Over the past few months, we have been updating our SAML component to work with both IdentityServer4 and Duende IdentityServer. As a result, we have split our component into separate packages to handle SAML identity provider and service provider functionality.

To support both versions of IdentityServer, we have made changes to the namespaces used by the component. For the majority of users, this means a simple search and replace from Rsk.IdentityServer4.Saml to Rsk.Saml.IdentityServer4. If you are extending any of our implementations, then you may need to update some method signatures.

Which SAML Library Should I Use?

Choose from the options below to decide which SAML library you should use:

  • I am a SAML Service Provider (I want to allow users to log in using an external SAML Identity Provider): use Rsk.Saml
  • I am a SAML Identity Provider (I want to allow users in external systems to log in using my user store):
    • I am using IdentityServer4: use Rsk.Saml.IdentityServer4
    • I am using Duende IdentityServer: use Rsk.Saml.DuendeIdentityServer

Other Libraries

In order to support both IdentityServer4 and Duende IdentityServer, and remove all dependencies on IdentityServer from our service provider functionality, we now have some new SAML libraries:

  • Rsk.Saml: core SAML functionality and service provider functionality
  • Rsk.Saml.IdentityServer4: IdentityServer4 SAML identity provider functionality
  • Rsk.Saml.DuendeIdentityServer: Duende IdentityServer SAML identity provider functionality
  • Rsk.Saml.IdentityProvider: identity provider functionality shared by the IdentityServer4 and Duende IdentityServer libraries

Storage Layers

  • Rsk.IdentityProvider.Storage.EntityFramework: core entity framework storage layer for identity providers
  • Rsk.Saml.IdentityServer4.EntityFramework: IdentityServer4 storage layer
  • Rsk.Saml.DuendeIdentityServer.EntityFramework: Duende IdentityServer storage layer

If you are an existing customer of our SAML component, you can continue to use Rsk.IdentityServer4.Saml and Rsk.IdentityServer4.Saml.EntityFramework libraries. These libraries reference the correct version of our new package structure, with version 4 providing IdentityServer4 support and version 5 providing Duende IdentityServer support.

Release Notes – Rsk.Saml v3.3.0

Before we cover the big v4 changes, here are the highlights from recent minor versions of our SAML identity provider (IdP) and service provider (SP) libraries:

  • IdP: Added the UseLegacyRsaEncryption option; setting it to false disables the use of RSAES-PKCS1-v1_5. It currently defaults to true but will be changed to false in an upcoming release
  • IdP: Interaction generator service is now called after user authentication, allowing for the use of a consent screen or cancel button
  • SP: Added support for AttributeConsumingService
  • Added support for NameIDPolicy
  • Updated internal cryptography libraries to use .NET Core implementations

Release Notes – Rsk.Saml v4

With this release, we have changed the namespaces to always use the root namespace Rsk.Saml. We have also changed some method signatures; however, you will only see this if you are overriding any of the internals of our SAML component.

If you experience any issues with the new structure, please contact us at [email protected], and we will be happy to help.

New Features

  • IdP: Added support for Duende IdentityServer
  • SP: Added support for .NET 5.0

Improvements

  • SP: Dropped dependency on IdentityServer
  • IdP: Improved developer experience with ISamlInteractionService. You can now pass the full return URL to the GetRequestContext method. This is not a breaking change as the method can handle both the request ID and return URL
  • Improved logging of received SAML response messages
  • Added ISamlSigningCertificateStore extensibility point for SAML specific signing material
  • IdP: Added ISamlClientStore extensibility point for SAML specific client application configuration
  • IdP: Added ISamlResourceStore extensibility point for SAML specific resource & scope configuration
  • Added SAML-specific configuration options for controlling Content Security Policy (CSP) headers when using the HTTP POST binding

Breaking Changes

  • Root namespace change: all namespaces now use Rsk.Saml
  • Dropped support for IdentityServer4 v3
  • Obsoletes from Rsk.Saml v3 have now been removed
  • Removed GenerateNameId from ISamlNameIdService. Please use the ISamlNameIdGenerator instead
  • SP: Updated logout validation failure to throw an InvalidOperationException, copying the behavior of Microsoft authentication handlers. This behavior can be overridden using the ThrowOnLogoutError configuration setting
  • SP: Removed custom ISamlSpNameIdService. Please use the core ISamlNameIdService instead
  • SP: Renamed RequireSamlResponseDestination to RequireSamlMessageDestination
  • SP: Removed RequireAuthenticationRequestsSigned
  • IdP: Updated the default value of RequireValidSamlLogoutRequests to true. This setting will be removed in a future version, and invalid SAML logout requests will always result in an error
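To show how the settings named in the v3.3.0 and v4 notes above fit together after the namespace change, here is an added example for ASP.NET Core, written for this post and not code from the Rsk.Saml packages or their authors. It registers the Duende IdentityServer SAML IdP plugin in one host and the SAML SP authentication handler in another. The registration methods AddSamlPlugin and AddSaml2p, the option classes IdpOptions and SpOptions, the SamlEndpoint and SamlBindingTypes types, the namespaces in the using directives, and the placement of each option property are assumptions to confirm against the package documentation; license values, entity IDs, URLs and certificate file names are placeholders.

```csharp
// Added example (not from the Rsk.Saml packages): two registration helpers, one per host role.
// Namespaces, method names and option property placement below are ASSUMPTIONS to verify
// against the package documentation; all licence values, URLs and file names are placeholders.
using System.Collections.Generic;
using System.Security.Cryptography.X509Certificates;
using Microsoft.Extensions.DependencyInjection;
using Rsk.Saml.Configuration;   // assumed: IdpOptions, SpOptions, SamlEndpoint, SamlBindingTypes
using Rsk.Saml.DuendeIdentityServer.Configuration; // assumed: IdP plugin options (v4 root namespace Rsk.Saml)

public static class SamlRegistration
{
    // Identity provider host: Duende IdentityServer + Rsk.Saml.DuendeIdentityServer.
    public static void ConfigureIdentityProvider(IServiceCollection services)
    {
        services.AddIdentityServer()
            .AddSamlPlugin(options =>
            {
                options.Licensee = "<LICENSEE>";      // placeholder
                options.LicenseKey = "<LICENSE-KEY>"; // placeholder

                // v3.3.0 option: opt out of RSAES-PKCS1-v1_5 now rather than waiting for the
                // default to flip to false in a later release.
                options.UseLegacyRsaEncryption = false;

                // v4 default is already true; set it explicitly so the intent survives the
                // planned removal of the setting (invalid logout requests will always error).
                options.RequireValidSamlLogoutRequests = true;
            });
        // A service provider store (for example the Rsk.Saml.DuendeIdentityServer.EntityFramework
        // storage layer listed above) is registered here in a real host; omitted in this example.
    }

    // Service provider host: any ASP.NET Core app. In v4 the SP side no longer depends on
    // IdentityServer, so only Rsk.Saml is needed.
    public static void ConfigureServiceProvider(IServiceCollection services)
    {
        services.AddAuthentication(auth =>
            {
                auth.DefaultScheme = "cookie";
                auth.DefaultChallengeScheme = "saml2p";
            })
            .AddCookie("cookie")
            .AddSaml2p("saml2p", options =>
            {
                options.Licensee = "<LICENSEE>";      // placeholder
                options.LicenseKey = "<LICENSE-KEY>"; // placeholder
                options.SignInScheme = "cookie";
                options.CallbackPath = "/signin-saml";

                // Assumed shape of the IdP description: entity ID, signing certificate(s), endpoints.
                options.IdentityProviderOptions = new IdpOptions
                {
                    EntityId = "https://idp.example.test",
                    SigningCertificates = new List<X509Certificate2>
                    {
                        new X509Certificate2("idp-signing.cer") // placeholder file name
                    },
                    SingleSignOnEndpoint = new SamlEndpoint(
                        "https://idp.example.test/saml/sso", SamlBindingTypes.HttpRedirect),
                    SingleLogoutEndpoint = new SamlEndpoint(
                        "https://idp.example.test/saml/slo", SamlBindingTypes.HttpRedirect)
                };

                options.ServiceProviderOptions = new SpOptions
                {
                    EntityId = "https://sp.example.test/saml",
                    MetadataPath = "/saml/metadata",
                    SignAuthenticationRequests = true
                };

                // v4 rename of RequireSamlResponseDestination: the Destination attribute is
                // now validated on every received SAML message, not only on responses.
                options.RequireSamlMessageDestination = true;

                // v4 behaviour: logout validation failures throw InvalidOperationException,
                // matching the Microsoft handlers. Keep the exception rather than silently
                // completing a logout on an invalid message.
                options.ThrowOnLogoutError = true;
            });
    }
}
```

Call ConfigureIdentityProvider from the IdentityServer host's startup and ConfigureServiceProvider from the SP application's startup; the two roles are shown side by side only so the v3.3.0 and v4 settings appear in one place. Wherever the v4 package exposes an option under a different property name or type than assumed here, the compiler will point at the line to adjust.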

2021 Roadmap – Update

From our roadmap, we are now focusing on adding artifact binding support to the IdP side of our component, and a Single Logout (SLO) approach that will allow front-channel SLO after upcoming browser changes. The 2021 roadmap:

  • Full removal of IdentityServer4 from Rsk.Saml (completed)
  • Support for more back-channel binding types (artifact binding)
  • Focus on improving documentation with feature specific documentation
  • Support for “traditional” SAML SLO (not using iFrames)
  • Additional documentation for debugging steps and FAQs
  • Stretch goal: revamp of signing and encryption algorithm support

Our feature development is heavily influenced by customer feedback. So, if you have any feature requests, let us know!