Tags: asp.net-core-3.1, itfoxtec-identity-saml2

Load SAML2 configuration at runtime instead of loading it in Startup


All of the ITfoxtec.Identity.Saml2 example projects on GitHub load the SAML configuration in the ConfigureServices method of the Startup class. I have stored all the configurations in the database. Is there a way to load the SAML configuration from within the code at runtime (after my .NET Core project is started)?

// Requires: using System; using System.Linq; using ITfoxtec.Identity.Saml2;
// using ITfoxtec.Identity.Saml2.Schemas.Metadata; using ITfoxtec.Identity.Saml2.Util;
// AppEnvironment is the sample project's helper that maps a relative path to a physical file path.
public void ConfigureServices(IServiceCollection services)
{
    // Static values (Issuer, certificate file names, IdP metadata URL, ...) come from the "Saml2" section of appsettings.json.
    services.Configure<Saml2Configuration>(Configuration.GetSection("Saml2"));
    services.Configure<Saml2Configuration>(saml2Configuration =>
    {
        //saml2Configuration.SignAuthnRequest = true;
        // The SP signing certificate is loaded from a PFX file together with its password.
        saml2Configuration.SigningCertificate = CertificateUtil.Load(
            AppEnvironment.MapToPhysicalFilePath(Configuration["Saml2:SigningCertificateFile"]),
            Configuration["Saml2:SigningCertificatePassword"]);

        //saml2Configuration.SignatureValidationCertificates.Add(CertificateUtil.Load(AppEnvironment.MapToPhysicalFilePath(Configuration["Saml2:SignatureValidationCertificateFile"])));
        // Only assertions whose audience is this SP's own entity ID are accepted.
        saml2Configuration.AllowedAudienceUris.Add(saml2Configuration.Issuer);

        // IdP endpoints and signature-validation certificates are read from the IdP metadata document.
        var entityDescriptor = new EntityDescriptor();
        entityDescriptor.ReadIdPSsoDescriptorFromUrl(new Uri(Configuration["Saml2:IdPMetadata"]));
        if (entityDescriptor.IdPSsoDescriptor != null)
        {
            saml2Configuration.AllowedIssuer = entityDescriptor.EntityId;
            saml2Configuration.SingleSignOnDestination = entityDescriptor.IdPSsoDescriptor.SingleSignOnServices.First().Location;
            saml2Configuration.SingleLogoutDestination = entityDescriptor.IdPSsoDescriptor.SingleLogoutServices.First().Location;
            saml2Configuration.SignatureValidationCertificates.AddRange(entityDescriptor.IdPSsoDescriptor.SigningCertificates);
            // Honour the IdP's request for signed AuthnRequests if the metadata states one.
            if (entityDescriptor.IdPSsoDescriptor.WantAuthnRequestsSigned.HasValue)
            {
                saml2Configuration.SignAuthnRequest = entityDescriptor.IdPSsoDescriptor.WantAuthnRequestsSigned.Value;
            }
        }
        else
        {
            throw new Exception("IdPSsoDescriptor not loaded from metadata.");
        }
    });

    services.AddSaml2(slidingExpiration: true);

    services.AddControllersWithViews();
}

Solution

  • Yes, it is possible to move the configuration load from startup to later. You can load the content of the Saml2Configuration config object just before it is used by calling a method. In the sample, e.g., just before the Saml2Configuration is used in the Login method.
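One way to do what the answer describes, as an added example that is neither the answerer's nor the ITfoxtec project's code: a loader that builds the Saml2Configuration from database-stored settings when it is first needed, and is called from the Login action instead of reading IOptions<Saml2Configuration>. The Saml2Settings class, the ISaml2SettingsRepository interface and storing the SP signing key as PFX bytes are assumptions; the Saml2Configuration and EntityDescriptor calls are the same ones the Startup sample uses.

```csharp
using System;
using System.Linq;
using System.Security.Cryptography.X509Certificates;
using System.Threading.Tasks;
using ITfoxtec.Identity.Saml2;
using ITfoxtec.Identity.Saml2.Schemas.Metadata;

// Assumed shape of the settings row stored in the database (not part of ITfoxtec).
public class Saml2Settings
{
    public string Issuer { get; set; }
    public string IdPMetadataUrl { get; set; }
    public byte[] SigningPfx { get; set; }
    public string SigningPfxPassword { get; set; }
}

// Assumed repository abstraction over the database.
public interface ISaml2SettingsRepository { Task<Saml2Settings> GetAsync(); }

// Builds a Saml2Configuration on demand instead of in Startup.ConfigureServices.
// Register it as a singleton; the cache TTL bounds how long rotated IdP keys or endpoints stay stale.
public class RuntimeSaml2ConfigurationLoader
{
    private static readonly TimeSpan CacheTtl = TimeSpan.FromMinutes(30);
    private readonly ISaml2SettingsRepository _repo;
    private Saml2Configuration _cached;
    private DateTime _cachedAt;

    public RuntimeSaml2ConfigurationLoader(ISaml2SettingsRepository repo) => _repo = repo;

    public async Task<Saml2Configuration> GetAsync()
    {
        if (_cached != null && DateTime.UtcNow - _cachedAt < CacheTtl) return _cached;

        var s = await _repo.GetAsync();
        var config = new Saml2Configuration { Issuer = s.Issuer };
        config.AllowedAudienceUris.Add(s.Issuer);            // accept only assertions addressed to this SP
        config.SigningCertificate = new X509Certificate2(s.SigningPfx, s.SigningPfxPassword);

        // IdP endpoints and signature-validation certificates come from the IdP metadata, as in the Startup sample.
        var entityDescriptor = new EntityDescriptor();
        entityDescriptor.ReadIdPSsoDescriptorFromUrl(new Uri(s.IdPMetadataUrl));
        var idp = entityDescriptor.IdPSsoDescriptor
                  ?? throw new InvalidOperationException("IdPSsoDescriptor not loaded from metadata.");
        config.AllowedIssuer = entityDescriptor.EntityId;
        config.SingleSignOnDestination = idp.SingleSignOnServices.First().Location;
        config.SingleLogoutDestination = idp.SingleLogoutServices.First().Location;
        config.SignatureValidationCertificates.AddRange(idp.SigningCertificates);
        if (idp.WantAuthnRequestsSigned.HasValue) config.SignAuthnRequest = idp.WantAuthnRequestsSigned.Value;

        _cached = config; _cachedAt = DateTime.UtcNow;
        return config;
    }
}
```

In the controller, `var config = await loader.GetAsync();` replaces the injected IOptions<Saml2Configuration> value, and the Login action then continues as in the sample with `new Saml2RedirectBinding().Bind(new Saml2AuthnRequest(config))`.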