In IdentityServer3 I have configured multiple instances of SAML2 based external providers using SustainSys library as per the documentation.
I got it working, but i have question about SPOptions.EntityID aka Audience Uri. (This is NOT the EntityID that external provider give us, but instead it's the EntityID that i need to provide to external provider)
Should this Audience Uri be unique for each instance?
Lets say, i configured 2 instances of SAML2 providers(Okta and Azure AD) in production, then based on the sample code provided, for particular environment the Audience Uriwill NOT be unique.
Below is my code based on sample code. (For brevity i have removed few lines)
public class Startup
{
public void Configuration(IAppBuilder app)
{
app.Map("/identity", idsrvApp =>
{
var identityServerOptions = new IdentityServerOptions
{
AuthenticationOptions = new AuthenticationOptions()
{
EnableAutoCallbackForFederatedSignout = true,
EnableSignOutPrompt = false
}
.Configure(ConfigureExternalIdentityProviders)
};
idsrvApp.UseIdentityServer(identityServerOptions);
});
}
private void ConfigureExternalIdentityProviders(IAppBuilder app, string signInAsType)
{
// Add okta
AddSAML2Idp(
app,
signInAsType,
"https://id.mydomain.com/identity/Saml2", //audienceURI
"okta", //idpname
"okta", //caption
"https://www.okta.com/exk4yxtgy7ZzSDp8e0h7", // externalEntityID
"https://dev-490944.oktapreview.com/app/exk4yxtgy7ZzSDp8e0h7/sso/saml/metadata"); // metadataLocation
// Add Azure AD
AddSAML2Idp(app,
signInAsType,
"https://id.mydomain.com/identity/Saml2", //audienceURI
"azuread", //idpname
"Azure ad", //caption
"https://sts.windows.net/xxxxx-fb1d-40c4-xxxxx-xxxxxxxx/", //externalEntityID
"https://login.microsoftonline.com/xxxx-fb1d-40c4-40c4-xxxxxxx/federationmetadata/2007-06/federationmetadata.xml?appid=xxxx-xxxx-xxxx-xxxx-xxxxxx"); //metadataLocation
}
private void AddSAML2Idp(IAppBuilder app, string signInAsType,string audienceURI, string idpname, string caption, string externalEntityID, string metadataLocation)
{
var authenticationOptions = new Saml2AuthenticationOptions(false)
{
SPOptions = new SPOptions
{
EntityId = new EntityId(audienceURI),
ModulePath = string.Format("/{0}", idpname)
},
SignInAsAuthenticationType = signInAsType,
AuthenticationType = idpname,
Caption = caption
};
UseIdSrv3LogoutOnFederatedLogout(app, authenticationOptions);
authenticationOptions.SPOptions.ServiceCertificates.Add(LoadCertificateFromWindwosStore());
var identityProvider = new IdentityProvider(new EntityId(externalEntityID), authenticationOptions.SPOptions)
{
MetadataLocation = metadataLocation,
LoadMetadata = true
};
authenticationOptions.IdentityProviders.Add(identityProvider);
app.UseSaml2Authentication(authenticationOptions);
}
So for okata
Audience Uri: https://id.mydomain.com/identity/Saml2
ACS Uri: https://id.mydomain.com/identity/okta/acs
and for Azure AD
Audience Uri: https://id.mydomain.com/identity/Saml2
ACS Uri: https://id.mydomain.com/identity/azuread/acs
Note the audience uri is same for both instances.
Should it be unique for each instances like:
https://id.mydomain.com/identity/okta
https://id.mydomain.com/identity/azuread
Logically the two instances are two different SAML2 Service Providers and should have different Entity IDs. But, as you're not exposing both of them to the same upstream Idp it doesn't matter.