Tags: owin, sustainsys-saml2

No redirect to SingleSignOnService location when challenge occurs in Web Forms project


I've taken over a project and some package upgrading was necessary for other things so I went from these where things worked...

<package id="Kentor.AuthServices" version="0.18.0" targetFramework="net452" />
<package id="Kentor.AuthServices.Owin" version="0.18.0" targetFramework="net452" />
<package id="Microsoft.Owin" version="3.0.1" targetFramework="net452" />
<package id="Microsoft.Owin.Host.SystemWeb" version="3.0.1" targetFramework="net452" />
<package id="Microsoft.Owin.Security" version="3.0.1" targetFramework="net452" />
<package id="Microsoft.Owin.Security.Cookies" version="3.0.1" targetFramework="net452" />

To these...

<package id="Sustainsys.Saml2" version="2.2.0" targetFramework="net472" />
<package id="Sustainsys.Saml2.Owin" version="2.2.0" targetFramework="net472" />
<package id="Microsoft.Owin" version="4.0.0" targetFramework="net472" />
<package id="Microsoft.Owin.Host.SystemWeb" version="4.0.0" targetFramework="net472" />
<package id="Microsoft.Owin.Security" version="4.0.0" targetFramework="net472" />
<package id="Microsoft.Owin.Security.Cookies" version="4.0.0" targetFramework="net472" />

I followed the migration guide but fail to get a redirect to the SingleSignOnService location when a challenge occurs in my Web Forms project.

My Web.config has the following structure...

<sustainsys.saml2 entityId="https://demo.local/AuthServices"
        returnUrl="https://demo.local"
        publicOrigin="https://demo.local"
        modulePath="/AuthServices">
    <serviceCertificates>
        <add fileName="~/somename.pfx"
            use="Signing" />
    </serviceCertificates>
    <identityProviders>
        <add entityId="My-IDP"
            allowUnsolicitedAuthnResponse="true"
            loadMetadata="true"
            metadataLocation="https://some-saml2-idp.com/metadata" />
    </identityProviders>
</sustainsys.saml2>

And my Owin startup...

var defaultSignInAsAuthType = "Cookies";

app.SetDefaultSignInAsAuthenticationType(defaultSignInAsAuthType);

app.UseCookieAuthentication(new CookieAuthenticationOptions
{
    AuthenticationType = defaultSignInAsAuthType,
    ReturnUrlParameter  = "returnUrl",
    LoginPath = new PathString("/login"),
    LogoutPath = new PathString("/logout")
});

var saml2Options = new Saml2AuthenticationOptions(true);
app.UseSaml2Authentication(saml2Options);
app.UseStageMarker(PipelineStage.Authenticate);

AntiForgeryConfig.UniqueClaimTypeIdentifier = ClaimTypes.Name;

I've tried triggering a challenge in a path mapping...

ctx.Authentication.Challenge(new AuthenticationProperties()
{
    RedirectUri = "https://demo.local"
});

My questions are whether I upgraded the Owin packages too far and whether anyone has some troubleshooting hints.


Solution

  • The default setting for active/passive has changed. Previously the middleware was active by default, which meant it listened to any Challenge call. Now it is passive, so you have to use the Challenge overload that specifies an authentication scheme and set it to "Saml2".

    The reason for the change is to better follow best practice for how middleware for external authentication should behave.
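The following startup class is an added example showing the fix the solution describes; it is not code from the Sustainsys.Saml2 project or from either poster. It assumes Sustainsys.Saml2.Owin 2.x with Microsoft.Owin 4.x, keeps the `<sustainsys.saml2>` section from the Web.config above as the source of identity provider settings, and assumes the cookie middleware's `LoginPath` of `/login` is where the challenge is issued. The `IsLocalPath` helper and the `/logout` mapping are illustrative additions.

```csharp
using System.Security.Claims;
using System.Threading.Tasks;
using System.Web.Helpers;
using Microsoft.Owin;
using Microsoft.Owin.Security;
using Microsoft.Owin.Security.Cookies;
using Owin;
using Sustainsys.Saml2.Owin;

// Added example (not the library's own code): OWIN startup for the Web Forms scenario.
public class Startup
{
    private const string CookieAuthType = "Cookies";

    public void Configuration(IAppBuilder app)
    {
        app.SetDefaultSignInAsAuthenticationType(CookieAuthType);

        app.UseCookieAuthentication(new CookieAuthenticationOptions
        {
            AuthenticationType = CookieAuthType,
            ReturnUrlParameter = "returnUrl",
            LoginPath = new PathString("/login"),
            LogoutPath = new PathString("/logout")
        });

        // true = read the <sustainsys.saml2> section from Web.config.
        // In Sustainsys.Saml2 2.x the middleware is passive by default: it ignores a bare
        // Challenge() and only reacts when the challenge names its authentication type,
        // which is "Saml2" unless you override options.AuthenticationType.
        var saml2Options = new Saml2AuthenticationOptions(true);
        app.UseSaml2Authentication(saml2Options);
        app.UseStageMarker(PipelineStage.Authenticate);

        // The cookie middleware sends unauthenticated users here. Challenging "Saml2"
        // explicitly is what makes the middleware build the AuthnRequest and redirect
        // the browser to the IdP's SingleSignOnService location.
        app.Map("/login", map => map.Run(ctx =>
        {
            var returnUrl = ctx.Request.Query["returnUrl"];
            var props = new AuthenticationProperties
            {
                // Accept only a relative path so the login endpoint cannot be used
                // to bounce the user to an arbitrary external site after sign-in.
                RedirectUri = IsLocalPath(returnUrl) ? returnUrl : "/"
            };
            ctx.Authentication.Challenge(props, saml2Options.AuthenticationType);
            return Task.CompletedTask;
        }));

        app.Map("/logout", map => map.Run(ctx =>
        {
            ctx.Authentication.SignOut(CookieAuthType);
            ctx.Response.Redirect("/");
            return Task.CompletedTask;
        }));

        AntiForgeryConfig.UniqueClaimTypeIdentifier = ClaimTypes.Name;
    }

    // Hypothetical helper: a returnUrl is local only if it is a single-slash-rooted path.
    private static bool IsLocalPath(string url) =>
        !string.IsNullOrEmpty(url)
        && url.StartsWith("/")
        && !url.StartsWith("//")
        && !url.StartsWith("/\\");
}
```

The behaviour described in the solution can also be checked in reverse: setting `saml2Options.AuthenticationMode = AuthenticationMode.Active` (from Microsoft.Owin.Security) makes the old scheme-less `Challenge(props)` call work again, which confirms the missing redirect was the passive default rather than a package mismatch. Leaving the middleware passive and naming the scheme, as above, is the behaviour the solution recommends.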