Suomi.fi e-identification client for .NET

Depends on Sustainsys.Saml2.AspNetCore2.

Note: The client was created for a specific use case and is provided "as is". Pull requests and suggestions for generalizing the usage are welcome.

• Targets .NET Standard 2.1, see other release branches for 2.0 support
• Only HTTP Redirect binding is supported.
• Supports new AES-GCM encryption algorithm
• Supports 2 Idp certificates
• Supports 2 Service certificates

Usage example

First make sure SamlConfig is configured, for example in appsettings.json (replace ENTITYID and CERTIFICATE_NAME as necessary):

You can also add a secondary Idp certificate when You know that the Idp is about to change their signing certificate. The configuration also supports 2 service certificates.

  "Saml": {
    "Saml2EntityId": "ENTITYID",
    "Saml2SSOUrl": "https://testi.apro.tunnistus.fi/idp/profile/SAML2/Redirect/SSO",
    "Saml2SLOUrl": "https://testi.apro.tunnistus.fi/idp/profile/SAML2/Redirect/SLO",
    "Saml2IdpEntityId": "https://testi.apro.tunnistus.fi/idp1",
    "Saml2IdpCertificate": "apro-test.cer",
    "Saml2SecondaryIdpCertificate": "",
    "Saml2Certificate": "CERTIFICATE_NAME",
    "Saml2SecondaryCertificate": "",
    "Saml2CertificateStoreLocation": "CurrentUser"
  },

Add your certificate to certificate manager, for example Current user -> Personal -> Certificates. Make sure the private key is exportable. When using the standard certificate store, CERTIFICATE_NAME above must match certificate friendly name. The certificate store loading can be customized by replacing it with your own implementation of the ICertificateStore interface.

In Startup.cs:

    public void ConfigureServices(IServiceCollection services) {

      // ...

      services.Configure<SamlConfig>(Configuration.GetSection("Saml"));
      services.AddOptions();
      services.AddScoped<ICertificateStore>(x => new CertificateStore(x.GetService<IOptions<SamlConfig>>().Value));
      services.AddSuomiFiIdentificationClient();
    }

In your controller (for example SuomiFiIdentificationController):

    [AllowAnonymous]
    [HttpGet("authenticate")]
    public ActionResult AuthenticateWithSaml(Saml2Action samlAction, string language = "") {

      var returnUrl = "http://example.com/ACSPost";
      var redirectUrl = client.Authenticate(returnUrl, language, new RelayState(Saml2Action.Register, string.Empty, language));

      return new RedirectResult(redirectUrl);

    }

    [HttpPost("ACSPost")]
    public async Task<ActionResult> ACSPost(string samlResponse, string relayState = "") {

      var errorUrl = "/#/login?error=true";
      var saml2Response = validator.Validate(samlResponse, true);

      if (!saml2Response.Success) {
        return new RedirectResult(errorUrl);
      }

      var parsedState = RelayState.Parse(relayState);

      // Log in user, store session claims etc.

    }

    [HttpGet("logout")]
    public async Task<ActionResult> Logout() {
      // Fetch stored session claims to end session properly
      var sessionNameIdentifier = "";
      var sessionIndex = "";

      await HttpContext.SignOutAsync();
      var redirectUrl = client.Logout(sessionNameIdentifier, sessionIndex);

      return new RedirectResult(redirectUrl);

    }

    [HttpGet("SLORedirect")]
    public ActionResult SLORedirect(string samlResponse) {

      authStateAccessor.Delete();
      
      return new RedirectResult("/");

    }