What to present at SAML EntityID URL?

The requirement is that the EntityId is a URI (not URL; in this case the difference between URIs and URLs is important). See “8.3.6 Entity Identifier” in the SAML2 Core spec. From SAML 2.0 Specification: 8.3.6 Entity Identifier URI: urn:oasis:names:tc:SAML:2.0:nameid-format:entity Indicates that the content of the element is the identifier of an entity that …

Working with SAML 2.0 in C# .NET 4.5

.NET 4.5 has WIF (Windows Identity Foundation) built into it. This now supports SAML 2.0. To make use of SAML 2.0, just use .NET 4.5. The class name is Saml2XXXX (where XXXX is the token, assertion, serializer, etc.). Here is a link to SAML 2.0 Assertion: http://msdn.microsoft.com/en-us/library/microsoft.identitymodel.tokens.saml2.saml2assertion.aspx This will create a SAML 2.0 Assertion object. …

ASP.Net Core SAML authentication

This is probably basically an updated version of Anders Abel’s answer, but: I used https://github.com/Sustainsys/Saml2. They have a NuGet package with 36k downloads called “Sustainsys.Saml2.AspNetCore2”. They have a helpful example .NET Core app using it that also uses .NET Core Identity here: https://github.com/Sustainsys/Saml2/tree/master/Samples/SampleAspNetCore2ApplicationNETFramework (take a look at their startup.cs and also their external login Razor …

What is the purpose of a SAML Artifact?

Typically, the intent of the artifact binding is to reduce the flow of SAML messages through the browser itself. This could be due to browser restrictions (browsers that have limits on query string / POST payload size) or no support for JavaScript (for auto-submitted forms), or even to improve the security model of how the …

SAML/ADFS node.js implementation guide?

I recently went through the same thought process: having never heard of SAML, I needed to enable a web application to authenticate via SAML with OneLogin as the identity provider (instead of Active Directory). During implementation, I made heavy use of OneLogin’s documentation and the passport-saml library, both of which I recommend, though I’m not …