While the OpenIddict samples use the ASP.NET Identity package to hold user data, OpenIddict is not tightly coupled to any single Identity schema. If you are using the ASP.NET Identity schema with your OpenIddict instance, you can use the Rsk.Saml.OpenIddict.AspNetCore.Identity package for an out-of-the-box solution; for more information, see our OpenIddict ASP.NET Identity documentation.
If you are using another user schema, you will need to provide your own implementation of the IOpenIddictSamlUserResolver interface.
IOpenIddictSamlUserResolver
using System;
using System.Collections.Generic;
using System.Security.Claims;
using System.Threading.Tasks;

public interface IOpenIddictSamlUserResolver
{
    /// <summary>
    /// Determine whether a user with the <paramref name="subject"/> id is active.
    /// </summary>
    /// <param name="subject">The sub claim of the user whose active status should be retrieved.</param>
    /// <returns><c>true</c> if a user with the passed-in sub claim is active, <c>false</c> otherwise.</returns>
    /// <exception cref="ArgumentException">Thrown when the <paramref name="subject"/> is either <c>null</c> or an empty string.</exception>
    Task<bool> IsActiveUser(string subject);

    /// <summary>
    /// Retrieves the claims for the user whose subject claim is passed in.
    /// </summary>
    /// <param name="subject">The sub claim of the user for which claims should be retrieved.</param>
    /// <returns>A populated collection of claims if a user with the passed-in subject claim is authenticated, otherwise an empty collection of claims.</returns>
    /// <exception cref="ArgumentException">Thrown when the <paramref name="subject"/> is either <c>null</c> or an empty string.</exception>
    Task<IEnumerable<Claim>> GetUserClaims(string subject);
}
The IOpenIddictSamlUserResolver interface contains two methods. IsActiveUser checks that the user with the corresponding subject value is still active and has not been deleted. GetUserClaims returns all Claim information for a user; the SAML layer filters these claims against the client's AllowedScopes before inserting them into SAML Responses.
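The following is an added example, not code from the documentation or from the Rsk.Saml.OpenIddict package, showing one way to implement IOpenIddictSamlUserResolver over a custom user store. The CustomUser record, the ICustomUserStore lookup, the in-memory store and the claim type names ("sub", "email", "name", "role") are all assumptions made for the example; the interface itself comes from the package, so its namespace must be imported alongside the usings shown. The important behaviours are the ones the interface contract calls for: a null or empty subject throws ArgumentException, a deleted or locked-out user reports inactive, and an inactive user yields an empty claim collection rather than stale attributes.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Security.Claims;
using System.Threading.Tasks;
// plus: using <namespace of IOpenIddictSamlUserResolver from the Rsk.Saml.OpenIddict package>;

// Hypothetical user record for a custom (non-ASP.NET Identity) schema.
public sealed class CustomUser
{
    public string Subject { get; init; } = "";
    public string Email { get; init; } = "";
    public string DisplayName { get; init; } = "";
    public bool IsDeleted { get; init; }
    public bool IsLockedOut { get; init; }
    public IReadOnlyList<string> Roles { get; init; } = Array.Empty<string>();
}

// Hypothetical lookup over the user store, keyed by the subject ("sub") claim.
// In a real deployment this is backed by your database.
public interface ICustomUserStore
{
    Task<CustomUser?> FindBySubjectAsync(string subject);
}

// Resolver implementation for the custom schema.
public sealed class CustomUserSamlResolver : IOpenIddictSamlUserResolver
{
    private readonly ICustomUserStore _store;

    public CustomUserSamlResolver(ICustomUserStore store) => _store = store;

    public async Task<bool> IsActiveUser(string subject)
    {
        RequireSubject(subject);
        var user = await _store.FindBySubjectAsync(subject);
        return IsActive(user);
    }

    public async Task<IEnumerable<Claim>> GetUserClaims(string subject)
    {
        RequireSubject(subject);
        var user = await _store.FindBySubjectAsync(subject);

        // An unknown, deleted or locked-out user gets no claims at all, so no SAML
        // assertion can be built for a subject that should no longer sign in.
        if (!IsActive(user))
            return Enumerable.Empty<Claim>();

        // Return the full claim set; the package filters it against the
        // client's AllowedScopes before it reaches the SAML Response.
        var claims = new List<Claim>
        {
            new Claim("sub", user!.Subject),
            new Claim("email", user.Email),
            new Claim("name", user.DisplayName),
        };
        claims.AddRange(user.Roles.Select(role => new Claim("role", role)));
        return claims;
    }

    // Interface contract: null or empty subject is an ArgumentException.
    private static void RequireSubject(string subject)
    {
        if (string.IsNullOrEmpty(subject))
            throw new ArgumentException("Subject must be a non-empty string.", nameof(subject));
    }

    // A user is active only if the record exists and is neither deleted nor locked out.
    private static bool IsActive(CustomUser? user) =>
        user is { IsDeleted: false, IsLockedOut: false };
}

// Constructed in-memory store for exercising the resolver without a database.
public sealed class InMemoryUserStore : ICustomUserStore
{
    private readonly Dictionary<string, CustomUser> _users = new()
    {
        ["user-1"] = new CustomUser { Subject = "user-1", Email = "alice@example.com", DisplayName = "Alice", Roles = new[] { "admin" } },
        ["user-2"] = new CustomUser { Subject = "user-2", Email = "bob@example.com", DisplayName = "Bob", IsDeleted = true },
    };

    public Task<CustomUser?> FindBySubjectAsync(string subject) =>
        Task.FromResult(_users.TryGetValue(subject, out var user) ? user : null);
}

// Registration (assumed: standard ASP.NET Core dependency injection; the resolver is
// picked up from the container wherever the package needs it):
//   services.AddScoped<ICustomUserStore, InMemoryUserStore>();
//   services.AddScoped<IOpenIddictSamlUserResolver, CustomUserSamlResolver>();
```

With the constructed store above, "user-1" is active and yields sub, email, name and role claims, "user-2" is deleted and yields an empty collection, and any subject not in the store is treated the same as a deleted one. Keeping the active check inside GetUserClaims, rather than relying on the caller to invoke IsActiveUser first, means a revoked account cannot leak attributes into an assertion through a code path that skipped the check.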