
Our service provider asked for the following information for the SAML integration.

Now it's my first time trying with SAML and I need to build the identity provider and I'd like to use ASP.NET Core Identity for user authentication.

If I understand it right, the flow would be:

  1. From the service provider site, they have a button to sign in with SAML SSO
  2. Clicking on the button would redirect to identity provider's login page
  3. Put username and password and authenticate against our database using asp.net core identity
  4. If successful, return claim information
  5. Logged in to service provider site

I've researched and found several open-source SAML integrations with ASP.NET Core such as Sustainsys or ITfoxtec. Sustainsys has several samples and it seems like SampleIdentityServer4AspNetIdentity is the way to go.

  1. Is it the right one to build an identity provider with .NET Identity?
  2. What are new EntityId("https://localhost:44342/Saml2") and new EntityId("http://localhost:52071/Metadata") in Startup.cs and where can I get those values?

Any guidance would be appreciated.

bbusdriver

1 Answer


The login flow you describe is correct.

It is possible to build an identity provider using the ITfoxtec.Identity.Saml2 package and ASP.NET Core Identity. I have implemented identity providers using the ITfoxtec.Identity.Saml2 package a number of times. But you need to be aware of implementing a secure solution; it needs to be done right, or else you will leave the hacker a bunch of possibilities :)

The new EntityId("https://localhost:44342/Saml2") is the identity provider's id, which you define yourself.

A link to an ASP.NET Core identity provider sample application: https://github.com/ITfoxtec/ITfoxtec.Identity.Saml2/tree/master/test/TestIdPCore. However, the sample application is not using ASP.NET Core Identity.

Anders Revsgaard

  • I am using your library for the same purpose and it works with ASP.NET Identity (not using IdentityServer). Now I am confused about how to generate metadata for our site (service provider) since I am not using IdentityServer. Is this something I can generate using another tool, maybe? Also the app is multi-tenant supported, where each tenant is identified by subdomain. So in this case how do I create the metadata file? – user2058413 Jul 29 '21 at 05:51
  • You can generate SP metadata like this https://github.com/ITfoxtec/ITfoxtec.Identity.Saml2/blob/master/test/TestWebAppCore/Controllers/MetadataController.cs. You need to load separate tenant configuration to generate multi-tenant metadata. – Anders Revsgaard Jul 29 '21 at 09:12
  • Thank you. Like you said, the differentiation between tenants will happen (assuming this is the correct way) in that the issuer of the SP will be its own domain, like tenant1.domain.com, tenant2/tenant3 etc., so based on the domain the protocol binding URL will change (the way your code is done can be used). However, at .CreateMetadata().ToActionResult() it throws an error [Value cannot be null. (Parameter 'cert')]. My appsettings and your appsettings.json are similar. You have //"SignatureValidationCertificateFile": "xxx.cer" commented. What may be the problem here? – user2058413 Jul 29 '21 at 10:57
  • The problem is probably that you need to provide the config.SigningCertificate. And also add it to entityDescriptor.SPSsoDescriptor.SigningCertificates. – Anders Revsgaard Jul 29 '21 at 19:28
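As an added example (not from the question, the answer or the ITfoxtec project itself), the controller below sketches the per-tenant SP metadata generation discussed in the comments, with the signing certificate checked up front so a missing cert surfaces as a clear configuration error instead of the null 'cert' exception thrown inside CreateMetadata(). It assumes a hypothetical ITenantCertificateStore for per-tenant certificate lookup, and that Saml2Configuration, EntityDescriptor, SPSsoDescriptor, AssertionConsumerService, ProtocolBindings, NameIdentifierFormats and Saml2Metadata behave as in the project's TestWebAppCore sample.

```csharp
using System;
using System.Security.Cryptography.X509Certificates;
using ITfoxtec.Identity.Saml2;
using ITfoxtec.Identity.Saml2.MvcCore;
using ITfoxtec.Identity.Saml2.Schemas;
using ITfoxtec.Identity.Saml2.Schemas.Metadata;
using Microsoft.AspNetCore.Mvc;

// Hypothetical per-tenant certificate lookup (not an ITfoxtec type); a real deployment
// would back this with a key vault or a per-tenant settings store.
public interface ITenantCertificateStore { X509Certificate2 GetSigningCertificate(string tenantHost); }

public class MetadataController : Controller
{
    private readonly ITenantCertificateStore certStore;
    public MetadataController(ITenantCertificateStore certStore) => this.certStore = certStore;

    public IActionResult Index()
    {
        // Tenants are identified by subdomain (tenant1.domain.com, ...), so the SP
        // issuer and endpoints are derived from the request host, HTTPS only.
        var host = Request.Host.Host;
        var baseUri = new Uri($"https://{host}/");
        // Validate the certificate up front: a missing cert otherwise surfaces as
        // "Value cannot be null (Parameter 'cert')" from inside CreateMetadata().
        var signingCert = certStore.GetSigningCertificate(host)
            ?? throw new InvalidOperationException($"No SAML signing certificate configured for tenant '{host}'.");
        if (!signingCert.HasPrivateKey)
            throw new InvalidOperationException($"Signing certificate for '{host}' has no private key.");
        var config = new Saml2Configuration
        {
            Issuer = baseUri.ToString(),   // per-tenant SP entity id
            SigningCertificate = signingCert,
            SignAuthnRequest = true,
        };
        var entityDescriptor = new EntityDescriptor(config) { ValidUntil = 365 };
        entityDescriptor.SPSsoDescriptor = new SPSsoDescriptor
        {
            AuthnRequestsSigned = true,
            WantAssertionsSigned = true,
            // Publish the same cert, or the IdP cannot verify this SP's signatures.
            SigningCertificates = new[] { signingCert },
            AssertionConsumerServices = new[] { new AssertionConsumerService
                { Binding = ProtocolBindings.HttpPost, Location = new Uri(baseUri, "Auth/AssertionConsumerService") } },
            NameIDFormats = new[] { NameIdentifierFormats.Persistent },
        };
        return new Saml2Metadata(entityDescriptor).CreateMetadata().ToActionResult();
    }
}
```

Registering each tenant's metadata separately at the IdP keeps one tenant's certificate from being trusted for another tenant's subdomain.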