@mlindegarde There are two ways to add multiple Saml2 Idps using the library. 1: Use one authentication scheme (call AddSaml2 once) and add multiple IdentityProviders to the IdentityProviders collection. 2. Use one authentication scheme per Idp (call AddSaml2 once for each Idp). In the latter case you need to set a unique ModulePath for each call.
That's the reason for the error you see: The first handler will catch all incoming responses and if the response is for an Idp that is managed by another handler, it will throw an error message.
Please also note that if you use multiple handlers, they will be logically different SPs, with different metadata. So you need to make sure that you send the right metadata/Urls to each Idp
@AndersAbel It looks like I can specify the identity provider by passing "idp" and the entity id for the idp into the Items collection of the
AuthenticationProperties object. Is this the "correct" way to handle a single authentiation scheme with multiple identity providers?
var props = new AuthenticationProperties
{
RedirectUri = Url.Action(nameof(Callback)),
Items =
{
{ "returnUrl", returnUrl },
{ "scheme", scheme },
{ "idp", idp }
}
};
@mlindegarde Yes, with one scheme having multiple Idps the AuthProps is the right way.
But in many cases when the number of Idps is low and known from the start it's better with one Auth Scheme per Idp. It works better with how the Asp.Net and Asp.Net Identity architecture is setup. The main reason to have many Idps with one scheme is if the Idp list is dynamically loaded, such as from a common federation metadata file.
But in many cases when the number of Idps is low and known from the start it's better with one Auth Scheme per Idp. It works better with how the Asp.Net and Asp.Net Identity architecture is setup. The main reason to have many Idps with one scheme is if the Idp list is dynamically loaded, such as from a common federation metadata file.
We will be adding new federation metadata files as new companies come on board and I would prefer not to take down the auth server to do so.
My next question will most likely be around the proper way to add / remove IDPs dynamically. I haven't had the time to see if there is an example of that somewhere on the internet.
@AndersAbel Can you point me in the right direction for dynamically adding and removing IDPs at run-time? As my company sells its product to other companies we will need to add the new SAML2 IDP (if they have one). I do not want to have to restart the server to add the new IDP.
There are several methods. With Asp.Net Core you can add/remove schemes runtime. You can also keep a reference to the options object around and alter the IdentityProviders collection. A third variant is to completely bypass the IdentityProviders collection and use the notifications for lookup instead. Design of solutions like that is what I do as commercial support so please feel free to mail me if you want to discuss more in depth help.
Hi, I am trying to use IdP initiated flow, my app acts as an IdP. reviewing sustainsys.saml2.stubidp I don't see the use of metadata files when sending Saml2Response to SP and how is the x509 certificates used? can anyone point me to the right direction? Also, I am new to SAML, In our project we will only be using Idp initiated flow, do I need to generate metadata file form my IDP?
Where can I find the file https://stubidp.sustainsys.com/a34d5bbc-48d0-4c87-9037-03ad7599351f/Metadata in the stubidp project? is it autogenerated
- The stub idp is made for testing. It never reads the SP metadata. Instead it relies on the received message and some guessing. This works fine for testing, but is totally unsafe for production use.
- Yes, you will need metadata for your Idp that your SP can consume (unless the SP can accept manually entered parameters)
- Idp initiated means you can actually start off the StubIdp and get a secure solution - if you never respond to an SP request there's no need to validate any SP requests.
- The stubidp/<GUID>/Metadata content is generated by the MetadataController in the StubIdp project each time it is accessed. It is not a file.
There is an example of the code to generate Idp metadata in the StubIdp project. If you want to go the open source way, you have to dig into that code (and copy it if you want, the license permits that). If you want more instructions or implementation help I'd be happy to supply that as a commercial consulting job.
Hello all. I'm looking to load Idp's from a DB. I found this issue Sustainsys/Saml2#964 and I'm unsure how to implement the
SelectIdentityProvider and GetIdentityProvider notifications. Anyone can guide me in the right direction would be appreciated. Thank you.
builder.AddSaml2(
saml2Options =>
{
saml2Options.SignInScheme = IdentityServerConstants.ExternalCookieAuthenticationScheme;
saml2Options.SPOptions.EntityId = new EntityId(config.Saml2.ServiceProviderEntityId);
saml2Options.SPOptions.ServiceCertificates.Add(certificate);
saml2Options.Notifications.SelectIdentityProvider =
(id, data) => GetProvider(identityProviderStore, id, data, saml2Options, logger);
saml2Options.Notifications.GetIdentityProvider =
(id, data, options) => GetProvider(identityProviderStore, id, data, options, logger);
saml2Options.Notifications.AcsCommandResultCreated =
(commandResult, response) =>
{
if (commandResult.Principal.Identity is ClaimsIdentity identity)
identity.AddClaim(new Claim("in_response_to", response.InResponseTo.Value));
};
});
The
GetProvider method looks something like this...
private IdentityProvider GetProvider(IEegIdentityProviderStore identityProviderStore, EntityId id, IDictionary<string,string> data, IOptions options, ILogger logger)
{
Saml2IdentityProvider provider = identityProviderStore.GetSamlProviderByEntityId(id.Id);
if (provider == null)
return null;
idp =
new IdentityProvider(new EntityId(provider.EntityId), options.SPOptions)
{
MetadataLocation = provider.Debug
? provider.DebugMetadataLocation
: provider.MetadataLocation
};
logger.Verbose("Adding Identity Provider: {IdpName}", provider.DisplayName);
if (provider.Debug)
logger.Warning(
"Provider {Provider} is in debug mode, using metadata URL: {MetadataUrl}",
provider.DisplayName,
provider.DebugMetadataLocation);
options.IdentityProviders.Add(idp);
return idp;
}
I believe the above code would also result in adding the same IDP to the
options.IdentityProviders collection multiple times. That would also be a problem.
@mlindegarde and @AndersAbel thank you for your input. There are a couple methods there that I don't have a great understanding how they work, in either way here's what I've done adjusting your code to mine. FYI: this project is a legacy Asp.Net Web App (non-MVC).
in my Global.asax
void Application_BeginRequest(object sender, EventArgs e) {
Saml2Config.Initialize();
}In the Sam2Config file:
public class Saml2Config {
private static bool _alreadyInitialized;
private static readonly object Lock = new object();
private static NLog.Logger _logger = NLog.LogManager.GetCurrentClassLogger();
public static void Initialize() {
if (_alreadyInitialized) {
return;
}
lock (Lock) {
if (_alreadyInitialized) {
return;
}
spOptions = Options.FromConfiguration.SPOptions;
// Get list of IdentityProviders
var saml2IdentityProvidersRepository = new Saml2IdentityProvidersRepository();
var saml2IdentityProviders = saml2IdentityProvidersRepository.FindByServiceProviderEntityId(spOptions.EntityId.Id, x => x.Saml2BindingType).OrderBy(x => x.OrderPreference);
Options.FromConfiguration.Notifications.SelectIdentityProvider = (id, data) => GetProvider(saml2IdentityProviders, id, data, Options.FromConfiguration, _logger);
Options.FromConfiguration.Notifications.GetIdentityProvider = (id, data, options) => GetProvider(saml2IdentityProviders, id, data, options, _logger);
saml2IdentityProvidersRepository.Dispose();
_alreadyInitialized = true;
}
}
private static IdentityProvider GetProvider(IQueryable<Saml2IdentityProvider> identityProviderStore, EntityId id, IDictionary<string, string> data, IOptions options, ILogger logger) {
var identityProvider = identityProviderStore.FirstOrDefault(x => x.IsActive && x.IdentityProviderEntityId.Equals(id.Id));
if (identityProvider == null) {
return null;
}
var idpEntityId = new EntityId(identityProvider.IdentityProviderEntityId);
var bindingType = EnumHelper.NumToEnum<Sustainsys.Saml2.WebSso.Saml2BindingType>(identityProvider.Saml2BindingType.Value);
var idp = new IdentityProvider(idpEntityId, options.SPOptions) {
MetadataLocation = identityProvider.MetadataLocation,
LoadMetadata = identityProvider.LoadMetadata,
AllowUnsolicitedAuthnResponse = identityProvider.AllowUnsolicitedAuthnResponse,
Binding = bindingType,
};
options.IdentityProviders.Add(idp);
return idp;
}
I'm not quite sure what else I'd have to do to get it to work. I get no errors, but I don't see a list of IDPs listed on a page I created similar to the Sample page at https://github.com/Sustainsys/Saml2/blob/v2/Samples/SampleHttpModuleApplication/Views/Home/Index.cshtml
@RoLYroLLs Somewhere your front-end should be generating the link used to initiate the SAML2 login. The URL should look something like
/External/Challenge?scheme=${scheme}&idp=${entityId}&returnUrl=${returnUrl}. Your exact route is probably different than mine, but somewhere you should have a route that starts the SAML2 process.
The
idp parameter in the query string is where the entity id value comes from.
In my scenario I make sure that the
idp value is in the AuthenticationProperties.Items collection:new AuthenticationProperties
{
RedirectUri = Url.Action(nameof(Callback)),
Items =
{
{ "returnUrl", returnUrl },
{ "scheme", scheme },
{ "idp", idp }
}
}
As long as you have the
idp value in the Items collection you should get that value in your GetProvider method. You can then use that value to look up the data in the database.
I have a situation where a metadata document is held in file storage. Retrieval of this document is relatively expensive. Once the document reaches it's refresh time, the system will continually attempt to re-load it, even though the document will not change. In this instance, I would like to disable the automatic refresh feature. If I release all references to the IDP, the requests still seem to get generated. I am assuming there is no Notification Hook I could use here?
@AndersAbel I'm having a problem with HTTPS vs HTTP. When I run my identity server in a container locally I get the following:
[16:05:57 Debug] Sustainsys.Saml2.AspNetCore2.Saml2Handler
Expanded Saml2Url
AssertionConsumerServiceUrl: https://localhost:5001/Saml2/Acs
SignInUrl: https://localhost:5001/Saml2/SignIn
LogoutUrl: https://localhost:5001/Saml2/Logout
ApplicationUrl: https://localhost:5001/
The
AssertionConsumerServiceUrl is properly using https.
When I run the container in Azure the
AssertionConsumerServiceUrl is http://auth.my-company/Saml2/Acs. It's using http instead of https. I'm not sure why that is.
I am trying to use the MVC integration in my MVC app and read all the docs and looked at everything I can think of but for some reason the Saml2Controller does not seem to be loaded or responding to anything I get a 404 not found when accessing anything off that controller (e.g. https://localhost:44301/Saml2/Acs. This must be something simple that I am missing. My routing is just default MVC routing. No filters, just default. Added the sustainsys.saml.mvc package and set the configuration as in the docs, but just doesn
1 reply
doesn't seem to load or use the Saml2Controller. Any help would be appreciated!
Hi @AndersAbel , I am using HTTPModules with Asp.Net 4.6 framework, I have implemented everything but getting the below Error after redirecting from ADFS on Saml2/ACS page.
Server Error in '/' Application.
The Saml2Response must have status success to extract claims.
Saml2 Status Code: Responder
Saml2 Status Message:
Saml2 Second Level Status:
Description: An unhandled exception occurred during the execution of the current web request. Please review the stack trace for more information about the error and where it originated in the code.
Exception Details: Sustainsys.Saml2.Exceptions.UnsuccessfulSamlOperationException: The Saml2Response must have status success to extract claims.
Saml2 Status Code: Responder
Saml2 Status Message:
Saml2 Second Level Status:
Source Error:
An unhandled exception was generated during the execution of the current web request. Information regarding the origin and location of the exception can be identified using the exception stack trace below.
Its been months and not able to find out solution.
Any gentleman can give their suggestion as well, please!
Please