.net core and SAML 2.0 - asp.net-core

Our University has migrated to a SAML based authentication/authorization method using Shibboleth.
I have been researching for at least a day on how to use SAML with .NET Core web applications. I can't use IdentityServer4 because it is for OAuth/OpenID. I found some documentation on MSDN which points to a commercial implementation. I came across this SO answer from a year ago saying Kentor may support it in the future, but couldn't find anything on the GitHub page about support for .NET Core or a .NET Core sample web app. As of January it was still planned, but with no date.
The University has the identity provider running. What I don't understand is the following:
How do I set my web application to use that identity provider?
How do I check if the user has already been authenticated by that identity provider for another application, i.e. for SSO use?
Also, any sample applications that use SAML without commercial plugins would be greatly appreciated.

ITfoxtec has an ASP.NET MVC Core 1.0 SAML2 plugin, but it requires the full .NET Framework and won't run on Linux. There are some missing APIs (around the Crypto XML namespace) that are preventing full .NET Core support for SAML2 right now. https://github.com/ITfoxtec/ITfoxtec.Identity.Saml2
Not exactly what you're looking for, I know, but it's an interim solution until probably .NET Standard 2.0, which will probably bring the missing APIs to .NET Core.

ITfoxtec Identity Saml2 supports .NET Core 2.1 (without the .NET Framework) from version 3.0.0. Project: https://itfoxtec.com/IdentitySaml2
ITfoxtec Identity Saml2 MVC Core supports ASP.NET MVC Core 2.1. NuGet package: https://www.nuget.org/packages/ITfoxtec.Identity.Saml2.MvcCore/
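As an added example (not code from the question, the answers, or the ITfoxtec project itself), this is the shape of a minimal ASP.NET Core 2.1 Service Provider wired to a Shibboleth IdP with ITfoxtec.Identity.Saml2 3.x. The type and method names follow the library's public sample as I recall it and should be checked against the sample for the version you reference; the configuration keys (`Saml2:Issuer`, `Saml2:IdPMetadata`, `Saml2:SigningCertificateFile`, `Saml2:SigningCertificatePassword`) and the `AuthController` routes are my own assumptions. It also answers the SSO part of the question: the SP never asks the IdP whether the user is logged in elsewhere; it simply sends an AuthnRequest, and an IdP that already holds a session for that browser answers without prompting.

```csharp
// Added example: ASP.NET Core 2.1 SAML2 Service Provider using ITfoxtec.Identity.Saml2 3.x.
// Configuration keys and routes below are assumptions, not values from the original page.
using System;
using System.Collections.Generic;
using System.Linq;
using System.Security.Authentication;
using System.Security.Cryptography.X509Certificates;
using System.Threading.Tasks;
using ITfoxtec.Identity.Saml2;
using ITfoxtec.Identity.Saml2.MvcCore;
using ITfoxtec.Identity.Saml2.MvcCore.Configuration;
using ITfoxtec.Identity.Saml2.Schemas;
using ITfoxtec.Identity.Saml2.Schemas.Metadata;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Extensions.Configuration;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.Extensions.Options;

public class Startup
{
    private readonly IConfiguration _config;
    public Startup(IConfiguration config) { _config = config; }

    public void ConfigureServices(IServiceCollection services)
    {
        services.Configure<Saml2Configuration>(saml2 =>
        {
            // SP entity ID; the university's IdP must have this value from our metadata.
            saml2.Issuer = _config["Saml2:Issuer"];
            // Certificate used to sign our AuthnRequests (assumed PFX on disk).
            saml2.SigningCertificate = new X509Certificate2(
                _config["Saml2:SigningCertificateFile"], _config["Saml2:SigningCertificatePassword"]);
            // Reject assertions that were issued for a different audience.
            saml2.AllowedAudienceUris.Add(saml2.Issuer);

            // Take the SSO endpoint and the signing certificates from the IdP's own metadata,
            // so responses are verified against keys the IdP actually published.
            var entityDescriptor = new EntityDescriptor();
            entityDescriptor.ReadIdPSsoDescriptorFromUrl(new Uri(_config["Saml2:IdPMetadata"]));
            if (entityDescriptor.IdPSsoDescriptor == null)
                throw new InvalidOperationException("IdP metadata contains no IDPSSODescriptor");
            saml2.SingleSignOnDestination =
                entityDescriptor.IdPSsoDescriptor.SingleSignOnServices.First().Location;
            saml2.SignatureValidationCertificates.AddRange(
                entityDescriptor.IdPSsoDescriptor.SigningCertificates);
        });
        services.AddSaml2();
        services.AddMvc();
    }

    public void Configure(IApplicationBuilder app)
    {
        app.UseSaml2();
        app.UseMvc();
    }
}

[Route("Auth")]
public class AuthController : Controller
{
    private const string RelayStateReturnUrl = "ReturnUrl";
    private readonly Saml2Configuration _config;
    public AuthController(IOptions<Saml2Configuration> config) { _config = config.Value; }

    // Step 1: send the browser to the IdP with a signed AuthnRequest (HTTP-Redirect binding).
    // If Shibboleth already has a session for this browser it answers without a login prompt.
    [Route("Login")]
    public IActionResult Login(string returnUrl = null)
    {
        var binding = new Saml2RedirectBinding();
        binding.SetRelayStateQuery(new Dictionary<string, string>
        {
            { RelayStateReturnUrl, returnUrl ?? Url.Content("~/") }
        });
        return binding.Bind(new Saml2AuthnRequest(_config)).ToActionResult();
    }

    // Step 2: the IdP POSTs the SAML Response here. Unbind() validates the XML signature
    // against SignatureValidationCertificates and checks audience and validity conditions.
    [Route("AssertionConsumerService")]
    public async Task<IActionResult> AssertionConsumerService()
    {
        var binding = new Saml2PostBinding();
        var response = new Saml2AuthnResponse(_config);
        binding.ReadSamlResponse(Request.ToGenericHttpRequest(), response);
        if (response.Status != Saml2StatusCodes.Success)
            throw new AuthenticationException($"SAML Response status: {response.Status}");
        binding.Unbind(Request.ToGenericHttpRequest(), response);
        await response.CreateSession(HttpContext);

        var relayState = binding.GetRelayStateQuery();
        var returnUrl = relayState.ContainsKey(RelayStateReturnUrl)
            ? relayState[RelayStateReturnUrl] : Url.Content("~/");
        // RelayState round-trips through the browser, so only follow local URLs.
        return Url.IsLocalUrl(returnUrl) ? LocalRedirect(returnUrl) : Redirect("~/");
    }
}
```

The two points a reviewer would check in such code are that `Status` is inspected before the response is trusted and that `SignatureValidationCertificates` is populated from IdP metadata rather than left empty; with an empty list the library cannot verify who signed the assertion.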

Related

OWIN Authentication, Authorization code migration from .net framework to .net 6 (Token based Authentication)

We have implemented OWIN Authorization for our Web APIs in a .NET Framework project. Now we are migrating this to .NET 6. It seems that in .NET 6/.NET Core OWIN authentication is not supported.
I don't find any documentation around this.
It seems Microsoft.Owin.OwinMiddleware does not exist in .NET Core. Also, I don't find any NuGet packages corresponding to Microsoft.Owin.Security.Infrastructure.AuthenticationTokenProvider in .NET Core.
How can we use OWIN Authorization in .NET Core (.NET 6)? If it is not supported, what is the alternative to this in .NET Core?
ASP.NET Core uses a new authentication middleware which could work like OWIN.
So you could directly use this middleware instead of using OWIN inside ASP.NET Core.
For example, if you want to include Microsoft, Google, Facebook or others, you could refer to this article.
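As an added example (not code from the question or the answer above), this is what the "new authentication middleware" looks like when it replaces a custom OWIN `AuthenticationTokenProvider` in .NET 6: an `AuthenticationHandler<T>` that reads a bearer token, validates it, and issues a `ClaimsPrincipal`. `ITokenValidator` and `InMemoryTokenValidator` are my stand-ins for whatever validated the legacy tokens; the sample token is constructed. The .NET 6 constructor with `ISystemClock` is used because that is the target framework in the question.

```csharp
// Added example: ASP.NET Core (.NET 6) replacement for an OWIN token provider.
// Top-level statements must come before the type declarations in a single file.
using System.Security.Claims;
using System.Text.Encodings.Web;
using Microsoft.AspNetCore.Authentication;
using Microsoft.Extensions.Options;

var builder = WebApplication.CreateBuilder(args);
builder.Services.AddSingleton<ITokenValidator, InMemoryTokenValidator>(); // assumed stand-in
builder.Services.AddAuthentication(LegacyTokenHandler.SchemeName)
    .AddScheme<AuthenticationSchemeOptions, LegacyTokenHandler>(LegacyTokenHandler.SchemeName, null);
builder.Services.AddAuthorization();
builder.Services.AddControllers();

var app = builder.Build();
// Order matters: authentication must run before authorization and before the endpoints.
app.UseAuthentication();
app.UseAuthorization();
app.MapControllers();
app.Run();

public interface ITokenValidator
{
    // Returns the user name the token belongs to, or null if it is unknown or expired.
    string? Validate(string token);
}

public sealed class InMemoryTokenValidator : ITokenValidator
{
    // Constructed sample token; a real store would also check expiry and revocation.
    private static readonly Dictionary<string, string> Tokens = new() { ["demo-token-123"] = "alice" };
    public string? Validate(string token) => Tokens.TryGetValue(token, out var user) ? user : null;
}

public sealed class LegacyTokenHandler : AuthenticationHandler<AuthenticationSchemeOptions>
{
    public const string SchemeName = "LegacyToken";
    private readonly ITokenValidator _validator;

    public LegacyTokenHandler(IOptionsMonitor<AuthenticationSchemeOptions> options,
        ILoggerFactory logger, UrlEncoder encoder, ISystemClock clock, ITokenValidator validator)
        : base(options, logger, encoder, clock) => _validator = validator;

    protected override Task<AuthenticateResult> HandleAuthenticateAsync()
    {
        // No Authorization header: return NoResult so other schemes or anonymous access
        // can decide; Fail() here would block every unauthenticated request.
        if (!Request.Headers.TryGetValue("Authorization", out var header))
            return Task.FromResult(AuthenticateResult.NoResult());

        var value = header.ToString();
        if (!value.StartsWith("Bearer ", StringComparison.OrdinalIgnoreCase))
            return Task.FromResult(AuthenticateResult.NoResult());

        var token = value.Substring("Bearer ".Length).Trim();
        var user = _validator.Validate(token);
        if (user is null)
            return Task.FromResult(AuthenticateResult.Fail("Invalid or expired token"));

        var identity = new ClaimsIdentity(new[] { new Claim(ClaimTypes.Name, user) }, Scheme.Name);
        var ticket = new AuthenticationTicket(new ClaimsPrincipal(identity), Scheme.Name);
        return Task.FromResult(AuthenticateResult.Success(ticket));
    }
}
```

Controllers then use `[Authorize]` exactly as before; the scheme name registered in `AddAuthentication` is the default, so no per-controller scheme is needed. If the legacy tokens are JWTs, the built-in `AddJwtBearer` handler replaces the custom handler entirely.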

Migration of ASP.NET 4.6 Help Pages to .NET 6 (.net core)

In .NET Framework we have support for creating a Help Page for Web API.
https://learn.microsoft.com/en-us/aspnet/web-api/overview/getting-started-with-aspnet-web-api/creating-api-help-pages
Is this feature supported in .NET 6? We are migrating our legacy ASP.NET Framework application to .NET 6.
How do we migrate this feature to .NET 6? If it is not supported in .NET 6 (.NET Core), how can we achieve similar functionality in .NET Core?
I am trying to migrate this feature to .net core but I am facing issues on how to load the app data, register HelpdataConfig in .net core.
ITNOA
As you can see in the ASP.NET help page for ASP.NET Core Web API, Microsoft.AspNet.WebApi.HelpPage is for ASP.NET and not for ASP.NET Core or .NET 6, so you have to migrate this library to one of the popular Web API documentation libraries like Swagger.
As you can see in ASP.NET Core web API documentation with Swagger / OpenAPI, you can use the documentation below:
By Christoph Nienaber and Rico Suter
Swagger (OpenAPI) is a language-agnostic specification for describing REST APIs. It allows both computers and humans to understand the capabilities of a REST API without direct access to the source code. Its main goals are to:
Minimize the amount of work needed to connect decoupled services.
Reduce the amount of time needed to accurately document a service.
The two main OpenAPI implementations for .NET are Swashbuckle and NSwag, see:
Getting Started with Swashbuckle
Getting Started with NSwag
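As an added example (not code from the answer or from the Swashbuckle project), this is what the old Web API Help Page becomes in .NET 6 with the Swashbuckle.AspNetCore package: the same `///` XML comments feed the generated OpenAPI document. The API title, the `UsersController`, its `UserDto` type and the sample data are my own; exposing the UI only in the Development environment is my choice, not something the answer states.

```csharp
// Added example: Swashbuckle.AspNetCore in a .NET 6 minimal-hosting project.
// Requires <GenerateDocumentationFile>true</GenerateDocumentationFile> in the .csproj so
// the XML comments file exists next to the assembly at runtime.
using System.Reflection;
using Microsoft.AspNetCore.Mvc;
using Microsoft.OpenApi.Models;

var builder = WebApplication.CreateBuilder(args);
builder.Services.AddControllers();
builder.Services.AddEndpointsApiExplorer();
builder.Services.AddSwaggerGen(options =>
{
    options.SwaggerDoc("v1", new OpenApiInfo { Title = "Legacy API", Version = "v1" });
    var xmlFile = $"{Assembly.GetExecutingAssembly().GetName().Name}.xml";
    var xmlPath = Path.Combine(AppContext.BaseDirectory, xmlFile);
    if (File.Exists(xmlPath)) options.IncludeXmlComments(xmlPath);
});

var app = builder.Build();
if (app.Environment.IsDevelopment())
{
    // The document lists every route, parameter and model of the API, which is exactly
    // what the old Help Page did; keep it off production hosts unless the API is public.
    app.UseSwagger();     // serves /swagger/v1/swagger.json
    app.UseSwaggerUI();   // serves the browsable UI at /swagger
}
app.UseAuthorization();
app.MapControllers();
app.Run();

/// <summary>A user as returned by the API (constructed sample type).</summary>
public record UserDto(int Id, string Name);

/// <summary>Read-only access to users.</summary>
[ApiController]
[Route("api/[controller]")]
public class UsersController : ControllerBase
{
    private static readonly Dictionary<int, UserDto> Users = new()
    {
        [1] = new UserDto(1, "alice"),  // constructed sample data
        [2] = new UserDto(2, "bob"),
    };

    /// <summary>Looks up a user by id.</summary>
    /// <param name="id">The numeric user id.</param>
    /// <response code="200">The user with that id.</response>
    /// <response code="404">No user has that id.</response>
    [HttpGet("{id:int}")]
    [ProducesResponseType(typeof(UserDto), StatusCodes.Status200OK)]
    [ProducesResponseType(StatusCodes.Status404NotFound)]
    public ActionResult<UserDto> Get(int id) =>
        Users.TryGetValue(id, out var user) ? user : NotFound();
}
```

The `<summary>`, `<param>` and `<response>` tags are the same ones the .NET Framework HelpPage consumed, so existing comments migrate without rewriting; `[ProducesResponseType]` replaces the `ResponseType` attribute that HelpPage used to document return types.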

SAML 2.0 on .net 4.0

I am implementing SAML 2.0 on .NET 4.0. What do you recommend for building the metadata for the Service Provider? How should I build it? And the certificate: how could I generate it in a production environment?
I do not want to upgrade the application to 4.5 yet as it can have an effect to some implementation.
Any help would be appreciated.
Thank you
The problem is that .NET 4.0 does not implement the SAML 2.0 token handling and signing functionality required for implementing the SAML 2.0 standard. This functionality first came in .NET 4.5.
The ITfoxtec Identity Saml2 package adds support for the SAML 2.0 standard on top of the functionality implemented in .NET. The package is really a thin wrapper adding extra functionality.
There may be other SAML 2.0 implementations which have implemented the whole SAML 2.0 standard without relying on the .NET functionality and thereby support .NET 4.0.

DocumentDb Identity Provider for ASP.NET Core

I am trying to provide authorization to the user, using DocumentDb at the backend - But I am unable to find any resources regarding the same. The documentation provided is for SQL based ones (https://docs.asp.net/en/latest/security/authentication/identity.html).
Any help?
To provide you with a starting point, there are several important issues to bear in mind when looking at using Identity with ASP.Net Core:
Framework Compatibility
You mention that you will be using ASP.Net Core, and this can be used with either .Net Core, or the 'full' .Net Framework (e.g. .Net Framework 4.5.1), which can be specified in your project.json under the frameworks property.
The Microsoft DocumentDB native .Net client does not support .Net Core; so, you must configure ASP.Net Core to target the 'full' .Net Framework. If you are unsure how to do this, you can create a new project in Visual Studio 2015, and select the 'ASP.Net Core (.Net Framework)' Project Template; the project.json will have its framework property correctly configured for you.
'Identity' Version
There are several versions of ASP.Net Identity; be aware when selecting a provider, that most currently reference ASP.Net Identity 2.2.1; however, the latest version is 3, released alongside ASP.Net Core, supported by the NuGet package Microsoft.AspNetCore.Identity 1.0.0, which has some differences and additional features. (Note that you can use this latter package with the full .Net Framework.)
No Official Implementation
Microsoft has decided not to create an official DocumentDB implementation for ASP.Net Identity, citing that 'there are two community projects available' (reference here)
Third-Party Support
Of the available third-party implementations, this one by Adrian Fernandez is the most widely used that provides support for ASP.Net Identity 3 using the Microsoft native DocumentDB client. Samples are included in the GitHub repository. (Please see update below.)
Example Usage
An example of using this DocumentDB provider with ASP.Net, including additional features, can be found here.
An additional example of using ASP.Net Core with the Microsoft DocumentDB provider can be found here.
I have written my own Identity 3 provider for DocumentDB; if I release this on GitHub I will update this answer with a link.
UPDATE 19/04/2017
For those looking for a solution, I now recommend the AspNetCore.Identity.DocumentDb project by Bernhard Koenig. It is feature-complete, includes unit tests, and a sample ASP.Net Core project. Also available via NuGet. It supports the netstandard1.6 and net46 profiles.
My understanding is that Microsoft made it possible to use Mongo drivers with DocumentDB, so maybe you could use this Mongo implementation for ASP.NET Core Identity,
or google further for existing work that others may have done in this direction.
To implement it yourself you would need to implement at minimum IUserStore and IRoleStore; you can also refer to the EF implementations UserStore and RoleStore for inspiration and guidance on implementing those.
The best solution would be using a DocumentDB provider for the .NET Core Identity framework. But there were none so far which is why I created AspNetCore.Identity.DocumentDB and decided to publish it on GitHub under the MIT license.
It is a port of an existing mongodb provider for .NET Core Identity and stores Claims, Tokens & Logins as nested objects. Although one could use DocumentDB with a mongodb interface it's recommended to use the native SDK if possible.
The library is already quite stable and available as a NuGet package.
Notice:
The DocumentDB SDK for C# itself does not support .NET Core as a target platform in the stable release. Fortunately Microsoft is already working on adding .NET Core support and published a preview of the DocumentDB SDK with .NET Standard support at the Connect(); 2016 event.
AspNetCore.Identity.DocumentDB supports both SDKs.
.NET Standard is a specification of APIs that should be available on all .NET runtimes and is currently supported by .NET Core and .NET Framework.
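As an added example (not code from the question, from either answer, or from the AspNetCore.Identity.DocumentDb project), this is the smallest `IUserStore<TUser>` that ASP.NET Core Identity accepts, written against the native Microsoft.Azure.DocumentDB 1.x client as the second answer recommends. The `DocumentDbUser` document shape, the database and collection names, and the registration lines are my assumptions; the SDK calls are the ones I know from that SDK version and should be checked against the version you reference.

```csharp
// Added example: a minimal IUserStore<TUser> for ASP.NET Core Identity on DocumentDB.
// Document shape and database/collection ids are assumptions, not values from the page.
using System;
using System.Linq;
using System.Net;
using System.Threading;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Identity;
using Microsoft.Azure.Documents;
using Microsoft.Azure.Documents.Client;
using Microsoft.Extensions.DependencyInjection;
using Newtonsoft.Json;

public class DocumentDbUser
{
    [JsonProperty("id")] public string Id { get; set; } = Guid.NewGuid().ToString();
    public string UserName { get; set; }
    // Identity looks users up by the normalized (upper-cased) name, not the display name.
    public string NormalizedUserName { get; set; }
}

public class DocumentDbUserStore : IUserStore<DocumentDbUser>
{
    private readonly DocumentClient _client;
    private readonly string _databaseId;
    private readonly string _collectionId;
    private readonly Uri _collectionUri;

    public DocumentDbUserStore(DocumentClient client, string databaseId, string collectionId)
    {
        _client = client;
        _databaseId = databaseId;
        _collectionId = collectionId;
        _collectionUri = UriFactory.CreateDocumentCollectionUri(databaseId, collectionId);
    }

    private Uri DocumentUri(string id) => UriFactory.CreateDocumentUri(_databaseId, _collectionId, id);

    public async Task<IdentityResult> CreateAsync(DocumentDbUser user, CancellationToken ct)
    {
        ct.ThrowIfCancellationRequested();
        await _client.CreateDocumentAsync(_collectionUri, user);
        return IdentityResult.Success;
    }

    public async Task<IdentityResult> UpdateAsync(DocumentDbUser user, CancellationToken ct)
    {
        ct.ThrowIfCancellationRequested();
        await _client.ReplaceDocumentAsync(DocumentUri(user.Id), user);
        return IdentityResult.Success;
    }

    public async Task<IdentityResult> DeleteAsync(DocumentDbUser user, CancellationToken ct)
    {
        ct.ThrowIfCancellationRequested();
        await _client.DeleteDocumentAsync(DocumentUri(user.Id));
        return IdentityResult.Success;
    }

    public async Task<DocumentDbUser> FindByIdAsync(string userId, CancellationToken ct)
    {
        ct.ThrowIfCancellationRequested();
        try
        {
            var response = await _client.ReadDocumentAsync(DocumentUri(userId));
            return (DocumentDbUser)(dynamic)response.Resource;
        }
        catch (DocumentClientException e) when (e.StatusCode == HttpStatusCode.NotFound)
        {
            return null; // Identity expects null for "no such user", not an exception
        }
    }

    public Task<DocumentDbUser> FindByNameAsync(string normalizedUserName, CancellationToken ct)
    {
        ct.ThrowIfCancellationRequested();
        // The LINQ predicate is translated to a parameterised DocumentDB SQL query by the SDK,
        // so the user-supplied name is never concatenated into query text.
        var user = _client.CreateDocumentQuery<DocumentDbUser>(_collectionUri)
            .Where(u => u.NormalizedUserName == normalizedUserName)
            .AsEnumerable()
            .FirstOrDefault();
        return Task.FromResult(user);
    }

    public Task<string> GetUserIdAsync(DocumentDbUser user, CancellationToken ct) => Task.FromResult(user.Id);
    public Task<string> GetUserNameAsync(DocumentDbUser user, CancellationToken ct) => Task.FromResult(user.UserName);
    public Task SetUserNameAsync(DocumentDbUser user, string userName, CancellationToken ct)
    { user.UserName = userName; return Task.CompletedTask; }
    public Task<string> GetNormalizedUserNameAsync(DocumentDbUser user, CancellationToken ct)
        => Task.FromResult(user.NormalizedUserName);
    public Task SetNormalizedUserNameAsync(DocumentDbUser user, string normalizedName, CancellationToken ct)
    { user.NormalizedUserName = normalizedName; return Task.CompletedTask; }
    public void Dispose() { } // the DocumentClient is shared and owned by the container
}
```

Registration (assumed values) is `services.AddSingleton(new DocumentClient(new Uri(endpoint), authKey));` followed by `services.AddScoped<IUserStore<DocumentDbUser>, DocumentDbUserStore>();`, alongside the `IRoleStore` that the answer above says is also required. Password sign-in additionally needs `IUserPasswordStore<TUser>` (a `PasswordHash` field on the document plus three more methods), otherwise `UserManager` has nowhere to read the hash from.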

Where did the Saml2AuthenticationModule class go?

The Microsoft identity team released a CTP package for WIF back in 2011 adding support for the SAML 2.0 authentication protocol.
http://www.cloudidentity.com/blog/2011/05/16/ATTENTION-ASP-NET-DEVELOPERS-SAML-P-COMES-TO-WIF/
Unfortunately the link to the Microsoft Connect site is dead. Since most WIF functionality has been moved into .NET 4.5 System.IdentityModel namespace, I was hoping to find the Saml2AuthenticationModule class there. However, I cannot find that class anywhere in the identity model assemblies.
Does anyone know what happened to the SAML 2.0 support classes? Were they migrated to the .NET 4.5 System.IdentityModel namespace? If not, is the original CTP package available somewhere?
The WIF SAML stack never made it out of CTP. Had a look around and can't find it anywhere.
It was based on WIF 3.5 so wouldn't run under WIF 4.5 anyway.
My guess is that it was removed because SAML support is non-trivial and you can get the same functionality by federating via ADFS or Azure Active Directory.
There are other libraries available - refer: SAML : SAML connectivity / toolkit.