The SAML component for Duende IdentityServer leverages the configuration and persisted grants databases for Client and temporary data. Beyond the standard migrations and stores for IdentityServer, the RockSolidKnowledge SAML component for IdentityServer requires an IServiceProviderStore to store SAML ServiceProvider specific information and an ISamlArtifactStore to store SAML artifacts for use with the back-channel SAML artifact binding.
RockSolidKnowledge provide EntityFramework Core packages for these stores, but you can also implement your own if required.
EntityFramework Core
To use our EntityFramework Core stores with Duende IdentityServer you will need to install the Duende IdentityServer EntityFramework Core package:
dotnet add package Rsk.Saml.DuendeIdentityServer.EntityFramework
Service Provider Data
We provide two types of store implementations for storing Service Provider configuration data, IServiceProviderStore: EntityFramework Core and in-memory stores.
In-Memory Service Provider Store
The in-memory store allows you to configure your identity provider using an in-memory collection. The in-memory collection can be hard-coded or loaded dynamically from a configuration file. The in-memory store allows you to develop and test your implementation without needing a database. However, it is not recommended in production, as the in-memory collection is only created on application start-up.
To use the in-memory Service Provider Store, InMemoryServiceProviderStore, with your IdentityServer, use the AddInMemoryServiceProviders extension on IIdentityServerBuilder.
services.AddIdentityServer()
    // Other configuration code removed for brevity
    .AddSamlPlugin()
    .AddInMemoryServiceProviders(new List<ServiceProvider>());
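The text above notes that the in-memory collection can be loaded from a configuration file rather than hard-coded. The following is an added example (not code from the RockSolidKnowledge documentation) that binds the list from an assumed "Saml:ServiceProviders" configuration section and fails at start-up on an empty list or a duplicate EntityId, since the in-memory store is only populated once when the application starts.

```csharp
// Added example, not part of the RSK SAML component. The configuration
// section name "Saml:ServiceProviders" and the helper class name are
// assumptions; ServiceProvider is the Rsk.Saml.Models.ServiceProvider type
// expected by AddInMemoryServiceProviders.
using System;
using System.Collections.Generic;
using System.Linq;
using Microsoft.Extensions.Configuration;
using Rsk.Saml.Models;

public static class SamlServiceProviderConfig
{
    // Bind the service provider list once at start-up. The in-memory store
    // never re-reads configuration, so validate here rather than at runtime.
    public static List<ServiceProvider> LoadServiceProviders(IConfiguration configuration)
    {
        var serviceProviders = configuration
            .GetSection("Saml:ServiceProviders")
            .Get<List<ServiceProvider>>() ?? new List<ServiceProvider>();

        // An identity provider with no registered service providers is almost
        // certainly a deployment mistake; refuse to start rather than run empty.
        if (serviceProviders.Count == 0)
            throw new InvalidOperationException("No SAML service providers configured.");

        // Two entries claiming the same EntityId make the SP lookup ambiguous;
        // reject the configuration instead of silently picking one.
        var duplicate = serviceProviders
            .GroupBy(sp => sp.EntityId, StringComparer.Ordinal)
            .FirstOrDefault(g => g.Count() > 1);
        if (duplicate != null)
            throw new InvalidOperationException($"Duplicate SAML EntityId: {duplicate.Key}");

        return serviceProviders;
    }
}

// Usage in ConfigureServices (Configuration is the host's IConfiguration):
//   services.AddIdentityServer()
//       // Other configuration code removed for brevity
//       .AddSamlPlugin()
//       .AddInMemoryServiceProviders(
//           SamlServiceProviderConfig.LoadServiceProviders(Configuration));
```

Configuration binding only sets the properties present in the section; anything the ServiceProvider model needs that is not representable in configuration (such as certificates) still has to be assigned in code.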
EntityFramework Core Service Provider Store
Using the EntityFramework Core Service provider store with IdentityServer
To use the EF Service Provider Store with your IdentityServer, use the AddSamlConfigurationStore extension on IIdentityServerBuilder. The SamlConfigurationStoreOptions class contains properties that allow you to control the EF store and the underlying SamlConfigurationDbContext.
var migrationsAssembly = typeof(Startup).GetTypeInfo().Assembly.GetName().Name;
services.AddIdentityServer()
    // Other configuration code removed for brevity
    .AddSamlPlugin()
    .AddSamlConfigurationStore(options =>
        options.ConfigureDbContext = dbContextBuilder =>
            dbContextBuilder.UseSqlServer("<connection_string>",
                sqlServerOptions => sqlServerOptions.MigrationsAssembly(migrationsAssembly)));
Registering a Custom Service Provider Store
To register a custom Service Provider store implementation in IdentityServer, use the AddServiceProviderStore extension method on IIdentityServerBuilder.
services.AddIdentityServer()
    // Other configuration code removed for brevity
    .AddSamlPlugin()
    .AddServiceProviderStore<CustomServiceProviderStore>();

// When using OpenIddict, the store is registered through the builder passed to
// AddSamlPlugin instead:
options.AddSamlPlugin(builder =>
{
    // Other configuration code removed for brevity
    builder.UseServiceProviderStore<CustomServiceProviderStore>();
});
The AddServiceProviderStore method for IdentityServer takes in a generic parameter that must be a class that implements the IServiceProviderStore interface.
Artifact Data
For our SAML Identity Provider component, we provide three implementations of the ISamlArtifactStore store.
- Artifact Store that relies on IdentityServer Persisted Grants
- In-memory Artifact Store
- EntityFramework Core Artifact Store
SAML Identity Provider and SAML Service Provider components both use the ISamlArtifactStore interface, as they can both use HTTP Artifact binding to send SAML messages. If you are acting as both an Identity Provider and Service Provider, the same artifact store will be used by both IdP and SP. This means that the last registered implementation in the DI container will be utilized. You only need to register the ISamlArtifactStore once.
IdentityServer Persisted Grants Artifact Store
The SamlPersistedGrantArtifactStore relies on the IdentityServer Persisted Grants using the IPersistedGrantService. This store is registered by default when you call .AddSamlPlugin() and are using the IdentityServer framework.
In-Memory Artifact Store
This store uses an in-memory collection to store sensitive artifact exchange data. We recommend using a different implementation if you are using HTTP Artifact binding in production.
To use the in-memory artifact store, SamlInMemoryArtifactStore, with your IdentityServer, use the AddInMemorySamlArtifactStore extension on IIdentityServerBuilder. This store cannot be used with OpenIddict.
services.AddIdentityServer()
    // Other configuration code removed for brevity
    .AddSamlPlugin()
    .AddInMemorySamlArtifactStore();
EntityFramework Core Artifact Store
To use the EF artifact store with your IdentityServer, use the AddSamlArtifactStore extension on IIdentityServerBuilder. The SamlArtifactStoreOptions class contains properties that allow you to control the EF store and the underlying SamlArtifactDbContext.
var migrationsAssembly = typeof(Startup).GetTypeInfo().Assembly.GetName().Name;
services.AddIdentityServer()
    // Other configuration code removed for brevity
    .AddSamlPlugin()
    .AddSamlArtifactStore(options =>
        options.ConfigureDbContext = dbContextBuilder =>
            dbContextBuilder.UseSqlServer("<connection_string>",
                sqlServerOptions => sqlServerOptions.MigrationsAssembly(migrationsAssembly)));
To use the EF Core artifact store with OpenIddict, call the UseSamlEntityFrameworkCore method on the OpenIddictSamlBuilder class. You need to follow this with a call to the AddSamlMessageDbContext method. This method takes in a DbOptionsBuilder class, allowing you to configure the connection string, amongst other things.
Registering a Custom Artifact Store
To register a custom artifact store implementation in IdentityServer, use the AddCustomArtifactStore extension method on IIdentityServerBuilder.
services.AddIdentityServer()
    // Other configuration code removed for brevity
    .AddSamlPlugin()
    .AddCustomArtifactStore<CustomArtifactStore>();
If you wish to add a custom artifact store when using OpenIddict, call the UseCustomArtifactStore method on the OpenIddictSamlBuilder class.
Both the AddCustomArtifactStore and the UseCustomArtifactStore methods are generic and take in a class that must implement the ISamlArtifactStore interface.