
We are a service provider trying to implement SP-initiated SSO using the SAML2 library. I have the following questions:

  1. When an end user tries to access a protected SP application/resource, how should the SP endpoint identify which IDP it should redirect the request to for authentication?

  2. Is there any standard format to accept the first/initial request from the IDP user?

  3. While redirecting the request to the IDP, what is the standard format to send the response to the IDP?

Our tech stack: ASP.NET (4.5) MVC, C# and the SAML2 Sustainsys library

Our client (in SSO terms the IDP, identity provider) is using: SP-initiated SAML on Azure AD

Using the SAML2 library I have implemented IDP-initiated SSO, in which the IDP hits our endpoint with a SAML response and we validate it with the IDP certificate, extract attributes, etc.

So for SP-initiated I have the following:

[Route("RequestAccess")]
[HttpPost]
public ActionResult InitialRequest()
{
    // How to identify the user and its IDP URL?
    // What should be the return type? (To redirect the user to the IDP)
}

// Once validated, the IDP can hit our existing endpoint, which validates the assertion and redirects the user. I implemented this part and it works well in the case of an IDP-initiated setup.

[Route("AssertionConsumer")]
[HttpPost]
public ActionResult ValidateIdpRequest()
{
    var options = Saml2Controller.Options; // Coming from config
    CommandResult result = CommandFactory.GetCommand(CommandFactory.AcsCommandName)
                                         .Run(Request.ToHttpRequestData(), options);
    string userName = result.Principal.FindFirst(ClaimTypes.NameIdentifier)?.Value;
    // Set the cookie in the response
    // Return
}

What am I missing? Any suggestions/questions are welcome.

For the SP-initiated scenario, everything I found online either has no example or does not explain it clearly.

Please don't edit your question to add more questions. If my posted answer covered your initial question, then mark it as accepted. Post any new questions as a new question. - Anders Abel
@AndersAbel Ok, thank you. - S52

1 Answer

  1. That problem is called "home realm discovery". Somehow the user must choose. Sometimes that is done by presenting a list of IdPs that the user can choose from. Sometimes it is done by giving different URLs to different users (e.g. customerX.myservice.com) where each customerX subdomain maps to a specific IdP. The Sustainsys.Saml2 library has support for the SAML2 discovery service standard to handle this.

  2. You're using the low-level Sustainsys.Saml2 library yourself, which gives you a lot of things to handle yourself. It is not meant to be used directly. Use the Sustainsys.Saml2.Owin or Sustainsys.Saml2.Mvc high-level library instead. It will do the redirect and handle the returned result for you.

  3. See 2.
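As an added illustration of points 1 and 2 (not code from the question or from the Sustainsys project), this MVC action does the subdomain-based home realm discovery the answer describes and then hands off to the Sustainsys.Saml2.Mvc `Saml2Controller.SignIn` action, which builds the AuthnRequest and redirects to the IdP. The tenant-to-EntityId table, the controller name `RequestAccessController` and the placeholder EntityId URIs are constructed for this example; the `idp` and `ReturnUrl` query parameters are the ones the library's SignIn action reads.

```csharp
using System;
using System.Collections.Generic;
using System.Web.Mvc;
using System.Web.Routing;

public class RequestAccessController : Controller
{
    // Constructed sample mapping: first host label (customerX in customerX.myservice.com)
    // -> IdP EntityId. Placeholder values; in practice this comes from the tenant store.
    private static readonly IDictionary<string, string> IdpByTenant =
        new Dictionary<string, string>(StringComparer.OrdinalIgnoreCase)
        {
            { "customerx", "https://sts.windows.net/PLACEHOLDER-TENANT-ID/" },
            { "customery", "https://idp.example.org/metadata" },
        };

    // Home realm discovery (point 1): derive the tenant from the host name.
    // Returns null when the host does not map to a known tenant, so the caller
    // can fall back to the default IdP or show a chooser / discovery service.
    internal static string ResolveIdpEntityId(string host)
    {
        if (string.IsNullOrEmpty(host)) return null;
        var firstLabel = host.Split('.')[0];
        return IdpByTenant.TryGetValue(firstLabel, out var entityId) ? entityId : null;
    }

    [Route("RequestAccess")]
    [HttpGet]
    public ActionResult InitialRequest(string returnUrl)
    {
        // Only accept local return URLs so this endpoint cannot be abused as an
        // open redirect after the IdP round trip completes.
        var safeReturnUrl = Url.IsLocalUrl(returnUrl) ? returnUrl : Url.Content("~/");

        var entityId = ResolveIdpEntityId(Request.Url?.Host);

        // Point 2: let the high-level library do the redirect. The idp value is only
        // ever looked up against the IdPs configured in Saml2Controller.Options, so a
        // bad or forged value fails inside the library rather than redirecting elsewhere.
        var routeValues = new RouteValueDictionary { { "ReturnUrl", safeReturnUrl } };
        if (entityId != null)
        {
            routeValues["idp"] = entityId;
        }
        // Omitting idp makes the library use the configured default IdP.
        return RedirectToAction("SignIn", "Saml2", routeValues);
    }
}
```

After the IdP posts back, the library's own Acs action consumes the assertion and redirects to ReturnUrl, so the hand-written AssertionConsumer action from the question is not needed in this setup.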