Closed henninga closed 9 years ago
Which role should IdSrv play - Identity Provider or Service Provider?
What's the difference?
providing identity or consuming identity - check the SAML spec
From my understanding it would be service provider. Is that what idsrv does by default today?
do you want to allow users to sign-in at IdSrv3 using OpenAM as the identity provider - or the other way round?
Well, I think it would be the first one. Sign in at idsrv3 using openam as IdP. Sorry for sounding like a dumbass. This world is quite new to me. Never worked with SSO, claim based authentication, saml or openid before.
I see that KentorIT here on github has some saml2 stuff, with owin support, https://github.com/KentorIT/authservices. Maybe that can be used?
That would have been my suggestion - I never tried it - so let me know how it goes.
I have recently implemented a SAML2 IdP using KentorIT as a starting point. For reference, I needed a SAML endpoint to authorize Google Apps users of our organization. The KentorIT repo has an example Stub IdP which generates an example SAML response. With a little tweaking I have it working with Google. I am planning on integrating it into our Thinktecture OP but I have not got that up and running yet. It may require proxying a call to the OP to generate the SAML response.
@charlieknoll In the AuthServices library most of the building blocks required for an IdP are present, but I just want to point out that the stub IdP bypasses just about every security measure a SAML IdP should employ. It's a testing service, so it makes it easier to use for tests. But if you build something real based on the stub, you have to make sure that you add the missing security features.
We verified that the Kentor AuthServices library works with IdSrv3 - in other words IdSrv can use other SAML2p Idp for authentication. So Henning's scenario should work.
Can you provide any sample for doing this or at least Kentor middleware configuration for IdentityServer?
@pawepaw There's a blog post on how to do it.
@AndersAbel Sure there is, but it's not complete. Missing information about ACS service routing in the Kentor.AuthServices library, and I had to analyze code to find it. I think you should provide client configuration in the SAML Identity Provider application to make it clear.
But I can confirm that I managed to make it work and IdSrv3 works with Kentor AuthServices.
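For readers looking for the middleware wiring discussed above, here is an added example (not code from this thread, IdSrv3 or Kentor.AuthServices) of registering Kentor.AuthServices as an external SAML2p identity provider inside IdentityServer3. Hostnames, the `/core` mount path and the OpenAM entity ID are constructed placeholders; the option property names follow the Kentor.AuthServices OWIN API as I know it from this era, and the ACS-path remark is my understanding of how the middleware resolves its endpoints, so check both against the version you reference.

```csharp
// Added example: IdentityServer3 + Kentor.AuthServices as external SAML2p IdP.
// All URLs are constructed placeholders.
using System.IdentityModel.Metadata;
using IdentityServer3.Core.Configuration;
using Kentor.AuthServices;
using Kentor.AuthServices.Configuration;
using Kentor.AuthServices.Owin;
using Owin;

public static class ExternalSamlConfig
{
    // Hook this into IdentityServerOptions.AuthenticationOptions.IdentityProviders.
    // IdSrv3 invokes it with the authentication type that external middleware
    // must sign in as; forwarding that value is what makes the SAML2 assertion
    // surface as an external login inside IdSrv3.
    public static void ConfigureIdentityProviders(IAppBuilder app, string signInAsType)
    {
        var authServices = new KentorAuthServicesAuthenticationOptions(false)
        {
            SPOptions = new SPOptions
            {
                // The SP entity ID. Note the "/core" prefix: when IdSrv3 is mounted
                // under /core, the middleware's endpoints are resolved beneath it,
                // so the ACS that OpenAM must be told about is
                // https://idsrv.example.test/core/AuthServices/Acs (placeholder host).
                EntityId = new EntityId("https://idsrv.example.test/core/AuthServices")
            },
            SignInAsAuthenticationType = signInAsType,
            AuthenticationType = "saml2p",
            Caption = "OpenAM (SAML2p)"
        };

        authServices.IdentityProviders.Add(new IdentityProvider(
            new EntityId("https://openam.example.test/openam"), authServices.SPOptions)
        {
            // With LoadMetadata the SSO endpoint, binding and signing certificate
            // are fetched from the IdP's metadata (the entity ID is used as the
            // metadata location) instead of being hand-typed and drifting.
            LoadMetadata = true,
            // Keep IdP-initiated (unsolicited) responses off unless required;
            // accepting them widens what an attacker can replay at the ACS.
            AllowUnsolicitedAuthnResponse = false
        });

        app.UseKentorAuthServicesAuthentication(authServices);
    }
}
```

Register it with `AuthenticationOptions = new AuthenticationOptions { IdentityProviders = ExternalSamlConfig.ConfigureIdentityProviders }` on your `IdentityServerOptions`, and the "OpenAM (SAML2p)" button appears on the IdSrv3 login page.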
@pawepaw If you've found that the post isn't complete, please post a comment with the missing information. Both IdSrv3 and Kentor.AuthServices are open source and available for free, so I hope that you're willing to help others by sharing your findings. If you need full support, both I and the IdSrv3 authors do provide that on a commercial basis.
@leastprivilege and @AndersAbel Hi guys, thanks for the great work. I'm just starting to get my head around all of this. I was hoping to use IdSrv3 as the idp as I want to use OAuth2 for most of the solution. However, I have a relying party app that demands saml2 in order to be federated with any idp. I tried the wsfederation plugin with IdSrv3 but that doesn't appear to implement the saml2 portion of wsfed compatibility? Is that correct? Is there a way this could be done with Kentor.AuthServices?
@rkoehnen The WS-Fed plugin supports the WS-Fed protocol and not the SAML2 protocol. Kentor.AuthServices is only a SAML2 SP implementation, not an IdP. It might be possible to build a SAML2 plugin for IdSrv3 on top of Kentor.AuthServices, but it's probably a lot of work.
Hi
First off, I'm sorry if this is the wrong place to ask. I'm looking into how to use IdentityServer 3 with OpenSSO/OpenAM and SAML2 (OASIS). From what I've gathered IdentityServer does not support SAML2, is that right? If so, are there any plans for adding support?
If neither is true, does anybody have any information on how one would go about creating an auth middleware/plugin for OpenSSO and SAML2?