SP initiated SSO - multiple SP
LGSADE
New Member

Group: Forum Members
Posts: 3, Visits: 23
Hi,

My company purchased ComponentSpace recently and we succeeded in implementing SP-initiated SSO for our applications.

Our current configuration is the following:
- the app has a saml.config file at its root. This config file contains one ServiceProvider and two PartnerIdentityProviders
- following the examples, we switch between the two IdPs using a key stored in the web.config file
- the first IdP is only for testing, but for convenience we keep it in the application in case it is needed. The real IdP which will be used is the second one

Our issue is the following:
- our second IdP is Google, which needs to know the exact ACS URL. So the ACS URL of the ServiceProvider in the config file must match the one stored in the IdP. No problem here, it works
- for security reasons, we have two domains for our app: one is public and external members can access it from the internet, the other is internal and only company members can access it from the local network
- so we need two ACS URLs, depending on the domain; our security policy forces us to. But Google as an IdP accepts only one
- we had the idea of configuring two SAML apps in Google: one for external and one for internal. This means we have to switch in the app between two SP configurations before the first SSO call

That's where I run into some trouble. I admit I am new to SAML configuration and may have misunderstood some points.

1 - Is it possible to have two SPs in the saml.config file (as PartnerServiceProvider?) and switch between them? If yes, how do I do it programmatically? (SP-initiated SSO)
2 - If not, I tried to have two saml.config files, stored in a folder other than the root. I tried the code below, but the SSO still tries to load the saml.config file from the root. Is there something I'm doing wrong?

// Load a saml.config from a custom location, then start SP-initiated SSO
string path = "somepath";
SAMLConfigurationFile.Load(path);
SAMLServiceProvider.InitiateSSO(Response, null, partnerIdP);

3 - Is there another solution?

Please let me know if my explanation isn't clear enough, any help would be greatly appreciated.

ComponentSpace Development

Group: Administrators
Posts: 3.2K, Visits: 11K
You can have multiple SAML configurations in the one saml.config file. This is part of our multi-tenanted support.
Having two separate saml.config files is not supported as internally we store the configuration statically so the second configuration will replace the first.
In your case where the ACS URL is different, the simplest approach is to have a single saml.config file as you have now but to call the SAMLServiceProvider.InitiateSSO overload that takes the assertion consumer service URL as a parameter.
This overload uses the specified rather than the configured URL.
For example:

SAMLServiceProvider.InitiateSSO(Response, null, partnerIdP, null, assertionConsumerServiceUrl, null);




Regards
ComponentSpace Development
LGSADE
New Member

Group: Forum Members
Posts: 3, Visits: 23
Hi,

Thanks for the advice and quick answer!
Your approach solved my problem for sending the SAML assertion.

Meanwhile, I forgot to mention all the essential parameters for Google SSO, which are the ACS URL and Entity ID.
As I said in the first post, we have created two SAML apps in Google, one with:
- ACS URL = CompanyDomain.net/SAML
- Entity ID = CompanyDomain.net
The other one with:
- ACS URL = CompanyDomain.fr/SAML
- Entity ID = CompanyDomain.fr

The ACS URL is OK thanks to your answer.
The Entity ID is the Name parameter of the ServiceProvider in the saml.config. I'm currently able to change it through the SSOOptions in SAMLServiceProvider.InitiateSSO.
But in the controller in charge of receiving the SAML assertion, I have the following:
SAMLServiceProvider.ReceiveSSO(Request, out isInResponseTo, out partnerIdP, out authnContext, out userName, out attributes, out targetUrl);

Here my controller only reads the Name in the saml.config file, which may have changed depending on the domain. This logically results in an error if the Name and the received SP Name don't match.
How can I dynamically change the SP Name before SAMLServiceProvider.ReceiveSSO?
ComponentSpace Development

Group: Administrators
Posts: 3.2K, Visits: 11K
I think your best option then is to use our multi-tenanted support.
Each domain will have its own separate SAML configuration in the saml.config file.
The following example outlines multiple configurations in the one file.

<SAMLConfigurations xmlns="urn:componentspace:SAML:2.0:configuration">
  <SAMLConfiguration ID="domain1">
    <ServiceProvider Name="SP1"/>
    <PartnerIdentityProviders>
      <PartnerIdentityProvider Name="IdP1"/>
      <PartnerIdentityProvider Name="IdP2"/>
    </PartnerIdentityProviders>
  </SAMLConfiguration>

  <SAMLConfiguration ID="domain2">
    <ServiceProvider Name="SP2"/>
    <PartnerIdentityProviders>
      <PartnerIdentityProvider Name="IdP3"/>
      <PartnerIdentityProvider Name="IdP4"/>
    </PartnerIdentityProviders>
  </SAMLConfiguration>
</SAMLConfigurations>


Each <SAMLConfiguration> is the configuration for a particular domain.
Prior to making any SAML SSO call, you need to set the SAMLController.ConfigurationID property to specify which configuration to use.
For example:

SAMLController.ConfigurationID = "domain1";
SAMLServiceProvider.InitiateSSO(…);


And:

SAMLController.ConfigurationID = "domain1";
SAMLServiceProvider.ReceiveSSO(…);




Regards
ComponentSpace Development
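As an added example (not ComponentSpace's sample code) of the multi-tenanted approach described in this reply: an ASP.NET MVC controller that picks the SAMLConfiguration ID from the host the request arrived on, from a fixed allow-list rather than from the raw Host header, and sets it before both InitiateSSO and ReceiveSSO. The host names, configuration IDs, the web.config key, the ComponentSpace.SAML2 namespace and the out-parameter types of ReceiveSSO are assumptions based on the thread.

```csharp
using System;
using System.Collections.Generic;
using System.Configuration;
using System.Web.Mvc;
using ComponentSpace.SAML2;

public class SamlController : Controller
{
    // Constructed allow-list: each host published to Google maps to a SAMLConfiguration
    // ID from the vendor's example. The host names and IDs here are assumptions.
    private static readonly Dictionary<string, string> HostToConfigurationId =
        new Dictionary<string, string>(StringComparer.OrdinalIgnoreCase)
        {
            { "companydomain.net", "domain1" },  // external SP, entity ID CompanyDomain.net
            { "companydomain.fr",  "domain2" },  // internal SP, entity ID CompanyDomain.fr
        };

    // Resolve the tenant from the host the request arrived on. Only allow-listed hosts
    // are accepted; an unknown or forged Host header must not select a configuration.
    public static string ConfigurationIdForHost(string host)
    {
        string id;
        if (!HostToConfigurationId.TryGetValue(host, out id))
            throw new InvalidOperationException("No SAML configuration for host " + host);
        return id;
    }

    // SP-initiated SSO: select the tenant, then start the flow. The partner IdP name is
    // read from web.config as the original poster describes (key name assumed).
    public ActionResult Login()
    {
        SAMLController.ConfigurationID = ConfigurationIdForHost(Request.Url.Host);
        string partnerIdP = ConfigurationManager.AppSettings["PartnerIdP"];
        SAMLServiceProvider.InitiateSSO(Response, null, partnerIdP);
        return new EmptyResult();
    }

    // Assertion consumer service: the same selection must run before ReceiveSSO so the
    // response is validated against the entity ID and ACS URL of this domain.
    public ActionResult AssertionConsumerService()
    {
        SAMLController.ConfigurationID = ConfigurationIdForHost(Request.Url.Host);
        bool isInResponseTo; string partnerIdP, authnContext, userName, targetUrl;
        IDictionary<string, string> attributes;
        SAMLServiceProvider.ReceiveSSO(Request, out isInResponseTo, out partnerIdP,
            out authnContext, out userName, out attributes, out targetUrl);
        // Hypothetical sign-in; replace with the application's own session handling.
        return Content("Signed in " + userName + " via " + partnerIdP);
    }
}
```

Because the configuration ID is stored per request, the ACS action must set it again rather than relying on the value set during Login.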
LGSADE
New Member

Group: Forum Members
Posts: 3, Visits: 23
Hi,

That's exactly the answer I was looking for, I just implemented it and it works.

Thanks a lot team for great support and quick answers :)
ComponentSpace Development

Group: Administrators
Posts: 3.2K, Visits: 11K
You're most welcome.  :)

Regards
ComponentSpace Development
Marcel Digital
New Member

Group: Forum Members
Posts: 1, Visits: 4
ComponentSpace - 8/29/2018
I think your best option then is to use our multi-tenanted support.
Each domain will have its own separate SAML configuration in the saml.config file.
The following example outlines multiple configurations in the one file.

<SAMLConfigurations xmlns="urn:componentspace:SAML:2.0:configuration">
  <SAMLConfiguration ID="domain1">
    <ServiceProvider Name="SP1"/>
    <PartnerIdentityProviders>
      <PartnerIdentityProvider Name="IdP1"/>
      <PartnerIdentityProvider Name="IdP2"/>
    </PartnerIdentityProviders>
  </SAMLConfiguration>

  <SAMLConfiguration ID="domain2">
    <ServiceProvider Name="SP2"/>
    <PartnerIdentityProviders>
      <PartnerIdentityProvider Name="IdP3"/>
      <PartnerIdentityProvider Name="IdP4"/>
    </PartnerIdentityProviders>
  </SAMLConfiguration>
</SAMLConfigurations>


Each <SAMLConfiguration> is the configuration for a particular domain.
Prior to making any SAML SSO call, you need to set the SAMLController.ConfigurationID property to specify which configuration to use.
For example:

SAMLController.ConfigurationID = "domain1";
SAMLServiceProvider.InitiateSSO(…);


And:

SAMLController.ConfigurationID = "domain1";
SAMLServiceProvider.ReceiveSSO(…);



Hi,

Is there a way to do this for version 2.6.11?
I didn't see a SAMLController in this version, and adding multiple configurations within saml.config didn't seem to be supported, or at least not in that format/syntax.

Essentially, we just want to have multiple ServiceProviders to switch between and use.

ComponentSpace Development

Group: Administrators
Posts: 3.2K, Visits: 11K
You would need to upgrade. Please contact [email protected] for upgrade options.

Regards
ComponentSpace Development