SAML API - Common
This section describes classes common to both service provider and identity provider implementations.
SAMLController
The SAMLController class includes methods for specifying SAML configuration and other settings.
Configuration Selection
The configuration name specifies the SAML configuration to use when processing SSO and SLO requests for the current browser session.
It must match the name of one of the SAML configurations.
Typically, it's used in multi-tenant applications where each tenant has a separate SAML configuration.
There are no concurrency issues setting the configuration name for multiple browser sessions as it's stored in the SAML SSO session state.
Note
Specifying the configuration name is only required when there are multiple SAML configurations.
For example:
SSOOptions
SSOOptions encapsulates various options associated with SSO.
All SSOOptions fields are included in the SAML authentication request unless otherwise noted.
Subject
The subject in the SAML authentication request.
Conditions
The conditions in the SAML authentication request.
RequestedUserName
The requested user name identifies the user to be authenticated.
The default is none.
ForceAuthn
The ForceAuthn flag requests that the identity provider discard any existing user authentication session and establish a new user authentication session.
The default is false.
IsPassive
The IsPassive flag requests that the identity provider not visibly take control of the user interface.
The default is false.
AllowCreate
The AllowCreate flag indicates whether the identity provider is allowed to create a new user as part of processing the request.
The default is true.
ProviderName
The provider name is the human-readable name of the requesting SAML provider.
The default is none.
NameIDFormat
The name ID format specifies the format of the name ID.
The default is none.
SPNameQualifier
The service provider name qualifier specifies that the assertion subject's identifier be returned in the namespace of a service provider other than the requester.
The default is none.
RequestedAuthnContexts
The requested authentication contexts place requirements on the authentication process at the identity provider. For example, they may request multi-factor authentication of users.
The default is none.
RequestedAuthnContextComparison
The comparison method is used to evaluate the requested contexts.
The comparison methods are:
- exact
- minimum
- maximum
- better
The default is exact.
TrustedIdentityProviders
The trusted identity providers are included as scoping information in the authentication request.
The default is none.
AssertionConsumerServiceIndex
The assertion consumer service index identifies which assertion consumer service endpoint to use.
Destination
The destination specifies the address to which the SAML authentication request is sent.
The default is the configured single sign-on service URL.
Extensions
Optional SAML extensions to include in the authentication request.
TrustedIdentityProvider
TrustedIdentityProvider specifies scoping information.
ProviderID
The provider ID identifies the SAML provider by its ID.
Name
The name is the human-readable name of the SAML provider.
The default is none.
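As an added example (not the library's own code), the following Python builds a SAML 2.0 AuthnRequest from an SSOOptions-like dictionary whose keys mirror the field names above, including the TrustedIdentityProvider entries that become Scoping/IDPList, so you can see where each option lands in the XML. Subject, Conditions and Extensions are left out because the page treats them as opaque; the function name, the dictionary shape and the sample values are assumptions.

```python
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
ET.register_namespace("samlp", SAMLP)
ET.register_namespace("saml", SAML)


def build_authn_request(request_id, issuer, issue_instant, destination, options):
    """Build an AuthnRequest from an SSOOptions-like dict (assumed shape: keys mirror
    the field names on this page). A missing key means 'none' and emits nothing."""
    req = ET.Element(f"{{{SAMLP}}}AuthnRequest", {
        "ID": request_id, "Version": "2.0",
        "IssueInstant": issue_instant, "Destination": destination,
    })
    # ForceAuthn and IsPassive default to false; a false flag is simply left out.
    for flag in ("ForceAuthn", "IsPassive"):
        if options.get(flag):
            req.set(flag, "true")
    if "ProviderName" in options:
        req.set("ProviderName", options["ProviderName"])
    if "AssertionConsumerServiceIndex" in options:
        req.set("AssertionConsumerServiceIndex", str(options["AssertionConsumerServiceIndex"]))
    # Schema order: Issuer, Subject, NameIDPolicy, RequestedAuthnContext, Scoping.
    ET.SubElement(req, f"{{{SAML}}}Issuer").text = issuer
    if "RequestedUserName" in options:
        subject = ET.SubElement(req, f"{{{SAML}}}Subject")
        ET.SubElement(subject, f"{{{SAML}}}NameID").text = options["RequestedUserName"]
    # NameIDPolicy carries AllowCreate (default true), NameIDFormat and SPNameQualifier.
    policy = ET.SubElement(req, f"{{{SAMLP}}}NameIDPolicy",
                           {"AllowCreate": "true" if options.get("AllowCreate", True) else "false"})
    if "NameIDFormat" in options:
        policy.set("Format", options["NameIDFormat"])
    if "SPNameQualifier" in options:
        policy.set("SPNameQualifier", options["SPNameQualifier"])
    # RequestedAuthnContexts plus the comparison method (default exact).
    if options.get("RequestedAuthnContexts"):
        rac = ET.SubElement(req, f"{{{SAMLP}}}RequestedAuthnContext",
                            {"Comparison": options.get("RequestedAuthnContextComparison", "exact")})
        for class_ref in options["RequestedAuthnContexts"]:
            ET.SubElement(rac, f"{{{SAML}}}AuthnContextClassRef").text = class_ref
    # TrustedIdentityProviders become Scoping/IDPList/IDPEntry (ProviderID, optional Name).
    if options.get("TrustedIdentityProviders"):
        idp_list = ET.SubElement(ET.SubElement(req, f"{{{SAMLP}}}Scoping"), f"{{{SAMLP}}}IDPList")
        for idp in options["TrustedIdentityProviders"]:
            entry = ET.SubElement(idp_list, f"{{{SAMLP}}}IDPEntry", {"ProviderID": idp["ProviderID"]})
            if "Name" in idp:
                entry.set("Name", idp["Name"])
    return req
```

Serialise the returned element with ET.tostring to inspect the request; in practice the request is then signed and encoded per the binding in use.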