IT:AD:OIOSAML:HowTo:Configure
Summary
Process
- For debug purposes, ensure SAML20Federation/ShowError is set to true.
- Set SAML20Federation/ServiceProvider@id to a unique Id. It can be any string, but a URL is best practice. It does not have to match the server value.
- Set SAML20Federation/ServiceProvider@server to the base URL that will be prepended in front of the Signon/off URLs.
<ServiceProvider id="https://localhost" server="https://LLLLocalhosT:44300">
  <!--<ServiceEndpoint localpath="/[VirtualPath]/login.ashx" type="signon" redirectUrl="/[VirtualPath]/MyPage.aspx" index="0" />-->
  <ServiceEndpoint localpath="/YOUR_VDIR/HttpHandlers/signon.ashx" type="signon" redirectUrl="/#/welcome" index="0" />
  <!--<ServiceEndpoint localpath="/[VirtualPath]/logout.ashx" type="logout" redirectUrl="/[VirtualPath]/Default.aspx" index="1" />-->
  <ServiceEndpoint localpath="/YOUR_VDIR/HttpHandlers/signoff.ashx" type="logout" redirectUrl="/" index="1" />
  <!--<ServiceEndpoint localpath="/[VirtualPath]/metadata.ashx" type="metadata" />-->
  <ServiceEndpoint localpath="/YOUR_VDIR/HttpHandlers/metadata.ashx" type="metadata" />
</ServiceProvider>
The above produces a metadata entry with the unique id https://localhost, and the response URLs that the IdP will use to respond to it will be:
<q1:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://llllocalhost:44300/YOUR_VDIR/HttpHandlers/signoff.ashx" ResponseLocation="https://llllocalhost:44300/YOUR_VDIR/HttpHandlers/signoff.ashx" />
<q1:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://llllocalhost:44300/YOUR_VDIR/HttpHandlers/signoff.ashx" ResponseLocation="https://llllocalhost:44300/YOUR_VDIR/HttpHandlers/signoff.ashx" />
<q1:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://llllocalhost:44300/YOUR_VDIR/HttpHandlers/signon.ashx" index="0" isDefault="true" />
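To check a configuration the way the process above describes (server prepended to each localpath, and the ServiceProvider id listed in AllowedAudienceUris), here is an added Python script that is not part of OIOSAML.NET; the sample config embedded in it is constructed from the fragments on this page.

```python
# Added example, not part of OIOSAML.NET: sanity-check the Federation and
# SAML20Federation sections of a web.config as the process above describes.
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit, urlunsplit

NS = {"c": "urn:dk.nita.saml20.configuration"}

# Constructed sample from this page's fragments; the odd-cased host is deliberate.
SAMPLE_CONFIG = """<configuration>
  <Federation xmlns="urn:dk.nita.saml20.configuration">
    <AllowedAudienceUris><Audience>https://localhost</Audience></AllowedAudienceUris>
  </Federation>
  <SAML20Federation xmlns="urn:dk.nita.saml20.configuration">
    <ServiceProvider id="https://localhost" server="https://LLLLocalhosT:44300">
      <ServiceEndpoint localpath="/YOUR_VDIR/HttpHandlers/signon.ashx" type="signon" redirectUrl="/#/welcome" index="0"/>
      <ServiceEndpoint localpath="/YOUR_VDIR/HttpHandlers/signoff.ashx" type="logout" redirectUrl="/" index="1"/>
      <ServiceEndpoint localpath="/YOUR_VDIR/HttpHandlers/metadata.ashx" type="metadata"/>
    </ServiceProvider>
  </SAML20Federation>
</configuration>"""

def endpoint_urls(config_xml):
    """Endpoint type -> absolute URL: server prepended to localpath, scheme and
    host lowercased as the generated metadata on this page shows."""
    sp = ET.fromstring(config_xml).find("c:SAML20Federation/c:ServiceProvider", NS)
    p = urlsplit(sp.get("server"))
    base = urlunsplit((p.scheme.lower(), p.netloc.lower(), "", "", ""))
    return {ep.get("type"): base + ep.get("localpath")
            for ep in sp.findall("c:ServiceEndpoint", NS)}

def check_config(config_xml):
    """Return a list of problems; an empty list means the fragment looks sane."""
    root = ET.fromstring(config_xml)
    sp = root.find("c:SAML20Federation/c:ServiceProvider", NS)
    problems = []
    # The SP id must be an allowed audience, or assertions addressed to it are rejected.
    audiences = [a.text.strip() for a in
                 root.findall("c:Federation/c:AllowedAudienceUris/c:Audience", NS)]
    if sp.get("id") not in audiences:
        problems.append(f"ServiceProvider id {sp.get('id')} not in AllowedAudienceUris {audiences}")
    # signon, logout and metadata handlers must all be registered.
    for t in sorted({"signon", "logout", "metadata"} - set(endpoint_urls(config_xml))):
        problems.append(f"no ServiceEndpoint of type {t}")
    # Assertions are posted to these URLs; a plain-http server exposes them in transit.
    if urlsplit(sp.get("server")).scheme.lower() != "https":
        problems.append("server is not https")
    return problems

if __name__ == "__main__":
    print(endpoint_urls(SAMPLE_CONFIG), check_config(SAMPLE_CONFIG) or "OK")
```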
Questions
- What is the cdcreader.ashx?
- What is the FormHandler being used for?
- The Authentication mode is set to Form – but I really thought it would have to be set to None in order to let any OIO Handler process the request.
Config File
<?xml version="1.0"?>
<configuration>
  <configSections>
    <section name="Federation" type="dk.nita.saml20.config.ConfigurationReader, dk.nita.saml20"/>
    <section name="SAML20Federation" type="dk.nita.saml20.config.ConfigurationReader, dk.nita.saml20"/>
  </configSections>
  <!-- Deny Access to unauthorised users, to a specific page -->
  <location path="MyPage.aspx">
    <system.web>
      <authorization>
        <deny users="?"/>
      </authorization>
    </system.web>
  </location>
  <Federation xmlns="urn:dk.nita.saml20.configuration">
    <SigningCertificate findValue="CN=ServiceProvider, O=NITA, C=DK" storeLocation="LocalMachine" storeName="My" x509FindType="FindBySubjectDistinguishedName"/>
    <!-- The list of allowed audiences must at least contain the id of the service provider. -->
    <AllowedAudienceUris>
      <Audience>https://saml.example.net/</Audience>
    </AllowedAudienceUris>
  </Federation>
  <SAML20Federation xmlns="urn:dk.nita.saml20.configuration">
    <ServiceProvider id="https://saml.example.net/" server="http://chjpc2.dk">
      <ServiceEndpoint localpath="/demo/login.ashx" type="signon" redirectUrl="/demo/MyPage.aspx" index="0"/>
      <ServiceEndpoint localpath="/demo/logout.ashx" type="logout" redirectUrl="/demo/Default.aspx" index="1"/>
      <ServiceEndpoint localpath="/demo/metadata.ashx" type="metadata"/>
      <md:ContactPerson contactType="administrative" xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata">
        <md:Company>IT- og Telestyrelsen</md:Company>
        <md:GivenName>Søren Peter</md:GivenName>
        <md:SurName>Nielsen</md:SurName>
        <md:EmailAddress>sp@itst.dk</md:EmailAddress>
        <md:TelephoneNumber>35450000</md:TelephoneNumber>
      </md:ContactPerson>
    </ServiceProvider>
    <RequestedAttributes>
      <!-- The attributes that the demonstration identity provider issues. -->
      <att name="urn:FirstName" isRequired="true"/>
      <att name="urn:LastName" isRequired="true"/>
      <att name="urn:Age"/>
    </RequestedAttributes>
    <IDPEndPoints metadata="C:\metadata\">
      <add id="http://commondomain.local/">
        <CertificateValidation>
          <add type="dk.nita.saml20.Specification.SelfIssuedCertificateSpecification, dk.nita.saml20"/>
        </CertificateValidation>
      </add>
      <add id="http://tri-test8/simplesaml/saml2/idp/metadata.php">
        <CertificateValidation>
          <add type="dk.nita.saml20.Specification.DefaultCertificateSpecification, dk.nita.saml20"/>
        </CertificateValidation>
      </add>
    </IDPEndPoints>
    <CommonDomain enabled="true" localReaderEndpoint="http://chjpc2.dk/demo/cdcreader.ashx"/>
  </SAML20Federation>
  <system.web>
    <authentication mode="Forms">
      <forms cookieless="UseCookies" loginUrl="/demo/login.ashx" name="DemoServiceProvider"/>
    </authentication>
    ...
  </system.web>
</configuration>