SAML 2.0 application registration
A FoxIDs SAML 2.0 application registration enables you to connect a SAML 2.0 based application.
Your application becomes a SAML 2.0 Relying Party (RP) and FoxIDs acts as a SAML 2.0 Identity Provider (IdP).
FoxIDs supports the SAML 2.0 redirect and POST bindings.
An application registration exposes SAML 2.0 metadata from which your application can discover the SAML 2.0 Identity Provider (IdP).
The login, logout and single logout SAML 2.0 profiles are supported. The Artifact profile is not supported.
The FoxIDs SAML 2.0 metadata only include logout and single logout information if logout is configured in the SAML 2.0 application registration.
How-to guides:
- Connect AD FS
- Connect Context Handler (Danish IdP)
Require multi-factor authentication (MFA)
The SAML 2.0 Relying Party (RP) can require multi-factor authentication by specifying the urn:foxids:mfa value in the RequestedAuthnContext.AuthnContextClassRef property.
The AuthnContextClassRef property can be set in the Login method in SamlController.cs:
```csharp
// Uses the ITfoxtec.Identity.Saml2 library. saml2Config (the Saml2Configuration) and
// relayStateReturnUrl (the RelayState query key) are fields of SamlController.
public IActionResult Login(string returnUrl = null)
{
    var binding = new Saml2RedirectBinding();
    // Carry the return URL through the IdP round trip in the RelayState.
    binding.SetRelayStateQuery(new Dictionary<string, string>
    {
        { relayStateReturnUrl, returnUrl ?? Url.Content("~/") }
    });

    var saml2AuthnRequest = new Saml2AuthnRequest(saml2Config)
    {
        // To require MFA: ask FoxIDs for exactly the urn:foxids:mfa authentication context.
        RequestedAuthnContext = new RequestedAuthnContext
        {
            Comparison = AuthnContextComparisonTypes.Exact,
            AuthnContextClassRef = new string[] { "urn:foxids:mfa" },
        }
    };

    // Redirect the browser to the IdP single sign-on endpoint with the AuthnRequest.
    return binding.Bind(saml2AuthnRequest).ToActionResult();
}
```
See the full code in the AspNetCoreSamlSample, SamlController.cs line 104.
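Requesting MFA in the AuthnRequest is only half of the check: the RP should also confirm that the AuthnContextClassRef in the returned assertion really is urn:foxids:mfa before treating the session as MFA-authenticated. The Python below is an added example (not FoxIDs, ITfoxtec or AspNetCoreSamlSample code); it assumes the Response has already been signature-validated and decrypted by the SAML library, and the sample Response messages are constructed, unsigned, for illustration only.

```python
from xml.etree import ElementTree as ET

# Namespaces used by SAML 2.0 protocol messages and assertions.
NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
FOXIDS_MFA = "urn:foxids:mfa"
PASSWORD_CLASS = "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport"


def authn_context_classes(response_xml: str) -> list[str]:
    """Return every AuthnContextClassRef found in the Response's assertions."""
    root = ET.fromstring(response_xml)
    path = "saml:Assertion/saml:AuthnStatement/saml:AuthnContext/saml:AuthnContextClassRef"
    return [(ref.text or "").strip() for ref in root.iterfind(path, NS)]


def mfa_satisfied(response_xml: str, required: str = FOXIDS_MFA) -> bool:
    """True only if every AuthnStatement states exactly the requested class.

    Mirrors Comparison=Exact in the AuthnRequest: a Response without any
    AuthnStatement, or with a different class (e.g. password only), is rejected.
    """
    classes = authn_context_classes(response_xml)
    return len(classes) > 0 and all(c == required for c in classes)


def _authn_statement(class_ref: str) -> str:
    return (
        '<saml:AuthnStatement AuthnInstant="2024-01-01T00:00:00Z"><saml:AuthnContext>'
        f"<saml:AuthnContextClassRef>{class_ref}</saml:AuthnContextClassRef>"
        "</saml:AuthnContext></saml:AuthnStatement>"
    )


def _sample_response(authn_statement: str) -> str:
    """Constructed, unsigned sample Response (not a real FoxIDs message)."""
    return f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
    ID="_r1" Version="2.0">
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0">
    <saml:Issuer>https://idp.example.test/</saml:Issuer>
    <saml:Subject><saml:NameID>user@example.test</saml:NameID></saml:Subject>
    {authn_statement}
  </saml:Assertion>
</samlp:Response>"""


MFA_RESPONSE = _sample_response(_authn_statement(FOXIDS_MFA))      # accepted
PASSWORD_RESPONSE = _sample_response(_authn_statement(PASSWORD_CLASS))  # rejected
NO_AUTHN_RESPONSE = _sample_response("")                            # rejected
```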
Configuration
How to configure your application as a SAML 2.0 Relying Party (RP).
The FoxIDs SAML 2.0 application registration metadata endpoint is https://foxids.com/tenant-x/environment-y/application-saml-pr1/saml/idpmetadata if the application is configured in tenant tenant-x and environment environment-y with the application registration name application-saml-pr1.
An application registration can support login through multiple authentication methods by adding the authentication method name to the URL.
An authentication method name, e.g. login, can be added to the metadata URL like this: https://foxids.com/tenant-x/environment-y/application-saml-pr1(login)/saml/idpmetadata
The following screenshot shows the basic FoxIDs SAML 2.0 application registration configuration available in FoxIDs Control Client.
More configuration options become available by clicking Show advanced.
Change the issued SAML 2.0 claim collection with claim transforms.