Tags: c#, asp.net, owin, saml-2.0, sustainsys-saml2

Sustainsys.Saml2.Owin : Having two different service providers in one website


I'm configuring my website for SSO to be a service provider for a single identity provider.

I'm on .NET MVC 4.7.2 and I use Sustainsys.Saml2.

Everything works fine for a single service provider.

The problem is with the way my SaaS architecture works. I have a single website (with IIS) with a single configuration, and different domain names coming to this website.

I then ask a shared client database which connection string I have to use, based on the request URL.

I have no idea if this way of running a SaaS architecture is right or not, but anyway, since I have only one IIS website, I don't know how to add a per-client Saml2 configuration (where only the service provider entityId and returnUrl would differ).

I was thinking of doing something like this:

public partial class Startup
{
    public void ConfigureAuth(IAppBuilder app)
    {
        app.UseSaml2Authentication(CreateSaml2OptionsClient1());
        app.UseSaml2Authentication(CreateSaml2OptionsClient2());
    }
}

Sadly, the first call to UseSaml2Authentication seems to set the configuration and the second call does nothing.

I have also thought about conditioning these calls (app.UseSaml2Authentication(CreateSaml2OptionsClient1());) by getting the request URL and loading the client-specific Saml2 configuration, but in the startup I have access neither to the request URL nor to my db context.

Is there a way to have multiple Saml2 configurations, or to condition the configuration being used, while keeping my SaaS architecture?

What I need is to have my website website-a.com/Saml2 with entityId = website-a.com/Saml2 and idp = IDP1 and also my website-b.com/Saml2 with entityId = website-b.com/Saml2 and idp = IDP1, and all of that in only one IIS website.


Solution

I found a solution to my problem.

    What I did was to have two app.Map calls in my Startup class, on two different URIs, each with a different Saml2 configuration (where only the identity provider differs).

    app.Map("uri1", a => {
        a.UseSaml2Authentication(CreateSaml2Options(client1));
    });
    app.Map("uri2", a => {
        a.UseSaml2Authentication(CreateSaml2Options(client2));
    });

    This works since client1 is plugged into uri1 and client2 into uri2, but the problem is that client1 could access uri2 and vice versa.
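The app.Map approach from the answer, as an added example that is not code from the question or the answer: each branch gets its own Sustainsys.Saml2 options built in code (distinct EntityId and ReturnUrl per tenant), and a small guard in front of the middleware closes the gap the answer mentions by refusing requests whose host name does not belong to that branch. The tenant table, host names and IdP metadata URL are constructed placeholders, and the SAML endpoints of each tenant then live under its branch path (e.g. website-a.com/client-a/Saml2/Acs).

```csharp
using System;
using System.Threading.Tasks;
using Microsoft.Owin;
using Owin;
using Sustainsys.Saml2;
using Sustainsys.Saml2.Configuration;
using Sustainsys.Saml2.Metadata;
using Sustainsys.Saml2.Owin;

public partial class Startup
{
    // Constructed tenant table; a real deployment would read this from the shared client database.
    private static readonly (string Path, string Host, string IdpMetadata)[] Tenants =
    {
        ("/client-a", "website-a.com", "https://idp1.example.test/metadata"),
        ("/client-b", "website-b.com", "https://idp1.example.test/metadata"),
    };

    public void ConfigureAuth(IAppBuilder app)
    {
        foreach (var tenant in Tenants)
        {
            var t = tenant; // per-iteration copy for the lambda below
            app.Map(t.Path, branch =>
            {
                // Guard: only the tenant's own host may reach this branch, otherwise client A
                // could start or complete the SAML flow configured for client B.
                branch.Use(async (ctx, next) =>
                {
                    if (!string.Equals(ctx.Request.Host.Value, t.Host, StringComparison.OrdinalIgnoreCase))
                    {
                        ctx.Response.StatusCode = 404;
                        return;
                    }
                    await next();
                });
                branch.UseSaml2Authentication(CreateSaml2Options(t.Host, t.IdpMetadata));
            });
        }
    }

    private static Saml2AuthenticationOptions CreateSaml2Options(string host, string idpMetadata)
    {
        // false: build the options here instead of loading <sustainsys.saml2> from web.config
        var options = new Saml2AuthenticationOptions(false)
        {
            SPOptions = new SPOptions
            {
                EntityId = new EntityId("https://" + host + "/Saml2"),
                ReturnUrl = new Uri("https://" + host + "/"),
            }
        };
        options.IdentityProviders.Add(new IdentityProvider(new EntityId("https://idp1.example.test"), options.SPOptions)
        {
            MetadataLocation = idpMetadata,
            LoadMetadata = true,
        });
        return options;
    }
}
```

The host check is what keeps the two branches from being interchangeable; without it, any tenant can hit either mapped path on the shared IIS site.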