SAML2P Instructions

Instructions

Nuget Installation

IdentityServer support for SAML2P is available on nuget, and can be installed via the package manager or Dotnet CLI.

install-package Rsk.IdentityServer4.Saml

or for IdentityServer 1.x support:

install-package Rsk.IdentityServer4.Saml -Version 1.0.0

Installation

In addition to the usual service registrations required by IdentityServer, add something like the following:

Dependencies

services.AddIdentityServer()
    /* other registrations */
    .AddSamlPlugin(options =>
            {
                options.Licensee = "";
                options.LicenseKey = "";
            })
    .AddInMemoryServiceProviders(new List<ServiceProvider>());

Note: you cannot use the temporary RSA key generated by AddTemporarySigningCredential. This plugin requires a full X.509 certificate as the signing credential.

Pipeline

app.UseIdentityServer()
   .UseIdentityServerSamlPlugin();

Options

  • SamlEndpoint: base url for SAML2P functionality. Defaults to saml
  • WantAuthenticationRequestsSigned: only accepts signed authentication requests. Defaults to true
  • DefaultNameIdentifierFormat: defaults to urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified
  • DefaultCanonicalizationMethod: defaults to http://www.w3.org/2001/10/xml-exc-c14n#
  • DefaultDigestAlgorithm: defaults to http://www.w3.org/2001/04/xmlenc#sha256
  • DefaultSignatureAlgorithm: defaults to http://www.w3.org/2001/04/xmldsig-more#rsa-sha256
  • DefaultClaimMapping: dictionary for mapping OIDC claim types to SAML specific assertion types. Defaults:

Dictionary of IdentityServer 4 claim type, SAML2P assertion type.

{ "name", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"},
{ "email", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress" },
{ "given_name", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname" },
{ "family_name", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname" },
{ "birthdate", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/dateofbirth" },
{ "website", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/webpage" },
{ "gender", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/gender" },
{ "role", "http://schemas.microsoft.com/ws/2008/06/identity/claims/role" }

Configuring a Service Provider

Client

  • ClientId of the service provider. Must be the same as the EntityId
  • ProtocolType must be set as IdentityServerConstants.ProtocolTypes.Saml2p or “saml2p”
  • AllowedScopes must still be used. This will dictate what claim types will be returned as SAML assertions

Service Provider

  • EntityId of the service provider. Must be the same as the ClientId
  • SigningCertificates: public keys for validating requests
  • AssertionConsumerServices: supported bindings & associated URLs for the service provider. These can be found in the Service Provider's metadata
  • ClaimsMapping: service provider specific claim mappings. Otherwise defaults to those found in the SAML options
  • EncryptAssertions: enables assertion encryption in responses
  • EncryptionCertificate: public key used to encrypt assertions
  • RequireSamlRequestDestination: ensures a destination has been set in all authentication requests. Defaults to true
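As an added example (not part of the plugin's own documentation), the following shows a matching Client and ServiceProvider pair for one service provider, with the ClientId/EntityId kept identical, assertion encryption enabled and a per-provider claim mapping. The Service and SamlBindingTypes types, the Rsk.Saml.Models namespace, the certificate file names and the URLs are assumptions.

```csharp
// Added example: a matching Client / ServiceProvider pair for one SAML2P service provider.
// Assumed (not from the page): the Service and SamlBindingTypes types used for
// AssertionConsumerServices, the Rsk.Saml.Models namespace, certificate paths and URLs.
using System.Collections.Generic;
using System.Security.Cryptography.X509Certificates;
using IdentityServer4;
using IdentityServer4.Models;
using Rsk.Saml.Models; // assumed namespace for ServiceProvider / Service

public static class SamlConfig
{
    const string SpEntityId = "https://sp.example.com/saml"; // constructed value

    // IdentityServer client record. ClientId must equal the SP's EntityId, and
    // AllowedScopes decides which claim types are released as SAML assertions.
    public static IEnumerable<Client> Clients() => new[]
    {
        new Client
        {
            ClientId = SpEntityId,
            ProtocolType = IdentityServerConstants.ProtocolTypes.Saml2p,
            AllowedScopes = { "openid", "profile", "email" }
        }
    };

    // SAML-side record for the same SP. SigningCertificates holds the SP's public key used
    // to validate its signed AuthnRequests; EncryptionCertificate encrypts our assertions.
    public static IEnumerable<ServiceProvider> ServiceProviders() => new[]
    {
        new ServiceProvider
        {
            EntityId = SpEntityId,
            SigningCertificates = new List<X509Certificate2> { new X509Certificate2("sp-signing.cer") },
            AssertionConsumerServices = new List<Service>
            {
                // Taken from the SP metadata; only HTTP POST is supported for responses.
                new Service(SamlBindingTypes.HttpPost, "https://sp.example.com/saml/acs")
            },
            EncryptAssertions = true,
            EncryptionCertificate = new X509Certificate2("sp-encryption.cer"),
            RequireSamlRequestDestination = true,
            ClaimsMapping = new Dictionary<string, string> // per-SP override of the defaults
            {
                { "email", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress" },
                { "role",  "http://schemas.microsoft.com/ws/2008/06/identity/claims/role" }
            }
        }
    };
}
```

Register the two collections with AddInMemoryClients and AddInMemoryServiceProviders respectively, alongside a signing credential backed by an X.509 certificate rather than AddTemporarySigningCredential.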

Limitations

  • SAML error responses not supported. Errors stay within IdentityServer
  • SAML logout responses not currently supported. Logout requests stay within IdentityServer
  • Only Service Provider initiated authentication requests supported
  • Only the HTTP POST binding type supported for authentication responses