Rasshme

Reputation: 1641

How to correctly configure SAML 2.0 SP in OWIN flow

I am trying to use SAML using Kentor AuthServices in my OWIN web site. But there is something wrong with the configuration, I think, as the SAML return URL is not the same as what I configured. There must be something wrong I am doing.

Here is the configuration

<kentor.authServices entityId="https://admin.mercedes-forms.ggg.com.au" returnUrl="http://admin.mercedes-forms.ggg.com.au/Callback/Saml2">
  <identityProviders>
    <add entityId="https://int.smfed.extranet.daimler.com/"
         signOnUrl="https://cdiwl-appstest.i.daimler.com/affwebservices/public/saml2sso"
         allowUnsolicitedAuthnResponse="true" binding="HttpRedirect">
      <signingCertificate fileName="~/App_Data/int.smfed.extranet.daimler.com.cer" />
    </add>
  </identityProviders>
  <federations>
    <add metadataLocation="http://admin.mercedes-forms.ggg.com.au/Federation" allowUnsolicitedAuthnResponse="true" />
  </federations>
  <serviceCertificates>
    <add fileName="~/App_Data/Kentor.AuthServices.StubIdp.cer" />
  </serviceCertificates>
</kentor.authServices>

Here is the authentication request

<saml2p:AuthnRequest xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" ID="idaa4b00c6cd334f5c927526106a6da12f" Version="2.0" IssueInstant="2017-04-05T00:18:45Z" Destination="https://cdiwl-appstest.i.daimler.com/affwebservices/public/saml2sso" AssertionConsumerServiceURL="https://admin.mercedes-forms.ggg.com.au/AuthServices/Acs">
  <saml2:Issuer>https://admin.mercedes-forms.ggg.com.au</saml2:Issuer>
</saml2p:AuthnRequest>

Thanks in advance.

Upvotes: 1

Views: 1231

Answers (1)

Steve P

Reputation: 19377

ReturnUrl is used after the SAML is processed by AuthServices in your application. So it is correct that your ReturnUrl value is not reflected in the AssertionConsumerServiceURL you see in the authentication request. If you want to customize the location of that, the ModulePath parameter is more what you are looking for: https://github.com/KentorIT/authservices/blob/master/doc/Configuration.md#modulepath-attribute

For example, the typical flow might be something like this:

  1. User requests /somesecurepath in your application
  2. Your authentication system, involving AuthServices, redirects them to the identity provider, saving the value of /somesecurepath for step 4
  3. The identity provider posts the SAML back to the Assertion Consumer Service located at /AuthServices/Acs (unless you have customized this location with ModulePath option)
  4. AuthServices redirects to the original requested location from step 1

The ReturnUrl value only comes into play if there is no original requested location saved, e.g. for an unsolicited/idp-initiated flow.

Upvotes: 3
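To make the distinction in the answer concrete, here is a small model of the two URLs, added as an example and not code from the question, the answer or the AuthServices project. It reads the entityId, returnUrl and (optional) modulePath attributes from a constructed copy of the question's <kentor.authServices> element, derives the AssertionConsumerServiceURL the way the answer describes (application base URL plus ModulePath plus /Acs, with /AuthServices as the default ModulePath), and picks the post-ACS redirect target: the saved original location from step 2 if there is one, otherwise the configured returnUrl. The same-origin check on the saved location is an assumption of this model, added because a saved return location that is not validated is a classic open-redirect point, not something the answer or the library is claimed to do.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlparse, urljoin

# Constructed sample: the <kentor.authServices> element from the question,
# without a modulePath attribute so that the default applies.
SAMPLE_CONFIG = """
<kentor.authServices entityId="https://admin.mercedes-forms.ggg.com.au"
                     returnUrl="http://admin.mercedes-forms.ggg.com.au/Callback/Saml2">
  <identityProviders>
    <add entityId="https://int.smfed.extranet.daimler.com/"
         signOnUrl="https://cdiwl-appstest.i.daimler.com/affwebservices/public/saml2sso"
         allowUnsolicitedAuthnResponse="true" binding="HttpRedirect" />
  </identityProviders>
</kentor.authServices>
"""

# Default ModulePath from the AuthServices configuration documentation.
DEFAULT_MODULE_PATH = "/AuthServices"


def parse_sp_config(xml_text):
    """Pull the three SP-level attributes this example cares about."""
    root = ET.fromstring(xml_text.strip())
    return {
        "entity_id": root.get("entityId"),
        "return_url": root.get("returnUrl"),
        "module_path": root.get("modulePath", DEFAULT_MODULE_PATH),
    }


def acs_url(app_base_url, module_path):
    """ACS URL advertised in the AuthnRequest: app base + ModulePath + /Acs.
    This is what step 3 of the answer refers to; returnUrl plays no part here."""
    return app_base_url.rstrip("/") + "/" + module_path.strip("/") + "/Acs"


def is_same_origin(url, app_base_url):
    a, b = urlparse(url), urlparse(app_base_url)
    return (a.scheme, a.netloc) == (b.scheme, b.netloc)


def post_acs_redirect(saved_request_url, configured_return_url, app_base_url):
    """Step 4 target: the original location saved in step 2 if present and
    on this application's origin (assumed safety check), else ReturnUrl."""
    if saved_request_url:
        target = urljoin(app_base_url, saved_request_url)
        if is_same_origin(target, app_base_url):
            return target
        # An off-site saved location is discarded rather than followed.
    return configured_return_url


if __name__ == "__main__":
    cfg = parse_sp_config(SAMPLE_CONFIG)
    base = cfg["entity_id"]
    print("ACS (default ModulePath):", acs_url(base, cfg["module_path"]))
    print("ACS (ModulePath=/Saml2): ", acs_url(base, "/Saml2"))
    print("SP-initiated redirect:   ", post_acs_redirect("/somesecurepath", cfg["return_url"], base))
    print("IdP-initiated redirect:  ", post_acs_redirect(None, cfg["return_url"], base))
```

Running it shows the ACS for the question's configuration as https://admin.mercedes-forms.ggg.com.au/AuthServices/Acs, exactly the value in the posted AuthnRequest, and that only the IdP-initiated case (no saved location) lands on the configured returnUrl. Here the application base URL is taken from entityId because they coincide in the question; in a real deployment the ACS is built from the incoming request's URL, so the two can differ.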
