Merge pull request #430 from DFE-Digital/rh/157607--update-usage-of-d…

…si-to-work-with-waf Update to allow DSI to work with GIAS behind proxy/WAF
DFE-Digital · Aug 10, 2023 · 9c7371b · 9c7371b
2 parents 15a60a4 + 1d52fe7
commit 9c7371b
Show file tree

Hide file tree

Showing 2 changed files with 12 additions and 0 deletions.
diff --git a/Web/Edubase.Web.UI/App_Start/StartupSecureAccess.cs b/Web/Edubase.Web.UI/App_Start/StartupSecureAccess.cs
@@ -30,6 +30,7 @@ public partial class StartupSecureAccess
         public static string ApplicationIdpEntityId => AppSettings[nameof(ApplicationIdpEntityId)];
         public static Uri ExternalAuthDefaultCallbackUrl => new Uri(AppSettings[nameof(ExternalAuthDefaultCallbackUrl)]);
         public static Uri MetadataLocation => new Uri(AppSettings[nameof(MetadataLocation)]);
+        public static Uri PublicOrigin => string.IsNullOrWhiteSpace(AppSettings[nameof(PublicOrigin)]) ? null : new Uri(AppSettings[nameof(PublicOrigin)]);
 
         public void ConfigureAuth(IAppBuilder app)
         {
@@ -84,6 +85,12 @@ private static Saml2AuthenticationOptions CreateAuthServicesOptions()
                 MinIncomingSigningAlgorithm = "http://www.w3.org/2000/09/xmldsig#rsa-sha1"
             };
 
+            if (PublicOrigin != null)
+            {
+                // Only set if provided via configuration
+                spOptions.PublicOrigin = PublicOrigin;
+            }
+
             var authServicesOptions = new Saml2AuthenticationOptions(false) { SPOptions = spOptions };
 
             var idp = new IdentityProvider(new EntityId(MetadataLocation.AbsoluteUri), spOptions)

diff --git a/Web/Edubase.Web.UI/Web.config b/Web/Edubase.Web.UI/Web.config
@@ -268,11 +268,16 @@
       - `SessionExpireTimeSpan`           The duration (hh:MM:ss) for which the session cookie remains valid,
                                             - specifically the `Expires/Max-Age` field on the cookie.
                                             - See also: Edubase.Web.UI.StartupSecureAccess.ConfigureAuth
+      - `PublicOrigin`                    The URL of the GIAS website, as seen by the Identity Provider (IDP).
+                                          This may be required if the GIAS website is hosted behind a proxy/WAF.
+                                          Omitting this setting will default to using the value provided by `request.ApplicationUrl`.
+                                          See also #157607 and #171878.
     -->
     <add key="ApplicationIdpEntityId" value="https://stg.education.gov.uk/edubase" />
     <add key="ExternalAuthDefaultCallbackUrl" value="http://localhost:51350/Account/ExternalLoginCallback" />
     <add key="MetadataLocation" value="https://pp-gias.signin.education.gov.uk/saml/metadata" />
     <add key="SessionExpireTimeSpan" value="00:59:00" />
+    <!-- <add key="PublicOrigin" value="" /> -->
 
     <!--
       SA/DSI Simulator configuration