High Level SAML configuration and InitiateSSO method

Hello,

I’m attempting to utilize SAML for the first time due to a new relationship with a third party vendor. So far I feel comfortable configuring the SAML with your Low Level example but I’m a bit lost with your High Level example and I was hoping to ask you a couple of questions that your forum didn’t seem to answer yet.

-Can you configure tags such as Subject, Conditions, AuthnContextClassRef, etc using High Level? If so, could you explain how?
-Can you confirm that the attribute dictionary being passed into the InitiateSSO method is simply the Name-Value pair for the Attributes in the AttributeStatement?
-I’m not understanding why an HttpResponse is being passed into the InitiateSSO method…could you explain?
-How do the SAML Response and Assertion get included in the InitiateSSO POST when they’re not even passed into the InitiateSSO method (I’d use your SendSAMLResponseByHTTPPost method as an example of one that does accept the SAML xml object as a parameter). Is the configuration information for the SAML all included in the saml.config file and then it gets automatically generated?

I appreciate any help you can provide. Thanks!
-Nate

[quote]
bellne - 2/15/2017
[/quote]

Btw, I'm referencing your HighLevelAPI - MvcExampleIdentityProvider project for the above questions.

When using the SAML high-level API, the SAML response and assertion are built for you but dependent on certain API parameters and configuration.
For example, the subject name identifier is supplied as the user name to SAMLIdentityProvider.InitiateSSO and SAMLIdentityProvider.SendSSO.
The attributes parameter is converted to one or more SAML attributes that are included in the SAML assertion.
The HttpResponse is used to return the HTML form containing the SAML response to the browser. It includes a small piece of JavaScript to automatically submit the SAML response to the service provider. This is the same when you use the low-level API. In fact, the high-level API calls into the low-level API for transporting the SAML response.
The SAML response and assertion are built by the high-level API. When you use the low-level API your application has to build these. The high-level API does this for you.
The contents of the SAML response and assertion are determined by input parameters to the high-level API and the SAML configuration.

[quote]
ComponentSpace - 2/15/2017
[/quote]

Thank you for the fast response. Do you happen to have a reference that explains all possible fields that can be used in the high-level saml.config file, or can any SAML field be configured this way by simply listing the name of the field and setting its value?
For instance, would these all work:
IssueInstant="2017-02-09T21:03:21.8245Z"
ID="123456789"
Issuer="CompanyIdentifier"
NameId="Sample User"
Method="SomeValue"
Recipient="SomeUrl"
NotOnOrAfter="2018-02-09T21:03:21.8245Z"
NotBefore="2015-02-09T21:03:21.8245Z"
AuthnInstant="2017-02-09T21:03:21.8245Z"
AuthnContextClassRef="SomeSpecificValueHere"

You’ll find the configuration documented in section 6 of our Developer Guide PDF which ships with the product.
We also ship a saml-config-schema.xsd which is the XML schema for SAML configuration.
Please note that there isn’t a one-to-one relationship between the SAML configuration and the various fields in a SAML message.
Many of these fields (e.g. ID, IssueInstant etc.) are generated automatically.
Some (e.g. Issuer, Recipient) are retrieved from the SAML configuration although the names are different.
Others (e.g. Name ID) are passed in through the SAML API.
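
The three sources named in the reply above (generated, configuration, API parameters), shown as an added C# sketch that is not ComponentSpace's code and does not use its API. `PartnerConfig`, `AssertionSketch` and the configured lifetime are hypothetical names and assumptions; only `System.Xml.Linq` is used.

```csharp
using System;
using System.Collections.Generic;
using System.Globalization;
using System.Xml.Linq;

// Constructed sample values; the assertion is left unsigned to keep the sketch short.
var config = new PartnerConfig("urn:example:idp", "https://sp.example.test/acs", TimeSpan.FromMinutes(3));
var attributes = new Dictionary<string, string> { ["role"] = "member" };
Console.WriteLine(AssertionSketch.Build(config, "sample.user", attributes));

// Hypothetical stand-in for configured values (not the saml.config schema).
record PartnerConfig(string LocalIssuer, string AssertionConsumerUrl, TimeSpan Lifetime);

static class AssertionSketch
{
    static readonly XNamespace Saml = "urn:oasis:names:tc:SAML:2.0:assertion";

    static string Ts(DateTime t) =>
        t.ToString("yyyy-MM-dd'T'HH:mm:ss.fff'Z'", CultureInfo.InvariantCulture);

    public static XElement Build(PartnerConfig config, string userName,
                                 IDictionary<string, string> attributes)
    {
        DateTime now = DateTime.UtcNow;                  // generated per response
        string expires = Ts(now + config.Lifetime);      // generated; configured lifetime is an assumption

        var statement = new XElement(Saml + "AttributeStatement");
        foreach (var pair in attributes)                 // API parameter
            statement.Add(new XElement(Saml + "Attribute", new XAttribute("Name", pair.Key),
                new XElement(Saml + "AttributeValue", pair.Value)));

        return new XElement(Saml + "Assertion",
            new XAttribute("Version", "2.0"),
            new XAttribute("ID", "_" + Guid.NewGuid().ToString("N")),      // generated
            new XAttribute("IssueInstant", Ts(now)),                        // generated
            new XElement(Saml + "Issuer", config.LocalIssuer),              // configuration
            new XElement(Saml + "Subject",
                new XElement(Saml + "NameID", userName),                    // API parameter
                new XElement(Saml + "SubjectConfirmation",
                    new XAttribute("Method", "urn:oasis:names:tc:SAML:2.0:cm:bearer"),
                    new XElement(Saml + "SubjectConfirmationData",
                        new XAttribute("Recipient", config.AssertionConsumerUrl), // configuration
                        new XAttribute("NotOnOrAfter", expires)))),
            new XElement(Saml + "Conditions",
                new XAttribute("NotBefore", Ts(now)), new XAttribute("NotOnOrAfter", expires)),
            statement.HasElements ? statement : null);   // an empty AttributeStatement is schema-invalid
    }
}
```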