I am trying to figure out how to get an email from the saml2AuthnResponse that is returned by the IdP.
I am not sure how to access this using ITFoxTec.
Here is my AssertionConsumerService code:
[Route("AssertionConsumerService")]
public async Task<IActionResult> AssertionConsumerService()
{
    var binding = new Saml2PostBinding();
    var saml2AuthnResponse = new Saml2AuthnResponse(config);

    // First pass: read the response far enough to get its status.
    binding.ReadSamlResponse(Request.ToGenericHttpRequest(validate: true), saml2AuthnResponse);
    if (saml2AuthnResponse.Status != Saml2StatusCodes.Success)
    {
        throw new AuthenticationException($"SAML Response status: {saml2AuthnResponse.Status}");
    }

    // Second pass: Unbind validates the response and assertion.
    binding.Unbind(Request.ToGenericHttpRequest(validate: true), saml2AuthnResponse);
    await saml2AuthnResponse.CreateSession(HttpContext, claimsTransform: (claimsPrincipal) => ClaimsTransform.Transform(claimsPrincipal));

    var relayStateQuery = binding.GetRelayStateQuery();
    var returnUrl = relayStateQuery.ContainsKey(relayStateReturnUrl) ? relayStateQuery[relayStateReturnUrl] : Url.Content("~/na");

    // local custom login service
    var username = saml2AuthnResponse.NameId;
    var user = _loginService.Login(username.ToString(), null);
    await HttpContext.SignInAsync(user);

    return Redirect(returnUrl);
}
I know it is being sent by the IdP, because when I examine the output of a SAML browser extension, I can see it. Here is an example (the tail of the response):
            <saml2:Attribute FriendlyName="eduPersonPrincipalName"
                             Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.6"
                             NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
                <saml2:AttributeValue>[email protected]</saml2:AttributeValue>
            </saml2:Attribute>
        </saml2:AttributeStatement>
    </saml2:Assertion>
</saml2p:Response>
Is there a way to do this?
Thanks!
I’ve only used the ItFoxTec library once and haven’t had to do this myself yet, but from what I can see in the working code I’m using, you need to look at saml2AuthnResponse.ClaimsIdentity.
Additionally, it can be possible in some rare scenarios for some IdPs to return a successful response for an unauthenticated user. So where you have this code:
if (saml2AuthnResponse.Status != Saml2StatusCodes.Success)
my own system looks like this:
if (saml2AuthnResponse.Status != Saml2StatusCodes.Success || !saml2AuthnResponse.ClaimsIdentity.IsAuthenticated)
Of course there are more ways to do it, but that second check is important.
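Putting the answer's two points together, here is an added example (not the asker's code and not the ITfoxtec library's own sample) of reading the eduPersonPrincipalName value from saml2AuthnResponse.ClaimsIdentity. It assumes ITfoxtec surfaces each saml2:Attribute as a claim whose Type is the attribute's Name (the OID URN seen in the trace above), and it keeps the names from the question (config, relayStateReturnUrl, _loginService, ClaimsTransform); ILoginService, GetEmail, EppnClaimType and MailClaimType are my own. The IsAuthenticated check is placed after Unbind so that it runs against the identity that has passed signature validation, and the helper fails closed if no usable attribute is present instead of silently logging in an empty user.

```csharp
using System;
using System.Linq;
using System.Security.Authentication;
using System.Security.Claims;
using System.Threading.Tasks;
using ITfoxtec.Identity.Saml2;
using ITfoxtec.Identity.Saml2.MvcCore;
using ITfoxtec.Identity.Saml2.Schemas;
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Extensions.Options;

// Hypothetical stand-in for the question's login service: maps a username to a local principal.
public interface ILoginService
{
    ClaimsPrincipal Login(string username, string password);
}

public class AuthController : Controller
{
    // Claim types are the attribute Names from the assertion (assumed ITfoxtec mapping).
    // EPPN is the attribute shown in the question's trace; "mail" is the usual attribute for a
    // deliverable mailbox and is only used here as a fallback if the IdP releases it.
    internal const string EppnClaimType = "urn:oid:1.3.6.1.4.1.5923.1.1.1.6";
    internal const string MailClaimType = "urn:oid:0.9.2342.19200300.100.1.3";

    private const string relayStateReturnUrl = "ReturnUrl";
    private readonly Saml2Configuration config;
    private readonly ILoginService _loginService;

    public AuthController(IOptions<Saml2Configuration> configAccessor, ILoginService loginService)
    {
        config = configAccessor.Value;
        _loginService = loginService;
    }

    [Route("AssertionConsumerService")]
    public async Task<IActionResult> AssertionConsumerService()
    {
        var binding = new Saml2PostBinding();
        var saml2AuthnResponse = new Saml2AuthnResponse(config);

        // Pass 1: decode the POSTed response far enough to read its status.
        // Nothing in it is trusted yet.
        binding.ReadSamlResponse(Request.ToGenericHttpRequest(validate: true), saml2AuthnResponse);
        if (saml2AuthnResponse.Status != Saml2StatusCodes.Success)
        {
            throw new AuthenticationException($"SAML Response status: {saml2AuthnResponse.Status}");
        }

        // Pass 2: Unbind validates the signature and assertion and fills ClaimsIdentity.
        // Read attributes only from here on, and insist on an authenticated identity.
        binding.Unbind(Request.ToGenericHttpRequest(validate: true), saml2AuthnResponse);
        var identity = saml2AuthnResponse.ClaimsIdentity;
        if (identity == null || !identity.IsAuthenticated)
        {
            throw new AuthenticationException("SAML Response carried no authenticated identity.");
        }

        // Issues the cookie principal built from the SAML claims (ITfoxtec's logout flow reads
        // NameId and SessionIndex back from it).
        await saml2AuthnResponse.CreateSession(HttpContext, claimsTransform: (claimsPrincipal) => ClaimsTransform.Transform(claimsPrincipal));

        var relayStateQuery = binding.GetRelayStateQuery();
        var returnUrl = relayStateQuery.ContainsKey(relayStateReturnUrl) ? relayStateQuery[relayStateReturnUrl] : Url.Content("~/");

        // Local login keyed on the e-mail attribute instead of the NameID.
        var email = GetEmail(identity);
        var user = _loginService.Login(email, null);
        await HttpContext.SignInAsync(user);

        return Redirect(returnUrl);
    }

    // Prefer eduPersonPrincipalName, fall back to mail, and fail closed if neither is present.
    // The error lists the claim types that did arrive, which is what you need when an IdP
    // releases attributes under a different Name than expected.
    internal static string GetEmail(ClaimsIdentity identity)
    {
        var email = identity.FindFirst(EppnClaimType)?.Value
                    ?? identity.FindFirst(MailClaimType)?.Value;
        if (string.IsNullOrWhiteSpace(email))
        {
            var present = string.Join(", ", identity.Claims.Select(c => c.Type).Distinct());
            throw new AuthenticationException($"No e-mail attribute in assertion; claims present: {present}");
        }
        return email.Trim();
    }
}
```

One caveat on the attribute itself: eduPersonPrincipalName is a scoped identifier of the form user@scope and is not guaranteed to be a deliverable mailbox, so if the application actually sends mail to this value, ask the IdP to release the mail attribute as well and prefer that one.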