ComponentSpace

Forums



Idp Initiated Single Sign On


Idp Initiated Single Sign On

Author
Message
jasonquanumworkplace
jasonquanumworkplace
New Member
New Member (10 reputation)New Member (10 reputation)New Member (10 reputation)New Member (10 reputation)New Member (10 reputation)New Member (10 reputation)New Member (10 reputation)New Member (10 reputation)New Member (10 reputation)

Group: Forum Members
Posts: 7, Visits: 39
Hello,

I have a Service Provider built with Identity Server and am trying to get Idp initiated login working.

If I initiate the Sign On Process to any Idp I have configured everything seems to work ok.  But when I initiate the login from the Idp itself, the authentication type always seems to be coming from the first Idp I have configured.  I will try to explain a bit.

I have 2 Idps configured:
Idp 1: Idp 2:
Any time I initiate a login via Idp 2, the resulting Authentication Result is using the first Idp configured (Idp 1).

Here is how I am adding each Idp via configuration:

  public static AuthenticationBuilder AddSamlIdentityProviders(this AuthenticationBuilder builder, ILogger logger)
   {
    foreach (var externalIdentityProviderModel in providers)
    {
      logger.LogDebug(
       "Adding authentication: {authenticationScheme} - {providerName}:{entityId}:{displayName}",
       externalIdentityProviderModel.AuthenticationScheme,
       externalIdentityProviderModel.IdentityProviderName, externalIdentityProviderModel.SamlConfig.Name,
       externalIdentityProviderModel.DisplayName);
     
      builder.AddSaml(externalIdentityProviderModel.AuthenticationScheme,
       externalIdentityProviderModel.DisplayName ?? "",
       options =>
       {
        options.SignInScheme = configurationOptions.Value.ExternalCookieAuthenticationSchemeEnvironment;
        options.PartnerName = () =>
        {
          return externalIdentityProviderModel.SamlConfig.Name;
        };
        options.LoginCompletionUrl = (param) =>
        {
          return string.Format(configurationOptions.Value.SsoSpConfiguration.RedirectUrl,
           externalIdentityProviderModel.AuthenticationScheme);
        };
        options.AssertionConsumerServicePath = configurationOptions.Value.SsoSpConfiguration.AssertionConsumerServicePath;
        options.SingleLogoutServicePath = configurationOptions.Value.SsoSpConfiguration.SingleLogoutServicePath;
        options.SignOutScheme = configurationOptions.Value.ExternalCookieAuthenticationSchemeEnvironment;
        
       });
    }

    return builder;
   }


When the Login process is initiated from Idp 2, the resulting LoginCompletionUrl redirects with a query string parameter pointing to Idp 1.  When inspecting the Authentication Result properties, that seems to be coming from Idp 1 as well:

{
"Items": {
  "LoginProvider": "saml2-okta-idsrv",
  ".redirect": "https://auth.local.quantumworkplace.com/Account/IdpLogin?idp=saml2-okta-idsrv",
  ".issued": "Thu, 31 Jan 2019 16:42:17 GMT",
  ".expires": "Thu, 14 Feb 2019 16:42:17 GMT"
},
"Parameters": {},
"IsPersistent": false,
"RedirectUri": "https://auth.local.quantumworkplace.com/Account/IdpLogin?idp=saml2-okta-idsrv",
"IssuedUtc": "2019-01-31T16:42:17+00:00",
"ExpiresUtc": "2019-02-14T16:42:17+00:00"
}


It seems no matter what Idp initiates the login, the first Idp configured will be what the authentication result contains.

Can you tell me if I am doing something wrong in the configuration?  Or am missing anything else?

Thanks

ComponentSpace
ComponentSpace
ComponentSpace Development
ComponentSpace Development (4.4K reputation)ComponentSpace Development (4.4K reputation)ComponentSpace Development (4.4K reputation)ComponentSpace Development (4.4K reputation)ComponentSpace Development (4.4K reputation)ComponentSpace Development (4.4K reputation)ComponentSpace Development (4.4K reputation)ComponentSpace Development (4.4K reputation)ComponentSpace Development (4.4K reputation)

Group: Administrators
Posts: 3.2K, Visits: 11K
Is the AssertionConsumerServicePath different for each SAML authentication handler?
If you have two SAML authentication handlers configured and both use the same AssertionConsumerServicePath, the first will process the SAML response.
Could you please explain your requirements including the need for two SAML authentication handlers?
Is this to distinguish between different identity providers by the authentication scheme? If so, what is your processing with respect to these different authentication schemes?

Regards
ComponentSpace Development
jasonquanumworkplace
jasonquanumworkplace
New Member
New Member (10 reputation)New Member (10 reputation)New Member (10 reputation)New Member (10 reputation)New Member (10 reputation)New Member (10 reputation)New Member (10 reputation)New Member (10 reputation)New Member (10 reputation)

Group: Forum Members
Posts: 7, Visits: 39
ComponentSpace - 1/31/2019
Is the AssertionConsumerServicePath different for each SAML authentication handler?
If you have two SAML authentication handlers configured and both use the same AssertionConsumerServicePath, the first will process the SAML response.
Could you please explain your requirements including the need for two SAML authentication handlers?
Is this to distinguish between different identity providers by the authentication scheme? If so, what is your processing with respect to these different authentication schemes?

No my AssertionConsumerServicePath is the the same for each Idp.  I thought it was needed to have a SAML Authentication Handler for each Idp so that I could assign an authentication scheme for each.  Are you saying that no matter how many Idps are configured with my SP, that I only need one SAML Authentication Handler to process them?

My processing for each Idp is this to match the username with the Idp that they are using to login.  Can I do that with just one Authentication Handler and Authentication Scheme?  Or can the Idp be determined when they both have the same authentication scheme?
jasonquanumworkplace
jasonquanumworkplace
New Member
New Member (10 reputation)New Member (10 reputation)New Member (10 reputation)New Member (10 reputation)New Member (10 reputation)New Member (10 reputation)New Member (10 reputation)New Member (10 reputation)New Member (10 reputation)

Group: Forum Members
Posts: 7, Visits: 39
jasonquanumworkplace - 1/31/2019
ComponentSpace - 1/31/2019
Is the AssertionConsumerServicePath different for each SAML authentication handler?
If you have two SAML authentication handlers configured and both use the same AssertionConsumerServicePath, the first will process the SAML response.
Could you please explain your requirements including the need for two SAML authentication handlers?
Is this to distinguish between different identity providers by the authentication scheme? If so, what is your processing with respect to these different authentication schemes?

No my AssertionConsumerServicePath is the the same for each Idp.  I thought it was needed to have a SAML Authentication Handler for each Idp so that I could assign an authentication scheme for each.  Are you saying that no matter how many Idps are configured with my SP, that I only need one SAML Authentication Handler to process them?

My processing for each Idp is this to match the username with the Idp that they are using to login.  Can I do that with just one Authentication Handler and Authentication Scheme?  Or can the Idp be determined when they both have the same authentication scheme?

Just to elaborate a bit... I am using the ServiceProvider Middleware via the AddSaml() method.  For each partner Idp I have configured in my database, I have an authentication scheme assigned to it.  This allows me to initiate a login from my Service provider via triggering an authentication request for the selected Partner Idp authentication scheme.  This works fine and I am able to use this setup as long as the authentication request is initiated by my service provider.  But once the login is initiated from one of the External Partner Idps, that is where I always get the first Idp configured as the Login Provider, even though the login was initiated from my second Idp configured.

Hope this helps
ComponentSpace
ComponentSpace
ComponentSpace Development
ComponentSpace Development (4.4K reputation)ComponentSpace Development (4.4K reputation)ComponentSpace Development (4.4K reputation)ComponentSpace Development (4.4K reputation)ComponentSpace Development (4.4K reputation)ComponentSpace Development (4.4K reputation)ComponentSpace Development (4.4K reputation)ComponentSpace Development (4.4K reputation)ComponentSpace Development (4.4K reputation)

Group: Administrators
Posts: 3.2K, Visits: 11K
Each authentication handler listens for messages on its particular endpoint.
If two SAML authentication handlers are configured with the same AssertionConsumerServicePath, only the first will ever see SAML messages as these will be processed and not passed onto the next SAML authentication handler.
You could configured different AssertionConsumerServicePaths through the SAML authentication handler options and have the IdPs send to the appropriate URL.
However, I think a better option would be if the SAML authentication handler returned the partner IdP name back to your application in the authentication properties.
That way, as well as the user claims etc, you'll also know which partner IdP initiated the SSO.
This will require an update. Please contact us to access a beta.

Regards
ComponentSpace Development
jasonquanumworkplace
jasonquanumworkplace
New Member
New Member (10 reputation)New Member (10 reputation)New Member (10 reputation)New Member (10 reputation)New Member (10 reputation)New Member (10 reputation)New Member (10 reputation)New Member (10 reputation)New Member (10 reputation)

Group: Forum Members
Posts: 7, Visits: 39
ComponentSpace - 2/1/2019
Each authentication handler listens for messages on its particular endpoint.
If two SAML authentication handlers are configured with the same AssertionConsumerServicePath, only the first will ever see SAML messages as these will be processed and not passed onto the next SAML authentication handler.
You could configured different AssertionConsumerServicePaths through the SAML authentication handler options and have the IdPs send to the appropriate URL.
However, I think a better option would be if the SAML authentication handler returned the partner IdP name back to your application in the authentication properties.
That way, as well as the user claims etc, you'll also know which partner IdP initiated the SSO.
This will require an update. Please contact us to access a beta.

Hi,
Yes I think that should work.  If I know the Partner Idp or the Authentication Scheme then I can properly locate the user that has authenticated in our system.  Having access to one or both via the Authentication Properties of the in the AuthenticationResult would allow me to do that.

I will reach out about accessing a beta.

Thanks
ComponentSpace
ComponentSpace
ComponentSpace Development
ComponentSpace Development (4.4K reputation)ComponentSpace Development (4.4K reputation)ComponentSpace Development (4.4K reputation)ComponentSpace Development (4.4K reputation)ComponentSpace Development (4.4K reputation)ComponentSpace Development (4.4K reputation)ComponentSpace Development (4.4K reputation)ComponentSpace Development (4.4K reputation)ComponentSpace Development (4.4K reputation)

Group: Administrators
Posts: 3.2K, Visits: 11K
Thank you.

Regards
ComponentSpace Development
GO


Similar Topics


Execution: 0.000. 1 query. Compression Enabled.
Login
Existing Account
Email Address:


Password:


Select a Forum....












Forums, Documentation & Knowledge Base - ComponentSpace


Search