Reputation: 11
I'm configuring my website for SSO to be a service provider for a single identity provider.
I'm on .NET MVC 4.7.2 and I used Sustainsys.Saml2.
Everything works fine for a single service provider.
The problem is with the way my SaaS architecture works. I have a single website (with IIS) with a single configuration, and different domain names coming to this website.
I then ask a client shared database which connection string I have to use using the request url.
I have no idea if this way of running a SaaS architecture is right or not, but anyway, since I have only one IIS website, I don't know how to add a per-client Saml2 configuration (where only the service provider entityId and returnUrl would differ).
I was thinking of doing something like this:
using Owin;                   // IAppBuilder
using Sustainsys.Saml2.Owin;  // UseSaml2Authentication extension method

public partial class Startup
{
    public void ConfigureAuth(IAppBuilder app)
    {
        // Intended: one Saml2 middleware per client, each with its own options.
        app.UseSaml2Authentication(CreateSaml2OptionsClient1());
        app.UseSaml2Authentication(CreateSaml2OptionsClient2());
    }
}
Sadly, the first call to UseSaml2Authentication seems to set the configuration and the second call does nothing.
I have also thought about conditioning these calls (app.UseSaml2Authentication(CreateSaml2OptionsClient1());) by getting the request url and loading the client-specific Saml2 configuration, but in the startup I have access neither to the request url nor to my db context.
Is there a way to have multiple Saml2 configurations, or to condition the configuration being used, while keeping my SaaS architecture?
What I need is to have my website website-a.com/Saml2 with entityId = website-a.com/Saml2 and idp = IDP1 and also my website-b.com/Saml2 with entityId = website-b.com/Saml2 and idp = IDP1, and all of that in only one IIS website.
Upvotes: 1
Views: 1481
Reputation: 11
I found a solution to my problem.
What I did was to have two app.Map calls in my Startup class, on two different URIs, each with a different Saml2 configuration (where only the identity provider differs).
// Each branch only runs for requests under its path prefix,
// so each client gets its own Saml2 middleware and options.
app.Map("uri1", a => {
    a.UseSaml2Authentication(CreateSaml2Options(client1));
});
app.Map("uri2", a => {
    a.UseSaml2Authentication(CreateSaml2Options(client2));
});
This works since client1 is plugged on uri1 and client2 is plugged on uri2, but the problem is that client1 could access uri2 and vice versa.
Upvotes: 0
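As an added example (not code from the question, the answer above, or Sustainsys itself), the host-based selection the question asks for can be done inside the same Startup with app.MapWhen: each client's Saml2 middleware is registered in a branch that only runs for requests to that client's own host name, so website-a.com/Saml2 and website-b.com/Saml2 each get their own entityId and returnUrl on one IIS site, and the cross-access between uri1 and uri2 noted in the answer above does not arise. The tenant table, host names and IdP URLs are hypothetical stand-ins for the shared-database lookup, and the namespaces assume Sustainsys.Saml2 2.x on OWIN.

```csharp
using System;
using System.Collections.Generic;
using Owin;
using Sustainsys.Saml2;
using Sustainsys.Saml2.Configuration;
using Sustainsys.Saml2.Metadata;
using Sustainsys.Saml2.Owin;

public partial class Startup
{
    // Constructed stand-in for the per-client rows the question reads from its shared
    // database (IdP entity id + metadata URL per tenant host). Hypothetical values.
    private static readonly Dictionary<string, (string IdpEntityId, string MetadataUrl)> Tenants =
        new Dictionary<string, (string, string)>(StringComparer.OrdinalIgnoreCase)
        {
            ["website-a.com"] = ("https://idp1.example/saml", "https://idp1.example/saml/metadata"),
            ["website-b.com"] = ("https://idp1.example/saml", "https://idp1.example/saml/metadata"),
        };

    public void ConfigureAuth(IAppBuilder app)
    {
        // One branch per tenant, selected by the request's host name rather than by path:
        // website-a.com's /Saml2 never runs website-b.com's options, and a host that is
        // not in the table falls through with no SAML middleware registered at all.
        foreach (var tenant in Tenants)
        {
            app.MapWhen(
                ctx => string.Equals(ctx.Request.Uri.Host, tenant.Key, StringComparison.OrdinalIgnoreCase),
                branch => branch.UseSaml2Authentication(
                    CreateSaml2Options(tenant.Key, tenant.Value.IdpEntityId, tenant.Value.MetadataUrl)));
        }
    }

    private static Saml2AuthenticationOptions CreateSaml2Options(string host, string idpEntityId, string metadataUrl)
    {
        // false: build the options in code instead of reading the <sustainsys.saml2> config section.
        var options = new Saml2AuthenticationOptions(false)
        {
            SPOptions = new SPOptions
            {
                // EntityId and ReturnUrl come from the allow-list above, never from the
                // incoming Host header, so a forged Host cannot redirect the assertion flow.
                EntityId = new EntityId("https://" + host + "/Saml2"),
                ReturnUrl = new Uri("https://" + host + "/"),
            }
        };
        options.IdentityProviders.Add(new IdentityProvider(new EntityId(idpEntityId), options.SPOptions)
        {
            MetadataLocation = metadataUrl, LoadMetadata = true,
        });
        return options;
    }
}
```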
Reputation: 317
You need to look at it differently: you're trying to add more than one SAML configuration, but you need to set the identity providers you're going to use instead, and on each one you can configure its SAML configuration, so you have just one configuration per identity provider.
In your startup you need to use something like this (depending on the version you're using):
using Owin;                                // IAppBuilder, Map, UseIdentityServer
using IdentityServer3.Core.Configuration;  // IdentityServerOptions, AuthenticationOptions (assumes IdentityServer3)

app.Map("/identity", a =>
{
    a.UseIdentityServer(new IdentityServerOptions
    {
        AuthenticationOptions = new AuthenticationOptions
        {
            // Callback that registers the external identity providers.
            IdentityProviders = ConfigureMyIdentityProviders
        }
    });
});
The ConfigureMyIdentityProviders is just the method where you're setting up each identity provider configuration, where you need to set it by client:
using Owin;                   // IAppBuilder
using Sustainsys.Saml2.Owin;  // UseSaml2Authentication extension method

private void ConfigureMyIdentityProviders(IAppBuilder appBuilder, string signInAsType)
{
    // LoadIdentityProviders is a placeholder name for your own lookup (e.g. the client database).
    var myIdentityProviders = LoadIdentityProviders();
    foreach (var idp in myIdentityProviders)
    {
        // Here you'll set the configuration per identity provider.
        // CreateSaml2Options should set SignInAsAuthenticationType = signInAsType
        // so that the sign-in is handed back to IdentityServer.
        appBuilder.UseSaml2Authentication(CreateSaml2Options(idp));
    }
}
I recommend that you create a generic method to which you pass the information of your IdP; there you can do the validations you want per client.
Upvotes: 0