ComponentSpace

Forums



SSO from ASP.NET Login Form


Idayn
New Member (6 reputation)

Group: Forum Members
Posts: 4, Visits: 13
Hi,

I need to implement SSO functionality of one of our sites with a pre-existing authentication method. I have set up the site as a new service provider with our corporate IdP.
The corporate IdP is already in use by other subsystems. Certificates are in place, and we have configured POST Binding on both sides.

Not all users that log on to said new service provider are known to the IdP, so I need to build kind of a hybrid solution. I have a simple asp.net form with a username and password input, and a login button. The code-behind on the button at the moment just calls

      SAMLServiceProvider.InitiateSSO(Response, returnUrl, partnerIdP);


My goal is to have only one login form. The logic I'm trying to implement is as follows:

1. User enters credentials in the ASP.net form (username + password)
2. entered credentials are checked against the IdP
3a. if IdP says credentials are valid, redirect user to the desired site
3b. if IdP says credentials are invalid, check them against to our existing authentication method and act accordingly

So the identification is always initiated by the Service Provider.
Now I don't fully understand SAML yet since I'm new to this topic, so I have a couple of questions.

  1. Is this even possible, or does it break the SAML spec in some way?
  2. Where does InitiateSSO get the username to send to the IdP from?
  3. Can I send username and password within the SAML request for authentication?
Thanks in advance.
ComponentSpace Development (4.4K reputation)

Group: Administrators
Posts: 3.2K, Visits: 11K
In SAML SSO the user authentication always occurs at the IdP site. The SAML specification permits you to send the username in the SAML authn request but you cannot send the password. Also, not all IdPs support receiving the username and some may ignore this.

You could simply give the user the option to either login locally at the SP site or SSO to the IdP. This seems like the simplest and best approach.

Alternatively, if the IdP site supports querying whether a user exists, you could prompt for the username at the SP, call the IdP to see if this is a known user and if so initiate SSO. If not, prompt the user to login locally at the SP. Querying whether a user is known is outside the SAML specification and would require some custom code.   

Regards
ComponentSpace Development
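The two-step flow the reply suggests (prompt for the username, query the IdP, then either SP-initiated SSO or local login), as an added example that is neither ComponentSpace's code nor the original poster's. It assumes a hypothetical `IdpDirectory.IsKnownUser` for the custom, out-of-spec user lookup and a hypothetical `LocalAuthenticator.Validate` for the site's existing authentication method, and keeps the `SAMLServiceProvider.InitiateSSO(Response, returnUrl, partnerIdP)` call from the question.

```csharp
// Added example (not ComponentSpace's own code): Web Forms code-behind for a
// single login form that decides between IdP SSO and local authentication.
// Hypothetical helpers: IdpDirectory.IsKnownUser (custom query, outside the
// SAML spec) and LocalAuthenticator.Validate (the pre-existing local method).
using System;
using System.Web.Security;
using System.Web.UI;
using ComponentSpace.SAML2;   // namespace assumed for SAMLServiceProvider

public partial class Login : Page
{
    // Placeholder partner IdP entity ID; use the value configured in saml.config.
    private const string PartnerIdP = "urn:example:corporate-idp";

    protected void LoginButton_Click(object sender, EventArgs e)
    {
        string username = UsernameTextBox.Text.Trim();
        string returnUrl = SafeReturnUrl(Request.QueryString["returnUrl"]);

        // Step 1: ask the IdP (custom query) whether it knows this user.
        // Only the username is used here; the password is never sent to the IdP.
        // This lookup reveals which usernames are federated, so rate-limit it.
        if (IdpDirectory.IsKnownUser(username))
        {
            // Step 2a: SP-initiated SSO. The IdP collects the credentials itself,
            // so whatever was typed into the password box is deliberately ignored.
            SAMLServiceProvider.InitiateSSO(Response, returnUrl, PartnerIdP);
            return;
        }

        // Step 2b: unknown to the IdP, so fall back to the existing local method.
        if (LocalAuthenticator.Validate(username, PasswordTextBox.Text))
        {
            FormsAuthentication.SetAuthCookie(username, false);
            Response.Redirect(returnUrl);
            return;
        }

        ErrorLabel.Text = "Invalid username or password.";
    }

    // Accept only application-relative paths as the post-login destination so
    // the returnUrl parameter cannot be abused as an open redirect.
    private static string SafeReturnUrl(string candidate)
    {
        if (!string.IsNullOrEmpty(candidate)
            && candidate.StartsWith("/")
            && !candidate.StartsWith("//")
            && !candidate.StartsWith("/\\"))
        {
            return candidate;
        }
        return "~/Default.aspx";
    }
}
```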
Idayn
New Member (6 reputation)

Group: Forum Members
Posts: 4, Visits: 13
ComponentSpace - 8/26/2020
Thanks for the reply. That made things much more clear.

ComponentSpace Development (4.4K reputation)

Group: Administrators
Posts: 3.2K, Visits: 11K
You're welcome.

Regards
ComponentSpace Development