Rock Solid Knowledge is pleased to announce version 2.4 of the IdentityServer4 SAML component. This release includes new features for both SAML Service Providers and Identity Providers, based on user feedback and sponsored development.
- SP: Added support for HTTP Redirect binding responses
- SP: Added support for IdP-Initiated SSO
- IdP: Added support for full SAML SP-Initiated SLO
- IdP: Added support for SAML IdP-Initiated SLO
- Fixed typo in NameID constants
- Dropped support for IdentityServer v2.2
New Service Provider Features
Added support for HTTP Redirect binding responses
The Service Provider component can now receive SAML responses & assertions using the HTTP redirect binding. The SP metadata document has been updated to include this binding. The HTTP POST binding is still marked as the default binding type.
Added support for IdP-Initiated Single Sign On (SSO)
The Service Provider component can now receive unsolicited SAML responses & assertions using IdP-Initiated SSO. This behaviour is disabled by default and can be enabled using the AllowIdpInitiatedSso property.
Many of our customers are constrained to only use IdP-Initiated SSO by external parties. So, whilst we would not recommend this for new projects, this is something we have added to facilitate them. Because of the security concerns with this flow, this is not a feature we will be adding to the IdP side of our product.
You can read more about this feature and its security concerns in our article Dangers of using IdP-Initiated SSO.
We recommend implementing replay detection when using this flow. This can be facilitated using your implementation of IDistributedCache. If using this feature, we recommend using a production-ready non-volatile cache such as Redis or SQL Server.
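The following is an added example of the replay detection recommended above; it is not code from the Rock Solid Knowledge component and does not use its API. It assumes the Service Provider hands your code the already signature-validated Assertion element, and the class name `SamlAssertionReplayDetector`, the method `TryAcceptAsync` and the cache key prefix are hypothetical. It records each accepted assertion ID in an `IDistributedCache` entry that expires at the assertion's `NotOnOrAfter` time (plus clock skew), so a second delivery of the same unsolicited assertion is rejected.

```csharp
// Added example: replay detection for IdP-initiated (unsolicited) SAML assertions
// using IDistributedCache. Not part of the SAML component; names are hypothetical.
using System;
using System.Text;
using System.Threading.Tasks;
using System.Xml;
using System.Xml.Linq;
using Microsoft.Extensions.Caching.Distributed;
using Microsoft.Extensions.Caching.Memory;
using Microsoft.Extensions.Options;

public sealed class SamlAssertionReplayDetector
{
    private static readonly XNamespace Saml2 = "urn:oasis:names:tc:SAML:2.0:assertion";
    private const string KeyPrefix = "saml:sp:seen-assertion:"; // hypothetical key prefix

    private readonly IDistributedCache _cache;
    private readonly TimeSpan _clockSkew;

    public SamlAssertionReplayDetector(IDistributedCache cache, TimeSpan? clockSkew = null)
    {
        _cache = cache ?? throw new ArgumentNullException(nameof(cache));
        _clockSkew = clockSkew ?? TimeSpan.FromMinutes(5);
    }

    // Returns true when the assertion ID is seen for the first time (and is now recorded),
    // false when the same ID was already accepted (a replay) or the assertion has expired.
    // Call this only after the component has validated the signature and conditions.
    public async Task<bool> TryAcceptAsync(XElement assertion, DateTimeOffset now)
    {
        var id = (string)assertion.Attribute("ID");
        if (string.IsNullOrEmpty(id))
            throw new ArgumentException("Assertion element has no ID attribute", nameof(assertion));

        // Conditions/@NotOnOrAfter bounds how long the IdP considers the assertion valid, so
        // the cache entry only needs to live until then (plus the skew we tolerate).
        var notOnOrAfter = assertion.Element(Saml2 + "Conditions")?.Attribute("NotOnOrAfter");
        var expires = notOnOrAfter != null
            ? XmlConvert.ToDateTimeOffset((string)notOnOrAfter)
            : now.AddMinutes(5); // conservative fallback when the IdP sets no Conditions
        expires = expires.Add(_clockSkew);

        if (expires <= now)
            return false; // already outside its validity window; nothing worth recording

        var key = KeyPrefix + id;
        if (await _cache.GetAsync(key) != null)
            return false; // this assertion ID has been accepted before: replay

        await _cache.SetAsync(key, Encoding.UTF8.GetBytes("1"),
            new DistributedCacheEntryOptions { AbsoluteExpiration = expires });
        return true;
    }
}

public static class ReplayDetectorDemo
{
    public static async Task Main()
    {
        // Constructed sample assertion (not a real capture); only the attributes the
        // detector reads are present.
        var now = new DateTimeOffset(2024, 1, 1, 12, 0, 0, TimeSpan.Zero);
        var assertion = XElement.Parse(
            "<Assertion xmlns=\"urn:oasis:names:tc:SAML:2.0:assertion\" " +
            "ID=\"_example-assertion-id-1\" Version=\"2.0\">" +
            "<Conditions NotBefore=\"2024-01-01T11:58:00Z\" NotOnOrAfter=\"2024-01-01T12:05:00Z\"/>" +
            "</Assertion>");

        // In-memory IDistributedCache for the demo; in production use a shared,
        // non-volatile store (e.g. the Redis or SQL Server providers) as the post advises.
        IDistributedCache cache = new MemoryDistributedCache(
            Options.Create(new MemoryDistributedCacheOptions()));
        var detector = new SamlAssertionReplayDetector(cache);

        Console.WriteLine("first delivery accepted: " + await detector.TryAcceptAsync(assertion, now));
        Console.WriteLine("second delivery accepted: " + await detector.TryAcceptAsync(assertion, now));
    }
}
```

Two caveats on this design: the `GetAsync`/`SetAsync` pair is not atomic, so two simultaneous deliveries of the same assertion can both pass the check; if that window matters, back the detector with a store that offers an atomic insert (for example a unique index on the assertion ID in SQL Server) rather than a plain cache. And the cache must be shared by every SP instance and survive restarts, which is why an in-process or volatile cache is unsuitable for this check.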
New Identity Provider Features
Added support for full SAML SP-Initiated Single Log Out (SLO)
The Identity Provider component now supports both the receipt of logout requests and the ability to return logout responses. Logout responses are facilitated by the
Added support for SAML IdP-Initiated Single Log Out (SLO)
The Identity Provider component now supports the ability to send logout requests to Service Providers that are a part of the IdentityServer session. This uses a similar approach to OpenID Connect’s front-channel logout, where iframes are created to send HTTP Redirect and POST binding logout requests via the browser.
You can read more about SLO in our documentation.