
ACS doesn't process SAML response in a sub-application

I'm struggling to find the cause of this behavior. I have a simple MVC application with the SustainSys package configured. I've tried configuring it for both our internal SecureAuth server and also the https://stubidp.sustainsys.com test server.

It all works on localhost and when it's the root application of our internal IIS server.

When I place it in an IIS sub-application folder, it redirects to the sso server login, comes back to the ~/Saml2/Acs route with the authentication info (I see it in fiddler2), but the Acs doesn't seem to process it at that point and I remain unauthenticated and therefore it heads back to the login page and I start looping.

I'm aware of sub-app web.config inheritance, so I've even removed the web.config from the root so nothing is conflicting with the one in the sub-app. I've played with the returnURL parameter to no effect (with or without subdirectory included).

The applications in IIS (root and sub-app) are configured the same for authentication.

I'm running out of ideas to test. Anyone have any thoughts?

<sustainsys.saml2 entityId="https://apps.xxxxx.com" returnUrl="https://apps.xxxxx.com/yyyyy">
    <identityProviders>
        <add entityId="https://sso.xxxxx.com/SecureAuthXX" signOnUrl="https://sso.xxxxx.com/SecureAuthXX" allowUnsolicitedAuthnResponse="true" binding="HttpRedirect">
            <signingCertificate fileName="~/App_Data/SecureAuth03VM.xxxxx.com.cer" />
        </add>
    </identityProviders>
    <federations>
        <add metadataLocation="https://apps.xxxxx.com/Federation" allowUnsolicitedAuthnResponse="true" />
    </federations>
</sustainsys.saml2>
<system.identityModel.services>
    <federationConfiguration>
        <cookieHandler requireSsl="true" name="CookieAuth" />
    </federationConfiguration>
</system.identityModel.services>

I solved the problem and I wanted to post what fixed it as maybe it might help someone else one day.

The issue was not with the SAML response or the Sustainsys library, but rather an attribute missing from the web.config. After adding "path='/'" to the cookieHandler element in the federation configuration (see below), it began persisting the authorization state in the System.Security.Principal and now works perfectly in the root application as well as all sub-applications.

<system.identityModel.services>
    <federationConfiguration>
        <cookieHandler requireSsl="true" name="FedAuth" path="/" />
    </federationConfiguration>
</system.identityModel.services>

There are two steps where I thought this could go wrong:

  1. The Acs Url in the generated AuthnRequest is incorrect. Please check the displayed XML content on the StubIdp to see if it correctly reflects the sub-application directory. If not, this is a bug/missing feature in the Sustainsys.Saml2.Mvc package.
  2. The application does not correctly invoke the MVC controller embedded in the Sustainsys.Mvc package when deployed to a sub directory. You can test this by hitting http://yoursite.com/SubDir/Saml2 - if it works it should return the metadata XML. If this is the case, you need to review the route configuration in your application to ensure that the path is correctly routed to the controller in the MVC package.
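The two things the answers above tell you to verify, the ACS URL advertised in the SP metadata and the scope of the session cookie issued at the ACS, can be checked offline with a short script. This is an added example, not code from either answer or from Sustainsys; the metadata document, hostnames and cookie values are constructed placeholders, and the cookie rules follow RFC 6265 section 5.1.4.

```python
import xml.etree.ElementTree as ET
from http.cookies import SimpleCookie

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"

# Constructed SP metadata, shaped like what GET /SubDir/Saml2 returns; the
# hostnames are placeholders, and the ACS Location deliberately lacks the
# sub-application segment so that the first check flags it.
SAMPLE_METADATA = """<?xml version="1.0" encoding="utf-8"?>
<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
                  entityID="https://apps.example.com">
  <SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <AssertionConsumerService index="0" isDefault="true"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://apps.example.com/Saml2/Acs"/>
  </SPSSODescriptor>
</EntityDescriptor>
"""

def acs_locations(metadata_xml):
    """Every AssertionConsumerService Location the SP advertises."""
    root = ET.fromstring(metadata_xml)
    return [e.get("Location") for e in root.iter(f"{{{MD_NS}}}AssertionConsumerService")]

def acs_under_base(metadata_xml, app_base_url):
    """Check 1: does each ACS URL sit under the sub-application's base URL?"""
    base = app_base_url.rstrip("/") + "/"
    return all(loc.startswith(base) for loc in acs_locations(metadata_xml))

def default_cookie_path(request_path):
    """RFC 6265 5.1.4 default-path used when Set-Cookie carries no Path attribute."""
    if not request_path.startswith("/") or request_path.count("/") <= 1:
        return "/"
    return request_path[:request_path.rfind("/")]

def path_matches(cookie_path, request_path):
    """RFC 6265 5.1.4 path-match: will a cookie scoped to cookie_path be sent?"""
    if request_path == cookie_path:
        return True
    if request_path.startswith(cookie_path):
        return cookie_path.endswith("/") or request_path[len(cookie_path)] == "/"
    return False

def session_cookie_sent_on(set_cookie_header, set_at_path, request_path):
    """Check 2: is a cookie issued by the ACS at set_at_path sent on request_path?"""
    jar = SimpleCookie()
    jar.load(set_cookie_header)
    morsel = next(iter(jar.values()))
    cookie_path = morsel["path"] or default_cookie_path(set_at_path)
    return path_matches(cookie_path, request_path)
```

Run `acs_under_base` against the real metadata from `/SubDir/Saml2` with your sub-application's base URL, and feed the `Set-Cookie` header captured in Fiddler at the ACS response into `session_cookie_sent_on` with the path of the page that keeps redirecting you back to the login.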
