Using Kentor.AuthServices.StubIdp as production IDP

I'm trying to implement an IDP (SAML2) server inside my application. I don't want any of my partners to ask our customers to register on their side given the fact that my application has all the data needed.

I'm not very familiar with the SAML2 protocol. I found the project Kentor.AuthServices.StubIdp to be the most interesting because it implements everything I need. I'm also aware that it's not built for production purposes.

I planned to build the IDP on top of StubIdp, because I can't afford pricey solutions like ComponentPro.

Are there better alternatives? Is building on top of StubIdp a good idea?

Gabriel Robert Avatar asked Nov 12 '15 20:11



1 Answer

SAML2 login can be done in two ways:

  1. SP-initiated, where the SP sends an AuthnRequest to the Idp and the Idp answers with a SamlResponse.
  2. Idp-initiated, where the Idp sends an unsolicited SamlResponse.

Kentor.AuthServices (the library that drives the StubIdp) contains everything needed for Idp-initiated logins. Look in the Stub Idp source for how it's done.

Doing SP-initiated login correctly is more complicated as the Idp should do some validation on the incoming AuthnRequest. Those validations are completely missing in the Stub Idp (that's kind of the idea for a testing environment). Implementing SP-initiated login is definitely possible, but to do it securely a lot more work is needed.

Anders Abel Avatar answered Oct 23 '22 04:10

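The validation the answer says the Stub Idp leaves out, as an added example that is not Kentor.AuthServices code: a Python sketch of the checks an IdP applies to an incoming SP-initiated AuthnRequest (issuer registered out of band, Destination and AssertionConsumerServiceURL match the registration, IssueInstant within clock skew, request ID not replayed). The IdP endpoint, SP registry, sample request and "current time" are constructed for illustration.

```python
# Added example, not Kentor.AuthServices code: the checks an IdP should run on an incoming
# SP-initiated AuthnRequest. The endpoint, SP registry, sample request and clock are constructed.
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
IDP_SSO_URL = "https://idp.example.test/saml/sso"  # hypothetical IdP SSO endpoint
REGISTERED_SPS = {  # SP entityID -> its AssertionConsumerService URL, agreed out of band
    "https://partner.example.test/sp": "https://partner.example.test/saml/acs",
}
MAX_SKEW = timedelta(minutes=5)
def validate_authn_request(xml_text, now, seen_ids):
    # Returns (ok, reason); seen_ids is a set used to reject replayed request IDs.
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}AuthnRequest" % SAMLP:
        return False, "not an AuthnRequest"
    # 1. Only SPs registered out of band may request logins.
    issuer_el = root.find("{%s}Issuer" % SAML)
    issuer = (issuer_el.text or "").strip() if issuer_el is not None else ""
    if issuer not in REGISTERED_SPS:
        return False, "unknown issuer"
    # 2. The request must have been addressed to this IdP.
    if root.get("Destination") != IDP_SSO_URL:
        return False, "wrong destination"
    # 3. Respond only to the ACS registered for that SP, never to a URL the request supplies.
    acs = root.get("AssertionConsumerServiceURL")
    if acs is not None and acs != REGISTERED_SPS[issuer]:
        return False, "ACS URL does not match registration"
    # 4. Reject stale or future-dated requests, allowing bounded clock skew.
    try:
        issued = datetime.fromisoformat(root.get("IssueInstant", "").replace("Z", "+00:00"))
    except ValueError:
        return False, "bad IssueInstant"
    if abs(now - issued) > MAX_SKEW:
        return False, "IssueInstant outside allowed skew"
    # 5. Reject a request ID already seen (replay).
    req_id = root.get("ID", "")
    if not req_id or req_id in seen_ids:
        return False, "missing or replayed ID"
    seen_ids.add(req_id)
    return True, "ok"
# Constructed sample request from the registered SP, and a constructed "current time".
SAMPLE_REQUEST = (
    '<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_req1" Version="2.0" '
    'IssueInstant="2015-11-12T20:00:00Z" Destination="https://idp.example.test/saml/sso" '
    'AssertionConsumerServiceURL="https://partner.example.test/saml/acs">'
    "<saml:Issuer>https://partner.example.test/sp</saml:Issuer></samlp:AuthnRequest>"
)
NOW = datetime(2015, 11, 12, 20, 1, tzinfo=timezone.utc)
```

A production IdP would additionally verify the request signature where the SP signs its requests, and would persist the seen-ID set across processes rather than keeping it in memory.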