1. You call the SAML high-level API SAMLIdentityProvider.ReceiveSSO. This processes the SAML authn request, including handling whatever decoding is necessary. You don't have to worry about these details in your code.

2. We recommend loading the SAML configuration once at startup. You would only reload the configuration if it's been changed, but generally this is an infrequent occurrence. The PartnerCertificateFile is required if the SAML authn request is signed or the SAML assertion is to be encrypted. If neither is the case then the PartnerCertificateFile needn't be specified.

3. You call the SAML high-level API SAMLIdentityProvider.SendSSO to send a SAML response to the SP. This handles setting the various parameters you mentioned, signing the SAML response or assertion, encoding and posting the message, etc.

I recommend taking a look at the example projects under the Example\SSO\HighLevelAPI folder. You'll find ExampleIdentityProvider, MvcExampleIdentityProvider and OwinExampleIdentityProvider projects. These demonstrate calling the high-level API as well as including saml.config files. If you decide to set the SAML configuration programmatically, I suggest taking a look at the ExampleIdentityProvider's Global.asax code.


Thank you for the quick response!

1. Yes, I did use SAMLIdentityProvider.ReceiveSSO(), but we want to whitelist the issuerURL in our system so that if anyone else sends us an auth request we reject it. We also need to check if the ForceAuth flag is true or not, so I think we need to parse the query params. Please let me know if there is a utility method to decode base64 and inflate.

2. For the SAML config, please let me explain our use case: we have many clients and each one of them has a different URL and can act as an IDP. We are planning to create a new authn page which will receive the auth request, something like https://client1.com/AuthRequest.aspx, https://client2.com/AuthRequest.aspx, etc. Each client can have its own multiple service providers, so for example client 1 can have sp1 and sp2 as service providers, and client 2 can have sp3 and sp4 as service providers. Do you recommend creating one saml.config file, loaded at startup, which will have all our clients' "Name" and service provider details? I imagine the file would look like this and wasn't sure if it's a common scenario:

<LocalIP1>
  <PartnerSP-1>
  <PartnerSP-2>
<LocalIP2>
  <PartnerSP3>
  <PartnerSP4>
....

Also, is there just one saml.config file for all environments? Or can we create multiple config files, something like dev-saml.config, stage-saml.config, etc.?

3. Awesome! Yes, I was able to use SendSSO() and the assertion posted to our federation service was successful :) I did look at those examples; they were really helpful, thank you!
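An issuer allow-list and ForceAuthn check of the kind asked about in the reply above, as an added C# example that is neither ComponentSpace's nor the poster's code; it uses only the .NET base class library, and the class name, the allow-list entries and the redirectBinding flag are assumptions.

```csharp
using System;
using System.Collections.Generic;
using System.IO;
using System.IO.Compression;
using System.Text;
using System.Xml.Linq;

// Hypothetical helper (not a ComponentSpace API): decodes the SAMLRequest
// parameter, reads the Issuer and ForceAuthn values, and applies an issuer
// allow-list before the request is handed to SAMLIdentityProvider.ReceiveSSO.
public static class AuthnRequestPreCheck
{
    static readonly XNamespace Samlp = "urn:oasis:names:tc:SAML:2.0:protocol";
    static readonly XNamespace Saml = "urn:oasis:names:tc:SAML:2.0:assertion";

    // Allow-list of partner SP entity IDs; these are placeholder values.
    static readonly HashSet<string> AllowedIssuers = new HashSet<string>(StringComparer.Ordinal)
    {
        "https://sp1.example.com/", "https://sp2.example.com/"
    };

    // HTTP-Redirect binding sends base64(raw DEFLATE(xml)); HTTP-POST sends base64(xml).
    // The value is taken from Request.QueryString / Request.Form, which already URL-decode it.
    public static string DecodeSamlRequest(string samlRequestParam, bool redirectBinding)
    {
        byte[] bytes = Convert.FromBase64String(samlRequestParam);
        if (!redirectBinding)
            return Encoding.UTF8.GetString(bytes);
        using (var input = new MemoryStream(bytes))
        using (var inflate = new DeflateStream(input, CompressionMode.Decompress))
        using (var reader = new StreamReader(inflate, Encoding.UTF8))
            return reader.ReadToEnd();
    }

    // Returns true only if the request is an AuthnRequest from an allow-listed issuer.
    // This identifies the SP; it does not authenticate it. The signature check that
    // ReceiveSSO performs against the PartnerCertificateFile still has to pass.
    public static bool IsAcceptable(string samlRequestParam, bool redirectBinding,
                                    out string issuer, out bool forceAuthn)
    {
        // XElement.Parse prohibits DTDs by default, which is what we want for untrusted XML.
        XElement root = XElement.Parse(DecodeSamlRequest(samlRequestParam, redirectBinding));
        if (root.Name != Samlp + "AuthnRequest")
            throw new InvalidOperationException("Not a samlp:AuthnRequest");
        issuer = ((string)root.Element(Saml + "Issuer") ?? string.Empty).Trim();
        forceAuthn = (bool?)root.Attribute("ForceAuthn") ?? false; // absent means false
        return AllowedIssuers.Contains(issuer);
    }
}
```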