SAML2P Downloads

Fixed a bug causing Single Logout (SLO) to use only the subject for nameID. SLO will now respect requested nameid and custom nameids

SAML tables can not exist outside the default schema

samlBuilder.AddSamlConfigurationStore(options =>
{
 options.DefaultSchema = "custom_schema",
 options.ConfigureDbContext = //..,
} 

• The SAML response containing the "NotBefore" and "NotOnOrAfter" using the wrong time, resulting in a Microsoft.IdentityModel.Tokens.SecurityTokenExpiredException : IDX10223: Lifetime validation failed. The token is expired. ValidTo (UTC): '16.02.2024 11:32:02', Current time (UTC): '16.02.2024 12:30:02'.

• Support for .Net 8.0
• Duende IdentityServer version 7.0 ( not compatible with any version below, use RSK.SAML 8.x.x )
• Support for OpenIddict version 5.1 
• We have added the ability to specify which assertion consumer services endpoint to use when generating IdentityProvider Initiated single sign-on responses.

Note the Saml+OpenIddict template uses a beta NuGet package when using MySql. We will release an updated template once a released package becomes available.

• Now supports OpenIddict Version 5

• Fixed issue with OpenIddict Session Service when logging into multiple service providers

• Support for the OpenIddict identity framework.
  • IDP
  • SP
• Allow overriding the way metadata is parsed to an XElement by overriding the ParseMetadataDocument method of the SamlMetadataParser . The default implementation removes the namespaces from the provided XML.
• Configuring SAML options using a fluent builder syntax is now easier. The SamlBuilder class now has a configure method for each concrete options class. This class returns a builder object, allowing options to be configured fluently.

• Dropped support for .Net core 3.1. 

Why is there no  Rsk.Saml version 7

For many years, we have versioned the various SAML-dependent packages independently. This process was getting too complex. So, as of version 8, all RSK.SAML package's major and minor numbers will be versioned in lockstep. Patch releases for each Nuget package will be independent. Since we had dependent packages with a major version 7, we have started this new approach from version 8.

• Resolved issue causing validation of artifact messages to throw a NotSupportedException 

• Ensured ALL SAML messages are now serialized using the new ISamlMessageXmlSerializer interface. This enables developers to take control of SAML message serialization where the defaults are insufficient for their specific use case.

• A mechanism to allow users to extend the serialization of SAML messages before they are signed. The documentation for this feature can be found here for an identity provider and here for a service provider.

• This release fixes an issue where HTTP artifact binding could not be used whilst validating a SAML message.

• Added the ability to override SAML SSO Response validation via extending the BaseCustomSamlValidationOverride class. Allows SP to be more forgiving for IDP that are not fully spec complient
• Added support for DuendeIdentityServer 6.3
• Updated SLO documentation for iterative SLO approach and combined SP and IdP-initiated SLO for a full SLO experience.

• Improved license validation error reporting

• Startup validation: The SAML component will now throw an exception if SAML middleware is not configured, preventing silent failure.

• Iterative SLO: Support the traditional iterative SLO approach to remove the need for iframes and solve strict cookie issues

• Support .NET 7

• Breaking change: ISamlSloRequestGenerator methods now take a SamlSloRequestData  as opposed to multiple parameters.
• Docs: Updated NameId docs to include steps required to return email NameId
• Docs: Add additional documentation on how to use extensibility points for SP and IdP

Rsk.Saml.IdentityProvider 6.0.2 & Rsk.Saml.DuendeIdentityServer 7.0.2:

• Enhance SAML response validation of Destination Attribute; previously non-valid value throws a Uri Exception. Now throws a SAMLResponseMessageException

Rsk.Saml.IdentityProvider 6.0.2 & Rsk.Saml.DuendeIdentityServer 7.0.2:

• Fixes a bug where during iterative SLO non, SAML clients were included. Now filters out non-SAML clients.

• Removed support for Core 3.1

• Security patch

• Fix "Artifact expired" bug
• Fix ISamlInteractionService.GetRequestContext method to return null instead of throwing NullRefernceException when the given parameter context is null

• IdP: Added support for ForceAuthn during authentication
• IdP: Added support for receiving login hints from the SP using the Subject element in authentication requests
• SP: Added IdentityProviderMetadataRefreshInterval option to configure how frequently the IdP configuration is retrieved
• SP: Updated the Subject NameId Format to be optional in authentication requests

• Security patch

• Fix "Artifact expired" bug
• Fix ISamlInteractionService.GetRequestContext method to return null instead of throwing NullRefernceException when the given parameter context is null

• SP: Added support for sending SessionIndex in logout requests
• SP: Added support for loading Identity Provider metadata from a local file
• SP: Added support for Identity Provider endpoints with query string parameters, e.g., "https://localhost/idp?idpid=xyz"
• SP: Set the default value of SignOutScheme to be the same as SignInScheme. This means an exception will not be thrown if SignOutScheme has not been explicitly set.

• Security patch

• Fix "Artifact expired" bug
• Fix ISamlInteractionService.GetRequestContext method to return null instead of throwing NullRefernceException when the given parameter context is null

• SP: Removed default values for SignedOutCallbackPath and ArtifactResolutionService, which were introduced in Rsk.Saml v5.0.0. These must now be set explicitly
• SP: Added SkipAuthnContextCheck option to ignore parsing and validation of AuthnContext in SAML response
• SP: Added ISamlMessageDestinationValidator extensibility point for validation of the incoming message destination attribute
• IdP: Advertized HTTP-POST binding for SingleLogoutService in metadata document

• Security patch

• Fix "Artifact expired" bug

• Fix ISamlInteractionService.GetRequestContext method to return null instead of throwing NullReferenceException when the given parameter context is null

• IdP & SP: Updated metadata document to use absolute XML namespaces
• IdP: Added diagnostic events using the IdentityServer's built-in event types
• SP: Added support for parsing metadata documents with EntitiesDescriptor containing a single EntityDescriptor
• IdP: Added a null check for ServiceProviderIds in SamlInteractionService.GetSamlSignOutFrameUrl

• Security patch

• Fix ISamlInteractionService.GetRequestContext method to return null instead of throwing NullReferenceException when the given parameter context is null

• IdP: Removed duplicate claims from SAML assertions
• IdP: Added null checks for string extension methods

• IdP: Added support for Duende IdentityServer v6
• SP: Added support for .NET 6
• IdP & SP: Added support for HTTP Artifact binding, which uses a direct server-to-server connection to exchange SAML messages. HTTP Artifact binding can now be used to send and receive all SAML message types. You can read more on this feature in our article: Improving SAML SSO Security Using HTTP Artifact Binding
• IdP: Added support for setting NameIdFormat per Service Provider
• IdP: Added support for sending a RelayState with IdP-initiated SSO
• SP: Added support for configuring SigningOptions
• IdP & SP: Added ISamlMetadataSerializer extensibility point for metadata serialization
• IdP & SP: Improved logging, primarily for incoming message validation, to offer more diagnostic information
• IdP & SP: Added configuration option LogSamlMessages. When set to true, SAML messages sent and received will be logged as debug messages
• IdP: AuthenticationContext is set based on OIDC 'amr' values, if SAML compatible. The authentication context will be set to Unspecified if the user did not authenticate using any SAML compatible authentication methods
• SP: ISamlDecryptionService is now used to decrypt both EncryptedAssertion and EncryptedId
• SP: Set default value for `SignedOutCallbackPath` to `/saml/slo`

• Improving SAML SSO Security Using HTTP Artifact BindingSP: Fixed an issue where user claims from an incoming assertion containing AuthContextDecl were not parsed
• SP: Fixed signature validation failure for encrypted assertions received via HTTP Artifact binding

Breaking Changes

• IdP: Assertion encryption now uses OAEP instead of PKCS1-v1_5 as the default RSA key transport algorithm. To use RSAES-PKCS1-v1_5, set the UseLegacyRsaEncryption to true
• IdP: Removed the word 'Interfaces' from EntityFramework library namespace
• IdP & SP: For consistency, class names with the prefixes 'Saml2' or 'Saml2p' were updated to use the 'Saml' prefix
• IdP & SP: Initial work on removing dependency on X509Certificate2 from interfaces
• IdP & SP: Updated request and response generators for creating HTTP-Artifact binding messages
• IdP & SP: Updated ISamlEncryptionService and ISamlDecryptionService to be agnostic of the type of XML element being handled to enhance reusability
• IdP & SP: Simplified the interface for ISamlEndpointService and added the ability to get Artifact Resolution Services endpoints
• IdP: Updated logout response validation to use RequireSignedLogoutResponses configuration option
• IdP: Added the ability to get all service provider Entity IDs from IServiceProviderStore
• IdP: Updated ISamlPersistedGrantService to handle artifacts
• IdP: Added the ability to remove SAML persisted grants from ISamlPersistedGrantStore
• IdP: Updated ISamlPersistedGrantStore Store method to require the key to be passed in as a parameter
• SP: Replaced IArtifactResolutionService with ISoapRequestService

• IdP: Removed duplicate claims from SAML assertions
• IdP: Added null checks for string extension methods

• SP: Fixed an issue where user claims from an incoming assertion containing AuthContextDecl were not parsed
• SP: Fixed signature validation failure for encrypted assertions received via HTTP Artifact binding

• SP: Remove request correlation cookie upon logout response failure
• IdP: Use config option UserInteraction.RequestIdParameter when transporting request ID
• IdP: Throw SamlMessageGeneratorException if the requested and default NameId formats are Email; however, the user does not have an email claim. Previously, we returned SubjectId as the NameId, but with an email claim type

• IdP: Handle numerical boolean values for the AllowCreate attribute in an authentication request
• IdP: Handle the scenario where the user is already signed out upon receiving a SAML logout request 

• IdP: Removed duplicate claims from SAML assertions
• IdP: Added null checks for string extension methods

• SP: Fixed an issue where user claims from an incoming assertion containing AuthContextDecl were not parsed
• SP: Fixed signature validation failure for encrypted assertions received via HTTP Artifact binding

• IdP: Use config option UserInteraction.RequestIdParameter when transporting request ID
• SP: Remove request correlation cookie upon logout response failure

• SP: Added support for the Duende IdentityServer's dynamic auth providers feature
• SP: Added support for sending login hints to IdP, using the `Subject` element in Authentication Requests
• SP: Added support for IdP-initiated RelayState. Added `AllowedIdpInitiatedRelayStates` configuration option
• SP: Use ISamlKeyService for retrieving validation keys in metadata generation

• SP: Fixed an issue where user claims from an incoming assertion containing AuthContextDecl were not parsed
• SP: Fixed signature validation failure for encrypted assertions received via HTTP Artifact binding

• IdP: Use config option UserInteraction.RequestIdParameter when transporting request ID
• SP: Remove request correlation cookie upon logout response failure

• Use the original URL paths to generate SAML messages, avoiding formatting around port numbers
• SP: Support decryption of assertions using AES-GCM
• SP: Use the ISamlSigningCertificateStore in metadata generator

• Fixed SLO with POST binding on Linux

• IdP: Included missing user session update when using IdP-Initiated SSO

• SP: added support for AuthContextDecl attribute when validation SAML assertions

• IdP: Use config option UserInteraction.RequestIdParameter when transporting request ID
• SP: Remove request correlation cookie upon logout response failure

• SP: Use the ISamlSigningCertificateStore in metadata generator
• Use the original URL paths to generate SAML messages, avoiding formatting around port numbers

• Fixed SLO with POST binding on Linux

• IdP: Added support for Duende IdentityServer
• SP: Added support for .NET 5.0
• SP: Dropped dependency on IdentityServer
• IdP: Improved dev experience with ISamlInteractionService. You can now pass the full return URL to the GetRequestContext method. This is not a breaking change as the method can handle both the request ID and return URL.
• IdP and SP: Improved logging of received SAML response messages
• IdP and SP: Added ISamlSigningCertificateStore extensibility point for SAML specific signing material
• IdP: Added ISamlClientStore extensibility point for SAML specific client application configuration
• IdP: Added ISamlResourceStore extensibility for SAML specific resource & scope configuration
• Added SAML-specific configuration options for controlling Content Security Policy (CSP) headers when using the HTTP POST binding
• SP: Updated logout validation failure to throw an InvalidOperationException, copying the behavior of Microsoft authentication handlers. This behavior can be overridden using the ThrowOnLogoutError configuration setting

• Root namespace change: all namespaces now use Rsk.Saml
• Dropped support for IdentityServer4 v3
• Obsoletes from Rsk.Saml v3 have now been removed
• Removed GenerateNameId from ISamlNameIdService. Please use the ISamlNameIdGenerator instead
• SP: Removed custom ISamlSpNameIdService. Please use the core ISamlNameIdService instead
• SP: Renamed RequireSamlResponseDestination to RequireSamlMessageDestination
• SP: Removed RequireAuthenticationRequestsSigned
• IdP: Updated the default value of RequireValidSamlLogoutRequests to true. This setting will be removed in a future version, and invalid SAML logout requests will always result in an error

• IdP: Use config option UserInteraction.RequestIdParameter when transporting request ID
• SP: Remove request correlation cookie upon logout response failure

• Use the original URL paths to generate SAML messages, avoiding formatting around port numbers

• Fixed SLO with POST binding on Linux

• IdP: Included missing user session update when using IdP-Initiated SSO

• SP: Added missing artifact binding ACS endpoint to metadata
• SP: Added support for AttributeConsumingService

• SP: Fixed NullReferenceException when loading ARS endpoint from IdP metadata

• IdP: Added "UseLegacyRsaEncryption" option to disable the use of RSAES-PKCS1-v1_5. This will be set to false by default in the next major release
• IdP: Interaction generator service is now called after user authentication, allowing for the use of a consent screen or cancel button
• SP: Added support for parsing ArtifactResolutionServices from IdP metadata
• Added support for NameIDPolicy
• Updated internal cryptography libraries to use .NET Core implementations

• Fixed issue with validating signatures containing repeated/duplicate namespaces (3+)

• October security update

• SP: Updated the default correlation cookie store's delete method to use SP cookie options
• SP: Improved handling of missing correlation cookie
• Logging improvements

• IdP: Metadata now includes all IdentityServer validation keys
• SP: The metadata parser now treats SLO endpoints as optional

• IdP: Added support for IdP-Initiated SSO
• SP: Added support for IdP-Initiated SLO
• IdP: ACS endpoint preference is now ordered by index
• SP: Now uses the correlation cookie name configured in the handlers cookie builder
• SP: SamlBindingService extended to include support for building SOAP binding payloads
• All custom component exceptions inherit from SamlException
• SP: Breaking change on ISamlCorrelationStore
• IdP: Method rename in IServiceProviderStore, from FindServiceProviderByEntityIdAsync to FindServiceProviderByEntityId
• IdP: RequestTrustLength option has been replaced by MessageTrustLength. Its default value is now 5 minutes
• SP: ResponseTrustLength option had been replaced by MessageTrustLength
• SP: The unused RemoteSignOutPath option has been removed
• IdP and SP: RequireSignedSingleLogoutResponses option has been renamed to RequireSignedLogoutResponses
• EF: a new property of RequireAuthenticationRequestsSigned which allows the IdP’s WantAuthnRequestsSigned setting to be overridden per SP
• EF: RequireSamlRequestDestination property renamed to RequireSamlMessageDestination. See below for EF migrations recommendations

• New SP library: Rsk.Saml. To use IdP functionality, specific to IdentityServer4, please continue to use Rsk.IdentityServer4.Saml
• Dropped support for .NET Framework and non-LTS or Current versions of .NET Core
• Obsoletes from v2 have now been removed

• October security update

• SP: Fixed metadata parsing for multiple signing certificates

• Fixed nonce size when using AES-256-GCM

• SP: Added support for Home Realm Discovery (using "IDPList" and "IDPEntry")
• SP: Added "SamlChallengeProperties" allowing a challenge request to override Home Realm Discovery and Force Authentication

• October security update

• SP: Added support for WantAssertionsSigned

• SP: Support for the artifact binding type
• SP: Added ValidationCertificates for request signing key rollover
• SP: Added RequireEncryptedAssertions option to disallow unencrypted assertions
• SP: Enabled organization and contact metadata options
• SP: Added support for RequestedAuthenticationContext and validation of AuthnContextClassRef
• SP: Set correlation cookie to essential
• SP: Added RequireSignedSingleLogoutResponses option

• Bug fix for signature transforms
• SP: Fix for SLO request using POST binding
• IdP: Added missing serialization for AuthnStatement SessionNotOnOrAfter

• October security update

• IdP & SP: Improved metadata signature generation
• SP: Improved metadata signature validation
• IdP: Added ISamlEndpointService extensibility point for choosing which ACS or SLO endpoint to use

• October security update

• SP: Added option to disable Destination validation
• Updated form POST HTML

• SP: Added missing SLO endpoints to metadata

• October security update

• SP: Added missing SLO endpoint to metadata

• Internal build version fix

• IdP: Added ISamlNameIdService extensibility point for NameID format handling
• SP: Added AuthenticationProperties to failure results

• Changed minimum version of IdentityServer4 v3 to v3.1.2

• October security update

• ASP.NET Core 3.0 and 3.1 support
• IdP & SP: Updated metadata document to place signature as the first element
• SP: Added IdP metadata loading
• SP: Added support for multiple IdP signing certificates
• SP: Added support for SLO response parsing

• SP: Added support for decryption of assertions using:
  • AES-192-CBC
  • AES-128-CBC
• SP: Added support for decryption of assertions with an encrypted key linked by reference

• SP: Added property "SkipUnrecognizedRequests". This property prevents errors from being thrown on invalid SAML requests but allows multiple SP's to share a single metadata endpoint and ACS endpoint

• SP: Added support for encrypted assertions with RSA-OAEP encryption keys

• SP: Added handling for off-spec element "AuthnContextDeclRef"

• SP: Fixed issue with empty name claim being generated from SAMLResponse

• IdP: Added handling for logout responses sent to SLO endpoint

• IdP: Fixed CSP for logout page when logout response received

• SP: Added support for HTTP Redirect binding responses
• SP: Added support for IdP-Initiated SSO
• IdP: Added support for full SAML SP-Initiated SLO
• IdP: Added support for SAML IdP-Initiated SLO

• Fixed typo in NameID constants

• Removed support for IdentityServer4 v2.2

Supports IdentityServer v2.2. This version is no longer actively maintained.