IdentityServer4.Contrib.Saml2BearerGrant
3.0.0
dotnet add package IdentityServer4.Contrib.Saml2BearerGrant --version 3.0.0
NuGet\Install-Package IdentityServer4.Contrib.Saml2BearerGrant -Version 3.0.0
<PackageReference Include="IdentityServer4.Contrib.Saml2BearerGrant" Version="3.0.0" />
paket add IdentityServer4.Contrib.Saml2BearerGrant --version 3.0.0
#r "nuget: IdentityServer4.Contrib.Saml2BearerGrant, 3.0.0"
// Install IdentityServer4.Contrib.Saml2BearerGrant as a Cake Addin
#addin nuget:?package=IdentityServer4.Contrib.Saml2BearerGrant&version=3.0.0
// Install IdentityServer4.Contrib.Saml2BearerGrant as a Cake Tool
#tool nuget:?package=IdentityServer4.Contrib.Saml2BearerGrant&version=3.0.0
SAML 2.0/1.1 bearer grant types for IdentityServer4
Extension grant types for IdentityServer4 implementing a subset of RFC 7522.
- Adds support for using SAML 2.0 and SAML 1.1 assertions as the grant in token requests.
- New grant types: urn:ietf:params:oauth:grant-type:saml2-bearer and urn:ietf:params:oauth:grant-type:saml-bearer (WS-Federation uses SAML 1.1 assertions).
You can add the extension grant types to IdentityServer using the extension builder methods AddSamlBearerGrant() and AddSaml2BearerGrant().
This extension was built for legacy applications that use SAML or WS-Federation authentication. Many companies still use these authentication protocols in their legacy business applications; SharePoint, for example, uses the WS-Federation protocol for federated authentication. Such applications otherwise have no way to obtain an OAuth2 access token with a user as its subject.
With this extension grant they can request an access token from the Token Endpoint by presenting a valid SAML assertion together with client credentials. The access token contains the user id that was the subject of the SAML assertion.
Deviations from RFC 7522
- We do not support self-issued assertions (issued by the OAuth clients themselves) or assertions from third-party security token services. Only assertions issued by IdentityServer acting as SAML IdP are accepted as a grant.
- This library does not support SAML assertions for client authentication.
- Client id and secret are required for client authentication on every token request.
- We do not validate the <Audience> element, because we expect the Relying Party URI as the audience for SAML authentication. According to RFC 7522 the <Audience> element must contain the Token Endpoint URL of the Identity Provider.
.NET and IdentityServer Support
This library is targeting .NET Core 3.1 and IdentityServer4 release 3.0.0+.
How to use
Server
public void ConfigureServices(IServiceCollection services)
{
    services.AddIdentityServer()
        .AddSaml2BearerGrant()
        // allow SAML 1.1 assertions to support WS-Federation clients.
        .AddSamlBearerGrant();
}
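The snippet above only registers the grant handlers. IdentityServer4 additionally rejects any extension grant that is not listed in the requesting client's AllowedGrantTypes, so the client registration is where you decide which clients may redeem SAML assertions at all. The following is an added example, not the package's own code; the client id, secret, scope names and the using directive for the package namespace are assumptions.

```csharp
// Added example (not part of the package): register the SAML bearer grants together
// with an in-memory client that is explicitly allowed to use them.
using IdentityServer4.Models;
using IdentityServer4.Contrib.Saml2BearerGrant; // assumed: namespace of AddSaml2BearerGrant()/AddSamlBearerGrant(); check the package
using Microsoft.Extensions.DependencyInjection;

public class Startup
{
    // Grant type identifiers from RFC 7522 as used by this package (see the README above).
    public const string Saml2BearerGrantType = "urn:ietf:params:oauth:grant-type:saml2-bearer";
    public const string SamlBearerGrantType = "urn:ietf:params:oauth:grant-type:saml-bearer";

    public void ConfigureServices(IServiceCollection services)
    {
        services.AddIdentityServer()
            .AddDeveloperSigningCredential() // development-time key; production uses a real signing credential
            .AddInMemoryIdentityResources(new IdentityResource[] { new IdentityResources.OpenId() })
            .AddInMemoryApiResources(new[] { new ApiResource("api1", "Example API") }) // assumed API name
            .AddInMemoryClients(new[]
            {
                new Client
                {
                    ClientId = "my-oidc-client-id",                      // assumed client id
                    ClientSecrets = { new Secret("secret".Sha256()) },   // assumed secret; RequireClientSecret is true by default
                    // The token request validator checks the requested grant_type against this list,
                    // so only clients listed with these URNs can exchange a SAML assertion for a token.
                    // Omit SamlBearerGrantType if the client never presents SAML 1.1 (WS-Federation) assertions.
                    AllowedGrantTypes = { Saml2BearerGrantType, SamlBearerGrantType },
                    AllowedScopes = { "openid", "api1" }
                }
            })
            .AddSaml2BearerGrant()
            // allow SAML 1.1 assertions to support WS-Federation clients.
            .AddSamlBearerGrant();
    }
}
```

AddInMemoryApiResources is used rather than AddInMemoryApiScopes because the page targets IdentityServer4 3.0.0+, and the ApiScope model only arrived in IdentityServer4 4.x.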
Client
Use a SAML assertion and client credentials to get an access token whose subject is the user:
POST /connect/token
Content-Type: application/x-www-form-urlencoded

grant_type=urn:ietf:params:oauth:grant-type:saml2-bearer&
scope=openid%20api1&
assertion=<base64-url-encoded-assertion>&
client_id=<my-oidc-client-id>&
client_secret=secret
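The request above is shown as a raw form post. Below is an added .NET client example (not code from the package or its README) that builds the same request: it base64url-encodes the assertion as RFC 7522 requires (RFC 4648 section 5 alphabet, no padding), posts the form to the token endpoint and extracts access_token from the JSON response. The endpoint URL, client id, secret, scope and the assertion file path are assumed values.

```csharp
// Added example (not the package's own code): redeem a SAML 2.0 assertion for an access
// token at the IdentityServer4 token endpoint using the saml2-bearer extension grant.
using System;
using System.Collections.Generic;
using System.IO;
using System.Net.Http;
using System.Text;
using System.Text.Json;
using System.Threading.Tasks;

public static class Saml2BearerClient
{
    // RFC 7522 section 2.1: the assertion parameter is base64url-encoded without padding.
    // Convert.ToBase64String emits the standard alphabet, so swap the two differing
    // characters and strip the '=' padding.
    public static string Base64UrlEncode(byte[] input) =>
        Convert.ToBase64String(input).TrimEnd('=').Replace('+', '-').Replace('/', '_');

    public static async Task<string> RequestAccessTokenAsync(
        HttpClient http, Uri tokenEndpoint, string clientId, string clientSecret,
        string assertionXml, string scope)
    {
        var form = new Dictionary<string, string>
        {
            ["grant_type"] = "urn:ietf:params:oauth:grant-type:saml2-bearer", // use saml-bearer for SAML 1.1 assertions
            ["scope"] = scope,
            ["assertion"] = Base64UrlEncode(Encoding.UTF8.GetBytes(assertionXml)),
            ["client_id"] = clientId,
            ["client_secret"] = clientSecret,
        };

        // FormUrlEncodedContent sets Content-Type: application/x-www-form-urlencoded and
        // percent-encodes each value, so "openid api1" is sent correctly.
        using var response = await http.PostAsync(tokenEndpoint, new FormUrlEncodedContent(form));
        var body = await response.Content.ReadAsStringAsync();
        if (!response.IsSuccessStatusCode)
        {
            // IdentityServer returns an OAuth error object (e.g. invalid_grant for a rejected assertion).
            throw new InvalidOperationException($"Token request failed ({(int)response.StatusCode}): {body}");
        }

        using var doc = JsonDocument.Parse(body);
        return doc.RootElement.GetProperty("access_token").GetString();
    }

    public static async Task Main()
    {
        // Assumed values: adjust to your IdentityServer host and client registration.
        var tokenEndpoint = new Uri("https://localhost:5001/connect/token");
        // A SAML 2.0 <Assertion> previously issued by IdentityServer acting as SAML IdP.
        var assertionXml = File.ReadAllText("assertion.xml");

        using var http = new HttpClient();
        var token = await RequestAccessTokenAsync(
            http, tokenEndpoint, "my-oidc-client-id", "secret", assertionXml, "openid api1");
        Console.WriteLine(token);
    }
}
```

For WS-Federation clients holding SAML 1.1 assertions, only the grant_type value changes to urn:ietf:params:oauth:grant-type:saml-bearer; the encoding and the rest of the request are identical.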
Product | Versions (compatible and additional computed target framework versions)
---|---
.NET | net5.0 was computed. net5.0-windows was computed. net6.0 was computed. net6.0-android was computed. net6.0-ios was computed. net6.0-maccatalyst was computed. net6.0-macos was computed. net6.0-tvos was computed. net6.0-windows was computed. net7.0 was computed. net7.0-android was computed. net7.0-ios was computed. net7.0-maccatalyst was computed. net7.0-macos was computed. net7.0-tvos was computed. net7.0-windows was computed. net8.0 was computed. net8.0-android was computed. net8.0-browser was computed. net8.0-ios was computed. net8.0-maccatalyst was computed. net8.0-macos was computed. net8.0-tvos was computed. net8.0-windows was computed.
.NET Core | netcoreapp3.1 is compatible.
Dependencies
.NETCoreApp 3.1
- IdentityServer4 (>= 3.0.0)
- Microsoft.IdentityModel.Tokens.Saml (>= 6.8.0)
NuGet packages
This package is not used by any NuGet packages.
GitHub repositories
This package is not used by any popular GitHub repositories.