Configuring SAML 2 SP from IdP metadata programmatically

Hello.

I need to be able to configure my system programmatically and I have received a metadata file (xml) from the IdP. Can I get the PartnerIdentityProviderConfiguration object directly from this file programmatically?

SAML metadata files and our SAML configuration file (saml.config) have different formats so you need to extract information from the metadata file and add it to the saml.config file in the correct format.
The Metadata\ImportMetdata project demonstrates how to do this.
This example project makes use of the ComponentSpace.SAML2.Metadata classes to handle the SAML metadata and the ComponentSpace.SAML2.Configuration classes to update the saml.config.
Let me know if you have any other questions.

OK, so this is not possible as a “one-liner”. Is it possible for you to demonstrate how I could change the LoadSAMLConfigurationProgrammatically() method in your sample code (ExampleServiceProvider) to use values read from the file into the metadata classes?

The code in the example shows fixed values:

    samlConfiguration.AddPartnerIdentityProvider(
        new PartnerIdentityProviderConfiguration() {
            Name = "urn:componentspace:ExampleIdentityProvider",
            SignAuthnRequest = false,
            WantSAMLResponseSigned = true,
            WantAssertionSigned = false,
            WantAssertionEncrypted = false,
            SingleSignOnServiceUrl = "http://localhost/ExampleIdentityProvider/SAML/SSOService.aspx",
            SingleLogoutServiceUrl = "http://localhost/ExampleIdentityProvider/SAML/SLOService.aspx",
            PartnerCertificateFile = "idp.cer"
        });

But I would like to get those values from the metadata file.

The Metadata\ImportMetdata project includes the following code which loads the SAML metadata file.

    using System;
    using System.Xml;
    using ComponentSpace.SAML2.Metadata;

    // fileName is the path of the metadata file; in the example project it is a static field.
    private static EntitiesDescriptor LoadMetadata() {
        Console.WriteLine("Loading SAML metadata file {0}.", fileName);

        XmlDocument xmlDocument = new XmlDocument();
        xmlDocument.PreserveWhitespace = true;
        xmlDocument.Load(fileName);

        EntitiesDescriptor entitiesDescriptor = null;

        // Metadata may be a single <EntityDescriptor> or an <EntitiesDescriptor> wrapping several.
        if (EntitiesDescriptor.IsValid(xmlDocument.DocumentElement)) {
            Console.WriteLine("Reading SAML entities descriptor metadata.");
            entitiesDescriptor = new EntitiesDescriptor(xmlDocument.DocumentElement);
        } else if (EntityDescriptor.IsValid(xmlDocument.DocumentElement)) {
            Console.WriteLine("Reading SAML entity descriptor metadata.");
            // Wrap the single entity so callers always receive an EntitiesDescriptor.
            entitiesDescriptor = new EntitiesDescriptor();
            entitiesDescriptor.EntityDescriptors.Add(new EntityDescriptor(xmlDocument.DocumentElement));
        } else {
            throw new ArgumentException("Expecting entities descriptor or entity descriptor.");
        }

        return entitiesDescriptor;
    }

You can then construct an empty SAMLConfiguration and call the MetadataImporter.Import method to import the SAML metadata into the configuration.

    SAMLConfiguration samlConfiguration = new SAMLConfiguration();
    // Receives the IdP certificates found in the metadata.
    IList<X509Certificate2> x509Certificates = new List<X509Certificate2>();

    MetadataImporter.Import(entitiesDescriptor, samlConfiguration, x509Certificates);

Hi again :)

This is working fine for sign-on but the log-out request is not signed, and the provider wants it to be signed. How can I ensure that the log-out request is signed?

For the PartnerIdentityProviderConfiguration you need to set the SignLogoutRequest property to true. If you want to sign the logout response then set the SignLogoutResponse property to true.

    samlConfiguration.AddPartnerIdentityProvider(
        new PartnerIdentityProviderConfiguration() {
            Name = "urn:componentspace:ExampleIdentityProvider",
            SignAuthnRequest = false,
            SignLogoutRequest = true,
            SignLogoutResponse = true,
            WantSAMLResponseSigned = true,
            WantAssertionSigned = false,
            WantAssertionEncrypted = false,
            SingleSignOnServiceUrl = "http://localhost/ExampleIdentityProvider/SAML/SSOService.aspx",
            SingleLogoutServiceUrl = "http://localhost/ExampleIdentityProvider/SAML/SLOService.aspx",
            PartnerCertificateFile = "idp.cer"
        });

Ok. I am loading the configuration from metadata file like this:

    'Import IdentityProviderMetadata into configuration
    Dim x509Certificates As IList(Of X509Certificate2) = New List(Of X509Certificate2)()
    MetadataImporter.Import(entitiesDescriptor__1, samlConfiguration__1, x509Certificates)

Will the following code then do the same?

    'Other configuration
    Dim pipc As PartnerIdentityProviderConfiguration = samlConfiguration__1.PartnerIdentityProviderConfigurations.FirstOrDefault().Value
    If pipc IsNot Nothing Then
        pipc.SignLogoutRequest = True
        pipc.SignLogoutResponse = True
    End If

Yes. Setting these values programmatically is equivalent to the example I showed if using a saml.config file.
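Putting the steps of this thread together in one place, as an added example that is not code from the thread or from ComponentSpace's sample projects: it loads the metadata file, imports it into an empty SAMLConfiguration, refuses an import that yields no partner IdP or an out-of-date certificate, and applies the logout-signing settings to every imported partner IdP rather than only the first. The IdpMetadataLoader class and BuildFromMetadata method are my own names; the ComponentSpace types and the MetadataImporter.Import call are those used in the thread, and the certificate check assumes the importer fills x509Certificates with the IdP certificates it found in the metadata.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Cryptography.X509Certificates;
using System.Xml;
using ComponentSpace.SAML2.Configuration;
using ComponentSpace.SAML2.Metadata;

public static class IdpMetadataLoader
{
    // Hypothetical helper (not part of ComponentSpace's examples): build the SP
    // configuration from an IdP metadata file and apply the signing settings.
    public static SAMLConfiguration BuildFromMetadata(string metadataFile)
    {
        var xmlDocument = new XmlDocument { PreserveWhitespace = true };
        xmlDocument.Load(metadataFile);
        EntitiesDescriptor entitiesDescriptor;
        if (EntitiesDescriptor.IsValid(xmlDocument.DocumentElement))
            entitiesDescriptor = new EntitiesDescriptor(xmlDocument.DocumentElement);
        else if (EntityDescriptor.IsValid(xmlDocument.DocumentElement))
        {
            entitiesDescriptor = new EntitiesDescriptor();
            entitiesDescriptor.EntityDescriptors.Add(new EntityDescriptor(xmlDocument.DocumentElement));
        }
        else
            throw new ArgumentException("Expecting entities descriptor or entity descriptor.");

        var samlConfiguration = new SAMLConfiguration();
        IList<X509Certificate2> x509Certificates = new List<X509Certificate2>();
        MetadataImporter.Import(entitiesDescriptor, samlConfiguration, x509Certificates);
        if (samlConfiguration.PartnerIdentityProviderConfigurations.Count == 0)
            throw new InvalidOperationException("Metadata contained no identity provider; refusing an empty configuration.");

        // A certificate outside its validity period means signature checks on
        // responses and logout messages will fail; fail here instead of at login time.
        var now = DateTime.UtcNow;
        foreach (var certificate in x509Certificates)
            if (now < certificate.NotBefore.ToUniversalTime() || now > certificate.NotAfter.ToUniversalTime())
                throw new InvalidOperationException("IdP certificate " + certificate.Thumbprint + " is not currently valid.");

        // The settings from the thread, applied to every imported partner IdP
        // (the dictionary entries are keyed by partner name, as in the VB snippet above).
        foreach (var entry in samlConfiguration.PartnerIdentityProviderConfigurations)
        {
            PartnerIdentityProviderConfiguration pipc = entry.Value;
            pipc.SignLogoutRequest = true;
            pipc.SignLogoutResponse = true;
            pipc.WantSAMLResponseSigned = true;
        }
        return samlConfiguration;
    }
}
```

The returned configuration is then assigned to the SAML controller in the same way as the programmatic example in ExampleServiceProvider.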