Early Preview
This is currently very much a preview. Please feel free to try things out,
but don't be upset if anything is not yet working. Feedback is welcome over on our
GitHub Discussions page.
class Duende.IdentityServer.Configuration.SamlOptions
Assembly: Duende.IdentityServer
Inheritance: object → SamlOptions
Options for SAML 2.0 Identity Provider functionality.
Properties
public string EntityId
The Entity Id of this SAML 2.0 Identity Provider. Defaults to null,
which derives the entity ID from the OIDC issuer combined with EntityIdPath.
public string EntityIdPath
Path component appended to the OIDC issuer to form the SAML entity ID.
Ignored if EntityId is set explicitly.
Defaults to "/Saml2".
public bool WantAuthnRequestsSigned
Gets or sets whether the IdP requires signed AuthnRequests.
Defaults to true.
public System.Collections.ObjectModel.ReadOnlyDictionary<string, string> DefaultClaimMappings
Default mappings from claim types to SAML attribute names.
Key: claim type (e.g., "email", "name")
Value: SAML attribute name (e.g., "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name")
Includes common OIDC to SAML attribute mappings by default.
Service providers can override these mappings via SamlServiceProvider.ClaimMappings.
If a claim type is not in this dictionary, it will be passed through using the claim type as the attribute name.
public System.Collections.ObjectModel.ReadOnlyDictionary<string, string> DefaultAuthnContextMappings
Default mappings from OIDC acr/amr claim values to SAML AuthnContextClassRef URIs.
Key: OIDC acr or amr value (e.g., "pwd", "mfa", "external")
Value: SAML AuthnContextClassRef URI (e.g., "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport")
Used during AuthnStatement generation. The generator checks acr first, then amr claims
against this map; if no match is found, it falls back to Unspecified.
Service providers can override via SamlServiceProvider.AuthnContextMappings.
public System.Collections.ObjectModel.Collection<string> SupportedNameIdFormats
Gets or sets the supported NameID formats.
Defaults to EmailAddress and Unspecified.
public string EmailNameIdClaimType
Gets or sets the claim type used to source the value for email NameID format.
Defaults to "email". Per-SP override is available via
SamlServiceProvider.EmailNameIdClaimType.
DefaultClockSkew
Gets or sets the default clock skew tolerance for SAML message validation.
Defaults to 5 minutes.
public bool RequireSignedLogoutResponses
Gets or sets whether LogoutResponse messages must be signed or delivered over a trusted
binding (TLS or higher). Defaults to true per SAML 2.0 Profiles §4.4.4.
Individual service providers can override this via
SamlServiceProvider.RequireSignedLogoutResponses.
DefaultRequestMaxAge
Gets or sets the default maximum age for SAML authentication requests.
Defaults to 5 minutes.
DefaultAssertionLifetime
Gets or sets the default lifetime for SAML assertions. This controls how long
the generated assertion is valid (the window between NotBefore and NotOnOrAfter).
Defaults to 5 minutes.
SigninStateLifetime
Gets or sets the lifetime of SAML signin state entries. This controls how long
the signin state is retained while the user completes authentication.
Defaults to 15 minutes.
LogoutSessionLifetime
Gets or sets the lifetime of SAML logout session entries. This controls how long
the logout session tracking state is retained while front-channel logout iframes
complete and SP responses are collected.
Defaults to 5 minutes.
DefaultSigningBehavior
Gets or sets the default signing behavior for SAML messages.
Defaults to SamlSigningBehavior.SignAssertion.
public int MaxRelayStateLength
Maximum length of the RelayState parameter, measured in bytes of its UTF-8 encoding.
SAML spec recommends 80 bytes, but can be increased for SPs that support longer values.
Default: 80 (UTF-8 bytes).
public int MaxMessageSize
Maximum size of an inbound SAML message, in characters. For typical SAML
content (ASCII XML, base64 payloads) this is approximately equal to bytes.
Default: 1,048,576.
public SamlEndpointOptions Endpoints
Gets or sets the endpoint options for SAML.
public SamlMetadataOptions Metadata
Gets or sets the metadata generation options.
public System.Action<Saml.Xml.ReadErrorInspectorContext<Saml.Samlp.AuthnRequest>> AuthnRequestErrorInspector
Optional callback invoked when XML read errors occur while parsing an
AuthnRequest. The callback can inspect and remove errors from
ReadErrorInspectorContext<T>.Errors to suppress exceptions. The callback
also has access to the partially-parsed context.Data and the raw XML via
context.XmlSource, allowing it to fix values (e.g., parse a quirky date format
and populate the corresponding property directly).
Consumers needing per-SP behavior can branch on context.Data.Issuer.
Remarks: context.Data.Issuer is unvalidated at callback time — it has not yet been
verified against the configured service provider store. Do not make security-sensitive
decisions based solely on the issuer value without additional verification.
public System.Action<Saml.Xml.ReadErrorInspectorContext<Saml.Samlp.LogoutRequest>> LogoutRequestErrorInspector
Optional callback invoked when XML read errors occur while parsing a
LogoutRequest. The callback can inspect and remove errors from
ReadErrorInspectorContext<T>.Errors to suppress exceptions. The callback
also has access to the partially-parsed context.Data and the raw XML via
context.XmlSource, allowing it to fix values (e.g., parse a quirky date format
and populate the corresponding property directly).
Consumers needing per-SP behavior can branch on context.Data.Issuer.
Remarks: context.Data.Issuer is unvalidated at callback time — it has not yet been
verified against the configured service provider store. Do not make security-sensitive
decisions based solely on the issuer value without additional verification.
public System.Action<Saml.Xml.ReadErrorInspectorContext<Saml.Samlp.LogoutResponse>> LogoutResponseErrorInspector
Optional callback invoked when XML read errors occur while parsing a
LogoutResponse. The callback can inspect and remove errors from
ReadErrorInspectorContext<T>.Errors to suppress exceptions. The callback
also has access to the partially-parsed context.Data and the raw XML via
context.XmlSource, allowing it to fix values (e.g., parse a quirky date format
and populate the corresponding property directly).
Consumers needing per-SP behavior can branch on context.Data.Issuer.
Remarks: context.Data.Issuer is unvalidated at callback time — it has not yet been
verified against the configured service provider store. Do not make security-sensitive
decisions based solely on the issuer value without additional verification.
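The following is an added example, not code from Duende or from this reference page. It shows how the hardening-related properties listed above are set explicitly, and how an AuthnRequestErrorInspector can tolerate one known parsing quirk for one service provider without turning the unvalidated issuer into a trust decision. Several details are assumptions, because the page does not show them: the Configure method is a hypothetical entry point that simply receives the SamlOptions instance; DefaultClockSkew, DefaultRequestMaxAge and DefaultAssertionLifetime are assumed to be TimeSpan; context.XmlSource is assumed to be the raw XML as a string; AuthnRequest.IssueInstant is assumed to be a settable DateTime; items in context.Errors are assumed to describe the offending attribute in their ToString(); and LegacySpEntityId is a constructed placeholder value.

```csharp
using System;
using System.Globalization;
using System.Linq;
using System.Text.RegularExpressions;
using Duende.IdentityServer.Configuration;   // SamlOptions (this page)
using Duende.IdentityServer.Models;          // SamlSigningBehavior (this page)

public static class SamlOptionsSetup
{
    // Constructed placeholder: the entity ID of one legacy SP that is known to
    // emit IssueInstant without a trailing "Z". Not a real value.
    private const string LegacySpEntityId = "https://legacy-sp.example.invalid/saml";

    // Hypothetical entry point: this page does not show how SamlOptions is
    // handed to IdentityServer, so this method just receives the instance.
    public static void Configure(SamlOptions options)
    {
        // Security-relevant knobs, set explicitly to the documented defaults so
        // the intent is visible in code and survives a future default change.
        options.EntityIdPath = "/Saml2";                   // entity ID = OIDC issuer + path
        options.WantAuthnRequestsSigned = true;            // unsigned AuthnRequests are rejected
        options.RequireSignedLogoutResponses = true;       // SAML 2.0 Profiles §4.4.4
        options.DefaultSigningBehavior = SamlSigningBehavior.SignAssertion;
        options.MaxRelayStateLength = 80;                  // UTF-8 bytes, not characters
        options.MaxMessageSize = 1_048_576;                // characters of inbound XML
        options.DefaultClockSkew = TimeSpan.FromMinutes(5);          // assumed TimeSpan
        options.DefaultRequestMaxAge = TimeSpan.FromMinutes(5);      // assumed TimeSpan
        options.DefaultAssertionLifetime = TimeSpan.FromMinutes(5);  // assumed TimeSpan

        options.AuthnRequestErrorInspector = context =>
        {
            // context.Data.Issuer has NOT been checked against the SP store yet.
            // It is used only to decide whether to *attempt* a repair of a read
            // error for a known quirk; it must never be used to grant anything.
            // ToString() is used so this compiles whether Issuer is a string or a NameID object.
            var issuer = context.Data?.Issuer?.ToString();
            if (!string.Equals(issuer, LegacySpEntityId, StringComparison.Ordinal))
            {
                return; // leave every error in place: the request is rejected as usual
            }

            // Assumption: context.XmlSource is the raw XML as a string.
            var match = Regex.Match(context.XmlSource, "IssueInstant=\"([^\"]+)\"");
            if (!match.Success)
            {
                return;
            }

            // Accept only the one legacy form "yyyy-MM-ddTHH:mm:ss" (no zone) and
            // treat it as UTC. Anything else is not the quirk we know about, so the
            // errors stay and the request is rejected.
            if (!DateTime.TryParseExact(match.Groups[1].Value, "yyyy-MM-dd'T'HH:mm:ss",
                    CultureInfo.InvariantCulture,
                    DateTimeStyles.AssumeUniversal | DateTimeStyles.AdjustToUniversal,
                    out var issueInstant))
            {
                return;
            }

            // Assumption: AuthnRequest.IssueInstant is a settable DateTime.
            context.Data.IssueInstant = issueInstant;

            // Remove only the errors that concern the attribute just repaired, never
            // the whole list. Assumption: each error's ToString() names the attribute.
            var repaired = context.Errors
                .Where(e => e.ToString().Contains("IssueInstant", StringComparison.Ordinal))
                .ToList();
            foreach (var error in repaired)
            {
                context.Errors.Remove(error);
            }
        };
    }
}
```

The repair populates IssueInstant rather than discarding it, so the request still goes through the normal DefaultRequestMaxAge check and, with WantAuthnRequestsSigned left at true, the normal signature check. If the issuer comparison matches an SP that is not actually registered, the only effect is a more lenient parse; the later lookup against the service provider store still decides whether the request is accepted.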
Methods
public bool Equals(object obj)
Inherited from object
protected void Finalize()
Inherited from object
public int GetHashCode()
Inherited from object
protected object MemberwiseClone()
Inherited from object
public string ToString()
Inherited from object