Implement CAS SSO using GSS.Authentication.CAS.AspNetCore

[DevtrustModCo]

Hi there,
I have a blazor server app with and authentication feature beased on identity and a login/pwd forme. I have a requirement to implement SSO using CAS 3.0. The authentication flow should be the following : the users will autenticate to there CAS server first, clique on a link and they will be redirected to my app and here i need to start the full sso authentication flow :
1- Redirecting them to their cas server by using a very precise query: let's say https://CASServer/#?service=https://myapp/API/Connect
2- As the user is already athenticated on the CAS server, the server will send me back a ticket that i need to validate before r
3- Once the ticket is validated, i need to readclaims to create and # the user
4 then redirecting the user to a page called : https://myapp/UserPage

I tryed to use the library but it seems to break in the HandleRemoteAuthenticateAsync methode because the state is empty. When i use debuggin, it looks like the first methode called is HandleRemoteAuthenticateAsync , so yes the state is empty.
Would anybody know how do i fixe this. Please note that mycallbackpath value is API/Connect and this is not a real endpoint ( i dont have a page or a controller like this).

I have been struggling with this for the last 3 weeks, so thank a million for your help. here is my startup.cs code for ConfigureServices
public void ConfigureServices(IServiceCollection services)
{
OnConfiguringServices(services);

        services.AddHttpContextAccessor();
        services.AddScoped<HttpClient>(serviceProvider =>
        {

          var uriHelper = serviceProvider.GetRequiredService<NavigationManager>();

          return new HttpClient
          {
            BaseAddress = new Uri(uriHelper.BaseUri)
          };
        });

        services.AddHttpClient();
        services.AddAuthorization();


        //services.AddAuthorization(opts =>
        //{
        //    opts.FallbackPolicy = new AuthorizationPolicyBuilder()
        //        .RequireAuthenticatedUser()
        //        .Build();
        //});
        services.AddAuthentication(options =>
        {
            options.DefaultChallengeScheme = "CAS";
            options.DefaultSignInScheme = "CAS";
           
        }
        
        )

.AddCAS("CAS",options =>
{
options.CasServerUrlBase = Configuration["CasServerUrl"];
options.CallbackPath = Configuration["CallbackPath"];

options.Events.OnCreatingTicket = context =>
{
    if (context.Identity == null)
    {
       
        return Task.CompletedTask;

    }
   
    // Map claims from assertion
    var assertion = context.Assertion;
    context.Identity.AddClaim(new Claim(ClaimTypes.NameIdentifier, assertion.PrincipalName));
    if (assertion.Attributes.TryGetValue("display_name", out var displayName))
    {
        context.Identity.AddClaim(new Claim(ClaimTypes.Name, displayName));
    }

    if (assertion.Attributes.TryGetValue("email", out var email))
    {
        context.Identity.AddClaim(new Claim(ClaimTypes.Email, email));
    }

    return Task.CompletedTask;
};

})
.AddJwtBearer(options =>
{
options.TokenValidationParameters = new TokenValidationParameters
{
ValidateIssuer = true,
ValidateAudience = true,
ValidAudience = Configuration["AuthSettings:Audience"],
ValidIssuer = Configuration["AuthSettings:Issuer"],
RequireExpirationTime = true,
IssuerSigningKey = new SymmetricSecurityKey(Encoding.UTF8.GetBytes(Configuration["AuthSettings:Key"])),
ValidateIssuerSigningKey = true
};
});

[akunzai]

Hi @DevtrustModCo,

Here is a Blazor Server sample, and It works for me.

Please compare it to your code and modify your code as needed.

[DevtrustModCo]

Dear Akunzai, I hope this message finds you well. I wanted to express my sincere gratitude for your assistance in resolving the issue with my CAS server. It turns out the server was configured to accept only specific parameters, primarily the service parameter, leading to the initial complications. Now, I find myself facing a new challenge and could use your expertise. As part of our application's requirements, we need to implement a logout mechanism. When a user logs out from the CAS server, an endpoint on our side should be triggered. Despite my attempts, I haven't been successful in achieving this. The primary requirement is to disconnect the user from our application when the CAS server initiates a logout. I've set up an endpoint on our side ( /API/GAR/Disconnect), but integrating it seamlessly with the CAS server's logout process has proven challenging. I was wondering if you have any insights or suggestions on how to achieve this. Specifically, I aim to handle the CAS server's logout request in a way that allows us to perform the necessary user logout or session cleanup in our application. Any guidance or advice you can provide would be immensely appreciated. Thank you once again for your invaluable support. Best regards, Le ven. 30 juin 2023 à 17:50, Charley Wu ***@***.***> a écrit :

…

Hi @DevtrustModCo <https://github.com/DevtrustModCo>, Here is a Blazor Server sample <https://github.com/akunzai/GSS.Authentication.CAS/tree/main/samples/BlazorServerSample>, and It works for me. Please compare it to your code and modify your code as needed. — Reply to this email directly, view it on GitHub <#350 (comment)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/A2LP2SXUS47Z6GWWKSW7M53XN3YVVANCNFSM6AAAAAAZYHXLIQ> . You are receiving this because you were mentioned.Message ID: <akunzai/GSS .***@***.***>

[akunzai]

1. Make sure SLO is enabled at your CAS server for your web app
2. Make sure SLO requests can be sent to your web app

   for local development, you can try any tool like ngrok that can bridge requests to localhost

3. Enable SLO in your web app, take look this sample

[DevtrustModCo]

Hello, Thank you for your answer. My issue is solved now, the provided sample was my emergecy exit. Again, thanks a milion . Le dim. 14 janv. 2024, 13:33, Charley Wu ***@***.***> a écrit :

…

1. Make sure SLO <https://apereo.github.io/cas/6.6.x/installation/Logout-Single-Signout.html> is enabled at your CAS server for your web app 2. Make sure SLO requests can be sent to your web app for local development, you can try any tool like ngrok <https://ngrok.com/> that can bridge requests to localhost 3. Enable SLO in your web app, take look this sample <https://github.com/akunzai/GSS.Authentication.CAS/blob/8a286bb7f1a4af80367bd6d83517d516ed2dbbed/samples/AspNetCoreSample/Program.cs#L12C56-L12C68> — Reply to this email directly, view it on GitHub <#350 (reply in thread)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/A2LP2SUMP36BGNZGFINKHALYOPGATAVCNFSM6AAAAAAZYHXLISVHI2DSMVQWIX3LMV43SRDJONRXK43TNFXW4Q3PNVWWK3TUHM4DCMRTGQ4DM> . You are receiving this because you were mentioned.Message ID: <akunzai/GSS .***@***.***>