Connecting Auth0 and the identityserver 4 SAML2P Identity Provider

Rory Braybrook
Published in Tech Feed
3 min read, Nov 13, 2017

Note: This is currently in beta!

IdentityServer4 is an OpenID Connect and OAuth 2.0 framework for ASP.NET Core 2.

It has a number of protocol plug-ins. WS-Federation was there already and now Rock Solid Knowledge have added one for SAML-P 2.0.

It comes with a GitHub SAML sample. This sample includes an in-memory version of identityserver and a client stack based on Kentor Auth Services (now Sustainsys).

First off, I suggest that you get this set up and try to authenticate via the Test Client.

If you look in TestUsers.cs, you’ll see two in-memory users viz.

alice / alice and bob / bob

that you can use for authentication.

The SAML stack supports any SAML SP so I selected Auth0 to try as a PoC.

Code-wise, the SAML sample stack needs a client and an SP:

In Config.cs:

// Client entry for the Auth0 tenant
new Client
{
    ClientId = "urn:auth0:auth0tenant:RSK",
    ClientName = "Auth0 Test Client",
    ProtocolType = IdentityServerConstants.ProtocolTypes.Saml2p,
    RedirectUris = { "https://auth0tenant.au.auth0.com/login/callback" },
    AllowedScopes = { "openid", "profile" }
};

// Matching SP entry: EntityId must equal the ClientId above, and the
// assertion consumer service URL must equal the redirect URI above
new ServiceProvider
{
    EntityId = "urn:auth0:auth0tenant:RSK",
    // Auth0's certificate, used to verify requests signed by the SP
    SigningCertificates = { new X509Certificate2("auth0rsk.pem") },
    AssertionConsumerServices =
    {
        new Service(SamlConstants.BindingTypes.HttpPost, "https://auth0tenant.au.auth0.com/login/callback")
    }
};

where “auth0tenant” is the name of your Auth0 tenant.

In Auth0, we need a SAML Enterprise connection.

Call it RSK.

The email domain is configured to make it easier to test. Any email address with that domain e.g. joe@saml.com will be directed here.

Auth0 will not accept the default certificate in the SAML sample (idsrv3test.cer) for some reason so I made a new self-signed one (idsrv4test) and added it to the solution.

When you change the certificate in the sample, you need to change the code in Startup.cs in identityserver:

services.AddIdentityServer()
    // .AddSigningCredential(new X509Certificate2("idsrv3test.pfx", "idsrv3test"))
    // Swap the default sample certificate for the new self-signed one
    .AddSigningCredential(new X509Certificate2("idsrv4test.pfx", "password"))
    .AddInMemoryIdentityResources(Config.GetIdentityResources())

and in Startup.cs in the test client:

};
// idp.SigningKeys.AddConfiguredKey(new X509Certificate2(HostingEnvironment.MapPath("~/idsrv3test.cer")));
// The test client must trust the same certificate the IdP now signs with
idp.SigningKeys.AddConfiguredKey(new X509Certificate2(HostingEnvironment.MapPath("~/idsrv4test.cer")));
options.IdentityProviders.Add(idp);

I also changed the sample code to run on SSL:

Note that IIS Express has chosen https://localhost:44326 as the URL that needs to be configured in the Auth0 RSK SAML connection under “Sign In URL” and “Sign OUT URL”.

Download the Auth0 certificate:

It will be a .pem file.

This needs to be added to the solution and configured in the SP code as above:

SigningCertificates = { new X509Certificate2("auth0rsk.pem") },

That’s it.
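As an added example (not code from the post or the RSK sample), the following builds the Client and ServiceProvider entries from a single tenant name so the EntityId/ClientId pair and the callback URL cannot drift apart, and fails at startup rather than at login if either certificate file is unusable. It assumes the RSK types live in the Rsk.Saml and Rsk.Saml.Models namespaces.

```csharp
using System;
using System.IO;
using System.Security.Cryptography.X509Certificates;
using IdentityServer4;
using IdentityServer4.Models;
using Rsk.Saml;          // SamlConstants (assumed namespace)
using Rsk.Saml.Models;   // ServiceProvider, Service (assumed namespace)

public static class Auth0SamlConfig
{
    // "au" is the Auth0 region used in the post; other tenants may differ.
    private static string CallbackUrl(string tenant, string region = "au") =>
        $"https://{tenant}.{region}.auth0.com/login/callback";

    private static string EntityId(string tenant) => $"urn:auth0:{tenant}:RSK";

    public static Client GetClient(string tenant) => new Client
    {
        ClientId = EntityId(tenant),
        ClientName = "Auth0 Test Client",
        ProtocolType = IdentityServerConstants.ProtocolTypes.Saml2p,
        RedirectUris = { CallbackUrl(tenant) },
        AllowedScopes = { "openid", "profile" }
    };

    public static ServiceProvider GetServiceProvider(string tenant, string auth0CertPath) =>
        new ServiceProvider
        {
            EntityId = EntityId(tenant),                 // same value as ClientId
            SigningCertificates = { LoadPublicCert(auth0CertPath) },
            AssertionConsumerServices =
            {
                new Service(SamlConstants.BindingTypes.HttpPost, CallbackUrl(tenant)) // same as RedirectUris
            }
        };

    // The Auth0-issued .pem is public-key only; reject a missing or expired file up front.
    private static X509Certificate2 LoadPublicCert(string path)
    {
        if (!File.Exists(path)) throw new FileNotFoundException("SP certificate not found", path);
        var cert = new X509Certificate2(path);
        var now = DateTime.UtcNow;
        if (now < cert.NotBefore.ToUniversalTime() || now > cert.NotAfter.ToUniversalTime())
            throw new InvalidOperationException($"SP certificate {cert.Thumbprint} is outside its validity period");
        return cert;
    }

    // The IdP signing credential (idsrv4test.pfx in the post) must carry a private key.
    public static X509Certificate2 LoadSigningCredential(string pfxPath, string password)
    {
        var cert = new X509Certificate2(pfxPath, password);
        if (!cert.HasPrivateKey) throw new InvalidOperationException("Signing PFX has no private key");
        return cert;
    }
}
```

Wire GetClient into the sample's GetClients() list, GetServiceProvider into its service provider list, and pass LoadSigningCredential to AddSigningCredential in Startup.cs.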

In Auth0, for the SAML connection, click the “Try” key:

This will take you to the identityserver 4 login screen:

Login with alice / alice:

All good!
