Our SAML Identity Provider component is backed by two kinds of data:
- Service Provider Data - the configuration data of the partner Service Providers
- Artifact Data - the HTTP Artifact exchange data. This includes the sensitive SAML messages (assertions and logout messages) that are resolved over the backchannel when the HTTP Artifact Binding is used, so it must be stored and cleaned up with the same care as any other short-lived security token.
This data is accessed dynamically at runtime using services in the DI container. The store interfaces are designed to abstract access to the data. This gives you the flexibility to implement these interfaces yourself, allowing you to use any database of your choice.
We provide EntityFramework Core implementations for relational databases by default. This means that you can use any EF-supported database with our component. When using EntityFramework, we recommend initializing your database and running migrations following the advice in the EntityFramework Core Migrations documentation. Because the component ships its own DbContexts (SamlConfigurationDbContext and SamlArtifactDbContext), target the one you are migrating explicitly with the --context option of the dotnet ef tooling; with more than one DbContext in the project the tooling will otherwise refuse to pick one.
NuGet Package
To use our EntityFramework Core stores with IdentityServer, you will need to install our IdentityServer-specific EF package.
Duende IdentityServer EntityFramework Core package:
dotnet add package Rsk.Saml.DuendeIdentityServer.EntityFramework
IdentityServer4 EntityFramework Core package:
dotnet add package Rsk.Saml.IdentityServer4.EntityFramework
Service Provider Data
We provide two types of store implementations for storing Service Provider configuration data, IServiceProviderStore: EntityFramework Core and in-memory stores.
In-Memory Service Provider Store
The in-memory store allows you to configure your identity provider using an in-memory collection. The in-memory collection can be hard-coded or loaded dynamically from a configuration file. The in-memory store allows you to develop and test your implementation without needing a database. However, it is not recommended in production, as the in-memory collection is only built at application start-up: adding, rotating the certificate of, or removing a Service Provider requires a redeploy or restart.
To use the in-memory Service Provider Store, InMemoryServiceProviderStore, with your IdentityServer, use the AddInMemoryServiceProviders extension on IIdentityServerBuilder.
services.AddIdentityServer()
    // Other configuration code removed for brevity
    .AddSamlPlugin()
    // Replace the empty list with your Service Provider configuration
    .AddInMemoryServiceProviders(new List<ServiceProvider>());
EntityFramework Core Service Provider Store
To use the EF Service Provider Store with your IdentityServer, use the AddSamlConfigurationStore extension on IIdentityServerBuilder. The SamlConfigurationStoreOptions class contains properties that allow you to control the EF store and the underlying SamlConfigurationDbContext.
// Requires: using System.Reflection;
// The assembly that holds the migrations for SamlConfigurationDbContext (here, the host project)
var migrationsAssembly = typeof(Startup).GetTypeInfo().Assembly.GetName().Name;
services.AddIdentityServer()
    // Other configuration code removed for brevity
    .AddSamlPlugin()
    .AddSamlConfigurationStore(options => options.ConfigureDbContext = dbContextBuilder => dbContextBuilder.UseSqlServer(
        "<connection_string>", sqlServerOptions => sqlServerOptions.MigrationsAssembly(migrationsAssembly)));
Registering a Custom Service Provider Store
To register a custom Service Provider store implementation in IdentityServer, use the AddServiceProviderStore extension method on IIdentityServerBuilder.
services.AddIdentityServer()
    // Other configuration code removed for brevity
    .AddSamlPlugin()
    .AddServiceProviderStore<CustomServiceProviderStore>();
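The following is an added example of a custom Service Provider store, not code from the Rsk.Saml documentation or from the component itself. It reads Service Provider records from a JSON file and reloads them when the file changes, which removes the restart-on-change limitation of the in-memory store without introducing a database. It assumes that IServiceProviderStore exposes a single method, Task<ServiceProvider> FindServiceProviderByEntityId(string entityId), that ServiceProvider has EntityId, SigningCertificates and AssertionConsumerServices properties, that Service has a (binding, location) constructor, and that SamlConstants.BindingTypes.HttpPost exists; the JSON record shape, the ServiceProviderFileCache class and the file name are all hypothetical. Check the method and property names against the package version you have installed.

```csharp
// Added example; not the component's own code. Assumed names are marked below.
using System;
using System.Collections.Generic;
using System.IO;
using System.Security.Cryptography.X509Certificates;
using System.Text.Json;
using System.Threading.Tasks;
using Rsk.Saml.Models;   // assumed: ServiceProvider, Service, SamlConstants
using Rsk.Saml.Stores;   // assumed: IServiceProviderStore

// One record in the (hypothetical) JSON file, e.g.
// [{"EntityId":"https://sp.example.com","AcsUrl":"https://sp.example.com/saml/acs","SigningCertificateBase64":"MIIB..."}]
public class ServiceProviderRecord
{
    public string EntityId { get; set; }
    public string AcsUrl { get; set; }
    public string SigningCertificateBase64 { get; set; }
}

// Singleton that owns the parsed records; the store itself can be transient.
public class ServiceProviderFileCache
{
    private readonly string path;
    private readonly object sync = new object();
    private DateTime loadedAt = DateTime.MinValue;
    // Ordinal comparer: entity IDs are matched exactly, never case-folded or normalised.
    private Dictionary<string, ServiceProvider> providers =
        new Dictionary<string, ServiceProvider>(StringComparer.Ordinal);

    public ServiceProviderFileCache(string path) { this.path = path; }

    public ServiceProvider Find(string entityId)
    {
        ReloadIfChanged();
        providers.TryGetValue(entityId, out var sp);
        return sp; // null for an unknown SP, so the IdP rejects the request
    }

    private void ReloadIfChanged()
    {
        var lastWrite = File.GetLastWriteTimeUtc(path);
        if (lastWrite <= loadedAt) return;
        lock (sync)
        {
            if (lastWrite <= loadedAt) return;
            var records = JsonSerializer.Deserialize<List<ServiceProviderRecord>>(File.ReadAllText(path))
                          ?? new List<ServiceProviderRecord>();
            var map = new Dictionary<string, ServiceProvider>(StringComparer.Ordinal);
            foreach (var r in records)
            {
                // Refuse to load an SP without an entity ID, ACS URL or signing certificate
                // rather than silently trusting an incomplete entry.
                if (string.IsNullOrEmpty(r.EntityId) || string.IsNullOrEmpty(r.AcsUrl)
                    || string.IsNullOrEmpty(r.SigningCertificateBase64))
                    continue;
                map[r.EntityId] = new ServiceProvider
                {
                    EntityId = r.EntityId,
                    SigningCertificates = new List<X509Certificate2>
                    {
                        new X509Certificate2(Convert.FromBase64String(r.SigningCertificateBase64))
                    },
                    AssertionConsumerServices = new List<Service>
                    {
                        new Service(SamlConstants.BindingTypes.HttpPost, r.AcsUrl) // assumed ctor
                    }
                };
            }
            providers = map;   // swap atomically; readers never see a half-built map
            loadedAt = lastWrite;
        }
    }
}

public class FileServiceProviderStore : IServiceProviderStore
{
    private readonly ServiceProviderFileCache cache;
    public FileServiceProviderStore(ServiceProviderFileCache cache) { this.cache = cache; }

    // Assumed interface method; verify against the installed IServiceProviderStore.
    public Task<ServiceProvider> FindServiceProviderByEntityId(string entityId)
    {
        if (string.IsNullOrEmpty(entityId)) return Task.FromResult<ServiceProvider>(null);
        return Task.FromResult(cache.Find(entityId));
    }
}

// Registration (in Startup.ConfigureServices or Program.cs):
// services.AddSingleton(new ServiceProviderFileCache("serviceproviders.json")); // hypothetical file
// services.AddIdentityServer()
//     .AddSamlPlugin()
//     .AddServiceProviderStore<FileServiceProviderStore>();
```

The cache is a separate singleton because AddServiceProviderStore<T> is expected to construct T through the DI container, so the store should only take injectable dependencies; keeping the parsed records in one long-lived object also means a configuration reload happens once per file change rather than once per request.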
Artifact Data
For our SAML Identity Provider component, we provide three implementations of the ISamlArtifactStore store.
- Artifact Store that relies on IdentityServer Persisted Grants
- In-memory Artifact Store
- EntityFramework Core Artifact Store
Both the SAML Identity Provider and SAML Service Provider components use ISamlArtifactStore, as either side can use the HTTP Artifact binding to send messages. If you host both the Identity Provider and the Service Provider in the same IdentityServer, they share a single artifact store: with the default DI container the last ISamlArtifactStore registration wins, so register the ISamlArtifactStore only once and make sure that registration is the one you intend to run in production.
IdentityServer Persisted Grants Artifact Store
The SamlPersistedGrantArtifactStore relies on IdentityServer Persisted Grants via the IPersistedGrantService. This store is registered by default when you call .AddSamlPlugin(). Because it stores artifacts wherever IdentityServer stores its persisted grants, it is only as durable and as shared across instances as that operational store: IdentityServer's default persisted grant store is in-memory, so configure a persistent operational store (for example the EF operational store) before relying on this artifact store in production.
In-Memory Artifact Store
This store uses an in-memory collection to store sensitive artifact exchange data. Because the collection lives in a single process, an artifact resolve request that reaches another instance of a load-balanced deployment will not find the artifact, and everything is lost on restart. We recommend using a different implementation if you are using the HTTP Artifact binding in production.
To use the in-memory artifact store, SamlInMemoryArtifactStore, with your IdentityServer, use the AddInMemorySamlArtifactStore extension on IIdentityServerBuilder.
services.AddIdentityServer()
    // Other configuration code removed for brevity
    .AddSamlPlugin()
    .AddInMemorySamlArtifactStore();
EntityFramework Core Artifact Store
To use the EF artifact store with your IdentityServer, use the AddSamlArtifactStore extension on IIdentityServerBuilder. The SamlArtifactStoreOptions class contains properties that allow you to control the EF store and the underlying SamlArtifactDbContext.
// Requires: using System.Reflection;
// The assembly that holds the migrations for SamlArtifactDbContext (here, the host project)
var migrationsAssembly = typeof(Startup).GetTypeInfo().Assembly.GetName().Name;
services.AddIdentityServer()
    // Other configuration code removed for brevity
    .AddSamlPlugin()
    .AddSamlArtifactStore(options => options.ConfigureDbContext = dbContextBuilder => dbContextBuilder.UseSqlServer(
        "<connection_string>", sqlServerOptions => sqlServerOptions.MigrationsAssembly(migrationsAssembly)));
Registering a Custom Artifact Store
To register a custom artifact store implementation in IdentityServer, use the AddCustomArtifactStore extension method on IIdentityServerBuilder.
services.AddIdentityServer()
    // Other configuration code removed for brevity
    .AddSamlPlugin()
    .AddCustomArtifactStore<CustomArtifactStore>();