David C

Reputation: 2796

Architecture to use .Net Core and SAML2 external IDP for Authorisation

We are starting a new project (the year is 2016); however, we need to use an external SAML2 IDP for authentication (existing client accounts), no OpenID Connect. It will be predominantly an API written in C#.

I'm struggling to work out which way to turn with the available technologies I know about. We'd really prefer to use .Net Core, but there seems to be no SAML functionality available, which leaves us going back to Owin/MVC5/etc.

I believe Identity Server 3 has the functionality, but not Identity Server 4 yet.

There is also mention of JWT, with Aurelia.

Without stepping too far back down the older technology route, what would be the best modern solution to use SAML2 authentication in a 2016 C# web API application? I assume also using claims-based authorisation.

EDIT: Due to people proposing closure of the question.

What I want to know (the ideal answer to the question) is: what is the way for me to be able to work with .Net Core, but have functionality to generate SAML2 tokens to pass to the external IDP?

Upvotes: 0

Views: 1643

Answers (1)

rbrayb

Reputation: 46763

The best way is to use a bridge using OpenID Connect / OAuth into the bridge and SAML out.

You could use IdentityServer 3 for this or ADFS 4.0 (Server 2016).

Update

.NET Core currently has no SAML support. It does support OpenID Connect / OAuth. So you could go:

RP --> OIDC --> RP IDP --> SAML --> IDP

where the RP IDP is the bridge.

If you don't want to use .NET Core, then there are SAML OWIN libraries available. Note that these are all open source - not supplied by Microsoft.

One of these is Kentor.

Upvotes: 2
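An added example, not from the question or the answer, of what the .NET Core side of the bridge architecture in the answer looks like in practice. The API never touches SAML: it only validates the JWT access tokens issued by the OIDC bridge (the "RP IDP" in the answer's diagram), and authorises on the claims the bridge copied out of the upstream SAML assertion. It assumes the ASP.NET Core 2.x-style `AddAuthentication`/`AddJwtBearer` API from the `Microsoft.AspNetCore.Authentication.JwtBearer` package; the bridge URL, the audience name and the `role` claim mapping are placeholders.

```csharp
// Added example (not code from the question, the answer, IdentityServer or ADFS).
// Assumes ASP.NET Core 2.x APIs. The bridge URL, audience and claim names are placeholders.
using System;
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.IdentityModel.Tokens;

public class Startup
{
    public void ConfigureServices(IServiceCollection services)
    {
        services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
            .AddJwtBearer(options =>
            {
                // Placeholder: the OIDC bridge (IdentityServer / ADFS) that fronts the SAML2 IDP.
                // Signing keys and issuer are pulled from its discovery document, so only
                // tokens minted by the bridge are accepted.
                options.Authority = "https://bridge.example.invalid";
                options.Audience = "orders-api";          // placeholder API resource name
                options.RequireHttpsMetadata = true;      // refuse plaintext discovery/JWKS
                options.TokenValidationParameters = new TokenValidationParameters
                {
                    ValidateIssuer = true,
                    ValidateAudience = true,
                    ValidateLifetime = true,
                    ValidateIssuerSigningKey = true,
                    ClockSkew = TimeSpan.FromMinutes(1)   // keep expired tokens from lingering
                };
            });

        services.AddAuthorization(options =>
        {
            // Claims-based authorisation: the bridge is assumed to map the SAML
            // role attribute onto a "role" claim in the token it issues.
            options.AddPolicy("OrdersReader", policy =>
                policy.RequireAuthenticatedUser()
                      .RequireClaim("role", "orders.read"));
        });

        services.AddMvc();
    }

    public void Configure(IApplicationBuilder app)
    {
        app.UseAuthentication();   // validates the bearer token on every request
        app.UseMvc();
    }
}

[Route("api/orders")]
public class OrdersController : Controller
{
    // Only callers whose bridge-issued token carries role=orders.read get through.
    [HttpGet]
    [Authorize(Policy = "OrdersReader")]
    public IActionResult Get()
    {
        var subject = User.FindFirst("sub")?.Value;   // subject as asserted by the bridge
        return Ok(new { user = subject });
    }
}
```

The point of the split is that all SAML handling (assertion signature checks, attribute mapping) lives in the bridge, so the .NET Core API only has to trust one issuer and one signing key set, and a change of upstream IDP does not touch the API's code.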
