How to use IdentityProvider sample projects with my Service Providers applications to perform SLO

Hi,

I want to use the IdentityProvider sample projects as the identity provider, and my custom applications will act as service providers. My service provider applications store the IdP metadata (XML) in a database. How can I export the sample projects' IdP metadata, and how do I register my service provider applications with the sample IdentityProvider projects? My service provider application uses the low-level API of ComponentSpace 2.6.0.2 (Runtime Version: v4.0.30319). The SSO code is already there, written with the low-level API; now I have to implement SLO. Can you please share some sample code to implement SLO?
It would also really help if you could answer the following queries:
1. Is it compulsory to have the service provider's single logout URL configured at the IdP (so the IdP can send a logout request to all other session participants)?
2. The IdP must have a URL to initiate single logout, is that correct?

Here is the existing SSO code of my service provider applications

// Namespaces used by the low-level API and the MVC attributes below; check them against
// the version of the library you have installed.
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;
using System.Threading.Tasks;
using System.Web.Mvc;
using System.Xml;
using ComponentSpace.SAML2;
using ComponentSpace.SAML2.Bindings;
using ComponentSpace.SAML2.Profiles.SSOBrowser;

SP-initiated SSO request

// The ssoProfile* values and authnRequestXml are populated from the SsoProfile (config)
// loaded from the database; that code is not shown here.
private void RequestLoginAtIdentityProvider(SsoProfile config, string relayState)
{
    switch (ssoProfileSingleSignOnServiceBinding)
    {
        case SAMLIdentifiers.BindingURIs.HTTPRedirect:
            // HTTP-Redirect signs the query string rather than the XML, so the private key
            // is handed to the send call; only sign when the profile asks for it.
            AsymmetricAlgorithm key = null;
            if (ssoProfileSignAuthnRequest)
            {
                key = ssoProfileLocalCertificate.ToCertificate().PrivateKey;
            }
            ServiceProvider.SendAuthnRequestByHTTPRedirect(Response, ssoProfileSingleSignOnServiceUrl, authnRequestXml, relayState, key);
            break;

        case SAMLIdentifiers.BindingURIs.HTTPPost:
            // With HTTP-POST any signature is embedded in authnRequestXml before this call.
            ServiceProvider.SendAuthnRequestByHTTPPost(Response, ssoProfileSingleSignOnServiceUrl, authnRequestXml, relayState);

            // The auto-submitting form has already been written; end the response so the
            // page's own markup is not appended to it.
            Response.End();
            break;
    }
}

To receive the SAML 2.0 response from the identity provider

private enum SamlBindingType { POST, Redirect }

// urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST
[HttpPost]
[Route("SSO/saml2/AssertionConsumerService")]
public async virtual Task AssertionConsumerService()
{
    await ReceiveSAMLResponse(SamlBindingType.POST);
}

// urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect
[HttpGet]
[Route("SSO/saml2/AssertionConsumerService.redirect")]
public async virtual Task AssertionConsumerServiceRedirect()
{
    await ReceiveSAMLResponse(SamlBindingType.Redirect);
}

// `profile` holds the partner (IdP) configuration loaded from the database; not shown here.
private Task ReceiveSAMLResponse(SamlBindingType bindingType)
{
    XmlElement samlResponseXml;
    string relayState;
    bool signed;

    switch (bindingType)
    {
        case SamlBindingType.POST:
            // The response arrives in the form body; any XML signature travels inside it.
            ServiceProvider.ReceiveSAMLResponseByHTTPPost(Request, out samlResponseXml, out relayState);
            break;

        case SamlBindingType.Redirect:
            // HTTP-Redirect signs the query string, so the IdP's public key is needed at
            // receive time to verify it.
            AsymmetricAlgorithm key = null;
            if (profile.PartnerCertificate != null)
            {
                key = new X509Certificate2(profile.PartnerCertificate, (string)null, X509KeyStorageFlags.MachineKeySet).PublicKey.Key;
            }

            HTTPRedirectBinding.ReceiveResponse(Request, out samlResponseXml, out relayState, out signed, key);
            break;
    }

    return Task.CompletedTask;
}



We don’t recommend using the SAML low-level API as it requires more application code and a deeper understanding of the SAML specification. It’s particularly difficult implementing SAML logout correctly, especially as the identity provider.
Also, the version you’re using (2.6.0.2) is over four years old. I recommend upgrading if possible.
https://www.componentspace.com/documentation/saml-for-asp-net/ComponentSpace%20SAML%20for%20ASP.NET%20Release%20Notes.pdf
The current example identity providers include their SAML metadata files. This isn't the case with the version you have. You will have to create the metadata for the identity provider from the template files we include under the examples\metadata folder.
To register your SPs with the example identity provider, update the saml.config with the appropriate entries. In recent updates this is made easier by running the ImportMetadata console application.
To implement SLO, I suggest taking a look at the SAML2ServiceProvider project under the SSO\LowLevelAPI\SP-Initiated folder. The Default.aspx page includes a logout button for initiating SLO. The SAML/SLOService.aspx page receives and processes SAML logout messages from the partner IdP.
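For readers who want to see what the SP side of the SP-initiated logout in that example actually has to produce and check, the following is an added illustration and is not ComponentSpace's code or the poster's. It builds the <samlp:LogoutRequest> that the SP sends to the IdP's SLO endpoint (the element you would hand to the library's HTTP-Redirect or HTTP-POST send call, the way the SSO code above passes authnRequestXml) and then validates the <samlp:LogoutResponse> that comes back before the local session is cleared. Element names, namespaces and status URIs are taken from the SAML 2.0 Core specification; the entity IDs, URLs, NameID and SessionIndex values are made-up placeholders, and the IdP reply is constructed inline. Signature verification is left to the binding receive call (compare the key passed to HTTPRedirectBinding.ReceiveResponse above). The IdP-initiated direction, where the IdP posts a LogoutRequest to the SP's own SLO URL and expects a LogoutResponse, is the mirror image and is why the IdP must know each SP's SLO endpoint to reach the other session participants.

```csharp
using System;
using System.Xml;

// Added example, not ComponentSpace or the poster's code. Names and URIs are from SAML 2.0 Core;
// entity IDs, URLs, NameID and SessionIndex values are placeholders.
public static class SpSingleLogout
{
    const string SamlpNs = "urn:oasis:names:tc:SAML:2.0:protocol";
    const string SamlNs = "urn:oasis:names:tc:SAML:2.0:assertion";
    const string StatusSuccess = "urn:oasis:names:tc:SAML:2.0:status:Success";

    // Build the LogoutRequest the SP sends to the IdP. nameId/format and sessionIndex must be the
    // values from the assertion received at SSO time, or the IdP cannot tell which session to end.
    public static XmlElement BuildLogoutRequest(string spEntityId, string idpSloUrl,
        string nameId, string nameIdFormat, string sessionIndex, out string requestId)
    {
        requestId = "_" + Guid.NewGuid().ToString("N"); // xs:ID must not start with a digit
        var doc = new XmlDocument();
        var req = doc.CreateElement("samlp", "LogoutRequest", SamlpNs);
        req.SetAttribute("ID", requestId);
        req.SetAttribute("Version", "2.0");
        req.SetAttribute("IssueInstant", DateTime.UtcNow.ToString("o"));
        req.SetAttribute("Destination", idpSloUrl);
        // Short validity window: a replay after this point may be discarded by the IdP.
        req.SetAttribute("NotOnOrAfter", DateTime.UtcNow.AddMinutes(5).ToString("o"));

        var issuer = doc.CreateElement("saml", "Issuer", SamlNs);
        issuer.InnerText = spEntityId;
        req.AppendChild(issuer);

        var name = doc.CreateElement("saml", "NameID", SamlNs);
        name.SetAttribute("Format", nameIdFormat);
        name.InnerText = nameId;
        req.AppendChild(name);

        var index = doc.CreateElement("samlp", "SessionIndex", SamlpNs);
        index.InnerText = sessionIndex;
        req.AppendChild(index);

        doc.AppendChild(req);
        return req;
    }

    // Check the LogoutResponse before the SP clears its own session. Returns null when the
    // response is acceptable, otherwise the reason. Assumes the binding layer already verified
    // the signature; these are the checks that remain after that.
    public static string CheckLogoutResponse(XmlElement response, string outstandingRequestId,
        string idpEntityId, string spSloUrl)
    {
        if (response.LocalName != "LogoutResponse" || response.NamespaceURI != SamlpNs)
            return "not a samlp:LogoutResponse";
        // Tie the response to the request we actually sent: an unsolicited or stale response
        // must not be able to end, or appear to end, the session.
        if (response.GetAttribute("InResponseTo") != outstandingRequestId)
            return "InResponseTo does not match the outstanding LogoutRequest";
        // Destination is optional, but when present it must name this SP's SLO endpoint.
        string destination = response.GetAttribute("Destination");
        if (destination.Length > 0 && destination != spSloUrl)
            return "Destination is not this SP's SLO endpoint";

        var ns = new XmlNamespaceManager(response.OwnerDocument.NameTable);
        ns.AddNamespace("samlp", SamlpNs);
        ns.AddNamespace("saml", SamlNs);
        XmlNode issuer = response.SelectSingleNode("saml:Issuer", ns);
        if (issuer == null || issuer.InnerText.Trim() != idpEntityId)
            return "Issuer is not the configured IdP";
        // Only the top-level StatusCode decides success; a nested code such as PartialLogout
        // is informational.
        XmlNode status = response.SelectSingleNode("samlp:Status/samlp:StatusCode/@Value", ns);
        if (status == null || status.Value != StatusSuccess)
            return "logout not successful: " + (status == null ? "(no StatusCode)" : status.Value);
        return null;
    }

    // One SP-initiated exchange with a constructed IdP reply (signature omitted).
    public static void Main()
    {
        string requestId;
        XmlElement request = BuildLogoutRequest("https://sp.example.com",
            "https://idp.example.com/SAML/SLOService.aspx", "alice@example.com",
            "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress", "_session-42", out requestId);
        Console.WriteLine(request.OuterXml);

        var reply = new XmlDocument();
        reply.LoadXml(
            "<samlp:LogoutResponse xmlns:samlp='" + SamlpNs + "' xmlns:saml='" + SamlNs + "'" +
            " ID='_resp1' Version='2.0' IssueInstant='2024-01-01T00:00:00Z'" +
            " InResponseTo='" + requestId + "' Destination='https://sp.example.com/SSO/saml2/SLOService'>" +
            "<saml:Issuer>https://idp.example.com</saml:Issuer>" +
            "<samlp:Status><samlp:StatusCode Value='" + StatusSuccess + "'/></samlp:Status>" +
            "</samlp:LogoutResponse>");

        string problem = CheckLogoutResponse(reply.DocumentElement, requestId,
            "https://idp.example.com", "https://sp.example.com/SSO/saml2/SLOService");
        Console.WriteLine(problem ?? "LogoutResponse accepted: clear the local session now");
    }
}
```

The outstanding request ID has to be stored server-side (session or database) between sending the request and receiving the response, not round-tripped through RelayState, because the InResponseTo check only means something if the attacker cannot choose the value it is compared against. Changing the reply's InResponseTo, Issuer or StatusCode Value in Main shows each check rejecting the message.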