Hello,
I am in the process of implementing SAML auth with Identity Server 4 as a Service Provider. I have everything set up and working properly except for the handling of the External Login callback after authenticating with an external IdP.
It seems no matter what I pass in the AuthenticationProperties object that is passed to the ChallengeResult, after I successfully log in with the IdP I am always redirected to the default callback URL, which is: /Identity/Account/ExternalLogin?handler=Callback.
Here is my code for setting up the AuthenticationProperties and ChallengeResult:
var props = new AuthenticationProperties()
{
    RedirectUri = Url.Action("ExternalLoginCallback"),
    Items =
    {
        { "returnUrl", returnUrl },
        { "scheme", provider }
    }
};
return new ChallengeResult(provider, props);
Based on that code I see the following in the HandleChallengeAsync method of the SamlAuthenticationHandler for the AuthenticationProperties object:
Items:
{[.redirect, /account/ExternalLoginCallback]}
{[returnUrl, /connect/authorize/callback....}
{[scheme, saml2-okta-idsrv]}
And the redirectUri is "/account/ExternalLoginCallback".
Not only am I not getting redirected back to the right callback URL, but the Items I provided in the authentication properties (scheme and returnUrl) are not available either.
When I put in a route for the default callback URL I am able to inspect the authentication result with this code:
var result = await HttpContext.AuthenticateAsync(_appConfiguration.Value.ExternalCookieAuthenticationSchemeEnvironment);
That result comes back with Succeeded = true and I see that the claims from the principal are correct. But the result properties has the following:
redirectUri = /Identity/Account/ExternalLogin?handler=Callback
Properties.Items:
{[LoginProvider, saml2-okta-idsrv]}
{[.redirect, /Identity/Account/ExternalLogin?handler=Callback]}
{[.issued, Thu, 06 Dec 2018 00:03:46 GMT]}
{[.expires, Thu, 20 Dec 2018 00:03:46 GMT]}
Shouldn't the authentication properties include the proper redirect and the extra items I provided when passed into the ChallengeResult?
Here is my code where I am setting up the SAML provider:
builder.AddSaml(externalIdentityProviderModel.AuthenticationScheme,
    externalIdentityProviderModel.DisplayName ?? "",
    options =>
    {
        options.SignInScheme = configurationOptions.Value.ExternalCookieAuthenticationSchemeEnvironment;
        options.PartnerName = () => externalIdentityProviderModel.SamlConfig.Name;
    });
I know that I can provide a LoginCompletionUrl setting in the options as well, and while that does override the default URL and redirect me to where I want to go, it still does not have the extra Items that I provided in the AuthenticationProperties (returnUrl and scheme).
In my search for answers I also came across this forum post that seems to be the same issue as I am having, if it helps any:
https://www.componentspace.com/Forums/9181/RelayState-is-overwritten-by-SamlAuthenticationHandler
Can you tell me if this is a bug or if I am doing something wrong?
Let me know if you need any other information from me.
Thanks
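As an added example (not the poster's code and not ComponentSpace's), this is the shape of callback action I would use to inspect what the SAML handler actually hands back through the external cookie, and to handle the case the post describes where the custom Items are missing. It assumes an IdentityServer4 MVC controller with IIdentityServerInteractionService injected as _interaction, and a placeholder external cookie scheme name where the poster reads _appConfiguration.Value.ExternalCookieAuthenticationSchemeEnvironment. The returnUrl recovered from the properties is validated before it is used in a redirect, because it originates from the client request.

```csharp
using System.Threading.Tasks;
using IdentityServer4.Services;
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Mvc;

public class ExternalController : Controller
{
    // Placeholder: the poster reads this from _appConfiguration (assumption).
    private const string ExternalScheme = "external-cookie-scheme";
    private readonly IIdentityServerInteractionService _interaction;

    public ExternalController(IIdentityServerInteractionService interaction)
    {
        _interaction = interaction;
    }

    [HttpGet]
    public async Task<IActionResult> ExternalLoginCallback()
    {
        // Read the temporary cookie written by the handler's SignInScheme.
        var result = await HttpContext.AuthenticateAsync(ExternalScheme);
        if (result?.Succeeded != true)
        {
            return BadRequest("External authentication did not succeed.");
        }

        var items = result.Properties.Items;

        // The Items the post expects: "returnUrl" and "scheme". If the handler
        // replaced the properties (the symptom above), both lookups return false.
        items.TryGetValue("returnUrl", out var returnUrl);
        items.TryGetValue("scheme", out var scheme);

        // Fall back to the LoginProvider entry the handler does record.
        if (string.IsNullOrEmpty(scheme))
        {
            items.TryGetValue("LoginProvider", out scheme);
        }

        // Only redirect to a local URL or a valid IdentityServer authorize
        // callback; anything else is treated as untrusted and dropped.
        if (string.IsNullOrEmpty(returnUrl)
            || !(Url.IsLocalUrl(returnUrl) || _interaction.IsValidReturnUrl(returnUrl)))
        {
            returnUrl = "~/";
        }

        // Mapping the external claims to a local user and signing in to the
        // application cookie would happen here; it is outside this example.
        await HttpContext.SignOutAsync(ExternalScheme); // remove the temporary cookie
        return Redirect(returnUrl);
    }
}
```

Logging the contents of items before the fallback is the quickest way to confirm whether the handler is dropping the values or simply renaming them.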