Forums, Documentation & Knowledge Base - ComponentSpace

SamlAuthenticationHandler Challenge redirectUri


http://componentspace.com/Forums/Topic9518.aspx

By jasonquanumworkplace - 12/5/2018

Hello,

I am in the process of implementing SAML auth with Identity Server 4 as a Service Provider. I have everything set up and working properly except for the handling of the External Login callback after authenticating with an external IdP.

It seems that no matter what I pass in the AuthenticationProperties object that is passed to the ChallengeResult, after I successfully log in with the IdP I am always redirected to the default callback URL, which is /Identity/Account/ExternalLogin?handler=Callback.

Here is my code for setting up the AuthenticationProperties and ChallengeResult:

    // Build the properties for the external challenge and trigger it.
    var props = new AuthenticationProperties()
    {
        RedirectUri = Url.Action("ExternalLoginCallback"),
        Items =
        {
            { "returnUrl", returnUrl },
            { "scheme", provider }
        }
    };
    return new ChallengeResult(provider, props);


Based on that code I see the following in the HandleChallengeAsync method of the SamlAuthenticationHandler for the AuthenticationProperties object:
Items: 
{[.redirect, /account/ExternalLoginCallback]}
{[returnUrl, /connect/authorize/callback....}
{[scheme, saml2-okta-idsrv]}

And the redirectUri is "/account/ExternalLoginCallback".

Not only am I not getting redirected back to the right callback URL, but the Items I provided in the authentication properties (scheme and returnUrl) are not available either.

When I put in a route for the default callback URL I am able to inspect the authentication result with this code:

    // Read back the external sign-in result from the external cookie scheme.
    var result = await HttpContext.AuthenticateAsync(_appConfiguration.Value.ExternalCookieAuthenticationSchemeEnvironment);


That result comes back with Succeeded = true and I see that the claims from the principal are correct. But the result's Properties has the following:
redirectUri = /Identity/Account/ExternalLogin?handler=Callback
Properties.Items:
{[LoginProvider, saml2-okta-idsrv]}
{[.redirect, /Identity/Account/ExternalLogin?handler=Callback]}
{[.issued, Thu, 06 Dec 2018 00:03:46 GMT]}
{[.expires, Thu, 20 Dec 2018 00:03:46 GMT]}

Shouldn't the authentication properties include the proper redirect and the extra items I provided when passed into the ChallengeResult?

Here is my code where I am setting up the SAML provider:

    // Register the SAML authentication scheme for this external identity provider.
    builder.AddSaml(externalIdentityProviderModel.AuthenticationScheme,
        externalIdentityProviderModel.DisplayName ?? "",
        options =>
        {
            // Sign the external identity into the external cookie scheme.
            options.SignInScheme = configurationOptions.Value.ExternalCookieAuthenticationSchemeEnvironment;
            // Partner IdP taken from the SAML configuration.
            options.PartnerName = () => externalIdentityProviderModel.SamlConfig.Name;
        });


I know that I can provide a LoginCompletionUrl setting in the options as well, and while that does override the default URL and redirect me to where I want to go, it still does not have the extra Items that I provided in the AuthenticationProperties (returnUrl and scheme).

In my search for answers I also came across this forum post that seems to be the same issue as I am having, if it helps any.
https://www.componentspace.com/Forums/9181/RelayState-is-overwritten-by-SamlAuthenticationHandler

Can you tell me if this is a bug or if I am doing something wrong?

Let me know if you need any other information from me.

Thanks
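Added example (editor's code, not from the post above or from ComponentSpace): a controller that keeps its own copy of the per-request state (returnUrl and the scheme) in a data-protected, single-use cookie, so completing the login no longer depends on AuthenticationProperties.Items or RelayState surviving the SAML handler. It still validates returnUrl as a local URL before and after the IdP round-trip, and cross-checks the LoginProvider item the post shows against the scheme the browser started with. The external cookie scheme name, the cookie name and the controller itself are hypothetical; the example assumes the handler ends up at the Callback action, whether through RedirectUri or a LoginCompletionUrl pointing at it.

```csharp
using System;
using System.Security.Cryptography;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.DataProtection;
using Microsoft.AspNetCore.Http;
using Microsoft.AspNetCore.Mvc;

// Added example, not code from the original post or from ComponentSpace.
// Assumptions: the scheme and cookie names below are hypothetical, and the SAML
// handler (via RedirectUri or LoginCompletionUrl) lands on the Callback action.
public class ExternalLoginController : Controller
{
    private const string ExternalCookieScheme = "ExternalCookie"; // hypothetical scheme name
    private const string StateCookie = "ExtLoginState";            // hypothetical cookie name
    private static readonly TimeSpan StateLifetime = TimeSpan.FromMinutes(10);
    private readonly IDataProtector _protector;

    public ExternalLoginController(IDataProtectionProvider provider)
    {
        // The purpose string isolates this payload from other data-protected values.
        _protector = provider.CreateProtector("ExternalLoginState.v1");
    }

    [HttpPost]
    [ValidateAntiForgeryToken]
    public IActionResult Login(string provider, string returnUrl)
    {
        // Reject open redirects before the IdP round-trip, not only after it.
        if (string.IsNullOrEmpty(returnUrl) || !Url.IsLocalUrl(returnUrl))
            returnUrl = "~/";

        // Our own authenticated copy of the state. Layout: issuedAt|provider|returnUrl,
        // with returnUrl last because it may itself contain '|'.
        var payload = _protector.Protect(
            $"{DateTimeOffset.UtcNow.ToUnixTimeSeconds()}|{provider}|{returnUrl}");
        Response.Cookies.Append(StateCookie, payload, new CookieOptions
        {
            HttpOnly = true,
            Secure = true,
            SameSite = SameSiteMode.Lax, // still sent on the top-level redirect to Callback
            IsEssential = true,
            MaxAge = StateLifetime
        });

        // Pass RedirectUri and Items as the post does; the cookie is the fallback.
        var props = new AuthenticationProperties { RedirectUri = Url.Action(nameof(Callback)) };
        props.Items["returnUrl"] = returnUrl;
        props.Items["scheme"] = provider;
        return Challenge(props, provider);
    }

    [HttpGet]
    public async Task<IActionResult> Callback()
    {
        var result = await HttpContext.AuthenticateAsync(ExternalCookieScheme);
        if (!result.Succeeded)
            return Unauthorized();

        // Single use: remove the state cookie whether or not it validates.
        var raw = Request.Cookies[StateCookie];
        Response.Cookies.Delete(StateCookie);
        if (string.IsNullOrEmpty(raw))
            return BadRequest("missing external login state");

        string provider, returnUrl;
        try
        {
            var parts = _protector.Unprotect(raw).Split(new[] { '|' }, 3);
            if (parts.Length != 3)
                return BadRequest("malformed external login state");
            var issuedAt = DateTimeOffset.FromUnixTimeSeconds(long.Parse(parts[0]));
            if (DateTimeOffset.UtcNow - issuedAt > StateLifetime)
                return BadRequest("external login state expired");
            provider = parts[1];
            returnUrl = parts[2];
        }
        catch (Exception ex) when (ex is CryptographicException || ex is FormatException)
        {
            // Tampered, forged, or protected under a different key ring.
            return BadRequest("invalid external login state");
        }

        // Cross-check the provider the handler recorded (the LoginProvider item seen
        // in the post) against the scheme this browser started the login with.
        if (result.Properties.Items.TryGetValue("LoginProvider", out var loginProvider)
            && !string.Equals(loginProvider, provider, StringComparison.Ordinal))
            return BadRequest("provider mismatch");

        // Defense in depth: the protected cookie should only carry a value we already
        // checked, but the redirect target is re-validated anyway.
        if (!Url.IsLocalUrl(returnUrl))
            returnUrl = "~/";
        return LocalRedirect(returnUrl);
    }
}
```

The cookie is only a transport for state the application itself produced, so the IDataProtector is what makes it trustworthy: a forged or edited cookie fails Unprotect rather than being parsed. If the handler does later preserve Items, the Callback action can prefer result.Properties.Items and keep the cookie as the fallback; the validation steps stay the same either way.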
By ComponentSpace - 9/2/2019

You're very welcome.