Programmatic Configuration with Certificates in a Database?

We’re currently using XML configuration with certificates stored in the file system. We would like to move to programmatic configuration with configuration elements and certificates stored in a SQL Server database. From the Developer Guide, we’re pretty clear on programmatic configuration but we’re trying to work out how to retrieve certificates from a database. Is there a documented approach to this? Are there any cautionary tales regarding this approach? Thanks for any guidance you can provide.

Hi Russ,

The Configuration Guide describes two techniques for setting SAML configuration programmatically. When storing configuration in a database, the recommended approach is to implement the ISAMLConfigurationResolver interface as described in the guide.

Certificates should be stored in the database as base-64 strings.

The Certificate Guide includes a “Certificate Strings” section describing how to convert certificates into strings.

The following example code is for a configuration resolver that returns hard-coded values. Your configuration resolver would read these values from your database.

The CertificateConfiguration.String property is used to specify the certificate as a base-64 string.


using System.Collections.Generic;
using ComponentSpace.SAML2.Configuration;
using ComponentSpace.SAML2.Configuration.Resolver;

public class ExampleConfigurationResolver : AbstractSAMLConfigurationResolver
{
    /// <summary>
    /// Gets the LocalServiceProviderConfiguration.
    /// </summary>
    /// <param name="configurationID">The configuration ID or null if none.</param>
    /// <returns>The local service provider configuration.</returns>
    /// <remarks>Throws when the local service provider configuration cannot be found.</remarks>
    public override LocalServiceProviderConfiguration GetLocalServiceProviderConfiguration(string configurationID)
    {
        // Hard-coded values for illustration; a real resolver reads these from the database.
        return new LocalServiceProviderConfiguration()
        {
            Name = "https://ExampleServiceProvider",
            AssertionConsumerServiceUrl = "~/SAML/AssertionConsumerService.aspx",
            LocalCertificates = new List<CertificateConfiguration>()
            {
                new CertificateConfiguration()
                {
                    // The local certificate includes the private key, so a password is required.
                    String = "base-64 string goes here",
                    Password = "password"
                }
            }
        };
    }

    /// <summary>
    /// Gets the PartnerIdentityProviderConfiguration given the partner name.
    /// </summary>
    /// <param name="configurationID">The configuration ID or null if none.</param>
    /// <param name="partnerName">The partner name.</param>
    /// <returns>The partner identity provider configuration.</returns>
    /// <remarks>Throws when the partner identity provider configuration cannot be found.</remarks>
    public override PartnerIdentityProviderConfiguration GetPartnerIdentityProviderConfiguration(string configurationID, string partnerName)
    {
        return new PartnerIdentityProviderConfiguration()
        {
            Name = "https://ExampleIdentityProvider",
            SignAuthnRequest = true,
            SingleSignOnServiceUrl = "https://localhost:44390/SAML/SSOService.aspx",
            SingleLogoutServiceUrl = "https://localhost:44390/SAML/SLOService.aspx",
            PartnerCertificates = new List<CertificateConfiguration>()
            {
                new CertificateConfiguration()
                {
                    // Partner certificates hold only the public key, so no password is needed.
                    String = "base-64 string goes here",
                }
            }
        };
    }
}



You register your ISAMLConfigurationResolver implementation at application start-up.


SAMLController.ConfigurationResolver = new ExampleConfigurationResolver();
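
As an added example (not ComponentSpace's own code), here is a resolver that reads the local service provider certificate from SQL Server instead of returning hard-coded values; the SamlCertificates table, its column names and the _getSecret hook are assumptions.

```csharp
using System;
using System.Collections.Generic;
using System.Data.SqlClient;
using ComponentSpace.SAML2.Configuration;
using ComponentSpace.SAML2.Configuration.Resolver;
// Assumed table (hypothetical, not from the guide): SamlCertificates(ConfigurationID, Owner, CertificateBase64, PasswordSecretName).
// Owner is "local" for the service provider's own key pair, otherwise the partner name.
public class DatabaseConfigurationResolver : AbstractSAMLConfigurationResolver
{
    private readonly string _connectionString;
    // Hypothetical hook mapping a secret name to the PFX password (e.g. a key vault), so the password is never stored beside the private key.
    private readonly Func<string, string> _getSecret;
    public DatabaseConfigurationResolver(string connectionString, Func<string, string> getSecret)
    {
        _connectionString = connectionString;
        _getSecret = getSecret;
    }
    public override LocalServiceProviderConfiguration GetLocalServiceProviderConfiguration(string configurationID)
    {
        var certificates = LoadCertificates(configurationID, "local", includePassword: true);
        if (certificates.Count == 0)
            throw new InvalidOperationException("No local certificate for configuration '" + configurationID + "'.");
        return new LocalServiceProviderConfiguration()
        {
            Name = "https://ExampleServiceProvider", // in practice also read from the database
            AssertionConsumerServiceUrl = "~/SAML/AssertionConsumerService.aspx",
            LocalCertificates = certificates
        };
    }
    private List<CertificateConfiguration> LoadCertificates(string configurationID, string owner, bool includePassword)
    {
        const string sql = "SELECT CertificateBase64, PasswordSecretName FROM SamlCertificates "
            + "WHERE Owner = @owner AND (ConfigurationID = @configurationID OR @configurationID IS NULL)";
        var result = new List<CertificateConfiguration>();
        using var connection = new SqlConnection(_connectionString);
        using var command = new SqlCommand(sql, connection); // parameterized: owner and ID are never concatenated into the SQL
        command.Parameters.AddWithValue("@owner", owner);
        command.Parameters.AddWithValue("@configurationID", (object)configurationID ?? DBNull.Value);
        connection.Open();
        using var reader = command.ExecuteReader();
        while (reader.Read())
        {
            var certificate = new CertificateConfiguration() { String = reader.GetString(0) };
            if (includePassword && !reader.IsDBNull(1))
                certificate.Password = _getSecret(reader.GetString(1)); // partner certificates carry no password
            result.Add(certificate);
        }
        return result;
    }
}
```

GetPartnerIdentityProviderConfiguration follows the same pattern with LoadCertificates(configurationID, partnerName, includePassword: false). Grant the application account read-only access to the table: whoever can update a partner's CertificateBase64 decides which identity provider signatures the service provider trusts.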


[quote]
ComponentSpace - 1/28/2020
[/quote]

Thanks for pointing out the Certificate Guide. I think that was the puzzle piece I was missing.

You’re welcome.