Connecting Auth0 and the identityserver 4 SAML2P Identity Provider

Rory Braybrook
Nov 13, 2017 · 3 min read

Note: This is currently in beta!

IdentityServer4 is an OpenID Connect and OAuth 2.0 framework for ASP.NET Core 2.

It has a number of protocol plug-ins. WS-Federation was there already and now Rock Solid Knowledge have added one for SAML-P 2.0.

It comes with a GitHub SAML sample. This sample includes an in-memory version of identityserver and a client stack based on Kentor Auth Services (now Sustainsys).

First off, I suggest that you get this setup and try and authenticate via the Test Client.

If you look in TestUsers.cs, you’ll see two in-memory users viz.

alice / alice and bob / bob

that you can use for authentication.

The SAML stack supports any SAML SP so I selected Auth0 to try as a PoC.

Code wise, the SAML sample stack needs a client and a SP:

In Config,cs:

// Client

where “auth0tenant” is the name of your Auth0 tenant.

In Auth0, we need an SAML Enterprise connection.

Call it RSK.

The email domain is configured to make it easier to test. Any email address with that domain e.g. joe@saml.com will be directed here.

Auth0 will not accept the default certificate in the SAML sample (idsrv3test.cer) for some reason so I made a new self-signed one (idsrv4test) and added it to the solution.

When you change the certificate in the sample, you need to change the code in Startup.cs in identityserver :

services.AddIdentityServer()
//.AddSigningCredential(new X509Certificate2(“idsrv3test.pfx”, “idsrv3test”))
.AddSigningCredential(new X509Certificate2(“idsrv4test.pfx”, “password”))
.AddInMemoryIdentityResources(Config.GetIdentityResources())

and in Startup.cs in the test client :

};
// idp.SigningKeys.AddConfiguredKey(new X509Certificate2(HostingEnvironment.MapPath(“~/idsrv3test.cer”)));
idp.SigningKeys.AddConfiguredKey(new X509Certificate2(HostingEnvironment.MapPath(“~/idsrv4test.cer”)));

I also changed the sample code to run on SSL:

Note that IIS Express has chosen https://localhost:44326 as the URL that needs to be configured in the Auth0 RSK SAML connection under “Sign In URL” and “Sign OUT URL”.

Download the Auth0 certificate:

It will be a .pem file.

This needs to be added to the solution and configured in the SP code as above:

SigningCertificates = { new X509Certificate2(“auth0rsk.pem”)

That’s it.

In Auth0, for the SAML connection, click the “Try” key:

This will take you to the identityserver 4 login screen:

Login with alice / alice:

All good!


Originally published at medium.com on November 13, 2017.

The new control plane

“Identity is the new control plane”. Articles around Microsoft Identity, Auth0 and identityserver. Click the “Archive” link at the bottom for more posts.

Rory Braybrook

Written by

NZ Microsoft Identity dude. Azure AD/ADFS. Plus Auth0. North Shore .NET User Group Admin. Ignite - http://bit.ly/2D05Uh7 YouTube - http://bit.ly/2lzBqXQ

The new control plane

“Identity is the new control plane”. Articles around Microsoft Identity, Auth0 and identityserver. Click the “Archive” link at the bottom for more posts.