There is no pending service provider authentication request.

I am pretty new to MVC but have implemented ComponentSpace SAML2 SSO in Webforms. In learning MVC I am just trying to create a simple SP and IdP in MVC C# utilizing code structure I got from the examples and our previous Webforms applications.

One issue has been killing me this afternoon and evening. Once the IdP’s SAML controller redirects to its login controller I seem to lose the pending authentication request that I am pretty sure I was able to successfully get initially. When I am back at the SAML controller and SSOService action I get the error in subject when I send the SSO. With a few tests checking the IsSSOCompletionPending() goes from true to false as soon as I leave the initial action. Any ideas? I don’t know if I am doing something boneheaded as an MVC newbie but it seems the received request is not being stored in session as I assumed it would be by default.

Here is the SAML Controller. I would be happy to post more if it’s helpful.
[left]
using System.Collections.Generic;
using System.Web.Mvc;
using ComponentSpace.SAML2;

public class SAMLController : Controller
{
    private const string ssoPendingSessionKey = "ssoPending";

    [AllowAnonymous]
    public ActionResult SSOService()
    {
        // Is an authorization request pending?
        bool ssoPending = Session[ssoPendingSessionKey] != null && (bool)Session[ssoPendingSessionKey] == true;

        //ControllerContext.HttpContext.Response.Write("Session: " + ssoPending.ToString() + "\n");

        if (!(ssoPending && User.Identity.IsAuthenticated))
        {
            // Receive the authn request from the service provider (SP-initiated SSO).
            SAMLIdentityProvider.ReceiveSSO(Request, out string partnerSP);

            // If the user isn't logged in at the identity provider, force the user to login.
            if (!User.Identity.IsAuthenticated)
            {
                Session[ssoPendingSessionKey] = true;
                return RedirectToAction("Login", "Login");
            }
        }

        Session[ssoPendingSessionKey] = null;

        //ControllerContext.HttpContext.Response.Write("Session: " + ssoPending.ToString() + "\n");

        // The user is logged in at the identity provider.
        // Respond to the authn request by sending a SAML response containing a SAML assertion to the SP.
        // Use the configured or logged in user name as the user name to send to the service provider (SP).
        // Include some user attributes.
        string userName = User.Identity.Name;
        Dictionary<string, string> attributes = new Dictionary<string, string>
        {
            ["username"] = userName,
            ["hbid"] = "hb12345",
            ["BSEGroup"] = "banker",
            ["firstName"] = "Michael",
            ["lastName"] = "Viglianco",
            ["email"] = "mviglianco@test.com"
        };

        SAMLIdentityProvider.SendSSO(Response, userName, attributes);

        return new EmptyResult();
    }
}

[/left]

Follow up. Is the ComponentSpace session somehow different or hidden from standard session? If not then I see nothing being stored in session. If so is there something that needs to be enabled for this to work? I am also including the two saml configs below.

SP Config
[left]
<?xml version="1.0"?>

<ServiceProvider Name="http://Kyushu"
                 Description="Sample MVC Service Provider for White Clay Consulting"
                 LocalCertificateFile="SAML\Certificates\sp.pfx"
                 LocalCertificatePassword="password"
                 AssertionConsumerServiceUrl="~/SAML/CompleteSAMLLogin" />

<PartnerIdentityProvider Name="http://SampleMVCIdP"
                         Description="Sample MVC Indentity Provider for White Clay Consulting"
                         SignAuthnRequest="true"
                         SingleSignOnServiceUrl="/MVCIdP/SAML/SSOService"
                         SingleSignOnServiceBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
                         SingleLogoutServiceUrl="/MVCIdP/SAML/SLOService"
                         PartnerCertificateFile="SAML\Certificates\idp.cer"/>


[/left]

IdP Config
[left]

<IdentityProvider Name="http://SampleMVCIdP"
                  Description="Sample MVC Identity Provider for White Clay Consulting"
                  LocalCertificateFile="SAML\Certificates\idp.pfx"
                  LocalCertificatePassword="password"/>

<PartnerServiceProvider Name="http://kyushu"
                        Description="Sample MVC Service Provider for White Clay Consulting"
                        WantAuthnRequestSigned="true"
                        SignSAMLResponse="true"
                        SignAssertion="false"
                        EncryptAssertion="false"
                        AssertionConsumerServiceUrl="/Kyushu/SAML/SSOCompletionService"
                        SingleLogoutServiceUrl="/Kyushu/SAML/SLOService"
                        PartnerCertificateFile="SAML\Certificates\sp.cer"/>



[/left]

We store the SAML session state in a separate “SAML_SessionId” cookie.
By default this cookie is marked as secure.
In the current release, if you’re using HTTP rather than HTTPS the browser won’t send the cookie and therefore the session information is being lost.
I suspect that might be what’s happening here.
To turn off the secure flag, set the ComponentSpace.SAML2.Data.SessionIDDelegates.SecureSAMLCookie property to false at application start-up.
If there’s still an issue, please enable SAML trace and send the generated log file as an email attachment to support@componentspace.com mentioning your forum post.
https://www.componentspace.com/Forums/17/Enabing-SAML-Trace
NB. In an upcoming release we don’t set the secure flag if HTTP is being used. Of course, we recommend using HTTPS in production.
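
One way to apply the setting from the reply above so that it stays a development-only opt-in, with a start-up and per-request warning for the failure it describes. This is an added example, not ComponentSpace's or the poster's code; the `SamlAllowInsecureCookie` appSettings key and the `/SAML/` path check are assumptions, and `SecureSAMLCookie` is assumed to be a static, settable property as the reply describes.

```csharp
// Global.asax.cs (only the SAML-related parts; route/filter registration omitted)
using System;
using System.Configuration;
using System.Diagnostics;
using System.Web;
using ComponentSpace.SAML2.Data;

public class MvcApplication : HttpApplication
{
    // Hypothetical appSettings key; set it to "true" only in a local HTTP development web.config.
    private const string AllowHttpKey = "SamlAllowInsecureCookie";

    // Mirrors what was configured below so the diagnostic does not depend on reading library state.
    private static bool samlCookieIsSecure = true;

    protected void Application_Start()
    {
        bool allowHttp = string.Equals(
            ConfigurationManager.AppSettings[AllowHttpKey], "true",
            StringComparison.OrdinalIgnoreCase);

        if (allowHttp)
        {
            // Property named in the reply above; assumed to be static and settable.
            SessionIDDelegates.SecureSAMLCookie = false;
            samlCookieIsSecure = false;
            Trace.TraceWarning("SAML_SessionId Secure flag is OFF (development only).");
        }
    }

    protected void Application_BeginRequest(object sender, EventArgs e)
    {
        // Assumption: SAML endpoints live under a /SAML/ route, as in the configs on this page.
        bool samlEndpoint = Request.Path.IndexOf("/SAML/", StringComparison.OrdinalIgnoreCase) >= 0;

        // A Secure cookie set on this response is not returned over plain HTTP, so the
        // pending authn request stored by ReceiveSSO cannot be found when SendSSO runs.
        // Behind a TLS-terminating proxy IsSecureConnection is false although the browser
        // uses HTTPS, so treat this as a hint, not proof.
        if (samlEndpoint && samlCookieIsSecure && !Request.IsSecureConnection)
        {
            Trace.TraceWarning(
                "SAML request over HTTP with a Secure SAML_SessionId cookie: {0}. " +
                "Pending SSO state will be lost; use HTTPS.", Request.Path);
        }
    }
}
```

Leaving the key out of the production web.config keeps the library default, so the cookie stays marked as secure there.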

[quote]
ComponentSpace - 5/13/2019
We store the SAML session state in a separate "SAML_SessionId" cookie.
By default this cookie is marked as secure.
In the current release, if you're using HTTP rather than HTTPS the browser won't send the cookie and therefore the session information is being lost.
I suspect that might be what's happening here.
To turn off the secure flag, set the ComponentSpace.SAML2.Data.SessionIDDelegates.SecureSAMLCookie property to false at application start-up.
If there's still an issue, please enable SAML trace and send the generated log file as an email attachment to support@componentspace.com mentioning your forum post.
https://www.componentspace.com/Forums/17/Enabing-SAML-Trace
NB. In an upcoming release we don't set the secure flag if HTTP is being used. Of course, we recommend using HTTPS in production.
[/quote]

This makes sense as the working versions I have use https. I changed that for this version while I was getting everything else worked out. Thanks. I will get back to this soon and return if I have further questions.

You’re welcome.