Sustainsys / Saml2

Saml2 Authentication services for ASP.NET

SSO Url not mapping in .Net 5 #1334

Closed IhaleCMN closed 2 years ago

IhaleCMN commented 2 years ago

I have only seen that there is support for .Net 3.x for this project. Using .Net 5 I am able to get the authentication to work but the SSO redirect url is not being mapped in the project. This results in a 404 error since the controller and action don't actually exist in the project.

Is support for .Net 5 upcoming, or do you know of any workarounds that we could use in the meantime?

```csharp
var oktaConfig = builder.Configuration.GetSection("Okta");

builder.Services.Configure<OktaOptions>(oktaConfig);

builder.Services
    .AddAuthentication(options =>
    {
        options.DefaultScheme = CookieAuthenticationDefaults.AuthenticationScheme;

        options.DefaultChallengeScheme = Saml2Defaults.Scheme;
        options.DefaultSignOutScheme = Saml2Defaults.Scheme;
    })
    .AddCookie(CookieAuthenticationDefaults.AuthenticationScheme)
    .AddSaml2(options =>
    {
        var baseUrl = appConfig[nameof(ApplicationOptions.AppBaseUrl)];

        // SP entity id and the URL to return to after a successful login
        options.SPOptions.EntityId = new EntityId(baseUrl + "AuthServices/Acs");
        options.SPOptions.ReturnUrl = new Uri(baseUrl + "/dashboard");

        options.SPOptions.AttributeConsumingServices.Add(
            // Name = "AuthServices"
            new AttributeConsumingService()
            {
                IsDefault = true
            }
        );

        options.Notifications.AcsCommandResultCreated = (result, response) =>
        {
            // If they have not impersonated a valid user yet, redirect them to the identity change page
            if (String.IsNullOrEmpty(result.Principal.GetEmployeeNumber()))
            {
                result.Location = new Uri("/identity?returnUrl=" + System.Net.WebUtility.UrlEncode(result.Location.PathAndQuery), UriKind.Relative);
            }
        };

        // Okta as the identity provider: issuer, binding and single sign-on URL from configuration
        var idp = new IdentityProvider(new EntityId(oktaConfig[nameof(OktaOptions.EntityId)]), options.SPOptions)
        {
            AllowUnsolicitedAuthnResponse = true,
            Binding = Saml2BindingType.HttpRedirect,
            SingleSignOnServiceUrl = new Uri(oktaConfig[nameof(OktaOptions.ServiceUrl)])
        };

        // Certificate used to verify Okta's response signatures (both branches currently point at the same file)
        idp.SigningKeys.AddConfiguredKey(new X509Certificate2(
            Path.Combine(builder.Environment.ContentRootPath, Convert.ToBoolean(oktaConfig[nameof(OktaOptions.UsePreview)]) ? "Security/okta.cert" : "Security/okta.cert")
        ));

        options.IdentityProviders.Add(idp);
    });
```

IhaleCMN commented 2 years ago

Update: after changing the EntityId to `baseUrl + "/Saml2"` I no longer get the 404 error. However, Okta never redirects; it just hangs on the login animation. Examining the XML from the SAML panel Chrome extension, it is getting a success but it never seems to redirect to anything. Instead it downloads an XML file.

AndersAbel commented 2 years ago

The library is confirmed to work with .NET 5. This looks like a configuration issue.

There is also not any controller representing the /Saml2 endpoint - those are handled by the authentication handler.

IhaleCMN commented 2 years ago

@AndersAbel I don't see in the docs or examples how to set up the authentication handler. In the old version we would pass it in and assign it like this: `spOptions.SystemIdentityModelIdentityConfiguration.ClaimsAuthenticationManager = authManager;` but I no longer see that as an option.

Update: This is done in the DI; you don't have to manually wire this up.

IhaleCMN commented 2 years ago

If anyone else stumbles down this path, here was the issue that plagued us: the old library allowed a custom path for authentication handler stuff (I think). In the code snippet above you will see this expectation we had as: `options.SPOptions.EntityId = new EntityId(baseUrl + "AuthServices/Acs");` But in reality that is mapping to Restricted Audience in Okta and can be set to anything as long as it matches in Okta. It doesn't have to be a URL; it can be Bannanaramma if you want. It just has to match.

What you do need to do is change the SSO URL in Okta to `{Youraddress}/Saml2/Acs` (ex. `https://localhost:44383/Saml2/Acs`) and then it will work correctly. This is in .Net Core 5; not sure if other environments experience this.

The Identity Provider Entity Id, I should note, does have to be the "Identity Provider Issuer:" value from Okta and can be found on the page that gives you the cert and SSO URL in Okta.

AndersAbel commented 2 years ago

@IhaleCMN The ClaimsAuthenticationManager belonged to System.IdentityModel, which is only available in the 1.x versions that depend on that library. For 2.x, please use the AcsCommandResultCreated notification instead.
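The two points settled in this thread, the SP EntityId being only an audience identifier with the ACS served by the handler at `{base}/Saml2/Acs`, and `AcsCommandResultCreated` replacing `ClaimsAuthenticationManager` in 2.x, put together in one configuration. This is an added example, not code from the issue or from the Sustainsys project; it assumes the .NET 6 minimal hosting model used in the snippet above and the `Sustainsys.Saml2.AspNetCore2` 2.x package. The Okta issuer, SSO URL and application base URL are constructed placeholders, the `employeeNumber` claim type and the `/identity` page are hypothetical, and the `app:employee_verified` claim is invented for illustration.

```csharp
using System;
using System.IO;
using System.Linq;
using System.Net;
using System.Security.Claims;
using System.Security.Cryptography.X509Certificates;
using Microsoft.AspNetCore.Authentication.Cookies;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Http;
using Microsoft.Extensions.DependencyInjection;
using Sustainsys.Saml2;
using Sustainsys.Saml2.AspNetCore2;
using Sustainsys.Saml2.Metadata;
using Sustainsys.Saml2.WebSso;

var builder = WebApplication.CreateBuilder(args);

// Constructed placeholder values; a real app reads them from configuration.
var appBaseUrl = "https://localhost:44383";
var oktaIssuer = "http://www.okta.com/PLACEHOLDER-ISSUER";                 // Okta "Identity Provider Issuer"
var oktaSsoUrl = "https://PLACEHOLDER.okta.com/app/PLACEHOLDER/sso/saml";  // Okta "Identity Provider Single Sign-On URL"
var oktaCertPath = Path.Combine(builder.Environment.ContentRootPath, "Security", "okta.cert");

// Hypothetical claim type for the employee number Okta sends as a SAML attribute.
const string EmployeeNumberClaim = "employeeNumber";

builder.Services.AddAuthorization();
builder.Services
    .AddAuthentication(options =>
    {
        options.DefaultScheme = CookieAuthenticationDefaults.AuthenticationScheme;
        options.DefaultChallengeScheme = Saml2Defaults.Scheme;
        options.DefaultSignOutScheme = Saml2Defaults.Scheme;
    })
    .AddCookie(CookieAuthenticationDefaults.AuthenticationScheme)
    .AddSaml2(options =>
    {
        // The SP EntityId is the Audience Restriction Okta validates. It must equal
        // "Audience URI (SP Entity ID)" in the Okta app; it is an identifier, not a route.
        options.SPOptions.EntityId = new EntityId(appBaseUrl + "/Saml2");

        // The authentication handler owns every route under ModulePath (default "/Saml2").
        // Okta's "Single sign-on URL" must therefore be appBaseUrl + "/Saml2/Acs";
        // no controller or action exists or is needed for it.
        options.SPOptions.ModulePath = "/Saml2";
        options.SPOptions.ReturnUrl = new Uri(appBaseUrl + "/dashboard");

        // The IdP EntityId must be Okta's "Identity Provider Issuer" value, verbatim.
        var idp = new IdentityProvider(new EntityId(oktaIssuer), options.SPOptions)
        {
            AllowUnsolicitedAuthnResponse = true,      // accept IdP-initiated (Okta tile) logins
            Binding = Saml2BindingType.HttpRedirect,   // how the AuthnRequest is sent to Okta
            SingleSignOnServiceUrl = new Uri(oktaSsoUrl),
        };
        // Certificate Okta signs responses with; responses not signed by it are rejected.
        idp.SigningKeys.AddConfiguredKey(new X509Certificate2(oktaCertPath));
        options.IdentityProviders.Add(idp);

        // 2.x replacement for ClaimsAuthenticationManager: runs after the response has been
        // validated and before the cookie is issued, so the principal can be reshaped here.
        options.Notifications.AcsCommandResultCreated = (result, response) =>
        {
            var incoming = result.Principal?.Identities.FirstOrDefault();
            if (incoming == null)
            {
                return;
            }

            var employeeNumber = incoming.FindFirst(EmployeeNumberClaim)?.Value;

            // Keep the IdP claims and add an application-level claim derived from them.
            var identity = new ClaimsIdentity(incoming.Claims, incoming.AuthenticationType);
            identity.AddClaim(new Claim("app:employee_verified",
                string.IsNullOrEmpty(employeeNumber) ? "false" : "true"));
            result.Principal = new ClaimsPrincipal(identity);

            // No employee number yet: send the user to the (hypothetical) /identity page
            // instead of the requested location, keeping that location as returnUrl.
            if (string.IsNullOrEmpty(employeeNumber))
            {
                var returnUrl = result.Location?.IsAbsoluteUri == true
                    ? result.Location.PathAndQuery
                    : result.Location?.OriginalString ?? "/";
                result.Location = new Uri(
                    "/identity?returnUrl=" + WebUtility.UrlEncode(returnUrl), UriKind.Relative);
            }
        };
    });

var app = builder.Build();
app.UseAuthentication();
app.UseAuthorization();

app.MapGet("/dashboard", (HttpContext ctx) =>
        "Signed in as " + (ctx.User.Identity?.Name ?? "(no name claim)"))
    .RequireAuthorization();

app.Run();
```

With this in place the only values that have to agree between the two sides are the SP EntityId (Okta's Audience URI), the ACS URL (`{appBaseUrl}/Saml2/Acs` in Okta's Single sign-on URL), the IdP EntityId (Okta's issuer) and the signing certificate; any mismatch in the first two shows up as the 404 or the silent download described earlier in the thread.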