Forums, Documentation & Knowledge Base - ComponentSpace

After a successful IdP InitiateSSO, on the IdP end it does not redirect


https://componentspace.com/forums/Topic11894.aspx

By Johnny.ck6 - 10/30/2021


I have created an API Controller which gets called successfully:

    // Requires: using ComponentSpace.SAML2;
    // userName and attributes are populated earlier in the action (not shown in the post).
    var partnerName = "TestServiceProvider";
    var relayState = "https://xxx/samltest.aspx";
    SAMLIdentityProvider.InitiateSSO(System.Web.HttpContext.Current.Response, userName, attributes, relayState, partnerName);

The log shows:
'Initiation of SSO to the partner service provider TestServiceProvider has completed successfully.'
However, it does not redirect to the URL I set in the RelayState.

On the SP end I tried using an API controller and an .aspx page to 'Receive-SSO'.

    // Requires: using System; using System.Collections.Generic; using System.Net; using System.Net.Http;
    //           using System.Web.Http; using ComponentSpace.SAML2;
    public HttpResponseMessage AssertionConsumerService()
    {
        // Receive and process the SAML assertion contained in the SAML response.
        // The SAML response is received either as part of IdP-initiated or SP-initiated SSO.
        bool isInResponseTo;
        string partnerName;
        string authnContext;
        string userName;
        IDictionary<string, string> attributes;
        string relayState;

        SAMLServiceProvider.ReceiveSSO(System.Web.HttpContext.Current.Request,
            out isInResponseTo,
            out partnerName,
            out authnContext,
            out userName,
            out attributes,
            out relayState);

        // Now force a redirect.
        // Note: unlike the .aspx version, relayState is used here without a local-URL check,
        // so a null RelayState throws in the Uri constructor and any absolute URL is followed as-is.
        var response = Request.CreateResponse(HttpStatusCode.Moved);
        response.Headers.Location = new Uri(relayState);
        return response;
    }

Now the .aspx version:

    // Requires: using System; using System.Collections.Generic; using System.Web; using ComponentSpace.SAML2;
    // Session key for the asserted attributes (declaration not shown in the post).
    private const string AttributesSessionKey = "attributes";

    protected void Page_Load(object sender, EventArgs e)
    {
        try
        {
            bool isInResponseTo = false;
            string partnerIdP = null;
            string authnContext = null;
            string userName = null;
            IDictionary<string, string> attributes = null;
            string targetUrl = null;

            // Receive and process the SAML assertion contained in the SAML response.
            // The SAML response is received either as part of IdP-initiated or SP-initiated SSO.
            SAMLServiceProvider.ReceiveSSO(Request, out isInResponseTo, out partnerIdP, out authnContext, out userName, out attributes, out targetUrl);

            if (string.IsNullOrEmpty(userName))
            {
                throw new ArgumentException("A SAML Name ID is expected to be returned by the identity provider.");
            }

            // If a target URL is supplied, ensure it's local to avoid potential open redirection attacks.
            // A RelayState that points at a different host than this SP fails this check and is discarded.
            if (targetUrl != null && !IsLocalUrl(targetUrl))
            {
                targetUrl = null;
            }

            // If no target URL is provided, provide a default.
            if (targetUrl == null)
            {
                targetUrl = "~/";
            }

            // Login automatically using the asserted identity.
            // This example uses forms authentication. Your application can use any authentication method you choose.
            // There are no restrictions on the method of authentication.
            //FormsAuthentication.SetAuthCookie(userName, false);

            // Save the attributes.
            Session[AttributesSessionKey] = attributes;

            // Redirect to the target URL.
            Response.Redirect(targetUrl, false);
        }
        catch (Exception)
        {
            // In a production application, we recommend logging the exception and redirecting the user to a generic error page.
            // Rethrow with "throw;" so the original stack trace is preserved ("throw exception;" resets it).
            throw;
        }
    }

    // Local-URL check used above; its body was not included in the post. This is a typical implementation:
    // an absolute URL is local only if its host matches the current request's host,
    // otherwise the value must be a well-formed relative URL without an http(s) scheme.
    private bool IsLocalUrl(string url)
    {
        if (string.IsNullOrEmpty(url))
        {
            return false;
        }

        Uri absoluteUri;
        if (Uri.TryCreate(url, UriKind.Absolute, out absoluteUri))
        {
            return string.Equals(Request.Url.Host, absoluteUri.Host, StringComparison.OrdinalIgnoreCase);
        }

        return !url.StartsWith("http:", StringComparison.OrdinalIgnoreCase)
            && !url.StartsWith("https:", StringComparison.OrdinalIgnoreCase)
            && Uri.IsWellFormedUriString(url, UriKind.Relative);
    }

I have updated the saml.config on the IdP end (AssertionConsumerServiceUrl), tried both SP endpoints, and forced a RelayState in the config.
I have made sure the saml.config is correct on the SP end.
But the redirect does not happen.

Do you have any troubleshooting or debug tips on the ServiceProvider end to confirm that it has hit the AssertionConsumerServiceUrl?
I will email you the IdP log file to [email protected].
Thanks
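The post asks how to confirm on the SP side that the IdP's POST actually reached the AssertionConsumerServiceUrl, and the .aspx sample quoted above only redirects to a RelayState that passes a local-URL check. The script below is an added example, not ComponentSpace code and not from the original post: it decodes a captured HTTP-POST binding body offline, checks the response's Destination and Recipient against the configured ACS URL, and applies a local-URL check of the kind the sample uses to the RelayState. The SAML response, the ACS URL https://sp.example.com/SAML/AssertionConsumerService.aspx and the SP host are constructed for illustration; the local-URL check is this example's own implementation (slightly stricter than the sample's, since it also rejects scheme-relative and backslash forms), not the library's. Signature verification is left to the SAML library.

```python
import base64
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs, quote, urlsplit

SAMLP = "{urn:oasis:names:tc:SAML:2.0:protocol}"
SAML = "{urn:oasis:names:tc:SAML:2.0:assertion}"

# Assumed SP deployment values (not from the thread).
ACS_URL = "https://sp.example.com/SAML/AssertionConsumerService.aspx"
SP_HOST = "sp.example.com"

# Constructed, unsigned, minimal IdP-initiated response for illustration only.
SAMPLE_RESPONSE_XML = f"""<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_r1" Version="2.0" IssueInstant="2021-10-30T00:00:00Z" Destination="{ACS_URL}">
  <saml:Issuer>https://idp.example.com</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2021-10-30T00:00:00Z">
    <saml:Issuer>https://idp.example.com</saml:Issuer>
    <saml:Subject>
      <saml:NameID>alice</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData Recipient="{ACS_URL}"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
  </saml:Assertion>
</samlp:Response>"""

# Constructed HTTP-POST binding body, as the browser would submit it to the ACS,
# carrying the RelayState value from the thread.
CAPTURED_POST_BODY = (
    "SAMLResponse=" + quote(base64.b64encode(SAMPLE_RESPONSE_XML.encode()).decode(), safe="")
    + "&RelayState=" + quote("https://xxx/samltest.aspx", safe="")
)


def is_local_url(url, sp_host):
    """Accept only URLs that stay on the SP: a root-relative path, an ASP.NET
    app-relative "~/..." path, or an absolute http(s) URL whose host equals sp_host.
    Scheme-relative ("//host/...") and backslash forms are rejected because browsers
    normalise them to another host."""
    if not url or "\\" in url:
        return False
    parts = urlsplit(url)
    if parts.scheme:
        return parts.scheme in ("http", "https") and (parts.hostname or "") == sp_host.lower()
    if parts.netloc:
        return False
    return parts.path.startswith("/") or parts.path.startswith("~/")


def resolve_target(relay_state, sp_host, default="~/"):
    """Where an ACS page with a local-URL check would redirect after ReceiveSSO."""
    return relay_state if relay_state and is_local_url(relay_state, sp_host) else default


def inspect_acs_post(body, acs_url, sp_host):
    """Decode a captured ACS POST body and report whether the IdP addressed this ACS
    and why the RelayState would (or would not) be honoured."""
    form = parse_qs(body, keep_blank_values=True)
    if "SAMLResponse" not in form:
        raise ValueError("no SAMLResponse form field: this POST is not an HTTP-POST binding to the ACS")
    root = ET.fromstring(base64.b64decode(form["SAMLResponse"][0]))
    if root.tag != SAMLP + "Response":
        raise ValueError("SAMLResponse does not decode to a samlp:Response")
    scd = root.find(f".//{SAML}SubjectConfirmationData")
    status = root.find(f"{SAMLP}Status/{SAMLP}StatusCode")
    relay_state = form.get("RelayState", [None])[0]
    return {
        "idp_initiated": root.get("InResponseTo") is None,
        "destination": root.get("Destination"),
        "destination_ok": root.get("Destination") == acs_url,
        "recipient_ok": scd is not None and scd.get("Recipient") == acs_url,
        "status_success": status is not None and status.get("Value", "").endswith(":Success"),
        "relay_state": relay_state,
        "relay_state_local": bool(relay_state) and is_local_url(relay_state, sp_host),
        "target": resolve_target(relay_state, sp_host),
    }


if __name__ == "__main__":
    for key, value in inspect_acs_post(CAPTURED_POST_BODY, ACS_URL, SP_HOST).items():
        print(f"{key}: {value}")
```

Run it against the request body captured at the ACS with browser developer tools or an intercepting proxy. If Destination does not equal the configured AssertionConsumerServiceUrl, the IdP's saml.config is pointing somewhere else; if the RelayState fails the local check (as an absolute URL on another host does), the user lands on the default page even though ReceiveSSO itself succeeded.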



By ComponentSpace - 11/2/2021

We don't have an example using ASP.NET. However, you could take a similar approach as that used with the ASP.NET Core example. The flow between the Angular app and the backend app would be the same. The difference is that the backend app would be implemented in ASP.NET rather than ASP.NET Core.