dipa

Reputation: 263

SSO using SAML2.0 in asp.net

My requirement is to implement SSO using SAML 2.0 in ASP.NET. I do have 2 vendors at my end. I want to pass the user from one site to the other site without logging into the second. I have never used SAML 2.0 before. Can anyone help me out with how I can get it done?

Upvotes: 16

Views: 37591

Answers (6)

tavasul ahmed

Reputation: 1

https://github.com/onelogin/dotnet-saml SAML with ASP.NET. SAML authentication is done with this code. :)

Upvotes: -1

Pratik

Reputation: 11

You can try out miniOrange’s SAML SSO module for your ASP.NET site. It’s actually an HttpModule which can add SSO as a login method for your ASP.NET site, and the main thing here is that it was a quite simple setup. The module itself provides an admin console for the SSO configuration. It helped in protecting my site’s private pages from public access and giving access only to my client’s users stored in his AD. I think this can be the best fit for you. Cheers!!

Upvotes: 0

jazzcat

Reputation: 4451

We wrote a very simple open-source C# component to use with ASP.NET apps: https://github.com/jitbit/AspNetSaml (code samples included)

It is very short and basic, but that was the goal. Instead of adding a huge 3rd-party package, just throw one short C# file into your project and you're SAML-ready. This thing has worked for us for years, even on .NET 3.x

[Disclaimer] I'm one of the contributors.

PS. Forks and contributions are very welcome.

Upvotes: 13

kshbondili

Reputation: 41

I would recommend using ComponentSpace. They provide a library to suit all use cases of a SAML 2.0 token and the SAML 2.0 protocol. WIF currently doesn't provide support for the SAML 2.0 protocol and token format except in a CTP.

Upvotes: 4

woloski

Reputation: 2873

First let's differentiate the protocol from the token format. I assume you are talking about the protocol and not the token format. But just in case, here are the differences:

On the other hand, you have a scenario in which there are multiple identity providers. The book that Wiktor suggested (which I co-authored) explains this scenario in more detail in the Federated Identity with Multiple Partners chapter. I recommend you read it to get the concepts behind identity federation. Let me give you the short version of the article and some implementation details. There are two ways of solving this:

  • Implementing it at the application level. WIF will allow you to trust more than one identity provider token (this is done with X509 certificates). Then you will have to generate sign-in requests for each identity provider depending on a URL (like https://idp1.yourapp.com or https://yourapp.com/idp1) or the user's choice (by having a home page with two links, one for each identity provider). You will also have to normalize the claims coming from those identity providers (maybe one of them will send you a "name" claim and the other a "upn" claim).

    YourApp --> Identity Provider 1
            \-> Identity Provider 2
    
  • Using what is called a "federation provider". This is another server that will issue tokens to your application, and it will have the trust relationships with your identity providers. Instead of having your application trust the two identity providers, you trust only your federation provider, and the fed provider will trust the identity providers. It's a trust chain.

    YourApp --> Federation Provider --> Identity Provider 1
                                    \-> Identity Provider 2
    

This architecture allows you to:

  • grow your identity providers without touching your application
  • if you later have a second application you just copy your implementation of the first one
  • you get single sign on for free
  • you get a claim transformation engine (if you use something like ADFS)
  • if you use something like ADFS you get SAML 2 protocol built in (instead of having to implement it by hand with the extension mentioned below)

Of course the downside is that you now have something else to maintain (the ADFS server).

Upvotes: 29
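The application-level option above leaves the relying party with two jobs: accept tokens only from issuers it actually trusts, and normalize the differing claims ("name" from one IdP, "upn" from the other) into one shape the application code depends on. The following is an added example of doing both in a WIF ClaimsAuthenticationManager (.NET 4.5, System.Security.Claims); it is not code from this answer or from any project mentioned on the page, and the issuer names are hypothetical placeholders standing in for the names your issuerNameRegistry assigns to each IdP's signing certificate.

```csharp
using System;
using System.Collections.Generic;
using System.IdentityModel.Tokens;
using System.Security.Claims;

// Registered in web.config under <system.identityModel><identityConfiguration>
// as <claimsAuthenticationManager type="NormalizingClaimsManager, YourAssembly" />.
// Runs after WIF has already verified the token signature and mapped the signing
// certificate to an issuer name; this class only decides what the app gets to see.
public class NormalizingClaimsManager : ClaimsAuthenticationManager
{
    // Hypothetical issuer names -> which incoming claim carries the user identifier.
    private static readonly Dictionary<string, string> IdentifierClaimByIssuer =
        new Dictionary<string, string>(StringComparer.Ordinal)
        {
            { "https://idp1.example.com", ClaimTypes.Name }, // IdP 1 sends a "name" claim
            { "https://idp2.example.com", ClaimTypes.Upn },  // IdP 2 sends a "upn" claim
        };

    public override ClaimsPrincipal Authenticate(string resourceName, ClaimsPrincipal incomingPrincipal)
    {
        if (incomingPrincipal == null || !incomingPrincipal.Identity.IsAuthenticated)
            return incomingPrincipal; // anonymous request: nothing to normalize

        var incoming = (ClaimsIdentity)incomingPrincipal.Identity;

        // All claims of one token-backed identity share the issuer name WIF assigned.
        string issuer = null;
        foreach (Claim c in incoming.Claims) { issuer = c.Issuer; break; }

        string identifierType;
        if (issuer == null || !IdentifierClaimByIssuer.TryGetValue(issuer, out identifierType))
            throw new SecurityTokenException("Token issuer is not a trusted identity provider: " + issuer);

        Claim idClaim = incoming.FindFirst(identifierType);
        if (idClaim == null || string.IsNullOrWhiteSpace(idClaim.Value))
            throw new SecurityTokenException("Issuer " + issuer + " did not supply the expected claim " + identifierType);

        // Hand the application a fresh identity with canonical claims only; the IdP-specific
        // claim types never reach application code, so adding a third IdP changes only the map.
        var normalized = new ClaimsIdentity(incoming.AuthenticationType, ClaimTypes.NameIdentifier, ClaimTypes.Role);
        normalized.AddClaim(new Claim(ClaimTypes.NameIdentifier, idClaim.Value, ClaimValueTypes.String, issuer));
        normalized.AddClaim(new Claim("http://schemas.example.com/claims/idp", issuer, ClaimValueTypes.String, issuer));
        foreach (Claim role in incoming.FindAll(ClaimTypes.Role))
            normalized.AddClaim(new Claim(ClaimTypes.Role, role.Value, ClaimValueTypes.String, issuer));

        return new ClaimsPrincipal(normalized);
    }
}
```

Keeping the issuer name on every normalized claim lets authorization code and audit logs still tell which IdP vouched for the user, which matters when the two partners are not equally trusted.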

Wiktor Zychla

Reputation: 48279

I recommend you use the Windows Identity Foundation subsystem which simplifies dealing with SAML-based authentication.

The topic is rather broad so you need a good handbook and fortunately there is one, for free from MS:

http://msdn.microsoft.com/en-us/library/ff423674.aspx

In short: to pass the identity between two servers, one of them should implement an Identity Provider service (Security Token Service) and the second one has to accept SAML tokens created and signed by the first one.

Upvotes: 7
