0
votes

We have a requirement that our MVC client application provide SSO to multiple customers by logging them in to their own IdP. Some of these give us SAML 1.1 tokens, which we already support using the WSFederationAuthenticationModule, but some of them have recently started sending SAML 2.0 tokens, which causes our MVC application to fail.

Can I use WSFederationAuthenticationModule to support SAML 2.0 token also?

Are there any other alternative suggestions?


2 Answers

0
votes

The problem is that 1.1 enforces the full URI e.g.

"http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"

whereas 1.2 allows just "emailaddress".

You can use GetOutputClaimsIdentity

and have something like:

outputIdentity.Claims.Add(new Claim(ClaimTypes.xxx, "rest of URI" + emailaddress));

0
votes

I think I found the solution to my problem. Extending the Saml2SecurityTokenHandler solved my problem. WsFedAuthenticationModule is able to successfully transform the SAML 2.0 token to SAML 1.1 assertions.
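Neither answer shows the handler code. The following is an added example (not the poster's code, nor code from the WIF library) of what "extending the Saml2SecurityTokenHandler" can look like for an MVC relying party, combined with the claim-type normalisation the first answer describes, done on the relying-party side instead of in an STS's GetOutputClaimsIdentity. The class name CustomSaml2SecurityTokenHandler, the namespace SsoSample and the set of short claim names in ClaimTypeMap are assumptions; the base-class calls and the web.config elements are the standard System.IdentityModel 4.5 ones.

```csharp
using System;
using System.Collections.Generic;
using System.Collections.ObjectModel;
using System.IdentityModel.Tokens;
using System.Linq;
using System.Security.Claims;

namespace SsoSample
{
    /// <summary>
    /// Hypothetical handler (added example, not the poster's code). It accepts a SAML 2.0
    /// assertion from a customer IdP, lets the base class perform signature, issuer,
    /// audience and lifetime validation, and only then rewrites short claim names
    /// (e.g. "emailaddress") to the full URIs the MVC application already expects.
    /// </summary>
    public class CustomSaml2SecurityTokenHandler : Saml2SecurityTokenHandler
    {
        // Assumed short names a customer IdP might emit; extend this per IdP as needed.
        private static readonly Dictionary<string, string> ClaimTypeMap =
            new Dictionary<string, string>(StringComparer.OrdinalIgnoreCase)
            {
                { "emailaddress", ClaimTypes.Email },
                { "name",         ClaimTypes.Name },
                { "givenname",    ClaimTypes.GivenName },
                { "surname",      ClaimTypes.Surname },
                { "role",         ClaimTypes.Role },
            };

        public override ReadOnlyCollection<ClaimsIdentity> ValidateToken(SecurityToken token)
        {
            // Never skip this call: it is where the signature, issuer name registry
            // and audience restriction checks happen. A token from an unknown issuer
            // throws here, before any claim rewriting takes place.
            ReadOnlyCollection<ClaimsIdentity> identities = base.ValidateToken(token);

            foreach (ClaimsIdentity identity in identities)
            {
                // Snapshot the claims first, because the identity is mutated in the loop.
                foreach (Claim claim in identity.Claims.ToList())
                {
                    string fullType;
                    if (ClaimTypeMap.TryGetValue(claim.Type, out fullType))
                    {
                        // Preserve value type, issuer and original issuer so downstream
                        // authorisation can still tell which IdP asserted the claim.
                        identity.AddClaim(new Claim(fullType, claim.Value, claim.ValueType,
                                                    claim.Issuer, claim.OriginalIssuer));
                        identity.TryRemoveClaim(claim);
                    }
                }
            }

            return identities;
        }
    }
}

/* Registration in web.config (System.IdentityModel 4.5), replacing the stock handler so
   the WS-Federation module hands SAML 2.0 assertions to the class above. The assembly
   name "SsoSample" is an assumption.

<system.identityModel>
  <identityConfiguration>
    <securityTokenHandlers>
      <remove type="System.IdentityModel.Tokens.Saml2SecurityTokenHandler, System.IdentityModel, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" />
      <add type="SsoSample.CustomSaml2SecurityTokenHandler, SsoSample" />
    </securityTokenHandlers>
  </identityConfiguration>
</system.identityModel>
*/
```

Two practitioner caveats. First, this handler only changes how accepted tokens are represented; each customer IdP's signing certificate still has to be listed in the issuerNameRegistry and the application's realm in audienceUris, otherwise base.ValidateToken rejects the token, which is the behaviour you want. Second, SAML 1.1 tokens are unaffected: they continue to be processed by the SamlSecurityTokenHandler that remains in the collection, so both token formats coexist behind the same WSFederationAuthenticationModule.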