
In the last year, we have been focusing on developing new features for our SAML2P component. Driven by your feedback, some of our new features and improvements include:

  • Support for Duende IdentityServer v6
  • Support for .NET 6
  • Full support for the HTTP Artifact binding, a back-channel binding in which the SAML message is retrieved server-to-server instead of passing through the browser, to keep SSO working through upcoming browser changes and to reduce what the user agent sees of the exchange
  • Improved logging to offer more diagnostic information

In addition, we have enriched a collection of helpful resources to aid you in the development of your SAML SSO, which means,

Release Notes - Rsk.Saml v4.3

Before we cover the big v5 changes, here are some of the highlights from recent minor versions of our SAML Identity Provider (IdP) and Service Provider (SP) libraries:

  • SP: Added support for the Duende IdentityServer's Dynamic Providers feature
  • SP: Added support for AuthContextDecl attribute when validating SAML assertions
  • SP: Added support for sending login hints to IdP, using the Subject element in Authentication Requests
  • SP: Added support for incoming IdP-initiated RelayState, controlled by a new AllowedIdpInitiatedRelayStates configuration option. A RelayState arriving on an unsolicited response is attacker-controllable, so it should only be honoured when it matches this allowlist, never used as a redirect target as-is
  • SP: Added support for decryption of assertions using AES-GCM, an authenticated mode that, unlike the CBC modes of XML Encryption, detects ciphertext tampering instead of exposing a padding oracle
  • IdP: Handle numerical boolean values for the AllowCreate attribute in authentication requests
  • IdP: Gracefully handle the scenario where the user is already signed out upon receiving a SAML logout request

Release Notes - Rsk.Saml v5

With this release, we have added support for .NET 6. That means we currently support .NET Core 3.1, .NET 5 and .NET 6. This version only supports Duende IdentityServer v6 and IdentityServer4 v4. We will continue to support IdentityServer4 until the end of 2022.

We have updated some class names to use the 'Saml' prefix for consistency, and some method signatures have been updated; however, you will only see this if you are overriding any of the internals of our SAML component.

If you experience any issues with this update, please contact us at [email protected], and we will be happy to help.

New Features

  • IdP: Added support for Duende IdentityServer v6
  • SP: Added support for .NET 6
  • IdP and SP: Added support for HTTP Artifact binding, which uses a direct server-to-server connection to exchange SAML messages. HTTP Artifact binding can now be used to send and receive all SAML message types. You can read more on this feature in our article: Improving SAML SSO Security Using HTTP Artifact Binding
  • IdP: Added support for setting NameIdFormat per Service Provider
  • IdP: Added support for sending a RelayState with IdP-initiated SSO
  • SP: Added support for configuring SigningOptions
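To make the HTTP Artifact binding concrete, here is an added example (not code from the release notes or from Rsk.Saml) that builds and parses a SAML 2.0 artifact exactly as the Bindings specification lays it out (type code 0x0004, endpoint index, SHA-1 SourceID of the issuer's entityID, random MessageHandle), and walks the single-use resolution step the issuer performs when the ArtifactResolve arrives on the back channel. The entity IDs, the in-memory ArtifactStore and the placeholder Response string are constructed for the example; a real deployment resolves over SOAP against the Artifact Resolution Service and persists artifacts in a store such as the one this release adds.

```python
import base64
import hashlib
import hmac
import os
import struct
from typing import Optional

# SAML 2.0 Bindings 3.6.4.2: 2-byte type code, 2-byte endpoint index,
# 20-byte SourceID, 20-byte MessageHandle; 44 bytes, base64-encoded.
SAML2_ARTIFACT_TYPE = 0x0004
ARTIFACT_LENGTH = 44


def source_id(entity_id: str) -> bytes:
    """SourceID is the SHA-1 digest of the issuer's entityID. It only identifies
    the issuer; the unguessable part of the artifact is the MessageHandle."""
    return hashlib.sha1(entity_id.encode("utf-8")).digest()


def build_artifact(entity_id: str, endpoint_index: int,
                   message_handle: Optional[bytes] = None) -> str:
    """Issuer side: mint the opaque artifact that travels through the browser."""
    if message_handle is None:
        message_handle = os.urandom(20)  # 160 random bits, looked up on resolution
    if len(message_handle) != 20:
        raise ValueError("MessageHandle must be 20 bytes")
    if not 0 <= endpoint_index <= 0xFFFF:
        raise ValueError("EndpointIndex must fit in 16 bits")
    raw = (struct.pack(">HH", SAML2_ARTIFACT_TYPE, endpoint_index)
           + source_id(entity_id) + message_handle)
    return base64.b64encode(raw).decode("ascii")


def parse_artifact(artifact: str, known_issuers) -> dict:
    """Receiver side: validate the artifact and map its SourceID back to a
    configured issuer before making any back-channel call."""
    try:
        raw = base64.b64decode(artifact, validate=True)
    except ValueError as exc:  # binascii.Error is a ValueError subclass
        raise ValueError("artifact is not valid base64") from exc
    if len(raw) != ARTIFACT_LENGTH:
        raise ValueError("unexpected artifact length %d" % len(raw))
    type_code, endpoint_index = struct.unpack(">HH", raw[:4])
    if type_code != SAML2_ARTIFACT_TYPE:
        raise ValueError("unsupported artifact type code 0x%04x" % type_code)
    sid, handle = raw[4:24], raw[24:44]
    for issuer in known_issuers:
        if hmac.compare_digest(source_id(issuer), sid):
            return {"issuer": issuer, "endpoint_index": endpoint_index,
                    "message_handle": handle}
    raise ValueError("artifact SourceID does not match any configured issuer")


class ArtifactStore:
    """Constructed issuer-side store: each artifact resolves exactly once."""

    def __init__(self):
        self._messages = {}

    def put(self, artifact: str, message: str) -> None:
        self._messages[artifact] = message

    def resolve(self, artifact: str) -> Optional[str]:
        # pop() makes resolution single-use; a replayed ArtifactResolve gets nothing.
        return self._messages.pop(artifact, None)


def demo_exchange():
    """IdP mints the artifact and parks the real Response; SP parses the
    artifact, identifies the IdP, resolves once, and a replay fails."""
    idp_entity_id = "https://idp.example.test/saml"  # constructed identifier
    store = ArtifactStore()
    artifact = build_artifact(idp_entity_id, endpoint_index=0)
    store.put(artifact, "<samlp:Response .../>")  # stand-in for the real message
    # SP: only the artifact crossed the front channel, never the message itself.
    parsed = parse_artifact(artifact, [idp_entity_id, "https://other-idp.example.test"])
    first = store.resolve(artifact)   # back-channel ArtifactResolve -> ArtifactResponse
    second = store.resolve(artifact)  # replay of the same artifact must fail
    return parsed["issuer"], first, second


if __name__ == "__main__":
    print(demo_exchange())
```

The two checks worth keeping from this sketch are the ones done before any network traffic: reject anything that is not a 44-byte type-0x0004 artifact from a configured issuer, and treat the resolved message as consumed so the same artifact cannot be replayed.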

Improvements

  • IdP and SP: Added ISamlMetadataSerializer extensibility point for metadata serialization
  • IdP and SP: Improved logging, primarily for incoming message validation, to offer more diagnostic information
  • IdP and SP: Added configuration option LogSamlMessages. When set to true, SAML messages sent and received are logged at debug level. Logged messages include the full assertion, i.e. the user's NameID and attributes, so treat this as a troubleshooting switch and keep it off in production
  • IdP: The assertion's authentication context is now derived from the OIDC 'amr' values of the user's session where they map to a SAML authentication context class. If none of them map, the authentication context is set to Unspecified
  • SP: ISamlDecryptionService is now used to decrypt both EncryptedAssertion and EncryptedId
  • SP: Set default value for SignedOutCallbackPath to /saml/slo

Breaking Changes

  • IdP: Assertion encryption now uses RSA-OAEP instead of RSAES-PKCS1-v1_5 as the default RSA key transport algorithm. PKCS#1 v1.5 key transport is susceptible to Bleichenbacher-style padding-oracle attacks whenever the decrypting side leaks decryption failures, so keep the new default unless a Service Provider cannot unwrap OAEP keys; in that case set UseLegacyRsaEncryption to true
  • IdP: Removed the word 'Interfaces' from EntityFramework library namespace
  • IdP and SP: For consistency, class names with the prefixes 'Saml2' or 'Saml2p' were updated to use the 'Saml' prefix
  • IdP and SP: Initial work on removing dependency on X509Certificate2 from interfaces
  • IdP and SP: Updated request and response generators for creating HTTP-Artifact binding messages
  • IdP and SP: Updated ISamlEncryptionService and ISamlDecryptionService to be agnostic of the type of XML element being handled to enhance reusability
  • IdP and SP: Simplified the interface for ISamlEndpointService and added the ability to get Artifact Resolution Services endpoints
  • IdP: Updated logout response validation to use RequireSignedLogoutResponses configuration option
  • IdP: Added the ability to get all service provider Entity IDs from IServiceProviderStore
  • IdP: Updated ISamlPersistedGrantService to handle artifacts
  • IdP: Added the ability to remove SAML persisted grants from ISamlPersistedGrantStore
  • IdP: Updated ISamlPersistedGrantStore Store method to require the key to be passed in as a parameter
  • SP: Replaced IArtifactResolutionService with ISoapRequestService
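The two encryption changes above (AES-GCM decryption in v4.3 and the switch from RSAES-PKCS1-v1_5 to RSA-OAEP key transport in v5) are visible in the EncryptionMethod elements of an encrypted response, so they can be audited from a captured message. The following is an added example, not part of the release notes or of Rsk.Saml: it parses a SAML Response with the standard library, reports the data-encryption and key-transport algorithm URIs it finds, and flags CBC data encryption and PKCS#1 v1.5 key transport. The response skeleton is constructed for the example (the CipherValue contents are placeholders); the algorithm URIs are the ones defined by XML Encryption 1.0 and 1.1.

```python
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "xenc": "http://www.w3.org/2001/04/xmlenc#",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
SAML = "{%s}" % NS["saml"]
XENC = "{%s}" % NS["xenc"]

# Key transport algorithm URIs (XML Encryption 1.0 / 1.1).
RSA_1_5 = "http://www.w3.org/2001/04/xmlenc#rsa-1_5"
RSA_OAEP_MGF1P = "http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p"
RSA_OAEP = "http://www.w3.org/2009/xmlenc11#rsa-oaep"
# Data encryption algorithm URIs.
AES128_CBC = "http://www.w3.org/2001/04/xmlenc#aes128-cbc"
AES256_CBC = "http://www.w3.org/2001/04/xmlenc#aes256-cbc"
TRIPLEDES_CBC = "http://www.w3.org/2001/04/xmlenc#tripledes-cbc"
AES128_GCM = "http://www.w3.org/2009/xmlenc11#aes128-gcm"
AES256_GCM = "http://www.w3.org/2009/xmlenc11#aes256-gcm"

WEAK_KEY_TRANSPORT = {
    RSA_1_5: "RSAES-PKCS1-v1_5 key transport (padding-oracle risk); use RSA-OAEP",
}
WEAK_DATA_ENCRYPTION = {
    TRIPLEDES_CBC: "3DES-CBC, unauthenticated; prefer AES-GCM",
    AES128_CBC: "AES-CBC, unauthenticated; prefer AES-GCM",
    AES256_CBC: "AES-CBC, unauthenticated; prefer AES-GCM",
}


def audit_encryption(response_xml: str) -> dict:
    """Walk every EncryptedAssertion/EncryptedID and collect algorithm URIs.
    EncryptedKey may sit inside ds:KeyInfo or beside EncryptedData, so it is
    searched under the whole container rather than under EncryptedData only."""
    root = ET.fromstring(response_xml)
    result = {"data": [], "key_transport": [], "findings": []}
    containers = list(root.iter(SAML + "EncryptedAssertion")) + \
        list(root.iter(SAML + "EncryptedID"))
    for container in containers:
        for enc_data in container.iter(XENC + "EncryptedData"):
            method = enc_data.find("xenc:EncryptionMethod", NS)
            alg = method.get("Algorithm") if method is not None else None
            result["data"].append(alg)
            if alg is None:
                result["findings"].append(("EncryptedData", None, "missing EncryptionMethod"))
            elif alg in WEAK_DATA_ENCRYPTION:
                result["findings"].append(("EncryptedData", alg, WEAK_DATA_ENCRYPTION[alg]))
        for enc_key in container.iter(XENC + "EncryptedKey"):
            method = enc_key.find("xenc:EncryptionMethod", NS)
            alg = method.get("Algorithm") if method is not None else None
            result["key_transport"].append(alg)
            if alg is None:
                result["findings"].append(("EncryptedKey", None, "missing EncryptionMethod"))
            elif alg in WEAK_KEY_TRANSPORT:
                result["findings"].append(("EncryptedKey", alg, WEAK_KEY_TRANSPORT[alg]))
    return result


def sample_response(data_alg: str, key_alg: str) -> str:
    """Constructed SAML Response skeleton; CipherValue contents are placeholders."""
    return f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
    xmlns:xenc="{NS['xenc']}" xmlns:ds="{NS['ds']}"
    ID="_r1" Version="2.0" IssueInstant="2022-01-01T00:00:00Z">
  <saml:Issuer>https://idp.example.test/saml</saml:Issuer>
  <saml:EncryptedAssertion>
    <xenc:EncryptedData Type="http://www.w3.org/2001/04/xmlenc#Element">
      <xenc:EncryptionMethod Algorithm="{data_alg}"/>
      <ds:KeyInfo>
        <xenc:EncryptedKey>
          <xenc:EncryptionMethod Algorithm="{key_alg}"/>
          <xenc:CipherData><xenc:CipherValue>AAAA</xenc:CipherValue></xenc:CipherData>
        </xenc:EncryptedKey>
      </ds:KeyInfo>
      <xenc:CipherData><xenc:CipherValue>AAAA</xenc:CipherValue></xenc:CipherData>
    </xenc:EncryptedData>
  </saml:EncryptedAssertion>
</samlp:Response>"""


if __name__ == "__main__":
    # Pre-v5 style defaults beside the hardened combination.
    for label, data_alg, key_alg in (("legacy", AES256_CBC, RSA_1_5),
                                     ("hardened", AES256_GCM, RSA_OAEP_MGF1P)):
        report = audit_encryption(sample_response(data_alg, key_alg))
        print(label, report["findings"] or "no findings")
```

Run it against a response captured with LogSamlMessages enabled in a test environment; a finding on EncryptedKey means the IdP still has UseLegacyRsaEncryption set (or is a third-party IdP that has not moved to OAEP), and a finding on EncryptedData means the IdP is not yet issuing AES-GCM.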

EF Migrations

If you are running the IdP, you will need to run migrations for SamlConfigurationDbContext.

We have also added a new DbContext called SamlArtifactDbContext that stores artifact message data when you use HTTP-Artifact binding to send messages. If you are using HTTP-Artifact binding to send messages, you will need to run migrations for SamlArtifactDbContext.

Check out our Data Storage and Persistence docs for IdP and SP.

2022 Roadmap

Our roadmap focus is now a Single Logout (SLO) approach that keeps front-channel SLO working once browsers block third-party cookies by default (an IdP-hosted iframe calling the SP's logout endpoint no longer carries the SP's session cookie). The 2022 roadmap (subject to change):

  • Support for "traditional" SAML SLO (not using iFrames)
  • Add an event service for SAML Identity Provider endpoints
  • Focus on improving code documentation for public APIs
  • Additional feature and protocol specific documentation
  • Remove dependency on X509 certificates from interfaces
  • Support KeyName in the XML signatures
  • Improve extensibility for SAML Service Provider

Our feature development is heavily influenced by customer feedback. So, if you have any feature requests, let us know!
