Beta Instructions

To get access to the beta, please email [email protected]. The SAML2P beta is available until 1st December 2017.

A sample project can be found on GitHub

Nuget Installation

To install the beta nuget package, you must first create a local package source. The best article we've found on how to do this is:

Once you have the package source up and running, and your nuget package placed in that directory, the package will be available to install using the namespace IdentityServer4.Saml.

Please note that the SAML2P library is still in beta so, when you go to install the package, look for pre-release versions.


Including the usual required services for IdentityServer, also include something like the following:


    /* other registrations */
    .AddInMemoryServiceProviders(new List<ServiceProvider>());

Note: you cannot use the temporary RSA key generated by AddTemporarySigningCredential. This plugin requires a full X509 cert.




  • SamlEndpoint: base url for SAML2P functionality. Defaults to saml
  • WantAuthenticationRequestsSigned: accepts on signed authentication requests. Default to true
  • DefaultNameIdentifierFormat: defaults to urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified
  • DefaultCanonicalizationMethod: defaults to
  • DefaultDigestAlgorithm: defaults to
  • DefaultSignatureAlgorithm: defaults to
  • DefaultClaimMapping: dictionary for mapping OIDC claim types to SAML specific assertion types. Defaults:

Dictionary of IdentityServer 4 claim type, SAML2P assertion type.

{ "name", ""},
{ "email", "" },
{ "given_name", "" },
{ "family_name", "" },
{ "birthdate", "" },
{ "website", "" },
{ "gender", "" },
{ "role", "" }

Configuring a Service Provider


  • ProtocolType must be set as IdentityServerConstants.ProtocolTypes.Saml2p or “saml2p”
  • RedirectUris must include every url that will issue SAML authentication requests
  • AllowedScopes must still be used. This will dictate what claim types will be returned as SAML assertions

Service Provider

  • EntityId
  • SigningCertificates: public keys for validating requests
  • AssertionConsumerServices: supported bindings & associated urls for serivce provider. This can be found on the Service Providers metadata
  • ClaimsMapping: service provider specific claim mappings. Otherwise default to those found in the SAML options.


  • SAML error responses not supported. Errors stay within IdentityServer
  • Only Service Provider initiated authentication requests supported
  • Only the HTTP Redirect binding type supported for authentication requests
  • Only the HTTP POST binding type supported for authentication responses
  • No SAML Logout for beta