I have the following property:
IDP: Azure
Service Provider: .Net core 6
Client: Vue 3
and following code:
var samlConfiguration = GetConfiguration<SamlConfiguration>(configuration);
serviceCollection.AddAuthentication(options =>
{
options.DefaultScheme = CookieAuthenticationDefaults.AuthenticationScheme;
options.DefaultSignInScheme = CookieAuthenticationDefaults.AuthenticationScheme;
options.DefaultChallengeScheme = Saml2Defaults.Scheme;
})
.AddCookie()
.AddSaml2(Saml2Defaults.Scheme, options =>
{
options.SPOptions.EntityId = new EntityId(samlConfiguration.ServiceProviderEntityId);
options.SPOptions.ReturnUrl = new Uri(samlConfiguration.AssertionConsumerServiceUrl);
options.SPOptions.PublicOrigin = new Uri(samlConfiguration.PublishOrigin);
var idp = new IdentityProvider(new EntityId(samlConfiguration.IdentityProviderEntityId),
options.SPOptions)
{
LoadMetadata = true,
AllowUnsolicitedAuthnResponse = true,
MetadataLocation = samlConfiguration.MetadataLocation
};
options.IdentityProviders.Add(idp);
});
[Route("[controller]")]
[ApiController]
public class Saml2Controller : ControllerBase
{
private readonly SamlConfiguration _samlConfiguration;
private readonly ILogger<Saml2Controller> _logger;
public Saml2Controller(IOptions<SamlConfiguration> options, ILogger<Saml2Controller> logger)
{
_logger = logger;
_samlConfiguration = options.Value;
}
[HttpGet]
public IActionResult Initiate()
{
var authenticationProperties = new AuthenticationProperties
{
RedirectUri = _samlConfiguration.RedirectUri,
};
return Challenge(authenticationProperties, Saml2Defaults.Scheme);
}
[HttpPost("Acs")]
public async Task AssertionConsumerService()
{
try
{
_logger.LogInformation("-------begin AssertionConsumerService-------");
var result = await HttpContext.AuthenticateAsync(Saml2Defaults.Scheme);
if (!result.Succeeded)
{
throw new Exception("SAML authentication failed.");
}
_logger.LogInformation("-------set claims-------");
var claims = new List<Claim>();
claims.AddRange(result.Principal.Claims);
_logger.LogInformation("-------create ClaimsIdentity-------");
var identity = new ClaimsIdentity(claims, "saml");
var principal = new ClaimsPrincipal(identity);
_logger.LogInformation("-------begin SignIn-------");
await HttpContext.SignInAsync(principal);
_logger.LogInformation("-------end SignIn-------");
}
catch (Exception exception)
{
_logger.LogError("in {@className}\n--Exception: {@exception}\n--StackTrace: {@stackTrace}",
nameof(Saml2Controller), exception.Message, exception.StackTrace);
}
}
[HttpGet("logout")]
public IActionResult Logout()
{
HttpContext.SignOutAsync(Saml2Defaults.Scheme).Wait();
return Redirect("/");
}
}
The Saml Configuration is as follows:
"SamlConfiguration": {
"ServiceProviderEntityId": "https://sp.example.com/Saml2",
"IdentityProviderEntityId": "https://sts.windows.net/{tenantId}/",
"SingleSignOnServiceUrl": "https://login.microsoftonline.com/{tenantId}/Saml2",
"AssertionConsumerServiceUrl": "https://sp.example.com/Saml2/Acs",
"MetadataLocation": "https://login.microsoftonline.com/{tenantId}/federationmetadata/2007-06/federationmetadata.xml?appid={appId}",
"PublishOrigin": "https://sp.example.com",
"RedirectUri": "https://vue3.example.com"
}
When client reach to 401 then redirect to "https://sp.example.com/Saml2" and then Service Provider redirect to iDP and after login returns to "https://sp.example.com/Saml2/Acs" and finally we need to pass the Saml Response to Client and Client prosses that response.
My Problem is route "Saml2/Acs" is reserved for Sustainsys.saml2 library because we get the 404 Error when we call that route ("Saml2/Acs") via Postman or manually.
What can be do to solve this issue?
Your design is wrong. The server side application processes the Saml response and stores the resulting identity in a cookie (by calling SignInAsync on the configured authentication scheme). The recommendation for javascript applications is to use a backend for frontend pattern where the session is handled on the server side, see https://datatracker.ietf.org/doc/html/draft-ietf-oauth-browser-based-apps