
Using Module Zero with Kentor AuthServices/SAML (Ext Auth) #3218


User avatar
0
blewis created

I am really interested in using ABP in a new project for my company, and even getting Asp.Net Zero. However, at least for this upcoming project, we have to authenticate our web app against an existing OpenAM identity server that uses SAML. I have found the Kentor AuthServices library (https://github.com/KentorIT/authservices/), which supports SAML and makes integration with MVC easy. I downloaded the Abp Sample MVC 5.x multi-page project and installed the AuthServices NuGet packages, and added the necessary configuration for AuthServices to the web.config.

Essentially, AuthServices replaces the normal login page with a redirect to the external OpenAM SAML server. This part works fine. If I try to access a protected page, it redirects me to our 3rd party OpenAM server. I authenticate there, then it POSTs an assertion (an XML file) back to the AuthServicesController that contains the user info (name, roles, etc). When I debug the incoming POST to the controller, I can see that it has set the appropriate Identity info and claims information.

However, at this point I am now in the AuthServicesController and I need to hook into Abp's auth/login pipeline. It's sort of like an external auth provider, but I am not using the regular Abp login form. I need to check to see if this user already exists in the Abp DB, and if not, add it (and update their Abp user roles). Then log them in. I can't get them logged in with a proper Abp session.

This process is probably a lot like ADFS federated auth or OpenID. You mention support for these on the Asp.Net Zero page, but there are no other references to it.

Any pointers would be appreciated, Bryan


7 Answer(s)
  • User Avatar
    0
    ismcagdas created
    Support Team

    Hi,

    You are right, there must be a user created in the AbpUsers table as well. I don't have any idea about Kentor, but I think you need to use this: https://github.com/KentorIT/authservices/blob/master/doc/OwinMiddleware.md.

    Have you tried it?

    As far as I understand, this should work like any other external login (Facebook, Twitter, etc.).

    Thanks.

  • User Avatar
    1
    blewis created

    Because I was using MVC, I started by trying the MVC option for Kentor. I didn't think about trying the OWIN option (which is a different setup). I will take a look at this info and see if it integrates better and let you know.

    Thanks.

  • User Avatar
    0
    ismcagdas created
    Support Team

    Thanks @blewis. Please let us know the result :)

  • User Avatar
    0
    blewis created

    Just as a follow-up: I was not able to get the OWIN version to work. Probably my own fault since I am not familiar enough with OWIN and external auth.

    However, I was able to take the MVC version of their library (KentorIT.AuthServices.MVC) and modify their AuthServicesController using some of the ExternalLogin code from your existing AccountController (taken from the AbpMvcSample project). This allowed me to receive the info from our external Identity SAML Provider and add the user to the Abp Users table if it doesn't exist and log the user in.

    I haven't been able to fully clean up the combined code yet, but if anyone else needs SAML support, I would be happy to share.

    Bryan
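
The provision-then-log-in step described in this post, sketched as an added example; it is not blewis's code and not part of ABP or Kentor AuthServices. `LocalUser`, `SamlUserProvisioner` and the in-memory dictionary are hypothetical stand-ins for the Abp Users table, and it assumes the SAML library exposes NameID as `ClaimTypes.NameIdentifier` with the IdP entity ID as the claim's `Issuer`, and roles as `ClaimTypes.Role`.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Security.Claims;

// Hypothetical stand-in for a row in the application's user table.
public sealed class LocalUser
{
    public string UserName = "";
    public HashSet<string> Roles = new HashSet<string>();
}

public sealed class SamlUserProvisioner
{
    // Account links are keyed on (issuer, NameID), never on a mutable
    // attribute such as e-mail or display name.
    private readonly Dictionary<(string Issuer, string NameId), LocalUser> _links =
        new Dictionary<(string, string), LocalUser>();
    private readonly string _trustedIssuer;
    private readonly IReadOnlyDictionary<string, string> _roleMap; // IdP role -> local role

    public SamlUserProvisioner(string trustedIssuer, IReadOnlyDictionary<string, string> roleMap)
    {
        _trustedIssuer = trustedIssuer;
        _roleMap = roleMap;
    }

    // Call only after the SAML library has validated the assertion's signature.
    public LocalUser SignInOrProvision(ClaimsIdentity external)
    {
        if (external == null || !external.IsAuthenticated)
            throw new UnauthorizedAccessException("No authenticated external identity.");
        Claim nameId = external.FindFirst(ClaimTypes.NameIdentifier);
        if (nameId == null || string.IsNullOrWhiteSpace(nameId.Value))
            throw new UnauthorizedAccessException("Assertion carries no NameID.");
        if (!string.Equals(nameId.Issuer, _trustedIssuer, StringComparison.Ordinal))
            throw new UnauthorizedAccessException("Unexpected issuer.");

        var key = (nameId.Issuer, nameId.Value);
        if (!_links.TryGetValue(key, out LocalUser user))
        {
            // First login: create the local account and link it to the IdP identity.
            user = new LocalUser { UserName = external.Name ?? nameId.Value };
            _links[key] = user;
        }
        // Re-sync roles on every login; IdP roles outside the allow-list are dropped.
        user.Roles = new HashSet<string>(external.FindAll(ClaimTypes.Role)
            .Where(c => _roleMap.ContainsKey(c.Value)).Select(c => _roleMap[c.Value]));
        return user;
    }
}
```

The returned user is what the controller would then hand to the application's own sign-in call to establish the session.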

  • User Avatar
    0
    ismcagdas created
    Support Team

    Hi @blewis,

    Thanks a lot for sharing your experience :)

  • User Avatar
    0
    PhilWynn created

    Hi @blewis,

    I am currently about to embark on a similar task using Sustainsys.Saml2 (formerly Kentor).

    Any code you can share would be very gratefully received.

    Many thanks Phil

  • User Avatar
    0
    PhilWynn created

    Hi @blewis,

    I am pretty stuck on this. I have no idea if you are receiving this notification, but if so I would be extremely grateful for some help.

    Many thanks Phil