How to set different Issuer and Audience attribute with different request based on the...

xgghosh
New Member
Group: Awaiting Activation
Posts: 3, Visits: 18
How do we send different Issuer and Audience attributes with each request, based on the PartnerServiceProvider name in the controller method, within the same instance of the application? The call is await _samlIdentityProvider.InitiateSsoAsync().

Below is a sample from the generated SAML response:

<saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">https://sso.abcglobal.com/apps/b2c/saml2/abc</saml:Issuer>
<samlp:Status>

<saml:AudienceRestriction>
<saml:Audience>abc_audience</saml:Audience>
</saml:AudienceRestriction>


ComponentSpace
ComponentSpace Development
Group: Administrators
Posts: 2.8K, Visits: 8.5K
The Issuer field is set to the LocalIdentityProviderConfiguration.Name in your SAML configuration.

The Audience is set to the PartnerServiceProviderConfiguration.Name in your SAML configuration. The specific PartnerServiceProviderConfiguration is identified by the partnerName parameter to the InitiateSsoAsync call.

Normally the Issuer name shouldn't change based on the partner SP. It uniquely identifies your IdP regardless of which SP SSO is being initiated to.

The Audience does change based on the selected PartnerServiceProviderConfiguration.

If I haven't answered your questions, please provide some more details regarding your requirements.

Regards
ComponentSpace Development
xgghosh
New Member
Group: Awaiting Activation
Posts: 3, Visits: 18
ComponentSpace - 3/16/2021
The Issuer field is set to the LocalIdentityProviderConfiguration.Name in your SAML configuration.

The Audience is set to the PartnerServiceProviderConfiguration.Name in your SAML configuration. The specific PartnerServiceProviderConfiguration is identified by the partnerName parameter to the InitiateSsoAsync call.

Normally the Issuer name shouldn't change based on the partner SP. It uniquely identifies your IdP regardless of which SP SSO is being initiated to.

The Audience does change based on the selected PartnerServiceProviderConfiguration.

If I haven't answered your questions, please provide some more details regarding your requirements.

We understand your answers. In a previous version of ComponentSpace, we had the flexibility to change the Issuer with the code below:

SAMLAssertion samlAssertion = new SAMLAssertion();
samlAssertion.Issuer = issuer;

We are looking for the same type of feature in your latest version of ComponentSpace for .NET Core 3.1.
Thanks and regards,
ComponentSpace
ComponentSpace Development
Group: Administrators
Posts: 2.8K, Visits: 8.5K
You can use the OnSamlAssertionCreated event to access and modify the SAML assertion before it's sent to the partner SP.

For example:

_samlIdentityProvider.Events.OnSamlAssertionCreated += (httpContext, samlAssertion) =>
{
  samlAssertion.Issuer = new Issuer()
  {
   Name = "name goes here"
  };

  return samlAssertion;
};

await _samlIdentityProvider.InitiateSsoAsync(partnerName, userName, attributes, relayState);
There's also an OnSamlResponseCreated event if you wish to change the issuer field in the SAML response.

However, please note that we generally don't recommend changing the issuer as this is a static value uniquely identifying the identity or service provider.
Regards
ComponentSpace Development
xgghosh
New Member
Group: Awaiting Activation
Posts: 3, Visits: 18
ComponentSpace - 3/18/2021
You can use the OnSamlAssertionCreated event to access and modify the SAML assertion before it's sent to the partner SP.

For example:


_samlIdentityProvider.Events.OnSamlAssertionCreated += (httpContext, samlAssertion) =>
{
  samlAssertion.Issuer = new Issuer()
  {
   Name = "name goes here"
  };

  return samlAssertion;
};

await _samlIdentityProvider.InitiateSsoAsync(partnerName, userName, attributes, relayState);



There's also an OnSamlResponseCreated event if you wish to change the issuer field in the SAML response.

However, please note that we generally don't recommend changing the issuer as this is a static value uniquely identifying the identity or service provider.

We have implemented the above code in the method. It does not override the existing issuer but appends the new issuer.
The one below is given in the LocalIdentityProviderConfiguration name:
<saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">https://USSUER1</saml:Issuer>

The one below is added by the code:
_samlIdentityProvider.Events.OnSamlAssertionCreated += (httpContext, samlAssertion) =>
{
  samlAssertion.Issuer = new Issuer()
  {
    Name = "https://ISSUER2"
  };

  return samlAssertion;
};

<saml:Issuer>https://ISSUER2</saml:Issuer>

We cannot override the issuer given in the LocalIdentityProviderConfiguration name; two Issuer tags are present in the same response. Please suggest.
Thanks and regards,
xgghosh

ComponentSpace
ComponentSpace Development
Group: Administrators
Posts: 2.8K, Visits: 8.5K
That's not what I see when I add this code to the ExampleIdentityProvider.

The SAML assertion sent to the SP starts with:

<saml:Assertion
Version="2.0"
ID="_fe64babc-5d5b-4e2e-bac2-c66fbde29e42"
IssueInstant="2021-03-19T07:45:08Z"
xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
<saml:Issuer>name goes here</saml:Issuer>
<saml:Subject>
<saml:NameID>joeuser@componentspace.com</saml:NameID>

Please enable SAML trace and send the generated log file as an email attachment to support@componentspace.com mentioning your forum post.

https://www.componentspace.com/Forums/7936/Enabling-SAML-Trace

I'd like to see the generated SAML assertion.

Regards
ComponentSpace Development
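A check over a trace-logged assertion that catches the two symptoms discussed in this thread (a second saml:Issuer element and an Issuer or Audience that does not match what the configuration should produce). This is an added example using only System.Xml.Linq, not ComponentSpace code; the expected issuer, the expected audience and the sample assertion are constructed here from the values quoted above.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Xml.Linq;

public static class AssertionChecks
{
    static readonly XNamespace Saml = "urn:oasis:names:tc:SAML:2.0:assertion";

    // Returns findings; an empty list means the assertion matches the expected
    // static IdP issuer and the audience of the selected partner SP.
    public static List<string> Check(string assertionXml, string expectedIssuer, string expectedAudience)
    {
        var findings = new List<string>();
        var root = XElement.Parse(assertionXml);
        if (root.Name != Saml + "Assertion")
            findings.Add($"root element is {root.Name}, expected saml:Assertion");

        // Only direct children count: a well-formed assertion carries exactly one Issuer.
        var issuers = root.Elements(Saml + "Issuer").ToList();
        if (issuers.Count != 1)
            findings.Add($"expected exactly one saml:Issuer, found {issuers.Count}");
        foreach (var issuer in issuers)
            if (issuer.Value.Trim() != expectedIssuer)
                findings.Add($"unexpected Issuer value '{issuer.Value.Trim()}'");

        // The Audience must name the partner SP the SSO was initiated to.
        var audiences = root.Elements(Saml + "Conditions")
                            .Elements(Saml + "AudienceRestriction")
                            .Elements(Saml + "Audience")
                            .Select(a => a.Value.Trim()).ToList();
        if (audiences.Count == 0)
            findings.Add("no saml:Audience present");
        else if (!audiences.Contains(expectedAudience))
            findings.Add($"Audience does not contain '{expectedAudience}'");
        return findings;
    }

    public static void Main()
    {
        // Constructed sample shaped like the poster's output: two Issuer elements, one unexpected.
        const string sample = @"<saml:Assertion xmlns:saml=""urn:oasis:names:tc:SAML:2.0:assertion"" Version=""2.0"" ID=""_constructed"" IssueInstant=""2021-03-19T07:45:08Z"">
  <saml:Issuer>https://ISSUER1</saml:Issuer>
  <saml:Issuer>https://ISSUER2</saml:Issuer>
  <saml:Subject><saml:NameID>joeuser@example.com</saml:NameID></saml:Subject>
  <saml:Conditions><saml:AudienceRestriction><saml:Audience>abc_audience</saml:Audience></saml:AudienceRestriction></saml:Conditions>
</saml:Assertion>";
        foreach (var finding in Check(sample, "https://ISSUER1", "abc_audience"))
            Console.WriteLine(finding);
    }
}
```

On the constructed sample it reports the duplicate Issuer and the unexpected https://ISSUER2 value while accepting the audience; running it against the assertion from an enabled SAML trace gives the same evidence support asks for above.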