ComponentSpace SAML v2.0 IdentityServer4 Integration Guide

Similar documents
ComponentSpace SAML v2.0 Examples Guide

ComponentSpace SAML v2.0 Okta Integration Guide

ComponentSpace SAML v2.0 Configuration Guide

ComponentSpace SAML v2.0 Developer Guide

ComponentSpace SAML v2.0 Configuration Guide

MyWorkDrive SAML v2.0 Azure AD Integration Guide

MyWorkDrive SAML v2.0 Okta Integration Guide

ComponentSpace SAML v2.0 Installation Guide

ComponentSpace SAML v2.0 Office 365 Integration Guide

Configuring Alfresco Cloud with ADFS 3.0

RSA SecurID Ready Implementation Guide. Last Modified: December 13, 2013

<Partner Name> <Partner Product> RSA SECURID ACCESS Implementation Guide. PingIdentity PingFederate 8

Yellowfin SAML Bridge Web Application

TECHNICAL GUIDE SSO SAML Azure AD

Qualys SAML & Microsoft Active Directory Federation Services Integration

Using Your Own Authentication System with ArcGIS Online. Cameron Kroeker and Gary Lee

Upland Qvidian Proposal Automation Single Sign-on Administrator's Guide

Integrating YuJa Active Learning into ADFS via SAML

Integrating YuJa Active Learning into Google Apps via SAML

About This Document 3. Overview 3. System Requirements 3. Installation & Setup 4

Configuring Single Sign-on from the VMware Identity Manager Service to Marketo

<Partner Name> <Partner Product> RSA SECURID ACCESS Implementation Guide. Citrix NetScaler Gateway 12.0

Introduction to IdentityServer

Morningstar ByAllAccounts SAML Connectivity Guide

<Partner Name> <Partner Product> RSA SECURID ACCESS Implementation Guide. Pulse Connect Secure 8.x

Qualys SAML 2.0 Single Sign-On (SSO) Technical Brief

SAML v2.0 for.net Developer Guide

DocuSign Single Sign On Implementation Guide Published: June 8, 2016

Introduction to application management

Using Microsoft Azure Active Directory MFA as SAML IdP with Pulse Connect Secure. Deployment Guide

Quick Connection Guide

Integrating the YuJa Enterprise Video Platform with Dell Cloud Access Manager (SAML)

ComponentSpace SAML v2.0 Developer Guide

Federated Authentication with Web Services Clients

RSA SecurID Access SAML Configuration for Datadog

Google SAML Integration with ETV

Advanced Configuration for SAML Authentication

Integrating VMware Workspace ONE with Okta. VMware Workspace ONE

Integrating YuJa Active Learning with ADFS (SAML)

Introduction... 5 Configuring Single Sign-On... 7 Prerequisites for Configuring Single Sign-On... 7 Installing Oracle HTTP Server...

WebADM and OpenOTP are trademarks of RCDevs. All further trademarks are the property of their respective owners.

SAML 2.0 SSO. Set up SAML 2.0 SSO. SAML 2.0 Terminology. Prerequisites

SafeNet Authentication Manager

Integration Guide. SafeNet Authentication Manager. Using SAM as an Identity Provider for PingFederate

EGI-InSPIRE. GridCertLib Shibboleth authentication for X.509 certificates and Grid proxies. Sergio Maffioletti

Oracle Utilities Opower Solution Extension Partner SSO

IBM InfoSphere Information Server Single Sign-On (SSO) by using SAML 2.0 and Tivoli Federated Identity Manager (TFIM)

SAML v1.1 for.net Developer Guide

A National e-authentication Service

Integration of the platform. Technical specifications

All about SAML End-to-end Tableau and OKTA integration

D9.2.2 AD FS via SAML2

Configuring Confluence

Authentication. Katarina

Contents Introduction... 5 Configuring Single Sign-On... 7 Configuring Identity Federation Using SAML 2.0 Authentication... 29

i-ready Support for Single Sign-On (SSO)

Integrating the YuJa Enterprise Video Platform with ADFS (SAML)

Oracle Access Manager Configuration Guide

Workday Deployment Guide Version 4.0

Google SAML Integration

Unified Communications Manager Version 10.5 SAML SSO Configuration Example

WebEx Connector. Version 2.0. User Guide

Authentication. August 17, 2018 Version 9.4. For the most recent version of this document, visit our documentation website.

<Partner Name> <Partner Product> RSA SECURID ACCESS Implementation Guide. Cisco Adaptive Security Appliance 9.5(2)

Single Sign-On (SSO)Technical Specification

Manage SAML Single Sign-On

Spotfire Security. Peter McKinnis July 2017

Introduction to SSO Access Policy

Authentication Guide

Introduction to ASP.NET Identity. Brock Allen

Enhancing cloud applications by using external authentication services. 2015, 2016 IBM Corporation

Central Authentication Service Integration 2.0 Administration Guide May 2014

ISA 767, Secure Electronic Commerce Xinwen Zhang, George Mason University

Branding Customizations

Unity Connection Version 10.5 SAML SSO Configuration Example

Configuration Guide - Single-Sign On for OneDesk

RSA SecurID Access SAML Configuration for Kanban Tool

Warm Up to Identity Protocol Soup

OpenID Cloud Identity Connector. Version 1.3.x. User Guide

Single Sign-On for PCF. User's Guide

RSA SecurID Access SAML Configuration for Samanage

TalariaX sendquick Alert Plus

BEST PRACTICES GUIDE MFA INTEGRATION WITH OKTA

Inside Symantec O 3. Sergi Isasi. Senior Manager, Product Management. SR B30 - Inside Symantec O3 1

Integration Guide. SafeNet Authentication Service. Using SAS as an Identity Provider for Better MDM

RSA SecurID Access SAML Configuration for Brainshark

Welcome to Oracle Service Cloud Ask the Experts

Leave Policy. SAML Support for PPO

Webthority can provide single sign-on to web applications using one of the following authentication methods:

EXTENDING SINGLE SIGN-ON TO AMAZON WEB SERVICES BEST PRACTICES FOR IDENTITY FEDERATION IN AWS E-BOOK

Identity management. Tuomas Aura T Information security technology. Aalto University, autumn 2011

RSA SecurID Access SAML Configuration for StatusPage

ComponentSpace SAML v2.0 Release Notes

SecureAuth IdP Realm Guide

<Partner Name> <Partner Product> RSA SECURID ACCESS. Pulse Secure Connect Secure 8.3. Standard Agent Client Implementation Guide

Enabling Single Sign-On Using Okta in Axon Data Governance 5.4

Nimsoft Service Desk. Single Sign-On Configuration Guide. [assign the version number for your book]

Integration Guide. SafeNet Authentication Service. Protecting SugarCRM with SAS

Identity management. Tuomas Aura CSE-C3400 Information security. Aalto University, autumn 2014

What Does Logout Mean?

Transcription:

ComponentSpace SAML v2.0 IdentityServer4 Integration Guide Copyright ComponentSpace Pty Ltd 2017-2018. All rights reserved. www.componentspace.com

Contents Introduction... 1 IdentityServer4 as the Service Provider... 1 Adding SAML Support... 1 Service Provider Configuration... 2 Application Startup... 2 Identity Provider Configuration... 3 SP-Initiated SSO... 3 IdP-Initiated SSO... 8 SAML Logout... 8 IdentityServer4 as the Identity Provider... 11 Adding SAML Support... 11 Identity Provider Configuration... 12 Middleware vs API... 13 SAML API... 13 Application Startup... 13 SAML Controller... 13 SAML Middleware... 15 Application Startup... 15 Service Provider Configuration... 16 SP-Initiated SSO... 17 IdP-Initiated SSO... 19 SAML Logout... 19 i

Introduction IdentityServer4 doesn t natively support SAML SSO but it is extensible. This document describes how to add SAML support to IdentityServer4 acting as either an identity provider or service provider. The reader is assumed to have an existing IdentityServer4 project. For information on building, configuring and running IdentityServer4, refer to the following documentation. https://identityserver4.readthedocs.io/en/release/index.html IdentityServer4 as the Service Provider IdentityServer4 supports users signing in using external identity providers. IdentityServer4 is the SAML service provider and the external providers are the SAML identity providers. The application authenticating to IdentityServer4 may use any available protocol (e.g. OpenID Connect). The following sections described how to enable sign-on using external SAML identity providers. Adding SAML Support Add the ComponentSpace.Saml2 NuGet package to the IdentityServer4 project. Add the Certificates folder to the IdentityServer4 project. The following certificate files may be copied from the ExampleServiceProvider project. sp.pfx 1

idp.cer Service Provider Configuration In IdentityServer4 s appsettings.json, include the SAML configuration. "SAML": "$schema": "https://www.componentspace.com/schemas/saml-config-schema-v1.0.json", "Configurations": [ "LocalServiceProviderConfiguration": "Name": "https://identityserver4", "Description": "IdentityServer4", "AssertionConsumerServiceUrl": "http://localhost:5000/saml/assertionconsumerservice", "SingleLogoutServiceUrl": "http://localhost:5000/saml/singlelogoutservice", "LocalCertificates": [ "FileName": "certificates/sp.pfx", "Password": "password" ], "PartnerIdentityProviderConfigurations": [ "Name": "https://exampleidentityprovider", "Description": "Example Identity Provider", "SignAuthnRequest": true, "SingleSignOnServiceUrl": "https://localhost:44313/saml/singlesignonservice", "SingleLogoutServiceUrl": "https://localhost:44313/saml/singlelogoutservice", "PartnerCertificates": [ "FileName": "certificates/idp.cer" ] ] ], "PartnerName": "https://exampleidentityprovider" For information on SAML configuration, refer to the SAML v2.0 Configuration Guide. Application Startup In the ConfigureServices method in IdentityServer4 s Startup class, add the following. // Add SAML SSO services. services.addsaml(configuration.getsection("saml"); // Add the SAML authentication handler. services.addauthentication().addsaml(options => 2

options.signinscheme = IdentityServerConstants.ExternalCookieAuthenticationScheme; options.partnername = () => Configuration["PartnerName"]; ); For more information, refer to the SAML v2.0 Developer Guide. Identity Provider Configuration The following partner service provider configuration is included in the example identity provider s SAML configuration. "Name": "https://identityserver4", "Description": "IdentityServer4", "WantAuthnRequestSigned": true, "SignSamlResponse": true, "AssertionConsumerServiceUrl": "http://localhost:5000/saml/assertionconsumerservice", "SingleLogoutServiceUrl": "http://localhost:5000/saml/singlelogoutservice", "PartnerCertificates": [ "FileName": "certificates/sp.cer" ] SP-Initiated SSO The reader is assumed to have an application that authenticates to IdentityServer4 using OpenID Connect or some other protocol. For more information, refer to the IdentityServer4 documentation. Browse to the application and initiate login. 3

At the IdentityServer4 login page, click the SAML external login button. 4

Login at the identity provider. 5

Allow the requested permissions. 6

The user is automatically logged in at the service provider. 7

IdP-Initiated SSO IdP-initiated SSO is not supported by IdentityServer4. SAML Logout IdP-initiated SAML logout is not supported by IdentityServer4. SP-initiated SAML logout is supported. Initiate logout at the application. 8

You are logged out at IdentityServer4. 9

Click the link to return to the application. 10

IdentityServer4 as the Identity Provider IdentityServer4 supports adding authentication protocols. The following sections described how to enable SAML SSO to IdentityServer4. Authenticating applications act as SAML service providers and IdentityServer4 is the SAML identity provider. Adding SAML Support Add the ComponentSpace.Saml2 NuGet package to the IdentityServer4 project. 11

Add the Certificates folder to the IdentityServer4 project. The following certificate files may be copied from the ExampleIdentityProvider project. idp.pfx sp.cer Identity Provider Configuration In IdentityServer4 s appsettings.json, include the SAML configuration. "SAML": "$schema": "https://www.componentspace.com/schemas/saml-config-schema-v1.0.json", "Configurations": [ "LocalIdentityProviderConfiguration": "Name": "https://identityserver4", "Description": "IdentityServer4", "SingleSignOnServiceUrl": "http://localhost:5000/saml/singlesignonservice", "SingleLogoutServiceUrl": "http://localhost:5000/saml/singlelogoutservice", "ArtifactResolutionServiceUrl": "http://localhost:5000/saml/artifactresolutionservice", "LocalCertificates": [ "FileName": "certificates/idp.pfx", "Password": "password" ], "PartnerServiceProviderConfigurations": [ "Name": "https://exampleserviceprovider", "Description": "Example Service Provider", 12

"WantAuthnRequestSigned": true, "SignSamlResponse": true, "AssertionConsumerServiceUrl": "https://localhost:44360/saml/assertionconsumerservice", "SingleLogoutServiceUrl": "https://localhost:44360/saml/singlelogoutservice", "ArtifactResolutionServiceUrl": "https://localhost:44360/saml/artifactresolutionservice", "PartnerCertificates": [ "FileName": "certificates/sp.cer" ] ] ] For information on SAML configuration, refer to the SAML v2.0 Configuration Guide. Middleware vs API When adding SSO support to IdentityServer4, you have a choice between: Adding the SAML authentication handler or SAML middleware Making explicit SAML API calls within the application Both approaches are described in the following sections. SAML flows are the same for the two approaches. For more information, refer to the SAML v2.0 Developer Guide. SAML API Application Startup In the ConfigureServices method in the application s Startup class, add the following. // Add SAML SSO services. services.addsaml(configuration.getsection("saml"); For more information, refer to the SAML v2.0 Developer Guide. SAML Controller Add a SAML controller to the IdentityServer4 project. This controller includes actions for handling SAML single sign-on and logout. public class SamlController : Controller private readonly ISamlIdentityProvider _samlidentityprovider; private readonly IIdentityServerInteractionService _identityserverinteractionservice; private readonly IMessageStore<LogoutMessage> _logoutmessagestore; public SamlController( ISamlIdentityProvider samlidentityprovider, 13

IIdentityServerInteractionService identityserverinteractionservice, IMessageStore<LogoutMessage> logoutmessagestore) _samlidentityprovider = samlidentityprovider; _identityserverinteractionservice = identityserverinteractionservice; _logoutmessagestore = logoutmessagestore; public async Task<ActionResult> SingleSignOnService() // Receive the authn request from the service provider (SP-initiated SSO). await _samlidentityprovider.receivessoasync(); // If the user is logged in at the identity provider, complete SSO immediately. // Otherwise have the user login before completing SSO. if (User.Identity.IsAuthenticated) await CompleteSsoAsync(); return new EmptyResult(); else return RedirectToAction("SingleSignOnServiceCompletion"); [Authorize] public async Task<ActionResult> SingleSignOnServiceCompletion() await CompleteSsoAsync(); return new EmptyResult(); public async Task<ActionResult> SingleLogoutService() // Receive the single logout request or response. // If a request is received then single logout is being initiated by a partner service provider. // If a response is received then this is in response to single logout having been initiated // by the identity provider. var sloresult = await _samlidentityprovider.receivesloasync(); if (sloresult.isresponse) if (sloresult.hascompleted) // IdP-initiated SLO has completed. return RedirectToPage("/Index"); else // Specify the display name and return URL for logout. var logoutmessage = new Message<LogoutMessage>(new LogoutMessage 14

ClientName = "SAML Service Provider", PostLogoutRedirectUri = "/SAML/SingleLogoutServiceCompletion", DateTime.UtcNow); var logoutid = await _logoutmessagestore.writeasync(logoutmessage); // Logout locally. return RedirectToAction("Logout", "Account", new logoutid = logoutid ); return new EmptyResult(); public async Task<ActionResult> SingleLogoutServiceCompletion() // Respond to the SP-initiated SLO request indicating successful logout. await _samlidentityprovider.sendsloasync(); return new EmptyResult(); private Task CompleteSsoAsync() // Get the name of the logged in user. var username = User.Identity.Name; // Include claims as SAML attributes. var attributes = new List<SamlAttribute>(); foreach (var claim in ((ClaimsIdentity)User.Identity).Claims) attributes.add(new SamlAttribute(claim.Type, claim.value)); // The user is logged in at the identity provider. // Respond to the authn request by sending a SAML response containing a SAML assertion to the SP. return _samlidentityprovider.sendssoasync(username, attributes); SAML Middleware Application Startup In the ConfigureServices method in the application s Startup class, add the following. // Add SAML SSO services. services.addsaml(configuration.getsection("saml"); // Add SAML Middleware services. services.addsamlmiddleware(); In the Configure method in the application s Startup class, add the following. This should be placed after the UseIdentityServer call. 15

// Use SAML middleware. app.usesaml(); // Specify the display name and return URL for logout. app.use(async (context, next) => if (context.request.path.value.equals("/account/logout", StringComparison.OrdinalIgnoreCase) && string.isnullorempty(context.request.query["logoutid"])) var identityserverinteractionservice = context.requestservices.getrequiredservice<iidentityserverinteractionservice>(); var logoutmessagestore = context.requestservices.getrequiredservice<imessagestore<logoutmessage>>(); var logoutmessage = new Message<LogoutMessage>(new LogoutMessage ClientName = "SAML Service Provider", PostLogoutRedirectUri = "/SAML/SingleLogoutServiceCompletion", DateTime.UtcNow); var logoutid = await logoutmessagestore.writeasync(logoutmessage); context.request.querystring = context.request.querystring.add("logoutid", logoutid); await next(); ); For more information, refer to the SAML v2.0 Developer Guide. Service Provider Configuration The following partner identity provider configuration is included in the example service provider s SAML configuration. "Name": "https://identityserver4", "Description": "IdentityServer4", "SignAuthnRequest": true, "SingleSignOnServiceUrl": "http://localhost:5000/saml/singlesignonservice", "SingleLogoutServiceUrl": "http://localhost:5000/saml/singlelogoutservice", "ArtifactResolutionServiceUrl": "http://localhost:5000/saml/artifactresolutionservice", "PartnerCertificates": [ "FileName": "certificates/idp.cer" ] Ensure the PartnerName specifies the correct partner identity provider. "PartnerName": "https://identityserver4" 16

SP-Initiated SSO Browse to the example service provider and click the button to SSO to the identity provider. Log into IdentityServer4. 17

The user is automatically logged in at the service provider. 18

IdP-Initiated SSO IdP-initiated SSO is not supported by IdentityServer4. SAML Logout IdP-initiated SAML logout is not supported by IdentityServer4. SP-initiated SAML logout is supported. Click the logout link at the example service provider. 19

You are prompted to logout at IdentityServer4. 20

Click the Yes button. 21

Click the link to return to the example service provider. 22

23

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback