How to set different Issuer and Audience attributes for different requests based on the PartnerServiceProvider name in the controller method, within the same instance of the application.

How to send different Issuer and Audience attributes with different requests based on the PartnerServiceProvider name in the controller method, within the same instance of the application, in the method await _samlIdentityProvider.InitiateSsoAsync().

Below is a sample from the generated SAML response:

<saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">https://sso.abcglobal.com/apps/b2c/saml2/abc</saml:Issuer>
<samlp:Status>
...
<saml:AudienceRestriction>
<saml:Audience>abc_audience</saml:Audience>
</saml:AudienceRestriction>

The Issuer field is set to the LocalIdentityProviderConfiguration.Name in your SAML configuration.

The Audience is set to the PartnerServiceProviderConfiguration.Name in your SAML configuration. The specific PartnerServiceProviderConfiguration is identified by the partnerName parameter to the InitiateSsoAsync call.

Normally the Issuer name shouldn’t change based on the partner SP. It uniquely identifies your IdP regardless of which SP you are initiating SSO to.

The Audience does change based on the selected PartnerServiceProviderConfiguration.

If I haven’t answered your questions, please provide some more details regarding your requirements.

[quote]
ComponentSpace - 3/16/2021
The Issuer field is set to the LocalIdentityProviderConfiguration.Name in your SAML configuration.

The Audience is set to the PartnerServiceProviderConfiguration.Name in your SAML configuration. The specific PartnerServiceProviderConfiguration is identified by the partnerName parameter to the InitiateSsoAsync call.

Normally the Issuer name shouldn't change based on the partner SP. It uniquely identifies your IdP regardless of which SP you are initiating SSO to.

The Audience does change based on the selected PartnerServiceProviderConfiguration.

If I haven't answered your questions, please provide some more details regarding your requirements.
[/quote]

We understand your answers. In a previous version of ComponentSpace, we had the flexibility to change the Issuer with the code below:

SAMLAssertion samlAssertion = new SAMLAssertion();
samlAssertion.Issuer = issuer;

We are looking for the same type of feature in your latest version of ComponentSpace for .NET Core 3.1.
Thanks and regards,

You can use the OnSamlAssertionCreated event to access and modify the SAML assertion before it’s sent to the partner SP.

For example:

_samlIdentityProvider.Events.OnSamlAssertionCreated += (httpContext, samlAssertion) =>
{
    samlAssertion.Issuer = new Issuer()
    {
        Name = "name goes here"
    };

    return samlAssertion;
};

await _samlIdentityProvider.InitiateSsoAsync(partnerName, userName, attributes, relayState);



There’s also an OnSamlResponseCreated event if you wish to change the issuer field in the SAML response.

However, please note that we generally don’t recommend changing the issuer as this is a static value uniquely identifying the identity or service provider.
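As an added example (not ComponentSpace's own code and not the code posted in this thread), here is how the OnSamlAssertionCreated event described above can be used to pick the assertion Issuer per partner SP from within a controller action. It assumes the ISamlIdentityProvider, Events.OnSamlAssertionCreated, SAMLAssertion, Issuer and InitiateSsoAsync(partnerName, userName, attributes, relayState) members as they appear in the thread, and the ComponentSpace.Saml2 and ComponentSpace.Saml2.Assertions namespaces; the controller name, the PartnerIssuers table and its values are hypothetical.

```csharp
using System;
using System.Collections.Generic;
using System.Threading.Tasks;
using ComponentSpace.Saml2;              // assumed namespace for ISamlIdentityProvider
using ComponentSpace.Saml2.Assertions;   // assumed namespace for Issuer, SamlAttribute
using Microsoft.AspNetCore.Mvc;

public class SsoController : Controller
{
    private readonly ISamlIdentityProvider _samlIdentityProvider;

    // Hypothetical per-partner issuer table (keyed by the partner SP name passed to
    // InitiateSsoAsync). Each value must be exactly the IdP entityID that the
    // corresponding partner SP has been configured to trust, or the SP will reject
    // the assertion even though it is correctly signed.
    private static readonly IReadOnlyDictionary<string, string> PartnerIssuers =
        new Dictionary<string, string>(StringComparer.Ordinal)
        {
            ["https://sp.partner-a.example"] = "https://idp.example/partner-a",
            ["https://sp.partner-b.example"] = "https://idp.example/partner-b",
        };

    public SsoController(ISamlIdentityProvider samlIdentityProvider)
    {
        _samlIdentityProvider = samlIdentityProvider;
    }

    public async Task<IActionResult> InitiateSso(string partnerName, string userName, string relayState)
    {
        // Fail closed: a partner that is not in the table must not silently be sent
        // an assertion carrying the default issuer from LocalIdentityProviderConfiguration.
        if (!PartnerIssuers.TryGetValue(partnerName, out var issuerName))
        {
            return BadRequest("Unknown partner service provider.");
        }

        // Replace (not add) the Issuer on the assertion before it is sent to the SP.
        // The partner-specific value is captured from this request's closure.
        _samlIdentityProvider.Events.OnSamlAssertionCreated += (httpContext, samlAssertion) =>
        {
            samlAssertion.Issuer = new Issuer { Name = issuerName };
            return samlAssertion;
        };

        // Hypothetical: populate with whatever attributes the partner expects.
        var attributes = new List<SamlAttribute>();

        await _samlIdentityProvider.InitiateSsoAsync(partnerName, userName, attributes, relayState);

        // The SSO response has already been written to the HTTP response by InitiateSsoAsync.
        return new EmptyResult();
    }
}
```

After wiring this up, enable SAML trace and confirm in the log that the sent assertion contains exactly one <saml:Issuer> element with the expected value, and that the SAML response's own Issuer (changeable via OnSamlResponseCreated, as noted above) is consistent with it, since many SPs check both against the single IdP entityID in their metadata. Because the handler is attached on a per-request basis here, make sure the ISamlIdentityProvider instance it is attached to is scoped to the request rather than shared, so one partner's issuer cannot leak into another partner's SSO.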

[quote]
ComponentSpace - 3/18/2021
You can use the OnSamlAssertionCreated event to access and modify the SAML assertion before it's sent to the partner SP.

For example:


_samlIdentityProvider.Events.OnSamlAssertionCreated += (httpContext, samlAssertion) =>
{
samlAssertion.Issuer = new Issuer()
{
Name = "name goes here"
};

return samlAssertion;
};

await _samlIdentityProvider.InitiateSsoAsync(partnerName, userName, attributes, relayState);



There's also an OnSamlResponseCreated event if you wish to change the issuer field in the SAML response.

However, please note that we generally don't recommend changing the issuer as this is a static value uniquely identifying the identity or service provider.

[/quote]

We have implemented the above code in the method. It does not override the existing issuer but appends the new issuer.
The one below is set from the LocalIdentityProviderConfiguration name:

<saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">https://USSUER1</saml:Issuer>

The one below is added by the code:

_samlIdentityProvider.Events.OnSamlAssertionCreated += (httpContext, samlAssertion) =>
{
    samlAssertion.Issuer = new Issuer()
    {
        Name = "https://ISSUER2"
    };

    return samlAssertion;
};

<saml:Issuer>https://ISSUER2</saml:Issuer>

We cannot override the issuer given in the LocalIdentityProviderConfiguration name. Two Issuer tags are present in the same response. Please suggest.
Thanks and regards,
xgghosh

That’s not what I see when I add this code to the ExampleIdentityProvider.

The SAML assertion sent to the SP starts with:

<saml:Assertion
    Version="2.0"
    ID="_fe64babc-5d5b-4e2e-bac2-c66fbde29e42"
    IssueInstant="2021-03-19T07:45:08Z"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Issuer>name goes here</saml:Issuer>
  <saml:Subject>
    <saml:NameID>joeuser@componentspace.com</saml:NameID>
    ...



Please enable SAML trace and send the generated log file as an email attachment to support@componentspace.com mentioning your forum post.

https://www.componentspace.com/Forums/7936/Enabling-SAML-Trace

I’d like to see the generated SAML assertion.