
Sustainsys Saml2 & AspNetIdentity multiplex login


I am trying to configure our Optimizely CMS 12 to use multiplex login to the CMS.

I want to use both SAML2 using Sustainsys and AspNetIdentity authentication to access the CMS.

The configuration doesn't seem to do it: I can log in with the CMS user, but nothing happens when I sign in with SAML2.

I get redirected to the front page, without any access. The session cookie is set, but it seems that no access rights are given?

There is probably configuration missing, however I don't know what it is. 

I've also tried the AddPolicy approach which didn't make any difference.

When I only choose to sign in with Saml2, it works. Same thing with AspNetIdentity. But they are not working when I try the multiplex approach.

This is the configuration:

public void ConfigureServices(IServiceCollection services)
{
    if (_webHostingEnvironment.IsDevelopment())
    {
        //Add development configuration
        // ...
            addQuickNavigator: true,
            enableChangeEvent: true);
    }

    services.ConfigureOptimizely(_configuration, _webHostingEnvironment);
    services.ConfigureApplicationCookie(options =>
    {
        options.LoginPath = "/util/Login";
    });

    services.Configure<VisitorGroupOptions>(o => { o.EnableSession = true; });
}


public static IServiceCollection AddIdp(this IServiceCollection services, IConfiguration configuration)
{
    var appSettings = configuration.GetSection(nameof(ApplicationSettings)).Get<ApplicationSettings>();

    services.AddAuthentication(options =>
    {
        // Default scheme that maintains session is cookies.
        options.DefaultScheme = CookieAuthenticationDefaults.AuthenticationScheme;

        // If there's a challenge to sign in, use the Saml2 scheme.
        options.DefaultChallengeScheme = Saml2Defaults.Scheme;

        options.DefaultForbidScheme = CookieAuthenticationDefaults.AuthenticationScheme;
    })
    .AddCookie(options =>
    {
        options.Events.OnSignedIn = async ctx =>
        {
            if (ctx.Principal?.Identity is ClaimsIdentity claimsIdentity)
            {
                // Syncs user and roles so they are available to the CMS
                var synchronizingUserService = ctx
                    // ...
                await synchronizingUserService.SynchronizeAsync(claimsIdentity);
            }
        };
    })
    .AddSaml2(options =>
    {
        options.Notifications.AuthenticationRequestCreated = (ar, idp, props) =>
        {
            // ...
        };
        options.Notifications.AcsCommandResultCreated = (c, r) =>
        {
            // ...
        };

        //options.SignInScheme = CookieAuthenticationDefaults.AuthenticationScheme;
        options.SPOptions.EntityId = new EntityId(appSettings.IdpSettings.EntityId);
        options.SPOptions.ReturnUrl = new Uri(appSettings.IdpSettings.ReturnUrl);
        //options.SPOptions.PublicOrigin = new Uri(appSettings.IdpSettings.PublicOriginURL);
        options.SPOptions.ServiceCertificates.Add(new X509Certificate2(appSettings.IdpSettings.CertificateFile, appSettings.IdpSettings.CertificatePassword, X509KeyStorageFlags.MachineKeySet));

        var idp = new IdentityProvider(new EntityId(appSettings.IdpSettings.IdentityProvidersEntityId), options.SPOptions)
        {
            MetadataLocation = appSettings.IdpSettings.MetadataLocation,
            //LoadMetadata = true,
            //Binding = Sustainsys.Saml2.WebSso.Saml2BindingType.HttpRedirect,
            //SingleSignOnServiceUrl = new Uri(appSettings.IdpSettings.SingleSignOnServiceUrl)
        };
        // ...
    });

    return services;
}
Feb 20, 2024 11:49

I'm not that familiar with the SAML2 auth scheme. But pretty sure you need to give the sign-in cookie scheme a name and then specify that name in the SAML2 options sign-in scheme name.

Edited, Feb 20, 2024 15:46

I've tried a lot of different ways, but I now get a 500 error with the following message in the log:
The authentication handler registered for scheme 'Saml2' is 'Saml2Handler' which cannot be used for SignInAsync. The registered sign-in schemes are: Identity.Application, Identity.External, Identity.TwoFactorRememberMe, Identity.TwoFactorUserId, Cookies.

Not sure if it's correctly configured, but if it is, does it mean that Saml2 isn't supported in multiplex solution out of the box?

Feb 27, 2024 7:11

All schemes and setups are supported, it has nothing to do with the CMS. This is "just" core.

Can you get SAML2 to work on its own? I would start there.

Feb 27, 2024 7:25

I see, thank you for clarifying that.

Yes, SAML2 works on its own, without using AspNetIdentity.
It's when "AddCmsAspNetIdentity" is used along with SAML2 that SAML2 stops working.

Edited, Feb 29, 2024 12:09

I solved it.

When using AspNetIdentity along with, in my case, SAML2, I needed to use IdentityConstants.ApplicationScheme as DefaultScheme instead of CookieAuthenticationDefaults.AuthenticationScheme.

Same goes for SignInScheme and SignOutScheme.

Thank you for your help Johan.

Mar 03, 2024 12:31
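Putting the thread's conclusion together, here is an added example (not the original poster's code and not Optimizely's or Sustainsys's own sample) of an extension method that wires SAML2 and CMS AspNetIdentity onto the same Identity.Application cookie. It follows Johan's pointer (the Saml2 handler needs a sign-in cookie scheme named in its options) and the final fix (that scheme must be IdentityConstants.ApplicationScheme, for DefaultScheme, SignInScheme and SignOutScheme alike). The IdpSettings type is a hypothetical stand-in for the ApplicationSettings.IdpSettings section in the post; the service certificate and the Notifications callbacks are left out, and the completion of the ISynchronizingUserService lookup that the post truncates is assumed to be the usual resolution from the request's service provider.

```csharp
using System;
using System.Security.Claims;
using EPiServer.Cms.UI.AspNetIdentity;
using EPiServer.Security;
using Microsoft.AspNetCore.Identity;
using Microsoft.Extensions.DependencyInjection;
using Sustainsys.Saml2;
using Sustainsys.Saml2.AspNetCore2;
using Sustainsys.Saml2.Metadata;

public static class MultiplexAuthenticationExtensions
{
    // Hypothetical settings type for this example; the original post binds an
    // ApplicationSettings.IdpSettings section carrying the same kind of values.
    public sealed class IdpSettings
    {
        public string EntityId { get; set; } = "";
        public string ReturnUrl { get; set; } = "";
        public string IdentityProvidersEntityId { get; set; } = "";
        public string MetadataLocation { get; set; } = "";
    }

    public static IServiceCollection AddMultiplexAuthentication(this IServiceCollection services, IdpSettings idp)
    {
        // Registers ASP.NET Identity for the CMS user store and, with it, the
        // Identity.Application cookie (IdentityConstants.ApplicationScheme).
        services.AddCmsAspNetIdentity<ApplicationUser>();

        services.AddAuthentication(options =>
        {
            // The cookie that ASP.NET Identity registered, not the generic "Cookies" scheme:
            // the CMS reads its session from this one.
            options.DefaultScheme = IdentityConstants.ApplicationScheme;
            // Anonymous requests to a protected URL are challenged at the IdP.
            options.DefaultChallengeScheme = Saml2Defaults.Scheme;
            options.DefaultForbidScheme = IdentityConstants.ApplicationScheme;
        })
        .AddSaml2(options =>
        {
            // Saml2Handler cannot SignInAsync by itself (that is the 500 quoted in the thread);
            // it hands the validated principal to a cookie scheme, which must be the one the CMS uses.
            options.SignInScheme = IdentityConstants.ApplicationScheme;
            options.SignOutScheme = IdentityConstants.ApplicationScheme;

            options.SPOptions.EntityId = new EntityId(idp.EntityId);
            options.SPOptions.ReturnUrl = new Uri(idp.ReturnUrl);
            // SPOptions.ServiceCertificates (the PFX in the post) omitted from this example.

            options.IdentityProviders.Add(
                new IdentityProvider(new EntityId(idp.IdentityProvidersEntityId), options.SPOptions)
                {
                    MetadataLocation = idp.MetadataLocation,
                    // Signing keys and endpoints come from the IdP metadata, so assertion
                    // signatures are checked against the IdP's published certificate.
                    LoadMetadata = true,
                });
        });

        // ConfigureApplicationCookie targets IdentityConstants.ApplicationScheme, i.e. the
        // cookie SAML2 now signs into, so the OnSignedIn hook fires for SAML logins too.
        services.ConfigureApplicationCookie(options =>
        {
            options.LoginPath = "/util/Login";
            options.Events.OnSignedIn = async ctx =>
            {
                if (ctx.Principal?.Identity is ClaimsIdentity claimsIdentity)
                {
                    // Without this sync the user is authenticated but carries no CMS roles,
                    // which is the "redirected to the front page without access" symptom.
                    // Assumed completion of the truncated lookup in the post.
                    var sync = ctx.HttpContext.RequestServices.GetRequiredService<ISynchronizingUserService>();
                    await sync.SynchronizeAsync(claimsIdentity);
                }
            };
        });

        return services;
    }
}
```

A quick check that the wiring is right: the error message in the thread lists the registered sign-in schemes (Identity.Application, Identity.External, ..., Cookies), and the value given to options.SignInScheme must be one of them. When it is, a SAML login produces an Identity.Application cookie, OnSignedIn runs the role synchronisation, and edit-mode access follows from the synchronised roles rather than from the bare SAML assertion.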