Setting up an SAML Dynamic Provider
Step 3: Define the Service Provider
Here is where you define the Service Provider. Be aware that your IDS acts as the Service Provider in the SAML connection:
Name | Required | Type | Description |
---|---|---|---|
SP Entity Id | Yes | Text | String that uniquely identifies this Service Provider |
Callback path (ACS endpoint) | Yes | Text | Relative path to redirect an authenticated user to after sign-in. If you use Duende Dynamic Authentication, it must start with the configured prefix; the default value is '/federation/' |
Step 4: Certificate
Here we can set up an optional certificate that your Service Provider uses to sign requests. This helps the Identity Provider confirm that requests are coming from a legitimate source.
- If you don't want to set up this certificate, just click 'Next'.
- If you want to add a certificate, select a certificate file, enter its password and then click the "Test" button to validate the certificate.
- If you change your mind, click 'Clear' to remove the certificate.
Name | Required | Type | Description |
---|---|---|---|
Certificate | Yes | File | Certificate in PFX or P12 format |
Password | Yes | Text | Password protecting the selected certificate |
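The "Test" button in this step only tells you whether the file opens with the given password. The following added example (not AdminUI or IdentityServer code) shows the checks an operator would reasonably run on a PFX/P12 file before uploading it as the SP signing certificate: that it opens, that it carries a private key, that it is inside its validity window, that it is not SHA-1 signed, and that an RSA key is at least 2048 bits. The file path and password are command-line arguments; the class and method names are this example's own.

```csharp
// Added example, not part of AdminUI or IdentityServer.
// Usage: dotnet run -- <path-to-pfx> <password>
using System;
using System.IO;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

public static class SpCertificateCheck
{
    // Returns true when the PFX is usable as a SAML SP signing certificate;
    // 'reason' explains the first failing check, or summarises the cert on success.
    public static bool IsUsableForSigning(string pfxPath, string password, out string reason)
    {
        if (!File.Exists(pfxPath))
        {
            reason = $"File not found: {pfxPath}";
            return false;
        }

        X509Certificate2 cert;
        try
        {
            // Opening with the password is exactly what the "Test" button verifies.
            cert = new X509Certificate2(pfxPath, password);
        }
        catch (CryptographicException ex)
        {
            reason = $"Cannot open PFX (wrong password or corrupt file): {ex.Message}";
            return false;
        }

        using (cert)
        {
            if (!cert.HasPrivateKey)
            {
                reason = "Certificate has no private key; the SP cannot sign requests with it.";
                return false;
            }

            var now = DateTime.UtcNow;
            if (now < cert.NotBefore.ToUniversalTime() || now > cert.NotAfter.ToUniversalTime())
            {
                reason = $"Certificate is outside its validity period ({cert.NotBefore:u} .. {cert.NotAfter:u}).";
                return false;
            }

            // Many IdPs reject SHA-1 signed certificates; catch this before the first failed login.
            var sigAlg = cert.SignatureAlgorithm.FriendlyName ?? cert.SignatureAlgorithm.Value ?? "";
            if (sigAlg.IndexOf("sha1", StringComparison.OrdinalIgnoreCase) >= 0)
            {
                reason = $"Certificate is signed with {sigAlg}; use a SHA-256 or stronger certificate.";
                return false;
            }

            // Key-size check applies to RSA keys only; ECDSA keys are accepted as-is here.
            using var rsa = cert.GetRSAPrivateKey();
            if (rsa != null && rsa.KeySize < 2048)
            {
                reason = $"RSA key size {rsa.KeySize} is below 2048 bits.";
                return false;
            }

            reason = $"OK: {cert.Subject}, thumbprint {cert.Thumbprint}, expires {cert.NotAfter:u}";
            return true;
        }
    }

    public static int Main(string[] args)
    {
        if (args.Length != 2)
        {
            Console.Error.WriteLine("usage: SpCertificateCheck <pfx-path> <password>");
            return 2;
        }

        var ok = IsUsableForSigning(args[0], args[1], out var reason);
        Console.WriteLine(reason);
        return ok ? 0 : 1;
    }
}
```

Keep the PFX password out of shell history in real use (read it from a secret store or prompt for it); it is a command-line argument here only to keep the example short.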
Step 5: Define IdP Metadata Address
Here we set up the connection to the external Identity Provider:
Name | Required | Type | Description |
---|---|---|---|
Idp Metadata Address | Yes | Text | Metadata address of the Identity Provider. A button next to the field verifies that the address is reachable and that it returns well-formed metadata. |
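The reachability and well-formedness checks behind that button can be reproduced and extended outside AdminUI. The following added example (not AdminUI's own verification code) fetches a metadata document over HTTPS, parses it with DTD processing disabled, and confirms it is a SAML 2.0 EntityDescriptor with an entityID, an IDPSSODescriptor role, a signing key and at least one SingleSignOnService endpoint. The sample metadata embedded for the self-test is constructed for this example; the entity ID, hostname and certificate value in it are placeholders.

```csharp
// Added example, not part of AdminUI or IdentityServer.
// Usage: dotnet run -- https://idp.example.test/metadata   (or no argument to run the self-test)
using System;
using System.IO;
using System.Linq;
using System.Net.Http;
using System.Threading.Tasks;
using System.Xml;
using System.Xml.Linq;

public static class IdpMetadataCheck
{
    private static readonly XNamespace Md = "urn:oasis:names:tc:SAML:2.0:metadata";

    // Constructed sample; hostname, entityID and certificate bytes are placeholders.
    public const string SampleMetadata =
@"<md:EntityDescriptor xmlns:md=""urn:oasis:names:tc:SAML:2.0:metadata"" entityID=""https://idp.example.test/saml"">
  <md:IDPSSODescriptor protocolSupportEnumeration=""urn:oasis:names:tc:SAML:2.0:protocol"">
    <md:KeyDescriptor use=""signing"">
      <ds:KeyInfo xmlns:ds=""http://www.w3.org/2000/09/xmldsig#""><ds:X509Data>
        <ds:X509Certificate>MIIB-PLACEHOLDER-CERT</ds:X509Certificate>
      </ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleSignOnService Binding=""urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect""
                            Location=""https://idp.example.test/saml/sso""/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>";

    // Reachability: the address must be an absolute https URL that answers within the timeout.
    public static async Task<(bool Ok, string Message)> VerifyAsync(string metadataAddress)
    {
        if (!Uri.TryCreate(metadataAddress, UriKind.Absolute, out var uri) || uri.Scheme != Uri.UriSchemeHttps)
            return (false, "Metadata address must be an absolute https:// URL.");

        using var http = new HttpClient { Timeout = TimeSpan.FromSeconds(10) };
        string body;
        try
        {
            body = await http.GetStringAsync(uri);
        }
        catch (Exception ex) when (ex is HttpRequestException || ex is TaskCanceledException)
        {
            return (false, $"Metadata address is not reachable: {ex.Message}");
        }
        return Inspect(body);
    }

    // Well-formedness and content: parse safely, then check the SAML metadata structure.
    public static (bool Ok, string Message) Inspect(string xml)
    {
        XDocument doc;
        try
        {
            // Prohibiting DTDs and removing the resolver blocks entity expansion and
            // external entity fetches from a hostile or misconfigured metadata endpoint.
            var settings = new XmlReaderSettings { DtdProcessing = DtdProcessing.Prohibit, XmlResolver = null };
            using var reader = XmlReader.Create(new StringReader(xml), settings);
            doc = XDocument.Load(reader);
        }
        catch (XmlException ex)
        {
            return (false, $"Metadata is not well-formed XML: {ex.Message}");
        }

        var root = doc.Root;
        if (root == null || root.Name != Md + "EntityDescriptor")
            return (false, $"Root element is '{root?.Name}', expected md:EntityDescriptor.");

        var entityId = (string)root.Attribute("entityID");
        if (string.IsNullOrWhiteSpace(entityId))
            return (false, "EntityDescriptor has no entityID attribute.");

        var idp = root.Element(Md + "IDPSSODescriptor");
        if (idp == null)
            return (false, "No IDPSSODescriptor: this is not an Identity Provider's metadata.");

        // A key descriptor with use="signing" (or no 'use', which means both) is needed
        // to validate the IdP's assertion signatures.
        bool hasSigningKey = idp.Elements(Md + "KeyDescriptor")
            .Any(k => (string)k.Attribute("use") is null or "signing");
        if (!hasSigningKey)
            return (false, "IDPSSODescriptor has no signing KeyDescriptor.");

        var sso = idp.Elements(Md + "SingleSignOnService").Select(e => (string)e.Attribute("Location")).ToList();
        if (sso.Count == 0)
            return (false, "IDPSSODescriptor has no SingleSignOnService endpoint.");

        return (true, $"OK: entityID={entityId}, SSO endpoints: {string.Join(", ", sso)}");
    }

    public static async Task<int> Main(string[] args)
    {
        var result = args.Length == 1 ? await VerifyAsync(args[0]) : Inspect(SampleMetadata);
        Console.WriteLine(result.Message);
        return result.Ok ? 0 : 1;
    }
}
```

Run without arguments to exercise the parser against the embedded sample; run with a URL to check a live endpoint. The structural checks go beyond what the page's button promises (reachable and well-formed) so that a metadata document for the wrong role, or one without a signing key, is caught at configuration time rather than at the first login.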
Step 6: Sign-In Scheme
Here we select the Sign in Scheme that will handle authentication:
Name | Required | Type | Description |
---|---|---|---|
Sign in Scheme | Yes | Text | Sign in Scheme representing an authentication handler in your IDS code |
The interface offers default schemes for IdentityServer and Asp.Identity in the form of radio buttons. These options will automatically populate the Sign in Scheme field. However, you also have the flexibility to manually enter a different scheme if desired.
IdentityServer Overriding Sign In/Out Schemes
Depending on how Identity Server's SAML plug-in is configured, this setting could be overridden. If 'SignInScheme' or 'SignOutScheme' are set in Saml2pAuthenticationOptions in Identity Server, these will override the settings configured in AdminUI.
The following code fragment shows one way these settings could be configured:
```csharp
services.AddIdentityServer(...)
    .AddSamlDynamicProvider(options =>
    {
        // Values set here take precedence over the Sign in Scheme chosen in AdminUI.
        options.SignInScheme = "MySignInScheme";
        options.SignOutScheme = "MySignOutScheme";
    });
```
Step 7: Summary
The final step in the creation process is a summary that allows you to review the settings for the dynamic provider as a whole and go back to make changes. There is also the option to disable the provider if you do not want it to be active immediately.