Kentor SAML2 Auth Questions


OK, first let me say that I really feel stupid asking some of these questions, because I thought I had a good understanding of things, but I just can't seem to grasp what is going on with the Kentor Authorization MVC model. For example, in the Web.config file they have specified forms authentication as follows:

<authentication mode="Forms">
  <forms loginUrl="~/AuthServices/SignIn" />
</authentication> 

But I can't find that endpoint anywhere. Then in the HomeController.cs file they have an endpoint that is designated like this:

    [Authorize]
    public ActionResult Secure()
    {            
        var identity = System.Web.HttpContext.Current.User.Identity as ClaimsIdentity;
        return View(identity.Claims);
    }

But when I run this through the debugger it never gets hit. I am sorry to ask such open-ended questions, and I know that people have put a lot of time into the Kentor library and it is greatly appreciated. Is the MVC example complete, or are some of these things just examples of how you can do things but not really used in the example project?

EDIT: I figured out the missing endpoint. Being new to MVC, I did not realize a basic fact: a referenced DLL can add controller endpoints. I thought all the endpoints had to be in my code. (Let the flogging begin.)

What I have realized now is that while my project is considered an MVC project in VS, it is really a client with a Web API. So my problem is that my project can't seem to find the Authorization/signin endpoint. I am assuming that means I have to use the OWIN model, and I have no idea what OWIN even is, so this should be a treat.

My next question would be: is there any way to use the MVC model with a Web API? If so, how do I get my client to recognize the sign-in endpoint that is within the Kentor library?

EDIT: So I stepped back and used the HTTP Module instead of diving into OWIN. I know I wussed out. One important fact: if you use this module and keep getting your identity back as unauthorized, make sure that this section is in your Web.config:

<system.identityModel.services>
  <federationConfiguration>
    <cookieHandler requireSsl="false" name="SomeName" />
  </federationConfiguration>
</system.identityModel.services> 

I don't remember a lot being said about this in the instructions, but for me it allowed my User.Identity object to get populated. Now I am on to trying to get the userID (which still does not get populated but is in the claims) figured out. Hope this thread helps someone in the future.

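The last edit above hits a common point of confusion with claims-based identities: the SAML NameID can be present in `identity.Claims` while `User.Identity.Name` stays empty, because `ClaimsIdentity.Name` only looks at the claim type configured as its `NameClaimType` (by default `ClaimTypes.Name`). The following is an added example, not code from the post or from the Kentor AuthServices project; it assumes the SAML NameID is surfaced as `ClaimTypes.NameIdentifier` and uses a constructed identity in place of the real session cookie.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Claims;

// Added example (not Kentor AuthServices code). Reads a user id out of a
// federated ClaimsIdentity and shows why Identity.Name can be empty even
// though the id is in the claim set.
public static class ClaimsDemo
{
    // Claim types checked, in order, when looking for a stable user id.
    // Assumption: the SAML NameID arrives as ClaimTypes.NameIdentifier.
    static readonly string[] UserIdClaimTypes =
    {
        ClaimTypes.NameIdentifier,
        ClaimTypes.Upn,
        ClaimTypes.Email,
    };

    // Returns the first non-empty id claim, or null for an unauthenticated identity.
    public static string GetUserId(ClaimsIdentity identity)
    {
        if (identity == null || !identity.IsAuthenticated)
            return null;

        foreach (var type in UserIdClaimTypes)
        {
            var claim = identity.FindFirst(type);
            if (claim != null && !string.IsNullOrWhiteSpace(claim.Value))
                return claim.Value;
        }
        return null;
    }

    // Constructed sample identity standing in for the one the SAML2 module creates.
    static ClaimsIdentity BuildSampleIdentity(string nameClaimType)
    {
        var claims = new List<Claim>
        {
            new Claim(ClaimTypes.NameIdentifier, "u-12345"),   // hypothetical NameID value
            new Claim(ClaimTypes.Email, "alice@example.com"),  // constructed
            new Claim(ClaimTypes.Role, "Readers"),             // constructed
        };
        // "Federation" is the authentication type WIF uses for its session cookie.
        return new ClaimsIdentity(claims, "Federation", nameClaimType, ClaimTypes.Role);
    }

    public static void Main()
    {
        // Default NameClaimType is ClaimTypes.Name; no such claim, so Name is null.
        var id1 = BuildSampleIdentity(ClaimTypes.Name);
        Console.WriteLine("Name with default mapping: '" + (id1.Name ?? "<null>") + "'");
        Console.WriteLine("User id from claims:       '" + GetUserId(id1) + "'");

        // Telling the identity which claim carries the name populates Name.
        var id2 = BuildSampleIdentity(ClaimTypes.NameIdentifier);
        Console.WriteLine("Name via NameIdentifier:   '" + id2.Name + "'");
        Console.WriteLine("IsInRole(Readers):         " + new ClaimsPrincipal(id2).IsInRole("Readers"));

        // Equivalent of what the Secure action renders: the full claim set.
        foreach (var c in id2.Claims)
            Console.WriteLine("  " + c.Type + " = " + c.Value);
    }
}
```

Inside an MVC action the same helper is called with the current identity, `GetUserId(User.Identity as ClaimsIdentity)`, so the controller never depends on `Identity.Name` being mapped correctly. Note that `GetUserId` refuses to return anything for an identity whose `IsAuthenticated` is false, which is the symptom the cookieHandler edit above fixes; without that check, code that only inspects `Claims` can quietly trust an unauthenticated identity.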

Re your last question, "Is there any way to use the MVC model with a Web API?": the short answer is NO.

For a Web API to be secure you should use OAuth2/OpenID Connect. So what you need is a token issuer that can authenticate against an upstream SAML2 Identity Provider.

If you're still on classic ASP.NET you should look at IdentityServer3, which can do all that.