ComponentSpace

Forums



SP initiated login via IdentityServer4 Integration returning to wrong page after SAML authentication...

scotru
New Member

Group: Forum Members
Posts: 6, Visits: 19
Greetings,

I have followed the instructions here for setting up ComponentSpace with IdentityServer using the ServiceStack IdentityServer4 demo as a base. The ServiceStack demo works fine for authentication, including with external providers such as Google, and most of the SAML authentication also works fine. I am testing it with ComponentSpace SAML, using the ComponentSpace ExampleIdentityProvider to test against.

Clicking on the "SAML" button on the external providers page takes me to the IdP login page and I'm able to log in. The logs show that the SAML authentication was successful.


2019-06-13 22:07:24.113 -07:00 [DBG] The SAML assertion has passed all security checks.
2019-06-13 22:07:24.113 -07:00 [DBG] The name identifier from the SAML assertion is: [email protected]
2019-06-13 22:07:24.113 -07:00 [DBG] SSO session state for saml-session-0e64442a-98c6-44a4-b6f8-088178b60672-SamlState is being saved to the distributed cache.
2019-06-13 22:07:24.113 -07:00 [DBG] SAML session state (0e64442a-98c6-44a4-b6f8-088178b60672):
SP state:
SSO session state:
Partner name: https://ExampleIdentityProvider
Name ID: <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">[email protected]</saml:NameID>
Session index: _ada27727-fc95-4d18-8539-06226f3dca2f

2019-06-13 22:07:24.113 -07:00 [DBG] An SSO response from the partner identity provider https://ExampleIdentityProvider has been successfully received.
2019-06-13 22:07:24.113 -07:00 [DBG] The SAML authentication handler is signing in [email protected].
2019-06-13 22:07:24.114 -07:00 [INF] AuthenticationScheme: idsrv.external signed in.

However, instead of being redirected back to my application after login, I then get a 404 when redirected to the following page: http://localhost:5000/Identity/Account/ExternalLogin?handler=Callback

The URL of the IdentityServer4 login page contained:
ReturnUrl=/connect/authorize/callback?client_id=mvc
&redirect_uri=http://localhost:5002/signin-oidc

The URL of the ExampleIdentityProvider page was:
https://localhost:44313/Identity/Account/Login?ReturnUrl=/Saml/SingleSignOnServiceCompletion

I can't figure out what I'm doing wrong here. Any help much appreciated.

Thanks!


ComponentSpace
ComponentSpace Development

Group: Administrators
Posts: 3.2K, Visits: 11K
By default the SAML authentication handler redirects to "/Identity/Account/ExternalLogin?handler=Callback" after SSO has completed and the user has been signed in. This works well if you're using Microsoft Identity.
You can change this value by setting the SamlAuthenticationOptions.LoginCompletionUrl. For example:


services.AddAuthentication().AddSaml(options =>
{
  options.LoginCompletionUrl = (relayState) => "put the return URL here";
});


If your application is initiating the challenge/SSO, you have the option of specifying an AuthenticationProperties.RedirectUri which will be used instead of the LoginCompletionUrl.

Regards
ComponentSpace Development
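The two mechanisms described in the reply above, side by side, as an added example that is not code from ComponentSpace or from the IdentityServer4 QuickStart: the LoginCompletionUrl fallback configured in Startup, and an SP-initiated challenge that carries AuthenticationProperties.RedirectUri so the handler returns to the application's own callback instead of the default "/Identity/Account/ExternalLogin?handler=Callback". The namespace of the AddSaml extension, the IsLocalUrl helper, the action names StartSso and Callback, and the "/External/Callback" route are assumptions of this example. The helper exists because both the relay state (which in IdP-initiated SSO originates at the partner) and the returnUrl are attacker-influenced input, and an unchecked redirect target at the end of a login is an open redirect.

```csharp
// Added example; not ComponentSpace's or IdentityServer4's own code.
// Assumed: the namespace of the AddSaml extension, the IsLocalUrl helper,
// the action names, and that the external callback is routed at /External/Callback.
using System;
using System.Threading.Tasks;
using ComponentSpace.Saml2.Authentication;   // assumed namespace of the AddSaml extension
using IdentityServer4;
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Extensions.DependencyInjection;

public static class SamlSetup
{
    // Hypothetical helper: accept only path-relative URLs so neither a relay
    // state nor a returnUrl can turn login completion into an open redirect.
    // Same rules as IUrlHelper.IsLocalUrl, but usable outside a controller.
    public static bool IsLocalUrl(string url)
    {
        if (string.IsNullOrEmpty(url) || url[0] != '/') return false;
        if (url.Length == 1) return true;            // "/"
        return url[1] != '/' && url[1] != '\\';      // reject "//evil.example" and "/\evil"
    }

    // Startup.ConfigureServices: replaces the default
    // "/Identity/Account/ExternalLogin?handler=Callback" completion URL.
    public static void ConfigureSaml(IServiceCollection services)
    {
        services.AddAuthentication()
            .AddSaml(options =>
            {
                // Only consulted when the challenge carried no RedirectUri
                // (for example IdP-initiated SSO), where relayState comes from
                // the identity provider and must be treated as untrusted input.
                options.LoginCompletionUrl = relayState =>
                    IsLocalUrl(relayState) ? relayState : "/External/Callback";
            });
    }
}

// SP-initiated flow from the IdentityServer host: the challenge carries a
// RedirectUri, which the handler uses instead of LoginCompletionUrl.
public class ExternalController : Controller
{
    [HttpGet]
    public IActionResult StartSso(string scheme, string returnUrl)
    {
        if (!SamlSetup.IsLocalUrl(returnUrl)) returnUrl = "/";

        var props = new AuthenticationProperties
        {
            // Where the SAML handler sends the browser after signing in to the
            // external cookie scheme; must match this controller's Callback route.
            RedirectUri = Url.Action(nameof(Callback)),
            Items =
            {
                // Round-tripped inside the protected authentication ticket,
                // not in the SAML RelayState, so the IdP cannot tamper with it.
                { "returnUrl", returnUrl },
                { "scheme", scheme },
            }
        };
        return Challenge(props, scheme);
    }

    [HttpGet]
    public async Task<IActionResult> Callback()
    {
        // "idsrv.external" in the log lines above is this scheme.
        var result = await HttpContext.AuthenticateAsync(
            IdentityServerConstants.ExternalCookieAuthenticationScheme);
        if (result?.Succeeded != true)
            throw new InvalidOperationException("External authentication failed");

        // Re-validate on the way out as well: defence in depth costs nothing here.
        if (!result.Properties.Items.TryGetValue("returnUrl", out var returnUrl)
            || !SamlSetup.IsLocalUrl(returnUrl))
        {
            returnUrl = "/";
        }

        // Map result.Principal to a local user and call HttpContext.SignInAsync
        // for the IdentityServer cookie here, then resume the authorize request.
        return Redirect(returnUrl);
    }
}
```

The RedirectUri travels inside the handler's own correlation state rather than in the SAML RelayState, so in the SP-initiated case the identity provider never sees or controls where the browser lands; LoginCompletionUrl is only the fallback for challenges that did not set one, which is why the relayState argument it receives deserves the same local-URL check as any other redirect target.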
scotru
New Member

Group: Forum Members
Posts: 6, Visits: 19
ComponentSpace - 6/14/2019
If your application is initiating the challenge/SSO, you have the option of specifying an AuthenticationProperties.RedirectUri which will be used instead of the LoginCompletionUrl.

I do specify the RedirectUri in the AuthenticationProperties when I initiate the SSO.   I'm just using the QuickStart UI from IdentityServer as shown below:


// start challenge and roundtrip the return URL and scheme
var props = new AuthenticationProperties
{
    RedirectUri = Url.Action(nameof(Callback)),
    Items =
    {
        { "returnUrl", returnUrl },
        { "scheme", provider },
    }
};
return Challenge(props, provider);


Setting a break point and showing the RedirectUri before the Challenge call shows a value of:
"/External/Callback"
I tried setting a full Url explicitly before the Challenge call with:

      props.RedirectUri = "http://localhost:5000/External/Callback";


But there was no change; I am still redirected to: http://localhost:5000/Identity/Account/ExternalLogin?handler=Callback

I am wondering if I'm having the same issue described here:  https://www.componentspace.com/Forums/9518/SamlAuthenticationHandler-Challenge-redirectUri ?
But I'm not quite following the solution.




ComponentSpace
ComponentSpace Development

Group: Administrators
Posts: 3.2K, Visits: 11K
Please enable SAML trace and send the complete log file as an email attachment to [email protected] mentioning your forum post.
When we receive the challenge we log the AuthenticationProperties.RedirectUri.

Regards
ComponentSpace Development