I'm trying to set up a client which is IdP initiated, and our application is using the Sustainsys framework for all the SAML setup in our IdentityServer3. I'm using this article as reference: Idp initiated using Sustainsys
Here are some code snippets of my current implementation:
    // The IdentityProvider constructor takes the SPOptions, not the whole
    // Saml2AuthenticationOptions, so the SPOptions are pulled out of the options object.
    var samlIdp = new Sustainsys.Saml2.IdentityProvider(new EntityId("https://<Client's IDP>"), saml2Options().SPOptions)
    {
        MetadataLocation = "https://<client metadata>",
        LoadMetadata = true,
        // Required for IdP-initiated sign-on: the IdP sends a response without a preceding request.
        AllowUnsolicitedAuthnResponse = true
    };

    private Saml2AuthenticationOptions saml2Options()
    {
        // My ClientId is, for example, "okta" if I'm setting up Okta.
        var spOptions = new SPOptions
        {
            ModulePath = "/<ClientId>",
            EntityId = new EntityId("https://<My identity app>/<Client Id>"),
            ReturnUrl = new Uri("https://<my Identity app>/idpinitiated?idp=<ClientId>")
        };
        return new Saml2AuthenticationOptions(false)
        {
            SPOptions = spOptions,
            AuthenticationType = "<ClientId>",
            Caption = "<ClientId>"
        };
    }
Problems I'm having are:
I'm very very new working with this so any help will be very very appreciated. Thanks
IdentityServer3 does not support IdP-initiated sign-on. There's a workaround for making IdSrv3 support it: handle the AcsCommandResultCreated
event (using the Sustainsys SAML framework).
    private void AcsCommandResultCreated(CommandResult commandResult, Saml2Response saml2Response)
    {
        var httpContext = _httpContextAccessor.HttpContext;
        var target = httpContext.Request.Query["target"].SingleOrDefault();
        if (!string.IsNullOrEmpty(target))
        {
            // Avoid an open redirect. Note that on a shared host with multiple applications running
            // in different subdirectories this check is not enough.
            var targetUri = new Uri(target, UriKind.Relative);
            // A protocol relative url is relative, but can still redirect to another host. Block it.
            if (target.StartsWith("//"))
            {
                throw new InvalidOperationException("Protocol relative URLs are not allowed.");
            }
            commandResult.Location = targetUri;
        }
    }
Full sample: https://github.com/Sustainsys/AspNetcoreIdpInitiated
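The answer's own comment notes that the relative-URI check is not enough on a shared host. As an added example (not code from the answer or from the Sustainsys sample), here is a stricter validator for the `target` query value and the matching event hook; `AppBasePath` and the class name are assumptions for illustration.

```csharp
using System;
using System.Linq;
using Microsoft.AspNetCore.Http;
using Sustainsys.Saml2.Saml2P;
using Sustainsys.Saml2.WebSso;

public static class IdpInitiatedTarget
{
    // Hypothetical: the path prefix this application is mounted under on the shared host.
    private const string AppBasePath = "/myapp/";

    // Returns a relative Uri rooted inside this application, or null when the value must be ignored.
    public static Uri TryParseSafeTarget(string target)
    {
        if (string.IsNullOrWhiteSpace(target)) return null;

        // Absolute URLs ("https://other.example/...") leave the site entirely.
        if (Uri.TryCreate(target, UriKind.Absolute, out _)) return null;

        // Protocol-relative ("//other.example") and backslash variants ("/\other.example")
        // are parsed as relative by Uri but resolved to another host by browsers.
        if (target.StartsWith("//") || target.StartsWith("/\\") || target.StartsWith("\\")) return null;

        // Pin the target under this application's own prefix so a neighbouring
        // application on the same host cannot be used as the landing page.
        if (!target.StartsWith(AppBasePath, StringComparison.Ordinal)) return null;

        // Reject traversal segments that could escape the prefix after normalisation.
        if (target.Split('/', '\\').Any(segment => segment == "..")) return null;

        return Uri.TryCreate(target, UriKind.Relative, out var uri) ? uri : null;
    }

    // Wire this as options.Notifications.AcsCommandResultCreated in place of the handler above.
    public static void OnAcsCommandResultCreated(
        IHttpContextAccessor accessor, CommandResult commandResult, Saml2Response saml2Response)
    {
        var target = accessor.HttpContext.Request.Query["target"].SingleOrDefault();
        var safeTarget = TryParseSafeTarget(target);
        if (safeTarget != null)
        {
            commandResult.Location = safeTarget;
        }
        // Otherwise keep the library's default Location (the configured ReturnUrl).
    }
}
```

With this validator, `/myapp/dashboard` is accepted while `//other.example`, `https://other.example/`, `/otherapp/` and `/myapp/../otherapp/` all fall back to the default ReturnUrl.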