Today we released Kentor.AuthServices 0.18.1. It contains a number of bug fixes, but also a couple of breaking changes to a mostly internal API and to logout handling.
You are affected if…
- you build an HttpRequestData yourself, instead of using the built-in ToHttpRequestData() extension method.
- you are using Single Logout and…
  - you have a ClaimsAuthenticationManager
  - you manually create an AuthServicesClaimTypes.LogoutNameIdentifier claim
  - you filter out claims that are persisted
Most users should not be affected, but if you match any of the above please read on.
This is an announcement of two new related features in the AuthServices SAML2 StubIdp: AttributeStatements and user lists.
AttributeStatements
Until now the only identification related element supported by the StubIdp was the Subject NameID.
In many SAML2 installations additional data, like roles and full name, are included as AttributeStatements. This has been supported by the AuthServices library, but it has not been possible to generate test data for it with the StubIdp.
Now we have implemented a dynamic list of AttributeStatements in the StubIdp.
Using the Kentor.AuthServices SAML2 Service Provider with Thinktecture IdentityServer 3 bridges the gap between SAML2 and OAuth2/OpenID Connect. Thinktecture IdentityServer 3 supports clients using the modern OAuth2 and OpenID Connect protocols. It can either have a local account database through e.g. ASP.NET Identity, or use external authentication services. By registering Kentor.AuthServices with IdentityServer, IdentityServer can authenticate users against a SAML2 Idp.
I know that SAML2 is often regarded as legacy, but the truth is that there are still vast amounts of infrastructure out there that support SAML2 but have not yet taken the leap to OpenID Connect. When the client applications prefer modern standards, a bridge between them is needed. With Kentor.AuthServices, Thinktecture IdentityServer can be that bridge.
Get It Running
To add SAML2 to IdentityServer, changes are needed in three places: install the Kentor.AuthServices.Owin package, alter the startup configuration method for IdentityServer, and add two lines to the web/app.config file.
The Kentor.AuthServices SAML2 Service Provider has gained one important improvement for simplified operations: automatic metadata refresh. Identity providers and federations configured by loading metadata are now automatically refreshed based on the cache duration settings in the received metadata. This significantly simplifies operations, especially for federation setups. When new identity providers are added to the federation, they are automatically made available in AuthServices, and any removed identity providers are pruned from the active list.
The core AuthServices, MVC and Owin packages are all available for download on NuGet. The source and issue list are on GitHub.
Contents
- Automatic refresh of metadata.
- StubIdp metadata contains cacheDuration.
- Configuration option for metadataUrl for identity providers.
- returnUri renamed to returnUrl in configuration.
We continue to improve the Kentor.AuthServices SAML2 Service Provider for ASP.NET with the release of version 0.8.0. With this release the entire configuration system has been rebuilt, to enable configuration from sources other than the config file. This is good news for anyone thinking of integrating Kentor AuthServices in an application where configuration is offered through a user interface. Further support for federations has also been added, with administrative metadata now being exported, as well as support for attribute consuming services and the Idp discovery extensions to metadata.
The core AuthServices, MVC and Owin packages are all available for download on NuGet. The source and issue list are on GitHub.
Contents
- Automatic generation of service provider URLs, removing configuration.
- Configuration can now be supplied from code and not only in config file.
- Administrative metadata (organization and contactPerson) support.
- Serialization of SAML Attributes.
- Support for BootstrapContext, saving the incoming assertion in the resulting identity.
- Fixed new principal returned by ClaimsAuthenticationManager being ignored.
- Attribute consuming service support in metadata and AuthnRequest.
- Discovery service response location included in metadata if use of discovery service is enabled.
- Fixed null reference exception on HTTP POST with the Owin middleware.