3 votes

I have implemented an ASP.NET website which acts as a relying party. Currently it supports the WS-Federation protocol for SSO. It uses the “WSFederationAuthenticationModule” class to create a request and send it to ADFS. It also verifies the SAML response with the “SecurityTokenHandler” class and asserts the user’s identity.

Now I have to support the SAML protocol along with the WS-Fed protocol. Since the site is a multi-tenant site I cannot rely just on the web.config configuration and let the framework take care of request and response processing. I will need to generate the SAML request programmatically.

Here are my questions:

It seems that I will need to create a “SAMLRequest” which will be similar to:

<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_7171b0b2-19f2-4ba2-8f94-24b5e56b7f1e" IssueInstant="2014-01-30T16:18:35Z" Version="2.0" AssertionConsumerServiceIndex="0" >
  <saml:Issuer>urn:federation:MicrosoftOnline</saml:Issuer>
  <samlp:NameIDPolicy Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"/>
</samlp:AuthnRequest>

  1. Are there any .NET classes/libraries I can use to generate the above request? Or do I need to create raw XML? If not, are there any free libraries to do this work?

  2. Since I support SAML 1.1 and SAML 2.0 while verifying the SAML response, I believe that I don’t need to worry about the response verification. I assume that WS-Fed and SAML differ only while sending the request to the IDP. The response that I will get from the IDP will be the same irrespective of the protocol.

Can someone please validate my assumptions and point me to blogs or sample code?

Have you found an answer since then? I've been struggling to find any answers. Either the info I find involves using ADFS as a sole ip or I find bits and pieces of code samples for creating your own STS. - user134363
@Brian, unfortunately no. I did a lot of research and I didn't find any reliable "free" library. So what I have done is I have used the above XML as a string and each time whenever I need to create a request I replace the following attributes: 1. ID 2. IssueInstant 3. Issuer. Then I encode and deflate this string and set it to the "SAMLRequest" parameter in the URL and send it to the IDP. Hope this helps, otherwise in a day or two I will post the sample code here. - Amey
@Amey I am doing the same thing that you did. Replacing strings, deflating, etc. I have tried to use xsd.exe to generate classes from the full schema but there weren't a lot of problems to do that and I couldn't get it. Have you found an answer for that? - Only a Curious Mind
@Brian Have you found an answer for that? - Only a Curious Mind
Yes I have but it was a very arduous process and the solution I used at the end may not even fit into the answer you're needing. The first important thing I learned, although not until the end, is that WIF does not handle the SAML protocol but only the WSFederated protocol. If you want to use the SAML protocol it has to be done through ADFS or some other tool like ADFS. Yes, they advertise that WIF can handle SAML tokens but that is not the same as the SAML protocol. The easiest solution is to have your local ADFS setup as your STS and config ADFS to comm w/ outside sources. - user134363
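The question and Amey's comment describe building the AuthnRequest by substituting ID, IssueInstant and Issuer into a template string, then deflating and encoding it into the SAMLRequest query parameter. The following is an added example, not code from the question, the comments or any library mentioned on this page. It builds the same request with XmlWriter (so a tenant-supplied issuer or URL is escaped rather than spliced into the XML), then applies the SAML 2.0 HTTP-Redirect binding encoding in the order the binding specifies: raw DEFLATE, Base64, URL-encode. The issuer, IdP SSO URL and assertion consumer URL are placeholders, AssertionConsumerServiceURL is used instead of the index shown in the question's sample, and the request is unsigned (an IdP that requires signed redirect requests additionally needs the SigAlg and Signature query parameters).

```csharp
using System;
using System.Globalization;
using System.IO;
using System.IO.Compression;
using System.Text;
using System.Xml;

// Added example: builds a SAML 2.0 AuthnRequest and encodes it for the HTTP-Redirect binding.
// Issuer, ACS URL and IdP SSO URL are assumed placeholder values supplied by the caller.
public static class SamlAuthnRequestBuilder
{
    private const string SamlpNs = "urn:oasis:names:tc:SAML:2.0:protocol";
    private const string SamlNs = "urn:oasis:names:tc:SAML:2.0:assertion";

    // Returns the request XML and the generated request ID. The caller should keep the ID
    // (for example in session state) so the InResponseTo attribute of the IdP's response
    // can be matched against a request this relying party actually issued.
    public static string BuildAuthnRequest(string issuer, string acsUrl, string idpSsoUrl, out string requestId)
    {
        // SAML IDs are xsd:ID values and must not start with a digit, hence the underscore prefix.
        requestId = "_" + Guid.NewGuid().ToString("N");

        var settings = new XmlWriterSettings { OmitXmlDeclaration = true, Encoding = new UTF8Encoding(false) };
        var sb = new StringBuilder();
        using (var writer = XmlWriter.Create(sb, settings))
        {
            writer.WriteStartElement("samlp", "AuthnRequest", SamlpNs);
            writer.WriteAttributeString("xmlns", "saml", null, SamlNs);
            writer.WriteAttributeString("ID", requestId);
            writer.WriteAttributeString("Version", "2.0");
            writer.WriteAttributeString("IssueInstant",
                DateTime.UtcNow.ToString("yyyy-MM-dd'T'HH:mm:ss'Z'", CultureInfo.InvariantCulture));
            writer.WriteAttributeString("Destination", idpSsoUrl);
            writer.WriteAttributeString("ProtocolBinding", "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST");
            writer.WriteAttributeString("AssertionConsumerServiceURL", acsUrl);

            // XmlWriter escapes the text, so a tenant-configured entity ID cannot inject markup.
            writer.WriteElementString("saml", "Issuer", SamlNs, issuer);

            writer.WriteStartElement("samlp", "NameIDPolicy", SamlpNs);
            writer.WriteAttributeString("Format", "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent");
            writer.WriteAttributeString("AllowCreate", "true");
            writer.WriteEndElement(); // NameIDPolicy

            writer.WriteEndElement(); // AuthnRequest
        }
        return sb.ToString();
    }

    // HTTP-Redirect binding encoding: raw DEFLATE (no zlib header), then Base64, then URL-encode.
    public static string EncodeForRedirect(string xml)
    {
        byte[] utf8 = Encoding.UTF8.GetBytes(xml);
        using (var output = new MemoryStream())
        {
            using (var deflate = new DeflateStream(output, CompressionMode.Compress, leaveOpen: true))
            {
                deflate.Write(utf8, 0, utf8.Length);
            } // disposing the DeflateStream flushes the final compressed block
            return Uri.EscapeDataString(Convert.ToBase64String(output.ToArray()));
        }
    }

    // Builds the full redirect URL for the IdP's single sign-on endpoint.
    public static string BuildRedirectUrl(string idpSsoUrl, string issuer, string acsUrl, out string requestId)
    {
        string xml = BuildAuthnRequest(issuer, acsUrl, idpSsoUrl, out requestId);
        string separator = idpSsoUrl.Contains("?") ? "&" : "?";
        return idpSsoUrl + separator + "SAMLRequest=" + EncodeForRedirect(xml);
    }
}

// Usage (placeholder values):
//   string id;
//   string url = SamlAuthnRequestBuilder.BuildRedirectUrl(
//       "https://idp.example.test/saml/sso", "urn:example:tenant-a", "https://rp.example.test/saml/acs", out id);
//   // store id, then Response.Redirect(url)
```

Keeping the generated ID per request is what makes the InResponseTo check on the returned Response meaningful; the returned assertion still has to be validated for signature, audience and time conditions by the relying party, regardless of which protocol carried the request.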

1 Answer

1 vote

Have you looked at https://github.com/i8beef/SAML2? I don't have personal experience with it though.

Thanks //Sam (@MrADFS)