saml 2.0 - Trying to understand SAML2 authentication using SustainSys.Saml2 library (ASP.NET WebForms) - Stack Overflow

I'm trying to integrate the SustainSys library as part of a single-sign-on integration I'm doing for an older .NET Framework (4.8) WebForms app. I'm using the HttpModule instructions located here: https://saml2.sustainsys/en/v2/configuration.html

I've been able to use the instructions here...

https://prabhasinamdar.medium/secure-saml-authentication-using-sustainsys-net-library-da9557fbc7cd

...to get to the point where I can use Azure to act as the identity provider and it even calls my website's ACS page with some kind of SAML packet. The problem is I don't know how to do the next step. I need to know if the SAML packet is valid and, if so, look up the user and log them into the website. I'm assuming SustainSys is doing the validation, but I don't see how I'm supposed to know what it's doing.

I guess my first question really is... is the SustainSys library expecting that I'm using the .NET Identity system? Because I'm not. But I noticed that some of the modules you have to add as part of the web.config instructions seem to be identity modules.

Assuming I don't need to use .NET Identity, how do I proceed from here? I see several Saml2 cookies in the response from Azure, but how do I extract the assertions from the packet, etc.?

Edit: some additional info:

I was able to enable logging, and during the auth request to Azure I see the following log messages:

Expanded Saml2Url
  AssertionConsumerServiceUrl: https://localhost:44333/Saml2/Acs
  SignInUrl: https://localhost:44333/Saml2/SignIn
  LogoutUrl: https://localhost:44333/Saml2/Logout
  ApplicationUrl: https://localhost:44333/
Initiating login to https://sts.windows/<MY APP GUID>
Sending message over Http Redirect Binding <saml2p:AuthnRequest xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol" ...

And I get a Saml packet back from Azure on my ACS page, which I can base64 decode and it all looks fine and includes the attributes I'm expecting. I also see a cookie called "Saml2." but I have no idea what's in it. Does that come from Azure or is that something SustainSys is creating?

In any case, I'm still confused about the next step. The user is still unauthenticated and I don't know how to extract the attributes from the Saml response so I can log them in. The other thing that seems strange is that there was no logging from SustainSys when the Acs page loaded. I only see logging during the AuthNRequest part. Does that mean I missed a step somewhere?

Asked Mar 17 at 23:50 by Phil, edited Mar 18 at 18:14

1 Answer

Well, I realized yesterday the stupid thing I did that was causing a lot of my confusion. I thought I was supposed to create a page at /saml/acs to handle the response from the IdP. Once I renamed that page to something else, the HttpModule handled everything for me and parsed/validated the response. It also authenticates the user using "Federated" cookie authentication, which I am not familiar with.

Edit: removing the question I had about using Forms auth. I realized I don't need to do that. Federation authentication works just fine.
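
An added example, not part of the original post and not the library's own code: once the HttpModule has validated the response and set the federated session, a page can read the assertion's contents from the request's ClaimsPrincipal instead of decoding the SAML packet itself. The page class, the in-memory user table and the claim types expected from the IdP are assumptions made for illustration.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Claims;
using System.Web;
using System.Web.UI;

// Added example: hypothetical code-behind for a protected WebForms page.
public partial class Dashboard : Page
{
    // Constructed sample data standing in for the application's user table,
    // keyed by the SAML NameID the IdP sends for each user.
    private static readonly Dictionary<string, string> LocalUsers =
        new Dictionary<string, string>(StringComparer.Ordinal)
        {
            { "constructed-nameid-0001", "user1" }
        };

    protected void Page_Load(object sender, EventArgs e)
    {
        // Populated from the federated session cookie after the module has
        // validated the response; the raw SAMLResponse is never parsed here.
        var principal = Context.User as ClaimsPrincipal;
        if (principal == null || !principal.Identity.IsAuthenticated)
        {
            // SignIn path taken from the SignInUrl in the log output above.
            Response.Redirect("~/Saml2/SignIn", false);
            Context.ApplicationInstance.CompleteRequest();
            return;
        }

        // Assumption: the NameID is surfaced as ClaimTypes.NameIdentifier.
        Claim nameId = principal.FindFirst(ClaimTypes.NameIdentifier);
        string localUser;
        if (nameId == null || !LocalUsers.TryGetValue(nameId.Value, out localUser))
        {
            // Authenticated at the IdP but unknown locally: fail closed.
            Response.StatusCode = 403;
            Context.ApplicationInstance.CompleteRequest();
            return;
        }

        // Assumption: the IdP emits an e-mail attribute under this claim type.
        Claim email = principal.FindFirst(ClaimTypes.Email);
        Context.Items["LocalUser"] = localUser;
        Context.Items["Email"] = email != null ? email.Value : null;
    }
}
```

Base64-decoding the posted response only shows its contents and does not check the signature, so authorization decisions belong on the claims of the validated principal.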
