ComponentSpace Forums

How can IDP send "Access Denied Page" towards user

raju (New Member)
We are evaluating the ComponentSpace IDP, and we use its low-level API as we have our own 'auth' middleware.
At any time, when the user hits the IDP (through redirection), he is already authenticated by the rest of our system.
I want to add a small security enforcement, to deny access to a user who happens to visit the IDP via a non-standard path, where he is not authenticated by our middleware.
So, how can I achieve that in the 'Else' section of the SingleSignOnService method, or that of SingleSignOnServiceCompletion?

using System.Threading.Tasks;
using ComponentSpace.Saml2;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Identity;
using Microsoft.AspNetCore.Mvc;
// ApplicationUser is the project's ASP.NET Core Identity user type; its namespace is not shown in the post.

namespace ExampleIdentityProvider.Controllers
{
    public class SamlController : Controller
    {
        private readonly ISamlIdentityProvider _samlIdentityProvider;
        private readonly SignInManager<ApplicationUser> _signInManager;

        public SamlController(ISamlIdentityProvider samlIdentityProvider, SignInManager<ApplicationUser> signInManager)
        {
            _samlIdentityProvider = samlIdentityProvider;
            _signInManager = signInManager;
        }

        public async Task<ActionResult> SingleSignOnService()
        {
            // Receive the authn request from the service provider (SP-initiated SSO).
            await _samlIdentityProvider.ReceiveSsoAsync();

            // If the user is logged in at the identity provider, complete SSO immediately.
            // Otherwise have the user login before completing SSO.
            if (User.Identity.IsAuthenticated)
            {
                await CompleteSsoAsync();

                return new EmptyResult();
            }
            else
            {
                // Not authenticated here: the [Authorize] action below triggers a local login.
                return RedirectToAction("SingleSignOnServiceCompletion");
            }
        }

        [Authorize]
        public async Task<ActionResult> SingleSignOnServiceCompletion()
        {
            await CompleteSsoAsync();

            return new EmptyResult();
        }

        // CompleteSsoAsync (which sends the SAML response for the logged-in user) is
        // defined elsewhere in the example project and was not included in the post.
    }
}
ComponentSpace Development (Administrators)
The return RedirectToAction("SingleSignOnServiceCompletion"); forces the user to authenticate locally if they're not already.
If instead the user should already be authenticated through your middleware and you want to fail the SSO attempt, you have a couple of choices.
You could simply redirect the user to an error page and display a suitable error message.
The alternative is to return a SAML response with an error status to the SP.
The SP will then most likely display an error page.
The following code demonstrates returning an error status.

// Send a SAML response whose top-level status is Requester with the message "Access Denied".
// SendSsoAsync is asynchronous, so await it inside the async controller action.
await _samlIdentityProvider.SendSsoAsync(new Status(SamlConstants.PrimaryStatusCodes.Requester, "Access Denied"));

Regards
ComponentSpace Development
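Putting the two options from the reply above into one controller action, as an added example (this is not code from the thread or from ComponentSpace's example project): the non-standard path no longer falls back to a local login but denies the SSO attempt, either by answering the SP with a SAML Requester status or by redirecting to an error page at the IdP. The RespondWithSamlError switch, the Error/AccessDenied action, and the body of CompleteSsoAsync are assumptions made for this example.

```csharp
using System.Threading.Tasks;
using ComponentSpace.Saml2;
using Microsoft.AspNetCore.Mvc;

namespace ExampleIdentityProvider.Controllers
{
    public class SamlController : Controller
    {
        private readonly ISamlIdentityProvider _samlIdentityProvider;

        // Assumed switch for this example: true = answer the SP with a SAML error status,
        // false = show the IdP's own error page instead.
        private const bool RespondWithSamlError = true;

        public SamlController(ISamlIdentityProvider samlIdentityProvider)
        {
            _samlIdentityProvider = samlIdentityProvider;
        }

        public async Task<ActionResult> SingleSignOnService()
        {
            // Receive and validate the SP's authn request first, so the identity
            // provider knows which partner SP it is answering (or refusing).
            await _samlIdentityProvider.ReceiveSsoAsync();

            // Expected path: the custom middleware has already authenticated the user.
            if (User.Identity != null && User.Identity.IsAuthenticated)
            {
                await CompleteSsoAsync();
                return new EmptyResult();
            }

            // Non-standard path: the user reached the IdP without going through the
            // middleware. Do not offer a local login; deny the SSO attempt outright.
            return await DenySsoAsync("Access Denied");
        }

        // Option 1 from the reply: return a SAML response carrying an error status
        // (top-level urn:oasis:names:tc:SAML:2.0:status:Requester), so the SP learns
        // the request was refused. Option 2: redirect to the IdP's own error page.
        private async Task<ActionResult> DenySsoAsync(string reason)
        {
            if (RespondWithSamlError)
            {
                // The reason string is sent to the SP as the StatusMessage, so keep it
                // generic rather than leaking why the local check failed.
                await _samlIdentityProvider.SendSsoAsync(
                    new Status(SamlConstants.PrimaryStatusCodes.Requester, reason));

                // SendSsoAsync has already written the SAML response to the HTTP response.
                return new EmptyResult();
            }

            // Assumed action for this example: an ErrorController with an AccessDenied view.
            return RedirectToAction("AccessDenied", "Error", new { reason });
        }

        private async Task CompleteSsoAsync()
        {
            // Assumption for this example: the authenticated user's name is used as the
            // NameID. A real project would typically also send SAML attributes.
            await _samlIdentityProvider.SendSsoAsync(User.Identity.Name);
        }
    }
}
```

Calling ReceiveSsoAsync before deciding to deny matters: it is what validates the incoming authn request and records the partner SP, so the error response goes back to the right SP's assertion consumer service. Sending the error status is also the option that gives the SP something to log, which the local error page does not.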
raju (New Member)
Thank you. I tried this but found that the SP (Google) happens to display a blank page when I send this Status. Investigating it.
ComponentSpace Development (Administrators)
It's possible Google doesn't handle the error status very well.
You're welcome to report your findings here. 

Regards
ComponentSpace Development