itfoxtec-identity-saml2

How to update a User Claim on an active SAML Session in .Net Core?


Is it possible to update a User Claim during an active SAML Session without a complete re-login to the application? I want to change a specific claim (activeSite) that we use for authorization in the backend and for filtering in queries. I'm working with a .Net Core API and an Angular/Ionic frontend.

The code we use is from the TestWebAppCoreAngularApi project with a small adaptation: we set some custom user claims.

[Route("AssertionConsumerService")]
public async Task<IActionResult> AssertionConsumerService()
{
  var binding = new Saml2PostBinding();
  var saml2AuthnResponse = new Saml2AuthnResponse(config);

  // Read the SAML response and reject anything that is not a Success status.
  binding.ReadSamlResponse(Request.ToGenericHttpRequest(), saml2AuthnResponse);
  if (saml2AuthnResponse.Status != Saml2StatusCodes.Success)
  {
    throw new AuthenticationException($"SAML Response status: {saml2AuthnResponse.Status}");
  }
  // Validates signature/conditions and unpacks the assertion.
  binding.Unbind(Request.ToGenericHttpRequest(), saml2AuthnResponse);

  var relayStateQuery = binding.GetRelayStateQuery();

  // activeSite is carried through the RelayState; default to "-1" if absent.
  var activeSite = relayStateQuery.ContainsKey(relayStateActiveSite) ? relayStateQuery[relayStateActiveSite] : Url.Content("-1");
  AddCustomClaims(saml2AuthnResponse, Int32.Parse(activeSite));

  // The claims transform runs here, while the session is being created.
  await saml2AuthnResponse.CreateSession(HttpContext, claimsTransform: (claimsPrincipal) => ClaimsTransform.Transform(claimsPrincipal));

  var returnUrl = relayStateQuery.ContainsKey(relayStateReturnUrl) ? relayStateQuery[relayStateReturnUrl] : Url.Content("~/");
  return Redirect(returnUrl);
}

Is it even possible to update that active claim (activeSite) during an active session?
And if so, how can I update the claim in .Net?
I tried something like removing and adding the claim with the new value, but this does not seem to work correctly.

  // Edits only the in-memory identity of the current request.
  var identity = (ClaimsIdentity)User.Identity;
  identity.RemoveClaim(claim);
  identity.AddClaim(claim);

Solution

  • It is NOT possible to change claims after a successful authentication flow. Changing claims requires a re-login.

    However, it is possible to change claims after user login within the authentication flow by calling ClaimsTransform.Transform in the ClaimsTransform class.
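To illustrate the answer, an added example (not code from the question or from the ITfoxtec project) of a ClaimsTransform that sets activeSite while the session is being created, and of an action that changes it by running the login flow again with a new RelayState. The allowedSites claim, the site check and the config/field names are assumptions.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Security.Claims;
using ITfoxtec.Identity.Saml2;
using ITfoxtec.Identity.Saml2.MvcCore;

// Runs inside CreateSession(..., claimsTransform: ...). The principal it returns
// is what gets persisted for the session, so this is the point where activeSite
// must be set; RemoveClaim/AddClaim on User.Identity later does not reach it.
public static class ClaimsTransform
{
    public const string ActiveSiteClaimType = "activeSite";
    // Assumed claim (e.g. asserted by the IdP) listing the sites a user may pick.
    public const string AllowedSitesClaimType = "allowedSites";

    public static ClaimsPrincipal Transform(ClaimsPrincipal incoming, string requestedSite)
    {
        var source = (ClaimsIdentity)incoming.Identity;
        // Build a fresh identity rather than mutating the one the library passed in.
        var identity = new ClaimsIdentity(
            source.Claims.Where(c => c.Type != ActiveSiteClaimType),
            source.AuthenticationType, ClaimTypes.NameIdentifier, ClaimTypes.Role);

        // RelayState round-trips through the browser, so the requested site is
        // client-controlled; only accept it if the asserted allowed list has it.
        var allowed = (source.FindFirst(AllowedSitesClaimType)?.Value ?? string.Empty)
            .Split(',', StringSplitOptions.RemoveEmptyEntries);
        if (!int.TryParse(requestedSite, out var site) || !allowed.Contains(site.ToString()))
        {
            site = -1; // same default the ACS action uses when no site is given
        }
        identity.AddClaim(new Claim(ActiveSiteClaimType, site.ToString()));
        return new ClaimsPrincipal(identity);
    }
}

// Controller fragment (assumes the question's `config` and relayState* fields).
// Switching site means a new login round trip whose RelayState carries the site;
// the ACS action then calls ClaimsTransform.Transform(p, activeSite).
public partial class AuthController
{
    [Route("SwitchSite/{site}")]
    public IActionResult SwitchSite(string site)
    {
        var binding = new Saml2RedirectBinding();
        binding.SetRelayStateQuery(new Dictionary<string, string>
        {
            { relayStateActiveSite, site },
            { relayStateReturnUrl, Url.Content("~/") }
        });
        return binding.Bind(new Saml2AuthnRequest(config)).ToActionResult();
    }
}
```

In the ACS action from the question, the call becomes `CreateSession(HttpContext, claimsTransform: p => ClaimsTransform.Transform(p, activeSite))`.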