---
title: SAML 2.0 Identity Provider
description: Overview of IdentityServer's SAML 2.0 Identity Provider support for issuing SAML assertions to enterprise Service Providers.
date: 2026-03-02
sidebar:
  label: Overview
  order: 1
---

Added in 8.0 (prerelease)

IdentityServer can act as a SAML 2.0 Identity Provider (IdP), issuing SAML assertions to Service Providers (SPs). This enables integration with enterprise applications and legacy systems that use the SAML 2.0 protocol rather than OAuth 2.0 / OpenID Connect.

## When to Use SAML 2.0

SAML 2.0 support is useful when:

- You need to integrate with enterprise SaaS applications that require SAML (e.g., Salesforce, Workday, ServiceNow)
- You are migrating from a legacy SSO system that uses SAML
- Your organization has compliance or procurement requirements for SAML-based federation

For new integrations, OpenID Connect is recommended. SAML 2.0 support is provided for interoperability with existing SAML-based systems.

If you are new to SAML 2.0 or want a refresher on the protocol's core building blocks, see SAML 2.0 Concepts for an overview of assertions, bindings, metadata, Name Identifiers, and other key concepts before diving into configuration.

## Quick Setup

### 1. Register SAML Services

Call `AddSaml()` on the IdentityServer builder:

```csharp
// Program.cs
builder.Services.AddIdentityServer()
    .AddSaml(); // registers the SAML 2.0 IdP services and endpoints
```

This enables all SAML endpoints except IdP-initiated SSO (which requires explicit opt-in).

### 2. Register Service Providers

Register your SAML Service Providers using the in-memory store (for development/testing) or a custom `ISamlServiceProviderStore` implementation (for production):

```csharp
// Program.cs
builder.Services.AddIdentityServer()
    .AddSaml()
    // In-memory store: fine for development/testing; use an
    // ISamlServiceProviderStore implementation in production.
    .AddInMemorySamlServiceProviders(new[]
    {
        new SamlServiceProvider
        {
            EntityId = "https://sp.example.com",          // the SP's <saml:Issuer>
            DisplayName = "Example SP",
            AssertionConsumerServiceUrls = new[] { new Uri("https://sp.example.com/acs") },
            AssertionConsumerServiceBinding = SamlBinding.HttpPost,
        }
    });
```

### 3. Protocol Type (Optional)

SAML 2.0 requests are identified by the protocol type constant `IdentityServerConstants.ProtocolTypes.Saml2p` (`"saml2p"`). Nothing needs to be set for the default setup; the constant is what appears in logging and discovery, and what your own code compares against in extensibility hooks that need to tell SAML traffic apart from OAuth 2.0 / OpenID Connect traffic.
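The `AssertionConsumerServiceUrls` list registered in step 2 is the IdP's only ground truth for where a signed assertion may be delivered. An AuthnRequest can carry its own `AssertionConsumerServiceURL` attribute, and an IdP that honours an unregistered value would hand a victim's assertion to whatever host the attacker named. The following is an added, stand-alone C# example of that check, written for this page; it is not IdentityServer's code, does not use its types, and says nothing about how IdentityServer itself performs the comparison. `SpRecord`, `AcsResolver` and `ResolveAcs` are hypothetical names, and the SP entry and request values are constructed sample data.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;

// Hypothetical stand-in for a registered Service Provider: only the two fields the check needs.
public record SpRecord(string EntityId, IReadOnlyList<Uri> AssertionConsumerServiceUrls);

public static class AcsResolver
{
    // Returns the ACS URL the assertion may be POSTed to, or null if the request must be rejected.
    // issuer       : the <saml:Issuer> of the AuthnRequest (the SP's EntityId)
    // requestedAcs : the AuthnRequest's AssertionConsumerServiceURL attribute, if present
    public static Uri? ResolveAcs(IEnumerable<SpRecord> store, string issuer, string? requestedAcs)
    {
        // EntityIds are opaque identifiers: compare them byte-for-byte, not "as URLs".
        var sp = store.FirstOrDefault(s => string.Equals(s.EntityId, issuer, StringComparison.Ordinal));
        if (sp is null || sp.AssertionConsumerServiceUrls.Count == 0)
            return null; // unknown SP (or nothing registered for it): never mint an assertion

        // No ACS in the request: fall back to the first registered URL (the SP's default endpoint).
        if (string.IsNullOrEmpty(requestedAcs))
            return sp.AssertionConsumerServiceUrls[0];

        // Parse before comparing so ".." segments and percent-encoding are normalised,
        // then insist on https: a signed assertion must not travel over plaintext HTTP.
        if (!Uri.TryCreate(requestedAcs, UriKind.Absolute, out var candidate)
            || candidate.Scheme != Uri.UriSchemeHttps)
            return null;

        // Exact match against the registered list. Uri equality compares scheme, host, port,
        // path and query (fragment and user info are ignored), so neither a traversal
        // ("https://sp.example.com/acs/../evil" normalises to /evil) nor a look-alike host
        // ("https://sp.example.com.attacker.net/acs") matches a registered entry.
        return sp.AssertionConsumerServiceUrls.FirstOrDefault(registered => registered == candidate);
    }
}

public static class Program
{
    public static void Main()
    {
        // Constructed sample registration, mirroring the in-memory SP registered in step 2.
        var store = new[]
        {
            new SpRecord("https://sp.example.com", new[] { new Uri("https://sp.example.com/acs") }),
        };

        // Constructed AssertionConsumerServiceURL values as an AuthnRequest might present them.
        string[] candidates =
        {
            "https://sp.example.com/acs",              // registered: accepted
            "https://sp.example.com/acs/../evil",      // normalises to /evil: rejected
            "https://sp.example.com.attacker.net/acs", // look-alike host: rejected
            "http://sp.example.com/acs",               // plaintext scheme: rejected
        };

        foreach (var acs in candidates)
        {
            var result = AcsResolver.ResolveAcs(store, "https://sp.example.com", acs);
            Console.WriteLine($"{acs,-45} -> {(result is null ? "REJECT" : "deliver to " + result)}");
        }

        // An Issuer that is not registered is rejected regardless of the ACS it asks for.
        var unknown = AcsResolver.ResolveAcs(store, "https://unknown.example.net", "https://sp.example.com/acs");
        Console.WriteLine($"unknown issuer -> {(unknown is null ? "REJECT" : "deliver")}");
    }
}
```

Rejecting on mismatch rather than silently substituting the registered URL is deliberate: a request that names an ACS outside the registered set is either a misconfigured SP or an attack in progress, and both should fail closed so the problem surfaces in logs instead of being papered over.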

## Protocol Endpoints

SAML 2.0 endpoints are registered under the `/saml` path prefix:

| Endpoint          | Path                    |
|-------------------|-------------------------|
| Metadata          | `/saml/metadata`        |
| Sign-in           | `/saml/signin`          |
| Sign-in Callback  | `/saml/signin_callback` |
| IdP-initiated SSO | `/saml/idp-initiated`   |
| Logout            | `/saml/logout`          |
| Logout Callback   | `/saml/logout_callback` |

See SAML Endpoints for full details.