Share via

How to override Sustainsys.Saml2 ACS URL to /api/Saml2/Acs instead of default /Saml2/Acs in .NET Core?

Niket Kumar Singh 540 Reputation points
2025-04-04T11:57:02.36+00:00

Hi all,

I'm integrating SAML-based SSO using Azure AD (Enterprise App) with a .NET 6 Web API using Sustainsys.Saml2 (via code-based configuration).

My Goal:

I want to use the Assertion Consumer Service (ACS) endpoint at: https://localhost:5001/api/Saml2/Acs (instead of the default /Saml2/Acs route hardcoded by Sustainsys).

🔧 My Setup:

Azure AD SSO (Enterprise App):

  • Identifier (Entity ID): https://xxxxxxxxxxxxxxxxx/a/webapi/api/externallogin/saml/identifier
  • Reply URL (ACS): https://localhost:5001/api/Saml2/Acs (only this is configured)

ASP.NET Core Controller:

[Route("api/Saml2")]
[ApiController]
public class Saml2Controller : ControllerBase
{
    [HttpGet("Microsoft_Login")]
    [AllowAnonymous]
    public IActionResult MicrosoftLogin() =>
        Challenge(new AuthenticationProperties(), "Saml2");

    [HttpPost("Acs")]
    [AllowAnonymous]
    public IActionResult Acs() =>
        Ok("SAML response processed.");
}

Startup.cs Configuration:

services.AddAuthentication()
    .AddSaml2(options =>
    {
        options.SPOptions.EntityId = new EntityId("https://xxxxxxxxxxxxxxx/a/webapi/api/externallogin/saml/identifier");
        options.SPOptions.PublicOrigin = new Uri("https://localhost:5001");
        options.SPOptions.ModulePath = "/api/Saml2";  // tried this
        options.IdentityProviders.Add(new IdentityProvider(
            new EntityId("https://sts.windows.net/<tenant-id>/"), options.SPOptions)
        {
            MetadataLocation = "https://login.microsoftonline.com/<tenant-id>/federationmetadata/2007-06/federationmetadata.xml",
            LoadMetadata = true
        });
    });

Even though I’ve:

Added the correct [Route("api/Saml2")] on the controller

Configured Azure AD reply URL as /api/Saml2/Acs

Tried setting SPOptions.ModulePath = "/api/Saml2"

Still, when initiating login and tracing the SAML AuthnRequest in network tools:

The AssertionConsumerServiceURL in the request sent to Azure is: https://localhost:5001/Saml2/Acs (❌)

❌ This causes the following error from Azure AD:

AADSTS50011: The reply URL specified in the request does not match the reply URLs configured for the application.

Browser address bar correctly redirects to /api/Saml2/Acs, but the actual SAML response POST still goes to /Saml2/Acs

I’ve read GitHub Issue #1031 and confirmed:

  • AssertionConsumerServiceUrl cannot be overridden in Sustainsys v2.x
  • Only SPOptions.ModulePath can change the base path (/Saml2)
  • The hardcoded /Acs path cannot be changed in v2.x
  • Some users had to fork the repo to override AuthServicesUrls.cs
  1. Is there any supported way in Sustainsys.Saml2 v2.x to fully override the ACS URL (e.g., to /api/Saml2/Acs)?
  2. Is there a workaround (besides forking the repo) to force the correct AssertionConsumerServiceUrl in the SAML request?
  3. Would switching to Sustainsys v3 or a different lib (e.g., ITfoxtec) help with this scenario?

Any help or guidance from the community would be highly appreciated!

.NET F#
.NET F#
.NET: Microsoft Technologies based on the .NET software framework.F#: A strongly typed, multi-paradigm programming language developed by the F# Software Foundation, Microsoft, and open contributors.
129 questions
0 comments

Your answer

Answers can be marked as Accepted Answers by the question author, which helps users to know the answer solved the author's problem.