An Open Source ASP.NET SAML2 Service Provider

I’m happy to announce an open source ASP.NET SAML2 Service Provider. SAML2 is a common standard for single sign on in enterprise environments. A Service Provider (SP) in SAML2 is a web site that lets users log on through a SAML2 Identity Provider (IdP). Implementing a Service Provider means issuing authentication requests (AuthnRequest) to the IdP and handling the response the IdP sends back.
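The request side of that flow, as an added example that is not part of the original post and not code from Kentor.AuthServices: a minimal AuthnRequest, the record of its ID that the response handler later needs for the InResponseTo check, and the encoding used by the HTTP-Redirect binding. The entity IDs, URLs and class names are invented for the example, and it assumes .NET 6 or later.

```csharp
// Added example, not code from Kentor.AuthServices: what an SP does at the start
// of the SAML2 Web SSO flow. Builds a minimal AuthnRequest, records its ID so the
// ACS handler can check InResponseTo later, and encodes the request for the
// HTTP-Redirect binding. All names and URLs are hypothetical; assumes .NET 6+.
using System;
using System.Collections.Generic;
using System.IO;
using System.IO.Compression;
using System.Net;
using System.Text;
using System.Xml;

public static class AuthnRequestBuilder
{
    // IDs of requests we have sent and not yet seen a Response for. The ACS
    // handler must remove an entry the first time it is used, so a Response that
    // is presented again (for instance via the browser's back button) is rejected.
    public static readonly HashSet<string> OutstandingRequestIds = new HashSet<string>();

    public static string Build(string spEntityId, string acsUrl, string idpSsoUrl,
                               DateTime issueInstantUtc, out string requestId)
    {
        // The ID is an xs:ID and may not start with a digit, hence the prefix.
        requestId = "_" + Guid.NewGuid().ToString("N");
        OutstandingRequestIds.Add(requestId);

        var sb = new StringBuilder();
        using (var w = XmlWriter.Create(sb, new XmlWriterSettings { OmitXmlDeclaration = true }))
        {
            w.WriteStartElement("samlp", "AuthnRequest", "urn:oasis:names:tc:SAML:2.0:protocol");
            w.WriteAttributeString("ID", requestId);
            w.WriteAttributeString("Version", "2.0");
            w.WriteAttributeString("IssueInstant",
                XmlConvert.ToString(issueInstantUtc, XmlDateTimeSerializationMode.Utc));
            w.WriteAttributeString("Destination", idpSsoUrl);
            w.WriteAttributeString("AssertionConsumerServiceURL", acsUrl);
            w.WriteAttributeString("ProtocolBinding", "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST");
            w.WriteElementString("saml", "Issuer", "urn:oasis:names:tc:SAML:2.0:assertion", spEntityId);
            w.WriteEndElement();
        }
        return sb.ToString();
    }

    // HTTP-Redirect binding: raw DEFLATE (no zlib header), base64, then URL-encode.
    // RelayState comes back from the IdP verbatim, so keep it opaque and short (the
    // binding spec caps it at 80 bytes) and never base a trust decision on it.
    // Request signing (SigAlg= and Signature= over the query string) is left out.
    public static string ToRedirectUrl(string idpSsoUrl, string authnRequestXml, string relayState)
    {
        byte[] utf8 = Encoding.UTF8.GetBytes(authnRequestXml);
        using var buffer = new MemoryStream();
        using (var deflate = new DeflateStream(buffer, CompressionLevel.Optimal, leaveOpen: true))
            deflate.Write(utf8, 0, utf8.Length);
        string samlRequest = Convert.ToBase64String(buffer.ToArray());

        string url = idpSsoUrl + (idpSsoUrl.Contains('?') ? "&" : "?")
                   + "SAMLRequest=" + WebUtility.UrlEncode(samlRequest);
        if (!string.IsNullOrEmpty(relayState))
            url += "&RelayState=" + WebUtility.UrlEncode(relayState);
        return url;
    }

    public static void Main()
    {
        string xml = Build("https://sp.example.com", "https://sp.example.com/AuthServices/Acs",
                           "https://idp.example.com/sso", DateTime.UtcNow, out string id);
        Console.WriteLine(xml);
        Console.WriteLine(ToRedirectUrl("https://idp.example.com/sso", xml, "/return/here"));
        Console.WriteLine("outstanding: " + OutstandingRequestIds.Contains(id));
    }
}
```

The request carries no secret, so the security-relevant part is on the SP side: the ID that was issued is stored before the redirect, and it is the only thing that later lets the SP tell a response it asked for from one that was simply posted at it.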

Please check the Kentor.AuthServices tag for the latest posts and news. The information in this post is quite old and mostly outdated.

At Kentor we have seen an increase in the demand for using SAML2 authentication from our customers. When doing a recent project we didn’t find any suitable component, so we had to roll our own. Knowing that we would need to do this more times for other applications we decided to write a more general, standalone component that we can reuse in other projects. We are now also releasing it as open source for anyone to use for free.

The Kentor.AuthServices Library

The library is hosted on GitHub and is released under the LGPL. We chose that license because, while it should be possible to use the library in closed source and commercial solutions, we want the library itself and any improvements to it to remain open source.

The core part of the library is the Saml2AuthenticationModule IIS module that handles the authentication. In the simplest case it is enough to add the IIS module to the configuration to get federated authentication, without writing a single line of code. There is a sample ASP.NET MVC application available that uses the library and shows how to call it.

The library is available on NuGet and can be installed with the following command.

PM> Install-Package Kentor.AuthServices

Please Review the Code!

Since this is a security-sensitive library, I would be extremely grateful for any code review, especially security reviews that check that incoming tokens are validated correctly: that the signature is verified against the IdP’s configured certificate, and that the audience, validity period and InResponseTo of each response are checked. It is so easy to make a mistake, and even a tiny one could compromise a site that uses the library.
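To make "checking that the validation of incoming tokens is done correctly" concrete, here is an added example (editor's code, not the library's own) of the checks a reviewer should expect to find where an SP consumes a samlp:Response at its ACS endpoint: a signature verified with the configured IdP key and covering the Response element itself, Success status, Destination, a one-time InResponseTo lookup (the check behind the "Replayed or unknown InResponseTo" error that comes up in the comments), and the assertion's validity window and audience. The names and URLs are made up; it assumes .NET 6 or later with the System.Security.Cryptography.Xml package, and the fixture signs with a throwaway key that stands in for the IdP.

```csharp
// Added example, not code from Kentor.AuthServices: the checks a reviewer should
// look for wherever an SP consumes a samlp:Response, plus a constructed fixture
// signed with a throwaway key so the checks can be exercised offline. Names and
// URLs are hypothetical; assumes .NET 6+ and System.Security.Cryptography.Xml.
using System;
using System.Collections.Generic;
using System.Security.Cryptography;
using System.Security.Cryptography.Xml;
using System.Xml;

public static class SamlResponseChecks
{
    const string SamlP = "urn:oasis:names:tc:SAML:2.0:protocol";
    const string Saml = "urn:oasis:names:tc:SAML:2.0:assertion";
    const string Success = "urn:oasis:names:tc:SAML:2.0:status:Success";

    // Returns the failed checks; an empty list means the response can be trusted.
    // outstandingRequestIds holds the AuthnRequest IDs this SP has issued; the
    // matching ID is consumed here, so presenting the same Response twice fails.
    public static List<string> Validate(XmlDocument doc, RSA idpKey, string expectedDestination,
        string spEntityId, ISet<string> outstandingRequestIds, DateTime nowUtc, TimeSpan allowedSkew)
    {
        var failures = new List<string>();
        var ns = new XmlNamespaceManager(doc.NameTable);
        ns.AddNamespace("samlp", SamlP);
        ns.AddNamespace("saml", Saml);
        ns.AddNamespace("ds", SignedXml.XmlDsigNamespaceUrl);
        XmlElement response = doc.DocumentElement;
        if (response == null || response.LocalName != "Response" || response.NamespaceURI != SamlP)
        {
            failures.Add("root element is not samlp:Response");
            return failures;
        }

        // 1. Signature: present, verified with the configured IdP key (never with a
        //    key taken from the message's own KeyInfo), and its single Reference
        //    must point at the element we are about to trust; otherwise a signed
        //    element can be wrapped around attacker-controlled content.
        if (response.SelectSingleNode("ds:Signature", ns) is not XmlElement sig)
            failures.Add("response is not signed");
        else
        {
            var signedXml = new SignedXml(doc);
            signedXml.LoadXml(sig);
            var refs = signedXml.SignedInfo.References;
            if (refs.Count != 1 || ((Reference)refs[0]).Uri != "#" + response.GetAttribute("ID"))
                failures.Add("signature does not cover the Response element");
            else if (!signedXml.CheckSignature(idpKey))
                failures.Add("signature verification failed");
        }

        // 2. Status, Destination and InResponseTo (replay) on the Response itself.
        var status = response.SelectSingleNode("samlp:Status/samlp:StatusCode/@Value", ns);
        if (status == null || status.Value != Success) failures.Add("status is not Success");
        if (response.GetAttribute("Destination") != expectedDestination) failures.Add("Destination mismatch");
        string inResponseTo = response.GetAttribute("InResponseTo");
        if (inResponseTo.Length == 0 || !outstandingRequestIds.Remove(inResponseTo))
            failures.Add("replayed or unknown InResponseTo");

        // 3. Assertion conditions: validity window (with clock skew) and audience.
        if (response.SelectSingleNode("saml:Assertion/saml:Conditions", ns) is not XmlElement cond)
        {
            failures.Add("no assertion with Conditions");
            return failures;
        }
        DateTime T(string attr) => XmlConvert.ToDateTime(cond.GetAttribute(attr), XmlDateTimeSerializationMode.Utc);
        if (cond.HasAttribute("NotBefore") && nowUtc + allowedSkew < T("NotBefore")) failures.Add("assertion not yet valid");
        if (cond.HasAttribute("NotOnOrAfter") && nowUtc - allowedSkew >= T("NotOnOrAfter")) failures.Add("assertion expired");
        var audience = cond.SelectSingleNode("saml:AudienceRestriction/saml:Audience", ns);
        if (audience == null || audience.InnerText != spEntityId) failures.Add("audience mismatch");
        return failures;
    }

    // Constructed fixture: a Response signed with a throwaway key standing in for the IdP.
    public static XmlDocument BuildSignedResponse(RSA idpKey, string inResponseTo, string destination,
                                                  string audience, DateTime nowUtc)
    {
        string id = "_" + Guid.NewGuid().ToString("N");
        string Ts(DateTime t) => XmlConvert.ToString(t, XmlDateTimeSerializationMode.Utc);
        // XmlResolver = null: no external entities are fetched, even if a DTD is present.
        var doc = new XmlDocument { PreserveWhitespace = true, XmlResolver = null };
        doc.LoadXml(
            $"<samlp:Response xmlns:samlp=\"{SamlP}\" xmlns:saml=\"{Saml}\" ID=\"{id}\" Version=\"2.0\"" +
            $" IssueInstant=\"{Ts(nowUtc)}\" Destination=\"{destination}\" InResponseTo=\"{inResponseTo}\">" +
            "<saml:Issuer>https://idp.example.com</saml:Issuer>" +
            $"<samlp:Status><samlp:StatusCode Value=\"{Success}\"/></samlp:Status>" +
            $"<saml:Assertion ID=\"_{Guid.NewGuid().ToString("N")}\" Version=\"2.0\" IssueInstant=\"{Ts(nowUtc)}\">" +
            "<saml:Issuer>https://idp.example.com</saml:Issuer>" +
            $"<saml:Conditions NotBefore=\"{Ts(nowUtc.AddMinutes(-1))}\" NotOnOrAfter=\"{Ts(nowUtc.AddMinutes(5))}\">" +
            $"<saml:AudienceRestriction><saml:Audience>{audience}</saml:Audience></saml:AudienceRestriction>" +
            "</saml:Conditions></saml:Assertion></samlp:Response>");
        var signedXml = new SignedXml(doc) { SigningKey = idpKey };
        var reference = new Reference("#" + id);
        reference.AddTransform(new XmlDsigEnvelopedSignatureTransform());
        reference.AddTransform(new XmlDsigExcC14NTransform());
        signedXml.AddReference(reference);
        signedXml.ComputeSignature();
        // SAML places the enveloped ds:Signature directly after Issuer.
        doc.DocumentElement.InsertAfter(doc.ImportNode(signedXml.GetXml(), true), doc.DocumentElement.FirstChild);
        return doc;
    }

    public static void Main()
    {
        const string acs = "https://sp.example.com/AuthServices/Acs", sp = "https://sp.example.com";
        using RSA idpKey = RSA.Create(2048);
        var outstanding = new HashSet<string> { "_req1" };
        DateTime now = DateTime.UtcNow;
        XmlDocument doc = BuildSignedResponse(idpKey, "_req1", acs, sp, now);
        Console.WriteLine("first:  " + string.Join("; ", Validate(doc, idpKey, acs, sp, outstanding, now, TimeSpan.FromMinutes(1))));
        Console.WriteLine("replay: " + string.Join("; ", Validate(doc, idpKey, acs, sp, outstanding, now, TimeSpan.FromMinutes(1))));
    }
}
```

Run as a console app, the first validation of the fixture reports no failures and the second, on the same document, reports only the consumed InResponseTo. Two checks a complete implementation must add are left out to keep the block short: the Issuer must equal the expected IdP entity ID, and SubjectConfirmationData (Recipient, NotOnOrAfter, InResponseTo) must be checked as well as Conditions. Encrypted assertions are out of scope here, as they are for the library described in this post.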

Contributing

I’m of course happy if anyone would like to contribute to make the library more complete. I’ve added a bunch of issues with things I would like to add if I have time.

Let me Know!

Finally I would be very interested in any feedback if you have tried the library. Did it work? If not, what didn’t? Do you have any suggestions for more features? Do you know of any other similar component that would be better to use than starting from scratch (don’t tell me I’ve wasted my time writing a component just because I’m bad at googling)?

Please leave a comment below or drop me a mail and let me know about your experiences.

  • Saj on 2014-03-04

    Hi Abel,
    Is it possible to configure the library for a given SP application with multiple identity providers?

    Appreciate your response.

    • Anders Abel on 2014-03-04

      AuthServices supports multiple identity providers and federations, see the config documentation for details about how to use it.

      Currently (v0.3.0), it isn’t possible. It is however something I have planned for, so the configuration model and other code is written with multiple Idps in mind.

      It shouldn’t be too hard to add that functionality. Pull Requests are always welcome – sponsored development (you pay me to do it) is also possible. Please get back by mail if that’s interesting.

    • SamlMik on 2014-12-08

      Can these modules also be used to authenticate against e.g. Google from within a .Net application (not ASP)?

      • Anders Abel on 2014-12-08

        Probably not, as the focus has been the SAML2P Web SSO profile. When you say Google I assume that you mean OAuth2 or OpenID Connect, which are completely separate protocols. In that case you should look for OpenID Connect or OAuth2 modules. If you indeed want to use SAML2 with a non-web .NET application it could be possible to extend AuthServices for that, but it’s nothing I’ve looked into.

  • Saj on 2014-03-05

    Thanks Abel.
    Adding a name attribute to the Identityprovider config and the ability to request the configuration by name (with default) is what I thought it required.

    public Saml2AuthenticationRequest CreateAuthenticateRequest(string idpName)

    I am just getting started and I will certainly keep these options in mind.

    • Anders Abel on 2014-03-05

      That looks great. Please open an issue on github if you want to discuss the solution further. Also note that the entire library (except the config classes) so far has been developed test driven, so please add appropriate new tests and make sure old tests work when you add new functionality.

  • Ryan on 2014-03-20

    In your example MVC project you use the [Authorize] attribute. Is it possible to use this with roles as well?

    • Anders Abel on 2014-03-22

      Yes, it’s possible to do that. If the incoming assertion contains roles (or if you use a ClaimsAuthenticationManager to assign roles) you can use [Authorize(Roles = "admin")].

  • Chris on 2014-04-12

    I’ve started learning SAML 2.0 in conjunction with your component and it works great so far. Thanks! I see that you allow the IdP signing certificate to be specified. But what about IdP encryption certificates? I’m a total newbie here but it looks as though signing and encryption certificates can be different, looking at the IdP metadata file. Have I completely misunderstood, or are you limited to those IdPs that share the same certificate for signing and encryption? Thanks!

    • Anders Abel on 2014-04-13

      Thanks for your feedback :-)

      Unfortunately there is no support for encrypted assertions in Kentor.AuthServices so far, so the configuration is not in any way prepared for that. It might be added later, but it’s not anything I will have time to do for the near future.

  • Chris on 2014-04-25

    Thanks Abel. Pity! I will now try http://saml2.codeplex.com but your implementation has still been very useful to me as it allowed me to get up and running with a very complex subject. Thanks again. And hopefully Microsoft will come to their senses in the near future, and make the SAML 2.0 protocol a first class citizen in .NET, just like WS-Federation.

  • Fred Smithfield on 2014-06-16

    Hi Anders

    Your code looks very interesting.

    I’m thinking of integrating it into a cloud-based website which I want to link with Microsoft’s ADFS 2 IdP. Do you think this is possible? Do you know if anyone has successfully done this?

    Best Wishes

    Fred

    • Anders Abel on 2014-06-17

      It should be possible to use with the ADFS, but I haven’t done it myself and I don’t know if anyone else has done it either.

      If you try it, please let me know if it works.

  • Yohann TANGUY on 2015-03-17

    Problem with Novell IDP in SamlResponse

    Error in Framework:
    System.Xml.XmlException: ID0013: The value must be an absolute URI.
    at Microsoft.IdentityModel.Tokens.Saml2.Saml2SecurityTokenHandler.ReadSimpleUriElement(XmlReader reader, UriKind kind, Boolean allowLaxReading)
    at Microsoft.IdentityModel.Tokens.Saml2.Saml2SecurityTokenHandler.ReadAuthenticationContext(XmlReader reader)
    at Microsoft.IdentityModel.Tokens.Saml2.Saml2SecurityTokenHandler.ReadAuthenticationStatement(XmlReader reader)

    Some links:
    https://www.novell.com/support/kb/doc.php?id=7015106
    https://www.novell.com/support/kb/doc.php?id=7008865

    Have you got any solution ?

    Thanks

    • Anders Abel on 2015-03-18

      Looks like you’ve got an entity id that is not an absolute URI, which is required by the SAML2 Core specification 1.3.2. Many SAML2 implementations are a bit relaxed with this and allow entity ids that are not an absolute URI. The Microsoft library we use is however more strict and rejects any entity id that is not an absolute URI.

      By the way, is this really an output from AuthServices? In that case the stack trace should be System.IdentityModel and not Microsoft.IdentityModel.

      • Yohann TANGUY on 2015-03-19

        Thanks a lot for your response.

        Yes, the stack trace mentioned “System.IdentityModel” (I copied the stack from another post) but the issue is the same.

        Can i bypass this control, (modify AuthServices Sources ?)
        Do you know of other .NET Service Providers working with Novell?

        Thanks in advance.

      • Anders Abel on 2015-03-23

        This is nothing that is suitable to fix by changing AuthServices (if it’s even feasible, the error check is deep within the .NET framework code).

        You should fix this by changing the configuration of your Novell IdP to use a correct value. E.g. an entity id of “idp.example.com” is not allowed. It should be “http://idp.example.com” or “urn:myidp”. Anything that is an absolute URI will do.

  • Andrew on 2015-06-11

    Very excited to give this a try. I have never attempted SAML and would like to know how best to get started. We are authoring a service which a 3rd party will call over the internet for us to authorize access to their site from public internet browsers. If the client is valid (in our AD) we will send a valid “token”, otherwise the request will be denied. Will this approach fit into this library? Anticipating your response.

    • Anders Abel on 2015-06-12

      From what you describe SAML2 and AuthServices might be a good fit, but I can’t tell from that limited information if it will work in your case.

      I’d suggest that you find a good resource on SAML2 in general such as the oasis executive summary.

      Kentor.AuthServices is mainly a Service Provider implementation, so if that’s what you need AuthServices will be a good fit. If you need an Identity Provider for users in your Active Directory, ADFS is usually the way to go.

  • Yaroslav on 2015-06-22

    Hello,

    I’m trying to understand how your library works. I have MVC application and your MVC example. How could I connect them if I have custom authentication? Where and how should I handle successful authentication response with all attributes I have requested?

    Thanks

  • Yaroslav on 2015-06-23

    I also have another question. The system I’m trying to make it work with uses this way to initiate SSO:
    ?idpmetadata={entityId} instead of idp, which is hardcoded in your library.

    • Anders Abel on 2015-06-30

      As you’ve seen yourself, the idp query string name is hard coded. You can either work around it by providing another wrapper page that does a redirect to the AuthServices SignIn url, or you can provide a pull request which makes the parameter configurable.

  • Kristian Rogers on 2015-06-24

    Hi Abel,
    Nice library providing SAMLP for SP in .NET.

    I have AuthServices working with ADFS 3.0 and SAMLP using HttpPost binding.

    In testing I noticed that when selecting the browser back button after authentication (and redirect), AuthServices results in a Saml2ResponseFailedValidationException “Replayed or unknown InResponseTo …”. Any thoughts on this?

    Also, haven’t been able to figure out the best practice for SignOut with ADFS.

    • Anders Abel on 2015-06-30

      The back button is a problem we’ve noticed as well. It’s hard to do anything about it on the SP side. Messing with the back button is never a good idea and the back button will take the user back to the Idp – or rather – a cached copy of the Idp page.

      SignOut is in the works, see the github issue #247.

  • Andres Lindo on 2015-11-04

    Hello, any simple sample to use the library in ASP .NET Web Forms (not MVC). Thanks.

    Also I’m getting an error after installing Nuget package:

    Could not load type ‘Kentor.AuthServices.Saml2AuthenticationModule’ from assembly ‘Kentor.AuthServices’.

    • Anders Abel on 2015-11-15

      The Saml2AuthenticationModule has been moved to a separate nuget package, Kentor.AuthServices.HttpModule.

      For a web forms application, you can use the same setup as in the SampleApplication in the github repository. Even though that application is an MVC app, it uses a setup that works on web forms as well.

      • Gaurang Patel on 2016-05-04

        Hi Anders Abel,

        Thanks for such amazing SSO integration tool.

        I have same issue with web forms I am not able to solve the issue of “Could not load type ‘Kentor.AuthServices.Saml2AuthenticationModule’ from assembly ‘Kentor.AuthServices’.”.

        I also installed Kentor.AuthServices.HttpModule. But still the same error.

        Please advise me or if you have any code for webforms

        Thanks
        Gaurang

      • Anders Abel on 2016-05-04

        You need to reference the `Kentor.AuthServices.HttpModule` assembly:

        <add name="Saml2AuthenticationModule" type="Kentor.AuthServices.HttpModule.Saml2AuthenticationModule, Kentor.AuthServices.HttpModule" />

      • Gaurang on 2016-05-05

        Hi Anders

        It is working very well. But i have one question.

        HttpContext.Current.User.Identity.IsAuthenticated returns TRUE, but HttpContext.Current.User.Identity.Name returns empty.

        Is there any way we can fix this issue?

        As I am using both Azure SSO and now SAML.

        Thanks,
        Gaurang

      • Anders Abel on 2016-05-09

        The `Name` property is just a shorthand to retrieve the claim with the type identified by the `NameClaimType` property. By default it is set to `ClaimTypes.Name`, but in Saml2 work it might be reasonable to set it to `ClaimTypes.NameIdentifier` or some other claim that is present in the identity.
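The behaviour described in this reply, and the role question from earlier in the thread, as an added example (editor's code, not the library's): the same SAML-derived claims produce an empty Identity.Name with a default ClaimsIdentity, and a working Identity.Name plus IsInRole / [Authorize(Roles = "...")] once the identity is built with explicit name and role claim types. The group claim type, group names and role names are invented; it uses only System.Security.Claims.

```csharp
// Added example, not code from Kentor.AuthServices: why Identity.Name can be
// empty after a SAML2 logon although IsAuthenticated is true, and how choosing
// the name and role claim types when the ClaimsIdentity is built makes both
// Identity.Name and [Authorize(Roles = "...")] work. The group claim type URI,
// group names and role names are hypothetical.
using System;
using System.Collections.Generic;
using System.Linq;
using System.Security.Claims;

public static class SamlClaimsMapping
{
    // Hypothetical attribute name an IdP might use for group membership.
    const string GroupClaimType = "http://schemas.example.com/claims/groups";

    // Constructed sample of what a SAML2 token handler typically yields: the
    // subject's NameID plus a multi-valued group attribute, but no ClaimTypes.Name.
    public static List<Claim> SampleIncomingClaims() => new List<Claim>
    {
        new Claim(ClaimTypes.NameIdentifier, "jdoe@example.com"),
        new Claim(GroupClaimType, "sp-admins"),
        new Claim(GroupClaimType, "sp-users"),
    };

    // Default construction: NameClaimType is ClaimTypes.Name, which the assertion
    // never set, so Identity.Name comes back null while IsAuthenticated is true.
    public static ClaimsPrincipal DefaultIdentity(IEnumerable<Claim> incoming) =>
        new ClaimsPrincipal(new ClaimsIdentity(incoming, "Federation"));

    // Same claims, but the identity is told which claim types carry the name and
    // the roles, and known group values are mapped to application roles. On .NET
    // Framework this is the kind of work a ClaimsAuthenticationManager.Authenticate
    // override does before the principal is handed to the application.
    public static ClaimsPrincipal MappedIdentity(IEnumerable<Claim> incoming)
    {
        var roleMap = new Dictionary<string, string> { ["sp-admins"] = "admin", ["sp-users"] = "user" };
        var claims = incoming.ToList();
        foreach (var group in claims.Where(c => c.Type == GroupClaimType).ToList())
            if (roleMap.TryGetValue(group.Value, out var role))
                claims.Add(new Claim(ClaimTypes.Role, role));
        // Unmapped groups are deliberately not turned into roles: only roles the
        // application knows about should ever grant access.
        var identity = new ClaimsIdentity(claims, "Federation",
            nameType: ClaimTypes.NameIdentifier, roleType: ClaimTypes.Role);
        return new ClaimsPrincipal(identity);
    }

    public static void Main()
    {
        var plain = DefaultIdentity(SampleIncomingClaims());
        var mapped = MappedIdentity(SampleIncomingClaims());
        Console.WriteLine($"default: IsAuthenticated={plain.Identity.IsAuthenticated}, Name='{plain.Identity.Name}'");
        Console.WriteLine($"mapped:  Name='{mapped.Identity.Name}', IsInRole(admin)={mapped.IsInRole("admin")}");
    }
}
```

Run as a console app, the first line shows IsAuthenticated true with an empty Name, the second the NameID as Name and IsInRole(admin) true. The mapping dictionary is the security boundary here: a role only exists in the application if the application chose to recognise the group the IdP sent.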

  • Ron J on 2016-01-06

    Hi Anders, I found this site by search for “webforms saml2” and your software looks promising. However, for a webforms application, how are the URL mappings made? I can’t seem to figure out how to set the service/consumer endpoints for the service provider. Any tips on how this works?

    Also, in IIS Manager, should I see Kentor show up in “modules”?

    • Anders Abel on 2016-01-10

      What do you mean by URL mappings? How the ACS url of the application is set up? It defaults to ~/AuthServices/ACS. You can change the AuthServices part through the modulePath configuration property/attribute.

      I don’t know if the module should show up in IIS Manager; I never use it myself to handle modules. If you want to check if AuthServices was successfully loaded you can browse to ~/AuthServices which should download an xml document with metadata. It will download and not display in the browser because of the content type (which is set according to the SAML metadata standard).

  • Steve on 2016-02-11

    I downloaded the project and tried to build it in VS 2013 and just got a raft of errors. What is the required tool stack?

    • Anders Abel on 2016-02-12

      The code uses C#6 features so you need Visual Studio 2015. If you haven’t upgraded yet, you can use the free VS2015 Community edition for this project as it is open source.

  • ratt on 2016-03-11

    Hello
    I need to use IIS as SP and get the SAML response from an IdP created with WebLogic credential mapper.
    Could you please assist me in getting the authentication details from the IdP without redirecting to the IdP url?

    • Anders Abel on 2016-03-16

      The SAML2 Web SSO Profile requires a redirect to be done. It is how SAML2 is constructed, so there is no way to work around the redirect.

  • Gireesh K on 2016-06-16

    Can these modules also be used to authenticate against e.g. Office 365,shibboleth from within a .Net application

    • Anders Abel on 2016-06-16

      Yes, they can be used with Shibboleth. When you say Office365 I suppose you really mean Azure AD as that’s what Office365 uses for authentication. For Azure AD I’d recommend that you primarily look into one of the supported solutions from Microsoft instead of using SAML2P. If you want one solution that can hook up to many different external login providers SAML2P might be the way to go even for Azure AD.

  • Leo Tohill on 2017-04-10

    Is this still the place for suggestions, questions, and comments? or is it better to go to GitHub/issues?
    Thanks,

    leo

    • Anders Abel on 2017-04-24

      GitHub/issues is a better place for questions. This (now quite outdated) blog post has somehow turned into a general Q&A board.

  • Charles Barnett on 2017-08-01

    I have been trying for about a month to implement SAML 2.0 into an existing ASP.NET MVC application. I am new to the whole concept of SAML and WIF. I have an ADFS server already (recently started new in this position). I am simply trying to get started and implement the MVC controller into the application. Do you have a read me file? I haven’t been able to understand where to start or how to put the pieces together to get the functionality. Previously, all of the sample implementations that I had attempted to write dealt heavily with the web.config file. Where are the changes that need to be made to the web.config file? Is there a readme file that will explain how to implement these services?

    • Charles Barnett on 2017-08-02

      Nevermind…..I found the readme file while digging around on GitHub. Thanks!

I'm Anders Abel, an independent systems architect and developer in Stockholm, Sweden.
