Carry-along data

We have a multi-tenant application that uses service-provider-initiated SAML authentication. There are multiple
SAML identity providers, potentially a different one for each tenant. The URL that initially invokes the application
provides the tenant id as a URL query parameter. We use that id to look up the identity provider information, and
initiate the SAML flow.

We need to retain the tenant id between the initial entry to the app, and the entry that results from the POST request
that contains the SAML assertion. We have been keeping this information in an ASP.Net cookie, but this is unsatisfactory
for security reasons, and due to the recent browser changes involving “samesite”. Does the ComponentSpace library provide
a better means of retaining this information? Perhaps in its own session state - can we add into that?


The SAMLController.ConfigurationID is saved to the SAML session state that we maintain.

For SP-initiated SSO, there’s no need to set this property when receiving the SAML response as it was saved when the SAML authn request was sent.

[quote]
ComponentSpace - 6/22/2020
The SAMLController.ConfigurationID is saved to the SAML session state that we maintain.

For SP-initiated SSO, there's no need to set this property when receiving the SAML response as it was saved when the SAML authn request was sent.
[/quote]

Thanks for the response. I'm trying to connect the dots.

When I build my configuration dynamically using ISamlConfigurationResolver, does it still have a ConfigurationID that I specify?

When authentication is complete, how do I determine which ConfigurationId was used? I'm not seeing it in ReceiveSSO.

When your implementation of ISamlConfigurationResolver is called, the configurationID parameter to the various methods is set to the configuration ID you’d previously specified through the SAMLController.ConfigurationID property.

You can also access the configuration ID through the SAMLController.ConfigurationID property. You can do this at the time of calling ReceiveSSO to determine what configuration ID was used.
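The flow described in this thread, as an added example that is not part of the original posts and is not ComponentSpace's own code: the tenant id is validated, stored through SAMLController.ConfigurationID before the authn request is sent, then read back when the SAML response arrives and checked against the IdP that answered. The controller, the tenant map and its URLs are hypothetical, and the InitiateSSO and ReceiveSSO overloads are assumed from the ASP.NET edition of the library.

```csharp
using System.Collections.Generic;
using System.Web.Mvc;
using ComponentSpace.SAML2;

public class SamlController : Controller
{
    // Constructed sample data: tenant id -> IdP name expected for that tenant.
    private static readonly Dictionary<string, string> TenantIdPs =
        new Dictionary<string, string>
        {
            { "tenant-a", "https://idp-a.example/saml" },
            { "tenant-b", "https://idp-b.example/saml" },
        };

    // Entry point, e.g. /Saml/Login?tenant=tenant-a
    public ActionResult Login(string tenant)
    {
        // The query parameter is untrusted input: accept only known tenant ids.
        if (tenant == null || !TenantIdPs.TryGetValue(tenant, out string partnerIdP))
            return new HttpStatusCodeResult(400);

        // Saved to the SAML session state when the authn request is sent.
        SAMLController.ConfigurationID = tenant;
        SAMLServiceProvider.InitiateSSO(Response, null, partnerIdP);
        return new EmptyResult();
    }

    // Assertion consumer service: receives the POST carrying the SAML response.
    [HttpPost]
    public ActionResult AssertionConsumerService()
    {
        // SP-initiated SSO: the property is not set here, only read back.
        string tenant = SAMLController.ConfigurationID;

        // Overload assumed; check the signature in the installed library version.
        SAMLServiceProvider.ReceiveSSO(Request, out bool isInResponseTo,
            out string partnerIdP, out string authnContext, out string userName,
            out IDictionary<string, string> attributes, out string targetUrl);

        // Refuse a response whose issuer is not the IdP registered for this tenant.
        if (tenant == null || !TenantIdPs.TryGetValue(tenant, out string expected)
            || expected != partnerIdP)
            return new HttpStatusCodeResult(403);

        // Create the application session for (tenant, userName) here.
        return Redirect("/");
    }
}
```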