Tags: asp.net-mvc, sustainsys-saml2

User.Identity.IsAuthenticated remains false after login


I have an MVC app that I'm trying to get to use Salesforce as the SSO IdP. I'm able to get it to redirect to Salesforce for login. But after I've logged in, the following do not work as I expected: 1) The User.Identity.IsAuthenticated remains false. So, the index page is displaying "You are not login yet." even if I've logged in. 2) If I click on the About link, it redirects me to the index page if I've already signed in. If not, it takes me to Salesforce to log in and then takes me to the index page, which will display "You are not login yet".

Below is some info about my MVC app; I would appreciate any help.

Web.config:

<sustainsys.saml2 entityId="http://xxxx.xxxx.com/SAML2" returnUrl="http://localhost:51048/Home/Index" authenticateRequestSigningBehavior="Never">
    <nameIdPolicy allowCreate="true" format="Persistent" />
    <metadata cacheDuration="PT1H" validDuration="7.12:00:00" wantAssertionsSigned="true">
      <organization name="xxxx Inc" displayName="xxxx" url="https://www.xxxx.com" language="en" />
      <contactPerson type="Support" email="[email protected]" />
      <requestedAttributes>
        <add friendlyName="User Name" name="urn:Username" nameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" isRequired="true" />
        <add name="Minimal" />
      </requestedAttributes>
    </metadata>
    <identityProviders>
      <add entityId="https://xxxx.my.salesforce.com" signOnUrl="https://xxxx.xxx.my.salesforce.com/idp/login?app=xxxxxxxxxxx" allowUnsolicitedAuthnResponse="true" binding="HttpRedirect">
        <signingCertificate fileName="~/App_Data/SelfSignedCert_10Oct2017.crt" />
      </add>
    </identityProviders>
</sustainsys.saml2>

Home Controller:

public class HomeController : Controller
{
    public ActionResult Index()
    {
        return View();
    }

    [Authorize]
    public ActionResult About()
    {
        ViewBag.Message = "Your application description page.";

        return View();
    }

    public ActionResult Contact()
    {
        ViewBag.Message = "Your contact page.";

        return View();
    }
}

Index page:

@{
    ViewBag.Title = "Home Page";
}
<div class="row">
    @if (User.Identity.IsAuthenticated)
    {
        <div class="col-md-4">
            <h2>Hello @User.Identity.Name</h2>
            <p>
                Welcome.
            </p>
        </div>
    }
    else
    {
        <div class="col-md-4">
            <h2>Hello</h2>
            <p>
                You are not login yet.  Click <a href="@Url.Content("~/Saml2/SignIn")">here</a> to login
            </p>
        </div>
    }
</div>

About Page:

@{
ViewBag.Title = "About";
}
<h2>@ViewBag.Title.</h2>
<h3>@ViewBag.Message</h3>

<p>Use this area to provide additional information.</p>

Solution

  • I found the cause of the issue. It was caused by me putting the wrong ACS link when setting up the connected app in Salesforce. The ACS link has to be /Saml2/Acs for it to work (for example: http://mysite/Saml2/Acs). This fixed my "User.Identity.IsAuthenticated remains false" issue. But I encountered two additional issues after that was fixed.

    One is related to Salesforce using SHA1 encryption that is unacceptable for SAML2. For that I added the minIncomingSigningAlgorithm="SHA1" attribute to the sustainsys.saml2 element in web.config to bypass the issue:

      <sustainsys.saml2 .... minIncomingSigningAlgorithm="SHA1">

    The other issue is related to Salesforce not including the InResponseTo element in the response. For this, I added the ignoreMissingInResponseTo attribute to bypass the error:

    <sustainsys.saml2 ....>
         ....
         <compatibility ignoreMissingInResponseTo="true">
         </compatibility>
         ....
    </sustainsys.saml2>
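The three findings in the solution (an ACS URL at the IdP that does not point at /Saml2/Acs, accepting SHA1 signatures, and ignoring a missing InResponseTo) are all things you can check mechanically before going live. The script below is an added example, not code from the question or from the Sustainsys.Saml2 project: it parses a sustainsys.saml2 section, derives the ACS URL the IdP must be given, compares it with the ACS URL registered on the IdP side (a constructed value here), and lists settings that loosen response validation. It assumes the app is hosted at the root of the origin in returnUrl, so the ACS URL is that origin plus /Saml2/Acs; an app under a virtual directory would need its base path inserted.

```python
"""Sanity checks for a Sustainsys.Saml2 <sustainsys.saml2> config section.

Added example (not part of the original question or of Sustainsys.Saml2).
SP_CONFIG_XML is the questioner's section with the two workarounds from the
Solution applied; the IdP-side ACS URL passed to acs_mismatch() is constructed.
"""
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Constructed: the SP section after the fixes described in the Solution.
SP_CONFIG_XML = """<sustainsys.saml2 entityId="http://xxxx.xxxx.com/SAML2"
    returnUrl="http://localhost:51048/Home/Index"
    authenticateRequestSigningBehavior="Never"
    minIncomingSigningAlgorithm="SHA1">
  <metadata cacheDuration="PT1H" validDuration="7.12:00:00" wantAssertionsSigned="true" />
  <identityProviders>
    <add entityId="https://xxxx.my.salesforce.com"
         signOnUrl="https://xxxx.xxx.my.salesforce.com/idp/login?app=xxxxxxxxxxx"
         allowUnsolicitedAuthnResponse="true" binding="HttpRedirect" />
  </identityProviders>
  <compatibility ignoreMissingInResponseTo="true" />
</sustainsys.saml2>"""

# The Assertion Consumer Service path named in the Solution.
ACS_PATH = "/Saml2/Acs"


def expected_acs_url(config_xml: str) -> str:
    """ACS URL to register at the IdP: origin of returnUrl plus /Saml2/Acs.

    Assumption: the application is hosted at the root of that origin.
    """
    root = ET.fromstring(config_xml)
    parts = urlsplit(root.get("returnUrl"))
    return f"{parts.scheme}://{parts.netloc}{ACS_PATH}"


def _normalize(url: str) -> tuple:
    """Compare scheme and host case-insensitively and ignore a trailing slash."""
    p = urlsplit(url)
    return (p.scheme.lower(), p.netloc.lower(), p.path.rstrip("/"))


def acs_mismatch(config_xml: str, idp_side_acs_url: str) -> bool:
    """True when the ACS URL registered at the IdP is not the SP's ACS endpoint.

    This is the misconfiguration behind the original symptom: the IdP posts the
    response somewhere other than /Saml2/Acs, so no session is ever created.
    """
    return _normalize(idp_side_acs_url) != _normalize(expected_acs_url(config_xml))


def audit_weak_settings(config_xml: str) -> list:
    """List settings that relax validation of incoming SAML responses.

    Only explicitly configured values are reported; no library defaults are assumed.
    """
    root = ET.fromstring(config_xml)
    findings = []

    if root.get("minIncomingSigningAlgorithm", "").upper() == "SHA1":
        findings.append("minIncomingSigningAlgorithm=SHA1: SHA-1 signed responses are accepted")

    compat = root.find("compatibility")
    if compat is not None and compat.get("ignoreMissingInResponseTo", "").lower() == "true":
        findings.append("ignoreMissingInResponseTo=true: responses need not reference the AuthnRequest")

    for idp in root.findall("./identityProviders/add"):
        if idp.get("allowUnsolicitedAuthnResponse", "").lower() == "true":
            findings.append(f"{idp.get('entityId')}: allowUnsolicitedAuthnResponse=true, IdP-initiated logins accepted")

    md = root.find("metadata")
    if md is not None and md.get("wantAssertionsSigned", "").lower() == "false":
        findings.append("wantAssertionsSigned=false: metadata does not ask the IdP to sign assertions")

    return findings


if __name__ == "__main__":
    print("Register this ACS URL at the IdP:", expected_acs_url(SP_CONFIG_XML))
    # Constructed: the wrong ACS URL from the question (the return page instead of /Saml2/Acs).
    print("Mismatch with the IdP-side value:", acs_mismatch(SP_CONFIG_XML, "http://localhost:51048/Home/Index"))
    for f in audit_weak_settings(SP_CONFIG_XML):
        print("-", f)
```

Run it once with the real web.config section and the ACS URL copied from the connected app's settings. The two workarounds from the solution show up in the audit output on purpose: they make the Salesforce integration work, but each one accepts a response the library would otherwise reject, so they are worth recording as known deviations rather than leaving silently in place.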