public ActionResult Logout()
{
SamlPocTraceListener.Log("SAML", $"SamlController.Logout: Request for SLO received.");
// Logout locally.
FormsAuthentication.SignOut();
SamlPocTraceListener.Log("SAML", $"SamlController.Logout: User was logged out locally.");
if (SAMLServiceProvider.CanSLO())
{
// Request logout at the identity provider.
string partnerIdP = Session["IdentityProvider"].ToString();
SamlPocTraceListener.Log("SAML", $"SamlController.Logout: Initiating SLO with IdP {partnerIdP}.");
SAMLServiceProvider.InitiateSLO(Response, null, null, partnerIdP);
return(new EmptyResult());
}
SamlPocTraceListener.Log("SAML", $"SamlController.Logout: Identity Provider doesn't support SLO.");
return(RedirectToAction("Index", "Home"));
}
public ActionResult SingleSignOn(string idpName)
{
SamlPocTraceListener.Log("SAML", $"SamlController.SingleSignOn: Request for SSO with IdP {idpName} received.");
// To login at the service provider, initiate single sign-on to the identity provider (SP-initiated SSO).
//string partnerIdP = WebConfigurationManager.AppSettings[idpName];
SAMLServiceProvider.InitiateSSO(Response, null, idpName);
SamlPocTraceListener.Log("SAML", $"SamlController.SingleSignOn: SSO with IdP {idpName} initiated.");
Session["IdentityProvider"] = idpName;
return(new EmptyResult());
}
public ActionResult LogOff()
{
var authenticationType = ((ClaimsIdentity)User.Identity).FindFirstValue(nameof(AuthenticationType));
if (authenticationType == AuthenticationType.Saml.ToString())
{
return(RedirectToAction("LogOff", "SAML"));
}
SamlPocTraceListener.Log("SAML", $"AccountController.Logout: Log out user {User.Identity.Name} locally.");
AuthenticationManager.SignOut(DefaultAuthenticationTypes.ApplicationCookie);
return(RedirectToAction("Index", "Home"));
}
private ActionResult SignInUserLocally(string userName, IDictionary <string, string> attributes)
{
SamlPocTraceListener.Log("SAML", "SamlController.SignInUserLocally: Sign in user locally.");
// Extract user email
var email = SamlHelper.ExtractUserEmailFromSamlAttributes(userName, attributes);
var user = _authenticationService.FindUser(UserManager, email);
if (user == null)
{
SamlPocTraceListener.Log("SAML", $"SamlController.SignInUserLocally: Register new user: {userName} with email {email}");
// Register new user
user = new ApplicationUser {
UserName = userName, Email = email
};
var result = UserManager.Create(user, userName); // Use fake password
if (!result.Succeeded)
{
var errors = string.Join("\r\n", result.Errors);
SamlPocTraceListener.Log(
"SAML",
$"SamlController.SignInUserLocally: Error while registering user: {errors}");
return(View("Error"));
}
}
else
{
SamlPocTraceListener.Log("SAML", $"SamlController.SignInUserLocally: Found existing user: {userName}");
}
// There might be no attributes
attributes = attributes ?? new Dictionary <string, string>();
_authenticationService.Authenticate(
AuthenticationType.Saml,
email,
password: userName, // Use fake password
additionalClaims: attributes);
return(null);
}
public ActionResult AssertionConsumerService()
{
bool isInResponseTo = false;
string partnerIdP = null;
string authnContext = null;
string userName = null;
IDictionary <string, string> attributes = null;
string targetUrl = null;
SamlPocTraceListener.Log("SAML", "SamlController.AssertionConsumerService: Request to AssertionConsumerService received");
// Receive and process the SAML assertion contained in the SAML response.
// The SAML response is received either as part of IdP-initiated or SP-initiated SSO.
SAMLServiceProvider.ReceiveSSO(Request, out isInResponseTo, out partnerIdP, out authnContext, out userName, out attributes, out targetUrl);
// If no target URL is provided, provide a default.
if (targetUrl == null)
{
targetUrl = "~/";
}
SamlPocTraceListener.Log("SAML", "SamlController.AssertionConsumerService: Login user automatically using the asserted identity.");
// Login automatically using the asserted identity.
// This example uses forms authentication. Your application can use any authentication method you choose.
// There are no restrictions on the method of authentication.
// Save idp name to claims. We will reuse it on logout
attributes = attributes ?? new Dictionary <string, string>();
attributes[IdentityProviderClaimType] = partnerIdP;
var result = SignInUserLocally(userName, attributes);
if (result != null)
{
return(result);
}
// Redirect to the target URL.
return(RedirectToLocal(targetUrl));
}
public ActionResult Login(string domain, string returnUrl)
{
SamlPocTraceListener.Log("SAML", $"SamlController.SingleSignOn: Request for SSO with IdP of domain {domain} received.");
// Get appropriate IdP name
var idpName = SamlIdentityProvidersRepository.GetIdentityProviderName(domain);
if (idpName == null)
{
SamlPocTraceListener.Log("SAML", $"SamlController.SingleSignOn: IdP for domain {domain} not found.");
return(View("Error"));
}
// To login at the service provider, initiate single sign-on to the identity provider (SP-initiated SSO).
SAMLServiceProvider.InitiateSSO(Response, returnUrl, idpName);
SamlPocTraceListener.Log("SAML", $"SamlController.SingleSignOn: SSO with IdP {idpName} initiated.");
return(new EmptyResult());
}
public ActionResult AssertionConsumerService()
{
bool isInResponseTo = false;
string partnerIdP = null;
string authnContext = null;
string userName = null;
IDictionary <string, string> attributes = null;
string targetUrl = null;
SamlPocTraceListener.Log("SAML", "SamlController.AssertionConsumerService: Request to AssertionConsumerService received");
// Receive and process the SAML assertion contained in the SAML response.
// The SAML response is received either as part of IdP-initiated or SP-initiated SSO.
SAMLServiceProvider.ReceiveSSO(Request, out isInResponseTo, out partnerIdP, out authnContext, out userName, out attributes, out targetUrl);
// If no target URL is provided, provide a default.
if (targetUrl == null)
{
targetUrl = "~/";
}
SamlPocTraceListener.Log("SAML", "SamlController.AssertionConsumerService: Login user automatically using the asserted identity.");
// Login automatically using the asserted identity.
// This example uses forms authentication. Your application can use any authentication method you choose.
// There are no restrictions on the method of authentication.
FormsAuthentication.SetAuthCookie(userName, false);
((ClaimsIdentity)HttpContext.User.Identity).AddClaim(new Claim(ClaimTypes.Name, userName));
// Save received attributes as claims
if (attributes != null)
{
((ClaimsIdentity)HttpContext.User.Identity)
.AddClaims(attributes.Select(attr => new Claim(attr.Key, attr.Value)));
}
// Redirect to the target URL.
return(RedirectToLocal(targetUrl));
}
public ActionResult LogOff()
{
SamlPocTraceListener.Log("SAML", $"SamlController.Logout: Request for SLO received.");
string partnerIdP = ((ClaimsIdentity)User.Identity).FindFirstValue(IdentityProviderClaimType);
// Logout locally.
SamlPocTraceListener.Log("SAML", $"SamlController.Logout: Log out user {User.Identity.Name} locally.");
AuthenticationManager.SignOut(DefaultAuthenticationTypes.ApplicationCookie);
if (SAMLServiceProvider.CanSLO(partnerIdP))
{
SamlPocTraceListener.Log("SAML", $"SamlController.Logout: Initiating SLO with IdP {partnerIdP}.");
// Request logout at the identity provider.
SAMLServiceProvider.InitiateSLO(Response, null, null, partnerIdP);
return(new EmptyResult());
}
SamlPocTraceListener.Log("SAML", $"SamlController.Logout: Identity Provider {partnerIdP} doesn't support SLO.");
return(RedirectToAction("Index", "Home"));
}
public ActionResult SLOService()
{
SamlPocTraceListener.Log("SAML", "SamlController.SLOService: Request to single logout received from Identity Provider");
// Receive the single logout request or response.
// If a request is received then single logout is being initiated by the identity provider.
// If a response is received then this is in response to single logout having been initiated by the service provider.
bool isRequest = false;
string logoutReason = null;
string partnerIdP = null;
string relayState = null;
SAMLServiceProvider.ReceiveSLO(Request, out isRequest, out logoutReason, out partnerIdP, out relayState);
if (isRequest)
{
SamlPocTraceListener.Log("SAML", "SamlController.SLOService: Processing IdP initiated logout");
// Logout locally.
AuthenticationManager.SignOut(DefaultAuthenticationTypes.ApplicationCookie);
SamlPocTraceListener.Log("SAML", "SamlController.SLOService: User was logged out. Respond to IdP that logout succeeded.");
// Respond to the IdP-initiated SLO request indicating successful logout.
SAMLServiceProvider.SendSLO(Response, null);
}
else
{
SamlPocTraceListener.Log("SAML", "SamlController.SLOService: SP-initiated SLO has completed. Redirecting to login page.");
// SP-initiated SLO has completed.
return(RedirectToAction("Index", "Home"));
}
return(new EmptyResult());
}
