Aguacongas.IdentityServer.Saml2p.Duende 8.2.0

.NET 8.0 This package targets .NET 8.0. The package is compatible with this framework or higher. 
dotnet add package Aguacongas.IdentityServer.Saml2p.Duende --version 8.2.0                

                    
                

            
NuGet\Install-Package Aguacongas.IdentityServer.Saml2p.Duende -Version 8.2.0
This command is intended to be used within the Package Manager Console in Visual Studio, as it uses the NuGet module's version of Install-Package. 
<PackageReference Include="Aguacongas.IdentityServer.Saml2p.Duende" Version="8.2.0" />
For projects that support PackageReference, copy this XML node into the project file to reference the package. 
paket add Aguacongas.IdentityServer.Saml2p.Duende --version 8.2.0                

                    
                

            
#r "nuget: Aguacongas.IdentityServer.Saml2p.Duende, 8.2.0"
#r directive can be used in F# Interactive and Polyglot Notebooks. Copy this into the interactive tool or source code of the script to reference the package. 
// Install Aguacongas.IdentityServer.Saml2p.Duende as a Cake Addin
#addin nuget:?package=Aguacongas.IdentityServer.Saml2p.Duende&version=8.2.0

// Install Aguacongas.IdentityServer.Saml2p.Duende as a Cake Tool
#tool nuget:?package=Aguacongas.IdentityServer.Saml2p.Duende&version=8.2.0

Aguacongas.IdentityServer.Saml2p.Duende

Add a SAML2P controller to your Duende Identity server.
This lib uses ITfoxtec.Identity.Saml2.MvcCore internally to implements the protocol.

Setup

services.AddIdentityServer()
    .AddKeysRotation(options => configuration.GetSection(nameof(KeyRotationOptions))?.Bind(options));

services.AddControllersWithViews()
    .AddIdentityServerSaml2P();

Saml2P depends on a ISigningCredentialStore. You can register it using AddSigningCredential with a X509Certificate2 in place of AddKeysRotation if you prefer.

Usage

saml2p/metadata returns the Saml2P metadata document.

You can add a client to you configuration with saml2p as protocol type:

new Client
{
    ClientId = "itfoxtec-testwebappcore",
    ProtocolType = ProtocolTypes.Saml2p,

    RedirectUris = { "http://localhost:10314/Auth/AssertionConsumerService" },
    PostLogoutRedirectUris = "http://localhost:10314/Auth/SingleLogout",

    ClientSecrets = [
      new Secret {
        Type = SecretTypes.X509CertificateBase64,
        Value = Convert.ToBase64String(certificate.Export(X509ContentType.Cert))
      }
    ]
}

The client must have only one redirect uri pointing to the Assertion Consumer Service route and one X509Certificate secret mathing its signing certificate.

And configure the client to use Saml2P authentication using ITfoxtec.Identity.Saml2:

services.BindConfig<Saml2Configuration>(Configuration, "Saml2", (serviceProvider, saml2Configuration) =>
{
    // The certificate must be the one configured as secret for the client;
    saml2Configuration.SigningCertificate = CertificateUtil.Load(AppEnvironment.MapToPhysicalFilePath(Configuration["Saml2:SigningCertificateFile"]), Configuration["Saml2:SigningCertificatePassword"], X509KeyStorageFlags.MachineKeySet | X509KeyStorageFlags.PersistKeySet);
    saml2Configuration.AllowedAudienceUris.Add(saml2Configuration.Issuer);

    var httpClientFactory = serviceProvider.GetService<IHttpClientFactory>();
    var entityDescriptor = new EntityDescriptor();
    entityDescriptor.ReadIdPSsoDescriptorFromUrlAsync(httpClientFactory, new Uri(Configuration["Saml2:IdPMetadata"])).GetAwaiter().GetResult();
    if (entityDescriptor.IdPSsoDescriptor != null)
    {
        saml2Configuration.AllowedIssuer = entityDescriptor.EntityId;
        saml2Configuration.SingleSignOnDestination = entityDescriptor.IdPSsoDescriptor.SingleSignOnServices.First().Location;
        saml2Configuration.SingleLogoutDestination = entityDescriptor.IdPSsoDescriptor.SingleLogoutServices.First().Location;
        foreach (var signingCertificate in entityDescriptor.IdPSsoDescriptor.SigningCertificates)
        {
            if (signingCertificate.IsValidLocalTime())
            {
                saml2Configuration.SignatureValidationCertificates.Add(signingCertificate);
            }
        }
        if (saml2Configuration.SignatureValidationCertificates.Count <= 0)
        {
            throw new Exception("The IdP signing certificates has expired.");
        }
        if (entityDescriptor.IdPSsoDescriptor.WantAuthnRequestsSigned.HasValue)
        {
            saml2Configuration.SignAuthnRequest = entityDescriptor.IdPSsoDescriptor.WantAuthnRequestsSigned.Value;
        }
    }
    else
    {
        throw new Exception("IdPSsoDescriptor not loaded from metadata.");
    }

    return saml2Configuration;
});            

services.AddSaml2(slidingExpiration: true);
services.AddHttpClient();

appsettings.json

{
  "Saml2": {
    "IdPMetadata": "https://localhost:5443/saml2p/metadata", // Your Duende Identity server metadata uri
    "Issuer": "itfoxtec-testwebappcore", // Client Id
    "SignatureAlgorithm": "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256",
    "SigningCertificateFile": "itfoxtec.identity.saml2.testwebappcore_Certificate.pfx",
    "SigningCertificatePassword": "!QAZ2wsx",
    "CertificateValidationMode": "None", // "ChainTrust"
    "RevocationMode": "NoCheck"
  }
}

Review samples in ITfoxtec/ITfoxtec.Identity.Saml2 repo

Metadata configuration

AddIdentityServerSaml2P extension accept a IConfiguration or a Saml2POptions parameter to configure the metadata document génération with claims lists.

mvcBuilder.AddIdentityServerSaml2P(configurationManager.GetSection(nameof(Saml2POptions)));

"Saml2POptions": {
    "X509CertificateValidationMode": "None",
    "ContactPersons": [
      {
        "ContactKind": "Technical",
        "Company": "Aguafrommars",
        "GivenName": "Olivier Lefebvre",
        "SurName": "Aguacongas",
        "EmailAddress": "aguacongas@gmail.com"
      }
    ],
    "RevocationMode": "NoCheck",
    "SignatureAlgorithm": "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256",
    "ValidUntil": 365
  }

Implement your store

To access data the ISaml2PService use a IRelyingPartyStore. You can implement this interface and provide your implementation to the DI to ovveride the default IRelyingPartyStore implementation.

/// <summary>
/// Custom IRelyingPartyStore implementation
/// </summary>
/// <seealso cref="IRelyingPartyStore" />
public class MyRelyingPartyStore : IRelyingPartyStore
{
    public async Task<RelyingParty> FindRelyingPartyByRealm(string realm)
    {
        // TODO: Implement me
        throw new NotImplementedException();
    }
}

The DI configuration become:

services.AddIdentityServer()
    .AddKeysRotation(options => configuration.GetSection(nameof(KeyRotationOptions))?.Bind(options));

services.AddControllersWithViews()
    .AddIdentityServerSaml2P();

services.AddTransient<IRelyingPartyStore, MyRelyingPartyStore>();
Product Compatible and additional computed target framework versions.
.NET net8.0 is compatible.  net8.0-android was computed.  net8.0-browser was computed.  net8.0-ios was computed.  net8.0-maccatalyst was computed.  net8.0-macos was computed.  net8.0-tvos was computed.  net8.0-windows was computed. 
Compatible target framework(s)
Included target framework(s) (in package)
Learn more about Target Frameworks and .NET Standard.

NuGet packages

This package is not used by any NuGet packages.

GitHub repositories

This package is not used by any popular GitHub repositories.

Version Downloads Last updated
8.2.0 67 11/9/2024
8.1.1 74 11/9/2024
8.1.0-preview57- 67 11/3/2024
8.0.1 123 9/22/2024
8.0.0 140 3/9/2024
8.0.0-preview1-0001 194 11/18/2023
7.4.6 291 10/28/2023
7.4.5 142 10/12/2023
7.4.4 180 8/10/2023
7.4.3 187 7/20/2023
7.4.2 175 7/13/2023
7.4.1 175 6/15/2023
7.4.0 177 6/4/2023
7.3.0 189 4/13/2023
7.3.0-preview1-0073 136 4/10/2023