Retrieve SAML2 information automatically from configured metadata url


david.ernstsson@stratsys.se
New Member
Group: Forum Members
Posts: 11, Visits: 39
We are in the process of migrating our identity solution from MVC to .NET Core and have previously been using your component for SAML2 support and intend to do so still.

Use case:
- We have a multi-tenancy web application and (amongst other things) offer configurable SAML2 SSO to our customers' own IdPs.
- Our customers/consultants can configure either a specific saml2 metadata url (preferred) or manually configure all the details such as certificates and SSO-url. These changes are propagated live.
- Perhaps a little bit out of scope but when customer/consultant specified a metadata-url we currently save this information to the database and use this for stability reasons.

A few questions:
- What we would really prefer is a possibility to simply configure a metadata-url and then ComponentSpace handles the rest of the information retrieval. Has this been under consideration? Other middlewares for OAuth2 or OpenID Connect support this out-of-the-box. Any specific reason why SAML2 would be different?
- Let's say we do not have any private keys for certificates (SAML2 only used for SP), any security concerns with hosting the XML Security Service on a separate HTTPS site outside our firewalls?
- Any information about when full support for .NET Core will be available from Microsoft's side? Have been trying to find a timeline but to no avail.

Regards,
David Ernstsson
ComponentSpace Development
Group: Administrators
Posts: 3.2K, Visits: 11K
Hi David
Currently we're working on support for importing/exporting SAML metadata to/from SAML configuration. The support will be similar to what we have now in the SAML v2.0 for ASP.NET product. We'd certainly like to hear any specific requirements you might have around this to ensure they're covered.
When are you looking for this support to be included in the product?
If you're not generating signatures or decrypting SAML assertions then only public keys and SAML message or assertion XML will be sent to the XML Security service.
I would still recommend HTTPS and it would be advisable to deploy this behind the corporate firewall but I see no risks associated in not doing so.
Nothing is stored in the XML Security service. It's stateless.
The only risk, if any, is a man-in-the-middle attack on HTTPS.
As long as the HTTPS private key is secure and you're using TLS 1.2 etc. transport security, I don't see any issues.
Microsoft have included the XML Security classes in the .NET Core v2.0 Git repository. That's a good sign. We're keeping a close eye on this and hopefully XML Security support will be part of the .NET Core v2.0 release later this year.
As soon as it's available we will make use of it and deprecate the XML Security service.

Regards
ComponentSpace Development
david.ernstsson@stratsys.se
New Member
Group: Forum Members
Posts: 11, Visits: 39
ComponentSpace - 6/19/2017
Hi David
Currently we're working on support for importing/exporting SAML metadata to/from SAML configuration. The support will be similar to what we have now in the SAML v2.0 for ASP.NET product. We'd certainly like to hear any specific requirements you might have around this to ensure they're covered.
When are you looking for this support to be included in the product?
If you're not generating signatures or decrypting SAML assertions then only public keys and SAML message or assertion XML will be sent to the XML Security service.
I would still recommend HTTPS and it would be advisable to deploy this behind the corporate firewall but I see no risks associated in not doing so.
Nothing is stored in the XML Security service. It's stateless.
The only risk, if any, is a man-in-the-middle attack on HTTPS.
As long as the HTTPS private key is secure and you're using TLS 1.2 etc. transport security, I don't see any issues.
Microsoft have included the XML Security classes in the .NET Core v2.0 Git repository. That's a good sign. We're keeping a close eye on this and hopefully XML Security support will be part of the .NET Core v2.0 release later this year.
As soon as it's available we will make use of it and deprecate the XML Security service.

We are starting our migration of saml2 more or less now and expect that part to be finished in the coming weeks, so really as soon as possible would be helpful. But for future maintenance and development it certainly would help as well. Generally we feel the component is a little bit too much expecting low-level configurations to be known at startup, which at least for us simply isn't true at all. Without having spent too much time yet with your .NET Core component, we will probably be implementing our own ICertificateManager as well as quite a lot of custom code to get it all working.

Optimally we are looking for being able to simply supply a metadata-url at runtime (similar to ICertificateManager) through either some service configured at startup or, even better (and more similar to how the OpenID Connect middleware works), being able to change configuration/options as late as possible by providing custom functionality supplied to the middleware.

Thanks for the info about .NET Core v2.0
ComponentSpace Development
Group: Administrators
Posts: 3.2K, Visits: 11K
Configuration can be updated dynamically if required. It's just that in many cases the configuration is known at startup time.
You can set the configuration programmatically as demonstrated in our example projects.
We do this at startup but there's no reason why you can't perform configuration updates as and when required.
I welcome any other feedback you might have.

Regards
ComponentSpace Development
david.ernstsson@stratsys.se
New Member
Group: Forum Members
Posts: 11, Visits: 39
ComponentSpace - 6/21/2017
Configuration can be updated dynamically if required. It's just that in many cases the configuration is known at startup time.
You can set the configuration programmatically as demonstrated in our example projects.
We do this at startup but there's no reason why you can't perform configuration updates as and when required.
I welcome any other feedback you might have.

Yeah we will certainly manage to handle and implement our case, we would just prefer it if it was more natively supported :)

Let's say we do something like this:
1. Create a custom middleware and add this before the MVC pipeline
2. By DI get SamlConfigurations and then make our own API request to the external metadata url
3. Manually read the metadata and set the corresponding properties for the first/specific PartnerIdentityConfiguration
4. This will then be used by any later middleware or SAML requests triggered from the MVC pipeline

It will work but we would prefer if it was more natively supported. Specifically if you could simply create/refresh/load a PartnerIdentityConfiguration from a specific url this would mean far less custom code for us. Thoughts?
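Steps 2 and 3 of the procedure above (fetch the metadata, read it, pick out what the SP needs), as an added example that is not ComponentSpace's code and not the original poster's: it loads an IdP's SAML 2.0 metadata from its configured URL, parses it with DTD processing disabled, and checks the entityID against what the tenant configured before anything is trusted. IdpMetadataInfo and MetadataLoader are hypothetical names; the properties of ComponentSpace's PartnerIdentityConfiguration are not shown, so copying the result into it (step 3) and calling this from the middleware (steps 1 and 4) is left to the application.

```csharp
// Added example (not ComponentSpace or stratsys code). Hypothetical names: IdpMetadataInfo, MetadataLoader.
using System;
using System.Collections.Generic;
using System.IO;
using System.Linq;
using System.Net.Http;
using System.Security.Cryptography.X509Certificates;
using System.Threading.Tasks;
using System.Xml;
using System.Xml.Linq;

// What an SP actually needs from IdP metadata. Map these onto the real
// PartnerIdentityConfiguration in your own code.
public sealed class IdpMetadataInfo
{
    public string EntityId { get; set; }
    public string SingleSignOnRedirectUrl { get; set; }
    public List<X509Certificate2> SigningCertificates { get; } = new List<X509Certificate2>();
}

public static class MetadataLoader
{
    static readonly XNamespace Md = "urn:oasis:names:tc:SAML:2.0:metadata";
    static readonly XNamespace Ds = "http://www.w3.org/2000/09/xmldsig#";
    const string RedirectBinding = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect";

    // Step 2: fetch the document. Only https:// is accepted; the certificate inside this
    // document is what the SP will later trust for assertion signatures, so it must not be
    // fetched over a channel that can be tampered with.
    public static async Task<IdpMetadataInfo> LoadAsync(HttpClient http, Uri metadataUrl, string expectedEntityId)
    {
        if (metadataUrl.Scheme != Uri.UriSchemeHttps)
            throw new InvalidOperationException("Metadata URL must use https.");
        string xml = await http.GetStringAsync(metadataUrl);
        return Parse(xml, expectedEntityId);
    }

    // Step 3: parse with DTDs prohibited and no resolver, so the fetched XML cannot
    // trigger external entity resolution or entity expansion.
    public static IdpMetadataInfo Parse(string xml, string expectedEntityId)
    {
        var settings = new XmlReaderSettings { DtdProcessing = DtdProcessing.Prohibit, XmlResolver = null };
        XDocument doc;
        using (var reader = XmlReader.Create(new StringReader(xml), settings))
            doc = XDocument.Load(reader);

        XElement entity = doc.Root;
        if (entity == null || entity.Name != Md + "EntityDescriptor")
            throw new InvalidOperationException("Root element is not md:EntityDescriptor.");

        // The entityID must be the one the tenant configured: a metadata URL alone does not
        // prove the document describes the intended IdP.
        string entityId = (string)entity.Attribute("entityID");
        if (!string.Equals(entityId, expectedEntityId, StringComparison.Ordinal))
            throw new InvalidOperationException("entityID does not match the tenant's configured IdP.");

        XElement idp = entity.Element(Md + "IDPSSODescriptor")
            ?? throw new InvalidOperationException("No IDPSSODescriptor; this is not IdP metadata.");

        var info = new IdpMetadataInfo { EntityId = entityId };

        // Take the HTTP-Redirect SSO endpoint, and only if it is itself an https URL.
        info.SingleSignOnRedirectUrl = idp.Elements(Md + "SingleSignOnService")
            .Where(e => (string)e.Attribute("Binding") == RedirectBinding)
            .Select(e => (string)e.Attribute("Location"))
            .FirstOrDefault(loc => loc != null && loc.StartsWith("https://", StringComparison.OrdinalIgnoreCase))
            ?? throw new InvalidOperationException("No https HTTP-Redirect SingleSignOnService found.");

        // A KeyDescriptor without a 'use' attribute is valid for both signing and encryption;
        // one marked use="encryption" must not be accepted as a signing key.
        foreach (XElement kd in idp.Elements(Md + "KeyDescriptor"))
        {
            string use = (string)kd.Attribute("use");
            if (use != null && use != "signing") continue;
            foreach (XElement certEl in kd.Descendants(Ds + "X509Certificate"))
                info.SigningCertificates.Add(new X509Certificate2(Convert.FromBase64String(certEl.Value)));
        }
        if (info.SigningCertificates.Count == 0)
            throw new InvalidOperationException("Metadata carries no signing certificate.");

        return info;
    }
}
```

Every check throws rather than returning a partial result, so a failed or tampered fetch leaves the previously applied configuration untouched; that fits the "save it to the database for stability" approach from the first post, where the last good copy stays in use until a refresh succeeds. All certificates found are kept rather than just the first, since IdPs publish two during key rollover.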


ComponentSpace Development
Group: Administrators
Posts: 3.2K, Visits: 11K
Thank you for the feedback.
We will look at adding this type of functionality.
I don't have a time frame but our current priority is better support for SAML metadata import/export and this fits perfectly into this.

Regards
ComponentSpace Development