Support for running as an idp with IdentityServer 4 v3 (v3.1.2) running under .Net Core 3.1

For the life of me I can’t get the integration to work. The document states to use “AddSamlMiddleware” if you don’t want to provide your own SAML controller. I tried that but the configured “/SAML/SingleSignOnService” idp endpoint returns a 404. I tried providing the sample SamlController.cs from the integration docs and removing AddSamlMiddleware, but then it complained no middleware was registered for SAML. I tried including both but still a no-go. Compounding the difficulty is that you have no full working sample, just incomplete snippets. The document even links to a snippet of the SamlController.cs for the idp but leads to a snippet of the Startup class instead. Also the standard Startup class has changed and it’s not clear in which order the UseSaml and app.Use statements belong. Could you verify this integration works and, if possible, provide a sample project. Thank you.

Edit: adding the following attributes to the controller helped move forward, but I would still like info on whether SamlController is required if just using AddSamlMiddleware:


Edit 2: As a secondary question, how do I get the email of the user into the returned SAML claims? Normally in IdentityServer4 this is configured in the client’s scopes, but it’s not clear how to do that with the ComponentSpace SAML component since there’s no client configured for it.

Edit 3: Using the IdentityServer4 Quickstart I added the email claim manually in SamlController like this. Is this the right approach?

// Requires: using IdentityServer4.Test;
private readonly TestUserStore _users;

Added the following to the constructor of SamlController (the TestUserStore parameter and the _users assignment):

// Requires: using IdentityServer4.Models; using IdentityServer4.Services; using IdentityServer4.Stores;
public SamlController(
    ISamlIdentityProvider samlIdentityProvider,
    IIdentityServerInteractionService identityServerInteractionService,
    IMessageStore<LogoutMessage> logoutMessageStore,
    TestUserStore users = null)
{
    _samlIdentityProvider = samlIdentityProvider;
    _identityServerInteractionService = identityServerInteractionService;
    _logoutMessageStore = logoutMessageStore;

    // if the TestUserStore is not in DI, then we’ll just use the global users collection
    // this is where you would plug in your own custom identity management library (e.g. ASP.NET Identity)
    _users = users ?? new TestUserStore(TestUsers.Users);
}

Then in the “CompleteSsoAsync” method I added:

// Requires: using System.Linq; using System.Security.Claims;
var user = _users.FindByUsername(userName);
// Look up the email claim stored for the test user; guard against a user with no email claim
var emailClaim = user?.Claims.FirstOrDefault(c => c.Type == "email");
if (emailClaim != null)
{
    attributes.Add(new SamlAttribute(ClaimTypes.Email, emailClaim.Value));
}

You have the option of either using the SAML middleware or your own SAML controller which then calls the SAML API. You shouldn’t use both approaches. A SAML controller is not required if using the SAML middleware.

I’m not sure why you received a 404. It sounds like the SAML middleware hasn’t been set up correctly. In the ConfigureServices method you call services.AddSaml and services.AddSamlMiddleware, and in the Configure method you call app.UseSaml().

If there’s still an issue, please enable SAML trace and send the generated log file as an email attachment to mentioning your forum post.

We don’t ship IdentityServer4. Rather, we supply snippets of coding and documentation explaining what needs to be added for the integration.

Please include your Startup source code with modifications when you email us. We can check this and make any necessary changes.

I think the IdentityServer4 Integration Guide needs a refresh. I’ll see that this is added to our backlog.

The SAML claims consist of the SAML NameID and SAML attributes returned in the SAML assertion. The SAML middleware constructs these claims from those in the HttpContext.User (i.e. the logged-in user). These are retrieved from the Claims included in the HttpContext.User. If the user’s email address is to be returned in the SAML assertion, ensure a corresponding claim is added to the ClaimsPrincipal when the user is logged in.
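As an added example (not ComponentSpace’s or IdentityServer4’s own code) of the approach described in the reply above, this shows the IdentityServer4 Quickstart login step putting the user’s email claim onto the ClaimsPrincipal at sign-in, so the SAML middleware finds it in HttpContext.User without any change to SamlController. It assumes the Quickstart’s TestUserStore and IdentityServerUser sign-in extension, and the SignInWithEmailAsync helper name is an assumption.

```csharp
// Added example (not ComponentSpace's or IdentityServer4's own code).
// Assumes the IdentityServer4 Quickstart AccountController backed by a TestUserStore.
using System.Linq;
using System.Security.Claims;
using System.Threading.Tasks;
using IdentityModel;
using IdentityServer4;
using IdentityServer4.Test;
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Mvc;

public class AccountController : Controller
{
    private readonly TestUserStore _users;

    public AccountController(TestUserStore users)
    {
        _users = users;
    }

    // Hypothetical helper, called once the login form's credentials have been
    // validated with _users.ValidateCredentials(username, password).
    private async Task<IActionResult> SignInWithEmailAsync(string username, string returnUrl)
    {
        TestUser user = _users.FindByUsername(username);

        // Only claims placed on the ClaimsPrincipal here reach HttpContext.User, and
        // therefore the SAML assertion. The Quickstart stores the email under the
        // OIDC claim type "email" (JwtClaimTypes.Email).
        Claim email = user.Claims.FirstOrDefault(c => c.Type == JwtClaimTypes.Email);

        var isuser = new IdentityServerUser(user.SubjectId)
        {
            DisplayName = user.Username
        };

        if (email != null)
        {
            // Re-issue it under the claim type the service provider expects as the
            // SAML attribute name (assumption: the SP expects ClaimTypes.Email).
            isuser.AdditionalClaims.Add(new Claim(ClaimTypes.Email, email.Value));
        }
        // A user without an email claim is still signed in; the assertion just omits it.

        await HttpContext.SignInAsync(isuser, new AuthenticationProperties());
        return Redirect(returnUrl);
    }
}
```

With this in place, the SAML middleware picks the email attribute up from HttpContext.User on the next request to /SAML/SingleSignOnService, so the SamlController change from Edit 3 is not needed when using AddSamlMiddleware.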