Over the past few months, we have been updating our SAML component to work with both IdentityServer4 and Duende IdentityServer. As a result, we have split our component into separate packages to handle SAML identity provider and service provider functionality.
To support both versions of IdentityServer, we have made changes to the namespaces used by the component. For the majority of users, this means a simple search and replace from Rsk.IdentityServer4.Saml to Rsk.Saml.IdentityServer4. If you are extending any of our implementations, then you may need to update some method signatures.
Which SAML Library Should I Use?
Choose from the options below to decide which SAML library you should use:
- I am a SAML Service Provider: I want to allow users to log in using an external SAML Identity Provider: use Rsk.Saml
- I am a SAML Identity Provider: I want to allow users in external systems to log in using my user store:
- I am using IdentityServer4: use Rsk.Saml.IdentityServer4
- I am using Duende IdentityServer: use Rsk.Saml.DuendeIdentityServer
Other Libraries
In order to support both IdentityServer4 and Duende IdentityServer, and remove all dependencies on IdentityServer from our service provider functionality, we now have some new SAML libraries:
- Rsk.Saml: core SAML functionality and service provider functionality
- Rsk.Saml.IdentityServer4: IdentityServer4 SAML identity provider functionality
- Rsk.Saml.DuendeIdentityServer: Duende IdentityServer SAML identity provider functionality
- Rsk.Saml.IdentityProvider: shared functionality between the IdentityServer4 or Duende IdentityServer libraries
Storage Layers
- Rsk.IdentityProvider.Storage.EntityFramework: core entity framework storage layer for identity providers
- Rsk.Saml.IdentityServer4.EntityFramework: IdentityServer4 storage layer
- Rsk.Saml.DuendeIdentityServer.EntityFramework : Duende IdentityServer storage layer
If you are an existing customer of our SAML component, you can continue to use Rsk.IdentityServer4.Saml and Rsk.IdentityServer4.Saml.EntityFramework libraries. These libraries reference the correct version of our new package structure, with version 4 providing IdentityServer4 support and version 5 providing Duende IdentityServer support.
Release Notes – Rsk.Saml v3.3.0
Before we cover the big v4 changes, here are the highlights from recent minor versions of our SAML identity provider (IdP) and service provider (SP) libraries:
- IdP: Added
UseLegacyRsaEncryptionoption to disable the use of RSAES-PKCS1-v1_5. This currently defaults to true but will be changed to false in an upcoming release - IdP: Interaction generator service is now called after user authentication, allowing for the use of a consent screen or cancel button
- SP: Added support for AttributeConsumingService
- Added support for NameIDPolicy
- Updated internal cryptography libraries to use .NET Core implementations
Release Notes – Rsk.Saml v4
With this release, we have changed the namespaces to always use the root namespace Rsk.Saml. We have also changed some method signatures; however, you will only see this if you are overwriting any of the internals of our SAML component.
If you experience any issues with the new structure, please contact us at support@identityserver.com, and we will be happy to help.
New Features
- IdP: Added support for Duende IdentityServer
- SP: Added support for .NET 5.0
Improvements
- SP: Dropped dependency on IdentityServer
- IdP: Improved developer experience with
ISamlInteractionService. You can now pass the full return URL to theGetRequestContextmethod. This is not a breaking change as the method can handle both the request ID and return URL - Improved logging of received SAML response messages
- Added
ISamlSigningCertificateStoreextensibility point for SAML specific signing material - IdP: Added
ISamlClientStoreextensibility point for SAML specific client application configuration - IdP: Added
ISamlResourceStoreextensibility for SAML specific resource & scope configuration - Added SAML-specific configuration options for controlling Content Security Policy (CSP) headers when using the HTTP POST binding
Breaking Changes
- Root namespace change: all namespaces now use
Rsk.Saml - Dropped support for IdentityServer4 v3
- Obsoletes from Rsk.Saml v3 have now been removed
- Removed
GenerateNameIdfromISamlNameIdService. Please use theISamlNameIdGeneratorinstead - SP: Updated logout validation failure to throw an
InvalidOperationException, copying the behavior of Microsoft authentication handlers. This behavior can be overridden using theThrowOnLogoutErrorconfiguration setting - SP: Removed custom
ISamlSpNameIdService. Please use the coreISamlNameIdServiceinstead - SP: Renamed
RequireSamlResponseDestinationtoRequireSamlMessageDestination - SP: Removed
RequireAuthenticationRequestsSigned - IdP: Updated the default value of
RequireValidSamlLogoutRequeststo true. This setting will be removed in a future version, and invalid SAML logout requests will always result in an error
2021 Roadmap – Update
From our roadmap, we are now focusing on adding artifact binding support to the IdP side of our component, and a Single Logout (SLO) approach that will allow front-channel SLO after upcoming browser changes. The 2021 roadmap:
- Full removal of IdentityServer4 from Rsk.Saml (completed)
- Support for more back-channel binding types (artifact binding)
- Focus on improving documentation with feature specific documentation
- Support for “traditional” SAML SLO (not using iFrames)
- Additional documentation for debugging steps and FAQs
- Stretch goal: revamp of signing and encryption algorithm support
Our feature development is heavily influenced by customer feedback. So, if you have any feature requests, let us know!
