We are using Sustainsys middleware with .NET Core to connect to an SAML2 IDP. It works well.
However, when we add more than one IDP in the Startup.cs we get in trouble. The user will select which IDP to login to and then the code should send a challenge to that IDP.
How do we specify which IDP in the code?
Using standard .NET Framework it is straightforward:
Context.GetOwinContext().Environment.Add("saml2.idp", new Entity(IDP2EntityId));
but there is no such construct in the .NET Core middleware.
Here is my code. Basically I add two IDPs during startup, but I don't know how to specify which one to use during login/challenge. With this code IDP-1 is always selected because it was the first one added.
STARTUP.CS
public void ConfigureServices(IServiceCollection services)
{
    var authenticationBuilder = GetAuthenticationBuilder(services);
    string authenticationScheme = "saml2.idp";
    authenticationBuilder.AddSaml2(authenticationScheme, options =>
    {
        options.SPOptions = GetSPOptions();
        // Add IDP-1
        options.IdentityProviders.Add(
            new IdentityProvider(new EntityId(IDPEntityUrl1), options.SPOptions)
            {
                MetadataLocation = IDPMetadataUrl1
            });
        // Add IDP-2
        options.IdentityProviders.Add(
            new IdentityProvider(new EntityId(IDPEntityUrl2), options.SPOptions)
            {
                MetadataLocation = IDPMetadataUrl2
            });
    });
}
LOGINCONTROLLER.CS
string saml2AuthenticationScheme = "saml2.idp";
var props = new AuthenticationProperties
{
    RedirectUri = returnUrl,
    Items = { { "scheme", saml2AuthenticationScheme } }
};
return Challenge(properties: props, saml2AuthenticationScheme);
How do I specify which IDP to use in the LoginController?
I found the solution. We studied the Sustainsys code and found the undocumented (?) feature to specify the IDP in the AuthenticationProperties.Items with an "idp" item. Like this:
LoginController.cs
string saml2AuthenticationScheme = "saml2.idp";
var props = new AuthenticationProperties
{
    RedirectUri = returnUrl,
    Items = { { "scheme", saml2AuthenticationScheme }, { "idp", theSelectedIDPIdentityId } }
};
return Challenge(properties: props, saml2AuthenticationScheme);
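An added example, not from the question, the answer or the Sustainsys project, of a login action built on the "idp" item above: it checks the user-selected entity id against the providers registered in Startup before issuing the challenge, so a typo or tampered query string gets a 400 instead of being forwarded. It assumes the scheme name "saml2.idp" from the question and that Saml2Options is resolvable through IOptionsMonitor<Saml2Options>.Get(scheme), which is how the middleware registers its per-scheme options.

```csharp
using System.Linq;
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Extensions.Options;
using Sustainsys.Saml2.AspNetCore2;

public class LoginController : Controller
{
    private const string Saml2Scheme = "saml2.idp"; // same name as passed to AddSaml2 in Startup

    private readonly IOptionsMonitor<Saml2Options> _saml2Options;

    public LoginController(IOptionsMonitor<Saml2Options> saml2Options)
    {
        _saml2Options = saml2Options;
    }

    // GET /Login/Saml2?idp=<entity id chosen by the user>&returnUrl=/
    [HttpGet]
    public IActionResult Saml2(string idp, string returnUrl = "/")
    {
        // Options for the named scheme (assumption: registered by AddSaml2 under Saml2Scheme).
        var options = _saml2Options.Get(Saml2Scheme);

        // Allow-list: only entity ids added to options.IdentityProviders at startup are accepted.
        var knownEntityIds = options.IdentityProviders.KnownIdentityProviders
            .Select(p => p.EntityId.Id)
            .ToList();

        if (string.IsNullOrEmpty(idp) || !knownEntityIds.Contains(idp))
        {
            return BadRequest("Unknown identity provider.");
        }

        // Do not let the client steer the post-login redirect to an external URL.
        if (!Url.IsLocalUrl(returnUrl))
        {
            returnUrl = "/";
        }

        var props = new AuthenticationProperties
        {
            RedirectUri = returnUrl,
            // "scheme" mirrors the question's code; "idp" is what the Saml2 handler reads
            // to pick the identity provider for this challenge.
            Items = { { "scheme", Saml2Scheme }, { "idp", idp } }
        };
        return Challenge(props, Saml2Scheme);
    }
}
```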