
I implemented authentication and authorization using IdentityServer4 with OIDC to allow clients accessing our application to get the necessary tokens to access our resource server (web APIs). This is the current architecture:

  • Identity Server 4 using my custom DB to authenticate users
  • Resource APIs (ASP.NET Core)
  • Angular 2 front end

I need to implement SSO, where users from other systems will pass SAML2 assertions from their identity providers to allow them to access our resource APIs without logging in to our application.

I have some confusion about where this step will happen, what the workflow will be, whether our identity server will be involved in this process, and how to implement that using IdentityServer4.

Hussein Salman
  • Check out my answer posted here (https://stackoverflow.com/questions/45130790/identityserver-sso-trusted-application/45191545#45191545). I had the exact same scenario where my SAML endpoint (.NET 4.5.2) could authenticate and then, via Identity Server 4 client secret, redirect the users to our Angular 2 web app. An added benefit is that this is not specific to SAML. Any trusted application can now SSO a user into my Angular 2 app via Identity Server 4. – alan Jul 19 '17 at 13:15

1 Answer


Right now there is no SAML2 support for ASP.NET Core.

If you are using IdentityServer3, you can act as a SAML2 SP via the Kentor authentication middleware. This is not available for ASP.NET Core yet.

Generally speaking - you cannot use SAML2 to secure APIs - it is a protocol for web based SSO - not API access.

leastprivilege
  • I appreciate your answer. I want to keep using OIDC with IdentityServer, but I want to support other SAML2 clients so that authentication is delegated to and handled by IdentityServer. If this approach is not implemented yet, is there a plan for release in the near future? Any workaround that you can suggest or recommend for me now? Thanks... – Hussein Salman Oct 26 '16 at 13:50
  • For acting as a SAML SP - we would need to wait for Kentor's support for ASP.NET Core - for acting as a SAML IdP, this would be a commercial add-on. Contact https://identityserver.com for that. – leastprivilege Oct 28 '16 at 07:15
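The answer's point is that the resource APIs in the questioner's architecture are protected by bearer access tokens issued by IdentityServer4, and that a SAML2 assertion is never something the API itself consumes; if SAML2 enters the picture at all, it does so at the IdentityServer login step (IdentityServer acting as a SAML SP towards the external IdP), after which clients still receive ordinary OIDC/OAuth tokens. The following is an added example, not code from the question, the answer, or the IdentityServer project, showing the resource-API side of that arrangement on ASP.NET Core 2.x with the JWT bearer handler. The authority URL `https://login.example.test`, the API resource name `resource-api`, and the `ProfileController` are assumptions made for the example.

```csharp
// Added example (not from the question or answer above). Resource API that accepts only
// bearer access tokens issued by IdentityServer4. A SAML2 assertion posted by a browser is
// never presented here; the API learns the caller's identity solely from the validated JWT.
// Assumed values: authority "https://login.example.test", API resource name "resource-api".
using System;
using System.Linq;
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.IdentityModel.Tokens;

public class Startup
{
    public void ConfigureServices(IServiceCollection services)
    {
        services.AddMvc();

        services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
            .AddJwtBearer(options =>
            {
                // Discovery document and signing keys are fetched from IdentityServer4,
                // so the API trusts only tokens signed by that issuer.
                options.Authority = "https://login.example.test"; // assumed IdentityServer4 URL
                options.Audience = "resource-api";                 // assumed API resource name
                options.RequireHttpsMetadata = true;

                options.TokenValidationParameters = new TokenValidationParameters
                {
                    ValidateIssuer = true,
                    ValidateAudience = true,
                    ValidateLifetime = true,
                    // Keep clock tolerance small; the default (5 min) widens the window
                    // in which an expired token is still accepted.
                    ClockSkew = TimeSpan.FromMinutes(1),
                };
            });

        services.AddAuthorization(options =>
        {
            // Require the API's own scope so a token issued for a different API
            // (same issuer, different audience/scope) is rejected.
            options.AddPolicy("ApiScope", policy =>
                policy.RequireAuthenticatedUser()
                      .RequireClaim("scope", "resource-api"));
        });
    }

    public void Configure(IApplicationBuilder app)
    {
        // Authentication must run before MVC so [Authorize] sees the validated principal.
        app.UseAuthentication();
        app.UseMvc();
    }
}

[Route("api/[controller]")]
[Authorize(Policy = "ApiScope")]
public class ProfileController : Controller
{
    // Echoes the claims carried by the access token. Whether the user originally signed
    // in with a local password or via an external SAML IdP federated at IdentityServer,
    // the API only ever sees the claims IdentityServer4 put into this token.
    [HttpGet]
    public IActionResult Get() =>
        Ok(User.Claims.Select(c => new { c.Type, c.Value }));
}
```

With this in place the Angular client (or any trusted application, as alan's comment describes) obtains an access token from IdentityServer4 and sends it in the `Authorization: Bearer` header; requests without a token signed by the configured authority, or with a token that lacks the `resource-api` scope, are rejected with 401/403 before the controller runs.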