
IDP initiated SAML flow with ITfoxtec


I am setting up an IDP initiated SAML authentication flow.

One of our clients will send a SAML assertion request to us by clicking a link within their internal system to access our application, so we act as the Service Provider (we use Identity Server from Duende for authentication).

We are looking at using the ITfoxtec.Identity.Saml2.MvcCore library.

As we are going with an IDP initiated SAML flow, I wanted to check the following:

  1. As an SP (Service Provider), do we only need to have an ACS endpoint for the incoming SAML Assertion? On receiving the Assertion we can process it to get the claims we need and, if it meets our requirements, we can give access to our application.

  2. Do we need to send back any notification to the IDP that sent us the Assertion?

  3. Once verified after receiving the Assertion, do we set the access token in our Identity Server, or do we get a token in the Assertion? We periodically need to check if the user associated with the incoming Assertion is still authenticated in the IDP. Hence I was wondering if the IDP would issue a token with an expiration date/time; if not, would we have to initiate a new SP initiated SAML flow to check if the user is still authenticated with the client IDP?

  4. Do we as an SP need to issue our own Access Token?

  5. For logout, we only want to log the user out of our system (so remove our token if we issue one); we do not want to log the user out of their IDP?

  6. Do we need to simulate login in our Identity Provider, or will that happen automatically when we add SAML2 to our authentication method in our Startup.cs?

  7. Do we use the ITfoxtec.Identity.Saml2.MvcCore library as we are using Duende IdentityServer in a .NET Core 5.0 setup?

  8. Is this possible with the ITfoxtec library?

    // Note: SPOptions, EntityId, IdentityProvider, AllowUnsolicitedAuthnResponse,
    // MetadataLocation and LoadMetadata are Sustainsys.Saml2 types, not ITfoxtec ones.
    services.AddAuthentication()
        .AddSaml2(options =>
        {
            var spOptions = new SPOptions
            {
                EntityId = new EntityId("https://localhost:44373/Saml2"),
                ReturnUrl = new Uri("https://localhost:44373"),
                // Accepts SHA-1 signatures as the minimum; SHA-256 is the usual floor.
                MinIncomingSigningAlgorithm = "http://www.w3.org/2000/09/xmldsig#rsa-sha1",
            };

            options.SPOptions = spOptions;
            options.IdentityProviders.Add(new IdentityProvider(new EntityId("https://www.example.com/SSO/SAML/App"), options.SPOptions)
            {
                // An IdP-initiated response is by definition unsolicited; false rejects it.
                AllowUnsolicitedAuthnResponse = false,
                MetadataLocation = "https://www.example.com/SSO/SAMLMetadata/App",
                LoadMetadata = true,
            });
        });


Solution

    1. Yes, and you only need the ACS endpoint. You can also do logout if it is supported by the IdP.
    2. No.
    3. You receive a SAML 2.0 token in the Assertion which has a lifetime. To check user state you either need the IdP to start a new IdP initiated login or you can start an SP initiated login, if supported by the IdP.
    4. No. That does not have anything to do with the SAML 2.0 integration.
    5. In the IdP initiated scenario the SP usually does not request the IdP to logout.
    6. You need to simulate IdP initiated login, you can use this code sample.
    7. You can integrate ITfoxtec Identity Saml2 into Duende IdentityServer but I do not have a sample on that.
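An ACS endpoint for the IdP initiated flow built on ITfoxtec.Identity.Saml2.MvcCore, as an added example that is not from the question, the answer, or the ITfoxtec project. It assumes the `Saml2Configuration` was registered in Startup with `services.Configure<Saml2Configuration>(...)` and `services.AddSaml2()`, and the controller and route names are hypothetical; the hand-off into Duende's external sign-in is left to the reader.

```csharp
using System;
using System.Security.Authentication;
using System.Threading.Tasks;
using ITfoxtec.Identity.Saml2;
using ITfoxtec.Identity.Saml2.MvcCore;
using ITfoxtec.Identity.Saml2.Schemas;
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Mvc;

// Hypothetical controller; Saml2Configuration is injected from Startup, where
// SignatureValidationCertificates and AllowedAudienceUris (our SP entity ID) are set.
[Route("Auth")]
public class AuthController : Controller
{
    private readonly Saml2Configuration config;

    public AuthController(Saml2Configuration config) => this.config = config;

    // Q1: the only endpoint the IdP initiated flow needs. The IdP POSTs an
    // unsolicited SAML Response here, so there is no AuthnRequest ID to match.
    [HttpPost("AssertionConsumerService")]
    public async Task<IActionResult> AssertionConsumerService()
    {
        var binding = new Saml2PostBinding();
        var response = new Saml2AuthnResponse(config);

        binding.ReadSamlResponse(Request.ToGenericHttpRequest(), response);
        if (response.Status != Saml2StatusCodes.Success)
        {
            throw new AuthenticationException($"SAML Response status: {response.Status}");
        }

        // Unbind verifies the XML signature against the configured IdP certificates,
        // the audience restriction and the assertion's validity window.
        binding.Unbind(Request.ToGenericHttpRequest(), response);

        // Q3: the assertion carries its own expiry. Bound our local session to it,
        // so a fresh login from the IdP is required once the assertion runs out.
        var remaining = response.Saml2SecurityToken.ValidTo - DateTime.UtcNow;
        await response.CreateSession(HttpContext, lifetime: remaining);

        return Redirect(Url.Content("~/"));
    }

    // Q5: local-only logout. Clear our cookie and send no LogoutRequest to the
    // IdP, so the user's session on the IdP side is untouched.
    [HttpGet("Logout")]
    public async Task<IActionResult> Logout()
    {
        await HttpContext.SignOutAsync();
        return Redirect(Url.Content("~/"));
    }
}
```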