Comments (4)
AndersAbel
commented on August 19, 2024
I don't understand what you are trying to do here. Can you please elaborate?
from saml2.
hans9025
commented on August 19, 2024
As we are moving from .net framework to .net core, we implemented SSO but the issue is now we are not able to make user logout when session is timeout, I feel something in handler i need to try, not sure though,
services.AddAuthentication(opt =>
{
opt.DefaultScheme = CookieAuthenticationDefaults.AuthenticationScheme;
opt.DefaultSignInScheme = CookieAuthenticationDefaults.AuthenticationScheme;
opt.DefaultChallengeScheme = Saml2Defaults.Scheme;
opt.DefaultAuthenticateScheme = CookieAuthenticationDefaults.AuthenticationScheme;
})
.AddCookie(CookieAuthenticationDefaults.AuthenticationScheme)
.AddSaml2(opt =>
{
opt.SPOptions.EntityId = new EntityId(samlSettings.EntityId);
opt.SPOptions.ServiceCertificates.Add(new X509Certificate2(samlSettings.SigningCertificateFile,
samlSettings.SigningCertificatePassword, X509KeyStorageFlags.MachineKeySet));
var swedish = CultureInfo.GetCultureInfo("en-US").ToString();
var organization = new Organization();
organization.Names.Add(new LocalizedName(samlSettings.OrganizationName, swedish));
organization.DisplayNames.Add(new LocalizedName(samlSettings.OrganizationName, swedish));
organization.Urls.Add(new LocalizedUri(new Uri("https://www.mazdausa.com"), swedish));
opt.SPOptions.AuthenticateRequestSigningBehavior = SigningBehavior.Always;
opt.SPOptions.WantAssertionsSigned = true;
//opt.SPOptions.Logger= AspNetCoreLoggerAdapter(logger)
// opt.SignInScheme = Saml2Defaults.Scheme;
var spOptions = new SPOptions
{
EntityId = new EntityId(samlSettings.EntityId),
ReturnUrl = new Uri(samlSettings.ReturnUrl),
Organization = organization,
AuthenticateRequestSigningBehavior = SigningBehavior.Always,
MinIncomingSigningAlgorithm = samlSettings.MinIncomingSigningAlgorithm
};
var attributeConsumingService = new AttributeConsumingService
{
IsDefault = true
};
attributeConsumingService.RequestedAttributes.Add(
new RequestedAttribute("urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress")
{
FriendlyName = "UserName",
IsRequired = true,
NameFormat = RequestedAttribute.AttributeNameFormatUri
});
attributeConsumingService.RequestedAttributes.Add(
new RequestedAttribute("Minimal"));
spOptions.AttributeConsumingServices.Add(attributeConsumingService);
spOptions.ServiceCertificates.Add(new X509Certificate2(samlSettings.SigningCertificateFile,
samlSettings.SigningCertificatePassword, X509KeyStorageFlags.MachineKeySet));
var idp = new IdentityProvider(new EntityId(samlSettings.IdPEntityId), spOptions)
{
WantAuthnRequestsSigned = true,
AllowUnsolicitedAuthnResponse = true,
Binding = Saml2BindingType.HttpRedirect,
SingleSignOnServiceUrl = new Uri(samlSettings.SingleSignOnDestination),
SingleLogoutServiceUrl = new Uri(samlSettings.ReturnUrl),
};
idp.SigningKeys.AddConfiguredKey(
new X509Certificate2(samlSettings.SignatureValidationCertificateFile ??
throw new InvalidOperationException(
$"Missing Idp Signing Key: ")));
var option = new Options(spOptions);
opt.IdentityProviders.Add(idp);
var federation = new Federation(samlSettings.IdPMetadata, true, option);
opt.Notifications.AcsCommandResultCreated = (commandResult, response) =>
{
// Grab the signature algorithm from the XML
//todo need to uncomment once deploying on epitest, stage and prod
//var signatureMethod = response.XmlElement
// ["Signature", SignedXml.XmlDsigNamespaceUrl]!
// ["SignedInfo", SignedXml.XmlDsigNamespaceUrl]!
// ["SignatureMethod", SignedXml.XmlDsigNamespaceUrl]!
// .GetAttribute("Algorithm");
var signatureMethod = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256";
// Get ClaimsIdentity
var identity = commandResult.Principal.Identities.Single();
identity.AddClaim(new Claim("SignatureAlgorithm", signatureMethod));
// Change claim type by removing and adding. This is useful e.g. if we want
// modern/OIDC-style "sub" claim and not http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier
var nameIdClaim = identity.FindFirst(ClaimTypes.NameIdentifier)
?? throw new InvalidOperationException(
"There should always be a NameId in a Saml2 response...");
// identity.RemoveClaim(nameIdClaim);
identity.AddClaim(new Claim(ClaimTypes.NameIdentifier, nameIdClaim.Value));
identity.AddClaim(new Claim(ClaimTypes.Name, nameIdClaim.Value));
identity.AddClaim(new Claim("sub", nameIdClaim.Value));
identity = GetEpiWSLUserClaims(identity, samlSettings.IdPEntityId);
var httpCtx = ServiceLocator.Current.GetInstance<IHttpContextAccessor>();
// identity.AddClaim(new Claim("idp", nameIdClaim.Issuer));
var synchronizingUserService = httpCtx.HttpContext.RequestServices
.GetRequiredService<ISynchronizingUserService>();
var claimIdentity = claimsHelper.Service.SyncClaims(
httpCtx.HttpContext, identity, samlSettings.IdPEntityId,
samlSettings.CookieDomain, samlSettings.SingleLogoutDestination).Result;
var claimPriciple = new ClaimsPrincipal(claimIdentity);
synchronizingUserService.SynchronizeAsync(claimIdentity);
};
});
from saml2.
AndersAbel
commented on August 19, 2024
It looks like you would need hands on support with your specific deployment. I do offer that as commercial consulting services, ie you are interested, please reach out to [email protected].
from saml2.
hans9025
commented on August 19, 2024
do you see any bug in code?
from saml2.
Related Issues (20)
- How to implement session timeout in asp.net core HOT 2
- Sustainsys.saml2: IDX10214: Audience validation failed. Did not match: validationParameters.ValidAudience HOT 5
- SAML authentication with different Active Directory HOT 2
- Support dynamically updating the ServiceCertificates during rollover (ASP.NET Core) HOT 1
- Hangs on return ASC
- Configuration to add User-Agent header for metadata HTTP request HOT 4
- Reference URI pointing to Response elmente and not the Assertion HOT 2
- Saml2 SLO in IFrames with 3rd party cookies disabled HOT 4
- How to create a saml2response HOT 1
- Wrap CommandResultExtensions.Apply with error checking to trap null object exceptions
- Thank you 💖 HOT 1
- Federated logout not possible, redirecting to post-logout HOT 2
- AspNetCore package for Blazor Server Side? HOT 2
- Redirect back to SP after Single Logout HOT 1
- Callback AuthenticateAsync external Succeeded always false HOT 1
- Dynamic Idp provider list sign out Issue HOT 1
- Could not load type 'Sustainsys.Saml2.WebSso.Saml2Module' from assembly 'Sustainsys.Saml2' HOT 3
- Using the library correctly
- Error loading metadata xml file on Firefox HOT 1
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from saml2.