Each SAML ServiceProvider requires a corresponding OpenIddict application (the OIDC client record). The following options on that application are required by the component:
ClientId (string)
The unique identifier of the service provider. Must be the same as the EntityId configured on the Service Provider.

Permissions (HashSet<string>)
The permissions for the client. Scope permissions are configured here with the scp: prefix (for example scp:profile). These scope permissions dictate which claim types will be returned in the SAML assertions.
Service Provider
EntityId (string)
The unique identifier of the service provider. Must be the same as the ClientId of the OpenIddict application.

SigningCertificates (List<X509Certificate2>)
The service provider's public keys (certificates). Used for validating the signatures on incoming requests; only the SP's public key belongs here, never its private key.

AssertionConsumerServices (List<Service>)
The service provider endpoints that SAML responses and assertions will be sent to.

SingleLogoutServices (List<Service>)
The service provider endpoints that SAML logout requests and responses will be sent to.

ArtifactResolutionServices (List<Service>)
The service provider endpoints where artifacts will be resolved. Only the SOAP binding is supported.

ClaimsMapping (IDictionary<string, string>)
Maps OpenID Connect claim types to SAML-suitable claim types. Claim types not defined in the mapping will not be included in generated SAML tokens, so the mapping also acts as an allow-list of what the SP receives. Overrides the default found in SamlIdpOptions. Example: {"name", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"}
SignAssertions (bool)
When true, the generated assertion will be signed (as opposed to just the SAML response). Defaults to true.

EncryptAssertions (bool)
When true, the generated assertions will be encrypted. Defaults to false.

EncryptionCertificate (X509Certificate2)
The service provider's public key that will be used to encrypt generated assertions. Only used when EncryptAssertions is true.

AllowIdpInitiatedSso (bool)
When true, allows OpenIddict to generate IdP-initiated SSO responses for this service provider. Defaults to false. An IdP-initiated response carries no InResponseTo, so the SP cannot tie it to a request it made; enable this only for SPs that need it.
NameIdentifierFormat (string)
The NameID format to use in SAML assertions. If this value is not set, the default NameID format specified in the configuration options, DefaultNameIdentifierFormat, will be used.

ArtifactDeliveryBindingType (string)
The binding type to use for sending artifacts. If this value is not set, the default binding type specified in the configuration options, ArtifactDeliveryBindingType, will be used. Only urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect and urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST are supported.

RequireSamlMessageDestination (bool)
Indicates whether incoming messages must contain a Destination attribute. When true, message validation fails if the destination is missing. Defaults to true. Keep it true: the Destination check is what stops a message intended for one endpoint being replayed against another.
RequireAuthenticationRequestsSigned (bool?)
Indicates whether all authentication requests sent by this service provider must be signed. This option overrides the global IdP config setting WantAuthenticationRequestsSigned. If null, the IdP uses WantAuthenticationRequestsSigned. If false, the IdP ignores any signature validation failures for authentication requests sent by this service provider, which means a tampered or forged AuthnRequest is accepted; use false only for an SP that cannot sign, and treat it as an accepted risk. Defaults to null.

RequireSignedArtifactResponses (bool?)
Indicates whether received ArtifactResponse messages must be signed.

RequireSignedArtifactResolveRequests (bool?)
Indicates whether received ArtifactResolve messages must be signed.
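As an added example (not code from this page or from the component's own samples), here is how the two records above pair up in C#. It uses the real OpenIddictApplicationDescriptor and OpenIddictConstants.Permissions.Prefixes.Scope from OpenIddict.Abstractions; the ServiceProvider and Service classes are stand-ins carrying the property names documented above, because the component's actual type names, constructors and registration API are not given on this page and are assumed. Validate and PreviewSamlClaims are the example's own helpers, and the EntityId, endpoint URLs, claims and certificate are constructed sample values.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Security.Claims;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;
using OpenIddict.Abstractions;

// ASSUMPTION: the component exposes a service-provider type and a Service (binding + location)
// type with the property names documented above. These two classes are stand-ins with those
// names so the example compiles on its own; they are not the component's real types.
public sealed class Service
{
    public string Binding { get; init; } = "";
    public string Location { get; init; } = "";
}

public sealed class ServiceProvider
{
    public string EntityId { get; init; } = "";
    public List<X509Certificate2> SigningCertificates { get; } = new();
    public List<Service> AssertionConsumerServices { get; } = new();
    public IDictionary<string, string> ClaimsMapping { get; init; } = new Dictionary<string, string>();
    public bool SignAssertions { get; init; } = true;
    public bool EncryptAssertions { get; init; }
    public X509Certificate2? EncryptionCertificate { get; init; }
    public bool RequireSamlMessageDestination { get; init; } = true;
    public bool? RequireAuthenticationRequestsSigned { get; init; }
}

public static class SpRegistration
{
    // Constructed sample values; in a real deployment they come from the SP's metadata.
    public const string SpEntityId = "https://sp.example.com/saml";
    const string HttpPost = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST";

    // The OpenIddict application record: ClientId equals the EntityId, claims released via scp: permissions.
    public static OpenIddictApplicationDescriptor BuildClient() => new()
    {
        ClientId = SpEntityId,
        Permissions =
        {
            OpenIddictConstants.Permissions.Prefixes.Scope + "profile", // "scp:profile"
            OpenIddictConstants.Permissions.Prefixes.Scope + "email",   // "scp:email"
        },
    };

    // The matching SAML service-provider record.
    public static ServiceProvider BuildServiceProvider(X509Certificate2 spSigningCert) => new()
    {
        EntityId = SpEntityId,
        SigningCertificates = { spSigningCert },   // the SP's public key, used to verify its requests
        AssertionConsumerServices = { new Service { Binding = HttpPost, Location = "https://sp.example.com/saml/acs" } },
        ClaimsMapping = new Dictionary<string, string>
        {
            ["name"]  = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name",
            ["email"] = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress",
        },
        SignAssertions = true,
        RequireSamlMessageDestination = true,
        RequireAuthenticationRequestsSigned = true, // false would make the IdP ignore signature failures
    };

    // Consistency checks for the pairing rules stated in the docs; returns the problems found.
    public static IReadOnlyList<string> Validate(OpenIddictApplicationDescriptor client, ServiceProvider sp)
    {
        var problems = new List<string>();
        if (client.ClientId != sp.EntityId) problems.Add("ClientId must equal EntityId");
        if (sp.AssertionConsumerServices.Count == 0) problems.Add("no AssertionConsumerService to deliver responses to");
        if (sp.RequireAuthenticationRequestsSigned != false && sp.SigningCertificates.Count == 0)
            problems.Add("signed requests expected but no SigningCertificates configured");
        if (sp.RequireAuthenticationRequestsSigned == false) problems.Add("signature failures on AuthnRequests will be ignored");
        if (sp.EncryptAssertions && sp.EncryptionCertificate is null) problems.Add("EncryptAssertions set without EncryptionCertificate");
        if (!client.Permissions.Any(p => p.StartsWith(OpenIddictConstants.Permissions.Prefixes.Scope)))
            problems.Add("no scp: permissions, so no claims will be released");
        return problems;
    }

    // Mirrors the documented ClaimsMapping rule: mapped claim types are renamed, unmapped ones are dropped.
    public static List<Claim> PreviewSamlClaims(IEnumerable<Claim> oidcClaims, IDictionary<string, string> mapping) =>
        oidcClaims.Where(c => mapping.ContainsKey(c.Type)).Select(c => new Claim(mapping[c.Type], c.Value)).ToList();

    public static void Main()
    {
        // Throwaway self-signed certificate standing in for the SP's real signing certificate.
        using var key = RSA.Create(2048);
        using var spCert = new CertificateRequest("CN=sp.example.com", key, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1)
            .CreateSelfSigned(DateTimeOffset.UtcNow, DateTimeOffset.UtcNow.AddYears(1));

        var client = BuildClient();
        var sp = BuildServiceProvider(spCert);
        foreach (var problem in Validate(client, sp)) Console.WriteLine("config problem: " + problem);

        var oidcClaims = new[] { new Claim("name", "Alice"), new Claim("email", "alice@example.com"), new Claim("phone_number", "555-0100") };
        foreach (var c in PreviewSamlClaims(oidcClaims, sp.ClaimsMapping))
            Console.WriteLine($"{c.Type} = {c.Value}"); // phone_number never appears: it is not in the mapping
    }
}
```

Run the checks at startup or in a unit test before persisting the records; a ClientId/EntityId mismatch or a missing signing certificate is far cheaper to catch there than as a failed SSO flow in production.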