Search code examples
c#.netsingle-sign-onsaml-2.0itfoxtec-identity-saml2

Handling authentication without a cookie

Our team is using Itfoxtec as the saml2 handler in our SP as follows:

  1. A client clicks on the link of the login API.
  2. The API redirects the user to the IdP login page.
  3. On successful login, The API gets a SAML2 response to the ASC route.
  4. We fetch the claims from the response.
  5. If the user is good to go, we generate a JWT token to be used in next requests to other services using the Authorization header, otherwise we send unauthorized response.

Here is the configuration of the handler:

builder.Services
.AddAuthentication("saml2")    
.AddCookie("saml2", cookieAuthenticationOptions =>
{
    cookieAuthenticationOptions.SlidingExpiration = true;
    cookieAuthenticationOptions.LoginPath = new PathString("/saml/request");
    cookieAuthenticationOptions.Cookie.SameSite = SameSiteMode.None;
    cookieAuthenticationOptions.Cookie.SecurePolicy = CookieSecurePolicy.Always;
    Task UnAuthorizedResponse(RedirectContext<CookieAuthenticationOptions> context) =>
        Task.FromResult(context.Response.StatusCode = (int)HttpStatusCode.Unauthorized);
    cookieAuthenticationOptions.Events.OnRedirectToAccessDenied = UnAuthorizedResponse;
    cookieAuthenticationOptions.Events.OnRedirectToLogin = UnAuthorizedResponse;
});

As we can see that the use of Itfoxtec is done in the initial login process only, where the user either gets unauthorized response, or gets JWT token and no additional calls to the SP is done.

Note that when I remove the Cookie related configurations, I get an exception thrown while fetching the claims and creating a session on the following line:

customClaims = await saml2AuthnResponse.CreateSession(HttpContext, claimsTransform: GetCustomClaimsPrincipal);

Our question is, is there any way else to use the Itfoxtec as a SAML2 handler but without using Cookies?

Solution

  • You do not need to use session cookies. If you do not use session cookies you should not call the CreateSession method which create the cookie based .NET session.

    The SAML 2.0 Authn request is validated in the Unbind method and you can thereafter safely read the users claims in saml2AuthnResponse.ClaimsIdentity.Claims.

    FoxIDs use the ITfoxtec Identity SAML 2.0 component without using the cookie based .NET session, you can see how the SAML 2.0 Authn request is validated in the AuthnResponseAsync method.