Reputation: 233
I am setting up an IDP-initiated SAML authentication flow.

One of our clients will send a SAML assertion request to us by clicking a link within their internal system to access our application, so we act as the Service Provider (we use Identity Server from Duende for authentication).

We are looking at using the ITfoxtec.Identity.Saml2.MvcCore library.
As we are going with an IDP-initiated SAML flow, I wanted to check the following:

1. As an SP (Service Provider), do we only need to have an ACS endpoint for the incoming SAML Assertion? On receiving the Assertion we can process it to get the Claims we need, and if it meets our requirements we can give access to our application.
2. Do we need to send back any notification to the IDP that sent us the Assertion?
3. Once the Assertion is verified after we receive it, do we set the access token in our Identity Server, or do we get a token in the assertion? We need to periodically check whether the user associated with the incoming Assertion is still authenticated in the IDP. Hence I was wondering whether the IDP would issue a token with an expiration date/time; if not, would we have to initiate a new SP-initiated SAML flow to check if the user is still authenticated with the Client IDP?
4. Do we as an SP need to issue our own Access Token?
5. For logout, we only want to log the user out of our system (so remove our token if we issue one); we do not want to log the user out of their IDP?
6. Do we need to simulate login in our Identity Provider, or will that happen automatically when we add SAML2 to our authentication methods in our startup.cs?
7. Do we use the ITfoxtec.Identity.Saml2.MvcCore library as we are using Duende IdentityServer in a .NET Core 5.0 setup?

Is this possible with the ITfoxtec library?
// Note: this configuration uses the Sustainsys.Saml2 API (SPOptions, IdentityProvider,
// AllowUnsolicitedAuthnResponse, MetadataLocation, LoadMetadata), not ITfoxtec.Identity.Saml2.
// Namespaces below are assumed from the Sustainsys.Saml2 / Sustainsys.Saml2.AspNetCore2 packages.
using System;
using Sustainsys.Saml2;
using Sustainsys.Saml2.Configuration;
using Sustainsys.Saml2.Metadata;

services.AddAuthentication()
    .AddSaml2(options =>
    {
        var spOptions = new SPOptions
        {
            // This SP's EntityId; it must match the Audience the IDP puts in the assertion.
            EntityId = new EntityId("https://localhost:44373/Saml2"),
            ReturnUrl = new Uri("https://localhost:44373"),
            // Accepts RSA-SHA1 signatures; SHA-1 is deprecated for XML signatures, so the
            // rsa-sha256 URI is the safer minimum unless the IDP cannot sign with anything stronger.
            MinIncomingSigningAlgorithm = "http://www.w3.org/2000/09/xmldsig#rsa-sha1",
        };
        options.SPOptions = spOptions;
        options.IdentityProviders.Add(new IdentityProvider(new EntityId("https://www.example.com/SSO/SAML/App"), options.SPOptions)
        {
            // An IDP-initiated response is "unsolicited" (there is no matching AuthnRequest),
            // so with this set to false an IDP-initiated login would be rejected.
            AllowUnsolicitedAuthnResponse = false,
            MetadataLocation = "https://www.example.com/SSO/SAMLMetadata/App",
            LoadMetadata = true,
        });
    });
Upvotes: 2
Views: 709
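The SP-side checks behind the ACS-endpoint and expiry questions above, as an added example that is not from the question, from Sustainsys or from ITfoxtec: it assumes the SAML library has already verified the response signature, then validates the assertion's Conditions (validity window and audience) and reads the AuthnStatement's SessionNotOnOrAfter, which is the expiry information an IDP sends instead of a token. The class, method names and the sample assertion are constructed for this example.

```csharp
// Added example, not code from the question, Sustainsys or ITfoxtec. Assumes the response
// signature was already verified by the SAML library; these are the SP-side checks that follow.
using System;
using System.Linq;
using System.Xml.Linq;
public static class AssertionConditions
{
    static readonly XNamespace Saml = "urn:oasis:names:tc:SAML:2.0:assertion";
    public sealed record Verdict(bool Valid, string Reason, DateTimeOffset? SessionDeadline);

    // expectedAudience is this SP's EntityId, the value configured in SPOptions.
    public static Verdict Check(string assertionXml, string expectedAudience,
                                DateTimeOffset now, TimeSpan clockSkew)
    {
        var assertion = XDocument.Parse(assertionXml).Root;
        var conditions = assertion?.Element(Saml + "Conditions");
        if (conditions == null) return new Verdict(false, "no Conditions element", null);
        // NotBefore / NotOnOrAfter bound the assertion itself; tolerate a small clock skew.
        var notBefore = (DateTimeOffset?)conditions.Attribute("NotBefore");
        var notOnOrAfter = (DateTimeOffset?)conditions.Attribute("NotOnOrAfter");
        if (notBefore != null && now + clockSkew < notBefore)
            return new Verdict(false, "assertion not yet valid", null);
        if (notOnOrAfter != null && now - clockSkew >= notOnOrAfter)
            return new Verdict(false, "assertion expired", null);
        // AudienceRestriction must name this SP, otherwise an assertion the IDP issued for
        // a different SP would be accepted here.
        var audiences = conditions.Descendants(Saml + "Audience").Select(a => a.Value.Trim());
        if (!audiences.Contains(expectedAudience))
            return new Verdict(false, "audience mismatch", null);
        // SessionNotOnOrAfter is the only "expiry" the IDP states for its session; the SP's
        // own session or token should not outlive it.
        var authn = assertion.Element(Saml + "AuthnStatement");
        var sessionEnd = (DateTimeOffset?)authn?.Attribute("SessionNotOnOrAfter");
        return new Verdict(true, "ok", sessionEnd);
    }
    public static void Main()
    {
        // Constructed sample assertion; ID and timestamps are made up for this example.
        const string sample = @"<Assertion xmlns=""urn:oasis:names:tc:SAML:2.0:assertion"" ID=""_sample"">
  <Conditions NotBefore=""2024-01-01T10:00:00Z"" NotOnOrAfter=""2024-01-01T10:05:00Z"">
    <AudienceRestriction><Audience>https://localhost:44373/Saml2</Audience></AudienceRestriction>
  </Conditions>
  <AuthnStatement AuthnInstant=""2024-01-01T10:00:00Z"" SessionNotOnOrAfter=""2024-01-01T18:00:00Z""/>
</Assertion>";
        var v = Check(sample, "https://localhost:44373/Saml2",
                      DateTimeOffset.Parse("2024-01-01T10:02:00Z"), TimeSpan.FromMinutes(1));
        Console.WriteLine($"valid={v.Valid} reason={v.Reason} local session must end by {v.SessionDeadline}");
    }
}
```

The local session or token the SP issues is then capped at the returned SessionDeadline, so no polling of the IDP is needed until that point; after it, a fresh SP-initiated AuthnRequest is the way to re-check the user with the IDP.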