Integrate SAML2 into Asp.Net using Component Space

By | Oct 10, 2018

Recently I had to do a implementation of SAML2 within .Net, .Net does not have any native support for SAML2 and as a result I had to approach a 3rd party provider called Component Space. Their support is really first class.

I was working with WIF in .Net with WS-federation which made use of the .Net authentication pipeline. Unfortunately the Component Space SAML2 component did not plug into this pipeline and this was a requirement of mine. I had to support both WS-federation and SAML2. So I set out to develop a module that would allow me to use the SAML2 component with the .Net authentication pipeline.

The SAML2 module can be downloaded here but please note that you still need to purchase the Component Space SAML2 component for it to function. I will attempt to assist those that wish to use it but there is no guarantee and no future maintenance.

The module I developed had to support;

  • Configuration by means of the web.config file.
  • Had to plug into the .Net Authentication pipeline.
  • Support Sign out requests
  • Metadata requests for integration

As a result of these requirements I was forced to use the low level API of component space for most of the module, the only exception being that of the metadata. To make the module able to recognize when metadata, sign in assertion and sign out request was initiated I had to define some constants and the module ended up being driven by means of parameters.  

  • Metadata request:  HTTP:\\company.com?inst=metadata
  • Sign in request: HTTP:\\company.com?inst=signIn
  • Sign out request: HTTP:\\company.com?inst=signOut

Below is a visual representation of a sign in request to give you an idea on how this would function.

Configuring the module.

The following changes need to be made to the web.config file of your application.

Below you can see how I switch between WS-Federation and SAML2.

<modules runAllManagedModulesForAllRequests="true"><add name="AuthenticationModule" type="System.IdentityModel.Services.SessionAuthenticationModule" preCondition="managedHandler" /><!-- SAML2 Module --><br /><add name="AuthenticationModule" type="Company.Security.SAML2Module.SAML2AuthenticationModule, Company.Security.SAML2Module" preCondition="managedHandler" /><!-- WS-Federation Module --><!-- <add name="WSFederationAuthenticationModule" type="System.IdentityModel.Services.WSFederationAuthenticationModule, System.IdentityModel.Services, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" preCondition="managedHandler" />--></modules>

Setup the component space config for the metadata. This is the SAML.config file as per the component space documentation.

<?xml version="1.0"?><SAMLConfiguration xmlns="urn:componentspace:SAML:2.0:configuration"><ServiceProvider Name="https://SpDomain" Description="SP" AssertionConsumerServiceUrl="~Inst=SignIn" LocalCertificateSerialNumber ="123"/><PartnerIdentityProviders><!-- ADFS --><PartnerIdentityProvider Name="https://saml.domain/adfs/ls/" Description="ADFS" SignAuthnRequest="true" SignLogoutRequest="true" WantAssertionEncrypted="false" WantLogoutResponseSigned="true" SingleSignOnServiceBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" SingleSignOnServiceUrl="https://saml.domain/adfs/ls/" SingleLogoutServiceUrl="https://saml.domain/adfs/ls/" PartnerCertificateSerialNumber="456"/> <PartnerIdentityProvider Name="https://saml.domain/adfs/services/trust" Description="ADFS" SignAuthnRequest="true" SignLogoutRequest="true" WantAssertionEncrypted="false" WantLogoutResponseSigned="true" SingleSignOnServiceBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" SingleSignOnServiceUrl="https://saml2.domain/adfs/ls/" SingleLogoutServiceUrl="https://saml2.domain/adfs/ls/" PartnerCertificateSerialNumber="456"/> </PartnerIdentityProviders> </SAMLConfiguration>

The following app settings need to be added.

<!-- SAML2 Settings. --><br /><add key="IdpUrl" value="https://adfssrv.domain/adfs/ls/" /><add key="IdpCertificateSerialNumber" value="123" /><add key="SpCertificateSerialNumber" value="456" /><add key="SpCertificateDigestMethod" value="http://www.w3.org/2001/04/xmlenc#sha256" /><add key="SpCertificateSignatureMethods" value="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256" /><add key="RedirectUriOnSignOut" value="https://domain/SignoutPage"/><add key="SignAuthnRequest" value="false" /><add key="SignLogoutRequest" value="true" /><add key="IsPassive" value="false" /><add key="ForceAuthen" value="false" />

Feel free to use the module and drop me some feedback.

Related

Integrate Ws-Federation into Asp.Net Core
Integrate Ws-Federation into Asp.Net

3
Leave a Reply

avatar
3 Comment threads
0 Thread replies
0 Followers
 
Most reacted comment
Hottest comment thread
0 Comment authors
Recent comment authors

This site uses Akismet to reduce spam. Learn how your comment data is processed.

  Subscribe  
newest oldest most voted
Notify of
trackback

[…] Ws-Federation into Asp.Net Integrate SAML2 into Asp.Net using Component Space WS-Federation metadata generation […]

trackback

[…] Ws-Federation into Asp.Net Core Integrate SAML2 into Asp.Net using Component Space WCF Security Token Service Troubleshoot WCF Security connectivity Asp.net security […]

trackback

[…] Ws-Federation into Asp.Net Core Integrate SAML2 into Asp.Net using Component Space WCF Security Token Service Troubleshoot WCF Security connectivity Asp.net security […]