saml.config ServiceProvider Name is important

Hi,

We have a single Service Provider application that is hosted on multiple IIS Sites on the same server (“test1”, “test2” and “live”) and for the “live” version, there are a couple of additional whitelabel domains over and above the standard domain. I also have a “Dev” environment on my local machine “http://localhost:3003” e.g.

SITE: https://test1.example.com
SITE: https://test2.example.com
SITE: https://www.example.com
+-> https://app.whitelabel1.com

SITE: https://localhost:3003



We want to use the same configuration for all environments/bindings so don’t need to differentiate “ServiceProvider” details in the saml.config e.g.

<ServiceProvider
Name="http://localhost:3003"
Description="My SP Application"
AssertionConsumerServiceUrl="~/SamlLoginCallback"/>



The problem is, the SSO process only works if the Name attribute matches (exactly) the schema/domain/port (if required). If it doesn’t, then after the 3rd-party IdP login succeeds, we get:
[quote]Unable to resolve the peer identification from the message.[/quote]
and I can’t (and shouldn’t really need to) use a different saml.config for each environment.


With regards to the Name attribute of the SAMLConfiguration\ServiceProvider element of saml.config, I’ve been told by Component Space support:
[quote]Do you need to use different service provider names?
Although it’s in the form of a URL, it’s really just used as a unique name. It doesn’t necessarily have to point to a web resource etc.[/quote]


This is contradictory to what I am getting. If I enter the domain of the site in the Name attribute, it works, if I enter anything else (like the domain of our live server, or anything random), we get the above error when the IdP tries to redirect back.

So what I’m wondering is, what do I need to do to set up a config that works like this:

<ServiceProvider
Name="SCHEMA_DOMAIN_PORT_FROM_CURRENT_REQUEST"
Description="My SP Application"
AssertionConsumerServiceUrl="~/SamlLoginCallback"/>


(i.e. the Name is dynamically set based on the current request)?

Thanks,
Chris

Hi Chris
You need to ensure that whatever Name you use is also known to the partner identity provider(s).
SAML messages include an issuer field identifying which provider sent the message.
The issuer field for SAML authn requests is set to the Name.
I suspect the “Unable to resolve the peer identification from the message” error means the IdP doesn’t recognize the issuer field value.
If you had to change the name dynamically you would have to set the configuration programmatically rather than using a saml.config file.
However, I suspect it’s just a case of ensuring whatever name you choose for your service provider is configured at the partner identity provider.
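The exchange the reply describes, as an added example that is not code from this thread or from the ComponentSpace library: the SP puts its configured Name into the Issuer of the AuthnRequest, and the IdP resolves that value against the partner SPs it has registered. A name that is not registered is rejected whether or not it is URL-shaped, and a name that is not a URL at all resolves fine once registered. The block also shows the per-request Name from the question built programmatically, restricted to the hosts the application actually serves, since the Host header is client-supplied. The partner table, host list, IdP endpoint and error wording are assumptions for the example.

```python
"""Added example (not code from the thread or from ComponentSpace): how the
IdP resolves the SP from the Issuer of an AuthnRequest, and why the Issuer
(the configured ServiceProvider Name) must match exactly what the IdP has
registered, whether or not it looks like a URL."""
import uuid
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
ET.register_namespace("samlp", SAMLP)
ET.register_namespace("saml", SAML)

# Constructed IdP partner table: SP entity ID (the Name) -> allowed ACS URLs.
# "urn:example:sp" is not a URL at all; it still resolves once registered.
IDP_PARTNERS = {
    "https://www.example.com": {"https://www.example.com/SamlLoginCallback"},
    "https://test1.example.com": {"https://test1.example.com/SamlLoginCallback"},
    "urn:example:sp": {"https://localhost:3003/SamlLoginCallback"},
}
IDP_SSO_URL = "https://idp.example.org/sso"  # assumed IdP endpoint

# Hosts the SP application actually serves (assumed from the question).
KNOWN_HOSTS = {"www.example.com", "app.whitelabel1.com",
               "test1.example.com", "test2.example.com", "localhost:3003"}


class PeerNotFound(Exception):
    """Stand-in for the IdP's 'unable to resolve the peer' failure."""


def build_authn_request(issuer: str, acs_url: str, destination: str) -> str:
    """SP side: a minimal SAML 2.0 AuthnRequest whose <saml:Issuer> is the
    configured ServiceProvider Name (the issuer field the reply mentions)."""
    req = ET.Element(f"{{{SAMLP}}}AuthnRequest", {
        "ID": "_" + uuid.uuid4().hex,
        "Version": "2.0",
        "IssueInstant": datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ"),
        "Destination": destination,
        "AssertionConsumerServiceURL": acs_url,
        "ProtocolBinding": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST",
    })
    ET.SubElement(req, f"{{{SAML}}}Issuer").text = issuer
    return ET.tostring(req, encoding="unicode")


def resolve_peer(authn_request_xml: str, partners: dict) -> str:
    """IdP side: look the Issuer up among registered partners, then check the
    requested ACS URL against that partner's registered endpoints so a known
    issuer cannot steer the response elsewhere.  Returns the entity ID."""
    root = ET.fromstring(authn_request_xml)
    issuer_el = root.find(f"{{{SAML}}}Issuer")
    issuer = (issuer_el.text or "").strip() if issuer_el is not None else ""
    if issuer not in partners:
        raise PeerNotFound(f"unknown issuer {issuer!r}")
    acs = root.get("AssertionConsumerServiceURL")
    if acs not in partners[issuer]:
        raise PeerNotFound(f"ACS {acs!r} not registered for {issuer!r}")
    return issuer


def sp_name_for_request(scheme: str, host: str, known_hosts=KNOWN_HOSTS) -> str:
    """The per-request Name the question asks about, built programmatically.
    The Host header is client-supplied, so it is only accepted when it is one
    of the bindings the application serves; anything else is rejected rather
    than turned into an issuer value."""
    if host not in known_hosts:
        raise ValueError(f"unexpected host {host!r}")
    return f"{scheme}://{host}"


def attempt_login(issuer: str, acs_url: str, partners=IDP_PARTNERS) -> str:
    """One SP -> IdP exchange: returns the resolved entity ID, or a
    'rejected: ...' string describing why the IdP refused the request."""
    request_xml = build_authn_request(issuer, acs_url, IDP_SSO_URL)
    try:
        return resolve_peer(request_xml, partners)
    except PeerNotFound as exc:
        return f"rejected: {exc}"


if __name__ == "__main__":
    # Registered names resolve, URL-shaped or not.
    print(attempt_login("https://www.example.com", "https://www.example.com/SamlLoginCallback"))
    print(attempt_login("urn:example:sp", "https://localhost:3003/SamlLoginCallback"))
    # A dynamically derived Name for test2 is rejected until the IdP registers it.
    name = sp_name_for_request("https", "test2.example.com")
    print(attempt_login(name, "https://test2.example.com/SamlLoginCallback"))
    partners = {**IDP_PARTNERS, name: {"https://test2.example.com/SamlLoginCallback"}}
    print(attempt_login(name, "https://test2.example.com/SamlLoginCallback", partners))
```

The practical reading: whichever Name an environment sends, static or per-request, the IdP needs exactly that string in its partner list, and the ACS URL for that partner registered alongside it. Generating the Name from the request only moves the problem from saml.config to the IdP's registration, and it should only ever produce values from the fixed set of bindings the site actually serves.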