0

All of the ITfoxtec.Identity.Saml2 example projects on Github load the SAML configuration in the ConfigureServices method of the Startup class. I have stored all the configurations in the database. Is there a way to load the SAML configuration from within the code at the runtime (after my .Net Core project is started)?

public void ConfigureServices(IServiceCollection services)
    {
        services.Configure<Saml2Configuration>(Configuration.GetSection("Saml2"));
        services.Configure<Saml2Configuration>(saml2Configuration =>
        {
            //saml2Configuration.SignAuthnRequest = true;
            saml2Configuration.SigningCertificate = CertificateUtil.Load(AppEnvironment.MapToPhysicalFilePath(Configuration["Saml2:SigningCertificateFile"]), Configuration["Saml2:SigningCertificatePassword"]);

            //saml2Configuration.SignatureValidationCertificates.Add(CertificateUtil.Load(AppEnvironment.MapToPhysicalFilePath(Configuration["Saml2:SignatureValidationCertificateFile"])));
            saml2Configuration.AllowedAudienceUris.Add(saml2Configuration.Issuer);

            var entityDescriptor = new EntityDescriptor();
            entityDescriptor.ReadIdPSsoDescriptorFromUrl(new Uri(Configuration["Saml2:IdPMetadata"]));
            if (entityDescriptor.IdPSsoDescriptor != null)
            {
                saml2Configuration.AllowedIssuer = entityDescriptor.EntityId;
                saml2Configuration.SingleSignOnDestination = entityDescriptor.IdPSsoDescriptor.SingleSignOnServices.First().Location;
                saml2Configuration.SingleLogoutDestination = entityDescriptor.IdPSsoDescriptor.SingleLogoutServices.First().Location;
                saml2Configuration.SignatureValidationCertificates.AddRange(entityDescriptor.IdPSsoDescriptor.SigningCertificates);
                if (entityDescriptor.IdPSsoDescriptor.WantAuthnRequestsSigned.HasValue)
                {
                    saml2Configuration.SignAuthnRequest = entityDescriptor.IdPSsoDescriptor.WantAuthnRequestsSigned.Value;
                }
            }
            else
            {
                throw new Exception("IdPSsoDescriptor not loaded from metadata.");
            }
        });

        services.AddSaml2(slidingExpiration: true);

        services.AddControllersWithViews();
    }
Anders Revsgaard
  • 3,636
  • 1
  • 9
  • 25
Adnan Yaseen
  • 833
  • 1
  • 15
  • 44

1 Answers1

1

Yes, it is possible to move the configuration load from startup to later. You can load the content of the Saml2Configuration config object just before it is used by calling a method. In the sample e.g., before the Saml2Configuration is used in the Login method.

Anders Revsgaard
  • 3,636
  • 1
  • 9
  • 25
  • 1
    Thank you for your response. I have done this successfully and loaded the configuration from the database. Now the issue is that when Idp sends back the SAML response, how would I know that for which user this response is for? Because when I will know for which user this response is, I will be able to retrieve the configuration from the database to verify the SAML response. I hope that you understand the issue here. – Adnan Yaseen Mar 22 '21 at 12:56
  • 1
    After you receive the response you can read it with ReadSamlResponse without doing validation, like in: https://github.com/ITfoxtec/ITfoxtec.Identity.Saml2/blob/master/test/TestWebAppCore/Controllers/AuthController.cs#L53. Therafter, you can e.g. read an ID or the relay state as a reference. – Anders Revsgaard Mar 22 '21 at 14:03