ComponentSpace

Forums



SAML High-Level API


SAML High-Level API

Author
Message
ComponentSpace
ComponentSpace
ComponentSpace Development
ComponentSpace Development (3.1K reputation)ComponentSpace Development (3.1K reputation)ComponentSpace Development (3.1K reputation)ComponentSpace Development (3.1K reputation)ComponentSpace Development (3.1K reputation)ComponentSpace Development (3.1K reputation)ComponentSpace Development (3.1K reputation)ComponentSpace Development (3.1K reputation)ComponentSpace Development (3.1K reputation)

Group: Administrators
Posts: 2.2K, Visits: 5.7K
SAML Identity Provider APIs
The following APIs may be called when acting as an identity provider.

SAMLIdentityProvider.InitiateSSO
The InitiateSSO method sends a SAML response to the specified service provider as part of IdP-initiated SSO.
For example:
  
             SAMLIdentityProvider.InitiateSSO(
               Response,
               “testuser”,
               new Dictionary<string, string>() {
                   { “membership-level”, “platinum” },
                   { “membership-number”, “12345678” } },
               null,
               null);

  
The Response is used to send the SAML response to the service provider via the browser.
The second parameter is the name of the user.
The third parameter is the user’s optional attribute names and values.
The fourth parameter is the target service provider URL or null if the default page should be displayed.
The fifth parameter is the partner service provider’s name or null if there’s only one configured partner service provider.

SAMLIdentityProvider.ReceiveSSO
The ReceiveSSO method receives an authn request from a service provider as part of SP-initiated SSO.
For example:
  
             SAMLIdentityProvider.ReceiveSSO(
               Request,
               out partnerSP);

  
The Request is used to receive the authn request.
The partnerSP receives the name of the service provider that sent the authn request.

SAMLIdentityProvider.SendSSO
The SendSSO method sends a SAML response to the service provider as part of SP-initiated SSO.
For example:
  
             SAMLIdentityProvider.SendSSO(
               Response,
               “testuser”,
               new Dictionary<string, string>() {
                   { “membership-level”, “platinum” },
                   { “membership-number”, “12345678” } });

  
The Response is used to send the SAML response to the service provider via the browser.
The second parameter is the name of the user.
The third parameter is the user’s optional attribute names and values.

SAMLIdentityProvider.InitiateSLO
The InitiateSLO method sends a logout request to each service provider in session as part of IdP-initiated SLO.
For example:
  
             SAMLIdentityProvider.InitiateSLO(
               Response,
               null);

  
The Response is used to send the logout request to the service provider via the browser.
The second parameter is the logout reason or null if none.

SAMLIdentityProvider.ReceiveSLO
The ReceiveSLO method receives a logout request from a service provider as part of SP-initiated SLO or a logout response from a service provider as part of IdP-initiated SLO.
For example:
  
             SAMLIdentityProvider.ReceiveSLO(
               Request,
               Response,
               out isRequest,
               out hasCompleted,
               out logoutReason,
               out partnerSP);

  
The Request is used to receive the logout message.
The Response is used to send a logout message.
The isRequest receives the flag indicating whether a logout request or response has been received.
The hasCompleted receives the flag indicating whether the IdP-initiated SLO has completed.
The logoutReason receives the logout reason.
The partnerSP receives the name of the service provider that sent the logout message.

SAMLIdentityProvider.SendSLO
The SendSLO method sends a logout message to the service provider.
For example:
  
             SAMLIdentityProvider.SendSLO(
               Response,
               null);

  
The Response is used to send the logout message to the service provider via the browser.
The second parameter is the error message or null if none.

SAML Service Provider APIs
The following APIs may be called when acting as a service provider.

SAMLServiceProvider.InitiateSSO
 The InitiateSSO method sends an authn request to the specified identity provider as part of SP-initiated SSO.
 For example:
  
             SAMLServiceProvider.InitiateSSO(
               Response,
               null,
               null);

  
The Response object is used to send the authn request to the identity provider via the browser.
The second parameter is the relay state (e.g. target URL) or null if not required.
The third parameter is the partner identity provider’s name or null if there’s only one configured partner identity provider.

SAMLServiceProvider.ReceiveSSO
The ReceiveSSO method receives a SAML response from an identity provider as part of either IdP-initiated SSO or SP-initiated SSO.
For example:
  
             SAMLServiceProvider.ReceiveSSO(
               Request,
               out isInResponseTo,
               out partnerIdP,
               out userName,
               out attributes,
               out targetUrl);

  
The Request is used to receive the SAML response.
The isInResponseTo receives the flag indicating whether SAML response is in response to an authn request (i.e. SP-initiated SSO) or not (i.e. IdP-initiated SSO).
The partnerIdP receives the name of the identity provider.
The userName receives the name of the user.
The attributes receives the user’s optional attribute names and values.
The targetUrl receives the target service provider URL or null if the default page should be displayed.

SAMLServiceProvider.InitiateSLO
The InitiateSLO method sends a logout request to the identity provider as part of SP-initiated SLO.
For example:
  
             SAMLServiceProvider.InitiateSLO(
               Response,
               null,
               null);

  
The Response is used to send the logout request to the service provider via the browser.
The second parameter is the logout reason or null if none.
The third parameter is the partner identity provider’s name or null if there’s only one configured partner identity provider.

SAMLServiceProvider.ReceiveSLO
The ReceiveSLO method receives a logout request from a service provider as part of SP-initiated SLO or a logout response from a service provider as part of IdP-initiated SLO.
For example:
  
             SAMLServiceProvider.ReceiveSLO(
               Request,
               out isRequest,
               out logoutReason,
               out partnerIdP);

  
The Request is used to receive the logout message.
The isRequest receives the flag indicating whether a logout request or response has been received.
The logoutReason receives the logout reason.
The partnerIdP receives the name of the identity provider that sent the logout message.

SAMLServiceProvider.SendSLO
The SendSLO method sends a logout message to the identity provider.
For example:
  
             SAMLServiceProvider.SendSLO(
               Response,
               null);

  
The Response is used to send the logout message to the identity provider via the browser.
The second parameter is the error message or null if none.

Configuration Management
The high-level API is configuration driven. The configuration is described at:
http://www.componentspace.com/Forums/37/SAML-Configuration
http://www.componentspace.com/Forums/38/Storing-the-SAML-Configuration-in-a-Database



Regards
ComponentSpace Development
ComponentSpace
ComponentSpace
ComponentSpace Development
ComponentSpace Development (3.1K reputation)ComponentSpace Development (3.1K reputation)ComponentSpace Development (3.1K reputation)ComponentSpace Development (3.1K reputation)ComponentSpace Development (3.1K reputation)ComponentSpace Development (3.1K reputation)ComponentSpace Development (3.1K reputation)ComponentSpace Development (3.1K reputation)ComponentSpace Development (3.1K reputation)

Group: Administrators
Posts: 2.2K, Visits: 5.7K
SAMLIdentityProvider.InitiateSSO and SAMLIdentityProvider.SendSSO send the SAML response to the service provider using the HTTP-Post binding. This means the SAML response is sent to the service provider via the browser as HTTP Post data.
SAMLServiceProvider.InitiateSSO sends the authn request using the HTTP-redirect binding by default or, if configured to do so, the HTTP-Post binding. If sent using HTTP-redirect the authn request is sent as a query string parameter. If sent using HTTP-Post the authn request is sent as HTTP Post data.
The corresponding Receive methods receive these messages over the corresponding bindings.
These bindings (HTTP-Post and HTTP-redirect) are defined within the SAML specification.

Regards
ComponentSpace Development
ComponentSpace
ComponentSpace
ComponentSpace Development
ComponentSpace Development (3.1K reputation)ComponentSpace Development (3.1K reputation)ComponentSpace Development (3.1K reputation)ComponentSpace Development (3.1K reputation)ComponentSpace Development (3.1K reputation)ComponentSpace Development (3.1K reputation)ComponentSpace Development (3.1K reputation)ComponentSpace Development (3.1K reputation)ComponentSpace Development (3.1K reputation)

Group: Administrators
Posts: 2.2K, Visits: 5.7K
For SP-initiated SLO the message flow is as follows.
SP sends a logout request to IdP.
IdP sends a logout response to SP.

At the SP, this corresponds to the following API calls.
SAMLServiceProvider.InitiateSLO
SAMLServiceProvider.ReceiveSLO

For IdP-initiated SLO the message flow is as follows.
IdP sends a logout request to the SP.
SP sends a logout response to the IdP.

At the SP, this corresponds to the following API calls.
SAMLServiceProvider.ReceiveSLO
SAMLServiceProvider.SendSLO

So, for SP-initiated SLO you shouldn't be calling SAMLServiceProvider.SendSLO.
The SAMLServiceProvider.ReceiveSLO returns isRequest indicating whether a logout request or response was received.
A logout request is part of IdP-initiated SLO. A logout response is part of SP-initiated SLO.
If required, you can use isRequest to determine how to process the logout message.
The ExampleServiceProvider demonstrates supporting both SP-initiated SLO and IdP-initiated SLO.



Regards
ComponentSpace Development
ComponentSpace
ComponentSpace
ComponentSpace Development
ComponentSpace Development (3.1K reputation)ComponentSpace Development (3.1K reputation)ComponentSpace Development (3.1K reputation)ComponentSpace Development (3.1K reputation)ComponentSpace Development (3.1K reputation)ComponentSpace Development (3.1K reputation)ComponentSpace Development (3.1K reputation)ComponentSpace Development (3.1K reputation)ComponentSpace Development (3.1K reputation)

Group: Administrators
Posts: 2.2K, Visits: 5.7K
I think the best thing to do would be to enable SAML trace and send the log file as an email attachment to support@componentspace.com. That way I can see exactly what the flow and error are. Please mention this forum topic.
http://www.componentspace.com/Forums/17/Enabing-SAML-Trace


Regards
ComponentSpace Development
samldev
samldev
New Member
New Member (3 reputation)New Member (3 reputation)New Member (3 reputation)New Member (3 reputation)New Member (3 reputation)New Member (3 reputation)New Member (3 reputation)New Member (3 reputation)New Member (3 reputation)

Group: Forum Members
Posts: 3, Visits: 21
Hello,
I see that LocalCertificatePasswordKey looks up appSettings for encrypted password value. But we don't want to encrypt all appSettings values. Is it possible to lookup from a custom configSection that is enrypted?



ComponentSpace
ComponentSpace
ComponentSpace Development
ComponentSpace Development (3.1K reputation)ComponentSpace Development (3.1K reputation)ComponentSpace Development (3.1K reputation)ComponentSpace Development (3.1K reputation)ComponentSpace Development (3.1K reputation)ComponentSpace Development (3.1K reputation)ComponentSpace Development (3.1K reputation)ComponentSpace Development (3.1K reputation)ComponentSpace Development (3.1K reputation)

Group: Administrators
Posts: 2.2K, Visits: 5.7K
I'm afraid we don't support custom config sections.
An alternative is to store the certificate and private key in the Windows certificate store rather than in a PFX file.
You then only need to specify the certificate by thumbprint, serial number or subject name. A password doesn't have to be configured.
The following article describes how to store the certificate in the Windows certificate store and then reference it.

http://www.componentspace.com/Forums/44/X.509-Certificate-Management


Regards
ComponentSpace Development
samldev
samldev
New Member
New Member (3 reputation)New Member (3 reputation)New Member (3 reputation)New Member (3 reputation)New Member (3 reputation)New Member (3 reputation)New Member (3 reputation)New Member (3 reputation)New Member (3 reputation)

Group: Forum Members
Posts: 3, Visits: 21
For High Level API how do I get the NameID value which is an email address?

ComponentSpace
ComponentSpace
ComponentSpace Development
ComponentSpace Development (3.1K reputation)ComponentSpace Development (3.1K reputation)ComponentSpace Development (3.1K reputation)ComponentSpace Development (3.1K reputation)ComponentSpace Development (3.1K reputation)ComponentSpace Development (3.1K reputation)ComponentSpace Development (3.1K reputation)ComponentSpace Development (3.1K reputation)ComponentSpace Development (3.1K reputation)

Group: Administrators
Posts: 2.2K, Visits: 5.7K
When you call SAMLServiceProvider.ReceiveSSO you are returned, as output parameters, the userName and attributes.
The userName is the SAML subject name identifier (ie the NameID).
The attributes are the SAML attribute name/value pairs.
If the NameID is an email address then this will be returned in the userName output parameter.

Regards
ComponentSpace Development
samldev
samldev
New Member
New Member (3 reputation)New Member (3 reputation)New Member (3 reputation)New Member (3 reputation)New Member (3 reputation)New Member (3 reputation)New Member (3 reputation)New Member (3 reputation)New Member (3 reputation)

Group: Forum Members
Posts: 3, Visits: 21
We had an issue with NameID format. Documentation says default is unspecified but format was defaulting to entity.

ComponentSpace
ComponentSpace
ComponentSpace Development
ComponentSpace Development (3.1K reputation)ComponentSpace Development (3.1K reputation)ComponentSpace Development (3.1K reputation)ComponentSpace Development (3.1K reputation)ComponentSpace Development (3.1K reputation)ComponentSpace Development (3.1K reputation)ComponentSpace Development (3.1K reputation)ComponentSpace Development (3.1K reputation)ComponentSpace Development (3.1K reputation)

Group: Administrators
Posts: 2.2K, Visits: 5.7K
When acting as the identity provider we default the NameID format to "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified".
If acting as the service provider the NameID format is whatever is sent by the partner identity provider.

Regards
ComponentSpace Development
GO


Similar Topics


Execution: 0.000. 2 queries. Compression Enabled.
Login
Existing Account
Email Address:


Password:


Social Logins

Select a Forum....









Forums, Documentation & Knowledge Base - ComponentSpace


Search