
I have successfully set up Identity Server utilizing the SAML protocol and incorporated a service provider for SAML-based login through the RSK SAML plugin.

Although I found a suitable plugin for the .NET Core framework, we have been unable to locate a compatible plugin for the .NET 4.5 framework. I tried many other plugins provided for .NET service provider implementation, but none seemed to work, as the packet sent by the other plugins was always invalid.

Then I analysed the SAML request sent by the .NET Core plugin; here is the packet in decoded form:

<saml2p:AuthnRequest xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
  ID="_31dfbcb18a51492fba2d3c8d38ef6923"
  Version="2.0"
  IssueInstant="2023-07-17T14:56:31Z"
  Destination="https://localhost:7003/saml/sso"
  AssertionConsumerServiceURL="https://localhost:5003/signin-saml"
  ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST">
  <saml2:Issuer>https://localhost:5003</saml2:Issuer>
  <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
    <SignedInfo>
      <CanonicalizationMethod
        Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
      <SignatureMethod
        Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256" />
      <Reference
        URI="#_31dfbcb18a51492fba2d3c8d38ef6923">
        <Transforms>
          <Transform
            Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
          <Transform
            Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
        </Transforms>
        <DigestMethod
          Algorithm="http://www.w3.org/2001/04/xmlenc#sha256" />
        <DigestValue>sakdasndasndksadns=</DigestValue>
      </Reference>
    </SignedInfo>
    <SignatureValue>+BebOrHxuSzEAeobyrZq3/Kdq...==</SignatureValue>
    <KeyInfo>
      <X509Data>
        <X509Certificate>KgAwIBA...==</X509Certificate>
      </X509Data>
    </KeyInfo>
  </Signature>
</saml2p:AuthnRequest>

It seems that RSK's SAML has a very specific implementation for SAML and the same is expected from the client as well. Shall I try to replicate the same SAML plugin and develop a custom plugin for the .NET 4.5 framework to ensure seamless compatibility with Identity/Duende Server? Nonetheless, I am aware that this approach may not address every conceivable threat, as mitigating all potential risks can be complex.

Can Sustainsys or ComponentSpace plugins be used for service provider implementation, with Identity Server as the IdP? Do these plugins require their own IdP implementation to work with?

Is there any other plugin/approach to solve this issue?

TL;DR: Identity Server has a service provider plugin only for .NET Core but not for .NET 4.5. Third-party SAML plugins are not working.

Rohit
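The request above is useful as a reference for what the working .NET Core plugin sends. When a different SP library is rejected as "invalid", the first thing to compare is the signing profile of its AuthnRequest against this one: the Reference URI must point at the request's own ID, and the canonicalization, signature, digest and transform algorithms must match what the IdP is configured to accept. The following script is an added example (not code from the question, Identity Server, RSK or any SP library) that parses an AuthnRequest and reports where it deviates from the profile shown above; the expected-profile dictionary is an assumption taken from the sample request, and the placeholder digest, signature and certificate values are copied from the question as-is.

```python
"""Structural comparison of a SAML 2.0 AuthnRequest against a known-good signing profile."""
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
DS = "http://www.w3.org/2000/09/xmldsig#"

# Sample request taken from the question; signature, digest and certificate values are
# the placeholders that appear there, so cryptographic verification is not attempted.
SAMPLE_AUTHN_REQUEST = """<saml2p:AuthnRequest xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
  ID="_31dfbcb18a51492fba2d3c8d38ef6923" Version="2.0" IssueInstant="2023-07-17T14:56:31Z"
  Destination="https://localhost:7003/saml/sso"
  AssertionConsumerServiceURL="https://localhost:5003/signin-saml"
  ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST">
  <saml2:Issuer>https://localhost:5003</saml2:Issuer>
  <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
    <SignedInfo>
      <CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
      <SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256" />
      <Reference URI="#_31dfbcb18a51492fba2d3c8d38ef6923">
        <Transforms>
          <Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
          <Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
        </Transforms>
        <DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256" />
        <DigestValue>sakdasndasndksadns=</DigestValue>
      </Reference>
    </SignedInfo>
    <SignatureValue>+BebOrHxuSzEAeobyrZq3/Kdq...==</SignatureValue>
    <KeyInfo><X509Data><X509Certificate>KgAwIBA...==</X509Certificate></X509Data></KeyInfo>
  </Signature>
</saml2p:AuthnRequest>"""

# Assumed expected profile: the algorithms and binding the working plugin used.
EXPECTED_PROFILE = {
    "canonicalization": "http://www.w3.org/2001/10/xml-exc-c14n#",
    "signature_method": "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256",
    "digest_method": "http://www.w3.org/2001/04/xmlenc#sha256",
    "transforms": [
        "http://www.w3.org/2000/09/xmldsig#enveloped-signature",
        "http://www.w3.org/2001/10/xml-exc-c14n#",
    ],
    "protocol_binding": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST",
}


def describe_authn_request(xml_text):
    """Extract the request attributes and the enveloped-signature parameters."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{SAMLP}}}AuthnRequest":
        raise ValueError(f"not an AuthnRequest: {root.tag}")
    sig = root.find(f"{{{DS}}}Signature")
    if sig is None:
        raise ValueError("AuthnRequest carries no enveloped Signature")
    signed_info = sig.find(f"{{{DS}}}SignedInfo")
    reference = signed_info.find(f"{{{DS}}}Reference")
    return {
        "id": root.get("ID"),
        "issuer": root.findtext(f"{{{SAML}}}Issuer"),
        "destination": root.get("Destination"),
        "acs_url": root.get("AssertionConsumerServiceURL"),
        "protocol_binding": root.get("ProtocolBinding"),
        "canonicalization": signed_info.find(f"{{{DS}}}CanonicalizationMethod").get("Algorithm"),
        "signature_method": signed_info.find(f"{{{DS}}}SignatureMethod").get("Algorithm"),
        "reference_uri": reference.get("URI"),
        "transforms": [t.get("Algorithm") for t in reference.iter(f"{{{DS}}}Transform")],
        "digest_method": reference.find(f"{{{DS}}}DigestMethod").get("Algorithm"),
        "has_certificate": sig.find(f".//{{{DS}}}X509Certificate") is not None,
    }


def find_profile_mismatches(description, expected=EXPECTED_PROFILE):
    """Return human-readable deviations from the expected signing profile (empty if none)."""
    problems = []
    # The Reference must cover the request itself, i.e. URI == "#" + ID.
    if description["reference_uri"] != "#" + description["id"]:
        problems.append(
            f"reference_uri {description['reference_uri']!r} does not point at ID {description['id']!r}"
        )
    for key, want in expected.items():
        got = description[key]
        if got != want:
            problems.append(f"{key}: expected {want!r}, got {got!r}")
    if not description["has_certificate"]:
        problems.append("KeyInfo carries no X509Certificate; IdP cannot match the SP signing key")
    return problems


if __name__ == "__main__":
    report = describe_authn_request(SAMPLE_AUTHN_REQUEST)
    print("issuer:", report["issuer"], "-> destination:", report["destination"])
    print("mismatches:", find_profile_mismatches(report) or "none")
```

To compare another library's output, decode its SAMLRequest parameter (Base64, and inflate first if it used the HTTP-Redirect binding) and pass the XML to `describe_authn_request`; a non-empty mismatch list points at the setting to change in that library's configuration (for example a SHA-1 digest or a missing exclusive-c14n transform) rather than at a protocol incompatibility.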

0 Answers