We have created a Blazor application built using .NET 6.0 and Sustainsys.Saml2 2.9.0 for SSO using SAML 2 to our WSO2 server. Everything is working as expected in that every page is SSO protected. There is one page that we would like to have not protected by the SSO to be publicly accessible. How is this possible?
I have looked through the Sustainsys.Saml2 documentation and examples but do not see any clear way to exclude a page. I've also tried modifying portions of the Program.cs file related to both authentication and authorization but have not found anything that would seem to help. I have also looked at the App.razor file and am wondering if I need to alter the Authentication settings found there. Or should I modify or use the built-in .NET Authorization Policies to create a custom policy rather than the default?
The current Program.cs:

    // Cookie scheme holds the local session; unauthenticated requests are challenged via SAML2.
    builder.Services.AddAuthentication(sharedOptions =>
    {
        sharedOptions.DefaultScheme = CookieAuthenticationDefaults.AuthenticationScheme;
        sharedOptions.DefaultSignInScheme = CookieAuthenticationDefaults.AuthenticationScheme;
        sharedOptions.DefaultChallengeScheme = "Saml2";
    })
    .AddSaml2(options =>
    {
        options.SPOptions.EntityId = new EntityId(ApplicationSettings.Environment);
        options.SPOptions.PublicOrigin = new Uri(ApplicationSettings.Environment, UriKind.RelativeOrAbsolute);
        options.IdentityProviders.Add(
            new IdentityProvider(
                new EntityId(ApplicationSettings.EntityId), options.SPOptions)
            {
                MetadataLocation = ApplicationSettings.SamlCertificate
            });
    })
    .AddCookie();

    // The fallback policy applies to every endpoint that has no authorization metadata of its own.
    builder.Services.AddAuthorization(options =>
    {
        options.FallbackPolicy = options.DefaultPolicy;
    });

The current App.razor:

    <CascadingAuthenticationState>
        <Router AppAssembly="@typeof(App).Assembly">
            <Found Context="routeData">
                <AuthorizeRouteView RouteData="@routeData" DefaultLayout="@typeof(MainLayout)">
                    <Authorizing>
                        <text>Please wait, we are authorizing you...</text>
                    </Authorizing>
                    <NotAuthorized>
                        <text>You are not authorized to access this application. Contact the help desk if you think there is a problem.</text>
                    </NotAuthorized>
                </AuthorizeRouteView>
                <FocusOnNavigate RouteData="@routeData" Selector="h1" />
            </Found>
            <NotFound>
                <PageTitle>Not found</PageTitle>
                <LayoutView Layout="@typeof(MainLayout)">
                    <p role="alert">Sorry, there's nothing at this address.</p>
                </LayoutView>
            </NotFound>
        </Router>
    </CascadingAuthenticationState>
    @{
    }

Since your authentication is already set up and working as expected on all pages, you can use the following attribute on specific pages that you want to allow non-authenticated users to access:

    @attribute [AllowAnonymous]

From the namespace:

    @using Microsoft.AspNetCore.Components.Authorization
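
A complete public page using this attribute, as an added example that is not part of the original answer. The file name, the `/public-info` route and the page text are hypothetical; the page also uses `AuthorizeView` so that the same component renders differently for signed-in and anonymous visitors.

```razor
@* PublicInfo.razor: hypothetical file name and route, added for illustration *@
@page "/public-info"
@* AllowAnonymousAttribute is defined in Microsoft.AspNetCore.Authorization *@
@using Microsoft.AspNetCore.Authorization
@* AuthorizeView is defined in Microsoft.AspNetCore.Components.Authorization *@
@using Microsoft.AspNetCore.Components.Authorization
@* Tells AuthorizeRouteView in App.razor to render this page without an authenticated user *@
@attribute [AllowAnonymous]

<PageTitle>Public information</PageTitle>

<h1>Public information</h1>

<AuthorizeView>
    <Authorized>
        @* Shown only when the SAML sign-in has already produced an authenticated principal *@
        <p>Signed in as @(context.User.Identity?.Name).</p>
    </Authorized>
    <NotAuthorized>
        @* Shown to anonymous visitors; keep anything sensitive out of this branch and out of the page body *@
        <p>You are viewing this page without signing in.</p>
    </NotAuthorized>
</AuthorizeView>
```

The attribute governs what `AuthorizeRouteView` renders. The `FallbackPolicy` set in Program.cs is applied separately by the authorization middleware to endpoints that carry no authorization metadata of their own.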