Hey all, I was hoping to get some advice on using ComponentSpace on a prototype project for a client, maybe some pushing towards the correct implementation, or some definite, "don't do that, you fool". My understanding of SAML is rapidly growing but I am missing some bits I hope can be filled in. The process flow for the project is as follows (ASP.NET Core 3.1):
- User is added to our database (usual details including username and password).
- User logs into the site and standard ASP.NET Core Identity claims are set for Given Name, Family Name, E-Mail, GUID etc. The login process is our custom code; should this be replaced by the examples given for the IdP, or are we OK to carry on like this?
- User is presented with a range of "vendors" on a dashboard page, each vendor is a Service Provider that requires an assertion & metadata in their own format, with the usual SAML Response signed (our .pfx) and the assertion encrypted with the SP public key.
- User clicks the vendor logo and the ComponentSpace magic does its job and sends the assertion to the SP and if all is valid on the SP side, the user is silently logged into the SP's website and is redirected to their dashboard.
- The unique identifier for each user is their e-mail address which is registered as the same across all SPs.
So, I guess this makes our website the IdP as the user is validating against our database and identity service, while we push the user via the assertion post to the various SPs once they click a vendor logo. There could be 1 vendor or there could be 10; it depends what vendors our user has been signed up to.
Do we still need to use all the IdP type wire-up discussed in the ComponentSpace examples (since we're doing our own identity verification), or can we just post a different assertion to each SP? Are there any examples to show this (I'm still in the R&D phase atm, so I'm hedging my bets on someone making something click for me)?
Thanks.
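The "click the vendor logo" step of the flow described above, as an added example that is not the poster's code or ComponentSpace's own sample; it assumes ComponentSpace's `ISamlIdentityProvider.InitiateSsoAsync` and `SamlAttribute` behave as in the vendor's IdP examples, and the `IVendorEntitlements` service is hypothetical. The point it adds is that the vendor entitlement the dashboard displays must also be enforced server-side before the assertion is issued, since the partner name arrives from the browser.

```csharp
using System.Collections.Generic;
using System.Security.Claims;
using System.Threading.Tasks;
using ComponentSpace.Saml2;              // assumption: ISamlIdentityProvider lives here
using ComponentSpace.Saml2.Assertions;   // assumption: SamlAttribute lives here
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Mvc;

// Hypothetical service: which vendors (partner SPs) a given user has been signed up to.
public interface IVendorEntitlements
{
    bool IsEntitled(string email, string partnerName);
}

[Authorize] // the user has already logged in with our own Identity code
public class VendorSsoController : Controller
{
    private readonly ISamlIdentityProvider _idp;
    private readonly IVendorEntitlements _entitlements;

    public VendorSsoController(ISamlIdentityProvider idp, IVendorEntitlements entitlements)
    {
        _idp = idp;
        _entitlements = entitlements;
    }

    // GET /VendorSso/Launch?partnerName=VendorA
    // partnerName must match a partner SP entry in the SAML configuration; that entry,
    // not this code, decides response signing, assertion encryption and the ACS URL.
    [HttpGet]
    public async Task<IActionResult> Launch(string partnerName)
    {
        // The dashboard only *shows* the user's vendors. Re-check entitlement here,
        // otherwise any logged-in user could request an assertion for any configured SP.
        var email = User.FindFirst(ClaimTypes.Email)?.Value;
        if (string.IsNullOrEmpty(email) || !_entitlements.IsEntitled(email, partnerName))
            return Forbid();

        // NameID is the e-mail address, the identifier shared across all SPs in this design;
        // the remaining Identity claims travel as SAML attributes (only those that are set).
        var attributes = new List<SamlAttribute>();
        foreach (var type in new[] { ClaimTypes.GivenName, ClaimTypes.Surname, ClaimTypes.NameIdentifier })
        {
            var value = User.FindFirst(type)?.Value;
            if (!string.IsNullOrEmpty(value))
                attributes.Add(new SamlAttribute(type, value));
        }

        // IdP-initiated SSO: builds, signs/encrypts and posts the SAML response to this SP.
        await _idp.InitiateSsoAsync(partnerName, email, attributes);
        return new EmptyResult(); // the library has already written the auto-post form
    }
}
```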