PIV authentication not working with ASP.NET webforms app

I’m trying to implement PIV authentication with my application. The app I’m supporting is an ASP.NET Web Forms app (.NET 4.7.2). Other users in my org have successfully implemented this by creating a button that simply redirects the user to {orgURL}/login/cert?fromURI={loginRedirectURIForApp}. When I follow this approach, the PIV credentials look like they are being authenticated by Okta, and the redirect to my application occurs; however, at that point my application is not recognizing the user as being authenticated (HttpContext.Current.User.IsAuthenticated evaluates to false). Thanks for any help/suggestions.

What you’re describing sounds to me like the user is able to login via PIV and get redirected back to your application, but no OAuth flow is kicked off, so OWIN doesn’t think the user is authenticated.

This is more or less how PIV (or other external IdP authentication) is designed to work in Okta: users can only be redirected to a given URI after they login via PIV, otherwise they will wind up on the Okta dashboard (had you not included the fromURI, this is what would have occurred).

To work around this assumption, you will need to make the authorize call for the user once they land on your application to start the OAuth flow, which will likely involve having the fromURI set to the login or main route of your application to facilitate this. Since they were able to have an Okta session created, your application can make an /authorize request (redirect) based on the presence of this session and, since the session already exists, the user will be immediately redirected back to the redirect_uri without being prompted to authenticate again.

Basic steps would look something like this:

  1. User accesses application
  2. Application checks if user has session, does nothing because session does not yet exist
  3. User clicks on button to login with PIV
  4. User is logged in with PIV
  5. Application checks if user has session, makes /authorize redirect because session exists
  6. User winds up on the callback route with the authorization_code and/or tokens, depending on the flow, application handles callback and stores token
  7. isAuthenticated evaluates to true.

That makes sense. Thank you. I’m using the Okta.aspnet SDK and following the example provided at https://github.com/okta/samples-aspnet-webforms/tree/master/self-hosted-login/okta-aspnet-webforms-example (converted to VB.NET), which doesn’t have an implementation of CAC login. How would I start the OAuth flow on the login page (to which I’m being redirected from Okta when using PIV authentication)? Currently it looks like the OAuth flow is started when a postback to the login page is connected with the following block:

' Only a POST from the sign-in widget (which carries a sessionToken) starts the OIDC flow
If Request.RequestType = "POST" And Not Request.IsAuthenticated Then
    Dim sessionToken As String = Request.Form("sessionToken").ToString()
    Dim properties = New AuthenticationProperties()
    ' The Okta OWIN middleware reads the sessionToken from the properties dictionary
    properties.Dictionary.Add("sessionToken", sessionToken)
    properties.RedirectUri = "/"

    ' Challenge lives on the Authentication manager of the OWIN context
    HttpContext.Current.GetOwinContext().Authentication.Challenge(properties, OpenIdConnectAuthenticationDefaults.AuthenticationType)
End If

Since the redirect from Okta would be a GET request, do I need to just modify this block to remove the “POST” request type check? And then how would I get the sessionToken?
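One way to wire the answer's step 5 into the sample's login page, as an added example that is not code from the thread or from the Okta sample: it keeps the existing sessionToken POST path and adds a GET path that challenges the OWIN OpenID Connect middleware without a sessionToken, relying on the Okta browser session created by PIV. The query-string marker pivReturn is an assumption (set fromURI on the PIV button to the login page with ?pivReturn=1) so that only the PIV round trip triggers an automatic /authorize redirect, rather than every anonymous GET of the login page.

```vbnet
Imports System
Imports System.Web
Imports Microsoft.Owin.Security
Imports Microsoft.Owin.Security.OpenIdConnect

Partial Class Login
    Inherits System.Web.UI.Page

    ' Hypothetical marker: fromURI on the PIV button points at "/Login.aspx?pivReturn=1"
    Private Const PivReturnParam As String = "pivReturn"

    Protected Sub Page_Load(sender As Object, e As EventArgs) Handles Me.Load
        ' Already signed in: nothing to start, send the user to the app
        If Request.IsAuthenticated Then
            Response.Redirect("~/", True)
            Return
        End If

        ' Path 1 (unchanged from the sample): sign-in widget posted a sessionToken
        If Request.RequestType = "POST" AndAlso Request.Form("sessionToken") IsNot Nothing Then
            StartOidcFlow(Request.Form("sessionToken"))
            Return
        End If

        ' Path 2: Okta redirected back after PIV with a GET. There is no sessionToken
        ' to forward; the existing Okta session makes /authorize return immediately.
        If Request.RequestType = "GET" AndAlso Request.QueryString(PivReturnParam) = "1" Then
            StartOidcFlow(Nothing)
            Return
        End If

        ' Any other GET renders the login page normally (no automatic redirect)
    End Sub

    Private Sub StartOidcFlow(sessionToken As String)
        Dim properties As New AuthenticationProperties()
        If Not String.IsNullOrEmpty(sessionToken) Then
            ' Only forwarded when the widget supplied one; the GET path omits it
            properties.Dictionary("sessionToken") = sessionToken
        End If
        ' Keep the post-login destination fixed and app-relative; taking it from an
        ' unvalidated query parameter would turn the login page into an open redirect
        properties.RedirectUri = "/"
        HttpContext.Current.GetOwinContext().Authentication.Challenge(
            properties, OpenIdConnectAuthenticationDefaults.AuthenticationType)
    End Sub
End Class
```

After the challenge, the middleware handles the callback route and sets the cookie, so Request.IsAuthenticated is true on the next request to the application.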