Identity server 4 with SAML 2.0 as external identity provider for SSO

Jay · Mar 1, 2018 · Viewed 8k times

I am using IdentityServer4 for authentication in my ASP.NET Core solution, and it is working well with Facebook, Google and other external identity providers. Now I am trying to add SAML 2.0 authentication to the identity server using Sustainsys.Saml2 from https://github.com/Sustainsys/Saml2 and make it work as an external identity provider. (Customers of our site want to log in using their SAML identity provider through our Identity Server, in the same way they can log in via Facebook, Google, etc.)

What I have now is:

  1. sign in URL - https://sso.domain.com/saml/idp/profile/redirectorpost/sso

  2. sign out URL - https://sso.domain.com/saml/idp/profile/post/sls

  3. the CRT certificate of our customer's SAML-based identity provider.

However, I cannot find the documentation that describes how to set up the SAML 2.0 configuration in the IdentityServer4 Startup.cs file. I think the configuration should look like the following, based on the sample available at: https://github.com/Sustainsys/Saml2/blob/master/Samples/SampleAspNetCore2ApplicationNETFramework/Startup.cs

// Inside Startup.ConfigureServices, after AddIdentityServer(...)
services.AddAuthentication()
    .AddSaml2(options =>
    {
        // Entity id of this application (the service provider).
        options.SPOptions.EntityId = new EntityId("...");

        // The upstream (customer) identity provider. With LoadMetadata = true the
        // library downloads the IdP's endpoints and signing keys from the entity id URL.
        options.IdentityProviders.Add(
            new IdentityProvider(new EntityId("..."), options.SPOptions)
            {
                LoadMetadata = true,
            });

        // This application's own certificate (with private key): signs outgoing
        // requests and decrypts encrypted assertions.
        options.SPOptions.ServiceCertificates.Add(new X509Certificate2("..."));
    });

In the sample there are two URLs:

  1. https://localhost:44342/Saml2

  2. http://localhost:52071/Metadata

What do these represent?

Can somebody tell me how to set up all the options for SAML2 in IdentityServer4?

Answer

Anders Abel · Mar 4, 2018
  1. is the entity id of your application, corresponding to the client id in OpenID Connect.
  2. is the entity id of the upstream IdP.

There is a sample IdSrv4 in another branch: https://github.com/Sustainsys/Saml2/tree/netstandard/Samples/SampleIdentityServer4

The sample uses the preview version for .NET Core, but the config is basically the same.

There are working IdentityServer4 samples in https://github.com/Sustainsys/Saml2/tree/master/Samples
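An added example, not from the question, the answer, or the Sustainsys project: a configuration built from exactly the three things the question has (sign-in URL, sign-out URL and the customer's IdP certificate) with no IdP metadata, wired into IdentityServer4 the same way the Google and Facebook handlers are. The SP entity id and origin, the PFX path and password, the scheme name, the helper method name and the customer IdP's entity id (which the question does not state) are placeholders chosen here; the namespaces are those of Sustainsys.Saml2 2.x for ASP.NET Core 2.

```csharp
using System;
using System.Security.Cryptography.X509Certificates;
using IdentityServer4;
using Microsoft.Extensions.DependencyInjection;
using Sustainsys.Saml2;
using Sustainsys.Saml2.Metadata;
using Sustainsys.Saml2.WebSso;

public partial class Startup
{
    // Hypothetical helper, called from ConfigureServices after services.AddIdentityServer(...).
    public static void AddCustomerSaml2(IServiceCollection services,
        string spPfxPath, string spPfxPassword, string idpCrtPath)
    {
        services.AddAuthentication()
            .AddSaml2("CustomerSaml2", "Customer SAML login", options =>
            {
                // Hand the authenticated principal to IdentityServer's external cookie,
                // exactly as the Google/Facebook handlers do, so the normal
                // ExternalLoginCallback flow completes the login.
                options.SignInScheme = IdentityServerConstants.ExternalCookieAuthenticationScheme;

                // Our entity id (the service provider). Placeholder host; the customer's IdP
                // must be configured with this value. The default module path is /Saml2, so
                // our metadata is served at https://identity.example.com/Saml2.
                options.SPOptions.EntityId = new EntityId("https://identity.example.com/Saml2");
                // Assumption: we sit behind a TLS-terminating proxy, so pin the external origin.
                options.SPOptions.PublicOrigin = new Uri("https://identity.example.com/");

                // Our own key pair (PFX with private key): signs AuthnRequests and logout
                // messages and decrypts encrypted assertions. Required for single logout.
                options.SPOptions.ServiceCertificates.Add(
                    new X509Certificate2(spPfxPath, spPfxPassword));

                // The customer's IdP, configured by hand because we have no metadata document.
                // The entity id is a placeholder; it is not given in the question.
                var idp = new IdentityProvider(
                    new EntityId("https://sso.domain.com/saml/idp"), options.SPOptions)
                {
                    LoadMetadata = false,
                    // Sign-in URL from the question, used with the HTTP-Redirect binding.
                    SingleSignOnServiceUrl =
                        new Uri("https://sso.domain.com/saml/idp/profile/redirectorpost/sso"),
                    Binding = Saml2BindingType.HttpRedirect,
                    // Sign-out URL from the question, used with the HTTP-POST binding.
                    SingleLogoutServiceUrl =
                        new Uri("https://sso.domain.com/saml/idp/profile/post/sls"),
                    LogoutBinding = Saml2BindingType.HttpPost,
                    // Only accept responses to requests we issued; turn on only if the
                    // customer needs IdP-initiated login.
                    AllowUnsolicitedAuthnResponse = false,
                };

                // Trust only the customer's CRT for response and assertion signatures.
                idp.SigningKeys.AddConfiguredKey(new X509Certificate2(idpCrtPath));

                options.IdentityProviders.Add(idp);
            });
    }
}
```

The login button on the IdentityServer UI then challenges the "CustomerSaml2" scheme like any other external provider. If the customer can publish a metadata document, prefer `LoadMetadata = true` (with `MetadataLocation` set when the document is not served at the entity id URL): endpoints and signing keys are then read from metadata and key rollover does not need a redeploy. Either way, check what the customer's IdP actually posts back against `AllowUnsolicitedAuthnResponse`, and keep the SP certificate's private key out of the repository.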