使用 ITfoxtec.Identity.Saml2 登录用户

Question

I am trying to implement SAML2.0 authentication using IdentityServer4 and ITfoxtec.Identity.Saml2 library.

The first step is to login via the LDAP connection and this part worked well and i get user claims.

Next step is to integrate login using AD FS

I followed principally this tutorial

https://developer.okta.com/blog/2020/10/23/how-to-authenticate-with-saml-in-aspnet-core-and-csharp

The Saml configuration code is below

services.Configure<Saml2Configuration>(saml2Configuration =>
{
    saml2Configuration.AllowedAudienceUris.Add(saml2Configuration.Issuer);

    var entityDescriptor = new EntityDescriptor();
    entityDescriptor.ReadIdPSsoDescriptorFromUrl(new Uri(Configuration["Saml2:IdPMetadata"]));
    if (entityDescriptor.IdPSsoDescriptor != null)
    {
        saml2Configuration.SingleSignOnDestination = entityDescriptor.IdPSsoDescriptor.SingleSignOnServices.First().Location;
        saml2Configuration.SignatureValidationCertificates.AddRange(entityDescriptor.IdPSsoDescriptor.SigningCertificates);
    }
    else
    {
        throw new Exception("IdPSsoDescriptor not loaded from metadata.");
    }
});

services.AddSaml2();

After server redirection and before displaying the Idp login page i have an error "certificate are not properly configured at application end"

This is the first time that I deal with SAML protocol. Any help is appreciated.

Edit: The error is on the AD FS Side

Answer 1

For more information, the ITfoxtec.Identity.Saml2 documentation and a ASP.NET Core sample .

I'm in doubt where you see the error. Is it at the IdentityServer4 application or in AD FS?

The configuration you show read the AD FS metadata and set up the IdP configuration. You also need to load the relying party configuration.

services.Configure<Saml2Configuration>(Configuration.GetSection("Saml2"));

and set the relying party signing certificate eg, like this

saml2Configuration.SigningCertificate = CertificateUtil.Load(AppEnvironment.MapToPhysicalFilePath(
            Configuration["Saml2:SigningCertificateFile"]), 

The configuration together

services.Configure<Saml2Configuration>(Configuration.GetSection("Saml2"));
services.Configure<Saml2Configuration>(saml2Configuration =>
{
    saml2Configuration.SigningCertificate = CertificateUtil.Load(AppEnvironment.MapToPhysicalFilePath(
        Configuration["Saml2:SigningCertificateFile"]), Configuration["Saml2:SigningCertificatePassword"]);
    saml2Configuration.AllowedAudienceUris.Add(saml2Configuration.Issuer);

var entityDescriptor = new EntityDescriptor();
    entityDescriptor.ReadIdPSsoDescriptorFromUrl(new Uri(Configuration["Saml2:IdPMetadata"]));
if (entityDescriptor.IdPSsoDescriptor != null)
    {
        saml2Configuration.SingleSignOnDestination = entityDescriptor.IdPSsoDescriptor.SingleSignOnServices.First().Location;
        saml2Configuration.SingleLogoutDestination = entityDescriptor.IdPSsoDescriptor.SingleLogoutServices.First().Location;
        saml2Configuration.SignatureValidationCertificates.AddRange(entityDescriptor.IdPSsoDescriptor.SigningCertificates);
    }
else
    {
        throw new Exception("IdPSsoDescriptor not loaded from metadata.");
    }
});
services.AddSaml2();  

Remark

To solve a situation like yours I have created FoxIDs which support OpenID Connect and can be connected to an AD FS with SAML 2.0. FoxIDs handles the conversion between OpenID Connect and SAML 2.0. Actually, FoxIDs also use the ITfoxtec.Identity.Saml2 library.