Authentication and Authorization in ASP.NET
Authentication is the process of determining a user’s identity, and authorization determines if a user has access to a resource.
In ASP.NET, the IAuthenticationService uses a collection of registered IAuthenticationHandler instances, along with middleware, to perform authentication-related actions such as Authenticate, Challenge, and SignOut.
Each handler encapsulates the logic for a specific provider. For example, the OIDC implementation obtains Identity Tokens from the configured OIDC-based SSO server. In contrast, the SAML2P IAuthenticationHandler implementation sends authentication SAMLRequests on Challenge, and receives and validates SAMLResponses upon successful authentication.
A single host can have multiple Authentication Handlers registered, even of the same type, each one connecting to a different external provider.
Authentication Schemes
An Authentication Scheme is the name by which a specific IAuthenticationHandler, and its authentication-related actions such as Challenge, is referred to.
You can manually specify the IAuthenticationHandler you wish to use by passing the correct scheme into the relevant actions. If a scheme is not specified, the default scheme will be used.
public IActionResult Login()
{
    // "saml2p" selects the handler explicitly; omit it to use the default challenge scheme.
    return Challenge(new AuthenticationProperties { RedirectUri = "/" }, "saml2p");
}
SAML2p Authentication handlers as Service Providers
Our SAML Service Provider component is a standard ASP.NET authentication handler (IAuthenticationHandler), just like the Microsoft OpenID Connect authentication handler.
Each IAuthenticationHandler is treated as a separate ServiceProvider instance with its own configuration and metadata document/metadata address. Just like other Authentication Handlers, each handler requires its own unique CallbackPath (the Assertion Consumer Service endpoint) so that, on successful authentication, tokens/SAML messages are directed to the correct IAuthenticationHandler/ServiceProvider. The default CallbackPath in the SAML2P component is /saml/acs. You can read more on this in our Federating with Multiple External Providers documentation.
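The registration below is an added example, not code from this page or from the SAML2P component itself. It shows a cookie scheme as the default, the Microsoft OpenID Connect handler, and two SAML2P handlers of the same type registered under different scheme names, each with its own CallbackPath so that a SAMLResponse is routed to the handler that issued the SAMLRequest. The AddSaml2p extension method and the option names under ServiceProviderOptions/IdentityProviderOptions are assumptions standing in for the component's real registration API; all hostnames and ids are constructed values.

```csharp
// Added example: multiple authentication handlers, each with a distinct CallbackPath.
// AddSaml2p(...) and its option shape are ASSUMED placeholders for the SAML2P
// component's registration API; AddCookie/AddOpenIdConnect are the standard handlers.
using Microsoft.AspNetCore.Authentication.Cookies;
using Microsoft.AspNetCore.Authentication.OpenIdConnect;

var builder = WebApplication.CreateBuilder(args);
builder.Services.AddControllers();

builder.Services.AddAuthentication(options =>
    {
        // Used when an action is called without naming a scheme.
        options.DefaultScheme = CookieAuthenticationDefaults.AuthenticationScheme;
        // Challenge() with no scheme name falls through to the OIDC handler here.
        options.DefaultChallengeScheme = "oidc";
    })
    .AddCookie()
    .AddOpenIdConnect("oidc", options =>
    {
        options.Authority = "https://sso.example.test";      // constructed value
        options.ClientId = "my-client";                        // constructed value
        options.CallbackPath = "/signin-oidc";
        options.SignInScheme = CookieAuthenticationDefaults.AuthenticationScheme;
    })
    // First SAML2P handler: a ServiceProvider in its own right.
    .AddSaml2p("saml2p", options =>                            // ASSUMED API
    {
        options.CallbackPath = "/saml/acs";                    // the component's default ACS path
        options.ServiceProviderOptions.EntityId = "https://sp.example.test/saml2p";
        options.IdentityProviderOptions.EntityId = "https://idp-a.example.test";
        options.IdentityProviderOptions.SingleSignOnEndpoint = "https://idp-a.example.test/sso";
        // A real configuration also needs the IdP signing certificate used to
        // validate SAMLResponse signatures; omitted here as it is deployment-specific.
        options.SignInScheme = CookieAuthenticationDefaults.AuthenticationScheme;
    })
    // Second SAML2P handler, same type, different external provider.
    .AddSaml2p("saml2p-partner", options =>                    // ASSUMED API
    {
        // Must differ from "/saml/acs": with a shared path the SAMLResponse for this
        // provider would be delivered to the "saml2p" handler and fail validation there.
        options.CallbackPath = "/saml/partner/acs";
        options.ServiceProviderOptions.EntityId = "https://sp.example.test/saml2p-partner";
        options.IdentityProviderOptions.EntityId = "https://idp-b.example.test";
        options.IdentityProviderOptions.SingleSignOnEndpoint = "https://idp-b.example.test/sso";
        options.SignInScheme = CookieAuthenticationDefaults.AuthenticationScheme;
    });

var app = builder.Build();
app.UseAuthentication();   // runs the registered handlers' middleware
app.UseAuthorization();
app.MapControllers();
app.Run();
```

The point to check in any deployment is that no two handlers share a CallbackPath and that each ServiceProvider EntityId matches what the corresponding IdP has on file; the metadata document each handler publishes is generated from exactly these values.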
Accessing the authentication actions of a SAML ServiceProvider is done the same way as other Authentication Handlers, by passing the configured Authentication Scheme into the relevant Controller actions or calling the appropriate extension methods on HttpContext.
Example of calling a Controller action:
public IActionResult Login()
{
    return Challenge(new AuthenticationProperties { RedirectUri = "/" }, "saml2p");
}
Example of calling an extension method on HttpContext:
var result = await HttpContext.AuthenticateAsync("saml2p");
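As an added example (not the page's own code), the controller below exercises all three actions against the "saml2p" scheme and, unlike the one-liners above, inspects the AuthenticateResult instead of assuming a principal is present. It assumes the handlers are registered as described earlier, with a cookie scheme as the sign-in scheme; the controller and action names are hypothetical.

```csharp
// Added example: Challenge, Authenticate and SignOut against a named scheme.
// Assumes a "saml2p" handler and a cookie sign-in scheme are registered.
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Authentication.Cookies;
using Microsoft.AspNetCore.Mvc;

public class AccountController : Controller   // hypothetical controller
{
    // Challenge: the SAML2P handler builds a SAMLRequest and redirects to the IdP.
    // RedirectUri is where the user lands after the SAMLResponse has been validated.
    [HttpGet]
    public IActionResult Login(string returnUrl = "/")
    {
        // Only honour local return URLs so the post-login redirect cannot be
        // pointed off-site by a crafted link.
        if (!Url.IsLocalUrl(returnUrl))
        {
            returnUrl = "/";
        }
        return Challenge(new AuthenticationProperties { RedirectUri = returnUrl }, "saml2p");
    }

    // Authenticate: check Succeeded/Failure rather than dereferencing Principal blindly.
    [HttpGet]
    public async Task<IActionResult> WhoAmI()
    {
        AuthenticateResult result = await HttpContext.AuthenticateAsync("saml2p");
        if (!result.Succeeded)
        {
            // Failure carries the handler's reason (no session, invalid assertion, ...).
            return Unauthorized(result.Failure?.Message ?? "not authenticated");
        }

        var name = result.Principal.Identity?.Name ?? "(no name claim)";
        return Content($"Authenticated as {name} via {result.Ticket.AuthenticationScheme}");
    }

    // SignOut: clear the local cookie and let the SAML2P handler run its sign-out.
    // POST + anti-forgery so a third-party page cannot trigger a logout.
    [HttpPost]
    [ValidateAntiForgeryToken]
    public IActionResult Logout()
    {
        return SignOut(new AuthenticationProperties { RedirectUri = "/" },
            CookieAuthenticationDefaults.AuthenticationScheme, "saml2p");
    }
}
```

Passing several scheme names to SignOut, as in Logout above, runs each handler's sign-out in turn; listing the cookie scheme first ensures the local session is cleared even if the external provider's sign-out does not complete.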
For more information on Authentication and Authorization in .NET see the Microsoft documentation.