Reputation: 111
How to manage .NET Core API as a ServiceProvider to an existing IdentityProvider with Saml2?
Hello all and thanks first,
I have a project that has .NET Core 2 API and Angular 8 Client application. I have implemented token based authentication between app and the api (without using IdentityUser or IdentityRole).
Now, I have to do authentication over SSO. I have a saml2 identity provider metadata and configured my api using this metadata using Sustainsys.Saml2.AspNetCore2 package.
Now I can create my own metadata and registered this metadata to IdentityProvider. Everything seems okay up to this point but when I try to login from IdentityProvider login page there is no change on my api.
Crazy questions in my mind
In Identity Provider's metadata there are only SSO and SLO redirect urls. There is no other method for authnrequests.(HTTP POST etc.) How will I login this Idp?
Idp has its own login page. If I will be have to redirect user to this login page, will I get any authentication token or cookie. Will my API be recognized about this login?
There should be an authentication data in any case(token, cooke, sessionid etc.). Where will I get this data to set Authorization header while sending requests to my API?
I have been trying for a while but my last attempt also does not work.
Can anybody help please?
Thanks a lot.
Upvotes: 1
Views: 1381
Answers (1)
Reputation: 773
You need to redirect to the identity provider, and it will then redirect back to your service provider api, from which you can set whatever security mechanisms you are using, and then redirect again to your local front-end (wherever you need to send your user).
Here are some resources I found helpful: 1) https://learn.microsoft.com/en-us/aspnet/core/security/authentication/?view=aspnetcore-3.1 (how authentication schemes work in .Net Core)
2) ASP.Net Core SAML authentication 1. https://github.com/Sustainsys/Saml2 (SAML 2.0 authentication package) 2. https://stubidp.sustainsys.com/ (Free IdP – can be used instead of local implementation, if desired. A local implementation would require deployment of the “Sustainsys.Saml2.StubIdp” project).
3) Sustainsys SAML2 Sample for ASP.NET Core WebAPI without Identity
4) https://github.com/hmacat/Saml2WebAPIAndAngularSpaExample (super useful sample implementation)
5) Not able to SignOut using Saml2 from Sustainsys (help in getting the logout to work with https://stubidp.sustainsys.com)
6) https://www.nuget.org/packages/Sustainsys.Saml2.AspNetCore2/
Upvotes: 1
Related Questions
- Is it possible to change SAML IdentityProvider options outside of Startup.cs using Sustainsys.Saml2?
- ASP.NET Core authenticate API service with exterrnal identity API
- IdentityServer4 with Sustainsys.Saml2 to make OAuth SAML Assertion
- Adding an API to IdentityServer4
- Sustainsys SAML2 Sample for ASP.NET Core WebAPI without Identity
- SAML integration with ASP.NET Core Identity
- Add Asp.net Core Identity to an API secured with Identity Server
- Dynamically add a SAML2 authentication provider using Sustainsys.Saml2 in ASP.NET Core
- Saml2 Single Logout (SingleLogoutServiceResponseUrl) with Sustainsys and Identity Server 4
- SSO and IdentityServer with services that expect SAML and JWT