Sustainsys Saml2 & AspNetIdentity multiplex login

Mikael Mansour

Vote:

I am trying to configure our Optimizely CMS 12 to use multiplex login to the CMS.

I want to use both SAML2 using Sustainsys and AspNetIdentity authentication to access the CMS.

The configuration doesn't seem to do it, I can login with the CMS user but nothing is happening when I signin with SAML2.

I get redirected to the front page, without any access. The session cookie is set, but it seem that no access rights are given?

There is probably configuration missing, however I don't know what it is.

I've also tried the AddPolicy approach which didn't make any difference.

When I only choose to sign in with Saml2, it works. Same thing with AspNetIdentity. But they are not working when I try the multiplex appraoch.

This is the configuration:

public void ConfigureServices(IServiceCollection services)
{
    if (_webHostingEnvironment.IsDevelopment())
    {
        //Add development configuration
    }

    services.AddRedirectManager(
        addQuickNavigator: true,
        enableChangeEvent: true);
    services.AddMvc();
    services.AddCms().AddCmsAspNetIdentity<ApplicationUser>();

    services.ConfigureOptimizely(_configuration, _webHostingEnvironment);
    services.AddFind();
    /*
    services.ConfigureApplicationCookie(options =>
    {
        options.LoginPath = "/util/Login";
    });
    */
    services.AddEmbeddedLocalization<Startup>();

    services.Configure<VisitorGroupOptions>(o => { o.EnableSession = true; });



    services.AddIdp(_configuration);
}


public static IServiceCollection AddIdp(this IServiceCollection services, IConfiguration configuration)
{
    var appSettings = configuration.GetSection(nameof(ApplicationSettings)).Get<ApplicationSettings>();

    services.AddAuthentication(options =>
    {
        // Default scheme that maintains session is cookies.
        options.DefaultScheme = CookieAuthenticationDefaults.AuthenticationScheme;

        // If there's a challenge to sign in, use the Saml2 scheme.
        options.DefaultChallengeScheme = Saml2Defaults.Scheme;

        options.DefaultForbidScheme = CookieAuthenticationDefaults.AuthenticationScheme;
    })
         .AddCookie(options =>
         {
             options.Events.OnSignedIn = async ctx =>
             {
                 if (ctx.Principal?.Identity is ClaimsIdentity claimsIdentity)
                 {
                     // Syncs user and roles so they are available to the CMS
                     var synchronizingUserService = ctx
                       .HttpContext
                       .RequestServices
                       .GetRequiredService<ISynchronizingUserService>();

                     await synchronizingUserService.SynchronizeAsync(claimsIdentity);
                 }
             };
         }
            )
         .AddSaml2(options =>
         {
             options.Notifications.AuthenticationRequestCreated = (ar, idp, props) =>
             {

             };
             options.Notifications.AcsCommandResultCreated = (c, r) =>
             {

             };
             //options.SignInScheme = CookieAuthenticationDefaults.AuthenticationScheme;
             options.SPOptions.EntityId = new EntityId(appSettings.IdpSettings.EntityId);
             options.SPOptions.ReturnUrl = new Uri(appSettings.IdpSettings.ReturnUrl);
             //options.SPOptions.PublicOrigin = new Uri(appSettings.IdpSettings.PublicOriginURL);
             options.SPOptions.ServiceCertificates.Add(new X509Certificate2(appSettings.IdpSettings.CertificateFile, appSettings.IdpSettings.CertificatePassword, X509KeyStorageFlags.MachineKeySet));

             var idp = new IdentityProvider(new EntityId(appSettings.IdpSettings.IdentityProvidersEntityId), options.SPOptions)
             {
                 MetadataLocation = appSettings.IdpSettings.MetadataLocation,
                 //LoadMetadata = true,
                 //Binding = Sustainsys.Saml2.WebSso.Saml2BindingType.HttpRedirect,
                 //SingleSignOnServiceUrl = new Uri(appSettings.IdpSettings.SingleSignOnServiceUrl)
             };

             options.IdentityProviders.Add(idp);
         });

    return services;
}

#317401

Feb 20, 2024 11:49

Johan Petersson

Vote:

I'm not that familiar with the SAML2 auth scheme. But pretty sure you need to give the sign-in cookie scheme a name and then specify that name in the SAML2 options sign-in scheme name.

#317407

Edited, Feb 20, 2024 15:46

Mikael Mansour

Vote:

I've tried a lot of different ways, but I now get a 500 error with the following message in the log:
The authentication handler registered for scheme 'Saml2' is 'Saml2Handler' which cannot be used for SignInAsync. The registered sign-in schemes are: Identity.Application, Identity.External, Identity.TwoFactorRememberMe, Identity.TwoFactorUserId, Cookies.

Not sure if it's correctly configured, but if it is, does it mean that Saml2 isn't supported in multiplex solution out of the box?

#317802

Feb 27, 2024 7:11

Johan Petersson

Vote:

All schemes and setups are supported, it has nothing to do with the CMS. This is "just" asp.net core.

Can you get SAML2 to work on its own? I would start there.

#317803

Feb 27, 2024 7:25

Mikael Mansour

Vote:

I see, thank you for clarifying that.

Yes, SAML2 works on it's own, without using AspNetIdentity.
It's when "AddCmsAspNetIdentity" is used along with SAML2 when SAML2 stops working.

#318276

Edited, Feb 29, 2024 12:09

Mikael Mansour

Vote:

I solved it.

When using AspNetIdentity along with in my case SAML2 I needed to use IdentityConstants.ApplicationScheme as DefaultScheme instead of CookieAuthenticationDefaults.AuthenticationScheme.

Same goes for SignInScheme and SignOutScheme.

Thank you for your help Johan.

#318406

Mar 03, 2024 12:31