How do I configure SAML 2.0 as an external SSO identity provider for Identity Server 4?
Alright, let's break down how to add SAML 2.0 support to your existing Identity Server 4 setup using the Sustainsys.Saml2 library. This lets your customers log in with their own SAML identity providers in the same way they already log in with Facebook or Google.
Since Identity Server 4 already works with external providers like Facebook and Google, SAML 2.0 fits into the same flow: it is just one more ASP.NET Core authentication scheme that signs in to Identity Server's external cookie. Here's a step-by-step guide:
1. Install Required NuGet Packages
First, add the package that integrates Sustainsys.Saml2 with ASP.NET Core authentication. One package is enough; the core Sustainsys.Saml2 library comes in as a dependency. Run this in your project's CLI or Package Manager Console:
Install-Package Sustainsys.Saml2.AspNetCore2
2. Configure Sustainsys.Saml2 in Your App
Depending on whether you're using the old Startup.cs or the newer top-level Program.cs, wire up the SAML services and middleware:
For Program.cs:
- Register SAML 2.0 as an authentication scheme. This example includes a basic hardcoded provider (we'll cover dynamic setup next). The scheme name ("Saml2") and the display name are what Identity Server's login page will show:
using IdentityServer4;
using Microsoft.AspNetCore.Authentication;
using Microsoft.Extensions.DependencyInjection;
using Sustainsys.Saml2;
using Sustainsys.Saml2.AspNetCore2;
using Sustainsys.Saml2.Metadata;

builder.Services.AddAuthentication()
    .AddSaml2("Saml2", "Customer SSO", options =>
    {
        // Your Identity Server's SAML entity ID (use your actual HTTPS URL).
        // Sustainsys serves the assertion consumer service at https://<host>/Saml2/Acs by default.
        options.SPOptions.EntityId = new EntityId("https://your-identity-server-domain/Saml2");

        // Sign the authenticated identity in to Identity Server's external cookie,
        // exactly as the Google/Facebook handlers do.
        options.SignInScheme = IdentityServerConstants.ExternalCookieAuthenticationScheme;

        // Add a customer's SAML identity provider
        options.IdentityProviders.Add(new IdentityProvider(
            new EntityId("https://your-customer-saml-provider/metadata"), options.SPOptions)
        {
            // Fetch the SSO URL and signing keys from the provider's metadata
            // (the metadata location defaults to the entity ID URL).
            LoadMetadata = true,
            // If metadata isn't published, set the SSO URL by hand instead and
            // add the provider's signing certificate with SigningKeys.AddConfiguredKey(...):
            // SingleSignOnServiceUrl = new Uri("https://your-customer-saml-provider/sso")
        });
    });
- No separate SAML middleware is needed. The AspNetCore2 package plugs into ASP.NET Core authentication, and app.UseIdentityServer() already adds the authentication middleware that runs the SAML handler (including the /Saml2/Acs endpoint that receives the response). Keep your pipeline as it is:
app.UseIdentityServer();
3. Register SAML as an External Provider with Identity Server
Nothing extra is needed on the Identity Server builder. Any authentication scheme registered with AddAuthentication().AddSaml2(...) whose SignInScheme is the external cookie is listed as an external login option alongside Facebook/Google, because Identity Server enumerates the registered schemes. Your Identity Server configuration stays as it is:
builder.Services.AddIdentityServer()
    // Keep your existing config (clients, identity resources, API resources)
    .AddAspNetIdentity<ApplicationUser>();
// The SAML scheme is registered separately via builder.Services.AddAuthentication().AddSaml2(...)
4. Support Dynamic Customer SAML Providers
Since each customer will have their own SAML setup, you'll want to load provider configurations from a database instead of hardcoding them. Two things to keep in mind: the AddSaml2 options lambda is synchronous, so read the rows first and pass them in (or add providers later at runtime; the IdentityProviders collection is thread-safe and can be updated while the app runs), and an identity provider configured without metadata must also get its signing certificate, otherwise the SAML response signature cannot be verified and the login fails. Here's an example of how to do that:
using System;
using System.Collections.Generic;
using System.Security.Cryptography.X509Certificates;
using Sustainsys.Saml2;
using Sustainsys.Saml2.AspNetCore2;
using Sustainsys.Saml2.Metadata;
using Sustainsys.Saml2.WebSso;

// Call this from inside the AddSaml2(options => ...) lambda with the rows read
// from your database, e.g. _dbContext.SamlProviders.ToList(). Adjust the row
// type (SamlProviderRow) to match your model.
static void AddCustomerProviders(Saml2Options options, IEnumerable<SamlProviderRow> customerSamlProviders)
{
    foreach (var provider in customerSamlProviders)
    {
        var idp = new IdentityProvider(new EntityId(provider.EntityId), options.SPOptions);

        if (provider.UseMetadata)
        {
            // SSO URL and signing keys are read from the provider's metadata document.
            idp.LoadMetadata = true;
        }
        else
        {
            // No metadata: set the SSO endpoint by hand and pin the provider's
            // signing certificate (stored as base64 in your DB).
            idp.SingleSignOnServiceUrl = new Uri(provider.SsoUrl);
            idp.Binding = Saml2BindingType.HttpRedirect;
            idp.SigningKeys.AddConfiguredKey(
                new X509Certificate2(Convert.FromBase64String(provider.SigningCertificate)));
        }

        options.IdentityProviders.Add(idp);
    }
}
5. Test the Login Flow
Once everything is set up, your users will see the new option (the display name you gave the scheme) on your Identity Server's login page. When they select it, they'll be redirected to their organization's SAML login screen. After successful authentication, the provider posts the signed response back to /Saml2/Acs, Sustainsys verifies the signature against the configured or metadata-loaded keys, signs the identity in to the external cookie, and Identity Server completes the login just like with Facebook or Google. When several customer providers share one scheme, the challenge has to say which one to use: put the customer's entity ID in the "idp" entry of AuthenticationProperties.Items when you call Challenge; otherwise Sustainsys uses the first configured provider.
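The whole procedure above in one Program.cs, as an added example that is not part of the original answer: the Identity Server registration, the SAML scheme with SignInScheme pointing at the external cookie, two customer providers (one from metadata, one configured by hand), the middleware order, and a minimal endpoint that starts the flow for a chosen customer. ApplicationUser, the customer entity IDs and URLs, the CustomerB:SigningCertificate configuration key and the /saml2/challenge route are assumptions for this example; the rest are real IdentityServer4, ASP.NET Core and Sustainsys.Saml2 APIs.

```csharp
// Program.cs (added example). Assumed names: ApplicationUser (your existing
// Identity user type), the customer entity IDs/URLs, the CustomerB:SigningCertificate
// config key and the /saml2/challenge route.
using System;
using System.Security.Cryptography.X509Certificates;
using IdentityServer4;
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Http;
using Microsoft.Extensions.DependencyInjection;
using Sustainsys.Saml2;
using Sustainsys.Saml2.AspNetCore2;
using Sustainsys.Saml2.Metadata;
using Sustainsys.Saml2.WebSso;

var builder = WebApplication.CreateBuilder(args);

builder.Services.AddControllersWithViews(); // the quickstart UI is MVC

// Existing Identity Server setup stays as it is (clients, resources, ASP.NET Identity).
builder.Services.AddIdentityServer()
    .AddAspNetIdentity<ApplicationUser>();

// One "Saml2" scheme that holds every customer's IdP. The second argument is the
// text Identity Server's login page shows for the button.
builder.Services.AddAuthentication()
    .AddSaml2("Saml2", "Customer SSO", options =>
    {
        // Same external cookie the Google/Facebook handlers use, so the quickstart
        // /External/Callback action picks the identity up unchanged.
        options.SignInScheme = IdentityServerConstants.ExternalCookieAuthenticationScheme;

        // Our SP entity ID; the ACS endpoint is https://<host>/Saml2/Acs by default.
        options.SPOptions.EntityId = new EntityId("https://your-identity-server-domain/Saml2");

        // Customer A publishes metadata over HTTPS: SSO URL and signing keys come from it.
        options.IdentityProviders.Add(new IdentityProvider(
            new EntityId("https://idp.customer-a.example/metadata"), options.SPOptions)
        {
            LoadMetadata = true,
            AllowUnsolicitedAuthnResponse = false, // no IdP-initiated logins unless a customer needs them
        });

        // Customer B has no metadata endpoint: set the SSO URL and pin its signing
        // certificate (base64 DER read from configuration; assumed key).
        var customerB = new IdentityProvider(
            new EntityId("https://idp.customer-b.example"), options.SPOptions)
        {
            SingleSignOnServiceUrl = new Uri("https://idp.customer-b.example/sso"),
            Binding = Saml2BindingType.HttpRedirect,
            AllowUnsolicitedAuthnResponse = false,
        };
        var certBase64 = builder.Configuration["CustomerB:SigningCertificate"]
            ?? throw new InvalidOperationException("CustomerB:SigningCertificate is not configured");
        customerB.SigningKeys.AddConfiguredKey(new X509Certificate2(Convert.FromBase64String(certBase64)));
        options.IdentityProviders.Add(customerB);
    });

var app = builder.Build();

app.UseHttpsRedirection(); // SAML responses carry the signed assertion; never serve the ACS over plain HTTP
app.UseStaticFiles();
app.UseRouting();
app.UseIdentityServer();   // adds the authentication middleware; no extra SAML middleware needed
app.UseAuthorization();
app.MapDefaultControllerRoute();

// Start the flow for a specific customer. With several IdPs in one scheme, Sustainsys
// uses the entity ID found in the "idp" item of AuthenticationProperties; the "scheme"
// and "returnUrl" items are what the quickstart ExternalController.Callback reads back.
app.MapGet("/saml2/challenge", (string idp, string? returnUrl) =>
{
    var props = new AuthenticationProperties
    {
        RedirectUri = "/External/Callback",
        Items =
        {
            ["scheme"] = "Saml2",
            ["returnUrl"] = returnUrl ?? "~/",
            ["idp"] = idp,
        },
    };
    return Results.Challenge(props, new[] { "Saml2" });
});

app.Run();
```

A login page link for "Acme Corp" therefore points at /saml2/challenge?idp=https://idp.customer-a.example/metadata&returnUrl=... rather than at the generic external challenge. The two AllowUnsolicitedAuthnResponse = false settings are the library default, written out so that an IdP-initiated response from a customer is rejected unless you deliberately enable it for that customer.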
Important Tips
- HTTPS is mandatory: the SAML response is posted to your assertion consumer service and the identity provider's metadata (and therefore its signing keys) is fetched over the web, so run Identity Server over HTTPS and make sure provider metadata and SSO URLs are HTTPS as well.
- Check the signing keys: a provider added without metadata must have its signing certificate added via SigningKeys.AddConfiguredKey, and a metadata-loaded provider trusts whatever keys the metadata document publishes, which is why that document has to come from an HTTPS URL you have verified with the customer.
- Customize the UI: the display name argument of AddSaml2(scheme, displayName, ...) is what Identity Server's login page shows for the option (e.g. "Login with Acme Corp SSO"). Identity Server reads it from the authentication scheme, not from the IdentityProvider object.
- Troubleshooting: if you run into issues, enable Sustainsys.Saml2 logging in your appsettings.json to debug metadata loading or authentication errors, and turn it back down afterwards, since debug output includes details of the exchanged SAML messages:
{ "Logging": { "LogLevel": { "Sustainsys.Saml2": "Debug" } } }
The question is from Stack Exchange; question author: Jay.