
IT:AD:OIOSAML:HowTo:Configure

  • For debugging only, set SAML20Federation/ShowError to true (set it back to false once debugging is done, since it exposes error details to the browser).
  • Set SAML20Federation/ServiceProvider@id to a unique id.
    • It can be any string, but a URL is best practice. It does not have to match the server value.

    * Set SAML20Federation/ServiceProvider@server to the base URL that will be prepended to the sign-on/sign-off paths.

 <ServiceProvider id="https://localhost" server="https://LLLLocalhosT:44300">
      <!-- id is the SP entityID; server is the base URL prepended to every localpath below.
           The mixed-case host given here comes out lower-cased in the generated metadata. -->
      <!-- The commented-out lines are the shipped templates using a [VirtualPath] placeholder;
           the live lines use YOUR_VDIR as the virtual directory name. -->
      <!--<ServiceEndpoint localpath="/[VirtualPath]/login.ashx" type="signon" redirectUrl="/[VirtualPath]/MyPage.aspx" index="0" />-->
      <!-- type="signon": the endpoint the IdP posts the authentication response to (AssertionConsumerService). -->
      <ServiceEndpoint localpath="/YOUR_VDIR/HttpHandlers/signon.ashx" type="signon" redirectUrl="/#/welcome" index="0" />
      <!--<ServiceEndpoint localpath="/[VirtualPath]/logout.ashx" type="logout" redirectUrl="/[VirtualPath]/Default.aspx" index="1" />-->
      <!-- type="logout": published as the SingleLogoutService (POST and Redirect bindings). -->
      <ServiceEndpoint localpath="/YOUR_VDIR/HttpHandlers/signoff.ashx" type="logout" redirectUrl="/" index="1" />
      <!--<ServiceEndpoint localpath="/[VirtualPath]/metadata.ashx" type="metadata" />-->
      <!-- type="metadata": serves this SP's own metadata document; takes no redirectUrl or index. -->
      <ServiceEndpoint localpath="/YOUR_VDIR/HttpHandlers/metadata.ashx" type="metadata" />

The above produces an entry with the unique id https://localhost, and the response URLs that the IdP will send its responses to will be:

   <!-- Each Location is server + localpath with the host lower-cased (compare the mixed-case
        server value above). These are the exact scheme/host/port the IdP will send responses to,
        so the SP must be reachable at them as written. -->
   <q1:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://llllocalhost:44300/YOUR_VDIR/HttpHandlers/signoff.ashx" ResponseLocation="https://llllocalhost:44300/YOUR_VDIR/HttpHandlers/signoff.ashx" />
    <q1:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://llllocalhost:44300/YOUR_VDIR/HttpHandlers/signoff.ashx" ResponseLocation="https://llllocalhost:44300/YOUR_VDIR/HttpHandlers/signoff.ashx" />
    <!-- The signon endpoint becomes the default AssertionConsumerService (index="0"). -->
    <q1:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://llllocalhost:44300/YOUR_VDIR/HttpHandlers/signon.ashx" index="0" isDefault="true" />

  • What is the cdcreader.ashx?
  • What is the FormHandler being used for?
  • The authentication mode is set to Forms — but I thought it would have to be set to None in order to let any OIO handler process the request.


<?xml version="1.0"?>
<configuration>

  <!-- Both custom sections below are parsed by the ConfigurationReader from the dk.nita.saml20
       (OIOSAML.NET) assembly; the section names must match the element names used further down. -->
  <configSections>
    <section name="Federation" type="dk.nita.saml20.config.ConfigurationReader, dk.nita.saml20"/>
    <section name="SAML20Federation" type="dk.nita.saml20.config.ConfigurationReader, dk.nita.saml20"/>
  </configSections>


  <!-- Deny Access to unauthorised users, to a specific page -->
  <!-- users="?" is the ASP.NET token for anonymous (unauthenticated) users. Only MyPage.aspx
       is protected by this rule; nothing else in this file restricts other paths, so each
       page that needs sign-on needs its own deny rule (or a broader path). -->
  <location path="MyPage.aspx">
    <system.web>
      <authorization>
        <deny users="?"/>
      </authorization>
    </system.web>
  </location>


  <Federation xmlns="urn:dk.nita.saml20.configuration">
    <!-- The SP's own signing certificate, looked up by subject DN in the LocalMachine "My"
         (Personal) store. NOTE(review): the worker-process identity needs read access to this
         certificate's private key for signing to work — confirm on the host. -->
    <SigningCertificate findValue="CN=ServiceProvider, O=NITA, C=DK" storeLocation="LocalMachine" 
                              storeName="My" 
                              x509FindType="FindBySubjectDistinguishedName"/>

    <!-- The list of allowed audiences must at least contain the id of the service provider. -->
    <!-- This value is the same as SAML20Federation/ServiceProvider@id below; keep the two in sync,
         otherwise responses addressed to this SP are presumably rejected on audience restriction. -->
    <AllowedAudienceUris>
      <Audience>https://saml.example.net/</Audience>
    </AllowedAudienceUris>
  </Federation>


  <SAML20Federation xmlns="urn:dk.nita.saml20.configuration">

    <!-- id is the SP entityID and must also appear under Federation/AllowedAudienceUris.
         server is the base URL prepended to every localpath below when the sign-on/sign-off/
         metadata URLs are published to the IdP. NOTE(review): with http:// here the IdP would
         POST assertions to a plaintext URL; use https for anything beyond a local demo. -->
    <ServiceProvider id="https://saml.example.net/" server="http://chjpc2.dk">
      <!-- type="signon": published as the AssertionConsumerService; redirectUrl is presumably
           where the user lands after a successful sign-on. -->
      <ServiceEndpoint localpath="/demo/login.ashx" type="signon" redirectUrl="/demo/MyPage.aspx" index="0"/>
      <!-- type="logout": published as the SingleLogoutService (POST and Redirect bindings). -->
      <ServiceEndpoint localpath="/demo/logout.ashx" type="logout" redirectUrl="/demo/Default.aspx" index="1"/>
      <!-- type="metadata": serves this SP's metadata document; no redirectUrl or index. -->
      <ServiceEndpoint localpath="/demo/metadata.ashx" type="metadata"/>
      
      <!-- Contact details in the SAML 2.0 metadata namespace; presumably copied verbatim into the
           published SP metadata, so they become visible to the IdP and anyone fetching it. -->
      <md:ContactPerson contactType="administrative" xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata">
        <md:Company>IT- og Telestyrelsen</md:Company>
        <md:GivenName>Søren Peter</md:GivenName>
        <md:SurName>Nielsen</md:SurName>
        <md:EmailAddress>sp@itst.dk</md:EmailAddress>
        <md:TelephoneNumber>35450000</md:TelephoneNumber>
      </md:ContactPerson>
    </ServiceProvider>

    <!-- Attributes this SP asks the IdP for. isRequired="true" appears to mark the ones the SP
         cannot proceed without — confirm the exact effect against the library documentation. -->
    <RequestedAttributes>
      <!-- The attributes that the demonstration identity provider issues. -->
      <att name="urn:FirstName" isRequired="true"/>
      <att name="urn:LastName" isRequired="true"/>
      <att name="urn:Age"/>
    </RequestedAttributes>

    <!-- metadata: directory the IdP metadata files are read from. NOTE(review): whatever is
         dropped here is presumably trusted as an IdP, so restrict write access to this path. -->
    <IDPEndPoints metadata="C:\metadata\">

      <!-- Per-IdP override keyed by the IdP entityID. By its name, SelfIssuedCertificateSpecification
           accepts self-issued (self-signed) IdP certificates — NOTE(review): suitable for a local
           test IdP only; confirm before using it with a real IdP. -->
      <add id="http://commondomain.local/">
        <CertificateValidation>
          <add type="dk.nita.saml20.Specification.SelfIssuedCertificateSpecification, dk.nita.saml20"/>
        </CertificateValidation>
      </add>

      <!-- DefaultCertificateSpecification: the library's standard certificate check (presumably
           full chain validation) for the simpleSAMLphp test IdP. -->
      <add id="http://tri-test8/simplesaml/saml2/idp/metadata.php">
        <CertificateValidation>
          <add type="dk.nita.saml20.Specification.DefaultCertificateSpecification, dk.nita.saml20"/>
        </CertificateValidation>
      </add>

    </IDPEndPoints>

    <!-- Common Domain Cookie support; localReaderEndpoint is the cdcreader.ashx handler on this
         SP that reads the common-domain cookie (this is what the cdcreader.ashx question above
         refers to). NOTE(review): plain http again — same concern as the server attribute. -->
    <CommonDomain enabled="true" localReaderEndpoint="http://chjpc2.dk/demo/cdcreader.ashx"/>

  </SAML20Federation>



  <!-- Forms authentication with loginUrl pointing at the OIOSAML sign-on handler instead of a
       login page: an unauthenticated request to a protected page (see the <location> deny rule
       above) is redirected to /demo/login.ashx, which presumably starts the SAML flow and issues
       the forms ticket on return — that is why mode="Forms" works here rather than "None".
       cookieless="UseCookies" keeps the ticket in a cookie instead of the URL. -->
  <system.web>
    <authentication mode="Forms">
      <forms cookieless="UseCookies" loginUrl="/demo/login.ashx" name="DemoServiceProvider"/>
    </authentication>
    ...
  </system.web>
</configuration>

