Tags: asp.net-core, saml-2.0, itfoxtec-identity-saml2

SAML Service Provider redirects to IDP login page


I'm trying to build an IdP using ITfoxtec. From the Service Provider's site, it generates SAML requests and redirects them to the IdP. Now I'm on the IdP's login page, but I'm trying to understand how the ITfoxtec code works.

[Route("Login")]
public IActionResult Login()
{
    var requestBinding = new Saml2RedirectBinding();
    var relyingParty = ValidateRelyingParty(ReadRelyingPartyFromLoginRequest(requestBinding));

    var saml2AuthnRequest = new Saml2AuthnRequest(config);
    try
    {
        requestBinding.Unbind(Request.ToGenericHttpRequest(), saml2AuthnRequest);

        // ****  Handle user login e.g. in GUI ****
        // Test user with session index and claims
        var sessionIndex = Guid.NewGuid().ToString();
        var claims = CreateTestUserClaims(saml2AuthnRequest.Subject?.NameID?.ID);
        var response = LoginResponse(saml2AuthnRequest.Id, Saml2StatusCodes.Success, requestBinding.RelayState, relyingParty, sessionIndex, claims);

        return response;
    }
    catch (Exception exc)
    {
#if DEBUG
        Debug.WriteLine($"Saml 2.0 Authn Request error: {exc.ToString()}\nSaml Auth Request: '{saml2AuthnRequest.XmlDocument?.OuterXml}'\nQuery String: {Request.QueryString}");
#endif
        return LoginResponse(saml2AuthnRequest.Id, Saml2StatusCodes.Responder, requestBinding.RelayState, relyingParty);
    }
}

How come this Login() method receives a SAML request from the SP and returns a SAML response right away in one method? When the SP redirects to the IdP, I'm expecting to land on the IdP's login page with username/password fields that authenticate against my own database, and then return the SAML response to the SP if successful.

Please let me know if I'm misunderstanding the concept or guide me on how to implement this.


Solution

  • You are correct about the flow and that the SAML 2.0 Authn Response is generated right away. You need to implement the login dialog and username/password validation yourself, as you can see in my comment // **** Handle user login e.g. in GUI ****.

    Meaning that you need to cut the Login method in half. After the first half of the Login method you need to start some kind of sequence inside the IdP where the user is authenticated. And then return to the second half of the Login method which issues the SAML 2.0 Authn Response.
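One way to cut the method in half, as an added example that is not part of the answer or of the ITfoxtec sample: the first half unbinds and validates the AuthnRequest, parks the few values the response will need in the server-side session, and renders a password form; the second half runs only after the password check and issues the response for the parked request. The helpers `ValidateRelyingParty`, `ReadRelyingPartyFromLoginRequest`, `LoginResponse` and the `RelyingParty` type are assumed to exist unchanged from the sample IdP the question quotes; `IUserStore`, `PendingLogin` and the `Credentials` view are hypothetical names introduced here.

```csharp
// Added example, not ITfoxtec's sample code. Assumes the sample's helpers
// (ValidateRelyingParty(string issuer) -> RelyingParty, LoginResponse(...), config)
// exist in this controller; IUserStore and PendingLogin are hypothetical.
using System;
using System.Collections.Generic;
using System.Security.Claims;
using System.Text.Json;
using ITfoxtec.Identity.Saml2;
using ITfoxtec.Identity.Saml2.MvcCore;
using ITfoxtec.Identity.Saml2.Schemas;
using Microsoft.AspNetCore.Http;
using Microsoft.AspNetCore.Mvc;
using Microsoft.IdentityModel.Tokens.Saml2;

// Only what the second half needs: request id (for InResponseTo), RelayState,
// the relying party's issuer (re-validated later), and when it was parked.
public record PendingLogin(string RequestId, string RelayState, string RelyingPartyIssuer, DateTimeOffset ParkedAt);

public interface IUserStore   // hypothetical: backed by your own user database
{
    bool ValidatePassword(string username, string password);
    IEnumerable<Claim> GetClaims(string username);
}

public partial class AuthController : Controller
{
    const string PendingKey = "saml2.pending";                    // session slot for the parked request
    static readonly TimeSpan PendingLifetime = TimeSpan.FromMinutes(5);
    readonly Saml2Configuration config;
    readonly IUserStore users;

    public AuthController(Saml2Configuration config, IUserStore users) { this.config = config; this.users = users; }

    // First half: receive, validate and park the AuthnRequest, then show the login form.
    [HttpGet("Login")]
    public IActionResult Login()
    {
        var requestBinding = new Saml2RedirectBinding();
        var relyingParty = ValidateRelyingParty(ReadRelyingPartyFromLoginRequest(requestBinding));
        var saml2AuthnRequest = new Saml2AuthnRequest(config);
        try
        {
            // Unbind decodes the request and checks its signature according to config.
            requestBinding.Unbind(Request.ToGenericHttpRequest(), saml2AuthnRequest);
        }
        catch (Exception)
        {
            // Same behaviour as the sample: answer a malformed request with a Responder status.
            return LoginResponse(saml2AuthnRequest.Id, Saml2StatusCodes.Responder, requestBinding.RelayState, relyingParty);
        }

        var pending = new PendingLogin(saml2AuthnRequest.Id.Value, requestBinding.RelayState, relyingParty.Issuer, DateTimeOffset.UtcNow);
        HttpContext.Session.SetString(PendingKey, JsonSerializer.Serialize(pending));
        return View("Credentials");   // hypothetical view: username/password form posting to Credentials
    }

    // Second half: check the password against your own store, then issue the response
    // for the parked request. Nothing here trusts any value coming from the form except
    // the credentials themselves; request id and RelayState come from the session.
    [HttpPost("Credentials"), ValidateAntiForgeryToken]
    public IActionResult Credentials(string username, string password)
    {
        var json = HttpContext.Session.GetString(PendingKey);
        if (json is null) return BadRequest("No pending SAML request in this session.");
        var pending = JsonSerializer.Deserialize<PendingLogin>(json)!;
        var relyingParty = ValidateRelyingParty(pending.RelyingPartyIssuer);

        if (DateTimeOffset.UtcNow - pending.ParkedAt > PendingLifetime)
        {
            // Stale request: tell the SP to start over rather than issuing a late assertion.
            HttpContext.Session.Remove(PendingKey);
            return LoginResponse(new Saml2Id(pending.RequestId), Saml2StatusCodes.Responder, pending.RelayState, relyingParty);
        }

        if (!users.ValidatePassword(username, password))
        {
            ModelState.AddModelError(string.Empty, "Invalid username or password.");
            return View("Credentials");   // parked request stays in the session for a retry
        }

        HttpContext.Session.Remove(PendingKey);   // exactly one response per parked request
        var sessionIndex = Guid.NewGuid().ToString();
        return LoginResponse(new Saml2Id(pending.RequestId), Saml2StatusCodes.Success,
                             pending.RelayState, relyingParty, sessionIndex, users.GetClaims(username));
    }
}
```

Because the parked request lives in the server-side session rather than in a hidden form field, the response for a given AuthnRequest can only be issued to the browser that presented it, and the RelayState and InResponseTo values the SP will check are never exposed to, or editable from, the login form. ASP.NET Core session state has to be enabled (`AddSession`/`UseSession`) with a secure, same-site session cookie for this to work, and the parked entry is removed as soon as a final response is sent so a second POST cannot replay it.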