skoruba
proposal: add SAML2 external provider configuration
This PR utilizes the https://github.com/Sustainsys/Saml2 component for plugging into a configurable SAML2 endpoint.
How to test:
- In appsettings.json configure the following ExternalProvidersConfiguration:
"Saml2OurEntityId": "https://YOURADDRESSHERE/Saml2",
"Saml2TheirEntityId": "https://samltest.id/saml/idp",
"Saml2TheirMetadataLocation": "https://samltest.id/saml/idp",
- run the STS project, navigate to https://YOURADDRESSHERE/Saml2 and save the xml file
- navigate to https://samltest.id/upload.php and upload the previous xml file
- try logging in via the new external provider "Saml2"
Current issues:
- fails to map email from the test service SAML response. The mapping from SAML2 claims to the ones used in here needs more work.
Can you recommend some steps how to test it? Which Saml2 provider do you suggest for testing? Thanks
Hi, did you try the testing steps in the PR description? samltest.id seemed to work well enough for a simple test.
Sure, I'll check the conflicts soon-ish
Thanks, sorry I checked changed files first then whole PR description - steps are very clear - I will test it. 😎
Hmm, can't figure out why the build fails in CI...
C:\projects\identityserver4-admin\src\Skoruba.IdentityServer4.STS.Identity\Skoruba.IdentityServer4.STS.Identity.csproj : error NU1605: Detected package downgrade: Skoruba.AuditLogging.EntityFramework from 1.0.0-beta8 to 1.0.0-beta7. Reference the package directly from the project to select a different version. [C:\projects\identityserver4-admin\tests\Skoruba.IdentityServer4.STS.Identity.IntegrationTests\Skoruba.IdentityServer4.STS.Identity.IntegrationTests.csproj]
Yet no project I see references the older version of that library...
AppVeyor CI log: "Microsoft.Data.SqlClient.SqlException (0x80131904): Cannot open database "IdentityServer4Admin" requested by the login. The login failed."
@spaasis and @skoruba I merged this pull request, master and branch feature/633-update-is4-to-v4. I tested with my auth0 account and is successful. There are some fixes for logout that I pretend to merge here also.
Can I make a PR?
Hey guys, sorry for delay, I'll work on new release 2.0.0 and I'll add it this external provider there. Thanks!
Hey guys, sorry for delay, I'll work on new release 2.0.0 and I'll add it this external provider there. Thanks!
@skoruba There are problems regarding logout.
Sustainsys library needs 2 claims and its issuer to work.
The claims can be stored but the issuer is lost because Microsoft Identity doesn't store it.
I made a workaround to store the issuer and originalissuer as 2 new claims so now I store 4 claims and could make it to call external provider auth0 logout service.
But auth0 throws an error that I'm trying to figure out.
@spaasis @skoruba Added PR #795
@skoruba there is still a bug regarding logout.
After user first login (creation on database) is keeping his information as local idp on:
src/Skoruba.IdentityServer4.STS.Identity/Controllers/AccountController.cs
//line 803
var idp = User.FindFirst(JwtClaimTypes.IdentityProvider)?.Value;
So on first logout
//line 814
vm.ExternalAuthenticationScheme = idp;
Is never reached and it won't logout the user from external logout service.
I can't figure how to solve this.
@spaasis @skoruba Added PR #795
@skoruba there is still a bug regarding logout.
After user first login (creation on database) is keeping his information as local idp on:
src/Skoruba.IdentityServer4.STS.Identity/Controllers/AccountController.cs
//line 803 var idp = User.FindFirst(JwtClaimTypes.IdentityProvider)?.Value;So on first logout
//line 814 vm.ExternalAuthenticationScheme = idp;Is never reached and it won't logout the user from external logout service.
I can't figure how to solve this.
I figured how to fix logout on First Sign and updated my PR.
@skoruba can you please review it and check if is the right approach for all changes?
