
Refreshing user claims dynamically when using itfoxtec-identity-saml2


I have implemented the ITFoxtec Identity SAML2 package in an ASP.NET Core 2.2 application, and it's working great!

One of our application requirements is that the claims of a user (what roles they are in, etc.) should be updated when an administrative user changes their role membership - thereby "invalidating" the claims in their cookie so that they must be updated. I've been researching the subject and most of the information I can find pertains to the ASP.NET Identity UserManager/RoleManager/SecurityStamp/SignInManager way of managing users - we do not use this method and do not intend to use this method given that we use Saml2 instead.

Do you have any suggestions on how to trigger a claims refresh once a person is logged in via ITFoxtec-Identity-Saml2, without forcing them to actually re-login?

Much appreciated!


Solution

  • I'm afraid that your scenario is not supported by the SAML 2.0 standard(s). Basically, SAML 2.0 requires the user to re-authenticate to load the new claims.

    Depending on which IdP you are using, you can either force the user to re-authenticate and thereby load the new claims.

    Force login:

    var authnRequest = new Saml2AuthnRequest(saml2Config)
    {
        ForceAuthn = true, // IdP must re-authenticate the user even if an IdP session already exists
        ...
    };

    OR a passive login, which is a smooth solution if the IdP loads the updated claims on a passive login request without re-authentication. Then the IdP is called but the user never discovers it.

    Passive login request:

    var authnRequest = new Saml2AuthnRequest(saml2Config)
    {
        IsPassive = true, // IdP must answer without any user interaction
        ...
    };

    Alternatively, you need to implement a custom solution where the application calls an endpoint, secured by the SAML token. The endpoint queries the user's claims in e.g. a database and returns the updated claims. If the claims are updated, the application can do a re-login; I think it is possible without a logout.

    Something like this:

    var principal = new ClaimsPrincipal(...); // build the principal from the updated claims
    await httpContext.SignInAsync(Saml2Constants.AuthenticationScheme, principal,
        new AuthenticationProperties
        {
            IssuedUtc = ...,  // keep the original issue time
            ExpiresUtc = ..., // keep the original expiry so the session is not extended
        });
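A fuller version of that custom re-login, added here as an example and not code from the answerer or from the ITFoxtec project: an endpoint protected by the SAML session cookie compares a version claim in the cookie against the application's own role store and, when they differ, re-issues the cookie with fresh role claims while keeping the original issue and expiry times. `IUserRoleStore`, the `urn:example:claims-version` claim type and the use of `ClaimTypes.NameIdentifier` as the user key are assumptions; only `Saml2Constants.AuthenticationScheme` comes from the page.

```csharp
using System;
using System.Linq;
using System.Security.Claims;
using System.Threading.Tasks;
using ITFoxtec.Identity.Saml2.MvcCore;   // Saml2Constants.AuthenticationScheme
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Mvc;

// Hypothetical application store: the admin UI bumps Version whenever it changes a user's roles.
public interface IUserRoleStore
{
    Task<(int Version, string[] Roles)> GetRolesAsync(string userId);
}

public class ClaimsRefreshController : Controller
{
    private const string VersionClaimType = "urn:example:claims-version"; // assumed custom claim
    private readonly IUserRoleStore _store;
    public ClaimsRefreshController(IUserRoleStore store) => _store = store;
    // Reachable only with a valid SAML session cookie; the client calls it after page loads.
    [Authorize(AuthenticationSchemes = Saml2Constants.AuthenticationScheme)]
    [HttpPost("claims/refresh")]
    public async Task<IActionResult> Refresh()
    {
        // Which claim carries the user id depends on the IdP attribute mapping (assumed here).
        var userId = User.FindFirst(ClaimTypes.NameIdentifier)?.Value;
        if (userId == null) return Unauthorized();
        var (version, roles) = await _store.GetRolesAsync(userId);
        var cookieVersion = int.TryParse(User.FindFirst(VersionClaimType)?.Value, out var v) ? v : -1;
        if (cookieVersion == version) return NoContent(); // cookie already current, nothing to do
        // Keep every claim the IdP asserted; replace only the role and version claims.
        var identity = (ClaimsIdentity)User.Identity;
        var claims = identity.Claims
            .Where(c => c.Type != ClaimTypes.Role && c.Type != VersionClaimType)
            .Concat(roles.Select(r => new Claim(ClaimTypes.Role, r)))
            .Append(new Claim(VersionClaimType, version.ToString()));
        var principal = new ClaimsPrincipal(new ClaimsIdentity(
            claims, identity.AuthenticationType, identity.NameClaimType, identity.RoleClaimType));
        // Re-issue the cookie in place, carrying over the original issue/expiry so a refresh
        // never extends the session beyond what the SAML assertion allowed.
        var current = await HttpContext.AuthenticateAsync(Saml2Constants.AuthenticationScheme);
        var props = new AuthenticationProperties { IssuedUtc = current.Properties?.IssuedUtc ?? DateTimeOffset.UtcNow,
                                                   ExpiresUtc = current.Properties?.ExpiresUtc };
        await HttpContext.SignInAsync(Saml2Constants.AuthenticationScheme, principal, props);
        return NoContent();
    }
}
```

Because the endpoint only ever narrows or rewrites role claims for the already-authenticated user and never touches the IdP-asserted identity claims or the expiry, a stale cookie can be corrected without a logout, and a client that polls it will see the new roles on its next request.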