Aguacongas.IdentityServer.Saml2p.Duende
8.2.0
dotnet add package Aguacongas.IdentityServer.Saml2p.Duende --version 8.2.0
NuGet\Install-Package Aguacongas.IdentityServer.Saml2p.Duende -Version 8.2.0
<PackageReference Include="Aguacongas.IdentityServer.Saml2p.Duende" Version="8.2.0" />
paket add Aguacongas.IdentityServer.Saml2p.Duende --version 8.2.0
#r "nuget: Aguacongas.IdentityServer.Saml2p.Duende, 8.2.0"
// Install Aguacongas.IdentityServer.Saml2p.Duende as a Cake Addin #addin nuget:?package=Aguacongas.IdentityServer.Saml2p.Duende&version=8.2.0 // Install Aguacongas.IdentityServer.Saml2p.Duende as a Cake Tool #tool nuget:?package=Aguacongas.IdentityServer.Saml2p.Duende&version=8.2.0
Aguacongas.IdentityServer.Saml2p.Duende
Add a SAML2P controller to your Duende Identity server.
This lib uses ITfoxtec.Identity.Saml2.MvcCore
internally to implements the protocol.
Setup
services.AddIdentityServer()
.AddKeysRotation(options => configuration.GetSection(nameof(KeyRotationOptions))?.Bind(options));
services.AddControllersWithViews()
.AddIdentityServerSaml2P();
Saml2P depends on a
ISigningCredentialStore
. You can register it usingAddSigningCredential
with aX509Certificate2
in place ofAddKeysRotation
if you prefer.
Usage
saml2p/metadata
returns the Saml2P metadata document.
You can add a client to you configuration with saml2p as protocol type:
new Client
{
ClientId = "itfoxtec-testwebappcore",
ProtocolType = ProtocolTypes.Saml2p,
RedirectUris = { "http://localhost:10314/Auth/AssertionConsumerService" },
PostLogoutRedirectUris = "http://localhost:10314/Auth/SingleLogout",
ClientSecrets = [
new Secret {
Type = SecretTypes.X509CertificateBase64,
Value = Convert.ToBase64String(certificate.Export(X509ContentType.Cert))
}
]
}
The client must have only one redirect uri pointing to the Assertion Consumer Service route and one X509Certificate secret mathing its signing certificate.
And configure the client to use Saml2P authentication using ITfoxtec.Identity.Saml2
:
services.BindConfig<Saml2Configuration>(Configuration, "Saml2", (serviceProvider, saml2Configuration) =>
{
// The certificate must be the one configured as secret for the client;
saml2Configuration.SigningCertificate = CertificateUtil.Load(AppEnvironment.MapToPhysicalFilePath(Configuration["Saml2:SigningCertificateFile"]), Configuration["Saml2:SigningCertificatePassword"], X509KeyStorageFlags.MachineKeySet | X509KeyStorageFlags.PersistKeySet);
saml2Configuration.AllowedAudienceUris.Add(saml2Configuration.Issuer);
var httpClientFactory = serviceProvider.GetService<IHttpClientFactory>();
var entityDescriptor = new EntityDescriptor();
entityDescriptor.ReadIdPSsoDescriptorFromUrlAsync(httpClientFactory, new Uri(Configuration["Saml2:IdPMetadata"])).GetAwaiter().GetResult();
if (entityDescriptor.IdPSsoDescriptor != null)
{
saml2Configuration.AllowedIssuer = entityDescriptor.EntityId;
saml2Configuration.SingleSignOnDestination = entityDescriptor.IdPSsoDescriptor.SingleSignOnServices.First().Location;
saml2Configuration.SingleLogoutDestination = entityDescriptor.IdPSsoDescriptor.SingleLogoutServices.First().Location;
foreach (var signingCertificate in entityDescriptor.IdPSsoDescriptor.SigningCertificates)
{
if (signingCertificate.IsValidLocalTime())
{
saml2Configuration.SignatureValidationCertificates.Add(signingCertificate);
}
}
if (saml2Configuration.SignatureValidationCertificates.Count <= 0)
{
throw new Exception("The IdP signing certificates has expired.");
}
if (entityDescriptor.IdPSsoDescriptor.WantAuthnRequestsSigned.HasValue)
{
saml2Configuration.SignAuthnRequest = entityDescriptor.IdPSsoDescriptor.WantAuthnRequestsSigned.Value;
}
}
else
{
throw new Exception("IdPSsoDescriptor not loaded from metadata.");
}
return saml2Configuration;
});
services.AddSaml2(slidingExpiration: true);
services.AddHttpClient();
appsettings.json
{
"Saml2": {
"IdPMetadata": "https://localhost:5443/saml2p/metadata", // Your Duende Identity server metadata uri
"Issuer": "itfoxtec-testwebappcore", // Client Id
"SignatureAlgorithm": "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256",
"SigningCertificateFile": "itfoxtec.identity.saml2.testwebappcore_Certificate.pfx",
"SigningCertificatePassword": "!QAZ2wsx",
"CertificateValidationMode": "None", // "ChainTrust"
"RevocationMode": "NoCheck"
}
}
Review samples in ITfoxtec/ITfoxtec.Identity.Saml2 repo
Metadata configuration
AddIdentityServerSaml2P
extension accept a IConfiguration
or a Saml2POptions
parameter to configure the metadata document génération with claims lists.
mvcBuilder.AddIdentityServerSaml2P(configurationManager.GetSection(nameof(Saml2POptions)));
"Saml2POptions": {
"X509CertificateValidationMode": "None",
"ContactPersons": [
{
"ContactKind": "Technical",
"Company": "Aguafrommars",
"GivenName": "Olivier Lefebvre",
"SurName": "Aguacongas",
"EmailAddress": "aguacongas@gmail.com"
}
],
"RevocationMode": "NoCheck",
"SignatureAlgorithm": "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256",
"ValidUntil": 365
}
Implement your store
To access data the ISaml2PService
use a IRelyingPartyStore
. You can implement this interface and provide your implementation to the DI to ovveride the default IRelyingPartyStore
implementation.
/// <summary>
/// Custom IRelyingPartyStore implementation
/// </summary>
/// <seealso cref="IRelyingPartyStore" />
public class MyRelyingPartyStore : IRelyingPartyStore
{
public async Task<RelyingParty> FindRelyingPartyByRealm(string realm)
{
// TODO: Implement me
throw new NotImplementedException();
}
}
The DI configuration become:
services.AddIdentityServer()
.AddKeysRotation(options => configuration.GetSection(nameof(KeyRotationOptions))?.Bind(options));
services.AddControllersWithViews()
.AddIdentityServerSaml2P();
services.AddTransient<IRelyingPartyStore, MyRelyingPartyStore>();
Product | Versions Compatible and additional computed target framework versions. |
---|---|
.NET | net8.0 is compatible. net8.0-android was computed. net8.0-browser was computed. net8.0-ios was computed. net8.0-maccatalyst was computed. net8.0-macos was computed. net8.0-tvos was computed. net8.0-windows was computed. |
-
net8.0
- Aguacongas.IdentityServer.KeysRotation.Duende (>= 8.2.0)
- Aguacongas.IdentityServer.Store (>= 8.2.0)
- Duende.IdentityServer (>= 7.0.8)
- ITfoxtec.Identity.Saml2.MvcCore (>= 4.13.2)
NuGet packages
This package is not used by any NuGet packages.
GitHub repositories
This package is not used by any popular GitHub repositories.
Version | Downloads | Last updated |
---|---|---|
8.2.0 | 74 | 11/9/2024 |
8.1.1 | 78 | 11/9/2024 |
8.1.0-preview57- | 67 | 11/3/2024 |
8.0.1 | 152 | 9/22/2024 |
8.0.0 | 140 | 3/9/2024 |
8.0.0-preview1-0001 | 194 | 11/18/2023 |
7.4.6 | 291 | 10/28/2023 |
7.4.5 | 142 | 10/12/2023 |
7.4.4 | 180 | 8/10/2023 |
7.4.3 | 187 | 7/20/2023 |
7.4.2 | 175 | 7/13/2023 |
7.4.1 | 175 | 6/15/2023 |
7.4.0 | 177 | 6/4/2023 |
7.3.0 | 189 | 4/13/2023 |
7.3.0-preview1-0073 | 136 | 4/10/2023 |