ComponentSpace

Forums



Can you have both IDP and SP functionality in the same MVC application?

rbrayb
New Member (6 reputation)

Group: Forum Members
Posts: 4, Visits: 9
Have searched for this but didn't find anything.

Essentially we want the application to authenticate with an IDP via SAML (the SP part) to control access and roles and then call a SAML application via an IDPInitiated call (the IDP part).

If yes, are there any samples showing how to flow between the two?




ComponentSpace
ComponentSpace Development (4.4K reputation)

Group: Administrators
Posts: 3.2K, Visits: 11K
Yes, this is definitely possible and we have customers doing this now.
I'm afraid we don't have any examples but it's fairly straightforward.
The IdP and SP sides of your application are in many ways independent of each other with different endpoints etc.
The flow would be:

1. Acting as the SP, call SAMLServiceProvider.InitiateSSO to send a SAML authn request to the IdP.
2. User logs into the IdP.
3. Call SAMLServiceProvider.ReceiveSSO to receive and process the SAML response from the IdP.
4. Log the user in locally in the application. Possibly save user information in the session etc. if required.
5. Acting as the IdP, call SAMLIdentityProvider.InitiateSSO to create and send a SAML response to the SP.

User identity information received from the IdP may be used to create and send the SAML response to the SP.
Regards
ComponentSpace Development
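The five-step flow above, written out as a single ASP.NET MVC controller. This is an added illustration, not ComponentSpace's own sample code: the controller and action names, the session keys and the ADFS partner name are assumptions, and the `ReceiveSSO` / `InitiateSSO` parameter lists follow the classic ComponentSpace SAML v2.0 for ASP.NET API as I recall them (the attribute collection type has varied between versions, so check against your installed version). The security point it makes is that the IdP-side action is reachable only by an already-authenticated user and builds the outgoing assertion from the identity the upstream IdP asserted, never from anything supplied in the request.

```csharp
using System.Collections.Generic;
using System.Web.Mvc;
using System.Web.Security;
using ComponentSpace.SAML2;             // SAMLServiceProvider, SAMLIdentityProvider
using ComponentSpace.SAML2.Assertions;  // SAMLAttribute

// Hypothetical controller hosting both the SP and the IdP role (names are assumptions).
public class SamlController : Controller
{
    // Step 1 (SP role): send an authn request to the partner IdP, e.g. ADFS.
    // The partner IdP name must match a <PartnerIdentityProvider> entry in saml.config.
    [AllowAnonymous]
    public ActionResult Login(string returnUrl)
    {
        SAMLServiceProvider.InitiateSSO(Response, returnUrl, "https://adfs.example.com/adfs/services/trust");
        return new EmptyResult();
    }

    // Steps 3 and 4 (SP role): assertion consumer service. ReceiveSSO verifies the
    // response (signature, issuer, audience, conditions) before handing back the identity.
    [AllowAnonymous, HttpPost]
    public ActionResult AssertionConsumerService()
    {
        bool isInResponseTo;
        string partnerIdP, authnContext, userName, relayState;
        IList<SAMLAttribute> attributes;   // assumption: IList<SAMLAttribute> in this version

        SAMLServiceProvider.ReceiveSSO(Request, out isInResponseTo, out partnerIdP,
            out authnContext, out userName, out attributes, out relayState);

        // Local login. The identity kept here is the only one the IdP side will ever issue.
        FormsAuthentication.SetAuthCookie(userName, createPersistentCookie: false);
        Session["SamlUserName"] = userName;
        Session["SamlAttributes"] = attributes;

        // Relay state comes back from the browser: only follow it if it is a local URL.
        return Redirect(Url.IsLocalUrl(relayState) ? relayState : "/");
    }

    // Step 5 (IdP role): IdP-initiated SSO to an external SP. [Authorize] means an
    // unauthenticated request is sent through step 1 instead of minting an assertion.
    [Authorize]
    public ActionResult SsoToPartner(string partnerSp)
    {
        var userName = Session["SamlUserName"] as string;
        var attributes = Session["SamlAttributes"] as IList<SAMLAttribute>;
        if (userName == null) return new HttpUnauthorizedResult();

        // partnerSp must be a configured <PartnerServiceProvider>; the library rejects unknown names.
        SAMLIdentityProvider.InitiateSSO(Response, userName, attributes, null, partnerSp);
        return new EmptyResult();
    }
}
```

The user name and attributes stored in step 4 are what "pre-populates" the IdP-initiated flow; if the external SP needs different claims, derive them from these values server-side rather than reading them from the request.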
rbrayb
New Member (6 reputation)

Group: Forum Members
Posts: 4, Visits: 9
ComponentSpace - 4/5/2019
Yes, this is definitely possible and we have customers doing this now.
I'm afraid we don't have any examples but it's fairly straightforward.
The IdP and SP sides of your application are in many ways independent of each other with different endpoints etc.
The flow would be:

1. Acting as the SP, call SAMLServiceProvider.InitiateSSO to send a SAML authn request to the IdP.
2. User logs into the IdP.
3. Call SAMLServiceProvider.ReceiveSSO to receive and process the SAML response from the IdP.
4. Log the user in locally in the application. Possibly save user information in the session etc. if required.
5. Acting as the IdP, call SAMLIdentityProvider.InitiateSSO to create and send a SAML response to the SP.

User identity information received from the IdP may be used to create and send the SAML response to the SP.
Thanks for this. I have both sides working now.

Assume the IDP side is ADFS. The user logs in via IWA and now we do the IDPInitiated side.

We want to use the logged in user credentials for the IDPInitiated flow.

Is there any way to pre-populate them?

Any samples that show this?

Thanks.

ComponentSpace
ComponentSpace Development (4.4K reputation)

Group: Administrators
Posts: 3.2K, Visits: 11K
You need to set up some claim rules in ADFS. These specify what user identity information will be included as the SAML NameID and SAML attributes sent to your SP.
Once you receive these you can either use the same user identity information or some variation of them to send to the external SP.

Regards
ComponentSpace Development