
Is there a way to integrate into the same project SAML authentication and form authentication?

Today I have only SAML authentication:

services.AddSaml2("/login", true);

If I add another scheme after the SAML one, the SAML stops working. If I add it before, the form authentication is not triggered. This is the code of the form authentication:

services.AddAuthentication("Form")
    .AddScheme<FormAuthenticationOptions, FormAuthenticationHandler>("Form", null)
    .AddCookie(options => {
        options.LoginPath = "....";
        options.LogoutPath = "...";
        options.EventsType = typeof(CustomCookieAuthenticationEvents);
    });

Please, advise.

borismee

2 Answers


I checked it and got it to work only as follows:

// Add SAML2 scheme
services.AddAuthentication(Saml2Constants.AuthenticationScheme)
    .AddCookie(Saml2Constants.AuthenticationScheme, o => {
        o.LoginPath = new PathString("loginPath");
        o.SlidingExpiration = true;
    });

services.AddAuthentication("TMP")
    .AddPolicyScheme("TMP", "TMP Authorization", options => {
        options.ForwardDefaultSelector = context => {
            if (context.Request.Headers["Form"].Any() || context.Request.Cookies.ContainsKey("Form")) {
                return FormAuthenticationOptions.Schema;
            }
            return Saml2Constants.AuthenticationScheme;
        };
    })
    .AddScheme<FormAuthenticationOptions, FormAuthenticationHandler>("Form", null)
    .AddCookie(options => {
        options.LoginPath = LoginPath;
        options.LogoutPath = LogoutPath;
        options.EventsType = typeof(CustomCookieAuthenticationEvents);
    });

The reason for it is that ITfoxtec adds its scheme as the default. So I added my policy scheme and make the decision about which scheme to use by adding an HTTP header and cookie.

Not so elegant, but it works. I think it would be nice if you enabled adding your library only like this:

.AddScheme<SamlAuthenticationOptions, SamlAuthenticationHandler>(FormAuthenticationOptions.Schema, null)

and move the authentication logic to SamlAuthenticationHandler.

borismee
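The same policy-scheme forwarding in a single AuthenticationBuilder chain, as an added example that is not code from the question, the answers or the ITfoxtec library. It goes a step further than the answer above by routing on the request path and on the server-issued form cookie instead of a client-supplied header; the scheme names, cookie name and paths other than "Form" are chosen for this example, and the `ITfoxtec.Identity.Saml2` namespace for `Saml2Constants` is assumed.

```csharp
using ITfoxtec.Identity.Saml2;                    // Saml2Constants (assumed namespace)
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Http;
using Microsoft.Extensions.DependencyInjection;
public static class AuthenticationSetup
{
    // Names below are chosen for this example; only "Form" comes from the question.
    const string SelectorScheme = "SamlOrForm";
    const string FormCookieScheme = "FormCookie";
    const string FormCookieName = ".AspNetCore.FormCookie";
    const string FormLoginPath = "/form/login";
    public static void ConfigureAuthentication(IServiceCollection services)
    {
        services.AddAuthentication(SelectorScheme)
            // The policy scheme is the default. It runs no handler of its own; it only
            // forwards authenticate/challenge/sign-in to one of the real schemes below.
            .AddPolicyScheme(SelectorScheme, "SAML2 or form login", o =>
            {
                o.ForwardDefaultSelector = ctx =>
                {
                    // Credential posts go to the asker's FormAuthenticationHandler.
                    if (ctx.Request.Path.StartsWithSegments(FormLoginPath))
                        return "Form";
                    // An existing form session is recognised by its server-issued cookie,
                    // not by a header the client can set freely.
                    if (ctx.Request.Cookies.ContainsKey(FormCookieName))
                        return FormCookieScheme;
                    // Everything else: SAML2, whose challenge redirects to the IdP.
                    return Saml2Constants.AuthenticationScheme;
                };
            })
            // SAML2 session cookie, registered the way AddSaml2 does internally.
            .AddCookie(Saml2Constants.AuthenticationScheme, o =>
            {
                o.LoginPath = new PathString("/login");
                o.SlidingExpiration = true;
            })
            // Checks posted credentials; on success it should SignInAsync(FormCookieScheme, ...).
            .AddScheme<FormAuthenticationOptions, FormAuthenticationHandler>("Form", null)
            // Separate cookie for form sessions so the two session cookies never collide.
            .AddCookie(FormCookieScheme, o =>
            {
                o.Cookie.Name = FormCookieName;
                o.LoginPath = new PathString(FormLoginPath);
                o.LogoutPath = new PathString("/form/logout");
                o.EventsType = typeof(CustomCookieAuthenticationEvents);
            });
    }
}
```

With `[Authorize]` and no scheme named, every request passes through the selector, so the SAML2 and form sessions coexist without either registration overriding the other's default.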

You cannot use services.AddSaml2 in this case because the method does not return the AuthenticationBuilder.

https://github.com/ITfoxtec/ITfoxtec.Identity.Saml2/blob/master/src/ITfoxtec.Identity.Saml2.MvcCore/Configuration/Saml2ServiceCollectionExtensions.cs#L15

Instead, you have to use the code from the method in combination with the new authentication scheme(s).

Maybe it would be something like this, but I have not tried it:

services.AddAuthentication(Saml2Constants.AuthenticationScheme)
    .AddCookie(Saml2Constants.AuthenticationScheme, o =>
    {
        o.LoginPath = new PathString(loginPath);
        o.SlidingExpiration = slidingExpiration;
        if(!string.IsNullOrEmpty(accessDeniedPath))
        {
            o.AccessDeniedPath = new PathString(accessDeniedPath);
        }
    })
    .AddScheme<FormAuthenticationOptions, FormAuthenticationHandler>("Form", null);

Anders Revsgaard