SamlIdpOptions
The SamlIdpOptions class is required to configure component usage. Settings here are applied to all service providers unless overridden by a ServiceProvider record.
Licensee string
The licensee value received upon purchase
LicenseKey string
The license key value received upon purchase
SamlEndpoint string
The base URL for SAML 2.0 endpoints. Defaults to saml
IncludeSubjectConfirmationDataNotBefore bool
Ensures that generated SubjectConfirmations contain a NotBefore value. The presence of this property can break some service providers. Defaults to false
Metadata MetadataOptions
Configuration for the IdP metadata document. Allows for the setting of caching instructions as well as organization and contact details.
DefaultNameIdentifierFormat string
The default NameID format to use in SAML assertions if a NameID format is not requested by the SP. If a ServiceProvider has been configured with NameIdentifierFormat, the ServiceProvider setting takes precedence over this default. Defaults to urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified
DefaultSignatureAlgorithm string
The default signature algorithm to use for signing. Defaults to http://www.w3.org/2001/04/xmldsig-more#rsa-sha256
DefaultDigestAlgorithm string
The default digest algorithm to use for signing. Defaults to http://www.w3.org/2001/04/xmlenc#sha256
DefaultCanonicalizationMethod string
The default canonicalization method to use for signing. Defaults to http://www.w3.org/2001/10/xml-exc-c14n#
UseLegacyRsaEncryption bool
When true, service providers configured for encryption will have their assertions encrypted using the RSAES-PKCS1-v1_5 algorithm. When false, assertions will be encrypted using the RSAES-OAEP algorithm. Defaults to false.
MessageTrustLength TimeSpan
The amount of time to trust incoming SAML messages from their issue date. Defaults to 5 minutes
WantAuthenticationRequestsSigned bool
Indicates a requirement for SAML authentication requests to be signed. When true, incoming authentication request validation will fail if the request is not signed. Defaults to true
RequireSignedLogoutRequests bool
Indicates if logout requests must be signed. When true, incoming logout request validation will fail if the request is not signed. Defaults to false
RequireSignedLogoutResponses bool
Indicates if logout responses must be signed. When true, incoming logout response validation will fail if the response is not signed. Defaults to false
RequireSignedArtifactResponses bool
Indicates if received ArtifactResponse messages must be signed. When true, incoming ArtifactResponse validation will fail if the response is not signed. Defaults to true
RequireSignedArtifactResolveRequests bool
Indicates if received ArtifactResolve messages must be signed. When true, incoming ArtifactResolve validation will fail if the request is not signed. Defaults to true
TimeComparisonTolerance int
Used in time comparisons during SAML protocol validation. Allows the timestamps being compared to differ by up to this number of seconds, which helps with clock skew between servers. Microsoft uses a default setting of 300 seconds, but we recommend using the lowest possible value. Defaults to 0
RequireAuthenticatedUserForLogoutRequests bool
Indicates if an authenticated user is required for logout requests. When true, incoming logout request validation will fail if a user is not currently signed in. Defaults to false
LogSamlMessages bool
Indicates if SAML messages should be logged. Used for debugging only. When true, SAML messages will be logged as debug messages. Defaults to false
ArtifactDeliveryBindingType string
The default global binding type to use for sending artifacts. This value can be set per service provider using the ArtifactDeliveryBindingType property on the ServiceProvider object; the service provider configuration takes precedence over this global setting. Only urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect and urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST are supported. Defaults to urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect
ArtifactLifeTime TimeSpan
The amount of time that an artifact is valid, after which the artifact will be marked as expired. Defaults to 5 minutes
RequireCspHeadersForLogout bool
Indicates if frame-src CSP headers are required for front-channel logout callback notifications when using iFrames. Defaults to true
UseIFramesForSlo bool
Indicates whether to use iFrames for notifying service providers during Single Logout. When false, each service provider will be redirected to iteratively. Defaults to true
CspOptions SamlCspOptions
The Content Security Policy options
UserInteraction SamlUserInteractionOptions
Settings for interacting with the SAML Identity Provider
DefaultClaimMapping IDictionary<string, string>
Maps OpenID format claim types to SAML suitable claim types. Claim types not defined in the mapping will not be included in generated SAML tokens. Defaults to:
{ "name", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"},
{ "email", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress" },
{ "given_name", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname" },
{ "family_name", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname" },
{ "birthdate", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/dateofbirth" },
{ "website", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/webpage" },
{ "gender", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/gender" },
{ "role", "http://schemas.microsoft.com/ws/2008/06/identity/claims/role" }
SamlUserInteractionOptions
RequestIdParameter string
The query string parameter to use when transporting the current SAML request ID
SamlCspOptions
Level SamlCspLevel
The minimum CSP level. Defaults to SamlCspLevel.Two
AddDeprecatedHeader bool
Indicates if the deprecated X-Content-Security-Policy header should be added. Defaults to true
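The following is an added example, not code from the component's own documentation, showing how the options above fit together in a hardened global configuration that tightens the signing requirements which default to false and keeps the secure defaults explicit. The registration call AddIdentityServer().AddSamlPlugin(...), the "Saml" configuration section, the namespace using directives and the "department" claim URI are assumptions; the option names, types and defaults are those listed on this page.

```csharp
// Added example: a hardened SamlIdpOptions setup. The AddSamlPlugin entry point,
// the "Saml" configuration section and the component namespaces are assumed.
using System;
using Microsoft.Extensions.Configuration;
using Microsoft.Extensions.DependencyInjection;
// using Rsk.Saml...;  // component namespaces omitted; they vary by version (assumption)

public static class SamlIdpConfiguration
{
    public static IServiceCollection AddHardenedSamlIdp(this IServiceCollection services, IConfiguration config)
    {
        services.AddIdentityServer()
            .AddSamlPlugin(options =>   // assumed registration entry point
            {
                // License values from the purchase, read from configuration rather than hard-coded.
                options.Licensee = config["Saml:Licensee"];
                options.LicenseKey = config["Saml:LicenseKey"];

                // Signature requirements that already default to true, stated explicitly
                // so a later edit cannot silently relax them.
                options.WantAuthenticationRequestsSigned = true;      // default true
                options.RequireSignedArtifactResponses = true;        // default true
                options.RequireSignedArtifactResolveRequests = true;  // default true

                // Logout requirements default to false; turn them on so unsigned or
                // unauthenticated logout traffic is rejected during validation.
                options.RequireSignedLogoutRequests = true;               // default false
                options.RequireSignedLogoutResponses = true;              // default false
                options.RequireAuthenticatedUserForLogoutRequests = true; // default false

                // Freshness windows: messages and artifacts are trusted for a bounded time.
                options.MessageTrustLength = TimeSpan.FromMinutes(5);  // default 5 minutes
                options.ArtifactLifeTime = TimeSpan.FromMinutes(2);    // default 5 minutes

                // Clock skew allowance in seconds: keep it as low as your servers permit.
                options.TimeComparisonTolerance = 30;   // default 0; Microsoft uses 300

                // Assertion encryption uses RSAES-OAEP unless legacy PKCS#1 v1.5 is enabled.
                options.UseLegacyRsaEncryption = false; // default false

                // Message logging is a debugging aid only; keep it off outside development.
                options.LogSamlMessages = false;        // default false

                // SHA-256 based signing defaults, restated so they are visible in review.
                options.DefaultSignatureAlgorithm = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256";
                options.DefaultDigestAlgorithm = "http://www.w3.org/2001/04/xmlenc#sha256";
                options.DefaultCanonicalizationMethod = "http://www.w3.org/2001/10/xml-exc-c14n#";

                // Artifact delivery: only HTTP-Redirect and HTTP-POST are supported.
                options.ArtifactDeliveryBindingType = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect";

                // Claim mapping: claims not present in the mapping are not emitted in the
                // assertion, so each extra claim must be mapped explicitly. Assumes the
                // dictionary is pre-populated with the documented defaults; the URI is constructed.
                options.DefaultClaimMapping["department"] = "http://example.com/claims/department";

                // Front-channel logout via iFrames requires frame-src CSP headers.
                options.UseIFramesForSlo = true;            // default true
                options.RequireCspHeadersForLogout = true;  // default true
                options.CspOptions.Level = SamlCspLevel.Two; // assumes CspOptions is non-null
                options.CspOptions.AddDeprecatedHeader = false;
            });

        return services;
    }
}
```

Call services.AddHardenedSamlIdp(Configuration) from the host's service registration; per-SP overrides such as NameIdentifierFormat or ArtifactDeliveryBindingType on a ServiceProvider record still take precedence over these global values, as the reference above states.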