We are evaluating ComponentSpace IdP and use its low-level API, since we have our own authentication middleware. Whenever a user reaches the IdP (via redirect), the rest of our system has already authenticated them. I want to add a small security enforcement: deny access to any user who reaches the IdP via a non-standard path, i.e. without having been authenticated by our middleware. How can I achieve that in the `else` branch of the SingleSignOnService method, or in SingleSignOnServiceCompletion?
namespace ExampleIdentityProvider.Controllers { public class SamlController : Controller { private readonly ISamlIdentityProvider _samlIdentityProvider; private readonly SignInManager<ApplicationUser> _signInManager;
/// <summary>
/// Wires the injected SAML identity-provider service and sign-in manager into
/// the readonly fields used by the SSO actions of this controller.
/// </summary>
/// <param name="samlIdentityProvider">ComponentSpace IdP service that receives and completes SSO.</param>
/// <param name="signInManager">ASP.NET Identity sign-in manager for <see cref="ApplicationUser"/>.</param>
public SamlController(ISamlIdentityProvider samlIdentityProvider, SignInManager<ApplicationUser> signInManager)
{
    // Plain field capture; the two assignments are independent of each other.
    _signInManager = signInManager;
    _samlIdentityProvider = samlIdentityProvider;
}
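/// <summary>
/// SP-initiated SSO endpoint. Only users that the surrounding authentication
/// middleware has already signed in are expected to arrive here; anyone else
/// took a non-standard path and is refused outright.
/// </summary>
/// <returns>
/// An empty result once SSO has been completed, or a forbidden result when the
/// caller carries no authenticated identity.
/// </returns>
public async Task<ActionResult> SingleSignOnService()
{
    // Hard gate instead of the former redirect to the [Authorize]-protected
    // completion action: an [Authorize] failure issues a challenge (typically a
    // redirect to a login page), which is not a denial. Checking before the
    // authn request is received means an unauthenticated caller's SAML request
    // is never processed at all. User.Identity is nullable, so a missing
    // identity is treated as unauthenticated.
    if (User.Identity?.IsAuthenticated != true)
    {
        // Forbid() hands the refusal to the configured authentication scheme
        // (cookie auth typically serves its AccessDenied path). Use
        // StatusCode(403) instead if a bare status code is preferred.
        return Forbid();
    }

    // Receive the authn request from the service provider (SP-initiated SSO).
    await _samlIdentityProvider.ReceiveSsoAsync();

    // The user is signed in at the identity provider, so complete SSO immediately.
    await CompleteSsoAsync();

    return new EmptyResult();
}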
/// <summary>
/// Completes a pending SSO after the user has been authenticated.
/// </summary>
/// <remarks>
/// Access is gated by <c>[Authorize]</c>, which on failure issues a challenge
/// (typically a redirect to the login page) rather than a denial. If the
/// requirement is to refuse unauthenticated callers outright, that check belongs
/// in <c>SingleSignOnService</c> before it redirects here.
/// </remarks>
/// <returns>An empty result once SSO has been completed.</returns>
[Authorize]
public async Task<ActionResult> SingleSignOnServiceCompletion()
{
    ActionResult response = new EmptyResult();

    // Finish the SSO that SingleSignOnService handed off to this action.
    await CompleteSsoAsync();

    return response;
}