2

I'm using itfoxtec-identity-saml2 for autentication on a .net core 2.2 site. It all works great but for one thing, the URL of the site is case sensitive and has to be exactly as it is specified in the metadata of the SP. If it isn't this is what happens (simplified):

In the metadata, the root url to my site is https://domain/MySite

  • Microsoft.AspNetCore.Hosting.Internal.WebHost: Request starting HTTP/1.1 GET https://domain/mysite
  • Microsoft.AspNetCore.Authentication.Cookies.CookieAuthenticationHandler: AuthenticationScheme: saml2 was not authenticated.
  • Microsoft.AspNetCore.Mvc.ChallengeResult: Executing ChallengeResult with authentication schemes (saml2).
  • Microsoft.AspNetCore.Authentication.Cookies.CookieAuthenticationHandler: AuthenticationScheme: saml2 was challenged.
  • Request is routed to the Login method in the Auth controller
  • Microsoft.AspNetCore.Mvc.Infrastructure.RedirectResultExecutor: Executing RedirectResult, redirecting to https://idp/HTTP-Redirect?SAMLRequest=samlAuthRequest
  • Microsoft.AspNetCore.Hosting.Internal.WebHost: Request starting HTTP/1.1 POST https://domain/MySite/AssertionConsumerService
  • Microsoft.AspNetCore.Authentication.Cookies.CookieAuthenticationHandler: AuthenticationScheme: saml2 signed in.
  • The user is now autenticated and the original request starts up again:
  • Microsoft.AspNetCore.Hosting.Internal.WebHost: Request starting HTTP/1.1 GET https://domain/mysite
  • Microsoft.AspNetCore.Authentication.Cookies.CookieAuthenticationHandler: AuthenticationScheme: saml2 was not authenticated.

And it all starts again with a new saml auth request and a successful saml authentication that the site immediately forgets about when the user is redirected to the page of the original request again in a never ending loops of new saml auth requests.

As you can see, the original request is being made to https://domain/mysite, the IdP sends the SAML-token to the url specified in the metadata, https://domain/MySite/, and when the original page is re-requested it is made once again to https://domain/mysite.

I dont usually work that much with web stuff so I don't really know what I'm talking about, but I get a feeling that the session cookie that is being created when the SAML token has been returned only corresponds to what url formatting the SAML-token was being sent to.

The site is hosted in an IIS on a Windows Server 2012.

Is there a way to make the url to the site case insensitive?

Faronson
  • 31
  • 2

1 Answers1

1

I think the problem is that the browser treat the cookie paths as case-sensitive where IIS are not case-sensitive. ITfoxtec Identity SAML2 use ASP.NET Core Identity which use an identity cookie containing the users identity.

Because the cookie path are case-sensitive the cookie is not send by the browser if the case changes. Thereby, the user is not authenticated.

The solution is to use the same case. A solutions is to require lowercase:

  1. Configure lowercase route ASP.NET Core web app URL is case-sensitive when authenticating users (I haven't tested this solution)
  2. Add a .NET core middleware which redirect to lowercase.
  3. Configure url rewite to lowercase in IIS / web.config.
Anders Revsgaard
  • 3,636
  • 1
  • 9
  • 25