Tags: c#, .net-core, saml-2.0, asp.net-core-3.1, itfoxtec-identity-saml2

How can I watch a package called ITFoxTec and figure out how it's being called?


I am using a wonderfully clean and simple .Net SAML package called ITFoxTec.

It works great, but my problem is, I have no idea how it's working.

When I added the library to my project, I added the following to the ConfigureServices section of my Startup.cs code file:

    // Bind the static SAML settings from the "Saml2" section of appsettings.json.
    services.Configure<Saml2Configuration>(Configuration.GetSection("Saml2"));

    // Complete the configuration from the IdP metadata document.
    services.Configure<Saml2Configuration>(saml2Configuration =>
    {
        var entityDescriptor = new EntityDescriptor();
        entityDescriptor.ReadIdPSsoDescriptorFromUrl(new Uri(Configuration["Saml2:IdPMetadata"]));
        if (entityDescriptor.IdPSsoDescriptor != null)
        {
            saml2Configuration.AllowedIssuer = entityDescriptor.EntityId;
            saml2Configuration.SingleSignOnDestination = entityDescriptor.IdPSsoDescriptor.SingleSignOnServices.First().Location;
        }
        else
        {
            throw new Exception("IdPSsoDescriptor not loaded from metadata.");
        }
    });

    // Register the ITfoxtec SAML 2.0 services.
    services.AddSaml2();

Then I added an AuthController.cs class that I found on the ITFoxTec site.

It works great but I have no idea how it's working.

I stepped through the project in Visual Studio, and it somehow goes to the Login route ([Route("Login")]) in the AuthController.

Then it automatically takes me to the URL I set for SingleSignOnDestination in my appSettings.json file.

But I can't figure out how it gets there.

The reason I'm asking is because I don't want it to automatically go there when the user hits the site; I only want it to go there if the user presses a LOGIN button.

Could anyone help?

Thanks!


Solution

> it automatically takes me to the URL I set for SingleSignOnDestination in my appSettings.json file.
>
> But I can't figure out how it gets there.
>
> The reason I'm asking is because I don't want it to automatically go there when the user hits the site; I only want it to go there if the user presses a LOGIN button.

There are different ways to handle this, but I expect in your app it's through attributes. Look in your controllers, and if a controller has the [Authorize] attribute it will require the user to be logged in before they can continue. If you want to allow anonymous access to certain areas, you can remove the [Authorize] attribute from those areas. You should also be aware of the [AllowAnonymous] attribute, which can be used on individual actions within an authenticated controller.
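How the two attributes from the answer fit together, as an added example that is not part of the original answer or of the ITfoxtec samples. HomeController, Index, StartLogin and Reports are hypothetical names, and the example assumes the app's default authentication scheme answers a challenge by redirecting to the Login route, as the question describes.

```csharp
// Added example: hypothetical controller, not code from the question or from ITfoxtec.
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Mvc;

[Authorize] // Default for every action below: unauthenticated requests are challenged.
public class HomeController : Controller
{
    // Landing page: opted out of the controller-level [Authorize], so simply
    // visiting the site no longer starts the redirect to the IdP.
    [AllowAnonymous]
    public IActionResult Index() => View();

    // Target of the LOGIN button (a form POST that carries an antiforgery token).
    // Challenge() starts the same flow that [Authorize] starts implicitly,
    // but only when the user asks for it.
    [AllowAnonymous]
    [HttpPost]
    [ValidateAntiForgeryToken]
    public IActionResult StartLogin(string returnUrl = null)
    {
        // Accept only local return URLs so the login flow cannot be used
        // as an open redirect; anything else falls back to the site root.
        var target = Url.IsLocalUrl(returnUrl) ? returnUrl : Url.Content("~/");

        if (User.Identity.IsAuthenticated)
        {
            return LocalRedirect(target);
        }

        // Assumption: the default scheme handles the challenge by sending
        // the browser to the Login route, which then redirects to the IdP.
        return Challenge(new AuthenticationProperties { RedirectUri = target });
    }

    // No [AllowAnonymous]: still requires a signed-in user.
    public IActionResult Reports() => View();
}
```

If no controller carries [Authorize], check Startup.cs for a global authorization filter or a fallback policy, which has the same effect on every route.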