Sustainsys SAML2 not signing in after first successful user sign in


We're using Sustainsys's SAML2 component (the OWIN one) to integrate with Okta.
(These are older apps and we were previously using the Kentor HttpModule for authentication but have needed to upgrade to the OWIN version so we can support the addition of AAD auth.)

The first time the first user tries to log in following a restart of the site, everything works fine. However, when the next user (could be a different user on a different device) tries to log in, Request.IsAuthenticated is always false. There are no errors being reported and we can see the login is succeeding in Okta logs. I can also see the successful login attempt in the code by inspecting the objects in the 'AcsCommandResultCreated' notification handler.

Initially we thought this could be related to Cookies so tried a couple of suggestions from the git docs but these have not solved the issue. Given the distribution of the issue (i.e. the user could be on a different device) we're pretty sure it's not a cookie issue.

We have the following in startup.cs:

// true = load the <sustainsys.saml2> section from web.config
var samlOptions = new Saml2AuthenticationOptions(true);

// Fires once the ACS endpoint has processed an IdP response
samlOptions.Notifications.AcsCommandResultCreated = (result, dictionary) =>
{
    Console.WriteLine("AcsCommandResultCreated");
};

// Fires when an AuthnRequest is about to be sent to the IdP;
// clears leftover Saml2.* request-state cookies, keeping only the newest one
samlOptions.Notifications.AuthenticationRequestCreated = (request, provider, dictionary) =>
{
    const int threshold = 1;
    var owinContext = HttpContext.Current.GetOwinContext();
    var existingCookies = owinContext.Request.Cookies.Where(kvp => kvp.Key.StartsWith("Saml2.")).ToList();

    if (existingCookies.Count < threshold) return;

    for (var i = 0; i <= existingCookies.Count - threshold; i++)
    {
        var cookieKey = existingCookies[i].Key;
        owinContext.Response.Cookies.Delete(cookieKey, new CookieOptions()
        {
            Secure = true
        });
    }
};

app.UseSaml2Authentication(samlOptions);

The handler for AuthenticationRequestCreated is code from a suggestion that this might be cookie related. The issue is present with or without this in place.

We have the following in the web.config:

  <sustainsys.saml2 entityId="https://localhost:44399/" returnUrl="https://localhost:44399/" authenticateRequestSigningBehavior="Never">
    <nameIdPolicy allowCreate="true" format="Persistent" />
    <identityProviders>
      <add entityId="FROM OKTA" signOnUrl="FROM OKTA" allowUnsolicitedAuthnResponse="true" binding="HttpRedirect">
        <signingCertificate fileName="path to cert" />
      </add>
    </identityProviders>
  </sustainsys.saml2>

We're requesting the auth challenge from a button click using the code:

HttpContext.GetOwinContext().Authentication.Challenge("Saml2", DefaultAuthenticationTypes.ApplicationCookie);

The issue is present both running locally and on the server.

As I've said, the very first time the first user tries to login, everything works fine so we're confident that the issue isn't env or config related.

Any help would be greatly appreciated!
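A diagnostic version of the Startup wiring, added here as an example (it is not the asker's code and not a Sustainsys sample): it records every ACS result, not just the first, and checks that the type the SAML2 handler signs in as matches the cookie middleware that must persist it. The cookie middleware registration is assumed because the question does not show it, and the Sustainsys member names used (CommandResult.Principal, Saml2Response.Id/Issuer/InResponseTo, Saml2AuthenticationOptions.SignInAsAuthenticationType) are taken from the library's public API as I recall it.

```csharp
using System.Linq;
using System.Security.Claims;
using Microsoft.Owin.Security.Cookies;
using Owin;
using Sustainsys.Saml2.Owin;

public class Startup
{
    // Same literal as DefaultAuthenticationTypes.ApplicationCookie
    private const string CookieAuthType = "ApplicationCookie";

    public void Configuration(IAppBuilder app)
    {
        // Assumed: the cookie middleware that turns the SAML identity into a session.
        // Without it (or with a different AuthenticationType) the SAML2 sign-in has
        // nowhere to be persisted and Request.IsAuthenticated stays false.
        app.UseCookieAuthentication(new CookieAuthenticationOptions { AuthenticationType = CookieAuthType });
        app.SetDefaultSignInAsAuthenticationType(CookieAuthType);

        var samlOptions = new Saml2AuthenticationOptions(true); // true = load <sustainsys.saml2> from web.config

        samlOptions.Notifications.AcsCommandResultCreated = (result, response) =>
        {
            // Log which response produced which identities, so a per-user failure
            // can be matched against the Okta side by response Id / InResponseTo.
            var identities = result.Principal?.Identities ?? Enumerable.Empty<ClaimsIdentity>();
            Log("ACS response {0} from {1} (InResponseTo={2}) -> HTTP {3}, {4} identities",
                response.Id?.Value, response.Issuer?.Id, response.InResponseTo?.Value,
                (int)result.HttpStatusCode, identities.Count());
            foreach (var id in identities)
            {
                Log("  identity: authType={0}, name={1}, claims={2}",
                    id.AuthenticationType, id.Name, id.Claims.Count());
            }
            // The handler issues the ticket under SignInAsAuthenticationType; if it does not
            // match the cookie middleware, the sign-in is silently dropped.
            if (samlOptions.SignInAsAuthenticationType != CookieAuthType)
            {
                Log("WARNING: SignInAsAuthenticationType is '{0}', cookie middleware is '{1}'",
                    samlOptions.SignInAsAuthenticationType, CookieAuthType);
            }
        };

        app.UseSaml2Authentication(samlOptions);
    }

    private static void Log(string fmt, params object[] args) =>
        System.Diagnostics.Trace.TraceInformation(fmt, args);
}
```

Compare the trace for the first (working) login with the trace for the second user's attempt: if both show a populated principal but only the first results in an authenticated request, the problem lies after the ACS step, in how the ticket is persisted, rather than in the SAML exchange itself.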
