38

I am trying to add SAML 2.0 authentication to an ASP.Net Core solution. I can't find any documentation on the subject, so I am unsure where to start. There is probably documentation out there, but I don't want to spend 3 days becoming an expert on this.

From what I can see ASP.Net Core has changed something from the old OWIN assemblies/namespaces. There are third party libraries to simplify SAML 2.0 implementation such as Kentor.AuthServices.

I am unsure how to combine this with ASP.Net 5 RC 1 / ASP.Net Core. For example making use of the AspNet* tables in SQL.

ASP.Net 5 RC 1 comes with several libraries to implement authentication (client).

For example:

Implementing these is a matter of calling a simple extension method in Startup.cs:

app.UseIdentity()
.UseFacebookAuthentication(new FacebookOptions
{
    AppId = "ID",
    AppSecret = "KEY"
})
.UseGoogleAuthentication(new GoogleOptions
{
    ClientId = "ID",
    ClientSecret = "SECRET"
})
.UseTwitterAuthentication(new TwitterOptions
{
    ConsumerKey = "KEY",
    ConsumerSecret = "SECRET"
});

Once that is done the ASP.Net sample project automatically shows social buttons for login/manage account:

Social buttons

In the backend code the authentication providers are retrieved using var otherLogins = _signInManager.GetExternalAuthenticationSchemes().Where(auth => userLogins.All(ul => auth.AuthenticationScheme != ul.LoginProvider)).ToList();. This means the authentication providers are registered somewhere that makes them available by calling _signInManager.GetExternalAuthenticationSchemes().

How can I implement SAML 2.0 authentication in ASP.Net 5 RC1 / ASP.Net Core?

Tedd Hansen
  • 12,074
  • 14
  • 61
  • 97

5 Answers

15

This is probably basically an updated version of Anders Abel's answer, but:

I used https://github.com/Sustainsys/Saml2. They have a nuget package with 36k downloads called "Sustainsys.Saml2.AspNetCore2".

They have a helpful example .net core app using it that also uses .net core identity here: https://github.com/Sustainsys/Saml2/tree/master/Samples/SampleAspNetCore2ApplicationNETFramework (take a look at their startup.cs and also their external login razor pages for implementation details).

They also host a nice test IdP here: https://stubidp.sustainsys.com. That way, you can confirm your app's ACS (Assertion Consumer Service) endpoint works along with your login page and whatnot.

They mention on their github: "The library was previously named Kentor.AuthServices."

JohnnyFun
  • 3,975
  • 2
  • 20
  • 20
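
How the Sustainsys.Saml2.AspNetCore2 package named in this answer is typically registered, as an added example (not part of the original answer and not copied from the project's sample). It adds SAML 2.0 as an external authentication scheme, which is what makes it show up in `_signInManager.GetExternalAuthenticationSchemes()`. The service provider entity ID is a placeholder, and the stub IdP's `/Metadata` path is an assumption.

```csharp
using Microsoft.Extensions.DependencyInjection;
using Sustainsys.Saml2;
using Sustainsys.Saml2.Metadata;

public class Startup
{
    public void ConfigureServices(IServiceCollection services)
    {
        // ASP.NET Core Identity (AddIdentity / AddDefaultIdentity) is configured
        // before this, as in the project template. Identity makes the external
        // cookie the default sign-in scheme, so the SAML handler's result is
        // readable through SignInManager.GetExternalLoginInfoAsync().

        services.AddAuthentication()
            .AddSaml2(options =>
            {
                // Entity ID this application presents to the IdP (placeholder).
                // It must match what is registered on the IdP side.
                options.SPOptions.EntityId =
                    new EntityId("https://myapp.example/Saml2");

                // Trust exactly one IdP, identified by its entity ID.
                // LoadMetadata = true fetches the IdP's endpoints and signing
                // certificate from its metadata, so fetch it over HTTPS only.
                options.IdentityProviders.Add(
                    new IdentityProvider(
                        new EntityId("https://stubidp.sustainsys.com/Metadata"),
                        options.SPOptions)
                    {
                        LoadMetadata = true
                    });
            });
    }
}
```

The stub IdP is for testing only; in production the `IdentityProvider` entry points at the real IdP's metadata.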
13

As far as I know, there is no SAML2 implementation for ASP.NET Core. I'm planning to make an ASP.NET Core Middleware for Kentor.AuthServices (I'm the maintainer), but it's just plans yet.

There is now a working prototype of an ASP.NET Core middleware at https://github.com/KentorIT/authservices/pull/489. It will be included in the official release when tests have been added.

It's also important to know that while such a middleware would be compatible with the ASP.NET Core security model, it would only run on the full .NET Framework and not on .NET Core. The reason is that SignedXml and the SAML2 support in System.IdentityModel are not yet available in .NET Core.

Anders Abel
  • 67,989
  • 17
  • 150
  • 217
  • Any ETA on making Kentor.AuthServices support ASP.Net Core? – Tedd Hansen Feb 09 '16 at 14:21
  • @TeddHansen Can't say anything on time frame unfortunately. Depends very much on if I'll be doing it in my free time or if I get a paying customer so that I can do it during office hours. – Anders Abel Feb 09 '16 at 21:47
  • @m0s LGPLv3, which is a huge difference. Link to whatever you want. Is it still a problem? Then mail me and explain why. – Anders Abel Mar 28 '16 at 18:21
  • 2
    @Anders Abel Is there any known middleware to implement SAML2 SSO in a asp.net core?? – S M Jun 09 '16 at 08:23
  • 1
    @Manu ComponentSpace has done it. But documentation on the finer details is a little lacking and it's a paid product. – HTTP 501 Aug 31 '17 at 00:12
  • Just curious how ComponentSpace has done it if SignedXml and SAML2 support isn't yet available in .NET Core. – Preetham Reddy Nov 11 '17 at 05:54
  • .NET Core 2.0 added support for System.Security.Cryptography.Xml. Our product is a .NET standard library and includes an ASP.NET Core authentication handler (middleware) so it's definitely possible. – ComponentSpace Nov 11 '17 at 23:59
  • 1
    Got the latest from Ander's version, and it has a hard dependency on .Net Framework. Not compatible with a pure core environment. :( – Brian Webb Jun 28 '18 at 07:16
3

ITfoxtec Identity Saml2 now supports .NET Core 2.1.

Project: https://itfoxtec.com/IdentitySaml2 and code samples: https://github.com/ITfoxtec/ITfoxtec.Identity.Saml2/tree/master/test

To implement SAML 2.0 in an ASP.NET MVC Core 2.1 project you need the following NuGet package: https://www.nuget.org/packages/ITfoxtec.Identity.Saml2.MvcCore/

Anders Revsgaard
  • 3,636
  • 1
  • 9
  • 25
3

[Disclaimer: I'm a contributor of the OSS project mentioned below]

The free AspNetSaml library has been around since 2016 and works perfectly with ASP.NET Core, available as a NET Standard 2.0 nuget package (270K downloads at nuget).

Redirecting a user to an IdP provider is as simple as:

// requires "using Saml;" (namespace of the AspNetSaml package)
var request = new AuthRequest(
    "http://myapp.com", //your app's "entity ID" here
    "http://myapp.com/SamlConsume" //URL to send users back to
);

//MVC redirect: send the browser to the IdP's sign-in endpoint
return Redirect(request.GetRedirectUrl("http://saml-provider.com/login/"));

Alex from Jitbit
  • 53,710
  • 19
  • 160
  • 149
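
The return leg of the redirect above, as an added example (not part of the original answer): the action behind the `/SamlConsume` URL has to verify the IdP's signature before trusting anything in the posted response. It uses the AspNetSaml `Saml.Response` class; the controller name and certificate text are placeholders, and cookie authentication is assumed to be configured already.

```csharp
using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Authentication.Cookies;
using Microsoft.AspNetCore.Mvc;

public class AccountController : Controller
{
    // Placeholder: the IdP's public signing certificate, obtained from the
    // IdP out of band. Never take it from the incoming response itself.
    private const string IdpCertificate = @"-----BEGIN CERTIFICATE-----
<IdP signing certificate goes here>
-----END CERTIFICATE-----";

    [HttpPost]
    public async Task<IActionResult> SamlConsume()
    {
        // The IdP posts the base64-encoded response in the "SAMLResponse" field.
        // Saml.Response is fully qualified to avoid Controller.Response.
        var samlResponse = new Saml.Response(
            IdpCertificate, Request.Form["SAMLResponse"]);

        // IsValid() verifies the response signature against the configured
        // certificate. Read no attribute before this check has passed.
        if (!samlResponse.IsValid())
            return Unauthorized();

        // Only now is the NameID trustworthy enough to build a session from.
        var claims = new[]
        {
            new Claim(ClaimTypes.NameIdentifier, samlResponse.GetNameID())
        };
        var identity = new ClaimsIdentity(
            claims, CookieAuthenticationDefaults.AuthenticationScheme);

        await HttpContext.SignInAsync(
            CookieAuthenticationDefaults.AuthenticationScheme,
            new ClaimsPrincipal(identity));

        return Redirect("/");
    }
}
```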
0

For ASP.NET Core sites you can give this SSO connector solution a try. I installed this connector as a separate .NET application (a proxy app) which was handling the SSO requests for my ASP.NET Core application and then I integrated this connector with my app using some code. All required integration code was already there in the connector itself, which I just copied and pasted into my application. It was quite a simple setup for adding the SSO. I think this connector can be very useful for adding SSO to ASP.NET Core apps.

Pratik
  • 11
  • 1
    Hello and welcome to SO! Please read the [tour](https://stackoverflow.com/tour), and [How do I write a good answer?](https://stackoverflow.com/help/how-to-answer) For example you can add a code snippet using this solution that solves the question. – Tomer Shetah Dec 24 '20 at 07:32