Forums, Documentation & Knowledge Base - ComponentSpace

SamlAuthenticationHandler Challenge redirectUri

By jasonquanumworkplace - 12/5/2018


I am in the process of implementing SAML auth with Identity Server 4 as a Service Provider. I have everything set up and working properly except for the handling of the External Login callback after authenticating with an external IdP.

It seems no matter what I pass in the AuthenticationProperties object that is passed to the ChallengeResult, after I successfully log in with the IdP I am always redirected to the default callback URL, which is: /Identity/Account/ExternalLogin?handler=Callback.

Here is my code for setting up the AuthenticationProperties and ChallengeResult:

   var props = new AuthenticationProperties()
   {
      RedirectUri = Url.Action("ExternalLoginCallback"),
      Items =
      {
         { "returnUrl", returnUrl },
         { "scheme", provider }
      }
   };
   return new ChallengeResult(provider, props);

Based on that code I see the following in the HandleChallengeAsync method of the SamlAuthenticationHandler for the AuthenticationProperties object:
{[.redirect, /account/ExternalLoginCallback]}
{[returnUrl, /connect/authorize/callback....}
{[scheme, saml2-okta-idsrv]}

And the redirectUri is "/account/ExternalLoginCallback".

Not only am I not getting redirected back to the right callback URL, but the Items I provided in the authentication properties (scheme and returnUrl) are not available either.

When I put in a route for the default callback URL I am able to inspect the authentication result with this code:

   var result = await HttpContext.AuthenticateAsync(_appConfiguration.Value.ExternalCookieAuthenticationSchemeEnvironment);

That result comes back with Succeeded = true and I see that the claims from the principal are correct. But the result's properties have the following:
redirectUri = /Identity/Account/ExternalLogin?handler=Callback
{[LoginProvider, saml2-okta-idsrv]}
{[.redirect, /Identity/Account/ExternalLogin?handler=Callback]}
{[.issued, Thu, 06 Dec 2018 00:03:46 GMT]}
{[.expires, Thu, 20 Dec 2018 00:03:46 GMT]}

Shouldn't the authentication properties include the proper redirect and the extra items I provided when passed into the ChallengeResult?

Here is my code where I am setting up the SAML provider:

   // the start of the method call (scheme name argument) is truncated here
   externalIdentityProviderModel.DisplayName ?? "",
   options =>
   {
      options.SignInScheme = configurationOptions.Value.ExternalCookieAuthenticationSchemeEnvironment;
      options.PartnerName = () => externalIdentityProviderModel.SamlConfig.Name;
   });

I know that I can provide a LoginCompletionUrl setting in the options as well, and while that does override the default URL and redirect me to where I want to go, it still does not have the extra Items that I provided in the AuthenticationProperties (returnUrl and scheme).

In my search for answers I also came across this forum post that seems to be the same issue as I am having, if it helps any.

Can you tell me if this is a bug or if I am doing something wrong?

Let me know if you need any other information from me.
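For context on the behaviour the post expects, here is an added example (not code from the post or from ComponentSpace) of how the built-in ASP.NET Core remote handlers round-trip AuthenticationProperties: on challenge they serialize the properties through a PropertiesDataFormat backed by a data protector and send the result as an opaque state value (for SAML that would be the RelayState; whether the ComponentSpace handler does this is not stated on this page), and on the callback they unprotect it, which restores RedirectUri and Items and rejects any state that was altered in transit. The scheme name and URLs are taken from the post; the ephemeral data protector is a stand-in for the application's real one.

```csharp
using System;
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.DataProtection;

public static class PropertiesRoundTrip
{
    // Same format type the framework's OAuth/OIDC handlers use for their state parameter.
    public static ISecureDataFormat<AuthenticationProperties> CreateFormat(
        IDataProtectionProvider provider, string scheme)
    {
        // Purpose strings bind the protector to this handler and scheme.
        var protector = provider.CreateProtector("PropertiesRoundTripDemo", scheme, "v1");
        return new PropertiesDataFormat(protector);
    }

    // Challenge side: everything the callback will need goes into the protected state.
    public static string ProtectForChallenge(ISecureDataFormat<AuthenticationProperties> format,
        string redirectUri, string returnUrl, string scheme)
    {
        var props = new AuthenticationProperties { RedirectUri = redirectUri };
        props.Items["returnUrl"] = returnUrl;
        props.Items["scheme"] = scheme;
        return format.Protect(props); // encrypted and authenticated; opaque to the IdP
    }

    // Callback side: returns null when the state is missing, expired or tampered with,
    // so a forged redirect target never reaches the redirect logic.
    public static AuthenticationProperties RestoreOnCallback(
        ISecureDataFormat<AuthenticationProperties> format, string state)
        => string.IsNullOrEmpty(state) ? null : format.Unprotect(state);

    public static void Main()
    {
        var format = CreateFormat(new EphemeralDataProtectionProvider(), "saml2-okta-idsrv");

        string state = ProtectForChallenge(format,
            "/account/ExternalLoginCallback", "/connect/authorize/callback", "saml2-okta-idsrv");

        var restored = RestoreOnCallback(format, state);
        Console.WriteLine(restored.RedirectUri);          // /account/ExternalLoginCallback
        Console.WriteLine(restored.Items["returnUrl"]);   // /connect/authorize/callback
        Console.WriteLine(restored.Items["scheme"]);      // saml2-okta-idsrv

        // A single changed character breaks the authentication tag: no properties, no redirect.
        var tampered = RestoreOnCallback(format, state.Substring(0, state.Length - 1) + "x");
        Console.WriteLine(tampered == null);              // True
    }
}
```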

By ComponentSpace - 9/2/2019

You're very welcome.