Connecting two instances of IdentityServer 4 using the ComponentSpace SAML v2.0 for .NET Core and the Rock Solid Knowledge SAML v2.0 for .NET Core stack

Rory Braybrook
Sep 5, 2018 · 3 min read

This follows on from this.

That article uses the ComponentSpace (CS) stack on both sides. Here we are doing the same thing but using two different stacks, the other being the offering from Rock Solid Knowledge (RSK). There is a good overview for RSK with the source code.

Just FYI, the respective Twitter feeds are @ComponentSpace and @rskltd.

Thanks to ComponentSpace and Rock Solid Knowledge for their help.

Essentially what we have is:

CS test client using SAML → idsrv4 running as an IDP and an SP → idsrv4 running as an IDP

The idsrv4 using CS runs as an IDP and an SP on port 6000, so let's call that idsrv4:6000. The idsrv4 using RSK runs just as an IDP on port 5000, so let's call that idsrv4:5000.

So expanding the above we get:

CS test client using SAML → idsrv4:6000 running as a CS IDP → idsrv4:6000 running as a CS SP → idsrv4:5000 running as an RSK IDP.

The RSK metadata is at:

We can see from the metadata that the entityID is:

entityID=""

and the SSO endpoint is:

<SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="" />

The first part of the path, i.e. connecting CS test client using SAML → idsrv4:6000 running as a CS IDP, is exactly the same as in the original article (link above), so you can get the configuration from there.

The only difference is the RSK certificate:

"FileName": "certificates/idsrv3test.cer"

As usual, all the code is in the .

For idsrv4:6000:

appsettings.json:

{
  "Description": "IdentityServer4-RSK",
  "Name": "http://localhost:5000",
  "PartnerCertificates": [
    {
      "FileName": "certificates/idsrv3test.cer"
    }
  ],
  "SignAuthnRequest": true,
  "SingleSignOnServiceUrl": "http://localhost:5000/saml/sso"
}

In Startup.cs in the AddExternalIdentityProviders section:

.AddSaml("idsrv4", "IdentityServer4", options =>
{
    options.SignInScheme = IdentityServerConstants.ExternalCookieAuthenticationScheme;
    options.SignOutScheme = IdentityServerConstants.SignoutScheme;
    options.AssertionConsumerServicePath = "http://localhost:5000/saml/sso";
    // Must match the "Name" of the partner IDP entry in appsettings.json
    options.PartnerName = () => "http://localhost:5000";
})

For idsrv4:5000:

in Config.cs — GetClients:

// SAML client
new Client
{
    ClientId = "",
    ClientName = "idsrv4 CS",
    ProtocolType = IdentityServerConstants.ProtocolTypes.Saml2p,
    AllowedScopes = {"openid", "profile"}
}

Note the scopes. This defines the claims that will be sent to the client.

And in GetServiceProviders:

public static IEnumerable<ServiceProvider> GetServiceProviders()
{
    return new[]
    {
        new ServiceProvider
        {
            // EntityId must match the ClientId of the SAML client above
            EntityId = "",
            AssertionConsumerServices =
                {new Service(SamlConstants.BindingTypes.HttpPost, "")},
            // The SP's signing certificate, used to verify its signed AuthnRequests
            SigningCertificates = {new X509Certificate2("sp.cer")}
        }
    };
}

Note that you have to copy the certificates (sp.cer and idsrv3test.cer) over.

Running it:

Click the SSO button.

Click the “IdentityServer4” button.

This is the login screen for the RSK stack.

Authenticate as bob / bob.

Success!

Note that the user’s ID is “88421113”.

new TestUser
{
    SubjectId = "88421113", Username = "bob", Password = "bob",
    Claims =
    {
        new Claim(JwtClaimTypes.Name, "Bob Smith"),
        new Claim(JwtClaimTypes.GivenName, "Bob"),
    }
}

This is derived from TestUsers.cs.

All good!

The new control plane

“Identity is the new control plane”. Articles around Microsoft Identity, Auth0 and identityserver. Click the “Archive” link at the bottom for more posts.

Rory Braybrook

Written by

NZ Microsoft Identity dude. Azure AD/ADFS. Plus Auth0. North Shore .NET User Group Admin. Ignite - http://bit.ly/2D05Uh7 YouTube - http://bit.ly/2lzBqXQ
