Identityserver4: SAML2.0 support

Created on 14 Jun 2017 · 23 Comments · Source: IdentityServer/IdentityServer4

For a new Application in our Company we need SAML2-SSO.

Are there any plans for IdentityServer4 SAML2.0 support?

question

All 23 comments

You can implement an extension grant for the SAML 2.0 Profile for OAuth 2.0. I've done this for the JWT Assertion Profile.

https://tools.ietf.org/html/rfc7522

Your application would accept the SAML assertion, and then send it to the idsrv token endpoint with the SAML assertion grant type. Idsrv will resolve your extension grant validator where your code running in idsrv would validate the assertion, resulting in an access token being issued.
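What the comment above describes, written out as an IdentityServer4 extension grant validator for the RFC 7522 SAML 2.0 bearer assertion grant. This is an added example, not code from IdentityServer4, RSK or the commenter; it assumes the NuGet packages IdentityServer4 (2.x) and Microsoft.IdentityModel.Tokens.Saml, and the issuer, audience, certificate and identity-provider name are hypothetical placeholders.

```csharp
// Added example (not IdentityServer4's or the SAML component's own code): an
// IExtensionGrantValidator for the RFC 7522 grant type
// urn:ietf:params:oauth:grant-type:saml2-bearer.
// Assumes the IdentityServer4 and Microsoft.IdentityModel.Tokens.Saml packages;
// issuer, audience, certificate and identityProvider values below are hypothetical.
using System;
using System.Linq;
using System.Security.Claims;
using System.Security.Cryptography.X509Certificates;
using System.Threading.Tasks;
using IdentityServer4.Models;
using IdentityServer4.Validation;
using Microsoft.IdentityModel.Tokens;
using Microsoft.IdentityModel.Tokens.Saml2;

public class Saml2BearerGrantValidator : IExtensionGrantValidator
{
    // Grant type and parameter name are fixed by RFC 7522, section 2.1.
    public const string Saml2BearerGrantType = "urn:ietf:params:oauth:grant-type:saml2-bearer";
    private const string BearerConfirmationMethod = "urn:oasis:names:tc:SAML:2.0:cm:bearer";

    private readonly TokenValidationParameters _validationParameters;

    // Hypothetical values: the external IdP's entityID, the audience the IdP was told
    // to restrict the assertion to (RFC 7522, section 3: the token endpoint URL or an
    // identifier this authorization server accepts), and the IdP signing certificate.
    public Saml2BearerGrantValidator(X509Certificate2 idpSigningCert)
    {
        _validationParameters = new TokenValidationParameters
        {
            ValidIssuer = "https://idp.example.com/saml",
            ValidAudience = "https://idsrv.example.com/connect/token",
            IssuerSigningKey = new X509SecurityKey(idpSigningCert),
            RequireSignedTokens = true,
            ValidateIssuerSigningKey = true,
            ValidateLifetime = true,
            ClockSkew = TimeSpan.FromMinutes(2),
        };
    }

    public string GrantType => Saml2BearerGrantType;

    public Task ValidateAsync(ExtensionGrantValidationContext context)
    {
        // RFC 7522: the assertion arrives in the "assertion" parameter, base64url-encoded.
        var encoded = context.Request.Raw.Get("assertion");
        if (string.IsNullOrWhiteSpace(encoded))
        {
            context.Result = new GrantValidationResult(TokenRequestErrors.InvalidRequest, "missing assertion");
            return Task.CompletedTask;
        }

        ClaimsPrincipal principal;
        SecurityToken validated;
        try
        {
            var xml = Base64UrlEncoder.Decode(encoded);
            // Verifies the XML signature against the IdP key, the Issuer, the
            // AudienceRestriction and NotBefore/NotOnOrAfter per _validationParameters.
            principal = new Saml2SecurityTokenHandler().ValidateToken(xml, _validationParameters, out validated);
        }
        catch (SecurityTokenException)
        {
            // Do not echo the exception text to the client; it can leak key/issuer details.
            context.Result = new GrantValidationResult(TokenRequestErrors.InvalidGrant, "assertion rejected");
            return Task.CompletedTask;
        }

        // RFC 7522, section 3, requires a SubjectConfirmation with the bearer method.
        // Check it explicitly rather than relying on the token handler's defaults.
        var assertion = ((Saml2SecurityToken)validated).Assertion;
        var isBearer = assertion.Subject.SubjectConfirmations
            .Any(c => c.Method != null && c.Method.OriginalString == BearerConfirmationMethod);
        if (!isBearer)
        {
            context.Result = new GrantValidationResult(TokenRequestErrors.InvalidGrant, "bearer confirmation required");
            return Task.CompletedTask;
        }

        var subject = principal.FindFirst(ClaimTypes.NameIdentifier)?.Value;
        if (string.IsNullOrEmpty(subject))
        {
            context.Result = new GrantValidationResult(TokenRequestErrors.InvalidGrant, "assertion has no NameID");
            return Task.CompletedTask;
        }

        // Success: IdentityServer issues an access token for this subject, recording the
        // external IdP as the identity provider and "saml2" as the authentication method.
        context.Result = new GrantValidationResult(
            subject: subject,
            authenticationMethod: "saml2",
            claims: principal.Claims,
            identityProvider: "idp.example.com");
        return Task.CompletedTask;
    }
}

// Registration (Startup.ConfigureServices), with a hypothetical certificate file:
//   services.AddSingleton(new X509Certificate2("idp-signing.cer"));
//   services.AddIdentityServer()
//           .AddExtensionGrantValidator<Saml2BearerGrantValidator>();
// The client must list Saml2BearerGrantValidator.Saml2BearerGrantType in AllowedGrantTypes.
```

The application then posts `grant_type=urn:ietf:params:oauth:grant-type:saml2-bearer&assertion=<base64url assertion>` with its client credentials to the token endpoint, as RFC 7522 section 2.1 specifies. Two points worth checking in a real deployment: the audience the IdP puts in the assertion must match `ValidAudience` exactly, or every request fails with `invalid_grant`; and passing `principal.Claims` through hands every SAML attribute to IdentityServer's profile service, so filter there (or here) rather than letting arbitrary IdP attributes reach the access token.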

Are there any plans for IdentityServer4 SAML2.0 support?

Given how we have designed for external authentication, we don't inherently support protocols for external IdPs. This is something you'd need an authentication middleware for. Microsoft will never implement this, so you should consider hiring @andersabel to build it.

Sorry, I didn't mean external authentication.

I want IdentityServer to have a SAML endpoint; as mentioned here, it should already work with WS-Federation:
https://identityserver4.readthedocs.io/en/release/topics/add_protocols.html

In a blog entry from @leastprivilege it says

When we designed IdentityServer4, we wanted to make it easier to extend the core token service with custom protocol endpoints.
https://leastprivilege.com/2017/03/03/extending-identityserver4-with-ws-federation-support/

Ah, so then you'd need to follow the pattern in our ws-fed example: https://github.com/IdentityServer/IdentityServer4.WsFederation. But you would still need a library or component to handle the SAML2-P protocol. Microsoft will never implement this, so you should consider hiring @AndersAbel to build it.

We are considering building a commercial SAML2p plugin. Please contact us at [email protected] to discuss more details.

Hello @leastprivilege,
Do you already have any idea about the price of this plugin and an estimated release date?

Thank you.

Email us, @clegendre, and we can get you those details.

The scheduled release date will be 1st September, the price of the component is $2500. Check out identityserver.com for more updates. We will be updating the web site to contain details shortly.

Is that available now? I sent an email, but no reply.

Hello,

Does Identity Server 4 support OAuth and SAML? We have an existing MVC application which needs to support the above two security protocols. This MVC application is using external Identity Providers like SSO, but our Identity Server is configured as OpenId and OAuth. If it's possible, please give a solution.

Thanks

You would need to implement something like https://tools.ietf.org/html/rfc7522. This isn't currently supported by IdentityServer or the IdentityServer SAML component.

So, Is it possible to have SAML2 with .net core 2 and identityserver4? Documentation says that it is possible, also there is a link to the sample, BUT!!! Sample Project was built with .net framework 4.6.1 (you can open properties of the project and see the version of .net). SamlPlugin is NOT COMPATIBLE with .net core 2....

@scottbrady91 When I'm installing the NuGet package with the SAML plugin it says: "Package Rsk.IdentityServer4.Saml 2.0.2.3 was restored using .NET Framework 4.6.1 instead of target framework .NETCoreApp 2. This package may not be fully compatible with your project."
How that can be solved?

@pizzadev The IdentityServer 4 SAML component supports ASP.NET Core 2.0 targeting the full .NET Framework. We're looking at adding .NET Core support, using the new Microsoft libraries that came out a few weeks ago, in the next version of the library.

Hi Scott, Any tentative timeline for new .Net core libraries support in Rsk.IdentityServer4.Saml and Rsk.IdentityServer4.WsFederation packages?

@scottbrady91 any updates on .NET Core support?

We've made a start at porting them, but have been slowed down since none of the metadata libraries made it to .NET standard. Unless anyone knows otherwise?

We're considering idsrv4 for auth in our SaaS app. We have multiple customers who will want their users to log in with identities stored in their AD servers. One of these uses SAML 2. We control the client apps, currently a mobile app (Ionic) and a WebForms app that will use user logins, either local to idsrv or via the ID server of the customer, and an API that will use client logins, likely local to idsrv but unsure.

  1. Where does the oauth solution presented by @chrisowhite fit in?

  2. The saml commercial offering had some limitations, no support for logout - will this be added /why is it not supported - is it something inherent to one of the parts / a ton of work?

  3. If we get our customer to support WS-Fed, what is the timeline for the SAML 2 offering to support .NET Core proper? The question is, do we need to target .NET 4.6.1 from the off to support a SAML 2 customer 6 months from now, assuming a switchover might be tricky?

  4. Idsrv 3 has a SAML example. It's noted the example server used doesn't support much security. Does this mean there's much more work to make the code fit for use against SAML2 pointing to AD for production use?

I'm not asking for all the indepth tech details, just ensuring idsrv is the way to go and pointers.

The above is @scottbrady91 mostly for you, sorry for the spam. I don't think an edit sends a notification.

@gary-b Take my idea with a grain of salt since it's basically a hack. The right way to do this would be to support SAML in idsrv either via the RSK solution or, if you happen to already have a license with ComponentSpace, they have another option for integrating with IdentityServer4.

Based on your scenario, it sounds like you want IdentityServer to act as a SAML SP (send SAML requests and receive SAML responses), as opposed to acting as an IdP (receive SAML requests and send SAML responses). Whilst our component does offer that side of the story, this does not need to be IdentityServer specific.

But to answer your questions:

  1. SAML doesn't have the concept of API security, so when you log in using SAML you don't get anything similar to an access token. A proposed solution to this is to use RFC7522 and swap SAML assertions for access tokens.
  2. For acting as a SAML IdP, there is limited support for logout. Currently we just don't support logout responses. This was to keep things simple and maintain OpenID Connect single sign off. There are plans to build upon this in the future.
  3. .NET Standard 2.0 support is scheduled for release in September. I'm still working through porting the old metadata libraries.
  4. I'm not sure which sample you mean. Do you have a link?

Thanks @scottbrady91. You are correct, I think, in that idsrv will be a SAML2 SP.

  1. We will have a mobile app where the user signs in, and then it makes REST calls when online. These REST calls will be secured with a token, presumably. Does the fact that the IdP idsrv will be redirecting them to use SAML2 mean that we will have to deal with RFC7522? Does using WS-Fed save us from this?

(4). I was referring to https://coding.abel.nu/2015/01/saml2-for-thinktecture-identityserver-3-with-kentor-authservices/

This thread has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs.
