Sustainsys / Saml2

Saml2 Authentication services for ASP.NET

How to implement dynamic options provider for Saml2 IDP (e.g. Shibboleth IDP) in IdentityServer4 implementation? #1365

Closed prrami closed 1 year ago

prrami commented 1 year ago

In our IdentityServer4 implementation, we have implemented an options provider for OpenIdConnect which is resolved at runtime and provides dynamic options per IdP, such as aad/okta/onelogin. Now we want to support a Saml2 IdP (Shibboleth in our case) as well and want to implement an options provider for Saml2 so we can assign dynamic options at runtime. We are using the Sustainsys.Saml2.AspNetCore2 NuGet package to support the Saml2 IdP.

Right now we have created a Saml2OptionsProvider class and registered it for Saml2Options in Program.cs as below, the same as we did for OpenIdConnect, but have not succeeded in getting it resolved.

builder.Services.AddScoped<IOptionsMonitor<Saml2Options>, Saml2OptionsProvider>();

services.AddAuthentication()
    .AddOpenIdConnect("aad", "Azure AD", options =>
    {
        options.SignInScheme = IdentityServerConstants.ExternalCookieAuthenticationScheme;
        options.SignOutScheme = IdentityServerConstants.SignoutScheme;
    })
    .AddSaml2("Saml2", "Saml2", options =>
    {
        options.SignInScheme = IdentityServerConstants.ExternalCookieAuthenticationScheme;
        options.SignOutScheme = IdentityServerConstants.DefaultCookieAuthenticationScheme;
    })

As shown above, two options are set here in Program.cs. The others we want to set at runtime using the options provider. Please share details if you have any idea how to implement the same.

AndersAbel commented 1 year ago

The Saml2 library has built-in support for having multiple providers connected to one scheme. If you know all the available providers at startup, then add each of them as an IdentityProvider object. Then override the SelectIdentityProvider notification to use the right one. If you don't know them all at startup, or if they are completely dynamic, you can use the SelectIdentityProvider and GetIdentityProvider notifications to use run-time configuration.
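
An added example (not the project's own code and not from this thread) of the startup-registration approach described above: every tenant's IdP is registered under the single "Saml2" scheme, and the SelectIdentityProvider notification picks one per request. The tenant map, the "tenant" item key and the entity ids are constructed placeholders; it assumes the AuthenticationProperties.Items passed to Challenge() reach the notification as its relayData argument.

```csharp
using Microsoft.AspNetCore.Authentication;
using Sustainsys.Saml2;
using Sustainsys.Saml2.AspNetCore2;
using Sustainsys.Saml2.Metadata;

// Hypothetical tenant -> IdP entity id map (constructed placeholder values).
// A real deployment would load this from the tenant store.
var tenantToIdp = new Dictionary<string, string>
{
    ["tenant-a"] = "https://idp.tenant-a.example.org/idp/shibboleth",
    ["tenant-b"] = "https://idp.tenant-b.example.org/idp/shibboleth",
};

builder.Services.AddAuthentication()
    .AddSaml2("Saml2", "Saml2", options =>
    {
        options.SignInScheme = IdentityServerConstants.ExternalCookieAuthenticationScheme;
        options.SPOptions.EntityId = new EntityId("https://sp.example.org/Saml2"); // placeholder SP id

        // All known IdPs are registered once, at startup, on the one scheme.
        foreach (var entityId in tenantToIdp.Values)
        {
            options.IdentityProviders.Add(
                new IdentityProvider(new EntityId(entityId), options.SPOptions)
                {
                    MetadataLocation = entityId,   // assumption: Shibboleth serves metadata at its entity id
                    LoadMetadata = true,           // signing certs and endpoints come from that metadata
                });
        }

        // Per-request selection. relayData is assumed to carry the Items given to Challenge().
        options.Notifications.SelectIdentityProvider = (requestedEntityId, relayData) =>
        {
            if (requestedEntityId != null)
            {
                return options.IdentityProviders[requestedEntityId]; // explicit idp request wins
            }
            if (relayData != null
                && relayData.TryGetValue("tenant", out var tenant)
                && tenantToIdp.TryGetValue(tenant, out var idpId))
            {
                return options.IdentityProviders[new EntityId(idpId)];
            }
            // Fail closed rather than silently falling back to a default IdP.
            throw new InvalidOperationException("No Saml2 identity provider is configured for this tenant.");
        };
    });

// In the sign-in endpoint, the tenant resolved for the request is passed along with the challenge:
// Challenge(new AuthenticationProperties { RedirectUri = "/callback", Items = { ["tenant"] = "tenant-a" } }, "Saml2");
```

If the set of IdPs is not known at startup, the same lookup can be done in the GetIdentityProvider notification instead, building the IdentityProvider object from tenant configuration on demand.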

prrami commented 1 year ago

@AndersAbel ,

We know all the providers, so we have registered all of them in startup. But we have a multi-tenant application, so the provider and its options may change per tenant and get resolved at runtime. Right now it is working fine for OpenIdConnect providers like aad/okta/onelogin. We have added common options in startup and other options are resolved from the {Tenant}OptionsProvider class because we have registered the line below in startup.

builder.Services.AddScoped<IOptionsMonitor<OpenIdConnectOptions>, AadTenantOptionsProvider>();

In the same way we have created a Saml2OptionsProvider class and registered it in startup as below, and we expect that for a Saml2 tenant it should hit there to resolve the other options, but it is not getting resolved right now.

builder.Services.AddScoped<IOptionsMonitor<Saml2Options>, Saml2OptionsProvider>();

We set options.SignInScheme and options.SignOutScheme in startup and want to set other dynamic options like the ones below from that OptionsProvider class.