How to set acr-values for Sustainsys external provider in identity server 3

I have IdSvr3 with local user accounts in SQL. In addition I have also configured an external identity provider which supports SAML2 using Sustainsys; I followed the sample here.

Now when a user accesses the client application he gets redirected to the login page, which presents userid/password textboxes for local login and also a button to redirect to the external provider.

I want to change this behavior. I want the user to go directly to the external login based on some condition. I've read that I can pass the required login provider in acr_values and IdSvr3 will go directly to the external provider.

Here is how I registered the external provider with IdSvr3 (note: some code is removed for brevity):

public class Startup
{
    public void Configuration(IAppBuilder app)
    {
        app.Map("/identity", idsrvApp =>
        {
            var identityServerOptions = new IdentityServerOptions
            {
                AuthenticationOptions = new AuthenticationOptions
                {
                    // wires ConfigureIdentityProviders (below) into the IdSvr3 pipeline
                    IdentityProviders = ConfigureIdentityProviders
                }
            };
            idsrvApp.UseIdentityServer(identityServerOptions);
        });
    }

    private void ConfigureIdentityProviders(IAppBuilder app, string signInAsType)
    {
        // SAML2
        var options = new Saml2AuthenticationOptions(false)
        {
            SPOptions = new SPOptions
            {
                EntityId = new EntityId("https://localhost:44300/IdSrv3/Saml2"),
            },
            SignInAsAuthenticationType = signInAsType,
            Caption = "SAML2p"
        };

        UseIdSrv3LogoutOnFederatedLogout(app, options);

        options.SPOptions.ServiceCertificates.Add(new X509Certificate2(
            AppDomain.CurrentDomain.SetupInformation.ApplicationBase + "/App_Data/Sustainsys.Saml2.Tests.pfx"));

        options.IdentityProviders.Add(new IdentityProvider(
            new EntityId(""),      // IdP entity id left blank in the original post
            options.SPOptions)
        {
            LoadMetadata = true
        });

        // registers the Sustainsys middleware with the pipeline
        app.UseSaml2Authentication(options);
    }
}

And here is the client application startup:

public class Startup
{
    public void Configuration(IAppBuilder app)
    {
        app.UseOpenIdConnectAuthentication(new OpenIdConnectAuthenticationOptions
        {
            Authority = "https://localhost:44300/identity",
            Scope = "openid profile email",
            ClientId = "XXXXXXXXXXXXXXX",
            RedirectUri = "http://localhost:36102/",
            ResponseType = "id_token",
            SignInAsAuthenticationType = "Cookies",

            Notifications = new OpenIdConnectAuthenticationNotifications
            {
                RedirectToIdentityProvider = (n) =>
                {
                    if (n.ProtocolMessage.RequestType == OpenIdConnectRequestType.AuthenticationRequest)
                    {
                        if (SomeCondition == true)
                        {
                            // acr_values "idp:<name>" asks IdSvr3 to pre-select an external provider
                            n.ProtocolMessage.AcrValues = "idp:saml2";
                        }
                    }

                    return Task.FromResult(0);
                }
            }
        });
    }
}

However, identity server throws the error "External login error: provider requested saml2 is not a configured external provider".

What is the valid name for Sustainsys/Saml2 provider and where is it configured?


  • I think I found it. The idp is actually the value of the AuthenticationType property. During external provider setup in IdentityServer3, the Saml2AuthenticationOptions by default sets the AuthenticationType to "Saml2". So in the client application I have to use the exact same value as acr_values; it is case-sensitive. I was using a small s instead of a capital S. When I changed it to "Saml2" it worked.

    I can also override AuthenticationType to any string I want, and that is good because now I can set up multiple external IdPs that support the SAML2 protocol and differentiate them by their AuthenticationType.

    Also I found this documentation helpful.

    Take a look at how Okta is configured with IdentityServer3 in section 2.5.4, "Step 3: Configure your identity server with the new identity provider".

    Also, from the IdentityServer documentation:

    AuthenticationType must be a unique value to identify the external identity provider. This value will also be used for the idp claim in the resulting tokens. Furthermore the same value can be used to pre-select identity providers during authorization/authentication requests using the acr_values parameter (see this for more information). This value is also used to restrict the allowed identity providers on the Client configuration.
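As an added example (not code from the question, the answer, or the Sustainsys sample), the following shows the answer's approach carried one step further: two SAML2 identity providers registered on IdentityServer3 with distinct AuthenticationType values, a client definition that restricts which of them may be pre-selected, and a client-side RedirectToIdentityProvider handler that emits the matching "idp:" acr value with the exact casing that was registered. The provider names "CorpSaml" and "PartnerSaml", the metadata URLs, the client id, and the login_hint lookup are assumptions; IdentityServer3's Client.IdentityProviderRestrictions and Sustainsys's SPOptions.ModulePath are used as those libraries document them.

```csharp
using System;
using System.Collections.Generic;
using System.Threading.Tasks;
using IdentityServer3.Core.Models;
using Microsoft.IdentityModel.Protocols;
using Microsoft.Owin.Security.Notifications;
using Microsoft.Owin.Security.OpenIdConnect;
using Owin;
using Sustainsys.Saml2;
using Sustainsys.Saml2.Configuration;
using Sustainsys.Saml2.Metadata;
using Sustainsys.Saml2.Owin;

// IdentityServer3 side: two SAML2 providers, told apart by AuthenticationType.
// Names and URLs below are placeholders chosen for this example.
public static class ExternalProviders
{
    public const string CorpIdp = "CorpSaml";
    public const string PartnerIdp = "PartnerSaml";

    // Plug this into IdentityServerOptions.AuthenticationOptions.IdentityProviders.
    public static void Configure(IAppBuilder app, string signInAsType)
    {
        app.UseSaml2Authentication(Build(CorpIdp, "Corporate SSO",
            "https://localhost:44300/identity/Saml2/Corp",
            "https://idp-corp.example/metadata", signInAsType));       // placeholder IdP

        app.UseSaml2Authentication(Build(PartnerIdp, "Partner SSO",
            "https://localhost:44300/identity/Saml2/Partner",
            "https://idp-partner.example/metadata", signInAsType));    // placeholder IdP
    }

    private static Saml2AuthenticationOptions Build(string authenticationType, string caption,
        string spEntityId, string idpMetadata, string signInAsType)
    {
        var options = new Saml2AuthenticationOptions(false)
        {
            // This exact, case-sensitive string is what follows "idp:" in acr_values
            // and what ends up in the idp claim of issued tokens.
            AuthenticationType = authenticationType,
            Caption = caption,
            SignInAsAuthenticationType = signInAsType,
            SPOptions = new SPOptions
            {
                EntityId = new EntityId(spEntityId),
                // Two Saml2 middleware instances must not share the default "/Saml2" path.
                ModulePath = "/Saml2/" + authenticationType
            }
        };
        // With LoadMetadata = true the metadata is fetched from the IdP's EntityId.
        options.IdentityProviders.Add(new IdentityProvider(new EntityId(idpMetadata), options.SPOptions)
        {
            LoadMetadata = true
        });
        return options;
    }

    // Client registration: only the listed AuthenticationType values may be requested
    // via acr_values for this client; any other idp value is rejected by IdentityServer3.
    public static Client BuildClient()
    {
        return new Client
        {
            ClientId = "mvc-client",                      // placeholder
            ClientName = "MVC client",
            Flow = Flows.Implicit,
            RedirectUris = new List<string> { "http://localhost:36102/" },
            AllowedScopes = new List<string> { "openid", "profile", "email" },
            IdentityProviderRestrictions = new List<string> { CorpIdp, PartnerIdp }
        };
    }
}

// Client side: choose the provider from a hint the client already has (here an e-mail
// domain passed as login_hint) and emit the registered name with its registered casing.
public static class ClientIdpSelection
{
    private static readonly Dictionary<string, string> DomainToIdp =
        new Dictionary<string, string>(StringComparer.OrdinalIgnoreCase)
        {
            { "corp.example", ExternalProviders.CorpIdp },
            { "partner.example", ExternalProviders.PartnerIdp }
        };

    // Returns "idp:<AuthenticationType>" or null when no provider should be pre-selected.
    public static string SelectAcrValues(string emailHint)
    {
        if (string.IsNullOrEmpty(emailHint) || !emailHint.Contains("@")) return null;
        var domain = emailHint.Substring(emailHint.LastIndexOf('@') + 1);
        string idp;
        // Lookup is case-insensitive; the emitted value keeps the registered casing.
        return DomainToIdp.TryGetValue(domain, out idp) ? "idp:" + idp : null;
    }

    public static Task OnRedirectToIdentityProvider(
        RedirectToIdentityProviderNotification<OpenIdConnectMessage, OpenIdConnectAuthenticationOptions> n)
    {
        if (n.ProtocolMessage.RequestType == OpenIdConnectRequestType.AuthenticationRequest)
        {
            var acr = SelectAcrValues(n.OwinContext.Request.Query["login_hint"]);
            if (acr != null) n.ProtocolMessage.AcrValues = acr;
        }
        return Task.FromResult(0);
    }
}
```

Wire `ExternalProviders.Configure` into `AuthenticationOptions.IdentityProviders` on the IdentityServer3 side and `ClientIdpSelection.OnRedirectToIdentityProvider` into `Notifications.RedirectToIdentityProvider` on the client. Because the client's `IdentityProviderRestrictions` list and the registered `AuthenticationType` values are the same constants, a typo or casing mismatch shows up as the "not a configured external provider" error from the question rather than as a silent fall-through to the local login page.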