
IdentityServer4 and SSO


I have two types of login in my web api:

  1. through the application.
  2. through a personal SSO related to a private company. I implemented my authentication service using IdentityServer4.

But the challenges I have:

  1. I don't know how to implement a personal company SSO for my IdentityServer.
  2. I need to be able to use IdentityServer EndPoints as well (for example, using EndPoint Authorize to validate the received token, which can either be issued through my application or from SSO which is for another company).
  3. I have two addresses for /.well-known/openid-configuration. At the time of receiving user information, how should I understand that I should ask my IdentityServer or the SSO server to receive the information?

Program.cs

// crt: the X509 signing certificate, loaded elsewhere (not shown in the question)
services.AddIdentityServer(opt =>
    {
        opt.EmitStaticAudienceClaim = true;
    })
    .AddInMemoryClients(IdentityServerConfigs.Clients)
    .AddInMemoryIdentityResources(IdentityServerConfigs.IdentityResources)
    .AddInMemoryApiScopes(IdentityServerConfigs.ApiScopes)
    .AddInMemoryApiResources(IdentityServerConfigs.ApiResources)
    .AddAspNetIdentity<User>()
    .AddProfileService<CustomProfileService>()
    .AddExtensionGrantValidator<CustomSecurityStampValidator>()
    .AddSigningCredential(crt);

IdentityServerConfigs.cs

public static IEnumerable<Client> Clients =>
[
    new Client()
    {
        AllowedGrantTypes = CustomGrantTypes.SecurityStamp_Credentials,
        ClientId = "****",
        ClientSecrets = [new Secret("****".Sha256())],

        // refresh token
        AllowOfflineAccess = true,
        AccessTokenLifetime = 3600, // 1h
        RefreshTokenUsage = TokenUsage.ReUse,
        RefreshTokenExpiration = TokenExpiration.Sliding,

        AllowedScopes =
        [
            "roles",
            IdentityServerConstants.StandardScopes.OpenId,
            IdentityServerConstants.StandardScopes.Profile,
        ],
    }
];

Solution

  • I don't know how to implement a personal company SSO for my IdentityServer.

    Your "personal company SSO" would be registered as an External IdP with IS4.

    IS4's documentation has a section documenting this: https://identityserver4.readthedocs.io/en/latest/topics/signin_external_providers.html

    But you should be using IdentityServer7 now, not IS4, so see the updated docs here: https://docs.duendesoftware.com/identityserver/v7/ui/login/external/

  • I need to be able to use IdentityServer EndPoints as well (for example, using EndPoint Authorize to validate the received token, which can either be issued through my application or from SSO which is for another company).

    Those will be unaffected by configuring an external IdP.

  • I have two addresses for /.well-known/openid-configuration. At the time of receiving user information, how should I understand that I should ask my IdentityServer or the SSO server to receive the information?

    Hang on there, you should have only one URI for /.well-known/openid-configuration, and that should be at the IS4 (ideally, IS7) instance you're configuring; while your personal-SSO obviously will have its own endpoints, with identical paths, the hostname will differ and that's fine because it's an entirely separate IdP (this is what identity federation is all about).

    If you're asking about who or what should access the config/token/userinfo endpoints on your personal-SSO, then the answer to that depends on how exactly you follow the guide - you could do it yourself - or use another library (even IS's cousin: IdentityModel), but AFAICT, IS4/IS7 won't do this for you because it's agnostic as to how each (and any) external IdP works.
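Registering the company SSO as an external OpenID Connect IdP in Program.cs, the way the answer describes, as an added example that is neither the asker's code nor the IS4 docs' own sample: the scheme name, hostnames, client id and configuration key are assumptions, and the IS4 quickstart UI's external-login callback is assumed to be present to map the external identity to a local user. It also shows why only IS4's own discovery document matters to your clients: the OIDC handler consumes the company SSO's /.well-known/openid-configuration internally.

```csharp
using IdentityServer4;
using Microsoft.AspNetCore.Authentication.OpenIdConnect;
using Microsoft.IdentityModel.Tokens;

var builder = WebApplication.CreateBuilder(args);

// IS4 registration as in the question (other .Add* calls omitted here).
builder.Services.AddIdentityServer(opt => { opt.EmitStaticAudienceClaim = true; })
    .AddInMemoryClients(IdentityServerConfigs.Clients);

// The company SSO is an upstream IdP that IS4 federates to; it is NOT a second
// issuer your API clients talk to. Scheme name and display name are assumptions.
builder.Services.AddAuthentication()
    .AddOpenIdConnect("company-sso", "Company SSO", options =>
    {
        // External identities land in IS4's temporary external cookie; the login UI
        // (quickstart ExternalController) then maps them to a local user and IS4
        // issues its own tokens from its own /connect/* endpoints.
        options.SignInScheme = IdentityServerConstants.ExternalCookieAuthenticationScheme;

        // The handler fetches <Authority>/.well-known/openid-configuration itself,
        // so the second discovery URL never needs to reach your clients.
        options.Authority = "https://sso.example-company.invalid"; // placeholder host
        options.RequireHttpsMetadata = true;   // refuse plaintext metadata/keys
        options.ClientId = "my-identityserver"; // placeholder, issued by the company SSO
        options.ClientSecret = builder.Configuration["CompanySso:ClientSecret"]; // assumed key, never hard-coded

        options.ResponseType = "code";  // authorization code flow...
        options.UsePkce = true;         // ...with PKCE
        options.SaveTokens = false;     // upstream tokens are not needed after sign-in
        options.GetClaimsFromUserInfoEndpoint = true; // userinfo is called by IS4, not by your clients

        options.CallbackPath = "/signin-company-sso";              // assumed redirect URI path
        options.SignedOutCallbackPath = "/signout-callback-company-sso";

        options.TokenValidationParameters = new TokenValidationParameters
        {
            ValidateIssuer = true,   // reject id_tokens minted by any other issuer
            NameClaimType = "name",
            RoleClaimType = "role"
        };
    });

var app = builder.Build();
app.UseIdentityServer(); // IS4's endpoints (authorize, token, userinfo, discovery) stay as before
app.Run();
```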