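        /// <summary>
        /// Ends the SAML2 session for the signed-in user and sends the browser to the caller-supplied return URL.
        /// </summary>
        /// <param name="requestParams">
        /// Optional return / error / unauthorized URLs taken from the query string. Each one falls back to a
        /// default page under <c>BaseUrl</c> when it is missing or when it does not resolve to this site.
        /// </param>
        /// <returns>
        /// A redirect to the return URL on success; otherwise a redirect to the unauthorized URL
        /// (anonymous caller) or the error URL (sign-out threw), each carrying an <c>error</c> query value.
        /// </returns>
        public RedirectActionResult Logout([FromUri] LogoutRequestParams requestParams)
        {
            // The three URLs arrive unvalidated from the query string. Accept a caller-supplied target only
            // when it resolves to the same scheme + authority as BaseUrl; anything else (absolute off-site
            // URL, protocol-relative "//host", non-http scheme) falls back to the default. This closes the
            // open-redirect hole in the original "?? default" handling.
            Func<string, string, string> sameSiteOrDefault = (candidate, fallback) =>
            {
                Uri baseUri;
                Uri target;
                if (string.IsNullOrWhiteSpace(candidate)
                    || !Uri.TryCreate(BaseUrl, UriKind.Absolute, out baseUri)
                    || !Uri.TryCreate(baseUri, candidate, out target))
                {
                    return fallback;
                }

                var sameOrigin = string.Equals(
                    target.GetLeftPart(UriPartial.Authority),
                    baseUri.GetLeftPart(UriPartial.Authority),
                    StringComparison.OrdinalIgnoreCase);

                // Return the normalised absolute form rather than the raw input so the browser
                // navigates to exactly what was checked, not to its own re-parse of the string.
                return sameOrigin ? target.ToString() : fallback;
            };

            var returnUrl       = sameSiteOrDefault(requestParams?.ReturnUrl, $"{BaseUrl}/en/");
            var errorUrl        = sameSiteOrDefault(requestParams?.ErrorUrl, $"{BaseUrl}/en/bad-request");
            var unauthorizedUrl = sameSiteOrDefault(requestParams?.UnauthorizedUrl, $"{BaseUrl}/en/unauthorized");

            // AllowAnonymous so we can redirect to unauthorized instead of returning json.
            // Null-safe: an anonymous request may carry no identity at all.
            if (User?.Identity?.IsAuthenticated != true)
            {
                return(new RedirectActionResult($"{unauthorizedUrl}?error=IsAuthenticated"));
            }

            try
            {
                // triggers the saml2 sign out
                AuthenticationManager.SignOut();

                // Dont clear Current.User needed for sign out
                GccfAuthorizationFilter.DeregisterSession();
            }
            catch (Exception e)
            {
                // Log with context so a failed sign-out is searchable; the user only sees a generic error code.
                Log.Logger.Error(e, "Logout failed during SAML2 sign-out or session deregistration");

                return(new RedirectActionResult($"{errorUrl}?error=Exception"));
            }

            // todo CookieHandler has this route hardcoded to clear cookies
            return(new RedirectActionResult(returnUrl));
        }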
        /// <summary>
        /// Builds the Saml2 middleware options: the service-provider settings, the three configured
        /// identity providers (idp5, CBS, GCKey) with their signing keys, and the binding notification hook.
        /// </summary>
        /// <returns>A populated <see cref="Saml2AuthenticationOptions"/> for the OWIN pipeline.</returns>
        private static Saml2AuthenticationOptions CreateSaml2Options()
        {
            var serviceProviderOptions = CreateSpOptions();

            var options = new Saml2AuthenticationOptions(false)
            {
                SPOptions = serviceProviderOptions
            };

            // idp5: metadata and signing certificate are both read from App_Data.
            // NOTE(review): AllowUnsolicitedAuthnResponse = true accepts IdP-initiated responses that no
            // SP request preceded; it is only enabled for this provider — confirm that is deliberate.
            var openSsoIdp = new IdentityProvider(
                new EntityId("http://idp5.canadacentral.cloudapp.azure.com:80/opensso"), serviceProviderOptions)
            {
                MetadataLocation = HostingEnvironment.MapPath("~/App_Data/idp5-metadata.xml"),
                AllowUnsolicitedAuthnResponse = true
            };

            // Key from IDP COT
            var openSsoCertificatePath = HostingEnvironment.MapPath("~/App_Data/idp5.canadacentral.cloudapp.azure.com.cer");
            openSsoIdp.SigningKeys.AddConfiguredKey(new X509Certificate2(openSsoCertificatePath));

            // CBS: signed metadata from App_Data, signing key from the shared GCCF certificate.
            var cbsIdp = new IdentityProvider(
                new EntityId("https://cbs-uat-cbs.securekey.com"), serviceProviderOptions)
            {
                MetadataLocation = HostingEnvironment.MapPath("~/App_Data/cbs-metadata-signed.xml")
            };
            cbsIdp.SigningKeys.AddConfiguredKey(GetGccfSigninCertificate());

            // GCKey: same shape as CBS, separate metadata file.
            var gcKeyIdp = new IdentityProvider(
                new EntityId("https://te.clegc-gckey.gc.ca"), serviceProviderOptions)
            {
                MetadataLocation = HostingEnvironment.MapPath("~/App_Data/gckey-metadata-signed.xml")
            };
            gcKeyIdp.SigningKeys.AddConfiguredKey(GetGccfSigninCertificate());

            // The binding used for outgoing messages is resolved by the authorization filter.
            options.Notifications = new Saml2Notifications
            {
                GetBinding = GccfAuthorizationFilter.GetSaml2Binding()
            };

            // Registration order is kept as idp5, CBS, GCKey.
            foreach (var provider in new[] { openSsoIdp, cbsIdp, gcKeyIdp })
            {
                options.IdentityProviders.Add(provider);
            }

            return options;
        }
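        /// <summary>
        /// Completes an external (SAML2) sign-in: converts the external login into an application sign-in,
        /// registers the session for single sign-out and redirects back to the caller.
        /// </summary>
        /// <param name="requestParams">
        /// Optional return / error / unauthorized URLs and an IdP error code from the query string. Each URL
        /// falls back to a default page under <c>BaseUrl</c> when it is missing or does not resolve to this site.
        /// </param>
        /// <returns>
        /// A redirect to <c>{returnUrl}#SignIn</c> on success; otherwise a redirect to the error URL (IdP error,
        /// missing login info, exception) or the unauthorized URL (sign-in status other than Success), each
        /// carrying an <c>error</c> query value.
        /// </returns>
        public async Task <RedirectActionResult> SigninCallback([FromUri] SigninCallbackRequestParams requestParams)
        {
            /**
             * Could create a session in SamlOwin.Identity.ApplicationSignInManager.CreateUserIdentityAsync
             * and have it checked and deleted on soap logout
             */

            // The three URLs arrive unvalidated from the query string. Accept a caller-supplied target only
            // when it resolves to the same scheme + authority as BaseUrl; anything else (absolute off-site
            // URL, protocol-relative "//host", non-http scheme) falls back to the default. This closes the
            // open-redirect hole in the original "?? default" handling.
            Func<string, string, string> sameSiteOrDefault = (candidate, fallback) =>
            {
                Uri baseUri;
                Uri target;
                if (string.IsNullOrWhiteSpace(candidate)
                    || !Uri.TryCreate(BaseUrl, UriKind.Absolute, out baseUri)
                    || !Uri.TryCreate(baseUri, candidate, out target))
                {
                    return fallback;
                }

                var sameOrigin = string.Equals(
                    target.GetLeftPart(UriPartial.Authority),
                    baseUri.GetLeftPart(UriPartial.Authority),
                    StringComparison.OrdinalIgnoreCase);

                // Return the normalised absolute form rather than the raw input so the browser
                // navigates to exactly what was checked, not to its own re-parse of the string.
                return sameOrigin ? target.ToString() : fallback;
            };

            var returnUrl       = sameSiteOrDefault(requestParams?.ReturnUrl, $"{BaseUrl}/en/");
            var errorUrl        = sameSiteOrDefault(requestParams?.ErrorUrl, $"{BaseUrl}/en/bad-request");
            var unauthorizedUrl = sameSiteOrDefault(requestParams?.UnauthorizedUrl, $"{BaseUrl}/en/unauthorized");
            var samlError       = requestParams?.Error;

            if (samlError != null)
            {
                // Keep the IdP's error text server-side; the browser only gets a fixed error code.
                Log.Logger.Warning("SAML sign-in callback reported error {SamlError}", samlError);

                return(new RedirectActionResult($"{errorUrl}?error=SamlSignInError"));
            }

            try
            {
                // refreshing url will be null
                var loginInfo = await AuthenticationManager.GetExternalLoginInfoAsync();

                if (loginInfo == null)
                {
                    return(new RedirectActionResult($"{errorUrl}?error=ExternalLoginInfo"));
                }

                // If IsPersistent property of AuthenticationProperties is set to false, then the cookie expiration time is set to Session.
                // NOTE(review): isPersistent is true here, so the application cookie outlives the browser session —
                // confirm that matches the intended session lifetime for an SSO-backed login.
                var signInStatus = await _signInManager.ExternalSignInAsync(loginInfo, true);

                if (signInStatus != SignInStatus.Success)
                {
                    return(new RedirectActionResult($"{unauthorizedUrl}?error={signInStatus:G}"));
                }

                // required for saml2 single sign out
                AuthenticationManager.User.AddIdentity(loginInfo.ExternalIdentity);

                GccfAuthorizationFilter.RegisterSession(loginInfo.ExternalIdentity);
            }
            catch (Exception e)
            {
                // Log with context so a failed callback is searchable; the user only sees a generic error code.
                Log.Logger.Error(e, "SigninCallback failed while completing the external sign-in");

                return(new RedirectActionResult($"{errorUrl}?error=Exception"));
            }

            return(new RedirectActionResult($"{returnUrl}#SignIn"));
        }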