
I have an ASP.NET MVC application and I want to make SSO Windows authentication. I use Ping Federate as the IdP and SP. When I enter the site it redirects to the SSO page; after I enter my credentials it posts the SAML to the SP and the SP redirects to the site.

The problem: my app does not recognize that the user is authenticated and redirects back to the SSO page, which has already authenticated the user, so it again posts the SAML to the SP and there is an infinite loop. What am I missing? Do I need to change something in my web.config file?

This is what I have in the web.config:

<!-- IIS-integrated Windows (Kerberos/NTLM) authentication -->
<authentication mode="Windows">
</authentication>
<!-- run each request under the identity of the authenticated Windows user -->
<identity impersonate="true" />
ilay zeidman
  • Why are you using impersonation? – MethodMan Dec 24 '14 at 16:57
  • I used it before I moved to Ping Federate... – ilay zeidman Dec 24 '14 at 16:58
  • `Impersonation can significantly affect performance and scaling. It is generally more expensive to impersonate a client on a call than to make the call directly.` If you are using `SSO` it expects authentication and credentials to be those of that particular user. Are you familiar with PrincipalContext and AD? Perhaps you can incorporate that in regards to authentication. – MethodMan Dec 24 '14 at 17:02
  • Are you using the .NET integration kit, the IIS integration kit or have you written your own agentless integration? – Hans Z. Jan 02 '15 at 20:24

2 Answers


Depending on which adapter type you are using on your SP side, I would recommend using the appropriate kit for it, such as the OpenToken kit, the Agentless kit, etc.

I had the same problem before; what you must do is finish the flow in your application and write a cookie on the response. The details depend on which adapter you are using, but the end is the same.

If you are using OpenToken adapters you must be receiving an OpenToken by either query string or form post. You must open that token with the OpenToken agent kit. Once you do that, you will find your "attributes" or "claims" inside; then you must write a cookie in the response and use that cookie to start up a session.

If you are using Agentless adapters you will be receiving a REF id by either query string or form post. You must grab that REF id and call the pickup endpoint in PingFederate. That call will return the claims; then you must write a cookie once again and start up a session.

In the past, I coded an HttpModule that would do this for me, and I repurposed the WS-Federation functionality to write my cookies. In the end, the site would be authenticating with Ping but reading WIF cookies like a WS-Federation-enabled app to keep the session going.

However, we ended up moving to OpenID Connect/OAuth2, which is a newer standard and does not require SP adapters.

I have released a client for OWIN that will take care of everything for you as long as you have the OAuth2/OpenID Connect module enabled in PingFederate.

Here is the link, if you ever move: https://www.nuget.org/packages/Owin.Security.Providers.PingFederate

amd989
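The Agentless flow the answer above describes (receive a REF id, call the PingFederate pickup endpoint server-to-server, write a cookie, start a session) as an added ASP.NET MVC example. This is not code from the answer or from Ping Identity's integration kit. Assumptions: the pickup URL, the adapter instance id and credential, that the pickup call is authenticated with HTTP Basic plus a `ping.instanceId` header (check the documentation of the kit version you run; older kits used `ping.uname`/`ping.pwd` headers), that the response is a JSON object whose subject is under the key `subject`, and that web.config is switched to `<authentication mode="Forms">` so the Forms cookie is honoured on the next request (under `mode="Windows"` it is ignored, which is exactly the redirect loop in the question). The controller name and the `Acs` action are hypothetical; the OpenToken variant differs only in how the attributes are obtained.

```csharp
using System;
using System.Collections.Generic;
using System.Net.Http;
using System.Net.Http.Headers;
using System.Text;
using System.Threading.Tasks;
using System.Web.Mvc;
using System.Web.Script.Serialization;
using System.Web.Security;

// Added example (not from the answer or the Ping kit): finishes the PingFederate
// Agentless (Reference ID) flow and writes the session cookie that stops the loop.
public class SsoController : Controller
{
    // Assumed values; load them from web.config / a secret store in a real app.
    private const string PickupUrl  = "https://pf.example.com:9031/ext/ref/pickup";
    private const string InstanceId = "spAgentlessAdapter"; // adapter instance id (assumption)
    private const string Password   = "change-me";          // pickup credential (assumption)

    private static readonly HttpClient Http = new HttpClient();

    // PingFederate sends the browser here (GET or form POST) with REF and,
    // optionally, TargetResource. Both verbs must be accepted with a single
    // AcceptVerbs attribute: stacking [HttpGet] and [HttpPost] is ANDed in MVC.
    [AcceptVerbs(HttpVerbs.Get | HttpVerbs.Post)]
    public async Task<ActionResult> Acs(string REF, string TargetResource)
    {
        if (string.IsNullOrEmpty(REF))
            return new HttpStatusCodeResult(400, "Missing REF");

        // Exchange the opaque REF for attributes server-to-server. Never accept
        // attributes from the browser; the REF is the only thing it may hand us.
        var attributes = await PickupAsync(REF);
        if (attributes == null || !attributes.ContainsKey("subject"))
            return new HttpStatusCodeResult(401, "Pickup failed");

        var subject = Convert.ToString(attributes["subject"]);

        // Write the cookie that makes the next request authenticated. This needs
        // <authentication mode="Forms"> in web.config; under mode="Windows" the
        // Forms cookie is never honoured and the app bounces back to the IdP.
        FormsAuthentication.SetAuthCookie(subject, createPersistentCookie: false);

        // Resume only to a local URL so TargetResource cannot become an open redirect.
        var target = Url.IsLocalUrl(TargetResource) ? TargetResource : "/";
        return Redirect(target);
    }

    private static async Task<Dictionary<string, object>> PickupAsync(string reference)
    {
        var request = new HttpRequestMessage(HttpMethod.Get,
            PickupUrl + "?REF=" + Uri.EscapeDataString(reference));

        // Assumption: pickup is authenticated with HTTP Basic (instance id and
        // credential) plus a ping.instanceId header. Older kit versions used
        // ping.uname / ping.pwd headers; confirm against your PingFederate version.
        var token = Convert.ToBase64String(Encoding.ASCII.GetBytes(InstanceId + ":" + Password));
        request.Headers.Authorization = new AuthenticationHeaderValue("Basic", token);
        request.Headers.Add("ping.instanceId", InstanceId);

        using (var response = await Http.SendAsync(request))
        {
            // Non-2xx: REF expired or already consumed, or the credentials are wrong.
            if (!response.IsSuccessStatusCode)
                return null;

            // Assumption: the pickup endpoint returns the attribute contract as a
            // flat JSON object, e.g. {"subject":"alice","mail":"alice@example.com"}.
            var json = await response.Content.ReadAsStringAsync();
            return new JavaScriptSerializer().Deserialize<Dictionary<string, object>>(json);
        }
    }
}
```

The security-relevant choices: the app trusts nothing from the browser except an opaque reference that it redeems itself over TLS with its own credentials, the cookie is written only after a successful pickup, and the post-login redirect is restricted to local URLs. Whatever the adapter type, the loop in the question ends only when something in the SP application writes a cookie that its own authentication module actually reads on the following request.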

You can give the ASP.NET SAML SSO connector a try. It supports multiple IdPs such as ADFS, Azure AD, Bitium, Centrify, G Suite, JBoss Keycloak, Okta, OneLogin, Salesforce, AWS Cognito, or even your own custom identity provider. It really helped me with SSO in my .NET application.