Where did the Saml2AuthenticationModule class go? - authentication

The Microsoft identity team released a CTP package for WIF back in 2011 adding support for the SAML 2.0 authentication protocol.
http://www.cloudidentity.com/blog/2011/05/16/ATTENTION-ASP-NET-DEVELOPERS-SAML-P-COMES-TO-WIF/
Unfortunately the link to the Microsoft Connect site is dead. Since most WIF functionality has been moved into .NET 4.5 System.IdentityModel namespace, I was hoping to find the Saml2AuthenticationModule class there. However, I cannot find that class anywhere in the identity model assemblies.
Does anyone know what happened to the SAML 2.0 support classes? Were they migrated to the .NET 4.5 System.IdentityModel namespace? If not, is the original CTP package available somewhere?

The WIF SAML stack never made it out of CTP. Had a look around and can't find it anywhere.
It was based on WIF 3.5 so wouldn't run under WIF 4.5 anyway.
My guess is that it was removed because SAML support is non-trivial and you can get the same functionality by federating via ADFS or Azure Active Directory.
There are other libraries available - refer: SAML : SAML connectivity / toolkit.

Related

SAML 2.0 on .net 4.0

I am implementing SAML 2.0 on .NET 4.0. What do you recommend for building the metadata for the Service Provider? How should I build it? And the certificate: how could I generate it in a production environment?
I do not want to upgrade the application to 4.5 yet as it can have an effect to some implementation.
Any help would be appreciated.
Thank you
The problem is that .NET 4.0 does not implement the SAML 2.0 token handling and signing functionality required for implementing the SAML 2.0 standard. These needed functionalities first came in .NET 4.5.
The ITfoxtec Identity Saml2 package adds support for the SAML 2.0 standard on top of the functionality implemented in .NET. The package is really a thin wrapper adding extra functionality.
There may be other SAML 2.0 implementations which implement the whole SAML 2.0 standard without relying on the .NET functionality and thereby support .NET 4.0.

ADFS 3.0 federated authentication in .NET Core 2

I am in need of a solution for using ADFS 3.0 identities in an ASP.NET Core 2 Web Api application. The Windows Enterprise Support team at my organization has informed me that they are only familiar with SAML or WS-Fed based relying parties within ADFS, and are not interested in allowing me to help them configure OAuth, which I could consume directly within the application. As far as I am aware, neither SAML nor WS-Fed is compatible with anything currently available targeting netcore or netstandard.
I've been looking at Identity Server 4, and it's so-called "Federation Gateway" functionality, but I can't find much in the way of documentation. Is this something that could be useful for my use case? I'm guessing that it's only set up to interface via OAuth or OpenID, but I could be wrong.
I've also looked at using Amazon Cognito as the middleman to issue JWTs based on the SAML response, but after I got a proof of concept working with this configuration, I realized the cost at $0.45/MAU is prohibitively high, as the application will have around 10-15k regular users.
If Identity Server isn't the solution, are there any other similar "Federation Gateway" type solutions available as preferably open source/free software? Even if the solution wasn't .NET-based, I'd be interested in looking at it. I'm toying with the idea of building something like this in Java or Ruby as a last resort.
As of version 2.0, IDS4 can be a WS-Fed relying party. This would allow it to act as a middleman between ADFS and OIDC/OAuth RPs.
This vid from the IDS4 guys covers the available options: https://vimeo.com/254635632
It's also worth noting that you can run ADFS 2016 servers in a 2008R2 or higher domain and that natively supports OpenID Connect but given what you've said about your internal "support" team, deploying IDS4 may be a better option, although probably more work.
Just for completeness, the issue with WS-Fed was cryptographic support in .NET Core. This is now resolved, so WS-Fed is supported.
SAML support is available via Sustainsys or Rock Solid Knowledge.
You can implement SAML 2.0 federation with AD FS 3.0 in ASP.NET Core 2.1 using the ITfoxtec Identity Saml2 package. NuGet package: https://www.nuget.org/packages/ITfoxtec.Identity.Saml2.MvcCore/
Project https://itfoxtec.com/IdentitySaml2 and code samples https://github.com/ITfoxtec/ITfoxtec.Identity.Saml2/tree/master/test

.net core and SAML 2.0

Our University has migrated to a SAML based authentication/authorization method using Shibboleth.
I have been researching for at least a day on how to use SAML with .net core web applications. I can't use Identity Server 4 because it is for OAuth/OpenID. I found some documentation on MSDN which points to a commercial implementation. I came across this SO answer from a year ago saying Kentor may support it in the future, but couldn't find anything on the GitHub page about support for .net core or a .net core sample web app. As of January it was still planned but no date.
The University has the identity provider running. What I don't understand is the following:
How do I set my web application to use that identity provider?
How do I check if that identity provider has already been authenticated for another application, i.e. for SSO use?
Also, any sample applications that use SAML without commercial plugins would be greatly appreciated.
ITfoxtec has an ASP.NET MVC Core 1.0 SAML2 plugin, but it requires the .NET Full Framework, and won't run on Linux. There are some missing APIs that are preventing full .NET Core support right now for SAML2 (around the Crypto XML namespace). https://github.com/ITfoxtec/ITfoxtec.Identity.Saml2
Not exactly what you're looking for, I know, but it's an interim solution until probably .NET Standard 2.0, which will probably bring the missing APIs to .NET Core.
ITfoxtec Identity Saml2 supports .NET Core 2.1 (without the .NET Framework) from version 3.0.0. Project: https://itfoxtec.com/IdentitySaml2
ITfoxtec Identity Saml2 MVC Core supports ASP.NET MVC Core 2.1. NuGet package: https://www.nuget.org/packages/ITfoxtec.Identity.Saml2.MvcCore/

Create Custom STS service in VS2012 with .net 4.5

Since I'm new to WIF, I want to create a custom STS on WIF, but this document is only for .NET 3.5:
http://msdn.microsoft.com/en-us/library/ee748498.aspx
and I can't find this template in VS 2012.
So what should I do? Can anybody provide some information to me?
Thanks !
Writing a custom STS service is still available under WIF in .NET 4.5 or WIF 4.5 for short.
"To create an STS you must derive from the SecurityTokenService class. In your custom class you must, at a minimum, override the GetScope and GetOutputClaimsIdentity methods...", Microsoft [1]
You start by deriving a new type from System.IdentityModel.SecurityTokenService.
Note that we now use the SecurityTokenService which is a part of .NET 4.5's System.IdentityModel and not the pre-.NET 4.5 Microsoft.IdentityModel.
Please refer to the link below to see an example of a passive STS.
Microsoft's Federation Metadata example is a reasonably complete example of custom STS.
MSDN:
This sample will show you how to dynamically consume WS-Federation metadata at run time in an ASP.NET Web Application. You will also see how to create a basic STS that produces WS-Federation metadata and issues tokens.
In addition this sample shows the basics of how claims have been integrated into the .NET framework. You will learn how a web application is enabled to use WIF. You will see how they are useful from within existing properties and functions, and how you can take the next step to using them directly using the ClaimsPrincipal class in System.Security.Claims. You will also learn how to work with the local STS that is part of the Identity and Access tool for Visual Studio 2012.
[1] System.IdentityModel.SecurityTokenService
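As an added illustration of the derivation this answer describes (not code from the answer or from Microsoft's sample), here is a minimal .NET 4.5 STS that overrides both required methods and refuses to issue tokens for audiences it does not know; the relying-party URL and the certificate path are assumed values:

```csharp
using System;
using System.Collections.Generic;
using System.IdentityModel;
using System.IdentityModel.Configuration;
using System.IdentityModel.Protocols.WSTrust;
using System.IdentityModel.Tokens;
using System.Security.Claims;
using System.Security.Cryptography.X509Certificates;

// Minimal custom STS for .NET 4.5 (System.IdentityModel, not the older Microsoft.IdentityModel).
public class CustomSecurityTokenService : SecurityTokenService
{
    // Assumed allowlist: relying parties we issue for, each with the public certificate
    // used to encrypt its tokens. Populate from your own configuration, not from the request.
    private static readonly Dictionary<string, X509Certificate2> KnownRelyingParties =
        new Dictionary<string, X509Certificate2>(StringComparer.OrdinalIgnoreCase)
        { { "https://rp.example.com/", new X509Certificate2(@"C:\sts\rp-public.cer") } }; // assumed path

    public CustomSecurityTokenService(SecurityTokenServiceConfiguration config) : base(config) { }

    // Called first: refuse unknown audiences, then pick signing and encryption keys.
    protected override Scope GetScope(ClaimsPrincipal principal, RequestSecurityToken request)
    {
        if (request.AppliesTo == null || request.AppliesTo.Uri == null)
            throw new InvalidRequestException("AppliesTo is required.");
        string appliesTo = request.AppliesTo.Uri.OriginalString;
        X509Certificate2 rpCert;
        if (!KnownRelyingParties.TryGetValue(appliesTo, out rpCert))
            throw new InvalidRequestException("Unknown relying party: " + appliesTo);
        // Sign with the STS key from configuration; encrypt to the RP's public key.
        var scope = new Scope(appliesTo, SecurityTokenServiceConfiguration.SigningCredentials,
                              new X509EncryptingCredentials(rpCert));
        scope.TokenEncryptionRequired = true;
        scope.ReplyToAddress = appliesTo;   // passive case: where the token is posted back
        return scope;
    }

    // Called second: build only the claims the relying party needs, from an authenticated caller.
    protected override ClaimsIdentity GetOutputClaimsIdentity(
        ClaimsPrincipal principal, RequestSecurityToken request, Scope scope)
    {
        if (principal == null || principal.Identity == null || !principal.Identity.IsAuthenticated)
            throw new InvalidRequestException("Caller is not authenticated.");
        var identity = new ClaimsIdentity("CustomSTS");
        identity.AddClaim(new Claim(ClaimTypes.Name, principal.Identity.Name));
        foreach (Claim role in principal.FindAll(ClaimTypes.Role))
            identity.AddClaim(new Claim(ClaimTypes.Role, role.Value));
        return identity;
    }
}
```

The class is hosted through the SecurityTokenServiceConfiguration (its SecurityTokenService property points at this type); the allowlist check in GetScope is what stops the STS from minting tokens for an arbitrary AppliesTo supplied by a caller.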
The templates have been replaced with the Identity and Access Tool.
Refer Windows Identity Foundation in the .NET Framework 4.5 Beta: Tools, Samples, Claims Everywhere
There is no custom STS facility option anymore in the sense of a wizard as per FedUtil. As other posts allude to, you can still roll your own.
Refer: What's New in Windows Identity Foundation 4.5.
Have a look at Identity Server which is a very good custom STS and alter as required.
If you're completely new then writing a custom STS might not be such a good idea :-) I would suggest having a look at the implementation given in ThinkTecture STS (https://github.com/thinktecture/Thinktecture.IdentityServer.v2). This is a sample STS that handles different token types (SAML, SWT and JWT) as well as different protocols (WSFederation, OAuth, ...). There is too much in here for many simple cases, but at least the code works.

Build an Active STS using WCF in .net 4.5

I have a scenario whereby I need to build a WCF service to provide custom authentication to third parties' non-web applications connecting in an "Active" mode, i.e. I cannot present a web login page.
The login mechanism is also custom (i.e. not necessarily username/password), and so I cannot use ADFS or ACS.
I have read up on building an active STS using WCF, but the articles mostly relate to .NET 3.5, and not much has been written about using .NET 4.5 since WIF was integrated into the framework.
I have read Examples of how to a STS in .Net 4.5 using WCF but it doesn't seem to fit my scenario.
Any pointers appreciated.
Maybe you want to have a look at
http://thinktecture.github.com/Thinktecture.IdentityServer.v2/
This is an open source STS that includes active endpoints.