DuendeSoftware
diff --git a/‎Directory.Packages.props‎
Lines changed: 1 addition & 0 deletions b/‎Directory.Packages.props‎
Lines changed: 1 addition & 0 deletions
diff --git a/‎identity-server/aspire/AppHosts/All/All.csproj‎
Lines changed: 1 addition & 0 deletions b/‎identity-server/aspire/AppHosts/All/All.csproj‎
Lines changed: 1 addition & 0 deletions
diff --git a/‎identity-server/aspire/AppHosts/All/Program.cs‎
Lines changed: 1 addition & 0 deletions b/‎identity-server/aspire/AppHosts/All/Program.cs‎
Lines changed: 1 addition & 0 deletions
diff --git a/‎identity-server/aspire/AppHosts/All/appsettings.json‎
Lines changed: 1 addition & 0 deletions b/‎identity-server/aspire/AppHosts/All/appsettings.json‎
Lines changed: 1 addition & 0 deletions
diff --git a/‎identity-server/clients/src/MvcSaml/.gitignore‎
Lines changed: 1 addition & 0 deletions b/‎identity-server/clients/src/MvcSaml/.gitignore‎
Lines changed: 1 addition & 0 deletions
diff --git a/‎identity-server/clients/src/MvcSaml/Controllers/HomeController.cs‎
Lines changed: 23 additions & 0 deletions b/‎identity-server/clients/src/MvcSaml/Controllers/HomeController.cs‎
Lines changed: 23 additions & 0 deletions
diff --git a/‎identity-server/clients/src/MvcSaml/HostingExtensions.cs‎
Lines changed: 106 additions & 0 deletions b/‎identity-server/clients/src/MvcSaml/HostingExtensions.cs‎
Lines changed: 106 additions & 0 deletions
diff --git a/‎identity-server/clients/src/MvcSaml/MvcSaml.csproj‎
Lines changed: 29 additions & 0 deletions b/‎identity-server/clients/src/MvcSaml/MvcSaml.csproj‎
Lines changed: 29 additions & 0 deletions
diff --git a/‎identity-server/clients/src/MvcSaml/Program.cs‎
Lines changed: 36 additions & 0 deletions b/‎identity-server/clients/src/MvcSaml/Program.cs‎
Lines changed: 36 additions & 0 deletions
diff --git a/‎identity-server/clients/src/MvcSaml/Properties/launchSettings.json‎
Lines changed: 12 additions & 0 deletions b/‎identity-server/clients/src/MvcSaml/Properties/launchSettings.json‎
Lines changed: 12 additions & 0 deletions
@@ -98,6 +98,7 @@
     <PackageVersion Include="SimpleFeedReader" Version="2.0.4" />
     <PackageVersion Include="Spectre.Console.Cli" Version="0.53.0" />
     <PackageVersion Include="Spectre.Console.Json" Version="0.53.0" />
+    <PackageVersion Include="Sustainsys.Saml2.AspNetCore2" Version="2.11.0" />
     <PackageVersion Include="System.IdentityModel.Tokens.Jwt" Version="8.0.1" />
     <PackageVersion Include="System.Net.Http" Version="4.3.4" />
     <PackageVersion Include="System.Text.Json" Version="10.0.0" />
 
@@ -47,6 +47,7 @@
     <ProjectReference Include="..\..\..\clients\src\MvcHybridBackChannel\MvcHybridBackChannel.csproj" />
     <ProjectReference Include="..\..\..\clients\src\MvcJarJwt\MvcJarJwt.csproj" />
     <ProjectReference Include="..\..\..\clients\src\MvcJarUriJwt\MvcJarUriJwt.csproj" />
+    <ProjectReference Include="..\..\..\clients\src\MvcSaml\MvcSaml.csproj" />
     <ProjectReference Include="..\..\..\clients\src\Web\Web.csproj" />
     <ProjectReference Include="..\..\..\clients\src\WindowsConsoleSystemBrowser\WindowsConsoleSystemBrowser.csproj" />
     <ProjectReference Include="..\..\..\hosts\AspNetIdentity10\Host.AspNetIdentity10.csproj" />
 
@@ -118,6 +118,7 @@ void ConfigureWebClients()
     RegisterClientIfEnabled<Projects.MvcHybridBackChannel>("mvc-hybrid-backchannel");
     RegisterClientIfEnabled<Projects.MvcJarJwt>("mvc-jar-jwt");
     RegisterClientIfEnabled<Projects.MvcJarUriJwt>("mvc-jar-uri-jwt");
+    RegisterClientIfEnabled<Projects.MvcSaml>("mvc-saml");
     RegisterClientIfEnabled<Projects.Web>("web");
     RegisterTemplateIfEnabled<Projects.IdentityServerTemplate>("template-is", 7001);
     RegisterTemplateIfEnabled<Projects.IdentityServerEmpty>("template-is-empty", 7002);
 
@@ -42,6 +42,7 @@
       "MvcHybridBackChannel": true,
       "MvcJarJwt": true,
       "MvcJarUriJwt": true,
+      "MvcSaml": true,
       "Web": true,
       "WindowsConsoleSystemBrowser": false
     },
 
@@ -0,0 +1 @@
+saml-sp.pfx
@@ -0,0 +1,23 @@
+// Copyright (c) Duende Software. All rights reserved.
+// See LICENSE in the project root for license information.
+
+using Microsoft.AspNetCore.Authentication;
+using Microsoft.AspNetCore.Authentication.Cookies;
+using Microsoft.AspNetCore.Authorization;
+using Microsoft.AspNetCore.Mvc;
+using Sustainsys.Saml2.AspNetCore2;
+
+namespace MvcSaml.Controllers;
+
+public class HomeController : Controller
+{
+    [AllowAnonymous]
+    public IActionResult Index() => View();
+
+    public IActionResult Secure() => View();
+
+    public IActionResult Logout() => SignOut(
+        new AuthenticationProperties { RedirectUri = "/" },
+        Saml2Defaults.Scheme,
+        CookieAuthenticationDefaults.AuthenticationScheme);
+}
@@ -0,0 +1,106 @@
+// Copyright (c) Duende Software. All rights reserved.
+// See LICENSE in the project root for license information.
+
+using System.Security.Cryptography.X509Certificates;
+using Microsoft.AspNetCore.Authentication.Cookies;
+using Sustainsys.Saml2;
+using Sustainsys.Saml2.AspNetCore2;
+using Sustainsys.Saml2.Configuration;
+using Sustainsys.Saml2.Metadata;
+
+namespace MvcSaml;
+
+internal static class HostingExtensions
+{
+    // The SP certificate is used to sign AuthnRequests and LogoutRequests sent to the IdP.
+    // Generate it with the commands in README.md, then restart both this app and the IdP host.
+    // Without the certificate, AuthnRequest signing and SP-initiated single logout are unavailable.
+    private const string SpCertificatePath = "saml-sp.pfx";
+    private const string SpCertificatePassword = "changeit";
+
+    public static WebApplication ConfigureServices(this WebApplicationBuilder builder)
+    {
+        // The IdentityServer base URL is injected by Aspire at runtime via the "is-host" environment variable.
+        var idpBaseUrl = builder.Configuration["is-host"]
+            ?? throw new InvalidOperationException("is-host configuration is required");
+
+        builder.Services.AddControllersWithViews();
+
+        var spCert = LoadSpCertificate();
+
+        builder.Services.AddAuthentication(options =>
+            {
+                options.DefaultScheme = CookieAuthenticationDefaults.AuthenticationScheme;
+                options.DefaultChallengeScheme = Saml2Defaults.Scheme;
+            })
+            .AddCookie(options =>
+            {
+                options.Cookie.Name = "mvcsaml";
+            })
+            .AddSaml2(options =>
+            {
+                // SP entity ID — must match the EntityId registered in the IdP's SamlServiceProviders config.
+                // By convention, Sustainsys uses <base-url>/Saml2 as the entity ID.
+                options.SPOptions.EntityId = new EntityId("https://localhost:44350/Saml2");
+
+                // Best practice: require the IdP to sign assertions.
+                options.SPOptions.WantAssertionsSigned = true;
+
+                if (spCert != null)
+                {
+                    // Best practice: sign AuthnRequests and LogoutRequests with the SP's certificate.
+                    // The IdP validates the signature using the public key registered in SamlServiceProviders.
+                    options.SPOptions.ServiceCertificates.Add(spCert);
+                    options.SPOptions.AuthenticateRequestSigningBehavior = SigningBehavior.Always;
+                }
+                else
+                {
+                    // No certificate available — AuthnRequest signing and SP-initiated SLO are unavailable.
+                    // See README.md for instructions on generating saml-sp.pfx.
+                    options.SPOptions.AuthenticateRequestSigningBehavior = SigningBehavior.Never;
+                }
+
+                // Load the IdP configuration from the metadata endpoint published by IdentityServer.
+                // This automatically picks up signing certificates, endpoints, and capabilities.
+                options.IdentityProviders.Add(
+                    new IdentityProvider(new EntityId(idpBaseUrl), options.SPOptions)
+                    {
+                        MetadataLocation = $"{idpBaseUrl}/saml/metadata",
+                        LoadMetadata = true
+                    });
+            });
+
+        builder.Services.AddAuthorization();
+
+        return builder.Build();
+    }
+
+    public static WebApplication ConfigurePipeline(this WebApplication app)
+    {
+        app.UseDeveloperExceptionPage();
+        app.UseHttpsRedirection();
+        app.UseStaticFiles();
+
+        app.UseRouting();
+
+        app.UseAuthentication();
+        app.UseAuthorization();
+
+        app.MapDefaultControllerRoute()
+            .RequireAuthorization();
+
+        return app;
+    }
+
+    // Returns null if the certificate file has not been generated yet.
+    // See README.md for generation instructions.
+    private static X509Certificate2 LoadSpCertificate()
+    {
+        if (!File.Exists(SpCertificatePath))
+        {
+            return null;
+        }
+
+        return X509CertificateLoader.LoadPkcs12FromFile(SpCertificatePath, SpCertificatePassword);
+    }
+}
@@ -0,0 +1,29 @@
+<Project Sdk="Microsoft.NET.Sdk.Web">
+
+  <PropertyGroup>
+    <UserSecretsId>3a8b2c1d-4e5f-6a7b-8c9d-0e1f2a3b4c5d</UserSecretsId>
+  </PropertyGroup>
+
+  <ItemGroup>
+    <None Update="saml-sp.pfx" Condition="Exists('saml-sp.pfx')">
+      <CopyToOutputDirectory>PreserveNewest</CopyToOutputDirectory>
+    </None>
+  </ItemGroup>
+
+  <ItemGroup>
+    <PackageReference Include="Sustainsys.Saml2.AspNetCore2" />
+    <PackageReference Include="Serilog.AspNetCore" />
+
+    <PackageReference Include="OpenTelemetry" />
+    <PackageReference Include="OpenTelemetry.Exporter.Console" />
+    <PackageReference Include="OpenTelemetry.Exporter.OpenTelemetryProtocol" />
+    <PackageReference Include="OpenTelemetry.Extensions.Hosting" />
+    <PackageReference Include="OpenTelemetry.Instrumentation.AspNetCore" />
+    <PackageReference Include="OpenTelemetry.Instrumentation.Http" />
+    <PackageReference Include="OpenTelemetry.Instrumentation.SqlClient" />
+
+    <ProjectReference Include="..\..\..\aspire\ServiceDefaults\ServiceDefaults.csproj" />
+    <ProjectReference Include="..\Constants\Constants.csproj" />
+  </ItemGroup>
+
+</Project>
@@ -0,0 +1,36 @@
+// Copyright (c) Duende Software. All rights reserved.
+// See LICENSE in the project root for license information.
+
+using MvcSaml;
+using Serilog;
+using Serilog.Events;
+
+Log.Logger = new LoggerConfiguration()
+    .MinimumLevel.Information()
+    .MinimumLevel.Override("MvcSaml", LogEventLevel.Debug)
+    .Enrich.FromLogContext()
+    .WriteTo.Console(outputTemplate: "[{Timestamp:HH:mm:ss} {Level}] {SourceContext}{NewLine}{Message:lj}{NewLine}{Exception}{NewLine}")
+    .CreateLogger();
+
+try
+{
+    var builder = WebApplication
+        .CreateBuilder(args);
+
+    builder
+        .AddServiceDefaults();
+
+    builder
+        .ConfigureServices()
+        .ConfigurePipeline()
+        .Run();
+}
+catch (Exception ex)
+{
+    Log.Fatal(ex, messageTemplate: "Unhandled exception");
+}
+finally
+{
+    Log.Information(messageTemplate: "Shut down complete");
+    Log.CloseAndFlush();
+}
@@ -0,0 +1,12 @@
+{
+  "profiles": {
+    "Host": {
+      "commandName": "Project",
+      "launchBrowser": true,
+      "applicationUrl": "https://localhost:44350",
+      "environmentVariables": {
+        "ASPNETCORE_ENVIRONMENT": "Development"
+      }
+    }
+  }
+}