Configuration Examples
This is a basic example of the SAML20Federation config section with only the required sections.
<saml2>
  <allowedAudienceUris>
    <audience uri="http://www.example.com" />
  </allowedAudienceUris>
  <serviceProvider id="urn:SPName" server="https://www.example.com">
    <endpoints>
      <endpoint localPath="Login.ashx" type="signon" redirectUrl="~/AuthenticatedHomePage" />
      <endpoint localPath="Logout.ashx" type="logout" redirectUrl="~/HomePage" />
      <endpoint localPath="Metadata.ashx" type="metadata" />
    </endpoints>
  </serviceProvider>
  <identityProviders metadata="METADATALOCATION"/>
</saml2>
Below is an example of the same configuration, but with several of the optional sections also filled in. In this case, the Identity Provider requires that a NameIdFormat be specified (specifically, the IdP has stated that only the "transient" NameIdFormat should be used), that a RequestedAuthnContext be included in the request (so an AuthenticationContext is specified), and that the signing certificate given in the IdP's metadata file is self-signed (so certificate validation must be configured to allow this).
In addition, this example includes two Identity Providers, because the live setup it was pulled from has one IdP for testing and one for production; other setups where multiple Identity Providers are specified are also possible.
<saml2>
  <allowedAudienceUris>
    <audience uri="http://www.example.com" />
  </allowedAudienceUris>
  <serviceProvider id="urn:SPName" server="https://www.example.com">
    <endpoints>
      <endpoint localPath="Login.ashx" type="signon" redirectUrl="~/AuthenticatedHomePage" />
      <endpoint localPath="Logout.ashx" type="logout" redirectUrl="~/HomePage" />
      <endpoint localPath="Metadata.ashx" type="metadata" />
    </endpoints>
    <nameIdFormats allowCreate="true">
      <add format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient"/>
    </nameIdFormats>
    <authenticationContexts comparison="Exact">
      <add context="urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport" referenceType="AuthnContextClassRef"/>
    </authenticationContexts>
  </serviceProvider>
  <identityProviders metadata="METADATALOCATION">
    <add id="default.idp.com" default="true">
      <certificateValidations>
        <add type="SAML2.Specification.SelfIssuedCertificateSpecification, SAML2" />
      </certificateValidations>
    </add>
    <add id="test.idp.com">
      <certificateValidations>
        <add type="SAML2.Specification.SelfIssuedCertificateSpecification, SAML2" />
      </certificateValidations>
    </add>
  </identityProviders>
  <metadata>
    <contacts>
      <contact type="Administrative" company="" givenName="" surName="" email="" phone="" />
    </contacts>
    <requestedAttributes>
      <add name="urn:cn" />
    </requestedAttributes>
  </metadata>
</saml2>
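As an added example (not part of this wiki or the SAML2 library), the following script reads a saml2 section like the ones above and reports the settings a reviewer would want to look at before deployment: a clear-text audience or server URL, a metadata location left at the METADATALOCATION placeholder, a multi-IdP setup without exactly one default, and any IdP configured with SelfIssuedCertificateSpecification (meaning a self-signed signing certificate is accepted, so the metadata file itself becomes the trust anchor). The sample config is constructed from the page's second example; the severities and messages are this script's own, not the library's.

```python
"""Lint a SAML2 <saml2> config section for security-relevant settings."""
import xml.etree.ElementTree as ET

# Constructed sample: trimmed from the page's second example, placeholder left in place.
SAMPLE_CONFIG = """<saml2>
  <allowedAudienceUris>
    <audience uri="http://www.example.com" />
  </allowedAudienceUris>
  <serviceProvider id="urn:SPName" server="https://www.example.com">
    <endpoints>
      <endpoint localPath="Login.ashx" type="signon" redirectUrl="~/AuthenticatedHomePage" />
    </endpoints>
  </serviceProvider>
  <identityProviders metadata="METADATALOCATION">
    <add id="default.idp.com" default="true">
      <certificateValidations>
        <add type="SAML2.Specification.SelfIssuedCertificateSpecification, SAML2" />
      </certificateValidations>
    </add>
    <add id="test.idp.com" />
  </identityProviders>
</saml2>"""

SELF_ISSUED = "SelfIssuedCertificateSpecification"  # validator type name used on the page


def lint_saml2_config(xml_text):
    """Return a list of (severity, message) findings for a <saml2> section."""
    root = ET.fromstring(xml_text)
    findings = []
    for aud in root.iterfind("./allowedAudienceUris/audience"):
        uri = aud.get("uri", "")
        if uri.startswith("http://"):
            findings.append(("warn", f"audience {uri} uses http; it must match the IdP's AudienceRestriction exactly"))
    sp = root.find("serviceProvider")
    if sp is not None and not sp.get("server", "").startswith("https://"):
        findings.append(("high", "serviceProvider server is not https; the IdP would post assertions to a clear-text endpoint"))
    idps = root.find("identityProviders")
    if idps is not None:
        if idps.get("metadata") in (None, "", "METADATALOCATION"):
            findings.append(("high", "identityProviders metadata location is unset or still the placeholder"))
        entries = idps.findall("add")
        defaults = [e for e in entries if e.get("default") == "true"]
        if len(entries) > 1 and len(defaults) != 1:
            findings.append(("warn", f"{len(entries)} IdPs configured but {len(defaults)} marked default"))
        for e in entries:
            for v in e.iterfind("./certificateValidations/add"):
                if SELF_ISSUED in v.get("type", ""):
                    findings.append(("info", f"IdP {e.get('id')} accepts self-signed signing certs; protect the metadata file"))
    return findings
```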