Hello,
We are planning on converting our current application to act as an IDP our use case is SP initiated SSO. We are currently evaluating ComponentSpace library and I would really appreciate if you could help me understand and answer some questions:
1. I did some initial setup so I can see that the authentication request is coming from the SP to our SSO URL, but since the query params (SAMLRequest, RelayState) are base64 encoded and deflated, I was wondering if there is a helper method in ComponentSpace which I could use to decode and inflate these params so I can parse the XML and read values?
2. We are inclining towards using the SAML config programmatically and I was wondering if it's OK to load the SAML configuration on the SSO page where we receive the authn request? Also, I am trying to understand how PartnerCertificateFile is used and do we really need this if we don't have to encrypt the SAML assertion? Asking because we might have to store SP certificates in the database.
3. We will be using a simple form to POST the SAML assertion to the AssertionConsumerServiceURL. Do you know or can you point me to what helper classes/methods I can use to create the response? Is there a CreateResponse() method or something which would take in parameters like attributes, AuthRequestID, NameID, issuer, sign_assertion, sign_algorithm and return the signed response? If not, do you have an example/reference I can see on how to build the response?
Sorry for asking all questions at once but this will really help us move forward!
Thank you,
Vaibhav
1. You call the SAML high-level API SAMLIdentityProvider.ReceiveSSO. This processes the SAML authn request including handling whatever decoding is necessary. You don't have to worry about these details in your code.
2. We recommend loading the SAML configuration once at startup. You would only reload the configuration if it’s been changed but generally this is an infrequent occurrence.
The PartnerCertificateFile is required if the SAML authn request is signed or the SAML assertion is to be encrypted. If neither is the case then the PartnerCertificateFile needn’t be specified.
3. You call the SAML high-level API SAMLIdentityProvider.SendSSO to send a SAML response to the SP. This handles setting the various parameters you mentioned, signing the SAML response or assertion, encoding and posting the message etc.
I recommend taking a look at the example projects under the Example\SSO\HighLevelAPI folder. You'll find ExampleIdentityProvider, MvcExampleIdentityProvider and OwinExampleIdentityProvider projects. These demonstrate calling the high-level API as well as including saml.config files.
If you decide to set the SAML configuration programmatically, I suggest taking a look at the ExampleIdentityProvider’s Global.asax code.
Thank you for the quick response!
1. Yes, I did use SAMLIdentityProvider.ReceiveSSO(), but we want to whitelist the issuer URL in our system so if anyone else sends us an authn request we reject it. We also need to check if the ForceAuthn flag is true or not, so I think we need to parse the query params. Please let me know if there is a utility method to decode base64 and inflate.
2. For saml config please let me explain our use case:
We have many clients and each one of them has a different URL and can act as an IdP. We are planning to create a new authn page which will receive the authn request, so something like https://client1.com/AuthRequest.aspx, https://client2.com/AuthRequest.aspx etc.
Each client can have its own multiple service providers, so for example:
client 1 can have sp1 and sp2 as service providers
client 2 can have sp3 and sp4 as service providers
Do you recommend creating one saml.config file loaded at startup which will have all our clients' "Name" and service provider details? I imagine the file would look like this and wasn't sure if it's a common scenario:
....
Also, is there just one saml.config file for all environments? Or can we create multiple config files, so something like dev-saml.config, stage-saml.config etc.?
3. Awesome! Yes, I was able to use SendSSO() and the assertion posted to our federation service was successful :)
I did look at those examples; they were really helpful, thank you!
1. We don't accept SAML messages from unknown sources. If the issuer field of the authn request doesn't match one of the Name values in saml.config, an exception is thrown.
There's a SAMLIdentityProvider.ReceiveSSO overload that returns SSOOptions. The SSOOptions.ForceAuthn property may be checked by your application.
2. Please refer to our multi-tenancy support. This allows you to specify multiple sets of and , one for each tenant. More information may be found at:
http://www.componentspace.com/Forums/51/SAML-MultiTenancy-Applications
For example:
There’s a single saml.config file.
However, you also have the option of specifying the saml.config via an app setting in your web.config which allows you to switch this based on the build etc.
<add key="SAMLConfigFile" value="dev-saml.config" />
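To show what ReceiveSSO does on your behalf for point 1 above (reversing the HTTP-Redirect binding's base64 + raw DEFLATE encoding, then checking the Issuer against an allowlist and reading ForceAuthn), here is an added example in Python. It is not ComponentSpace code; the entity IDs, query-string builder and AuthnRequest XML are constructed sample values, and it does not verify the request signature, which ReceiveSSO does when a PartnerCertificateFile is configured.

```python
import base64
import urllib.parse
import xml.etree.ElementTree as ET  # production code should reject DTDs (e.g. defusedxml)
import zlib

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
# Constructed allowlist, standing in for the partner SP Name values in saml.config.
ALLOWED_ISSUERS = {"https://sp1.example.com/saml", "https://sp2.example.com/saml"}


def decode_redirect_binding(saml_request_param: str) -> bytes:
    """Reverse the HTTP-Redirect binding: base64 decode, then inflate raw DEFLATE."""
    raw = base64.b64decode(saml_request_param, validate=True)
    return zlib.decompress(raw, -15)  # wbits=-15 selects raw DEFLATE (no zlib header)


def parse_authn_request(xml_bytes: bytes) -> dict:
    """Pull out the fields the IdP needs to decide whether to accept the request."""
    root = ET.fromstring(xml_bytes)
    if root.tag != f"{{{NS['samlp']}}}AuthnRequest":
        raise ValueError("not a samlp:AuthnRequest")
    issuer = root.find("saml:Issuer", NS)
    return {
        "id": root.get("ID"),
        "issuer": issuer.text.strip() if issuer is not None and issuer.text else None,
        "acs_url": root.get("AssertionConsumerServiceURL"),
        "force_authn": root.get("ForceAuthn", "false").lower() == "true",
    }


def check_authn_request(query_string: str) -> dict:
    """Decode the SAMLRequest query param and reject issuers that are not allowlisted."""
    params = urllib.parse.parse_qs(query_string, strict_parsing=True)
    info = parse_authn_request(decode_redirect_binding(params["SAMLRequest"][0]))
    if info["issuer"] not in ALLOWED_ISSUERS:
        raise PermissionError(f"unknown issuer {info['issuer']!r}")
    info["relay_state"] = params.get("RelayState", [None])[0]
    return info


def build_query_string(issuer: str, force_authn: bool = False) -> str:
    """Constructed helper: produce the query string an SP would send, so this runs offline."""
    xml = (f'<samlp:AuthnRequest xmlns:samlp="{NS["samlp"]}" xmlns:saml="{NS["saml"]}" '
           f'ID="_req1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z" '
           f'AssertionConsumerServiceURL="https://sp1.example.com/acs" '
           f'ForceAuthn="{"true" if force_authn else "false"}">'
           f"<saml:Issuer>{issuer}</saml:Issuer></samlp:AuthnRequest>")
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)
    deflated = comp.compress(xml.encode()) + comp.flush()
    return urllib.parse.urlencode({"SAMLRequest": base64.b64encode(deflated).decode(),
                                   "RelayState": "abc123"})
```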