2

I have implemented the ITFoxtec Identity SAML2 package in a ASP.NET Core 2.2 application, and it's working great!

One of our application requirements is that the claims of a user (what roles they are in, etc) should be updated when an administrative user changes their role membership - thereby "invalidating" the claims in their cookie so that they must be updated. I've been researching the subject and most of the information I can find pertains to the ASP.NET Identity UserManager/RoleManager/SecurityStamp/SignInManager way of managing users - we do not use this method and do not intend to use this method given that we use Saml2 instead.

Do you have any suggestions on how to trigger a claims refresh once a person is logged in via ITFoxtec-Identity-Saml2, without forcing them to actually re-login?

Much appreciated!

Legoguy
  • 193
  • 1
  • 5

1 Answers1

3

I'am afraid that your scenarie is not supported by the SAML 2.0 standard(s). Basically, SAML 2.0 require the user to re-authenticate to load the new claims.

Depending on which IdP you are using you can either force the user to re-authenticate and thereby load the new claims.

Force login:

var authnRequest = new Saml2AuthnRequest(saml2Config)
{
    ForceAuthn = true,
    ...
};

OR passive login which is a smooth solution, if the IdP load the updated claims on a passive login request without re-authentication. Then the IdP is called but the user never discovers it.

Passive login request: 

var authnRequest = new Saml2AuthnRequest(saml2Config)
{
    IsPassive = true,
    ...
};

Alternatively, you need to implement a custom solution where the application call an endpoint, secured by the SAML token. The endpoint query the users claims in eg. a database and return the updated claims. If the claims are updated the application can do a re-login, I think it is possible without a logout.

Something like this:

var principal = new ClaimsPrincipal(...);
await httpContext.SignInAsync(Saml2Constants.AuthenticationScheme, principal, 
    new AuthenticationProperties
    {
        IssuedUtc = ...,
        ExpiresUtc = ..,
    });
Anders Revsgaard
  • 3,636
  • 1
  • 9
  • 25