95-4d18-8539-06226f3dca2f

2019-06-13 22:07:24.113 -07:00 [DBG] An SSO response from the partner identity provider https://ExampleIdentityProvider has been successfully received.
2019-06-13 22:07:24.113 -07:00 [DBG] The SAML authentication handler is signing in rudy@acme.com.
2019-06-13 22:07:24.114 -07:00 [INF] AuthenticationScheme: idsrv.external signed in.
2019-06-13 22:07:24.113 -07:00 [DBG] An SSO response from the partner identity provider https://ExampleIdentityProvider has been successfully received.
2019-06-13 22:07:24.113 -07:00 [DBG] The SAML authentication handler is signing in rudy@acme.com.
2019-06-13 22:07:24.114 -07:00 [INF] AuthenticationScheme: idsrv.external signed in.


However, instead of being redirected back to my application after login, I then get a 404 when redirected to the following page: http://localhost:5000/Identity/Account/ExternalLogin?handler=Callback

On the IdentityServer4 login page, the URL was:
ReturnUrl=/connect/authorize/callback?client_id=mvc
&redirect_uri=http://localhost:5002/signin-oidc

On the ExampleIdentityProvider page, the URL was:
https://localhost:44313/Identity/Account/Login?ReturnUrl=/Saml/SingleSignOnServiceCompletion

I can’t figure out what I’m doing wrong here. Any help much appreciated.

Thanks!

By default the SAML authentication handler redirects to “/Identity/Account/ExternalLogin?handler=Callback” after SSO has completed and the user has been signed in. This works well if you’re using Microsoft Identity.
You can change this value by setting the SamlAuthenticationOptions.LoginCompletionUrl. For example:


services.AddAuthentication().AddSaml(options =>
{
    options.LoginCompletionUrl = (relayState) => "put the return URL here";
});


If your application is initiating the challenge/SSO, you have the option of specifying an AuthenticationProperties.RedirectUri which will be used instead of the LoginCompletionUrl.
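As an added example (not ComponentSpace's code or the poster's), here is how the two completion mechanisms described above fit together, with the relay state treated as untrusted input: the LoginCompletionUrl callback only returns the relay state when it is an application-local path and otherwise falls back to a fixed callback. The AddSaml extension and the SamlAuthenticationOptions.LoginCompletionUrl property are the ones named in the reply; the class name SamlAuthSetup, the helper SafeLocalUrl and the default path "/External/Callback" are assumptions for illustration.

```csharp
// Added example; not ComponentSpace's or the forum poster's code.
// Assumes the ComponentSpace AddSaml extension and SamlAuthenticationOptions.LoginCompletionUrl
// referenced in the reply above. SamlAuthSetup and SafeLocalUrl are hypothetical names.
using System;
using Microsoft.AspNetCore.Authentication;
using Microsoft.Extensions.DependencyInjection;

public static class SamlAuthSetup
{
    // Fallback used when no AuthenticationProperties.RedirectUri was supplied by the challenge
    // and the relay state is missing or not local (assumed path of the external-login callback).
    public const string DefaultCompletionUrl = "/External/Callback";

    // RelayState is chosen by whoever started the SSO flow and comes back with the SAML response,
    // so it must not be used as a redirect target unless it is a local path. The checks mirror
    // the rules ASP.NET Core's Url.IsLocalUrl applies: a single leading "/" and not "//" or "/\",
    // which browsers interpret as protocol-relative URLs to another host.
    public static string SafeLocalUrl(string relayState)
    {
        if (string.IsNullOrWhiteSpace(relayState))
        {
            return DefaultCompletionUrl;
        }

        bool isLocal = relayState.StartsWith("/", StringComparison.Ordinal)
            && !relayState.StartsWith("//", StringComparison.Ordinal)
            && !relayState.StartsWith("/\\", StringComparison.Ordinal);

        return isLocal ? relayState : DefaultCompletionUrl;
    }

    public static void ConfigureSaml(IServiceCollection services)
    {
        services.AddAuthentication()
            .AddSaml(options =>
            {
                // Only consulted when the challenge did not set AuthenticationProperties.RedirectUri.
                // Instead of the default "/Identity/Account/ExternalLogin?handler=Callback" used with
                // Microsoft Identity, land on the application's own callback.
                options.LoginCompletionUrl = relayState => SafeLocalUrl(relayState);
            });
    }
}
```

When the application itself starts the flow, setting AuthenticationProperties.RedirectUri on the Challenge call takes precedence, so the callback above only matters for IdP-initiated SSO or challenges that omit RedirectUri; in both cases the return target should be validated the same way the IdentityServer4 QuickStart validates its returnUrl.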

[quote]
ComponentSpace - 6/14/2019
If your application is initiating the challenge/SSO, you have the option of specifying an AuthenticationProperties.RedirectUri which will be used instead of the LoginCompletionUrl.
[/quote]

I do specify the RedirectUri in the AuthenticationProperties when I initiate the SSO. I'm just using the QuickStart UI from IdentityServer as shown below:


// start challenge and roundtrip the return URL and scheme
var props = new AuthenticationProperties
{
    RedirectUri = Url.Action(nameof(Callback)),
    Items =
    {
        { "returnUrl", returnUrl },
        { "scheme", provider },
    }
};
return Challenge(props, provider);


Setting a break point and showing the RedirectUri before the Challenge call shows a value of:
"/External/Callback"
I tried setting a full Url explicitly before the Challenge call with:

props.RedirectUri = "http://localhost:5000/External/Callback";


But there was no change; I am still redirected to: http://localhost:5000/Identity/Account/ExternalLogin?handler=Callback

I am wondering if I'm having the same issue described here: https://www.componentspace.com/Forums/9518/SamlAuthenticationHandler-Challenge-redirectUri
But I'm not quite following the solution.



Please enable SAML trace and send the complete log file as an email attachment to support@componentspace.com mentioning your forum post.
When we receive the challenge we log the AuthenticationProperties.RedirectUri.