
I am having trouble combining several libraries and a load balanced environment to produce successful login functionality.

I'm working with Microsoft.AspNetCore.Identity.EntityFramework 2.0.3 and a custom SAML implementation, which uses Microsoft.AspNetCore.Identity.SignInManager.GetExternalLoginInfoAsync() to get login information. Locally it all works fine together, even in IIS. But on a server that this is deployed to, it doesn't work. GetExternalLoginInfoAsync() fails to authenticate, forcing the Identity system to redirect to the login page and not allow the user authentication to proceed. Though, it has intermittently worked in a load-balanced environment. Perhaps 1% of the time it works, mainly after a fresh deployment of the code. Then it goes back to not working.

This is what I see in the log when it is deployed to the load balanced server:

AuthenticationScheme: "Identity.External" was not authenticated.

This is my generic Identity startup:

    services.AddIdentity<ApplicationUser, IdentityRole>()
        .AddEntityFrameworkStores<ApplicationDbContext>()
        .AddDefaultTokenProviders();

BTW, a standard ASP.Net Identity implementation works just fine in this load balanced environment. But not the implementation with GetExternalLoginInfoAsync().

I have looked here on SO and on MS's site, but I can't find anything that addresses this scenario.

The code I'm using is based on this project. Here is where it tries to call the method in question:

    var info = await _signInManager.GetExternalLoginInfoAsync();
    if (info == null)
    {
        _logger.LogWarning("Null login info");
        return RedirectToPage("./Login");
    }

Locally, this does not return null, and the info is used to log in to ASP.Net Identity. On the server, it returns null.

How can I make GetExternalLoginInfoAsync() work 100% on the server, load balanced or not, when it works just fine locally?

jaycer
  • I think you're going to struggle here. Are you trying to log in with the likes of Facebook and Google? I think they require you to have an HTTPS connection due to personal details being passed back, so it has to be encrypted. – Josh Stevens Jul 19 '18 at 19:28
  • Thanks, no it's a SAML system, internal to the organization, but external to this application. The flow is: client -> load balancer -> ASP.Net application -> load balancer -> client -> SAML system (login) -> client -> load balancer -> ASP.Net application. The communication between the ASP.Net application and the load balancer is on http, everything else is https. – jaycer Jul 19 '18 at 19:34
  • 1
    how is the authentication happening.. you are not using oAuth? have you got any more code to share? – Josh Stevens Jul 19 '18 at 19:56
  • 1
    Are you sure the issue is the https/http thing? Could the load balancer be dropping some header / cookie information before passing the http request along? – Sal Jul 20 '18 at 05:08
  • I have edited the question quite a bit, and added more code. https doesn't appear to be the issue, because we added a cert and changed the bindings. The load balancer admin says that it is not removing any cookies. I will do more checking with Fiddler. – jaycer Jul 23 '18 at 15:10
  • And no, it is not using OAuth. – jaycer Jul 23 '18 at 15:18
  • How many nodes? Are you using sticky session with your balancer? Session information (in memory) is being shared between nodes or you need sticky session? Try balancer with only one node, just to verify. – gorlok Jul 25 '18 at 13:36
  • It's two nodes, with sticky sessions. I tried limiting it to one node by shutting one down. Then Identity login worked twice within the same browser window. But once I closed the browser and tried again it didn't work. There weren't any code changes, so I don't know why it worked twice then stopped working. – jaycer Jul 25 '18 at 14:01
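The Identity.External cookie that GetExternalLoginInfoAsync() reads is protected with ASP.NET Core Data Protection keys, and by default each node (and each fresh app-pool process) generates its own key ring, so a cookie written by one node cannot be unprotected by another. The following is an added example, not code from the question or from the project it is based on: it configures a key ring shared by every node and adds a check that tells apart "cookie never arrived" (something in front of the app dropped it) from "cookie arrived but could not be unprotected" (key ring mismatch). The application name, the UNC path and the certificate thumbprint are placeholders.

```csharp
using System.IO;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.DataProtection;
using Microsoft.AspNetCore.Http;
using Microsoft.AspNetCore.Identity;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.Extensions.Logging;

public static class FarmAuthSetup
{
    // Call from Startup.ConfigureServices next to services.AddIdentity(...).
    public static void AddSharedDataProtection(IServiceCollection services)
    {
        services.AddDataProtection()
            // Must be identical on every node; it is mixed into every key derivation.
            .SetApplicationName("IdentitySamlPortal")                        // assumed name
            // A location every node can read and write, e.g. a UNC share.
            .PersistKeysToFileSystem(new DirectoryInfo(@"\\fileserver\dpkeys")) // assumed path
            // Encrypt the persisted keys at rest; install the certificate on every node.
            .ProtectKeysWithCertificate("<THUMBPRINT-PLACEHOLDER>");
    }

    // Run from the external-login callback (or a diagnostic endpoint) before
    // calling GetExternalLoginInfoAsync() to see why the scheme did not authenticate.
    public static async Task<string> DiagnoseExternalCookieAsync(HttpContext context, ILogger logger)
    {
        var result = await context.AuthenticateAsync(IdentityConstants.ExternalScheme);
        if (result.Succeeded)
        {
            return "ok";
        }

        // Identity 2.x uses the scheme name "Identity.External" as the cookie name as well.
        bool present = context.Request.Cookies.ContainsKey(IdentityConstants.ExternalScheme);
        // The cookie handler reports "Unprotect ticket failed" when the key ring does not match.
        string verdict = present ? "cookie-present-unprotect-failed" : "cookie-missing";
        logger.LogWarning("External login cookie check: {Verdict} ({Failure})",
            verdict, result.Failure?.Message ?? "no failure detail");
        return verdict;
    }
}
```

If the verdict is "cookie-missing" on the callback request, capture the request on the node itself (Fiddler on the client only shows what left the browser) to confirm whether the load balancer forwards the Set-Cookie and Cookie headers unchanged.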

0 Answers