Kentor.AuthServices 0.8.0 SAML2 for ASP.NET Released

We continue to improve the Kentor.AuthServices SAML2 Service Provider for ASP.NET with the release of version 0.8.0. With this release the entire configuration system has been rebuilt to enable configuration from sources other than the config file. This is good news for anyone thinking of integrating Kentor AuthServices in an application where configuration is offered through a user interface. There is also further support for federations: administrative metadata is now exported, and attribute consuming services and the Idp discovery extensions to metadata are supported.

The core AuthServices, MVC and Owin packages are all available for download on Nuget. The source and issue list are on GitHub.

  • Automatic generation of service provider URLs, removing configuration.
  • Configuration can now be supplied from code and not only in config file.
  • Administrative metadata (organization and contactPerson) support.
  • Serialization of SAML Attributes.
  • Support for Bootstrapcontext, saving incoming assertion in the resulting identity.
  • Fixed new principal returned by ClaimsAuthenticationManager being ignored.
  • Attribute consuming service support in metadata and AuthnRequest.
  • Discovery service response location included in metadata if use of discovery service is enabled.
  • Fixed null reference exception on HTTP POST with owin middleware.

Beware of Uri.ToString()

When working with URLs, it’s sometimes better to use the Uri class than to keep the URL in a plain string. The Uri class validates that the format is a valid URI and helps split out the parts of the URI in a safe manner. But there is a big gotcha: Uri.ToString() returns an unescaped representation of the URI.

The contents of this post might sound simple, but they were behind a nasty heisenbug. Every single insight in this post is something that I learned in a very painful way. I hope that reading this post will convey the same insights in a less painful way.

TL;DR; in two lines of code

The entire problem can be expressed in two lines of code.

var uri = new Uri("http://localhost?p1=Value&p2=A%20B%26p3%3DFooled!");
Console.WriteLine("uri.ToString(): " + uri.ToString());

It looks simple and it should be simple, but it isn’t. When running these two lines on the .NET Framework 4, the following output is produced:

http://localhost/?p1=Value&p2=A B&p3=Fooled!

The query string has been decoded in such a way that it looks like there is an extra parameter, p3!

When targeting .NET 4.5, however, only the space is unescaped. This can be explained as a result of the breaking changes to System.Uri in .NET 4.5. But that is not the whole story. It gets more complicated (and bug prone) because .NET 4.5 is an in-place upgrade to .NET 4.0.
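As an added example (not code from the original post), the program below contrasts the safe way of reading query parameters, parsing the still-escaped Uri.Query with the System.Web helper HttpUtility.ParseQueryString, with re-parsing the output of Uri.ToString(), which is where the extra p3 parameter described above comes from. The comments on the round-trip state the results the post reports for .NET 4.0 and 4.5, not values verified here.

```csharp
using System;
using System.Collections.Specialized;
using System.Web; // System.Web.dll on .NET Framework; the System.Web.HttpUtility package on .NET Core/5+

static class UriEscapingDemo
{
    // Reads the parameters the URL really carries: Uri.Query keeps the
    // percent-encoding, so an escaped '&' or '=' cannot split a value.
    public static NameValueCollection ParseQuery(Uri uri)
    {
        return HttpUtility.ParseQueryString(uri.Query);
    }

    static void Main()
    {
        var uri = new Uri("http://localhost?p1=Value&p2=A%20B%26p3%3DFooled!");

        // AbsoluteUri and OriginalString keep the escaping; ToString() does not.
        // Use AbsoluteUri whenever the URL is handed on as text (logging, headers, redirects).
        Console.WriteLine("AbsoluteUri:    " + uri.AbsoluteUri);
        Console.WriteLine("OriginalString: " + uri.OriginalString);
        Console.WriteLine("ToString():     " + uri.ToString());

        var parsed = ParseQuery(uri);
        Console.WriteLine("Parameters in the real URL: " + parsed.Count); // 2
        Console.WriteLine("p2 = " + parsed["p2"]);                        // A B&p3=Fooled!

        // The bug: rebuilding a Uri from ToString() re-interprets the unescaped text.
        var roundTripped = new Uri(uri.ToString());
        var reparsed = ParseQuery(roundTripped);
        Console.WriteLine("Parameters after ToString() round-trip: " + reparsed.Count);
        // 3 on .NET 4.0 (p3 appears), 2 on .NET 4.5 where only the space was unescaped.
    }
}
```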

Kentor.AuthServices 0.7.2 SAML2 for ASP.NET Released

Last week we released version 0.7.2 of the Kentor.AuthServices SAML2 Service Provider for ASP.NET. With this release and the 0.6.0 release the week before (which I never blogged about) we’ve introduced some new features to better support SAML2 in federation setups. The first is that we can now load and parse federation metadata. No more manual configuration of peer identity providers. The second is that we now support using a discovery service to let the user select an identity provider to authenticate with.

The core AuthServices, MVC and Owin packages are all available for download on Nuget. The source and issue list are on GitHub.

  • Idp metadata support.
  • Federation metadata support.
  • Discovery service support.
  • Http Redirect binding preferred.
  • Bug fixes.

Kentor.AuthServices SAML2 Owin Middleware Released

I just pushed the first version of our Owin SAML2 middleware to nuget and GitHub as part of Kentor.AuthServices 0.5.2. Kentor.AuthServices is a SAML2 Service Provider implementation for ASP.NET, offering an HTTP Module, drop-in MVC controllers and (now) an Owin middleware. The intention with the library is to approach SAML2 from a .NET perspective, making a component that fits seamlessly into the existing .NET security infrastructure.

Kentor.AuthServices is now made up of four main packages.

  • The core Kentor.AuthServices library, which contains all the SAML2 functionality and the classic HTTP module. The library exposes a public API for working with SAML2 authentication requests and responses that can be used to e.g. build an identity provider.
  • The Kentor.AuthServices.Mvc library, a drop-in MVC controller that enables SAML2 authentication in an MVC application without writing a single line of code. Just install the nuget package and add the needed configuration to web.config to get going.
  • The Owin middleware, which offers SAML2 authentication in the same way as the existing providers for external authentication (e.g. Google, Facebook) and integrates with ASP.NET Identity.
  • The Stub Idp for testing, which is available for free and answers any incoming AuthnRequest.

All the source is hosted in a GitHub repo, including sample applications.

What’s new in 0.5.2?

There are three major improvements in 0.5.2 over previous versions.

  • Basic Service Provider metadata with the data that is mandatory according to the SAML2 specification is generated and published.
  • There is now support for one instance of AuthServices to work with multiple identity providers. This is a first step on the road to full federation support.
  • We’ve created a brand new owin middleware that is compatible with ASP.NET Identity and works the same way as existing external authentication providers such as Google and Facebook.

For the full list of implemented features, please see the GitHub Milestone for 0.5.0.

Open Testing SAML Idp Answers to any AuthnRequest

The open SAML2 testing (or stub) Identity Provider (Idp) at has been improved and now answers any incoming AuthnRequest. The response is automatically sent to the Assertion Consumer Service URL contained in the AuthnRequest.

When working with applications using SAML2 authentication, we’ve found that handling authentication for the test and development environments is often troublesome. Existing Identity Providers, even ones set up for test, require registering every Service Provider (i.e. web application) that is allowed to use them. Furthermore, a real identity provider provides real, controlled identities. That’s kind of the point of it, but when developing and testing, I want to be able to use a number of different accounts without having to keep a stack of smart cards issued with test identities on my desk.

When testing it is also a good idea to be able to trigger some errors, to verify the user experience in case the SAML response isn’t valid – what error message is presented to the user in that case? In a real environment there will be an error eventually, confusing users. But it can be hard to trigger an error at will with a real identity provider doing its best to provide correct responses.

That’s why we created the Kentor.AuthServices StubIdp. The stub Idp responds to any incoming AuthnRequest. It provides a simple form where you can see and adjust the response before sending it. If you e.g. want to check error handling, you can reuse the same InResponseTo id and make sure that your service provider recognizes and rejects that.

The stub Idp is part of the Kentor.AuthServices package, which is licensed under the LGPL and hosted on GitHub. You can download and install your own local instance or, even better, help us improve the existing free instance with new features through pull requests.

Software Development is a Job – Coding is a Passion

I'm Anders Abel, an independent systems architect and developer in Stockholm, Sweden.


Code for most posts is available on my GitHub account.
