Merge pull request #2376 from DuendeSoftware/beh/saml-stores

ISamlServiceProviderStore Enhancments

Author: Erwinvandervalk

identity-server/src/EntityFramework.Storage/DbContexts/ConfigurationDbContext.cs

@@ -102,6 +102,14 @@ public ConfigurationDbContext(DbContextOptions<TContext> options)
     /// </value>
     public DbSet<IdentityProvider> IdentityProviders { get; set; }
 
+    /// <summary>
+    /// Gets or sets the SAML service providers.
+    /// </summary>
+    /// <value>
+    /// The SAML service providers.
+    /// </value>
+    public DbSet<SamlServiceProvider> SamlServiceProviders { get; set; }
+
     /// <summary>
     /// Override this method to further configure the model that was discovered by convention from the entity types
     /// exposed in <see cref="Microsoft.EntityFrameworkCore.DbSet{T}" /> properties on your derived context. The resulting model may be cached
@@ -130,6 +138,7 @@ protected override void OnModelCreating(ModelBuilder modelBuilder)
         modelBuilder.ConfigureClientContext(StoreOptions);
         modelBuilder.ConfigureResourcesContext(StoreOptions);
         modelBuilder.ConfigureIdentityProviderContext(StoreOptions);
+        modelBuilder.ConfigureSamlServiceProviderContext(StoreOptions);
 
         base.OnModelCreating(modelBuilder);
     }

identity-server/src/EntityFramework.Storage/Entities/SamlServiceProvider.cs

@@ -0,0 +1,49 @@
+// Copyright (c) Duende Software. All rights reserved.
+// See LICENSE in the project root for license information.
+
+#pragma warning disable 1591
+
+namespace Duende.IdentityServer.EntityFramework.Entities;
+
+public class SamlServiceProvider
+{
+    public int Id { get; set; }
+    public string EntityId { get; set; }
+    public string DisplayName { get; set; }
+    public string Description { get; set; }
+    public bool Enabled { get; set; } = true;
+
+    // TimeSpan? stored as ticks
+    public long? ClockSkewTicks { get; set; }
+    public long? RequestMaxAgeTicks { get; set; }
+
+    // ACS binding (enum stored as int)
+    public int AssertionConsumerServiceBinding { get; set; }
+
+    // SLO endpoint (flattened from SamlEndpointType?)
+    public string SingleLogoutServiceUrl { get; set; }
+    public int? SingleLogoutServiceBinding { get; set; }
+
+    public bool RequireSignedAuthnRequests { get; set; }
+    public bool EncryptAssertions { get; set; }
+    public bool RequireConsent { get; set; }
+    public bool AllowIdpInitiated { get; set; }
+
+    public string DefaultNameIdFormat { get; set; } = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified";
+    public string DefaultPersistentNameIdentifierClaimType { get; set; }
+
+    // SamlSigningBehavior? stored as int?
+    public int? SigningBehavior { get; set; }
+
+    // Navigation properties
+    public List<SamlServiceProviderAssertionConsumerService> AssertionConsumerServiceUrls { get; set; }
+    public List<SamlServiceProviderSigningCertificate> SigningCertificates { get; set; }
+    public List<SamlServiceProviderEncryptionCertificate> EncryptionCertificates { get; set; }
+    public List<SamlServiceProviderClaimMapping> ClaimMappings { get; set; }
+
+    // Audit fields (matching Client entity pattern)
+    public DateTime Created { get; set; } = DateTime.UtcNow;
+    public DateTime? Updated { get; set; }
+    public DateTime? LastAccessed { get; set; }
+    public bool NonEditable { get; set; }
+}

identity-server/src/EntityFramework.Storage/Entities/SamlServiceProviderAssertionConsumerService.cs

@@ -0,0 +1,14 @@
+// Copyright (c) Duende Software. All rights reserved.
+// See LICENSE in the project root for license information.
+
+#pragma warning disable 1591
+
+namespace Duende.IdentityServer.EntityFramework.Entities;
+
+public class SamlServiceProviderAssertionConsumerService
+{
+    public int Id { get; set; }
+    public string Url { get; set; }
+    public int SamlServiceProviderId { get; set; }
+    public SamlServiceProvider SamlServiceProvider { get; set; }
+}

identity-server/src/EntityFramework.Storage/Entities/SamlServiceProviderClaimMapping.cs

@@ -0,0 +1,21 @@
+// Copyright (c) Duende Software. All rights reserved.
+// See LICENSE in the project root for license information.
+
+#pragma warning disable 1591
+
+namespace Duende.IdentityServer.EntityFramework.Entities;
+
+public class SamlServiceProviderClaimMapping
+{
+    public int Id { get; set; }
+    /// <summary>
+    /// The claim type (dictionary key).
+    /// </summary>
+    public string ClaimType { get; set; }
+    /// <summary>
+    /// The SAML attribute name (dictionary value).
+    /// </summary>
+    public string SamlAttributeName { get; set; }
+    public int SamlServiceProviderId { get; set; }
+    public SamlServiceProvider SamlServiceProvider { get; set; }
+}

identity-server/src/EntityFramework.Storage/Entities/SamlServiceProviderEncryptionCertificate.cs

@@ -0,0 +1,17 @@
+// Copyright (c) Duende Software. All rights reserved.
+// See LICENSE in the project root for license information.
+
+#pragma warning disable 1591
+
+namespace Duende.IdentityServer.EntityFramework.Entities;
+
+public class SamlServiceProviderEncryptionCertificate
+{
+    public int Id { get; set; }
+    /// <summary>
+    /// Base64-encoded DER (raw bytes) of the X.509 certificate.
+    /// </summary>
+    public string Data { get; set; }
+    public int SamlServiceProviderId { get; set; }
+    public SamlServiceProvider SamlServiceProvider { get; set; }
+}

identity-server/src/EntityFramework.Storage/Entities/SamlServiceProviderSigningCertificate.cs

@@ -0,0 +1,17 @@
+// Copyright (c) Duende Software. All rights reserved.
+// See LICENSE in the project root for license information.
+
+#pragma warning disable 1591
+
+namespace Duende.IdentityServer.EntityFramework.Entities;
+
+public class SamlServiceProviderSigningCertificate
+{
+    public int Id { get; set; }
+    /// <summary>
+    /// Base64-encoded DER (raw bytes) of the X.509 certificate.
+    /// </summary>
+    public string Data { get; set; }
+    public int SamlServiceProviderId { get; set; }
+    public SamlServiceProvider SamlServiceProvider { get; set; }
+}

identity-server/src/EntityFramework.Storage/Extensions/ModelBuilderExtensions.cs

@@ -391,4 +391,76 @@ public static void ConfigureIdentityProviderContext(this ModelBuilder modelBuild
             entity.HasIndex(x => x.Scheme).IsUnique();
         });
     }
+
+    /// <summary>
+    /// Configures the SAML service provider context.
+    /// </summary>
+    /// <param name="modelBuilder">The model builder.</param>
+    /// <param name="storeOptions">The store options.</param>
+    public static void ConfigureSamlServiceProviderContext(this ModelBuilder modelBuilder, ConfigurationStoreOptions storeOptions)
+    {
+        if (!string.IsNullOrWhiteSpace(storeOptions.DefaultSchema))
+        {
+            modelBuilder.HasDefaultSchema(storeOptions.DefaultSchema);
+        }
+
+        modelBuilder.Entity<SamlServiceProvider>(sp =>
+        {
+            sp.ToTable(storeOptions.SamlServiceProvider);
+            sp.HasKey(x => x.Id);
+
+            sp.Property(x => x.EntityId).HasMaxLength(200).IsRequired();
+            sp.Property(x => x.DisplayName).HasMaxLength(200);
+            sp.Property(x => x.Description).HasMaxLength(1000);
+            sp.Property(x => x.DefaultNameIdFormat).HasMaxLength(500);
+            sp.Property(x => x.DefaultPersistentNameIdentifierClaimType).HasMaxLength(500);
+            sp.Property(x => x.SingleLogoutServiceUrl).HasMaxLength(2000);
+
+            sp.HasIndex(x => x.EntityId).IsUnique();
+
+            sp.HasMany(x => x.AssertionConsumerServiceUrls)
+                .WithOne(x => x.SamlServiceProvider)
+                .HasForeignKey(x => x.SamlServiceProviderId).IsRequired().OnDelete(DeleteBehavior.Cascade);
+            sp.HasMany(x => x.SigningCertificates)
+                .WithOne(x => x.SamlServiceProvider)
+                .HasForeignKey(x => x.SamlServiceProviderId).IsRequired().OnDelete(DeleteBehavior.Cascade);
+            sp.HasMany(x => x.EncryptionCertificates)
+                .WithOne(x => x.SamlServiceProvider)
+                .HasForeignKey(x => x.SamlServiceProviderId).IsRequired().OnDelete(DeleteBehavior.Cascade);
+            sp.HasMany(x => x.ClaimMappings)
+                .WithOne(x => x.SamlServiceProvider)
+                .HasForeignKey(x => x.SamlServiceProviderId).IsRequired().OnDelete(DeleteBehavior.Cascade);
+        });
+
+        modelBuilder.Entity<SamlServiceProviderAssertionConsumerService>(acs =>
+        {
+            acs.ToTable(storeOptions.SamlServiceProviderAssertionConsumerService);
+            acs.HasKey(x => x.Id);
+            acs.Property(x => x.Url).HasMaxLength(2000).IsRequired();
+            acs.HasIndex(x => new { x.SamlServiceProviderId, x.Url }).IsUnique();
+        });
+
+        modelBuilder.Entity<SamlServiceProviderSigningCertificate>(cert =>
+        {
+            cert.ToTable(storeOptions.SamlServiceProviderSigningCertificate);
+            cert.HasKey(x => x.Id);
+            cert.Property(x => x.Data).HasMaxLength(4000).IsRequired();
+        });
+
+        modelBuilder.Entity<SamlServiceProviderEncryptionCertificate>(cert =>
+        {
+            cert.ToTable(storeOptions.SamlServiceProviderEncryptionCertificate);
+            cert.HasKey(x => x.Id);
+            cert.Property(x => x.Data).HasMaxLength(4000).IsRequired();
+        });
+
+        modelBuilder.Entity<SamlServiceProviderClaimMapping>(mapping =>
+        {
+            mapping.ToTable(storeOptions.SamlServiceProviderClaimMapping);
+            mapping.HasKey(x => x.Id);
+            mapping.Property(x => x.ClaimType).HasMaxLength(250).IsRequired();
+            mapping.Property(x => x.SamlAttributeName).HasMaxLength(250).IsRequired();
+            mapping.HasIndex(x => new { x.SamlServiceProviderId, x.ClaimType }).IsUnique();
+        });
+    }
 }

identity-server/src/EntityFramework.Storage/Interfaces/IConfigurationDbContext.cs

@@ -63,6 +63,14 @@ public interface IConfigurationDbContext : IDisposable
     /// </value>
     DbSet<IdentityProvider> IdentityProviders { get; set; }
 
+    /// <summary>
+    /// Gets or sets the SAML service providers.
+    /// </summary>
+    /// <value>
+    /// The SAML service providers.
+    /// </value>
+    DbSet<SamlServiceProvider> SamlServiceProviders { get; set; }
+
     /// <summary>
     /// Saves the changes.
     /// </summary>

identity-server/src/EntityFramework.Storage/Mappers/SamlServiceProviderMappers.cs

@@ -0,0 +1,106 @@
+// Copyright (c) Duende Software. All rights reserved.
+// See LICENSE in the project root for license information.
+
+using System.Security.Cryptography.X509Certificates;
+using Duende.IdentityServer.EntityFramework.Entities;
+using Duende.IdentityServer.Models;
+
+namespace Duende.IdentityServer.EntityFramework.Mappers;
+
+/// <summary>
+/// Extension methods to map to/from entity/model for SAML service providers.
+/// </summary>
+public static class SamlServiceProviderMappers
+{
+    /// <summary>
+    /// Maps an entity to a model.
+    /// </summary>
+    /// <param name="entity">The entity.</param>
+    /// <returns></returns>
+    public static Models.SamlServiceProvider ToModel(this Entities.SamlServiceProvider entity) =>
+        new Models.SamlServiceProvider
+        {
+            EntityId = entity.EntityId,
+            DisplayName = entity.DisplayName,
+            Description = entity.Description,
+            Enabled = entity.Enabled,
+            ClockSkew = entity.ClockSkewTicks.HasValue
+                ? TimeSpan.FromTicks(entity.ClockSkewTicks.Value) : null,
+            RequestMaxAge = entity.RequestMaxAgeTicks.HasValue
+                ? TimeSpan.FromTicks(entity.RequestMaxAgeTicks.Value) : null,
+            AssertionConsumerServiceBinding = (SamlBinding)entity.AssertionConsumerServiceBinding,
+            AssertionConsumerServiceUrls = entity.AssertionConsumerServiceUrls?
+                .Select(a => new Uri(a.Url)).ToHashSet() ?? new HashSet<Uri>(),
+            SingleLogoutServiceUrl = entity.SingleLogoutServiceUrl != null
+                ? new SamlEndpointType
+                {
+                    Location = new Uri(entity.SingleLogoutServiceUrl),
+                    Binding = (SamlBinding)entity.SingleLogoutServiceBinding!.Value
+                } : null,
+            RequireSignedAuthnRequests = entity.RequireSignedAuthnRequests,
+#pragma warning disable SYSLIB0057 // Type or member is obsolete
+            // TODO - Use X509CertificateLoader in a future release (when we drop NET8 support)
+            SigningCertificates = entity.SigningCertificates?
+                .Select(c => new X509Certificate2(Convert.FromBase64String(c.Data))).ToList(),
+            EncryptionCertificates = entity.EncryptionCertificates?
+                .Select(c => new X509Certificate2(Convert.FromBase64String(c.Data))).ToList(),
+#pragma warning restore SYSLIB0057 // Type or member is obsolete
+            EncryptAssertions = entity.EncryptAssertions,
+            RequireConsent = entity.RequireConsent,
+            AllowIdpInitiated = entity.AllowIdpInitiated,
+            ClaimMappings = entity.ClaimMappings?
+                .ToDictionary(m => m.ClaimType, m => m.SamlAttributeName)
+                ?? new Dictionary<string, string>(),
+            DefaultNameIdFormat = entity.DefaultNameIdFormat,
+            DefaultPersistentNameIdentifierClaimType = entity.DefaultPersistentNameIdentifierClaimType,
+            SigningBehavior = entity.SigningBehavior.HasValue
+                ? (SamlSigningBehavior)entity.SigningBehavior.Value : null,
+        };
+
+    /// <summary>
+    /// Maps a model to an entity.
+    /// </summary>
+    /// <param name="model">The model.</param>
+    /// <returns></returns>
+    public static Entities.SamlServiceProvider ToEntity(this Models.SamlServiceProvider model) =>
+        new Entities.SamlServiceProvider
+        {
+            EntityId = model.EntityId,
+            DisplayName = model.DisplayName,
+            Description = model.Description,
+            Enabled = model.Enabled,
+            ClockSkewTicks = model.ClockSkew?.Ticks,
+            RequestMaxAgeTicks = model.RequestMaxAge?.Ticks,
+            AssertionConsumerServiceBinding = (int)model.AssertionConsumerServiceBinding,
+            AssertionConsumerServiceUrls = model.AssertionConsumerServiceUrls?
+                .Select(u => new SamlServiceProviderAssertionConsumerService { Url = u.AbsoluteUri })
+                .ToList() ?? new List<SamlServiceProviderAssertionConsumerService>(),
+            SingleLogoutServiceUrl = model.SingleLogoutServiceUrl?.Location.AbsoluteUri,
+            SingleLogoutServiceBinding = model.SingleLogoutServiceUrl != null
+                ? (int)model.SingleLogoutServiceUrl.Binding : null,
+            RequireSignedAuthnRequests = model.RequireSignedAuthnRequests,
+            SigningCertificates = model.SigningCertificates?
+                .Select(c => new SamlServiceProviderSigningCertificate
+                {
+                    Data = Convert.ToBase64String(c.RawData)
+                }).ToList() ?? new List<SamlServiceProviderSigningCertificate>(),
+            EncryptionCertificates = model.EncryptionCertificates?
+                .Select(c => new SamlServiceProviderEncryptionCertificate
+                {
+                    Data = Convert.ToBase64String(c.RawData)
+                }).ToList() ?? new List<SamlServiceProviderEncryptionCertificate>(),
+            EncryptAssertions = model.EncryptAssertions,
+            RequireConsent = model.RequireConsent,
+            AllowIdpInitiated = model.AllowIdpInitiated,
+            ClaimMappings = model.ClaimMappings?
+                .Select(kvp => new SamlServiceProviderClaimMapping
+                {
+                    ClaimType = kvp.Key,
+                    SamlAttributeName = kvp.Value
+                }).ToList() ?? new List<SamlServiceProviderClaimMapping>(),
+            DefaultNameIdFormat = model.DefaultNameIdFormat,
+            DefaultPersistentNameIdentifierClaimType = model.DefaultPersistentNameIdentifierClaimType,
+            SigningBehavior = model.SigningBehavior.HasValue
+                ? (int)model.SigningBehavior.Value : null,
+        };
+}

identity-server/src/EntityFramework.Storage/Options/ConfigurationStoreOptions.cs

@@ -213,6 +213,35 @@ public class ConfigurationStoreOptions
     /// </summary>
     public TableConfiguration IdentityProvider { get; set; } = new TableConfiguration("IdentityProviders");
 
+    /// <summary>
+    /// Gets or sets the SAML service providers table configuration.
+    /// </summary>
+    public TableConfiguration SamlServiceProvider { get; set; } = new TableConfiguration("SamlServiceProviders");
+
+    /// <summary>
+    /// Gets or sets the SAML service provider assertion consumer services table configuration.
+    /// </summary>
+    public TableConfiguration SamlServiceProviderAssertionConsumerService { get; set; } =
+        new TableConfiguration("SamlServiceProviderAssertionConsumerServices");
+
+    /// <summary>
+    /// Gets or sets the SAML service provider signing certificates table configuration.
+    /// </summary>
+    public TableConfiguration SamlServiceProviderSigningCertificate { get; set; } =
+        new TableConfiguration("SamlServiceProviderSigningCertificates");
+
+    /// <summary>
+    /// Gets or sets the SAML service provider encryption certificates table configuration.
+    /// </summary>
+    public TableConfiguration SamlServiceProviderEncryptionCertificate { get; set; } =
+        new TableConfiguration("SamlServiceProviderEncryptionCertificates");
+
+    /// <summary>
+    /// Gets or sets the SAML service provider claim mappings table configuration.
+    /// </summary>
+    public TableConfiguration SamlServiceProviderClaimMapping { get; set; } =
+        new TableConfiguration("SamlServiceProviderClaimMappings");
+
     /// <summary>
     /// Gets or set if EF DbContext pooling is enabled.
     /// </summary>