Step-by-Step Guide - Identity Provider
This section walks you through the recommended steps for enabling your web application to act as a SAML identity provider and support SAML SSO (and single logout) with partner service providers.
Creating a Certificate
An X.509 certificate and its private key are required because the SAML messages and assertions sent by your identity provider must be signed. Partner service providers verify those signatures with the public certificate, so only the certificate is shared with them; the private key stays with your application and should be protected like any other credential.
Use the CreateSelfSignedCert console application to create a self-signed certificate.
For more information, refer to the Certificates section.
Creating the Local Identity Provider Configuration
The SAML configuration specifies the local identity provider and, later, its partner service providers. The Configuration section describes the various alternatives for specifying SAML configuration. Here we will use the simplest approach, which is to store the SAML configuration in your application's appsettings.json.
Use the CreateConfiguration console application to create a saml.json.
Copy the generated configuration from saml.json into your application's appsettings.json.
For more information, refer to the Configuration section.
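As an added illustration (not output of CreateConfiguration and not taken from the product's documentation), the following shows the shape the SAML section of appsettings.json takes once both the local identity provider and one partner service provider have been configured. The property names follow those used in the ComponentSpace example projects and are an assumption to be checked against the Configuration section; the entity names, URLs, certificate file names and password are placeholders.

```json
{
  "ComponentSpace": {
    "SAML": {
      "Configurations": [
        {
          "LocalIdentityProviderConfiguration": {
            "Name": "https://idp.example.com",
            "Description": "Example Identity Provider",
            "SingleSignOnServiceUrl": "https://idp.example.com/SAML/SingleSignOnService",
            "SingleLogoutServiceUrl": "https://idp.example.com/SAML/SingleLogoutService",
            "LocalCertificates": [
              {
                "FileName": "certificates/idp.pfx",
                "Password": "change-me"
              }
            ]
          },
          "PartnerServiceProviderConfigurations": [
            {
              "Name": "https://sp.example.org",
              "Description": "Example Service Provider",
              "WantAuthnRequestSigned": true,
              "SignSamlResponse": true,
              "SignAssertion": true,
              "AssertionConsumerServiceUrl": "https://sp.example.org/SAML/AssertionConsumerService",
              "SingleLogoutServiceUrl": "https://sp.example.org/SAML/SingleLogoutService",
              "PartnerCertificates": [
                {
                  "FileName": "certificates/sp.cer"
                }
              ]
            }
          ]
        }
      ]
    }
  }
}
```

Two practical points. The local certificate entry references the PFX that holds the private key, whereas the partner entry references only the partner's public certificate. And the PFX password should not be committed with the application: ASP.NET Core configuration lets you leave the value out of appsettings.json and supply it from user secrets or an environment variable such as ComponentSpace__SAML__Configurations__0__LocalIdentityProviderConfiguration__LocalCertificates__0__Password, which the configuration system maps onto the same key.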
Exporting the Local Identity Provider Metadata
SAML metadata is the standard format for exchanging configuration information between SAML providers. Your identity provider's metadata (its entity ID, endpoint URLs and signing certificate) is supplied to partner providers so they can update their internal configuration to support SSO.
Use the ExportMetadata console application to generate the SAML metadata.
Share the SAML metadata with your partner provider(s). You can either publish the metadata for download from an HTTPS URL or supply it directly to the partner provider.
For more information, refer to the Metadata section.
Importing the Partner Service Provider Metadata
SAML metadata supplied by partner providers is used to update your SAML configuration with the partner service provider's settings, including its assertion consumer service URL and signing certificate. Because those values determine where your identity provider will send assertions and whose signatures it will accept, only import metadata obtained from the partner over a trusted channel (for example an HTTPS URL the partner controls).
Use the ImportMetadata console application to update the SAML configuration.
For more information, refer to the Metadata section.
Updating the Application Code
The SAML API section describes the SAML APIs that support the SSO and SLO flows when acting as the identity provider.
The Examples section lists the example projects. These are a good starting point for understanding how to call the SAML API.
Update your application to call the SAML API to enable SAML SSO. In particular, your identity provider must expose the single sign-on service and single logout service endpoints named in its configuration and must authenticate the user before any assertion is issued.
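The following added example (not code from the product or its documentation) sketches an ASP.NET Core controller that implements the identity provider side of SP-initiated SSO, IdP-initiated SSO and single logout. The ISamlIdentityProvider method names and argument orders (ReceiveSsoAsync, SendSsoAsync, InitiateSsoAsync, ReceiveSloAsync, SendSloAsync) follow the ComponentSpace example projects and are assumptions to confirm against the SAML API section; the action names are chosen to match the endpoint URLs used in the configuration example above and are likewise assumptions.

```csharp
// Added example, not the product's own code. Method names on ISamlIdentityProvider
// are assumed from the ComponentSpace example projects; check the SAML API section.
using System.Collections.Generic;
using System.Security.Claims;
using System.Threading.Tasks;
using ComponentSpace.Saml2;
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Mvc;

public class SamlController : Controller
{
    private readonly ISamlIdentityProvider _samlIdentityProvider;

    public SamlController(ISamlIdentityProvider samlIdentityProvider)
    {
        _samlIdentityProvider = samlIdentityProvider;
    }

    // SP-initiated SSO. The partner SP sends its AuthnRequest to this endpoint, which is the
    // SingleSignOnServiceUrl in the local identity provider configuration. ReceiveSsoAsync
    // parses and validates the request (including its signature when the partner is
    // configured with WantAuthnRequestSigned) and remembers it as the pending SSO.
    [HttpGet, HttpPost]
    public async Task<IActionResult> SingleSignOnService()
    {
        await _samlIdentityProvider.ReceiveSsoAsync();

        // Defer to the application's normal login. [Authorize] on the completion action
        // guarantees no assertion is issued for an unauthenticated user.
        return RedirectToAction(nameof(SingleSignOnServiceCompletion));
    }

    [Authorize]
    public async Task<IActionResult> SingleSignOnServiceCompletion()
    {
        // Attribute values come from the authenticated principal, never from request input.
        var userName = User.Identity.Name;
        var attributes = new List<SamlAttribute>
        {
            new SamlAttribute(ClaimTypes.Email, User.FindFirst(ClaimTypes.Email)?.Value)
        };

        // Completes the pending SSO: builds the signed SAML response/assertion and sends it
        // to the partner's configured AssertionConsumerServiceUrl.
        await _samlIdentityProvider.SendSsoAsync(userName, attributes);
        return new EmptyResult();
    }

    // IdP-initiated SSO. The user is already logged in here and selects a partner SP.
    // partnerName must match a configured partner; the library rejects unknown partners,
    // so the application does not have to trust this value for anything else.
    [Authorize]
    public async Task<IActionResult> InitiateSingleSignOn(string partnerName, string returnUrl)
    {
        await _samlIdentityProvider.InitiateSsoAsync(partnerName, User.Identity.Name, null, returnUrl);
        return new EmptyResult();
    }

    // Single logout. This endpoint is the SingleLogoutServiceUrl in the local configuration
    // and receives both logout requests and logout responses from partner SPs.
    [HttpGet, HttpPost]
    public async Task<IActionResult> SingleLogoutService()
    {
        var sloResult = await _samlIdentityProvider.ReceiveSloAsync();

        if (sloResult.IsRequest)
        {
            // A partner SP asked to log the user out: end the local session, then answer.
            await HttpContext.SignOutAsync();
            await _samlIdentityProvider.SendSloAsync();
            return new EmptyResult();
        }

        // A logout response to an SLO we initiated; the local session is already gone.
        return Redirect("/");
    }
}
```

The ordering matters for security: ReceiveSsoAsync is called before the user is challenged so that an invalid or unsigned request from the partner is rejected up front, and SendSsoAsync runs only behind [Authorize], so the assertion's subject and attributes always describe a user who authenticated to this application.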
Testing SAML SSO
Before testing, ensure the following have been completed:
- Your application's appsettings.json has been updated with the SAML configuration.
- The local certificate (with its private key) and the partner certificate files are correctly referenced in the SAML configuration and readable by the application at runtime.
- Your application has been updated to call the SAML API.
- The partner service provider's settings have been imported from its metadata into your SAML configuration.
- The partner provider has imported your SAML metadata and is ready.