While OpenIddict is Identity schema agnostic, it expects user claims to be resolved during endpoint pass-through. The SAML component for OpenIddict also requires user information to populate SAML assertions, though the component does not use the same pass-through pattern. Instead, an IOpenIddictSamlUserResolver is required to resolve user information during requests.
The Rsk.Saml.OpenIddict.AspNetCore.Identity package can be used to resolve user information for OpenIddict instances using ASP.NET Identity. If you are using another Identity schema, see using a custom Identity schema with OpenIddict Saml.
Install Rsk.Saml.OpenIddict.AspNetCore.Identity Package
You can install the ASP.NET Identity integration package into your project using your preferred method, for example:
dotnet add package Rsk.Saml.OpenIddict.AspNetCore.Identity
You can configure the package using the OpenIddictSamlBuilder extension method AddSamlAspIdentity, specifying your IdentityUser class as the generic type argument.
options.AddSamlPlugin(builder =>
{
    builder.UseSamlEntityFrameworkCore()
        .AddSamlMessageDbContext()
        .AddSamlConfigurationDbContext();
    builder.ConfigureSamlOpenIddictServerOptions();
    builder.PruneSamlMessages();
    builder.AddSamlAspIdentity<ApplicationUser>();
});
This will add an IOpenIddictSamlUserResolver that will attempt to resolve the requested claim types from the user's claims. AddSamlAspIdentity will also reconfigure the default UserIdClaimType, UserNameClaimType, RoleClaimType and EmailClaimType from their default XML namespace values (the System.Security.Claims.ClaimTypes URIs) to the standard JwtClaimTypes values required by the SAML component, which is equivalent to the following IdentityOptions configuration:
builder.Services.Configure<IdentityOptions>(options =>
{
    options.ClaimsIdentity.UserIdClaimType = JwtClaimTypes.Subject;
    options.ClaimsIdentity.UserNameClaimType = JwtClaimTypes.Name;
    options.ClaimsIdentity.RoleClaimType = JwtClaimTypes.Role;
    options.ClaimsIdentity.EmailClaimType = JwtClaimTypes.Email;
});
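The resolver described above can only populate a SAML assertion with claims that actually exist on the Identity user, and only if the Identity claim types have been remapped as shown. The following is an added example, not code from the Rsk.Saml.OpenIddict documentation or package: it provisions a user with the attribute claims a service provider commonly requests (stored under the JwtClaimTypes names the resolver looks for) and then builds the user's ClaimsPrincipal the way SignInManager does, checking that the subject and name claims carry JwtClaimTypes names rather than the legacy ClaimTypes URIs. It assumes an ApplicationUser : IdentityUser class, a reference to the IdentityModel package for JwtClaimTypes, and that AddSamlAspIdentity<ApplicationUser>() (or the explicit IdentityOptions block above) has already been registered; the user values are constructed sample data.

```csharp
// Added example, not part of the Rsk.Saml.OpenIddict package or its docs.
// Assumes: ApplicationUser : IdentityUser, IdentityModel's JwtClaimTypes, and that
// AddSamlAspIdentity<ApplicationUser>() has been registered on the OpenIddict builder.
using System;
using System.Linq;
using System.Security.Claims;
using System.Threading.Tasks;
using IdentityModel;
using Microsoft.AspNetCore.Identity;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.Extensions.Options;

public static class SamlIdentitySmokeCheck
{
    // Creates (or reuses) a user and attaches the claims a SAML service provider
    // would typically request. The AspIdentity resolver matches requested claim
    // types against AspNetUserClaims, so the short JWT names are used as the keys.
    public static async Task<ApplicationUser> ProvisionUserAsync(IServiceProvider services)
    {
        using var scope = services.CreateScope();
        var userManager = scope.ServiceProvider.GetRequiredService<UserManager<ApplicationUser>>();

        const string email = "alice@example.test"; // constructed sample value
        var user = await userManager.FindByEmailAsync(email);
        if (user is null)
        {
            user = new ApplicationUser { UserName = "alice", Email = email };
            var created = await userManager.CreateAsync(user);
            if (!created.Succeeded)
                throw new InvalidOperationException(
                    string.Join("; ", created.Errors.Select(e => e.Description)));
        }

        var wanted = new[]
        {
            new Claim(JwtClaimTypes.GivenName, "Alice"),   // constructed sample values
            new Claim(JwtClaimTypes.FamilyName, "Example"),
        };
        var existing = await userManager.GetClaimsAsync(user);
        foreach (var claim in wanted)
        {
            if (!existing.Any(c => c.Type == claim.Type))
                await userManager.AddClaimAsync(user, claim);
        }
        return user;
    }

    // Builds the ClaimsPrincipal exactly as SignInManager would and verifies that
    // the configured claim types and the resulting claims use JwtClaimTypes names.
    // A false result means the remapping did not take effect, so assertions issued
    // for this user would lack the expected subject/name/role/email claims.
    public static async Task<bool> ClaimTypesAreAlignedAsync(IServiceProvider services, ApplicationUser user)
    {
        using var scope = services.CreateScope();
        var factory = scope.ServiceProvider.GetRequiredService<IUserClaimsPrincipalFactory<ApplicationUser>>();
        var identityOptions = scope.ServiceProvider.GetRequiredService<IOptions<IdentityOptions>>().Value;

        bool optionsMapped =
            identityOptions.ClaimsIdentity.UserIdClaimType == JwtClaimTypes.Subject &&
            identityOptions.ClaimsIdentity.UserNameClaimType == JwtClaimTypes.Name &&
            identityOptions.ClaimsIdentity.RoleClaimType == JwtClaimTypes.Role &&
            identityOptions.ClaimsIdentity.EmailClaimType == JwtClaimTypes.Email;

        var principal = await factory.CreateAsync(user);

        // Expect "sub" and "name"; the legacy NameIdentifier URI must be absent.
        bool principalMapped =
            principal.HasClaim(c => c.Type == JwtClaimTypes.Subject && c.Value == user.Id) &&
            principal.HasClaim(c => c.Type == JwtClaimTypes.Name && c.Value == user.UserName) &&
            !principal.HasClaim(c => c.Type == ClaimTypes.NameIdentifier);

        return optionsMapped && principalMapped;
    }
}

// Usage, e.g. in Program.cs after `var app = builder.Build();`:
//   var user = await SamlIdentitySmokeCheck.ProvisionUserAsync(app.Services);
//   if (!await SamlIdentitySmokeCheck.ClaimTypesAreAlignedAsync(app.Services, user))
//       throw new InvalidOperationException("Identity claim types are not mapped to JwtClaimTypes.");
```

Running the check at startup (or in an integration test) catches the common misconfiguration where ASP.NET Identity is registered after the SAML plugin with its own IdentityOptions, silently restoring the XML namespace claim types; in that state the resolver finds no sub or name claim and the issued assertions are incomplete.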