Receiving Response from SAMLServiceProvider.ReceiveSSO

Is there a way to receive a response on the Identity provider from the Service provider after SAMLServiceProvider.ReceiveSSO is called?

Did you want access to the raw SAML response XML?

If so, may I ask why you need this access?

The SAML response XML is available through the SAML low-level API but it isn’t exposed in the high-level API (SAMLServiceProvider.ReceiveSSO etc). Normally you don’t require the details of the raw SAML response.

Basically, what is happening is that my application acts as the IDP and we are calling an API as the SP. When we send attributes from the IDP to the SP, it validates them and then sends a reply with a link to navigate to another website.
So my question was how to receive the response back from the SP.

Sorry, I’m still a little confused.

Is this part of a browser-based SAML SSO flow?

The API call won’t be part of the SAML SSO as API calls aren’t defined in the SAML specification.

Does the API call happen after SSO completes?

Is the SP making an API call to the IdP or vice versa?

Are the SAML attributes to be included in the API call? If so, in what format?

I need to run SAMLValidator → Validate.
How can I do it without the XML itself?

The SAMLValidator class, under the ComponentSpace.SAML2.Schemas namespace, validates the supplied XML against the SAML XML Schemas.

It’s checking whether the supplied SAML message, SAML assertion or SAML metadata XML complies with these schemas.

I’m not sure what you mean by “without XML itself”. You need to supply the XML that’s to be validated against the schema.

Sorry, some explanation.
From your post:
[quote]
Did you want access to the raw SAML response XML?
If so, may I ask why you need this access?
The SAML response XML is available through the SAML low-level API but it isn’t exposed in the high-level API (SAMLServiceProvider.ReceiveSSO etc). Normally you don’t require the details of the raw SAML response.
[/quote]

"If so, may I ask why you need this access?" - I need it to validate the supplied XML against the SAML XML Schemas after SAMLServiceProvider.ReceiveSSO is called, or before. It doesn’t matter, in fact.
So, my goal is to validate the assertion and, if it isn’t valid, deny login. How can I implement it without the low-level API?

The call to SAMLServiceProvider.ReceiveSSO does this for you. It will validate the SAML response XML against the XML schemas. If there’s an issue, it will throw an exception.

This is controlled through the SAMLController.ValidateMessagesAgainstSchema property.

At application start-up, set this property to true:

SAMLController.ValidateMessagesAgainstSchema = true;
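As an added illustration of the advice above (example code written for this thread, not ComponentSpace's own sample code): the flag is set once at application start-up, and the assertion consumer service fails closed when SAMLServiceProvider.ReceiveSSO throws, so an assertion that does not pass validation never results in a login. The ReceiveSSO overload and its out-parameter list are assumed to match the version in use and should be checked against the API reference for your release; the helper name TryReceiveSso and the Trace logging are this example's own choices.

```csharp
// Added example, not ComponentSpace's own code. Assumes the SAML for ASP.NET
// high-level API; the ReceiveSSO overload used here should be checked against
// the reference documentation for the installed version.
using System;
using System.Collections.Generic;
using System.Web;
using ComponentSpace.SAML2;
using ComponentSpace.SAML2.Exceptions;

public class Global : HttpApplication
{
    protected void Application_Start(object sender, EventArgs e)
    {
        // Static, application-wide switch: it applies to every SAML
        // configuration the application uses, not to one SP configuration.
        SAMLController.ValidateMessagesAgainstSchema = true;
    }
}

// Assertion consumer service logic (for example, the ACS page code-behind).
public static class AssertionConsumer
{
    // Returns true with the authenticated user name when the SAML response was
    // accepted; returns false when ReceiveSSO rejected it, so the caller denies login.
    public static bool TryReceiveSso(HttpRequest request, out string userName, out string targetUrl)
    {
        userName = null;
        targetUrl = null;

        try
        {
            bool isInResponseTo;
            string partnerIdP;
            string authnContext;
            IDictionary<string, string> attributes;

            // With ValidateMessagesAgainstSchema enabled, ReceiveSSO checks the
            // SAML response against the XML schemas (in addition to its other
            // processing) and throws if the message is not acceptable.
            SAMLServiceProvider.ReceiveSSO(request, out isInResponseTo, out partnerIdP,
                out authnContext, out userName, out attributes, out targetUrl);

            return true;
        }
        catch (SAMLException ex)
        {
            // Fail closed: record the reason and deny login rather than
            // trusting an assertion that did not validate.
            System.Diagnostics.Trace.TraceError("SAML SSO rejected: " + ex.Message);
            userName = null;
            targetUrl = null;
            return false;
        }
    }
}
```

The caller only establishes a session when TryReceiveSso returns true; any SAMLException, including a schema validation failure, results in a denied login.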
Perfect, thanks for the help.
Last question: by default, is SAMLController.ValidateMessagesAgainstSchema false? I don’t see what the default value is in the documentation: https://www.componentspace.com/documentation/saml-for-asp-net/reference/api/ComponentSpace.SAML2.SAMLController.html#ComponentSpace_SAML2_SAMLController_ValidateMessagesAgainstSchema

Yes. Currently we default to false. I know at some stage we defaulted to true but I can’t remember why we changed this. There’s a small performance overhead, of course, but this is very minor and shouldn’t be an issue.

[quote]
ComponentSpace - 9/16/2021
Yes. Currently we default to false. I know at some stage we defaulted to true but I can't remember why we changed this. There's a small performance overhead, of course, but this is very minor and shouldn't be an issue.
[/quote]

Ok, I know I promised it was the last question, but I have another one.
Is it possible to set ValidateMessagesAgainstSchema per config (we have a lot of SP configs), not globally?
I mean, if I set the value of SAMLController.ValidateMessagesAgainstSchema according to a setting stored in the DB for the currently used configuration when I set SAMLController.ConfigurationID = XXX, will it work properly?
I'm asking because we had an issue with certificates when we set not SAMLController.ConfigurationID but SAMLController.Configuration itself each time a provider was used; it throws an error "certificate not found".
So, if I change SAMLController.ValidateMessagesAgainstSchema a lot, will it apply immediately for the current config, or would I have an issue with cached values?

The SAMLController.ValidateMessagesAgainstSchema property sets a static boolean. It’s a global setting affecting all SAML SSO sessions regardless of the SAML configuration used. There isn’t an option to set this on a per SAML configuration basis.