
I have implemented an ASP.NET website which acts as a relying party. Currently it supports the WS-Federation protocol for SSO. It uses the “WSFederationAuthenticationModule” class to create a request and send it to ADFS. It also verifies the SAML response with the “SecurityTokenHandler” class and asserts the users’ identity.

Now I have to support the SAML protocol along with the WS-Fed protocol. Since the site is a multi-tenant site I cannot rely just on the web.config configuration and let the framework take care of request and response processing. I will need to generate the SAML request programmatically.

Here are my questions:

It seems that I will need to create a “SAMLRequest” which will be similar to:

<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_7171b0b2-19f2-4ba2-8f94-24b5e56b7f1e" IssueInstant="2014-01-30T16:18:35Z" Version="2.0" AssertionConsumerServiceIndex="0" >
  <saml:Issuer>urn:federation:MicrosoftOnline</saml:Issuer>
  <samlp:NameIDPolicy Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"/>
</samlp:AuthnRequest>
  1. Are there any .NET classes/libraries I can use to generate the above request? Or do I need to create raw XML? If not, are there any free libraries to do this work?

  2. Since I support SAML 1.1 and SAML 2.0 while verifying the SAML response, I believe that I don’t need to worry about the response verification. I assume that WS-Fed and SAML are different only while sending the request to the IdP. The response that I will get from the IdP will be the same irrespective of the protocol.

Can someone please validate my assumptions and point me to blogs or sample code?

Amey
    Have you found an answer since then? I've been struggling to find any answers. Either the info I find involves using ADFS as a sole ip or I find bits and pieces of code samples for creating your own STS. –  Nov 17 '16 at 16:06
  • 1
    @Brian, unfortunately no. I did a lot of research and I didn't find any reliable "free" library. So what I have done is I have used the above XML as a string and each time whenever I need to create a request I replace the following attributes: 1. Id 2. IssuerInstant 3. Issuer. Then I encode and deflate this string and set it as the "SAMLRequest" parameter in the URL and send it to the IdP. Hope this helps, otherwise in a day or two I will post the sample code here. – Amey Nov 18 '16 at 12:43
  • @Amey I am doing the same thing that you did. Replacing strings, deflating, etc.. I have tried to use xsd.exe to generate classes by the full schema but there weren't a lot of problems to do that and I couldn't get it. Have you found an answer for that? – Only a Curious Mind Mar 06 '17 at 16:54
  • @Brian Have you found an answer for that? – Only a Curious Mind Mar 06 '17 at 16:55
  • Yes I have but it was a very arduous process and the solution I used at the end may not even fit into the answer you're needing. The first important thing I learned, although not until the end, is that WIF does not handle the SAML protocol but only the WSFederated protocol. If you want to use the SAML protocol it has to be done through ADFS or some other tool like ADFS. Yes, they advertise that WIF can handle SAML tokens but that is not the same as the SAML protocol. The easiest solution is to have your local ADFS setup as your STS and config ADFS to comm w/ outside sources. –  Mar 07 '17 at 20:14
  • That said, I did finish this by using WIF programmatically but we will only be able to comm w/ ADFS WSFederated providers. What helped me and the only source I could find for a programmatic solution are: http://www.wiktorzychla.com/2014/11/simplest-saml11-federated-authentication.html and http://www.wiktorzychla.com/2014/11/forms-authentication-revisited-for-net.html. This guy never responded to my e-mails so keep that in mind. Finally, what caused a big issue for us was that we have multiple web servers on an F5 load balanced system. The standard out of pocket solution for WIF does not work... –  Mar 07 '17 at 20:18
  • So, the solution I found for that is to create an x509 cert and add that to my web.config and have the asp.net code encrypt the cookie. Here is a link for that: https://gist.github.com/talves/6151710. I realize that this is all fairly vague but honestly it was a very lengthy project and if I had my way we would've had ADFS as our sole ADFS from the start which is what Microsoft created WIF to use but it would've been easier and we could support both protocols. –  Mar 07 '17 at 20:23
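The procedure the comments describe (fill in ID, IssueInstant and Issuer in the template above, then DEFLATE, Base64 and URL-encode it into the SAMLRequest query parameter) as a worked C# example; this is added here and is not code from the asker or from any library the thread mentions. The issuer URN and the IdP URL are placeholders, and the request is left unsigned, as in the question's template.

```csharp
using System;
using System.IO;
using System.IO.Compression;
using System.Text;
using System.Xml.Linq;

public static class SamlRedirectBinding
{
    static readonly XNamespace Samlp = "urn:oasis:names:tc:SAML:2.0:protocol";
    static readonly XNamespace Saml = "urn:oasis:names:tc:SAML:2.0:assertion";

    // Builds the AuthnRequest from the question's template. Keep 'id' server-side:
    // the IdP echoes it back in InResponseTo, and a Response with an unknown or
    // already-used value should be rejected.
    public static XDocument BuildAuthnRequest(string issuer, string id, DateTime issueInstantUtc)
    {
        return new XDocument(
            new XElement(Samlp + "AuthnRequest",
                new XAttribute(XNamespace.Xmlns + "samlp", Samlp.NamespaceName),
                new XAttribute(XNamespace.Xmlns + "saml", Saml.NamespaceName),
                new XAttribute("ID", id),
                new XAttribute("IssueInstant", issueInstantUtc.ToString("yyyy-MM-dd'T'HH:mm:ss'Z'")),
                new XAttribute("Version", "2.0"),
                new XAttribute("AssertionConsumerServiceIndex", "0"),
                new XElement(Saml + "Issuer", issuer),
                new XElement(Samlp + "NameIDPolicy",
                    new XAttribute("Format", "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"))));
    }

    // HTTP-Redirect binding: raw DEFLATE (RFC 1951, which is what DeflateStream emits,
    // no zlib header), then Base64, then URL-encoding so '+', '/' and '=' survive the query.
    public static string EncodeForRedirect(XDocument request)
    {
        byte[] xml = Encoding.UTF8.GetBytes(request.ToString(SaveOptions.DisableFormatting));
        using var compressed = new MemoryStream();
        using (var deflate = new DeflateStream(compressed, CompressionLevel.Optimal, leaveOpen: true))
        {
            deflate.Write(xml, 0, xml.Length); // disposing the stream flushes the final block
        }
        return Uri.EscapeDataString(Convert.ToBase64String(compressed.ToArray()));
    }

    public static void Main()
    {
        // Fresh, unpredictable ID per request; xs:ID values must not start with a digit.
        string id = "_" + Guid.NewGuid().ToString("N");
        XDocument request = BuildAuthnRequest("urn:example:relying-party", id, DateTime.UtcNow);
        string url = "https://idp.example.com/sso?SAMLRequest=" + EncodeForRedirect(request);
        Console.WriteLine(url);
    }
}
```

In a multi-tenant deployment the issuer, the IdP endpoint and the expected ACS come from that tenant's stored metadata rather than from web.config, which is what makes the per-request construction above necessary.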

1 Answer


Have you looked at https://github.com/i8beef/SAML2? I don't have personal experience with it though.

Thanks //Sam (@MrADFS)

Andrii Litvinov
SamuelD MSFT
    Thanks for the suggestion @SamuelD MSFT. I took a look at it. For a single tenant system it's really useful. But I need to generate the request programmatically as I need to create it for different clients with different metadata schemes. But anyway it seems like a useful library. – Amey Aug 24 '16 at 06:20