DuendeSoftware / Support

Support for Duende Software products

Using ITfoxtec SAML2 library with Duende Identity server (5.0 ) as the SP #155

Closed jawaharrajan-investx closed 2 years ago

jawaharrajan-investx commented 2 years ago

Which version of Duende IdentityServer are you using? Duende Identity server (5.0 )

Which version of .NET are you using? 5.0

Describe the bug: Adding the ITfoxtec SAML2 library, getting an error: System.InvalidOperationException: 'Scheme already exists: saml2'

Log output/exception with stacktrace

data

Additional context

Code added to Startup in ConfigureServices:

        services.Configure<Saml2Configuration>(Configuration.GetSection("Saml2"));

        services.Configure<Saml2Configuration>(saml2Configuration =>
        {
            saml2Configuration.AllowedAudienceUris.Add(saml2Configuration.Issuer);

            var entityDescriptor = new EntityDescriptor();
            entityDescriptor.ReadIdPSsoDescriptorFromUrl(new Uri(Configuration["Saml2:IdPMetadata"]));
            if (entityDescriptor.IdPSsoDescriptor != null)
            {
                saml2Configuration.SingleSignOnDestination = entityDescriptor.IdPSsoDescriptor.SingleSignOnServices.First().Location;
                saml2Configuration.SignatureValidationCertificates.AddRange(entityDescriptor.IdPSsoDescriptor.SigningCertificates);
            }
            else
            {
                throw new Exception("IdPSsoDescriptor not loaded from metadata.");
            }
        });
        services.AddSaml2();
        services.AddSaml2(slidingExpiration: true);

In Configure:

app.UseSaml2();

after app.UseRouting.

brockallen commented 2 years ago

After a quick look at the above code, I'm guessing it's because you have these 2 lines:

  services.AddSaml2();
  services.AddSaml2(slidingExpiration: true);

But since that library is not from Duende Software, we don't support it. If you keep having problems, I'd suggest contacting the vendor.

jawaharrajan-investx commented 2 years ago

Thanks Brock. Do you guys recommend using the Sustainsys.saml2 library, as it is an open source one?

RSK SAML_2P that you provide, is it licence based? How much would it be, a yearly fee or a one-time purchase?

We at present just need to set up our IdentityServer as an SP to receive incoming SAML assertions from a client.

brockallen commented 2 years ago

Do you guys recommend using the Sustainsys.saml2 library, as it is an open source one?

It works well if all you need is to be a SP.

RSK SAML_2P that you provide, is it licence based? How much would it be, a yearly fee or a one-time purchase?

You'd have to contact them -- that's a separate company.

jawaharrajan-investx commented 2 years ago

Thanks Brock for your reply.

The Sustainsys SAML2 library --> they say it supports .NET Core 2.x and 3.x with IdentityServer 4.0.

We are on .NET (Core) 5.0 and use Duende IdentityServer --> is Duende IdentityServer (IdentityServer 5.0)?

So would Sustainsys work for us?

Thanks


brockallen commented 2 years ago

Yes, that should work -- if it works in .NET 6, then it will work with Duende IdentityServer.

Let's ask the author: @AndersAbel? :)

AndersAbel commented 2 years ago

Yes, Sustainsys.Saml2 is supported on .NET 6 and works with Duende IdentityServer.

The information you found was written back when those mentioned versions were the latest available.

jawaharrajan-investx commented 2 years ago

Hello Anders, thanks for your response. Using Sustainsys.Saml2, I see that it generates its own internal ACS (AssertionConsumerService).

In our case the client will send us a SAML response (IdP-initiated SAML flow). So once we validate the SAML response as valid and do some additional internal checks, how can we sign them in to our IdentityServer, i.e. create a session for the user and then redirect them to the service application?

Do we need to modify our Startup.cs in our service application?

Do you have a code sample for the IdP-initiated SAML flow using Sustainsys.SAML2?

AndersAbel commented 2 years ago

Set AllowUnsolicitedAuthnResponse on the IdentityProvider object to allow Idp-initiated sign on. You also need to set up a default redirect URL on SpOptions.ReturnUrl or set the RelayStateUsedAsReturnUrl flag on the IdentityProvider.

Please note that Idp-initiated sign on is always vulnerable to session pinning attacks. It is a consequence of how the protocol is designed and not something that can be worked around in the Saml2 library.
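The settings Anders names above (AllowUnsolicitedAuthnResponse, SpOptions.ReturnUrl, RelayStateUsedAsReturnUrl) wired into a Startup class, together with the piece Jawahar asked about earlier: turning the validated SAML identity into an IdentityServer session after the application's own checks have run. This is an added example, not code from the thread, from Sustainsys or from Duende. The hostnames, the "saml2-external" cookie scheme, the /saml-callback route and the redirect target are constructed placeholders; the callback assumes the Duende-provided HttpContext.SignInAsync(IdentityServerUser) extension and a Sustainsys.Saml2.AspNetCore2 handler that signs the assertion into the scheme set on Saml2Options.SignInScheme.

```csharp
// Added example (not from the thread, Sustainsys or Duende): IdP-initiated SAML sign-in
// into Duende IdentityServer via Sustainsys.Saml2. Hostnames, scheme names, the
// /saml-callback route and the redirect target are constructed placeholders.
using System;
using System.Security.Claims;
using System.Threading.Tasks;
using Duende.IdentityServer;
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Http;
using Microsoft.Extensions.DependencyInjection;
using Sustainsys.Saml2;
using Sustainsys.Saml2.AspNetCore2;
using Sustainsys.Saml2.Metadata;

public class Startup
{
    // Assumed: a separate cookie scheme that only carries the external SAML identity
    // until the application's own checks have run; it is NOT the IdentityServer session.
    private const string ExternalScheme = "saml2-external";

    public void ConfigureServices(IServiceCollection services)
    {
        services.AddIdentityServer(); // clients, resources and stores as in your existing setup

        services.AddAuthentication()
            .AddCookie(ExternalScheme)
            .AddSaml2(options =>
            {
                // The Sustainsys handler signs the validated assertion into this scheme,
                // not straight into IdentityServer, so nothing is trusted before the callback.
                options.SignInScheme = ExternalScheme;

                options.SPOptions.EntityId = new EntityId("https://sp.example.test/Saml2");

                // Needed for IdP-initiated sign-on: there is no AuthnRequest of ours to
                // return to, so a default landing URL must be configured.
                options.SPOptions.ReturnUrl = new Uri("https://sp.example.test/saml-callback");

                var idp = new IdentityProvider(
                    new EntityId("https://idp.example.test/metadata"), options.SPOptions)
                {
                    MetadataLocation = "https://idp.example.test/metadata",
                    LoadMetadata = true, // SSO endpoint and signing certificates come from metadata

                    // Accept responses that no AuthnRequest from us triggered. As the thread
                    // notes, this flow cannot tie the response to the browser session, so the
                    // application-level checks in the callback below are the only gate left.
                    AllowUnsolicitedAuthnResponse = true,

                    // Alternative to SPOptions.ReturnUrl: use the IdP-supplied RelayState as
                    // the return URL. Left off here so the landing page is fixed by us.
                    RelayStateUsedAsReturnUrl = false,
                };
                options.IdentityProviders.Add(idp);
            });
    }

    public void Configure(IApplicationBuilder app)
    {
        app.UseRouting();
        app.UseIdentityServer(); // also registers the authentication middleware
        app.UseAuthorization();
        app.UseEndpoints(endpoints =>
        {
            endpoints.MapGet("/saml-callback", HandleSamlCallback);
        });
    }

    // Runs after Sustainsys has validated the signature and issued the external cookie.
    private static async Task HandleSamlCallback(HttpContext context)
    {
        var result = await context.AuthenticateAsync(ExternalScheme);
        if (!result.Succeeded || result.Principal == null)
        {
            context.Response.StatusCode = StatusCodes.Status401Unauthorized;
            return;
        }

        // The "additional internal checks" from the question belong here, e.g. mapping the
        // NameID to a known local account, before any IdentityServer session exists.
        var externalSubject = result.Principal.FindFirst(ClaimTypes.NameIdentifier)?.Value;
        if (string.IsNullOrEmpty(externalSubject))
        {
            context.Response.StatusCode = StatusCodes.Status403Forbidden;
            return;
        }

        // Create the IdentityServer session (SignInAsync(IdentityServerUser) is Duende's extension).
        var isUser = new IdentityServerUser(externalSubject) { IdentityProvider = "saml2" };
        await context.SignInAsync(isUser);

        // Drop the temporary external cookie and send the user on to the service application.
        await context.SignOutAsync(ExternalScheme);
        context.Response.Redirect("https://app.example.test/");
    }
}
```

Keeping the SAML handler's sign-in on its own cookie scheme is the design choice that matters here: the IdentityServer session is only created in the callback, after the checks the application controls, rather than by the library the moment an unsolicited response validates.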