CODEWITHSUNDEEP
saml-2.0itfoxtec-identity-saml2
Oleg Kornieiev
Oleg Kornieiev

Reputation: 23

Multiple certificates for Issuer ITfoxtec.Identity.Saml2

As context: I am trying to implement SAML2.0 authentication using ITfoxtec.Identity.Saml2 library. I want to use multiple certificates for one Service Provider, because different clients could login to Service Provider and each of them can have its own certificate. I need a third-party login service have possibility to choose among the list of certificates from my Service Provider metadata.xml when SAML request happened. Does ITfoxtec.Identity.Saml2 library support this possibility or are there some workarounds how it can be implemented?. Thank You

Upvotes: 2

Views: 991

Answers (1)

Anders Revsgaard
Anders Revsgaard

Reputation: 4334

You would normally have one Saml2Configuration. But in your case I would implement some Saml2Configuration logic, where I can ask for a specific Saml2Configuration with the current certificate (SigningCertificate/DecryptionCertificate). This specific Saml2Configuration is then used in the AuthController.

The metadata (MetadataController) would then call the Saml2Configuration logic to get a list of all the certificates.

Something like this:

public class MetadataController : Controller
{
    private readonly Saml2Configuration config;
    private readonly Saml2ConfigurationLogic saml2ConfigurationLogic;

    public MetadataController(IOptions<Saml2Configuration> configAccessor, Saml2ConfigurationLogic saml2ConfigurationLogic)
    {
        config = configAccessor.Value;
        this.saml2ConfigurationLogic = saml2ConfigurationLogic;
    }

    public IActionResult Index()
    {
        var defaultSite = new Uri($"{Request.Scheme}://{Request.Host.ToUriComponent()}/");

        var entityDescriptor = new EntityDescriptor(config);
        entityDescriptor.ValidUntil = 365;
        entityDescriptor.SPSsoDescriptor = new SPSsoDescriptor
        {
            WantAssertionsSigned = true,
            SigningCertificates = saml2ConfigurationLogic.GetAllSigningCertificates(),
            //EncryptionCertificates = saml2ConfigurationLogic.GetAllEncryptionCertificates(),
            SingleLogoutServices = new SingleLogoutService[]
            {
                new SingleLogoutService { Binding = ProtocolBindings.HttpPost, Location = new Uri(defaultSite, "Auth/SingleLogout"), ResponseLocation = new Uri(defaultSite, "Auth/LoggedOut") }
            },
            NameIDFormats = new Uri[] { NameIdentifierFormats.X509SubjectName },
            AssertionConsumerServices = new AssertionConsumerService[]
            {
                new AssertionConsumerService {  Binding = ProtocolBindings.HttpPost, Location = new Uri(defaultSite, "Auth/AssertionConsumerService") }
            },
            AttributeConsumingServices = new AttributeConsumingService[]
            {
                new AttributeConsumingService { ServiceName = new ServiceName("Some SP", "en"), RequestedAttributes = CreateRequestedAttributes() }
            },
        };
        entityDescriptor.ContactPerson = new ContactPerson(ContactTypes.Administrative)
        {
            Company = "Some Company",
            GivenName = "Some Given Name",
            SurName = "Some Sur Name",
            EmailAddress = "[email protected]",
            TelephoneNumber = "11111111",
        };
        return new Saml2Metadata(entityDescriptor).CreateMetadata().ToActionResult();
    }

    private IEnumerable<RequestedAttribute> CreateRequestedAttributes()
    {
        yield return new RequestedAttribute("urn:oid:2.5.4.4");
        yield return new RequestedAttribute("urn:oid:2.5.4.3", false);
    }
}

Upvotes: 3

Related Questions