Federation Configuration

The Federation section defines the configuration settings that are specific to the library itself. These settings include the following:

Element Use
SigningCertificate Specifies the certificate information for the application to use for signing purposes on SAML requests
AllowedAudienceUris Sets the allowed audiences for SAML requests between the Identity Provider and the Service Provider. This value must be a well-formed URI
Actions Specifies the Actions that SAML2 should take after receiving a valid response from the Identity Provider. Typically, this will include the built in SamlPrincipalAction, your own implementation of IAction for logging the user into your own system, and the built in RedirectAction to redirect the user to the correct location after authentication.


The SigningCertificate element allows for specifying the certificate and store on the hosting server from which to pull the certificate used for signing / encryption, etc.

It allows the following attributes:

Attribute Use
findValue The value to use when searching for the certificate using the designated x509FindType
storeLocation The certificate store location. Can be any of the values specified in the StoreLocation:http://msdn.microsoft.com/en-us/library/system.security.cryptography.x509certificates.storelocation.aspx enumeration. Typically, "LocalMachine".
storeName The certificate store name. Can be any of the values specified in the StoreName:http://msdn.microsoft.com/en-us/library/system.security.cryptography.x509certificates.storename.aspx enumeration. Typically, "My".
x509FindType The method by which to identify the certificate. Can be any of the values specified in the X509FindType enumeration.

It is important to note that the application must have access to the private key of the certificate in the key store. This can be done from mmc.exe and the Certificates snap-in. The private key permissions must be set to allow Read permissions for the identity the App Pool is running under. On IIS7+, this could be the IIS_IUSRS group if you are not running the App Pool under a different identity.


The AllowedAudienceUris element sets the SAML AudienceRestrictions values. This must contain at least the ID of the Service Provider. The subelement "Audience" must be a well formed URI, but does not have to be a URL (e.g. you could use SP IDs such as "urn:###:production:www.example.com:443" or any other valid URI here as well).




The Actions element specifies the actual actions to take after a successful SAML response has been received. There are three built in actions.

Action Purpose
SamlPrincipalAction Sets the SamlPrincipal on the current HTTP context. This is how SAML2 stores the returned attributes from the SAML response.
RedirectAction Handles the redirect after a successful SAML response has been processed using the specified URLs in the ServiceProvider Endpoints, or the returnUrl specified by a MembershipProvider instance prior to initializing the SAML request.
CDCRedirectAction (Optional) Handles Common Domain Cookie redirects after a successful SAML response has been processed.

Custom actions can be injected into this collection to do other things in your own application as necessary (e.g. using the attributes passed back to look up a local user and log them in via forms authentication, etc.). Any action must implement SAML2.Actions.IAction.


  <Federation xdt:Transform="Insert">
      <add name="SetSamlPrincipal" type="SAML2.Actions.SamlPrincipalAction, SAML2" />
      <add name="CustomAuthentication" type="MyProject.CustomAuthenticationAction, MyProject" />
      <add name="Redirect" type="SAML2.Actions.RedirectAction, SAML2" />

Last edited Aug 1, 2013 at 10:07 PM by i8beef, version 5


No comments yet.