While OpenIddict is identity schema agnostic, it expects user claims to be resolved during endpoint pass-through. The SAML component for OpenIddict also requires user information to populate SAML assertions, but it does not use the same pass-through pattern. Instead, an IOpenIddictSamlUserResolver implementation is required to resolve user information during requests.
The Rsk.Saml.OpenIddict.AspNetCore.Identity package can be used to resolve user information for OpenIddict instances that use ASP.NET Core Identity. If you are using another identity schema, see Using a Custom Identity Schema with OpenIddict SAML.
Install Rsk.Saml.OpenIddict.AspNetCore.Identity Package
You can install the ASP.NET Core Identity integration package into your project using your preferred method.
dotnet add package Rsk.Saml.OpenIddict.AspNetCore.Identity
You can configure the package using the OpenIddictSamlBuilder extension method AddSamlAspIdentity, specifying your IdentityUser class as the generic type argument.
options.AddSamlPlugin(builder =>
{
    builder.UseSamlEntityFrameworkCore()
        .AddSamlMessageDbContext()
        .AddSamlConfigurationDbContext();
    builder.ConfigureSamlOpenIddictServerOptions();
    builder.PruneSamlMessages();
    builder.AddSamlAspIdentity<ApplicationUser>();
});
This adds an IOpenIddictSamlUserResolver that attempts to resolve the requested claim types from the user's claims. AddSamlAspIdentity also changes the default UserIdClaimType, UserNameClaimType, RoleClaimType and EmailClaimType from their default XML namespace values to the standard JwtClaimTypes values required by the SAML component; this is equivalent to the following configuration:
builder.Services.Configure<IdentityOptions>(options =>
{
    options.ClaimsIdentity.UserIdClaimType = JwtClaimTypes.Subject;
    options.ClaimsIdentity.UserNameClaimType = JwtClaimTypes.Name;
    options.ClaimsIdentity.RoleClaimType = JwtClaimTypes.Role;
    options.ClaimsIdentity.EmailClaimType = JwtClaimTypes.Email;
});
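As an added check (not code from the Rsk package or from this page), the following can be run once at start-up to confirm that the claim type remapping above took effect and that the ClaimsPrincipal Identity builds for a user actually carries the claim types the SAML user resolver looks for. It assumes JwtClaimTypes comes from the IdentityModel namespace and that ApplicationUser is the registered Identity user type.

```csharp
using System;
using System.Threading.Tasks;
using IdentityModel;                              // JwtClaimTypes (assumed namespace)
using Microsoft.AspNetCore.Identity;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.Extensions.Options;

// Start-up check (added here, not part of the Rsk package): fails fast if the
// Identity claim types the SAML user resolver relies on were not remapped, or if
// the principal Identity builds for a user does not actually carry them.
public static class SamlIdentityClaimCheck
{
    public static async Task VerifyAsync(IServiceProvider services, ApplicationUser user)
    {
        var claims = services.GetRequiredService<IOptions<IdentityOptions>>().Value.ClaimsIdentity;

        // Each Identity claim type setting and the JwtClaimTypes value the SAML component expects.
        var mappings = new (string Setting, string Actual, string Expected)[]
        {
            ("UserIdClaimType",   claims.UserIdClaimType,   JwtClaimTypes.Subject),
            ("UserNameClaimType", claims.UserNameClaimType, JwtClaimTypes.Name),
            ("RoleClaimType",     claims.RoleClaimType,     JwtClaimTypes.Role),
            ("EmailClaimType",    claims.EmailClaimType,    JwtClaimTypes.Email),
        };
        foreach (var (setting, actual, expected) in mappings)
        {
            if (actual != expected)
            {
                throw new InvalidOperationException(
                    $"IdentityOptions.ClaimsIdentity.{setting} is '{actual}' but the SAML component " +
                    $"resolves '{expected}'; assertions built for users would be missing that claim.");
            }
        }

        // UserManager is scoped, so resolve the principal factory inside a scope.
        using var scope = services.CreateScope();
        var factory = scope.ServiceProvider
            .GetRequiredService<IUserClaimsPrincipalFactory<ApplicationUser>>();
        var principal = await factory.CreateAsync(user);

        // The default principal factory always emits the user id and user name claims using
        // the configured claim types; email and role claims depend on the user's data.
        foreach (var type in new[] { JwtClaimTypes.Subject, JwtClaimTypes.Name })
        {
            if (!principal.HasClaim(c => c.Type == type))
            {
                throw new InvalidOperationException(
                    $"Principal for user '{user.Id}' has no '{type}' claim; check the IdentityOptions mapping.");
            }
        }
    }
}
```

Call `SamlIdentityClaimCheck.VerifyAsync(app.Services, someUser)` from a start-up or integration test with a known test user; a failure here surfaces a claim mapping problem before it shows up as an empty NameID or missing attributes in issued assertions.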