How to implement SAML in asp.net?

Question

Anyone can you please try to clarify my questions regarding single sign on using SAML.

• a) Can we get the identity provider SAML response by string rawSamlData = Request["SAMLResponse"]; this code?
• b) What is token in SAML response?
• c) How can we receive token values in asp.net C# (vs2005)?
• d) Can we force the identity provider to send the user value as a token values?

Thanks in advance.

Answer 1

1. Yes, the SAML Response is generally send in a HTTP-POST Request, you can simply retrieve it using HttpContext.Current.Request["SAMLResponse"]. Some IdPs also send it in a GET Request you might need to just manage the Encoding part

2. SAML Response is itself an XML-Token, you need to validate it's signature and retrieve User-Details from the saml:Assertion node of it.

3. same as no.2

4. No its standard which is defined and we can't alter it.

Instead of writing custom code I would recommend using an pre-made solutions as it's quite complex to manage the security using SAML.

You can choose any open-source or commercial solution like miniOrange, Sustainsys

Answer 2

We wrote a free open-source module that adds SAML to ASP.NET apps, and we specifically targeted .NET 4.0 and lower (where there's no built-in SAML, and no built-in XML SHA256 signature support). https://github.com/jitbit/AspNetSaml

You can still use it in .NET 4.5 and higher to avoid unnecessary dependencies from .NET libs like System.Deployment etc. It's just one short C# file you can drop in your project.

[Disclaimer] I'm one of the contributors!

Answer 3

Rolling your own SAML is indeed possible, but it is a bit of work. I've done it on .NET 4.5 where there is support for validating the assertions, but I had to build my own handling of the saml protocol. On VS2005 you have far less support from the framework, but it's still doable.

To answer your questions:

A. Yes, Request["SAMLResponse"] should contain the saml response from the idp.

B. The SAMLResponse will consist of BASE64-encoded xml with the SAML response.

C. The SAML <Response> message contains an <assertion> node which is the data of the user. You have to create a .NET Identity out of it yourself. Then you can use the forms auth cookie mechanism to keep the user signed in.

D. Don't understand the question.

You should be much better off if you could upgrade to .NET 4.5 that has better support for SAML and claims authentication built in. Nevertheless I think that the code I've done in Kentor.AuthServices is possible to backport to .NET 3.5.

Answer 4

It sounds like you are trying to roll your own SAML stack?

It's going to be a lot easier to use an existing library - refer SAML : SAML connectivity / toolkit .

These provide all the plumbing you require.

VS 2005 may provide some problems though. At the bare minimum, you require ASP.NET 3.5. All the Identity tooling is missing as well (FedUtil / Identity and Access Tool etc.)