I’m building a control to function as an IdP. It should be fairly simple. We have two SPs (for now) and SSO can be either IdP- or SP-initiated. I’m a little unclear on how to determine the partnerSP, at least in an SP-initiated request.
For an idP-related request, I can pass the partnerSP to the control as a QueryString parameter, like this:
SAMLIdentityProvider.InitiateSSO(Response, username, attributes, null, Request.QueryString[“ReturnUrl”]);
and as long as the ReturnURL matches a PartnerServiceProvider name value in my saml.config file, the InitiateSSO method will use that partner. Is that correct?
For SP-initiated requests I don’t know how to determine the SP from the request. Here is my code:
if (string.IsNullOrEmpty(targetURL))
{
//No ReturnUrlParameter was received, so assume this is an SP-initiated Request
SAMLIdentityProvider.ReceiveSSO(Request, out xxxxx); //how do I determine the partner SP?
}
The example applications all pull the SP from the web.config file and it’s set up with only 1 SP (at least all the ones I’ve found). How do I determine the Service Partner to use when I haven’t even received the request yet?
Thanks in advance. I have a very short deadline for this project and six weeks ago I had never even heard of SAML.
Your understanding of how the partnerSP parameter to SAMLIdentityProvider.InitiateSSO works is correct.
For SAMLIdentityProvider.ReceiveSSO, the partnerSP is an output parameter. You don’t determine the partnerSP value. It’s returned to you.
The SAML authn request received and processed when you call SAMLIdentityProvider.ReceiveSSO includes an Issuer field identifying the SP.
SAMLIdentityProvider.ReceiveSSO sets the partnerSP parameter to the value of this Issuer field.
This also must match one of the Names in your saml.config otherwise we throw an exception.