AndersAbel
commented
4 months ago I don't understand what you are trying to do here. Can you please elaborate?
Closed hans9025 closed 2 months ago
AndersAbel
commented
4 months ago I don't understand what you are trying to do here. Can you please elaborate?
hans9025
commented
4 months ago As we are moving from .net framework to .net core, we implemented SSO but the issue is now we are not able to make user logout when session is timeout, I feel something in handler i need to try, not sure though,
services.AddAuthentication(opt => { opt.DefaultScheme = CookieAuthenticationDefaults.AuthenticationScheme; opt.DefaultSignInScheme = CookieAuthenticationDefaults.AuthenticationScheme; opt.DefaultChallengeScheme = Saml2Defaults.Scheme; opt.DefaultAuthenticateScheme = CookieAuthenticationDefaults.AuthenticationScheme; }) .AddCookie(CookieAuthenticationDefaults.AuthenticationScheme) .AddSaml2(opt => {
opt.SPOptions.EntityId = new EntityId(samlSettings.EntityId);
opt.SPOptions.ServiceCertificates.Add(new X509Certificate2(samlSettings.SigningCertificateFile,
samlSettings.SigningCertificatePassword, X509KeyStorageFlags.MachineKeySet));
var swedish = CultureInfo.GetCultureInfo("en-US").ToString();
var organization = new Organization();
organization.Names.Add(new LocalizedName(samlSettings.OrganizationName, swedish));
organization.DisplayNames.Add(new LocalizedName(samlSettings.OrganizationName, swedish));
organization.Urls.Add(new LocalizedUri(new Uri("https://www.mazdausa.com"), swedish));
opt.SPOptions.AuthenticateRequestSigningBehavior = SigningBehavior.Always;
opt.SPOptions.WantAssertionsSigned = true;
//opt.SPOptions.Logger= AspNetCoreLoggerAdapter(logger)
// opt.SignInScheme = Saml2Defaults.Scheme;
var spOptions = new SPOptions
{
EntityId = new EntityId(samlSettings.EntityId),
ReturnUrl = new Uri(samlSettings.ReturnUrl),
Organization = organization,
AuthenticateRequestSigningBehavior = SigningBehavior.Always,
MinIncomingSigningAlgorithm = samlSettings.MinIncomingSigningAlgorithm
};
var attributeConsumingService = new AttributeConsumingService
{
IsDefault = true
};
attributeConsumingService.RequestedAttributes.Add(
new RequestedAttribute("urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress")
{
FriendlyName = "UserName",
IsRequired = true,
NameFormat = RequestedAttribute.AttributeNameFormatUri
});
attributeConsumingService.RequestedAttributes.Add(
new RequestedAttribute("Minimal"));
spOptions.AttributeConsumingServices.Add(attributeConsumingService);
spOptions.ServiceCertificates.Add(new X509Certificate2(samlSettings.SigningCertificateFile,
samlSettings.SigningCertificatePassword, X509KeyStorageFlags.MachineKeySet));
var idp = new IdentityProvider(new EntityId(samlSettings.IdPEntityId), spOptions)
{
WantAuthnRequestsSigned = true,
AllowUnsolicitedAuthnResponse = true,
Binding = Saml2BindingType.HttpRedirect,
SingleSignOnServiceUrl = new Uri(samlSettings.SingleSignOnDestination),
SingleLogoutServiceUrl = new Uri(samlSettings.ReturnUrl),
};
idp.SigningKeys.AddConfiguredKey(
new X509Certificate2(samlSettings.SignatureValidationCertificateFile ??
throw new InvalidOperationException(
$"Missing Idp Signing Key: ")));
var option = new Options(spOptions);
opt.IdentityProviders.Add(idp);
var federation = new Federation(samlSettings.IdPMetadata, true, option);
opt.Notifications.AcsCommandResultCreated = (commandResult, response) =>
{
// Grab the signature algorithm from the XML
//todo need to uncomment once deploying on epitest, stage and prod
//var signatureMethod = response.XmlElement
// ["Signature", SignedXml.XmlDsigNamespaceUrl]!
// ["SignedInfo", SignedXml.XmlDsigNamespaceUrl]!
// ["SignatureMethod", SignedXml.XmlDsigNamespaceUrl]!
// .GetAttribute("Algorithm");
var signatureMethod = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256";
// Get ClaimsIdentity
var identity = commandResult.Principal.Identities.Single();
identity.AddClaim(new Claim("SignatureAlgorithm", signatureMethod));
// Change claim type by removing and adding. This is useful e.g. if we want
// modern/OIDC-style "sub" claim and not http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier
var nameIdClaim = identity.FindFirst(ClaimTypes.NameIdentifier)
?? throw new InvalidOperationException(
"There should always be a NameId in a Saml2 response...");
// identity.RemoveClaim(nameIdClaim);
identity.AddClaim(new Claim(ClaimTypes.NameIdentifier, nameIdClaim.Value));
identity.AddClaim(new Claim(ClaimTypes.Name, nameIdClaim.Value));
identity.AddClaim(new Claim("sub", nameIdClaim.Value));
identity = GetEpiWSLUserClaims(identity, samlSettings.IdPEntityId);
var httpCtx = ServiceLocator.Current.GetInstance<IHttpContextAccessor>();
// identity.AddClaim(new Claim("idp", nameIdClaim.Issuer));
var synchronizingUserService = httpCtx.HttpContext.RequestServices
.GetRequiredService<ISynchronizingUserService>();
var claimIdentity = claimsHelper.Service.SyncClaims(
httpCtx.HttpContext, identity, samlSettings.IdPEntityId,
samlSettings.CookieDomain, samlSettings.SingleLogoutDestination).Result;
var claimPriciple = new ClaimsPrincipal(claimIdentity);
synchronizingUserService.SynchronizeAsync(claimIdentity);
};
});It looks like you would need hands on support with your specific deployment. I do offer that as commercial consulting services, ie you are interested, please reach out to support@sustainsys.com.
hans9025
commented
3 months ago do you see any bug in code?
eg from .net framework 4.8,
