The Sustainsys.Saml2 library adds SAML2P support to ASP.NET web sites, allowing the web site to act as a SAML2 Service Provider (SP). The library was previously named Kentor.AuthServices.
Sustainsys.Saml2 is open sourced and contributions are welcome, please see contributing guidelines for info on coding standards etc.
The Saml2 library can be used through three different ways:
- An Http Module, loaded into the IIS pipeline. The module is compatible with ASP.NET web forms sites.
- An ASP.NET MVC Controller for better integration and error handling in ASP.NET Applications.
- An Owin Middleware to use with the Owin Pipeline or for integration with ASP.NET Identity.
- An ASP.NET Core2 Handler for use with ASP.NET Core 2.x applications.
Note that the Owin & ASP.NET Core2 modules enables SAML identity providers to be integrated within IdentityServer3 and IdentityServer4 packages. Review this document to see how to configure Saml2 with IdentityServer3 and Okta to add Okta as an identity provider to an IdentityServer3 project. There is also a SampleIdentityServer3 project in the Saml2 repository.
There are five nuget packages available. The core Sustainsys.Saml2 contains the core functionality. The Sustainsys.Saml2.HttpModule contains an IIS Http Module. The Sustainsys.Saml2.Mvc package contains the MVC controller. The Sustainsys.Saml2.Owin package contains the Owin middleware. Finally the Sustainsys.Saml2.AspNetCore2 contains a Saml2 authentication handler for ASP.NET Core 2.x.
Once the nuget packages are installed you must provide configuration either through code
or through web.config
sections.
See configuration for details.
- Check the issues archive.
- Check the SAML2 specification, starting with the core section.
- Log your actual SAML2 conversation with SAML Chrome Panel or SAML Tracer for Firefox.
- Connect an
ILoggerAdapter
to yourSPOptions.Logger
. If you are using the OWIN middleware this is done for you automatically and you can see the output in the OWIN/Katana logging. - Last but not least, download the Saml2 source and check out what's really happening.
The Saml2AuthenticationModule provides Saml2 authentication to IIS web sites. In many cases it should just be configured in and work without any code written in the application at all (even though providing an own ClaimsAuthenticationManager for claims translation is highly recommended).
The MVC package contains an MVC controller that will be accessible in your application just by installing the package in the application. For MVC applications a controller is preferred over using the authentication module as it integrates with MVC's error handling.
The Owin middleware is modeled after the external authentication modules for social login (such as Google, Facebook, Twitter). This allows easy integration with ASP.NET Identity for keeping application specific user and role information. See the Owin Middleware page for information on how to set up and use the middleware.
The ASP.NET Core 2 Handler is compatbile with the ASP.NET Core 2.0 authentication model.
The solution also contains a stub (i.e. dummy) identity provider that can be used for testing. Download the solution, or use the instance that's provided for free at https://stubidp.sustainsys.com.
The protocol handling classes are available as a public API as well, making it possible to reuse some of the internals for writing your own service provider or identity provider.