Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

How should I implement SAMLP 2.0 in an ASP.NET MVC 4 service provider?

Tags:

I'm developing an MVC 4 web application in C# and want to handle login using an existing SAML 2.0 identity provider. I am using HTTP POST binding with SimpleSAMLphp.

It seems like, in .NET 4.5, I should be using Windows Identity Foundation. First, I tried to install the Identity and Access Tool. (I am using Visual Studio 2013, which is supposed to have this tool integrated, but VS2013's version doesn't support "re-entrancy", meaning I can't use it to add WIF support to my existing application.)

After pointing the Identity and Access Tool to my identity provider's metadata, I get this error message:

userSelection.SecurityTokenServiceMetadata.SecurityTokenServiceDescriptor

Apparently, this is the error message that indicates that SAMLP 2.0 is not supported by WIF. This seems to be distinct from SAML 2.0 tokens, which are supported (at least, this outdated documentation indicates that there was a Microsoft.IdentityModel.Tokens.Saml2 namespace).

I then discovered the WIF Extension for SAML 2.0. However, this was released in May 2011 and doesn't seem to have been touched since then. Nonetheless, I downloaded the extension and attempted to build the SamlConfigTool included in the ZIP file. The tool is a console application which informs me that:

This tool will prompt for information needed to create a metadata file that describes your relying party. It will prompt for the addresses of partner metadata files to be downloaded. Finally, it will output a file called Changes_To_Web_Config.xml that has the changes that should be made to your web site's web.config file to enable SAML protection.

After entering my entity ID and SAML endpoint, the SamlConfigTool promptly crashed. Okay, maybe I don't need to use the configuration tool and I can just copy what's done in the sample ServiceProvider VS project. After migration, I'm able to open the project in VS2012, but it's not clear to me exactly how it works — it doesn't seem to contain any C# code, just new entries in Web.config. It's not clear to me how I should adapt this configuration to replace the custom login code in my MVC 4 app, and in any case relying on a dead library from 3 years ago doesn't seem like a great idea.

So, what is the best way to implement SAML 2.0 in ASP.NET MVC 4? I'm currently decoding, encoding, parsing and compressing XML by hand and it feels like there should be an easier way.

like image 821
sjy Avatar asked Feb 25 '14 04:02

sjy


People also ask

How can we implement SAML in ASP NET MVC?

To configure ASP. NET SAML Module as Service Provider, Go to the miniOrange ASP. NET SAML SSO module -> Click on Upload IDP Metadata -> Paste the copied metadata Url from your Idp -> Select Fetch Metadata -> Save.


2 Answers

You're right in that WIF (now moved into core .NET under System.IdentityModel) only supports the SAML2 tokens and not the SAML2 protocols required to implement a service provider.

Kentor.AuthServices is an open source SP implementation for ASP.NET MVC built on top of .NET 4.5. Install the package and add some settings in web.config - no coding required.

Disclaimer: I'm the author of Kentor.AuthServices

like image 142
Anders Abel Avatar answered Sep 27 '22 20:09

Anders Abel


As far as I know there is no support for SAML2P in WIF yet. I would suggest you implement it yourself.

You could use a library that implements SAML2P and use it in your MVC project. Some of the libraries you could use are OIOSAML.NET or commercial ComponentPro SAML.

Or there is an option to set an intermediate IAM. From MVC you set ideneity provider as this intermediate IAM using ws-* protocol (standard way implemented in visual studio). This IAM should be configured to relay your authentication messages to the IDP you want to use with SAML2P. After authenticating the user the IAM would only transform the claims and issue a new token that you MVC application trusts. Try to look at Shibboleth or ThinkTecture IdentityServer v2 (but the second does not implement SAML2P so you would have to add the support yourself). Or you could use ADFS2.

like image 22
pepo Avatar answered Sep 27 '22 22:09

pepo