SAML2P Instructions


NuGet Installation

IdentityServer support for SAML2P is available on NuGet, and can be installed via the Package Manager or the dotnet CLI.

install-package Rsk.IdentityServer4.Saml

or for IdentityServer 1.x support:

install-package Rsk.IdentityServer4.Saml -Version 1.0.0


Alongside the usual IdentityServer service registrations, add something like the following:

    services.AddIdentityServer()
        /* other registrations */
        .AddSamlPlugin(options =>
        {
            options.Licensee = "";
            options.LicenseKey = "";
        })
        .AddInMemoryServiceProviders(new List<ServiceProvider>());

Note: you cannot use the temporary RSA key generated by AddTemporarySigningCredential. This plugin requires a full X.509 certificate.


SAML Options

  • SamlEndpoint: base url for SAML2P functionality. Defaults to saml
  • WantAuthenticationRequestsSigned: accepts only signed authentication requests. Defaults to true
  • DefaultNameIdentifierFormat: defaults to urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified
  • DefaultCanonicalizationMethod: defaults to
  • DefaultDigestAlgorithm: defaults to
  • DefaultSignatureAlgorithm: defaults to
  • DefaultClaimMapping: dictionary for mapping OIDC claim types to SAML specific assertion types. Defaults:

Dictionary of IdentityServer 4 claim type, SAML2P assertion type.

    { "name", "" },
    { "email", "" },
    { "given_name", "" },
    { "family_name", "" },
    { "birthdate", "" },
    { "website", "" },
    { "gender", "" },
    { "role", "" }

Configuring a Service Provider

Client

  • ClientId of the service provider. Must be the same as the EntityId
  • ProtocolType must be set to IdentityServerConstants.ProtocolTypes.Saml2p or "saml2p"
  • AllowedScopes must still be used. This will dictate what claim types will be returned as SAML assertions

Service Provider

  • EntityId of the service provider. Must be the same as the ClientId
  • SigningCertificates: public keys for validating requests
  • AssertionConsumerServices: supported bindings and their associated URLs for the service provider. These can be found in the Service Provider's metadata
  • ClaimsMapping: service provider specific claim mappings. Otherwise defaults to those found in the SAML options
  • EncryptAssertions: enables assertion encryption in responses
  • EncryptionCertificate: public key used to encrypt assertions
  • RequireSamlRequestDestination: ensures a destination has been set in all authentication requests. Defaults to true
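As an added example (not from the original page or the Rsk plugin's own code), here is a Client/ServiceProvider pair wired the way the two lists above describe, plus a start-up check for the mismatches those lists warn about. It assumes the plugin's ServiceProvider type lives in a Rsk.Saml.Models namespace and exposes SigningCertificates as a list of X509Certificate2 and AssertionConsumerServices as a list of Service(binding, location); the EntityId, ACS URL and scopes are placeholders.

```csharp
using System.Collections.Generic;
using System.Linq;
using System.Security.Cryptography.X509Certificates;
using IdentityServer4;
using IdentityServer4.Models;
using Rsk.Saml.Models; // assumed namespace of the plugin's ServiceProvider and Service types

public static class SamlSpConfig
{
    // Placeholders: take the real EntityId and ACS URL from the service provider's metadata.
    const string SpEntityId = "https://sp.example.test/saml";
    const string SpAcsUrl = "https://sp.example.test/saml/acs";
    const string HttpPostBinding = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST";
    public static Client SamlClient() => new Client
    {
        ClientId = SpEntityId, // must equal ServiceProvider.EntityId
        ProtocolType = IdentityServerConstants.ProtocolTypes.Saml2p,
        AllowedScopes = { "openid", "profile", "email" }, // decides which claims become assertions
    };
    // spSigningCert carries only the SP's public key, used to verify its signed requests.
    public static ServiceProvider SamlServiceProvider(X509Certificate2 spSigningCert) => new ServiceProvider
    {
        EntityId = SpEntityId,
        SigningCertificates = new List<X509Certificate2> { spSigningCert },
        AssertionConsumerServices = new List<Service> { new Service(HttpPostBinding, SpAcsUrl) },
        EncryptAssertions = false,
    };
    // Start-up consistency check: report misconfigurations instead of meeting them at first login.
    public static List<string> Validate(IEnumerable<Client> clients, IEnumerable<ServiceProvider> sps, bool wantRequestsSigned)
    {
        var errors = new List<string>();
        foreach (var sp in sps)
        {
            var client = clients.FirstOrDefault(c => c.ClientId == sp.EntityId);
            if (client == null) { errors.Add($"{sp.EntityId}: no Client with a matching ClientId"); continue; }
            if (client.ProtocolType != IdentityServerConstants.ProtocolTypes.Saml2p)
                errors.Add($"{sp.EntityId}: ProtocolType is '{client.ProtocolType}', expected saml2p");
            if (!client.AllowedScopes.Any())
                errors.Add($"{sp.EntityId}: no AllowedScopes, so no claims would be asserted");
            if (wantRequestsSigned && !sp.SigningCertificates.Any())
                errors.Add($"{sp.EntityId}: signed requests required but no SigningCertificates configured");
            if (sp.AssertionConsumerServices.Any(s => s.Binding != HttpPostBinding))
                errors.Add($"{sp.EntityId}: only the HTTP POST binding is supported for responses");
            if (sp.EncryptAssertions && sp.EncryptionCertificate == null)
                errors.Add($"{sp.EntityId}: EncryptAssertions is set but no EncryptionCertificate");
        }
        return errors;
    }
}
```

Run Validate over the same collections you hand to AddInMemoryClients and AddInMemoryServiceProviders and fail start-up if it returns anything.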

Limitations

  • SAML error responses not supported. Errors stay within IdentityServer
  • SAML logout responses not currently supported. Logout requests stay within IdentityServer
  • Only Service Provider initiated authentication requests supported
  • Only the HTTP POST binding type supported for authentication responses