Hi there, please bear with me as I am new to SSO and IdPs. We have used ComponentSpace for some of our older applications in .NET. We are moving to .NET Core, and I am trying to implement a proof of concept of it to sell to our leaders. We use WSO2 server as a Service Provider. It has a login page. Our apps initiate login when a person is not logged into the application by sending them to that login page, having them log in, and receiving a response back from WSO2 server with the details. In the old version we were not using any certificates in our .NET application. So, I’m a little confused by what certificate I actually need, and whether it is necessary to have one in the .NET application. I’m including my SAML configuration. I hope someone can help us get this set up.
"SAML": {
  "$schema": "https://www.componentspace.com/schemas/saml-config-schema-v1.0.json",
  "Configurations": [
    {
      "LocalServiceProviderConfiguration": {
        "Name": "SRM",
        "Description": "SSO Provider.",
        "AssertionConsumerServiceUrl": "https://localhost:44388/Home/AssertionConsumerService"
      },
      "PartnerIdentityProviderConfiguration": {
        "Name": "https://{WSO2 Server Address}/samlsso",
        "Description": "SSO Provider.",
        "WantAuthnRequestSigned": false,
        "SignSamlResponse": false,
        "SingleSignOnServiceUrl": "https://{WSO2 Server Address}:443/samlsso",
        "SingleLogoutServiceUrl": "https://{WSO2 Server Address}:443/samlsso"
      }
    }
  ]
}
You will need to specify a certificate in the PartnerIdentityProviderConfiguration.
The SAML response or assertion sent back to your application by WSO2 will be signed.
The PartnerIdentityProviderConfiguration certificate is used to verify the signature.
The LocalServiceProviderConfiguration certificate is only required if the SAML authn request being sent to WSO2 is to be signed or if SAML assertions are to be encrypted.
Typically SAML assertions aren’t encrypted.
If your current .NET implementation doesn’t require a local SP certificate (i.e. a PFX file), then WSO2 doesn’t require the authn request to be signed.
Therefore you shouldn’t need a LocalServiceProviderConfiguration certificate.
If you have the SAML metadata for WSO2 you can use our ImportMetadata tool to update your SAML configuration. This will include extracting the PartnerIdentityProviderConfiguration certificate.
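The reply above says the partner IdP certificate is what verifies the signature on the SAML response, and that it can be pulled out of the WSO2 metadata. The script below is an added example, not ComponentSpace's ImportMetadata tool and not code from either post in this thread: it reads standard SAML 2.0 metadata, picks the certificate from the KeyDescriptor marked use="signing" (skipping an encryption-only key, which must never be used to verify signatures), and writes it as a PEM file the SP can be pointed at. The metadata document and the certificate bodies in it are constructed placeholders, not real WSO2 output; the entity ID host idp.example.test and the output file name idp.cer are assumptions.

```python
"""Extract an IdP's signing certificate from SAML 2.0 metadata and write it as PEM.

Added example, not ComponentSpace code. The metadata below is constructed and its
X509Certificate values are placeholders (base64 of plain text), not real certificates.
"""
import base64
import textwrap
import xml.etree.ElementTree as ET

# Standard SAML 2.0 metadata and XML-DSig namespaces.
NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed sample metadata in the shape an IdP publishes. The encryption key
# is listed first on purpose, to show that it is skipped when looking for the
# signing certificate. Host name and certificate bodies are placeholders.
SAMPLE_METADATA = """<?xml version="1.0" encoding="UTF-8"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://idp.example.test/samlsso">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="encryption">
      <ds:KeyInfo>
        <ds:X509Data>
          <ds:X509Certificate>UExBQ0VIT0xERVItRU5DUllQVElPTi1DRVJU</ds:X509Certificate>
        </ds:X509Data>
      </ds:KeyInfo>
    </md:KeyDescriptor>
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo>
        <ds:X509Data>
          <ds:X509Certificate>
            UExBQ0VIT0xERVItU0lHTklORy1DRVJU
          </ds:X509Certificate>
        </ds:X509Data>
      </ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.test/samlsso"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""


def extract_signing_certificate(metadata_xml: str) -> str:
    """Return the base64 body of the IdP's signing certificate.

    Accepts KeyDescriptor elements with use="signing" or with no use attribute
    (the metadata schema treats a missing attribute as usable for both
    purposes). An encryption-only certificate is never returned.
    """
    root = ET.fromstring(metadata_xml)
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("metadata has no IDPSSODescriptor")
    for key_descriptor in idp.findall("md:KeyDescriptor", NS):
        if key_descriptor.get("use") not in (None, "signing"):
            continue
        cert = key_descriptor.find("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
        if cert is None or not cert.text:
            continue
        body = "".join(cert.text.split())  # metadata often wraps the value across lines
        base64.b64decode(body, validate=True)  # fail fast on a corrupt or truncated value
        return body
    raise ValueError("metadata has no signing certificate")


def to_pem(cert_b64: str) -> str:
    """Wrap a base64 DER body in PEM armour, 64 characters per line."""
    lines = textwrap.wrap(cert_b64, 64)
    return "-----BEGIN CERTIFICATE-----\n" + "\n".join(lines) + "\n-----END CERTIFICATE-----\n"


if __name__ == "__main__":
    # Writes the signing certificate to idp.cer (assumed file name) so the SP
    # configuration can reference it for response signature verification.
    pem = to_pem(extract_signing_certificate(SAMPLE_METADATA))
    with open("idp.cer", "w", encoding="ascii") as handle:
        handle.write(pem)
    print(pem)
```

Run against real metadata by replacing SAMPLE_METADATA with the document downloaded from the IdP; the resulting .cer is the partner IdP certificate the reply refers to. Selecting only the signing KeyDescriptor matters because an IdP can publish separate keys for signing and encryption, and configuring the wrong one means every signed response fails verification (or, worse, if verification were skipped, nothing would check it at all).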