SAML Configuration

Configuration information associated with the high level API may be specified:

  • within the saml.config file in the application’s root directory
  • within a SAML configuration file in some other directory
  • programmatically

If specified within a file, the syntax must comply with the following XML schema.
Any errors in the configuration will be reported when the configuration is first loaded.

SAML Configuration XML Schema

The XML schema file is attached to this topic.


<?xml version="1.0" encoding="utf-8"?>

<schema targetNamespace="urn:componentspace:SAML:2.0:configuration"
        xmlns="http://www.w3.org/2001/XMLSchema"
        xmlns:saml="urn:componentspace:SAML:2.0:configuration"
        elementFormDefault="qualified">

<attribute name="DigestMethod" type="saml:DigestMethodType" default="http://www.w3.org/2000/09/xmldsig#sha1"/>
<attribute name="SignatureMethod" type="saml:SignatureMethodType" default="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
<attribute name="KeyEncryptionMethod" type="saml:KeyEncryptionMethodType" default="http://www.w3.org/2001/04/xmlenc#rsa-1_5"/>
<attribute name="DataEncryptionMethod" type="saml:DataEncryptionMethodType" default="http://www.w3.org/2001/04/xmlenc#aes128-cbc"/>

<enumeration value="http://www.w3.org/2001/04/xmlenc#rsa-1_5"/>
<enumeration value="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p"/>



<enumeration value="http://www.w3.org/2001/04/xmlenc#tripledes-cbc"/>
<enumeration value="http://www.w3.org/2001/04/xmlenc#aes128-cbc"/>
<enumeration value="http://www.w3.org/2001/04/xmlenc#aes192-cbc"/>
<enumeration value="http://www.w3.org/2001/04/xmlenc#aes256-cbc"/>



<enumeration value="http://www.w3.org/2000/09/xmldsig#sha1"/>
<enumeration value="http://www.w3.org/2001/04/xmlenc#sha256"/>



<enumeration value="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
<enumeration value="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>

The following sections describe the SAML configuration.

SAML Configuration
IdentityProvider
The optional IdentityProvider element specifies the configuration for the application when acting as an identity provider.
ServiceProvider
The optional ServiceProvider element specifies the configuration for the application when acting as a service provider.
PartnerIdentityProvider
The optional PartnerIdentityProvider element specifies the configuration for a partner identity provider.
PartnerServiceProvider
The optional PartnerServiceProvider element specifies the configuration for a partner service provider.
ReloadOnConfigurationChange
The optional ReloadOnConfigurationChange attribute specifies whether the application should be reloaded if the configuration changes. The default is true.
TraceLevel
The optional TraceLevel attribute specifies the trace level for logging.
Tracing configuration is specified in the application’s web.config. Refer to section 15.1 for more details. The trace switch value in the <system.diagnostics> section specifies whether verbose trace is enabled or not.
The trace switch may be overridden by specifying a trace level. For example, if the trace switch value in <system.diagnostics> is Off, the trace level may be set to Verbose to enable trace without modifying web.config.
In most scenarios, it’s preferable to modify the trace switch value in <system.diagnostics>.
By default, the trace level is not specified and therefore the trace switch value in <system.diagnostics> applies.
Identity Provider Configuration
There is no identity provider specific configuration.
Service Provider Configuration
AssertionConsumerServiceUrl
The AssertionConsumerServiceUrl attribute specifies the application’s assertion consumer service (ACS) URL. SAML responses will be received at the ACS.
Partner Identity Provider Configuration
SingleSignOnServiceUrl
The optional SingleSignOnServiceUrl attribute specifies the partner identity provider’s single sign-on (SSO) service URL. Authentication requests will be sent to the SSO service. This is only required for SP-initiated SSO.
SingleSignOnServiceBinding
The optional SingleSignOnServiceBinding attribute specifies the transport binding to use when sending authentication requests to the partner identity provider’s SSO service. The default is to use the HTTP-Redirect binding.
SignAuthnRequest
The optional SignAuthnRequest attribute specifies whether authentication requests sent to the partner identity provider should be signed. The default is false.
ForceAuthn
The optional ForceAuthn attribute specifies whether to set the force authentication attribute in authentication requests. The default is false.
WantResponseSigned
The optional WantResponseSigned attribute specifies whether the SAML response from the partner identity provider should be signed. The default is false.
WantAssertionSigned
The optional WantAssertionSigned attribute specifies whether the SAML assertion from the partner identity provider should be signed. The default is false.
WantAssertionEncrypted
The optional WantAssertionEncrypted attribute specifies whether the SAML assertion from the partner identity provider should be encrypted. The default is false.
DisableAudienceRestrictionCheck
The optional DisableAudienceRestrictionCheck attribute specifies whether the check of the audience restriction condition in the SAML assertion is disabled. When true, an assertion the identity provider issued for a different service provider is accepted as if it were addressed to this application. This attribute should only be set to true to work around limitations in the partner identity provider. The default is false.
OverridePendingAuthnRequest
The optional OverridePendingAuthnRequest attribute specifies whether a pending authentication request may be overridden and an IdP-initiated SAML response received. Setting this flag to true supports an SP-initiated SSO flow being supplanted by an IdP-initiated SSO. The default is false.
RequestedAuthnContext
The optional RequestedAuthnContext attribute specifies the requested authentication context to include in authentication requests sent to the partner identity provider. The default is none.
ProviderName
The optional ProviderName attribute specifies the provider name to include in authentication requests sent to the partner identity provider. The default is none.
Partner Service Provider Configuration
AssertionConsumerServiceUrl
The optional AssertionConsumerServiceUrl attribute specifies the partner service provider’s assertion consumer service (ACS) URL. SAML responses will be sent to the ACS.
An AssertionConsumerServiceUrl must be configured for IdP-initiated SSO.
For SP-initiated SSO, the assertion consumer service URL included in the authn request from the service provider will be used. If no assertion consumer service URL is included in the authn request then the AssertionConsumerServiceUrl must be configured for SP-initiated SSO.
WantAuthnRequestSigned
The optional WantAuthnRequestSigned attribute specifies whether the authentication request from the partner service provider should be signed. The default is false.
SignSAMLResponse
The optional SignSAMLResponse attribute specifies whether SAML responses sent to the partner service provider should be signed. The default is false.
SignAssertion
The optional SignAssertion attribute specifies whether SAML assertions sent to the partner service provider should be signed. The default is false.
EncryptAssertion
The optional EncryptAssertion attribute specifies whether SAML assertions sent to the partner service provider should be encrypted. The default is false.
AssertionLifeTime
The optional AssertionLifeTime attribute specifies the NotBefore/NotOnOrAfter time interval for the SAML assertion. The format is hh:mm:ss. The default is 3 minutes.
AuthnContext
The optional AuthnContext attribute specifies the authentication context to include in SAML assertions sent to the partner service provider. The default is urn:oasis:names:tc:saml:2.0:ac:classes:unspecified.
Partner Provider Configuration
PartnerCertificateFile
The optional PartnerCertificateFile attribute specifies the X.509 certificate file for this provider. The certificate file name may be an absolute path or a path relative to the application folder.
PartnerCertificateSerialNumber
The optional PartnerCertificateSerialNumber attribute specifies the X.509 certificate by serial number for this provider. The certificate is retrieved from the local computer’s X.509 certificate store.
PartnerCertificateThumbprint
The optional PartnerCertificateThumbprint attribute specifies the X.509 certificate by thumbprint for this provider. The certificate is retrieved from the local computer’s X.509 certificate store.
PartnerCertificateSubject
The optional PartnerCertificateSubject attribute specifies the X.509 certificate by subject name for this provider. The certificate is retrieved from the local computer’s X.509 certificate store.
SingleLogoutServiceUrl
The SingleLogoutServiceUrl attribute specifies the partner provider’s single logout (SLO) service URL. Logout requests will be sent to the SLO service.
SingleLogoutServiceResponseUrl
The SingleLogoutServiceResponseUrl attribute specifies the partner provider’s single logout (SLO) service response URL. Logout responses will be sent to the SLO response service. If not specified then logout responses are sent to the same URL as logout requests.
SingleLogoutServiceBinding
The optional SingleLogoutServiceBinding attribute specifies the transport binding to use when sending logout messages to the partner provider’s SLO service. The default is to use the HTTP-Redirect binding.
LogoutRequestLifeTime
The optional LogoutRequestLifeTime attribute specifies the NotOnOrAfter time interval for the logout request. The format is hh:mm:ss. The default is 3 minutes.
DisableInboundLogout
The optional DisableInboundLogout attribute specifies whether logout requests received from the partner provider are rejected as unsupported. The default is false.
DisableOutboundLogout
The optional DisableOutboundLogout attribute specifies whether sending logout requests to the partner provider is disabled. The default is false.
DisableInResponseToCheck
The optional DisableInResponseToCheck attribute specifies whether the check of the SAML message's InResponseTo attribute against the pending request is disabled. The check ties a response to the request that triggered it; with the check disabled, a response that answers no outstanding request (an unsolicited or replayed one) is accepted. This attribute should only be set to true to work around limitations in the partner provider. The default is false.
SignLogoutRequest
The optional SignLogoutRequest attribute specifies whether logout requests sent to the partner provider should be signed. The default is false.
SignLogoutResponse
The optional SignLogoutResponse attribute specifies whether logout responses sent to the partner provider should be signed. The default is false.
WantLogoutRequestSigned
The optional WantLogoutRequestSigned attribute specifies whether the logout request from the partner provider should be signed. The default is false.
WantLogoutResponseSigned
The optional WantLogoutResponseSigned attribute specifies whether the logout response from the partner provider should be signed. The default is false.
UseEmbeddedCertificate
The optional UseEmbeddedCertificate attribute specifies whether the certificate embedded in the XML signature should be used when verifying the signature. If false then a configured certificate retrieved from the certificate manager is used. The default is false.
If true, the signature is checked against whatever certificate the sender placed in the message, so a valid signature shows only that the sender holds the key for that certificate, not that the sender is the configured partner. Keep it false in production and verify against the configured partner certificate.
NameIDFormat
The optional NameIDFormat attribute specifies the name identifier format to include in SAML assertions sent to the partner service provider or in authn requests sent to the partner identity provider. The default is urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified.
DigestMethod
The optional DigestMethod attribute specifies the XML signature digest method. The default is http://www.w3.org/2000/09/xmldsig#sha1. SHA-1 is deprecated for signatures; where the partner supports it, specify http://www.w3.org/2001/04/xmlenc#sha256, the other value the schema permits.
SignatureMethod
The optional SignatureMethod attribute specifies the XML signature method. The default is http://www.w3.org/2000/09/xmldsig#rsa-sha1. For the same reason, prefer http://www.w3.org/2001/04/xmldsig-more#rsa-sha256.
KeyEncryptionMethod
The optional KeyEncryptionMethod attribute specifies the XML encryption key encryption method. The default is http://www.w3.org/2001/04/xmlenc#rsa-1_5. RSA PKCS#1 v1.5 key transport is exposed to padding-oracle (Bleichenbacher) attacks; prefer http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p.
DataEncryptionMethod
The optional DataEncryptionMethod attribute specifies the XML encryption data encryption method. The default is http://www.w3.org/2001/04/xmlenc#aes128-cbc. Avoid http://www.w3.org/2001/04/xmlenc#tripledes-cbc; the AES-CBC values differ only in key length. Encryption does not replace signing: CBC encryption alone does not protect integrity, so also require a signature (WantAssertionSigned or WantResponseSigned).
ClockSkew
The optional ClockSkew attribute specifies the time span to allow for differences between local and partner computer clocks when checking time intervals. The default is no clock skew.
Provider Configuration
Name
The Name attribute specifies the name of the provider.
LocalCertificateFile
The optional LocalCertificateFile attribute specifies the X.509 certificate file for this provider. The certificate file name may be an absolute path or a path relative to the application folder.
LocalCertificatePassword
The optional LocalCertificatePassword attribute specifies the password associated with the X.509 certificate file for this provider.
Certificate files (.pfx) that include the private key should be protected by a password.
Certificate files (.cer) that do not include a private key are not password protected.
The certificate password must be kept secure. In a test environment using a test certificate, specifying the password using the LocalCertificatePassword attribute is acceptable.
For a production certificate, the password should be stored encrypted in web.config. Refer to the LocalCertificatePasswordKey attribute for more details.
LocalCertificatePasswordKey
The optional LocalCertificatePasswordKey attribute specifies the web.config’s appSettings key for the certificate file password.
For example, if the LocalCertificatePasswordKey attribute value is localCertificatePassword, then under the web.config’s appSettings section, an entry with the key name localCertificatePassword is expected and the entry value is used as the password.
By encrypting the appSettings section using the aspnet_regiis utility, the certificate file password is secured.
LocalCertificateSerialNumber
The optional LocalCertificateSerialNumber attribute specifies the X.509 certificate by serial number for this provider. The certificate is retrieved from the local computer’s X.509 certificate store.
LocalCertificateThumbprint
The optional LocalCertificateThumbprint attribute specifies the X.509 certificate by thumbprint for this provider. The certificate is retrieved from the local computer’s X.509 certificate store.
LocalCertificateSubject
The optional LocalCertificateSubject attribute specifies the X.509 certificate by subject name for this provider. The certificate is retrieved from the local computer’s X.509 certificate store.
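As an added check for the partner provider settings above and the LocalCertificatePassword guidance, here is a small lint (example code, not ComponentSpace's) that reads a saml.config and reports the settings a reviewer should question: the SHA-1, RSA-SHA1 and RSA PKCS#1 v1.5 defaults that apply when the algorithm attributes are absent, check-disabling flags set to true, partners with no signing requirement, and a clear-text LocalCertificatePassword. The root element name and namespace are those of saml.config; the document embedded in the block is constructed for this example and its provider names and file names are invented.

```python
"""Lint a saml.config for the weak settings the configuration reference calls out.

Added example, not ComponentSpace code: attribute names, defaults and algorithm URIs are
taken from the reference; the sample configuration below is constructed.
"""
import xml.etree.ElementTree as ET

# Documented defaults of the partner algorithm attributes.
ALGORITHM_DEFAULTS = {
    "DigestMethod": "http://www.w3.org/2000/09/xmldsig#sha1",
    "SignatureMethod": "http://www.w3.org/2000/09/xmldsig#rsa-sha1",
    "KeyEncryptionMethod": "http://www.w3.org/2001/04/xmlenc#rsa-1_5",
    "DataEncryptionMethod": "http://www.w3.org/2001/04/xmlenc#aes128-cbc",
}
# Schema-permitted values to flag, each paired with the stronger value from the same enumeration.
WEAK_ALGORITHMS = {
    "http://www.w3.org/2000/09/xmldsig#sha1": "http://www.w3.org/2001/04/xmlenc#sha256",
    "http://www.w3.org/2000/09/xmldsig#rsa-sha1": "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256",
    "http://www.w3.org/2001/04/xmlenc#rsa-1_5": "http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p",
    "http://www.w3.org/2001/04/xmlenc#tripledes-cbc": "http://www.w3.org/2001/04/xmlenc#aes256-cbc",
}
# Attributes that switch a protection off when true (each defaults to false).
DANGEROUS_WHEN_TRUE = {
    "UseEmbeddedCertificate": "signature checked against the sender-supplied certificate",
    "DisableAudienceRestrictionCheck": "assertions issued for another SP are accepted",
    "DisableInResponseToCheck": "responses are not tied to a pending request",
}
# Per partner type: signing attributes of which at least one should be true, and the consequence otherwise.
SIGNATURE_REQUIREMENTS = {
    "PartnerIdentityProvider": (("WantResponseSigned", "WantAssertionSigned"), "inbound messages accepted unsigned"),
    "PartnerServiceProvider": (("SignSAMLResponse", "SignAssertion"), "outbound messages sent unsigned"),
}


def _local_name(element):
    return element.tag.rsplit("}", 1)[-1]  # '{namespace}Foo' -> 'Foo'


def _is_true(value):
    return value is not None and value.strip().lower() == "true"


def lint_partner(element):
    """Findings for one PartnerIdentityProvider / PartnerServiceProvider element."""
    attrs, findings = element.attrib, []
    for name, default in ALGORITHM_DEFAULTS.items():
        value = attrs.get(name, default)  # an absent attribute means the documented default applies
        if value in WEAK_ALGORITHMS:
            origin = "explicit" if name in attrs else "default"
            findings.append(f"{name}={value} ({origin}); use {WEAK_ALGORITHMS[value]}")
    for name, consequence in DANGEROUS_WHEN_TRUE.items():
        if _is_true(attrs.get(name)):
            findings.append(f"{name}=true: {consequence}")
    required, consequence = SIGNATURE_REQUIREMENTS[_local_name(element)]
    if not any(_is_true(attrs.get(name)) for name in required):
        findings.append(f"none of {', '.join(required)} is true: {consequence}")
    return findings


def lint_local(element):
    """Findings for the application's own IdentityProvider / ServiceProvider element."""
    if "LocalCertificatePassword" in element.attrib:
        return ["LocalCertificatePassword stored in clear text; use LocalCertificatePasswordKey"]
    return []


def lint_config(xml_text):
    """Return [(provider Name, finding), ...] for every provider element in a saml.config document."""
    results = []
    for element in ET.fromstring(xml_text):
        tag = _local_name(element)
        if tag in SIGNATURE_REQUIREMENTS:
            findings = lint_partner(element)
        elif tag in ("IdentityProvider", "ServiceProvider"):
            findings = lint_local(element)
        else:
            continue
        results.extend((element.get("Name", "?"), f) for f in findings)
    return results


def findings_for(xml_text, provider_name):
    return [f for name, f in lint_config(xml_text) if name == provider_name]


# Constructed sample: a local IdP with a clear-text PFX password, a partner IdP left on
# the documented defaults with its checks switched off, and a hardened partner IdP.
SAMPLE_CONFIG = """<?xml version="1.0"?>
<SAMLConfiguration xmlns="urn:componentspace:SAML:2.0:configuration">
  <IdentityProvider Name="urn:example:idp" LocalCertificateFile="idp.pfx" LocalCertificatePassword="changeit"/>
  <ServiceProvider Name="urn:example:sp" AssertionConsumerServiceUrl="~/SAML/AssertionConsumerService"
                   LocalCertificateFile="sp.pfx" LocalCertificatePasswordKey="localCertificatePassword"/>
  <PartnerIdentityProvider Name="urn:example:weak-idp" SingleSignOnServiceUrl="https://weak-idp.example/sso"
                           UseEmbeddedCertificate="true" DisableAudienceRestrictionCheck="true"
                           DisableInResponseToCheck="true" PartnerCertificateFile="weak-idp.cer"/>
  <PartnerIdentityProvider Name="urn:example:hardened-idp" SingleSignOnServiceUrl="https://idp.example/sso"
                           WantResponseSigned="true" WantAssertionSigned="true" WantAssertionEncrypted="true"
                           DigestMethod="http://www.w3.org/2001/04/xmlenc#sha256"
                           SignatureMethod="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"
                           KeyEncryptionMethod="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p"
                           DataEncryptionMethod="http://www.w3.org/2001/04/xmlenc#aes256-cbc"
                           PartnerCertificateFile="idp.cer"/>
</SAMLConfiguration>
"""

if __name__ == "__main__":
    for name, finding in lint_config(SAMPLE_CONFIG):
        print(f"{name}: {finding}")
```

Run against a real file with `lint_config(open("saml.config").read())`. The weak partner produces seven findings (three algorithm defaults, three disabled checks, and the missing signing requirement); the hardened partner produces none, which is the shape a production saml.config should reach.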



Is it possible to configure an IDP and SP in the same saml.config?

When I try to add a ServiceProvider to an IDP, the SAML Configuration schema validation fails.

I have this scenario of configuring an adaptor that works as an IDP and SP depending on endpoints.

Yes, you can include both in the same saml.config. This is required if your application is acting as both the IdP and SP and we have a number of customers who do this. The two parts of the configuration are independent of each other.
Could you please tell me the specific error you get, i.e. the stack trace (Exception.ToString())?
Also, please either attach your saml.config to this post or email it to us at support@componentspace.com.
Thanks.

Here is the error message when I run the validateconfig on it and on load

C:\Program Files (x86)\ComponentSpace SAML v2.0 for .NET\Examples\Utility\ValidateConfig\bin\Release>validateconfig saml.config
Validating saml.config.
ComponentSpace.SAML2 Verbose: 0 : 9:54:55 AM: ComponentSpace.SAML2, Version=2.5.0.6, Culture=neutral, PublicKeyToken=7c51d97b3a0a8ff9
ComponentSpace.SAML2 Verbose: 0 : 9:54:55 AM: A schema validation error occurred in at line 0, column 0. The element 'SAMLConfiguration' in namespace 'urn:componentspace:SAML:2.0:configuration' has invalid child element 'PartnerIdentityProvider' in namespace 'urn:componentspace:SAML:2.0:configuration'. List of possible elements expected: 'PartnerServiceProvider' in namespace 'urn:componentspace:SAML:2.0:configuration'.
ComponentSpace.SAML2 Verbose: 0 : 9:54:55 AM: Exception: ComponentSpace.SAML2.Exceptions.SAMLException: One or more configuration XML schema validation errors occurred.
ComponentSpace.SAML2.Exceptions.SAMLException: One or more configuration XML schema validation errors occurred.
   at ComponentSpace.SAML2.Configuration.SchemaValidator.ValidateConfiguration(XmlDocument xmlDocument) in c:\Sandboxes\ComponentSpace\SAMLv20\Library\Configuration\SchemaValidator.cs:line 77
   at ComponentSpace.SAML2.Configuration.SAMLConfiguration.Validate(String fileName) in c:\Sandboxes\ComponentSpace\SAMLv20\Library\Configuration\SAMLConfiguration.cs:line 120
   at ValidateConfig.Program.Main(String[] args) in c:\Program Files (x86)\ComponentSpace SAML v2.0 for .NET\Examples\Utility\ValidateConfig\Program.cs:line 35


SAML Config

<?xml version="1.0"?>
<SAMLConfiguration xmlns="urn:componentspace:SAML:2.0:configuration">

  <IdentityProvider Name="http://aldev.test.com/esaml"
                    CertificateSubject="CN=ALDEV.test.com"/>
  <ServiceProvider Name="urn:componentspace:MvcExampleServiceProvider"
                   AssertionConsumerServiceUrl="~/SAML/AssertionConsumerService"
                   CertificateFile="Certificates\sp.cer"/>

  <PartnerServiceProvider Name="https://test-preview.test.com"
                          WantAuthnRequestSigned="false"
                          SignSAMLResponse="true"
                          SignAssertion="true"
                          EncryptAssertion="false"
                          AssertionConsumerServiceUrl="https://test-preview.test.com/saml/sso"
                          SingleLogoutServiceUrl="https://test-preview.test.com/saml/sso/logged-out.jspa"
                          CertificateFile="test.cer"/>

  <PartnerIdentityProvider Name="http://www.test.com/kt2ooznvAPBLMODHBWSI"
                           SignAuthnRequest="true"
                           WantSAMLResponseSigned="true"
                           SingleSignOnServiceUrl="https://test-staging.test.com/app/template_saml_2_0/kt2ooznvAPBLMODHBWSI/sso/saml"
                           CertificateFile="Certificates\sp.cer"/>

</SAMLConfiguration>

<?xml version="1.0"?>
<SAMLConfiguration xmlns="urn:componentspace:SAML:2.0:configuration">

  <IdentityProvider Name="http://aldev.test.com/esaml"
                    CertificateSubject="CN=ALDEV.test.com"/>
  <ServiceProvider Name="urn:componentspace:MvcExampleServiceProvider"
                   AssertionConsumerServiceUrl="~/SAML/AssertionConsumerService"
                   CertificateFile="Certificates\sp.cer"/>

  <PartnerIdentityProvider Name="http://www.test.com/kt2ooznvAPBLMODHBWSI"
                           SignAuthnRequest="true"
                           WantSAMLResponseSigned="true"
                           SingleSignOnServiceUrl="https://test-staging.test.com/app/template_saml_2_0/kt2ooznvAPBLMODHBWSI/sso/saml"
                           CertificateFile="Certificates\sp.cer"/>

  <PartnerServiceProvider Name="https://test-preview.test.com"
                          WantAuthnRequestSigned="false"
                          SignSAMLResponse="true"
                          SignAssertion="true"
                          EncryptAssertion="false"
                          AssertionConsumerServiceUrl="https://test-preview.test.com/saml/sso"
                          SingleLogoutServiceUrl="https://test-preview.test.com/saml/sso/logged-out.jspa"
                          CertificateFile="test.cer"/>

</SAMLConfiguration>

Thanks, that did help get past the saml loading issue, but I ran into another issue when trying to InitiateSSO in the identity provider.

It's the same config and the identity provider has the private key, but it can't find it when the service provider is configured in the same instance.

The local provider X.509 certificate doesn’t have a private key.

Description: An unhandled exception occurred during the execution of the current web request. Please review the stack trace for more information about the error and where it originated in the code.
Exception Details: ComponentSpace.SAML2.Exceptions.SAMLException: The local provider X.509 certificate doesn’t have a private key.
Source Error:
Line 63: {
Line 64: // send IDP Initiated SAML to Jive
Line 65: SAMLIdentityProvider.InitiateSSO(
Line 66: Response,
Line 67: OktaUser.Name,

Source File: c:\Users\alag6020\Documents\Visual Studio 2013\Projects\esaml\esaml\Controllers\OktaController.cs Line: 65
Stack Trace:
[SAMLException: The local provider X.509 certificate doesn't have a private key.]
   ComponentSpace.SAML2.Configuration.SAMLConfiguration.GetLocalCertificate() in c:\Sandboxes\ComponentSpace\SAMLv20\Library\Configuration\SAMLConfiguration.cs:363
   ComponentSpace.SAML2.SAMLIdentityProvider.CreateSAMLResponse(String userName, SAMLAttribute[] attributes) in c:\Sandboxes\ComponentSpace\SAMLv20\Library\SAMLIdentityProvider.cs:364
   ComponentSpace.SAML2.SAMLIdentityProvider.InitiateSSO(HttpResponseBase httpResponse, String userName, SAMLAttribute[] attributes, String relayState, String partnerSP) in c:\Sandboxes\ComponentSpace\SAMLv20\Library\SAMLIdentityProvider.cs:479
   ComponentSpace.SAML2.SAMLIdentityProvider.InitiateSSO(HttpResponseBase httpResponse, String userName, IDictionary attributes, String relayState, String partnerSP) in c:\Sandboxes\ComponentSpace\SAMLv20\Library\SAMLIdentityProvider.cs:453
   esaml.Controllers.OktaController.AssertionConsumerService(String SAMLResponse, String RelayState) in c:\Users\alag6020\Documents\Visual Studio 2013\Projects\esaml\esaml\Controllers\OktaController.cs:65
   lambda_method(Closure , ControllerBase , Object[] ) +245
   System.Web.Mvc.ActionMethodDispatcher.Execute(ControllerBase controller, Object[] parameters) +59
   System.Web.Mvc.ReflectedActionDescriptor.Execute(ControllerContext controllerContext, IDictionary parameters) +435
   System.Web.Mvc.ControllerActionInvoker.InvokeActionMethod(ControllerContext controllerContext, ActionDescriptor actionDescriptor, IDictionary parameters) +60
   System.Web.Mvc.Async.ActionInvocation.InvokeSynchronousActionMethod() +76
   System.Web.Mvc.Async.AsyncControllerActionInvoker.b__36(IAsyncResult asyncResult, ActionInvocation innerInvokeState) +36
   System.Web.Mvc.Async.WrappedAsyncResult.CallEndDelegate(IAsyncResult asyncResult) +73
   System.Web.Mvc.Async.WrappedAsyncResultBase.End() +136
   System.Web.Mvc.Async.AsyncResultWrapper.End(IAsyncResult asyncResult, Object tag) +102
   System.Web.Mvc.Async.AsyncControllerActionInvoker.EndInvokeActionMethod(IAsyncResult asyncResult) +49
   System.Web.Mvc.Async.AsyncInvocationWithFilters.b__3c() +117
   System.Web.Mvc.Async.<>c__DisplayClass45.b__3e() +323
   System.Web.Mvc.Async.<>c__DisplayClass30.b__2f(IAsyncResult asyncResult) +44
   System.Web.Mvc.Async.WrappedAsyncResult.CallEndDelegate(IAsyncResult asyncResult) +47
   System.Web.Mvc.Async.WrappedAsyncResultBase.End() +136
   System.Web.Mvc.Async.AsyncResultWrapper.End(IAsyncResult asyncResult, Object tag) +102
   System.Web.Mvc.Async.AsyncControllerActionInvoker.EndInvokeActionMethodWithFilters(IAsyncResult asyncResult) +50
   System.Web.Mvc.Async.<>c__DisplayClass28.b__19() +72
   System.Web.Mvc.Async.<>c__DisplayClass1e.b__1b(IAsyncResult asyncResult) +185
   System.Web.Mvc.Async.WrappedAsyncResult.CallEndDelegate(IAsyncResult asyncResult) +42
   System.Web.Mvc.Async.WrappedAsyncResultBase.End() +133
   System.Web.Mvc.Async.AsyncResultWrapper.End(IAsyncResult asyncResult, Object tag) +56
   System.Web.Mvc.Async.AsyncControllerActionInvoker.EndInvokeAction(IAsyncResult asyncResult) +40
   System.Web.Mvc.Controller.b__1d(IAsyncResult asyncResult, ExecuteCoreState innerState) +34
   System.Web.Mvc.Async.WrappedAsyncVoid.CallEndDelegate(IAsyncResult asyncResult) +70
   System.Web.Mvc.Async.WrappedAsyncResultBase.End() +139
   System.Web.Mvc.Async.AsyncResultWrapper.End(IAsyncResult asyncResult, Object tag) +59
   System.Web.Mvc.Async.AsyncResultWrapper.End(IAsyncResult asyncResult, Object tag) +40
   System.Web.Mvc.Controller.EndExecuteCore(IAsyncResult asyncResult) +44
   System.Web.Mvc.Controller.b__15(IAsyncResult asyncResult, Controller controller) +39
   System.Web.Mvc.Async.WrappedAsyncVoid.CallEndDelegate(IAsyncResult asyncResult) +62
   System.Web.Mvc.Async.WrappedAsyncResultBase.End() +139
   System.Web.Mvc.Async.AsyncResultWrapper.End(IAsyncResult asyncResult, Object tag) +59
   System.Web.Mvc.Async.AsyncResultWrapper.End(IAsyncResult asyncResult, Object tag) +40
   System.Web.Mvc.Controller.EndExecute(IAsyncResult asyncResult) +39
   System.Web.Mvc.Controller.System.Web.Mvc.Async.IAsyncController.EndExecute(IAsyncResult asyncResult) +39
   System.Web.Mvc.MvcHandler.b__4(IAsyncResult asyncResult, ProcessRequestState innerState) +39
   System.Web.Mvc.Async.WrappedAsyncVoid.CallEndDelegate(IAsyncResult asyncResult) +70
   System.Web.Mvc.Async.WrappedAsyncResultBase.End() +139
   System.Web.Mvc.Async.AsyncResultWrapper.End(IAsyncResult asyncResult, Object tag) +59
   System.Web.Mvc.Async.AsyncResultWrapper.End(IAsyncResult asyncResult, Object tag) +40
   System.Web.Mvc.MvcHandler.EndProcessRequest(IAsyncResult asyncResult) +40
   System.Web.Mvc.MvcHandler.System.Web.IHttpAsyncHandler.EndProcessRequest(IAsyncResult result) +38
   System.Web.CallHandlerExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute() +9514812
   System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously) +155

Which version of the SAML2 DLL do you have?
http://www.componentspace.com/Forums/31/Determining-the-Component-Version-and-License
An earlier version of the component didn’t handle distinct certificates for the local identity provider and service provider correctly.

https://www.componentspace.com/forums/uploads/images/c8091745-6a70-45d9-a7c4-653f.jpg

The current version is 2.5.0.14. Please move up to the latest version.
If you’re using an evaluation version, please download the latest version from our web site.
If you’ve purchased a license, please contact support@componentspace.com.
Thanks.

When I add the new version of ComponentSpace, i.e. 2.6.0.17, it shows that Current is not a member of ComponentSpace.SAML2.Configuration:
SAMLConfiguration.Current = samlConfig

Thanks for the clarification.
Generally we maintain backward compatibility but we did break it in this instance as part of the refactoring of the SAML configuration classes.
Instead of setting SAMLConfiguration.Current you now set SAMLController.Configuration.
You’ll see an example of this at:
http://www.componentspace.com/Forums/38/Specifying-the-SAML-Configuration-Programmatically

[quote]
ComponentSpace - 12/27/2016
Thanks for the clarification.
Generally we maintain backward compatibility but we did break it in this instance as part of the refactoring of the SAML configuration classes.
Instead of setting SAMLConfiguration.Current you now set SAMLController.Configuration.
You'll see an example of this at:
http://www.componentspace.com/Forums/38/Specifying-the-SAML-Configuration-Programmatically
[/quote]

Awesome, I was wondering where that static property went! However, the SAMLConfiguration.Load() method also seems to have disappeared in between version 2.5.0.16 and 2.6.0.13. What is the modern way of handling that call?

Do you mean, how do you load the SAML configuration file?
This occurs automatically. You don’t need to call the API.

[quote]
ComponentSpace - 1/27/2017
Do you mean, how do you load the SAML configuration file?
This occurs automatically. You don't need to call the API.
[/quote]

You mean by using the SamlConfigFile config key?

By default we look for the saml.config in your application’s root folder (ie the same folder as your main web.config).
The SamlConfigFile config key is only required if the file is located elsewhere.
The simplest approach is to not specify SamlConfigFile and to include the saml.config in your application’s root folder.

I have upgraded to the new DLL from the older one.
So I changed some code after the upgrade:
Old:
SAMLConfiguration.Current = samlConfiguration;

New Change:
SAMLController.Configuration = samlConfiguration;

But I am facing issues after the changes, with the following error:
SAML2ResponseErrorPage

No partner identity providers have been configured

Can you please help on this.

Please take a look at the following forum post.
http://www.componentspace.com/Forums/38/Specifying-the-SAML-Configuration-Programmatically
You need to call AddPartnerIdentityProvider as shown.
If there’s still an issue and you prefer not to post code here you’re welcome to email support@componentspace.com and we can take a look at your code.
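The two support replies above describe the post-2.6 way of configuring the component in code: build a SAMLConfiguration, call AddPartnerIdentityProvider for each partner IdP, and assign it to SAMLController.Configuration instead of SAMLConfiguration.Current. The following is an added example, not ComponentSpace's own sample code. The configuration property names (LocalServiceProviderConfiguration, AssertionConsumerServiceUrl, LocalCertificateFile, LocalCertificatePassword, SingleSignOnServiceUrl, PartnerCertificateFile, SignAuthnRequest, WantSAMLResponseSigned, WantAssertionSigned, WantAssertionEncrypted) are assumed from the component's configuration model, and the entity IDs, URLs, file names and password are constructed placeholders. The private-key check at the top addresses the "local provider X.509 certificate doesn't have a private key" error from the start of this thread, and the partner IdP registration addresses the "No partner identity providers have been configured" error.

```csharp
using System;
using System.IO;
using System.Security.Cryptography.X509Certificates;
using ComponentSpace.SAML2;
using ComponentSpace.SAML2.Configuration;

// Added example: programmatic SAML configuration for the 2.6+ API discussed in this thread.
// Entity IDs, URLs, file names and the password are constructed placeholders.
public static class SamlConfigurationSetup
{
    // Hypothetical paths and password; in practice read the password from a secret store.
    private const string LocalCertificateFile = "sp.pfx";      // must contain the private key
    private const string LocalCertificatePassword = "password";
    private const string PartnerCertificateFile = "idp.cer";   // public key only

    public static void Configure(string appRootPath)
    {
        // A local certificate that carries only the public key produces the
        // "doesn't have a private key" exception at the first SSO. Fail at start-up instead.
        EnsureHasPrivateKey(Path.Combine(appRootPath, LocalCertificateFile), LocalCertificatePassword);

        var samlConfiguration = new SAMLConfiguration();

        samlConfiguration.LocalServiceProviderConfiguration = new LocalServiceProviderConfiguration()
        {
            Name = "urn:example:service-provider",                   // constructed SP entity ID
            AssertionConsumerServiceUrl = "~/SAML/AssertionConsumerService",
            LocalCertificateFile = LocalCertificateFile,
            LocalCertificatePassword = LocalCertificatePassword
        };

        // Without at least one partner IdP the component reports
        // "No partner identity providers have been configured".
        samlConfiguration.AddPartnerIdentityProvider(new PartnerIdentityProviderConfiguration()
        {
            Name = "https://idp.example.test/saml",                  // constructed IdP entity ID
            SingleSignOnServiceUrl = "https://idp.example.test/saml/sso",
            PartnerCertificateFile = PartnerCertificateFile,
            SignAuthnRequest = true,
            // Require a signature on the response and the assertion so that an
            // unsigned or tampered SAML response is rejected rather than trusted.
            WantSAMLResponseSigned = true,
            WantAssertionSigned = true,
            WantAssertionEncrypted = false
        });

        // Replaces the pre-2.6 "SAMLConfiguration.Current = samlConfiguration;" assignment.
        SAMLController.Configuration = samlConfiguration;
    }

    // Loads the PFX and refuses to continue if it does not include a private key.
    public static void EnsureHasPrivateKey(string pfxPath, string password)
    {
        if (!File.Exists(pfxPath))
        {
            throw new FileNotFoundException("Local SP certificate not found", pfxPath);
        }

        var certificate = new X509Certificate2(pfxPath, password);
        try
        {
            if (!certificate.HasPrivateKey)
            {
                throw new InvalidOperationException(
                    "Certificate " + certificate.Subject +
                    " has no private key; export it as a PFX that includes the key.");
            }
        }
        finally
        {
            certificate.Reset();
        }
    }
}
```

Call SamlConfigurationSetup.Configure(Server.MapPath("~")) once at application start (for example from Application_Start in Global.asax) before any SSO request is handled. If the configuration is instead loaded from a saml.config file, the same private-key check is still worth running at start-up against the file named by LocalCertificateFile.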

[quote]
ComponentSpace - 3/23/2017
Please take a look at the following forum post.
http://www.componentspace.com/Forums/38/Specifying-the-SAML-Configuration-Programmatically
You need to call AddPartnerIdentityProvider as shown.
If there's still an issue and you prefer not to post code here you're welcome to email support@componentspace.com and we can take a look at your code.
[/quote]

We load the SAML configuration from a metadata file. It's an XML file that is loaded. I guess the error is due to the change, as in the "out Attributes" I am receiving a null value.

Can you confirm the SAML metadata you’re loading includes an IDPSSODescriptor?
Does your code call AddPartnerIdentityProvider?
[quote]
ComponentSpace - 3/23/2017
Can you confirm the SAML metadata you're loading includes an IDPSSODescriptor?
Does your code call AddPartnerIdentityProvider?
[/quote]

Hello Team,

I fixed the issue. The issue was with the SAMLConfiguration XML: it did not include the Node. I think this is included in the new version.
Thanks for your Support.

Thanks.