I'm struggling to find the cause of this behavior. I have a simple MVC application with the SustainSys package configured. I've tried configuring it for both our internal SecureAuth server and also the https://stubidp.sustainsys.com test server.
It all works on localhost and when it's the root application of our internal IIS server.
When I place it in an IIS sub-application folder, it redirects to the SSO server login and comes back to the ~/Saml2/Acs route with the authentication info (I see it in Fiddler2), but the Acs doesn't seem to process it at that point; I remain unauthenticated, so it heads back to the login page and I start looping.
I'm aware of sub-app web.config inheritance, so I've even removed the web.config from the root so nothing is conflicting with the one in the sub-app. I've played with the returnUrl parameter to no effect (with or without the subdirectory included).
The applications in IIS (root and sub-app) are configured the same for authentication.
I'm running out of ideas to test. Anyone have any thoughts?
<sustainsys.saml2 entityId="https://apps.xxxxx.com" returnUrl="https://apps.xxxxx.com/yyyyy">
  <identityProviders>
    <add entityId="https://sso.xxxxx.com/SecureAuthXX" signOnUrl="https://sso.xxxxx.com/SecureAuthXX" allowUnsolicitedAuthnResponse="true" binding="HttpRedirect">
      <signingCertificate fileName="~/App_Data/SecureAuth03VM.xxxxx.com.cer" />
    </add>
  </identityProviders>
  <federations>
    <add metadataLocation="https://apps.xxxxx.com/Federation" allowUnsolicitedAuthnResponse="true" />
  </federations>
</sustainsys.saml2>
<system.identityModel.services>
  <federationConfiguration>
    <cookieHandler requireSsl="true" name="CookieAuth" />
  </federationConfiguration>
</system.identityModel.services>
I solved the problem and I wanted to post what fixed it as maybe it might help someone else one day.
The issue was not with the SAML response or the Sustainsys library, but rather an attribute missing from the web.config. After adding path="/" to the cookieHandler element in the federation configuration (see below), it began persisting the authorization state in the System.Security.Principal and now works perfectly in the root application as well as all sub-applications.
<system.identityModel.services>
  <federationConfiguration>
    <cookieHandler requireSsl="true" name="FedAuth" path="/" />
  </federationConfiguration>
</system.identityModel.services>
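The fix above works because of how a browser scopes cookies by path: a session cookie is only sent back on requests whose path "path-matches" the cookie's Path attribute (RFC 6265, section 5.1.4), and a Secure cookie is only sent over https. The script below is an added example, not code from the post or from Sustainsys/WIF; it models those two browser rules for the host and sub-application path taken from the question's config (apps.xxxxx.com, /yyyyy) and shows which requests receive the FedAuth cookie for three Path settings. The Set-Cookie header, the request URLs and the "no Path attribute" case are constructed for illustration; what the WIF cookie handler actually emits as a default Path when none is configured is an assumption this example does not establish.

```python
from urllib.parse import urlsplit

# Constructed Set-Cookie line, as the ACS endpoint might emit it (not captured from the post).
FEDAUTH_BASE = "FedAuth=opaque-session-token; Secure; HttpOnly"
# Constructed from the question's config: sub-app /yyyyy on apps.xxxxx.com, ACS at ~/Saml2/Acs.
ACS_URL = "https://apps.xxxxx.com/yyyyy/Saml2/Acs"
REQUEST_URLS = [
    "https://apps.xxxxx.com/yyyyy/",            # sub-app root after the ACS redirect
    "https://apps.xxxxx.com/yyyyy/Home/Index",  # a page inside the sub-app
    "https://apps.xxxxx.com/",                  # the root application
    "http://apps.xxxxx.com/yyyyy/Home/Index",   # plain http: Secure cookie must not be sent
]


def default_path(request_path: str) -> str:
    """RFC 6265 5.1.4 default-path: request path up to, not including, its
    rightmost '/', or '/' when that would leave nothing."""
    if not request_path.startswith("/") or request_path.count("/") == 1:
        return "/"
    return request_path[: request_path.rfind("/")]


def path_matches(request_path: str, cookie_path: str) -> bool:
    """RFC 6265 5.1.4 path-match."""
    if request_path == cookie_path:
        return True
    if request_path.startswith(cookie_path):
        if cookie_path.endswith("/"):
            return True
        if request_path[len(cookie_path)] == "/":
            return True
    return False


def parse_set_cookie(header: str):
    """Split 'name=value; Attr; Attr=val' into (name, value, {attr_lower: val})."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value, attrs


def cookie_sent_to(set_cookie: str, set_on_url: str, request_url: str) -> bool:
    """Would a browser that stored set_cookie from set_on_url attach it to request_url?"""
    _, _, attrs = parse_set_cookie(set_cookie)
    origin, req = urlsplit(set_on_url), urlsplit(request_url)
    if origin.hostname != req.hostname:      # no Domain attribute: host-only cookie
        return False
    if "secure" in attrs and req.scheme != "https":
        return False
    cookie_path = attrs.get("path", "")
    if not cookie_path.startswith("/"):      # absent or malformed Path -> default-path
        cookie_path = default_path(origin.path or "/")
    return path_matches(req.path or "/", cookie_path)


def sent_with_path(path_attr):
    """Map each request URL to whether FedAuth is sent, for a given Path attribute
    (None = no Path attribute at all)."""
    header = FEDAUTH_BASE + (f"; Path={path_attr}" if path_attr else "")
    return {url: cookie_sent_to(header, ACS_URL, url) for url in REQUEST_URLS}


if __name__ == "__main__":
    for path_attr in (None, "/yyyyy", "/"):
        print(f"Path={path_attr!r}")
        for url, sent in sent_with_path(path_attr).items():
            print(f"  {'sent    ' if sent else 'NOT sent'} {url}")
```

With no Path attribute the browser scopes the cookie to /yyyyy/Saml2, so the very next request to /yyyyy/Home/Index arrives without it and the module starts a new sign-on: the loop described in the question. Path=/yyyyy covers the sub-application and nothing else; Path=/ covers every application on apps.xxxxx.com, which is what the accepted fix relies on and also means every other sub-app on that host now receives the FedAuth cookie, so use it only where all of them are trusted with that session. The http request never gets the cookie in any case because requireSsl="true" marks it Secure.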