Kentor.AuthServices vs. Shibboleth for SAML2 on ASP.NET

When creating Kentor.AuthServices, the goal was to create a solution that integrates as seamlessly as possible with the security model of ASP.NET. This is a comparison of Kentor.AuthServices and Shibboleth, the existing open source solution that seems to be the most used.

When I decided to write my own service provider for .NET, I had done some research on ASP.NET and SAML2 and mostly found references to commercial packages, or to alternatives such as setting up an ADFS server to bridge between SAML2 and WsFederation, which is supported natively by .NET. To be honest, I hadn’t found Shibboleth but was made aware of it about a month later. My first reaction was “oh no, have I wasted my time writing something that already exists”, but when looking deeper, I don’t think I did waste any time, but rather have come up with something that is better from a .NET perspective.


Before diving into the details I must point out that the findings I present on Shibboleth are solely based on the documentation. I haven’t actually set up Shibboleth and run it myself. If I’ve got anything wrong, please leave a comment correcting me.

Architecture and Installation

Kentor.AuthServices is built on top of the System.IdentityModel functionality in .NET 4.5. It is installed through a NuGet package (or a separate package for MVC) and distributed together with the web application. All configuration is done in the web.config. No separate installation or configuration is required.

Shibboleth is available both as a Java and a C++ implementation. For Internet Information Server, there is an install package that will install everything needed. Shibboleth was not written for IIS 7 (which was a complete rewrite for Windows Vista and Server 2008), so it requires some IIS 6 compatibility package for the installation package to work. Then the installer can be run.

The installer will prompt for an install path, change default configuration files as appropriate for Windows, and set various environment variables for you. The shibd service will also be installed for you.

So Shibboleth installs a separate Windows service and sets up global configuration changes through environment variables. When reading through the Shibboleth documentation I think that its Unix roots are obvious; even though ported to Windows it still uses a Unix style of configuration, installation and path names.

Configuration

Kentor.AuthServices is configured entirely in web.config. Shibboleth is configured in a separate shibboleth2.xml file (which to me looks to be machine-global).

Authorization

SAML2 is all about authentication: establishing the identity of the user. Authorization (controlling what resources the user has access to) is not covered by the SAML2 standard. Kentor.AuthServices is not involved in authorization at all; it establishes a .NET identity and uses the built-in SessionAuthenticationModule to persist the identity for subsequent requests. All the authorization is done using normal .NET methods such as the [AuthorizeAttribute] of ASP.NET MVC.

Shibboleth by default protects any path starting with /secure but can be configured for other paths as well. There are mechanisms that could pass the data received from the IdP on to a .NET application through HTTP headers, but they do not plug directly into the .NET security model.
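
What this difference means in application code, as an added example (not code from Kentor.AuthServices, Shibboleth or the original post): the controller relies only on the standard .NET principal, while the hypothetical `HeaderIdentityModule` is the kind of glue an application would need to turn header-passed attributes into that principal. The header names, the `;` separator and the `ReportsController` name are assumptions, and the module is only sound when the component in front of the application strips client-supplied copies of those headers.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Claims;
using System.Threading;
using System.Web;
using System.Web.Mvc;

// Identity already lives in the .NET security model: [Authorize] just works.
[Authorize]
public class ReportsController : Controller
{
    public ActionResult Index()
    {
        // Assumption: the authenticated principal carries a NameIdentifier claim.
        var nameId = ((ClaimsPrincipal)User).FindFirst(ClaimTypes.NameIdentifier);
        return Content("Signed in as " + (nameId != null ? nameId.Value : "(no NameID)"));
    }
}

// Header-passed attributes: the application must build the principal itself.
public class HeaderIdentityModule : IHttpModule
{
    // Assumed header names; real ones depend on the SP's attribute mapping.
    const string UserHeader = "X-Example-User";
    const string RolesHeader = "X-Example-Roles";

    public void Init(HttpApplication app)
    {
        app.AuthenticateRequest += (sender, e) =>
        {
            var ctx = ((HttpApplication)sender).Context;
            var userId = ctx.Request.Headers[UserHeader];
            if (string.IsNullOrEmpty(userId)) return; // no header: stay anonymous

            var claims = new List<Claim> { new Claim(ClaimTypes.NameIdentifier, userId) };
            foreach (var role in (ctx.Request.Headers[RolesHeader] ?? "")
                     .Split(new[] { ';' }, StringSplitOptions.RemoveEmptyEntries))
                claims.Add(new Claim(ClaimTypes.Role, role.Trim()));

            // A non-empty authentication type is what makes IsAuthenticated true.
            var principal = new ClaimsPrincipal(new ClaimsIdentity(claims, "HeaderBridge"));
            ctx.User = principal;
            Thread.CurrentPrincipal = principal;
        };
    }

    public void Dispose() { }
}
```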

Security Features

Finally I have to do a comparison of the security features of Kentor.AuthServices and Shibboleth. It’s not much of a comparison to be honest. Shibboleth is a complete SAML2 implementation which Kentor.AuthServices isn’t (yet).

Conclusion

If the features of Kentor.AuthServices cover what you need, then go for it. It will be easier to install and configure and it is a first-class citizen of the .NET environment. If you need a full-blown implementation of the SAML2 specification, Shibboleth is the open source alternative to look at, but I would also look at commercial components to see if they provide a better experience from a .NET point of view.
