Reputation: 34109
I have IdSvr3 with local user accounts in SQL. In addition I have also configured an external identity provider which supports SAML2 using https://github.com/Sustainsys/Saml2. I followed the sample there.

Now when the user accesses the client application he gets redirected to the login page, which presents userid/password textboxes for local login and also a button to redirect to the external provider.

I want to change this behavior. I want the user to go directly to the external login based on some condition. I've read that I can pass the required login provider in the acr_values and IdSvr3 will go directly to the external provider.
Here is how I registered the external provider with IdSvr3 (note: some code is removed for brevity):
```csharp
using System;
using System.Security.Cryptography.X509Certificates;
using IdentityServer3.Core.Configuration;
using Owin;
using Sustainsys.Saml2;
using Sustainsys.Saml2.Configuration;
using Sustainsys.Saml2.Metadata;
using Sustainsys.Saml2.Owin;

public class Startup
{
    public void Configuration(IAppBuilder app)
    {
        app.Map("/identity", idsrvApp =>
        {
            var identityServerOptions = new IdentityServerOptions
            {
                // Other options (SiteName, SigningCertificate, Factory, ...) omitted for brevity.
                AuthenticationOptions = new AuthenticationOptions
                {
                    // IdSrv3 invokes this delegate so external providers can be registered.
                    IdentityProviders = ConfigureIdentityProviders
                }
            };

            idsrvApp.UseIdentityServer(identityServerOptions);
        });
    }

    private void ConfigureIdentityProviders(IAppBuilder app, string signInAsType)
    {
        // SAML2
        var options = new Saml2AuthenticationOptions(false)
        {
            SPOptions = new SPOptions
            {
                EntityId = new EntityId("https://localhost:44300/IdSrv3/Saml2"),
            },
            SignInAsAuthenticationType = signInAsType,
            Caption = "SAML2p"
        };

        // Helper taken from the Sustainsys sample; its body is omitted here for brevity.
        UseIdSrv3LogoutOnFederatedLogout(app, options);

        // Service certificate used to sign/decrypt SAML messages for this SP.
        options.SPOptions.ServiceCertificates.Add(new X509Certificate2(
            AppDomain.CurrentDomain.SetupInformation.ApplicationBase + "/App_Data/Sustainsys.Saml2.Tests.pfx"));

        // Register the IdP by its entity id and let the middleware fetch its metadata.
        options.IdentityProviders.Add(new IdentityProvider(
            new EntityId("https://stubidp.sustainsys.com/Metadata"),
            options.SPOptions)
        {
            LoadMetadata = true
        });

        app.UseSaml2Authentication(options);
    }
}
```
And here is the client application startup:
```csharp
using System.Threading.Tasks;
using Microsoft.IdentityModel.Protocols;
using Microsoft.Owin.Security.Cookies;
using Microsoft.Owin.Security.OpenIdConnect;
using Owin;

public class Startup
{
    public void Configuration(IAppBuilder app)
    {
        // The post passes a pre-built options object (CK); what matters is that its
        // AuthenticationType matches the SignInAsAuthenticationType used below.
        app.UseCookieAuthentication(new CookieAuthenticationOptions
        {
            AuthenticationType = "Cookies"
        });

        app.UseOpenIdConnectAuthentication(new OpenIdConnectAuthenticationOptions
        {
            Authority = "https://localhost:44300/identity",
            Scope = "openid profile email",
            ClientId = "XXXXXXXXXXXXXXX",
            RedirectUri = "http://localhost:36102/",
            ResponseType = "id_token",
            SignInAsAuthenticationType = "Cookies",

            Notifications = new OpenIdConnectAuthenticationNotifications
            {
                RedirectToIdentityProvider = n =>
                {
                    if (n.ProtocolMessage.RequestType == OpenIdConnectRequestType.AuthenticationRequest)
                    {
                        if (SomeCondition)
                        {
                            // Ask IdSrv3 to skip its login page and go to the provider named "saml2".
                            n.ProtocolMessage.AcrValues = "idp:saml2";
                        }
                    }

                    return Task.FromResult(0);
                }
            }
        });
    }

    // Placeholder standing in for the post's "SomeCondition".
    private static bool SomeCondition
    {
        get { return true; }
    }
}
```
However, IdentityServer throws the error: External login error: provider requested saml2 is not a configured external provider
What is the valid name for the Sustainsys/Saml2 provider and where is it configured?
Upvotes: 1
Views: 950
Reputation: 34109
I think I found it. The idp is actually the value of the AuthenticationType property.

During external provider setup in IdentityServer3, the Saml2AuthenticationOptions by default sets the AuthenticationType to Saml2.

So in the client application I have to use the exact same value as acr_values; it is case-sensitive. I was using a small s instead of a capital S. When I changed it to Saml2 it worked.

I can also override AuthenticationType to any string I want, and that is good because now I can set up multiple external IdPs that support the SAML2 protocol and differentiate them by their AuthenticationType.
Also I found this documentation helpful: https://media.readthedocs.org/pdf/saml2/latest/saml2.pdf. Take a look at how Okta is configured with IdentityServer3 in section 2.5.4, Step 3: Configure your identity server with the new identity provider.
Also from the IdentityServer documentation:
AuthenticationType must be a unique value to identify the external identity provider. This value will also be used for the idp claim in the resulting tokens. Furthermore the same value can be used to pre-select identity providers during authorization/authentication requests using the acr_values parameter (see this for more information). This value is also used to restrict the allowed identity providers on the Client configuration.
Upvotes: 2
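As an added example (not code from the question, the answer, or the Sustainsys/IdentityServer3 projects), the following shows how the answer's point plays out with two SAML2 providers on one IdentityServer3 host: each Saml2AuthenticationOptions gets an explicit, unique AuthenticationType, the client builds its acr_values from that exact string, and a Client registration uses IdentityProviderRestrictions to limit which of them it accepts. The provider names OktaSaml2 and PartnerSaml2, the module paths, the IdP metadata URLs and the client id are assumed placeholders.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Cryptography.X509Certificates;
using IdentityServer3.Core.Models;
using Owin;
using Sustainsys.Saml2;
using Sustainsys.Saml2.Configuration;
using Sustainsys.Saml2.Metadata;
using Sustainsys.Saml2.Owin;

public static class MultiSaml2Providers
{
    // Assumed provider names. Each AuthenticationType must be unique on the IdSrv3 host;
    // it becomes the idp claim value and is the key that acr_values and client restrictions match on.
    public const string OktaIdp = "OktaSaml2";
    public const string PartnerIdp = "PartnerSaml2";

    // Wire up as AuthenticationOptions.IdentityProviders = ConfigureIdentityProviders.
    public static void ConfigureIdentityProviders(IAppBuilder app, string signInAsType)
    {
        var certPath = AppDomain.CurrentDomain.SetupInformation.ApplicationBase
                       + "/App_Data/Sustainsys.Saml2.Tests.pfx";

        // Two separate middleware instances: distinct AuthenticationType, distinct ModulePath so
        // their SAML endpoints do not collide, and distinct SP entity ids.
        RegisterSaml2(app, signInAsType, OktaIdp, "/Saml2Okta",
            "https://localhost:44300/IdSrv3/Saml2Okta",
            "https://example-okta.invalid/app/metadata", certPath);     // placeholder metadata URL
        RegisterSaml2(app, signInAsType, PartnerIdp, "/Saml2Partner",
            "https://localhost:44300/IdSrv3/Saml2Partner",
            "https://example-partner.invalid/saml/metadata", certPath); // placeholder metadata URL
    }

    private static void RegisterSaml2(IAppBuilder app, string signInAsType, string authenticationType,
        string modulePath, string spEntityId, string idpMetadataUrl, string certPath)
    {
        var options = new Saml2AuthenticationOptions(false)
        {
            // Overrides the default "Saml2". This exact, case-sensitive string is what acr_values names.
            AuthenticationType = authenticationType,
            Caption = authenticationType,
            SignInAsAuthenticationType = signInAsType,
            SPOptions = new SPOptions
            {
                EntityId = new EntityId(spEntityId),
                ModulePath = modulePath
            }
        };

        options.SPOptions.ServiceCertificates.Add(new X509Certificate2(certPath));
        options.IdentityProviders.Add(new IdentityProvider(new EntityId(idpMetadataUrl), options.SPOptions)
        {
            LoadMetadata = true
        });

        app.UseSaml2Authentication(options);
    }

    // What the client puts in its authorize request so IdSrv3 skips the login page.
    // The part after "idp:" is compared case-sensitively against AuthenticationType,
    // which is exactly why "idp:saml2" failed against the default "Saml2" in the question.
    public static string AcrValuesFor(string authenticationType)
    {
        return "idp:" + authenticationType;
    }

    // Client registration that only permits the Okta provider; with a non-empty
    // IdentityProviderRestrictions list, IdSrv3 allows only the listed AuthenticationType values.
    public static Client OktaOnlyClient()
    {
        return new Client
        {
            ClientId = "example-client",    // placeholder
            ClientName = "Example MVC client",
            Flow = Flows.Implicit,
            RedirectUris = new List<string> { "http://localhost:36102/" },
            AllowedScopes = new List<string> { "openid", "profile", "email" },
            IdentityProviderRestrictions = new List<string> { OktaIdp }
        };
    }
}
```

On the client side the RedirectToIdentityProvider notification from the question would then set `n.ProtocolMessage.AcrValues = MultiSaml2Providers.AcrValuesFor(MultiSaml2Providers.OktaIdp)`; keeping the provider name in one shared constant avoids the case mismatch the answer ran into, and the idp claim in the issued token lets a relying party verify which of the two providers actually authenticated the user.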