Early Preview

This is currently very much a preview. Please feel free to try things out, but don't be upset if anything is not yet working. Feedback is welcome over on our GitHub Discussions page.

interface Duende.IdentityServer.Saml.IIdpInitiatedSsoService

Assembly: Duende.IdentityServer

Service for generating IdP-initiated SSO responses. The host calls this from a portal page (or similar UI) where the user is already authenticated. The service validates the target SP, generates a signed SAML response, and returns an IdpInitiatedSsoResult (Duende.IdentityServer.Saml.IdpInitiatedSsoResult) that either contains an IResult (Microsoft.AspNetCore.Http.IResult) the host returns from its endpoint, or an error the host can display in its portal UI.

Remarks

Because the user is already authenticated when this service is called, the IdP-initiated flow does not redirect to the login page. The SAML response is generated immediately and sent via the appropriate binding (e.g., HTTP-POST).

Anti-forgery: This service does not perform anti-forgery validation itself. The caller (typically a Razor Page or MVC action) is responsible for protecting the endpoint that invokes this service with standard ASP.NET Core anti-forgery tokens or equivalent protection. Without that protection, a third-party site could submit a cross-site request to the portal endpoint and cause the logged-in user's browser to receive, and auto-post, a signed response for a service provider of the attacker's choosing.

Replay protection: IdP-initiated SSO responses do not contain an InResponseTo attribute because there is no prior AuthnRequest to reference. This is inherent to the IdP-initiated profile (SAML Profiles §4.1.4.5). Service providers are responsible for enforcing one-time use of assertion IDs to mitigate replay attacks.

Methods

CreateResponseAsync(Microsoft.AspNetCore.Http.HttpContext httpContext, string spEntityId, string relayState, System.Threading.CancellationToken ct)
Creates a SAML response for IdP-initiated SSO to the specified service provider.
Returns: A result containing either an IResult (Microsoft.AspNetCore.Http.IResult) that writes the SAML response via the binding, or an error with a descriptive message.
httpContext: The current HTTP context, used to resolve services and write the response via the binding.
spEntityId: The entity ID of the target service provider.
relayState: Optional relay state to include in the SAML response.
ct: Cancellation token.

CreateResponseAsync(Microsoft.AspNetCore.Http.HttpContext httpContext, string spEntityId, System.Threading.CancellationToken ct)
Creates a SAML response for IdP-initiated SSO to the specified service provider, without a relay state.
Returns: A result containing either an IResult (Microsoft.AspNetCore.Http.IResult) that writes the SAML response via the binding, or an error with a descriptive message.
httpContext: The current HTTP context, used to resolve services and write the response via the binding.
spEntityId: The entity ID of the target service provider.
ct: Cancellation token.
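The following Razor Page handler is an added example of how a portal might call this service; it is not part of the Duende documentation or product code. It puts the anti-forgery and authentication requirements from the Remarks at the endpoint, bounds the caller-supplied RelayState to the 80-byte limit from SAML Bindings 2.0 §3.6.3 before passing it on, and executes the returned IResult from inside an MVC handler. The page model name, the form field names, and the property names read from IdpInitiatedSsoResult (Succeeded, Result, Error) are assumptions for illustration; only the CreateResponseAsync overloads above are taken from the page.

```csharp
// Added example, not Duende code. The shape of IdpInitiatedSsoResult used here
// (Succeeded / Result / Error) is assumed; check the actual type in your version.
using System.Text;
using System.Threading;
using System.Threading.Tasks;
using Duende.IdentityServer.Saml;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Mvc;
using Microsoft.AspNetCore.Mvc.RazorPages;

namespace Portal.Pages;

[Authorize]                 // the service assumes an already-authenticated user
[ValidateAntiForgeryToken]  // Razor Pages validates the token on POST by default;
                            // stated explicitly so a later refactor cannot drop it silently
public class LaunchSsoModel : PageModel
{
    private readonly IIdpInitiatedSsoService _sso;

    public LaunchSsoModel(IIdpInitiatedSsoService sso) => _sso = sso;

    // Posted from the portal's SP picker form (hypothetical field names).
    [BindProperty] public string? SpEntityId { get; set; }
    [BindProperty] public string? RelayState { get; set; }

    public string? Error { get; private set; }

    public void OnGet() { }

    public async Task<IActionResult> OnPostAsync(CancellationToken ct)
    {
        if (string.IsNullOrWhiteSpace(SpEntityId))
        {
            Error = "No service provider selected.";
            return Page();
        }

        // SAML Bindings 2.0 §3.6.3: RelayState MUST NOT exceed 80 bytes. Reject it
        // here instead of relying on the SP; the value is attacker-influenceable form input.
        if (RelayState is not null && Encoding.UTF8.GetByteCount(RelayState) > 80)
        {
            Error = "RelayState must not exceed 80 bytes.";
            return Page();
        }

        // The service validates SpEntityId against the registered SPs; anything
        // unknown comes back as an error rather than a signed response.
        var result = string.IsNullOrEmpty(RelayState)
            ? await _sso.CreateResponseAsync(HttpContext, SpEntityId, ct)
            : await _sso.CreateResponseAsync(HttpContext, SpEntityId, RelayState, ct);

        // ASSUMPTION: property names on the result type are illustrative.
        if (!result.Succeeded || result.Result is null)
        {
            Error = result.Error ?? "IdP-initiated SSO failed.";
            return Page();
        }

        // The IResult writes the binding output (for HTTP-POST, an auto-submitting
        // form) straight to the response. Execute it and return EmptyResult so the
        // MVC pipeline does not append a rendered page to it.
        await result.Result.ExecuteAsync(HttpContext);
        return new EmptyResult();
    }
}
```

Because the response carries no InResponseTo, the only thing stopping a captured response from being submitted twice is the SP's one-time-use tracking of assertion IDs, so this endpoint should be reachable only over HTTPS and only via the anti-forgery-protected POST, never via a GET link that could be embedded in a third-party page.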