Add Scoping to the AuthnRequest

Hello everyone,

I’m configuring a SAML implementation and would like to add Scoping to the AuthnRequest using the high-level API and configuration. So far, I’ve mainly seen examples using the low-level API, but I understand that ComponentSpace moderators recommend using the high-level API whenever possible.

For my project, I need to add the following Scoping section to the AuthnRequest:

<samlp:Scoping xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
    <samlp:IDPList>
        <samlp:IDPEntry ProviderID="urn:example:EB:00000000000000000000:entities:0000" />
    </samlp:IDPList>
</samlp:Scoping>

I’ve already set up most of my configuration file, but I can’t find any information on how to set Scoping directly via configuration. My question is whether this is possible within the high-level API, and if so, what is the recommended approach or configuration setting?

Any help or example configurations would be greatly appreciated!

Thanks in advance!

Could you confirm whether this is for SAML for ASP.NET Core or SAML for ASP.NET?

We usually refer to the high-level versus low-level API in SAML for ASP.NET but this topic is tagged for SAML for ASP.NET Core.

Adding scoping is possible with both products although the approach is slightly different.

Thanks.

We are using the licensed 5.1.0 SAML for ASP.NET Core package.
Would like to hear how this is done!

Thanks in advance!

Scoping via configuration isn’t supported. Instead, it can be specified in the ISsoOptions parameter to the _samlServiceProvider.InitiateSsoAsync call.

For example:

var ssoOptions = new SsoOptions()
{
    TrustedIdentityProviders = new List<ITrustedIdentityProvider>()
    {
        new SsoOptions.TrustedIdentityProvider()
        {
            ProviderID = "urn:example:EB:00000000000000000000:entities:0000"
        }
    }
};

// To login automatically at the service provider,
// initiate single sign-on to the identity provider (SP-initiated SSO).
// The return URL is remembered as SAML relay state.
await _samlServiceProvider.InitiateSsoAsync(partnerName, returnUrl, ssoOptions);

This generates the following XML:

<samlp:Scoping>
    <samlp:IDPList>
        <samlp:IDPEntry ProviderID="urn:example:EB:00000000000000000000:entities:0000" />
    </samlp:IDPList>
</samlp:Scoping>
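Because the Scoping element is not visible anywhere in configuration, it is worth confirming in a test that the AuthnRequest the service provider actually emits carries the intended IDPList before relying on it. The following checker is an added example, not ComponentSpace code: it parses an AuthnRequest (here a constructed sample, with placeholder ID, IssueInstant and URLs) using the SAML 2.0 protocol namespace and reports any mismatch between the IDPEntry ProviderID values present and the ones you expect. In practice you would feed it the AuthnRequest XML captured from your own logging or a SAML trace of the SP-initiated SSO redirect.

```python
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"

EXPECTED_PROVIDER_ID = "urn:example:EB:00000000000000000000:entities:0000"

# Constructed sample of an SP-initiated AuthnRequest that carries the Scoping
# element from the thread. ID, IssueInstant and URLs are placeholders.
SAMPLE_AUTHN_REQUEST = f"""<samlp:AuthnRequest xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}"
    ID="_placeholder-request-id" Version="2.0" IssueInstant="2024-01-01T00:00:00Z"
    AssertionConsumerServiceURL="https://sp.example.com/SAML/AssertionConsumerService">
  <saml:Issuer>https://sp.example.com</saml:Issuer>
  <samlp:Scoping>
    <samlp:IDPList>
      <samlp:IDPEntry ProviderID="{EXPECTED_PROVIDER_ID}"/>
    </samlp:IDPList>
  </samlp:Scoping>
</samlp:AuthnRequest>"""

# Constructed sample of the failure mode: the same request with no Scoping at all,
# which is what you get when SsoOptions is not passed to InitiateSsoAsync.
SAMPLE_WITHOUT_SCOPING = f"""<samlp:AuthnRequest xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}"
    ID="_placeholder-request-id" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
  <saml:Issuer>https://sp.example.com</saml:Issuer>
</samlp:AuthnRequest>"""


def extract_scoped_provider_ids(authn_request_xml):
    """Return the ProviderID of every samlp:IDPEntry under samlp:Scoping/samlp:IDPList.

    Returns an empty list when the request has no Scoping element. Raises
    ValueError if the document root is not a samlp:AuthnRequest.
    """
    root = ET.fromstring(authn_request_xml)
    if root.tag != f"{{{SAMLP}}}AuthnRequest":
        raise ValueError(f"expected samlp:AuthnRequest, got {root.tag}")
    scoping = root.find(f"{{{SAMLP}}}Scoping")
    if scoping is None:
        return []
    entries = scoping.findall(f"{{{SAMLP}}}IDPList/{{{SAMLP}}}IDPEntry")
    # ProviderID is required on IDPEntry; keep None so the caller can flag it.
    return [entry.get("ProviderID") for entry in entries]


def check_scoping(authn_request_xml, expected_provider_ids):
    """Compare the emitted IDPList against the expected ProviderIDs.

    Returns a list of human-readable problems; an empty list means the
    AuthnRequest scopes exactly the identity providers you intended.
    """
    expected = list(expected_provider_ids)
    actual = extract_scoped_provider_ids(authn_request_xml)
    problems = []
    if not actual:
        problems.append("AuthnRequest carries no samlp:Scoping/IDPList entries")
        return problems
    if any(pid is None or pid.strip() == "" for pid in actual):
        problems.append("an IDPEntry is missing its ProviderID attribute")
    for pid in expected:
        if pid not in actual:
            problems.append(f"expected ProviderID not present: {pid}")
    for pid in actual:
        if pid is not None and pid not in expected:
            problems.append(f"unexpected ProviderID present: {pid}")
    return problems


if __name__ == "__main__":
    for label, xml in (("with scoping", SAMPLE_AUTHN_REQUEST),
                       ("without scoping", SAMPLE_WITHOUT_SCOPING)):
        problems = check_scoping(xml, [EXPECTED_PROVIDER_ID])
        print(f"{label}: {'OK' if not problems else '; '.join(problems)}")
```

The check deliberately treats an unexpected ProviderID as a problem as well as a missing one: an IDPList that names more identity providers than you intended widens the set of IdPs a proxying IdP may route the user to, which is the opposite of what Scoping is meant to achieve.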

Thanks for the quick response,

We have implemented it as you suggested and it worked :)

This topic can be set to resolved!

Thanks for the update.