Entity Id usage

I am trying to figure out how and for what the entity id is used, and also whether what I would like to try would cause issues. I'm not seeing where the entity id is used for anything other than identification purposes. I'd like to use this with Azure with multiple projects, with each project having different groups and permissions. Azure requires that the entity id be unique per IdP; my service provider has the ability to set up different configurations, but their entity id is always the same for all configurations. So my question is: is the entity id used for anything other than just an identifier? Also, can I just make up an entity id per service provider configuration?

[quote]
slowcelica - 2/9/2024
I am trying to figure out how and for what the entity id is used, and also whether what I would like to try would cause issues. I'm not seeing where the entity id is used for anything other than identification purposes. I'd like to use this with Azure with multiple projects, with each project having different groups and permissions. Azure requires that the entity id be unique per IdP; my service provider has the ability to set up different configurations, but their entity id is always the same for all configurations. So my question is: is the entity id used for anything other than just an identifier? Also, can I just make up an entity id per service provider configuration?
[/quote]

So, in other simpler terms, is the entity id used to validate anything in the SAML response, or can we make it anything we want as long as it is unique?

The entity ID is part of a provider's SAML metadata and uniquely identifies the provider. According to the SAML specification, it must be a URI (i.e. either a URN or a URL). We recommend using a URL for maximum interoperability. The URL doesn't have to point to a resource etc. You will see some entity IDs that aren't URIs, but this isn't recommended. We support any string value as an entity ID and don't enforce the URI requirement.

All SAML messages include an issuer field which identifies the provider that sent the message. The issuer field and entity ID must have the same value.

Typically, partner SAML metadata is used to set up the internal SAML configuration to support SSO with that partner. The Name is set to the entityID from the metadata. When a SAML message is received, the issuer field is used to look up the corresponding configuration by its Name.

[quote]
ComponentSpace - 2/9/2024
The entity ID is part of a provider's SAML metadata and uniquely identifies the provider. According to the SAML specification, it must be a URI (i.e. either a URN or a URL). We recommend using a URL for maximum interoperability. The URL doesn't have to point to a resource etc. You will see some entity IDs that aren't URIs, but this isn't recommended. We support any string value as an entity ID and don't enforce the URI requirement.

All SAML messages include an issuer field which identifies the provider that sent the message. The issuer field and entity ID must have the same value.

Typically, partner SAML metadata is used to set up the internal SAML configuration to support SSO with that partner. The Name is set to the entityID from the metadata. When a SAML message is received, the issuer field is used to look up the corresponding configuration by its Name.

[/quote]

Thanks for the response. So, as long as our implementation can change the entity id on an SP-initiated request dynamically, we should be able to change the entity id, as long as the IdP is set up with the same entity ids.

Normally, entityIDs are static. If you dynamically changed the entityID of your service provider, this would somehow have to be communicated to the partner identity providers.

If what you mean is that you wish to dynamically specify which partner identity provider to initiate SSO to, that’s done by specifying the partnerName parameter to SAMLServiceProvider.InitiateSSO. The partnerName matches the name of one of the entries in your SAML configuration. These names correspond to the IdP entityIDs.

[quote]
ComponentSpace - 2/12/2024
Normally, entityIDs are static. If you dynamically changed the entityID of your service provider, this would somehow have to be communicated to the partner identity providers.

If what you mean is that you wish to dynamically specify which partner identity provider to initiate SSO to, that's done by specifying the partnerName parameter to SAMLServiceProvider.InitiateSSO. The partnerName matches the name of one of the entries in your SAML configuration. These names correspond to the IdP entityIDs.
[/quote]

I think I explained it wrong. We want to dynamically switch the entity id used, not change the name. For example, client 1 has 3 different configurations with different entity ids, and each configuration maps differently on our side. Based on the token they send us, we want to switch the name of the entity id we use, even though we, the service provider, are initiating.

Just to confirm, the entityID you wish to switch is that of your service provider?

Assuming so, one option is to have separate SAML configurations - one for each of the entityIDs. For more information, please refer to the “Multi-Tenancy Support” section of our Configuration Guide.

https://www.componentspace.com/documentation/saml-for-asp-net/ComponentSpace%20SAML%20for%20ASP.NET%20Configuration%20Guide.pdf

Each tenant has a separate configuration including a local service provider configuration. The local service provider name corresponds to the entityID.

Another option is to implement the ISAMLConfigurationResolver interface which is described in the “Implementing ISAMLConfigurationResolver” section of the Configuration Guide.

Here you can have a single SAML configuration, but you can dynamically change the local service provider name as required.
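As an added illustration of the issuer lookup described in the earlier reply (issuer field matched against the configured Name / entity ID) and of the per-tenant local service provider name described in this one, here is example code that is not ComponentSpace's library or API; the tenant names, URLs and the sample response are constructed. Beyond what the thread states, the SP's entity ID is also the value the IdP places in the assertion's Audience, which is where a receiver checks it against the response.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed multi-tenant configuration (hypothetical names and URLs): each
# tenant has its own local SP entity ID plus its partner IdPs, keyed by the
# IdP entity ID, which is the configuration "Name" the thread refers to.
TENANT_CONFIGS = {
    "tenant-a": {
        "local_sp": "https://sp.example.com/tenant-a",
        "partner_idps": {"https://sts.windows.net/tenant-a-guid/": {"role": "admin"}},
    },
    "tenant-b": {
        "local_sp": "https://sp.example.com/tenant-b",
        "partner_idps": {"https://sts.windows.net/tenant-b-guid/": {"role": "reader"}},
    },
}

# Constructed, unsigned sample response; a real one must have its XML
# signature verified before any of these fields are trusted.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0">
  <saml:Issuer>https://sts.windows.net/tenant-a-guid/</saml:Issuer>
  <saml:Assertion ID="_a1" Version="2.0">
    <saml:Issuer>https://sts.windows.net/tenant-a-guid/</saml:Issuer>
    <saml:Conditions><saml:AudienceRestriction>
      <saml:Audience>https://sp.example.com/tenant-a</saml:Audience>
    </saml:AudienceRestriction></saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""


def resolve_partner(tenant, response_xml):
    """Return ("ok", partner_cfg), ("unknown-issuer", issuer) or ("audience-mismatch", aud)."""
    cfg = TENANT_CONFIGS[tenant]
    root = ET.fromstring(response_xml)
    # The message Issuer names the sending provider; it must equal the entity
    # ID (Name) of a partner configured for this tenant, or the message is rejected.
    issuer = root.findtext("saml:Issuer", default="", namespaces=NS).strip()
    partner = cfg["partner_idps"].get(issuer)
    if partner is None:
        return ("unknown-issuer", issuer)
    # The tenant's local SP entity ID is what the IdP names as the Audience.
    audience = root.findtext(".//saml:AudienceRestriction/saml:Audience",
                             default="", namespaces=NS).strip()
    if audience != cfg["local_sp"]:
        return ("audience-mismatch", audience)
    return ("ok", partner)
```

The same response is accepted for tenant-a but rejected for tenant-b, because tenant-b has no partner whose Name matches the issuer and a different local SP entity ID.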

[quote]
ComponentSpace - 2/13/2024
Just to confirm, the entityID you wish to switch is that of your service provider?

Assuming so, one option is to have separate SAML configurations - one for each of the entityIDs. For more information, please refer to the "Multi-Tenancy Support" section of our Configuration Guide.

https://www.componentspace.com/documentation/saml-for-asp-net/ComponentSpace%20SAML%20for%20ASP.NET%20Configuration%20Guide.pdf

Each tenant has a separate configuration including a local service provider configuration. The local service provider name corresponds to the entityID.

Another option is to implement the ISAMLConfigurationResolver interface which is described in the "Implementing ISAMLConfigurationResolver" section of the Configuration Guide.

Here you can have a single SAML configuration, but you can dynamically change the local service provider name as required.
[/quote]

Right, we already have a multi-tenant setup, but we use the same entityId for each tenant. I was thinking that instead of this being hard-coded, we make the name on the local service provider configuration configurable with our SAML configuration. I just wanted to make sure that doing so would not cause any issues with the verification process.

I don't think it will, but I'm not really sure why you need to change the entityID.

One of the main reasons for a multi-tenant configuration is where each tenant has a separate configuration including a different local service provider name.