A SAML 2.0 authentication middleware for ASP.NET Core
NB: WORK IN PROGRESS!
This project is a fork of the OIOSAML.Net implementation of SAML 2.0 framework from digitaliser.dk. It has been ported and modified to support ASP.NET Core with all dependencies to ASP.NET removed.
Supports the following SAML 2.0 features for Web Browser SSO and Single Logout profiles
- HTTP Redirect Binding
SP Redirect Request; IdP POST/Redirect Response - HTTP Artifact Binding
SP Redirect Request; IdP Redirect Artifact Response (Not fully tested) - SP-Initiated Single Logout with Multiple SPs
- HTTP POST Binding
- IDP-Initiated Single Logout
// This method gets called by the runtime. Use this method to add services to the container.
public void ConfigureServices(IServiceCollection services)
{
services.AddScoped<IUserClaimsPrincipalFactory<TUser>, DemoWebAppClaimsPrincipalFactory>();
services.Configure<Saml2Configuration>(Configuration.GetSection("Saml2"));
services.AddSaml();
services.AddSigningCertificates(
Configuration["Saml2:ServiceProviderConfiguration:SigningCertificateThumprint"],
Configuration["Saml2:IdentityProviderConfiguration:SigningCertificateThumprint"]);
services.AddAuthentication()
.AddCookie()
.AddSaml(options => { options.SignInScheme = "SignInSchemeName"; });
services.AddMvc();
}
"Saml2": {
"ForceAuth": "false",
"IsPassive": "false",
"IdentityProviderConfiguration": {
"EntityId": "EntityId of idp",
"Name": "Name of idp",
"SigningCertificateThumprint": "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXX",
"SingleSignOnService": "https://XXXXXXXXXXXXXXXXXXXXXXXXXXXXXX",
"SingleSignOutService": "https://XXXXXXXXXXXXXXXXXXXXXXXXXXXXXX",
"ProtocolBinding": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
},
"ServiceProviderConfiguration": {
"EntityId": "EntityId of sp",
"Name": "Name of sp",
"SigningCertificateThumprint": "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXX"
}
}
The SessionIndex and Subject claims are required for SLO. These needs to be stored and availed during logout. This example keeps all the claims from the idp in session cookie if using Identity
public class DemoWebAppClaimsPrincipalFactory : UserClaimsPrincipalFactory<ApplicationUser>
{
private readonly IHttpContextAccessor _httpContextAccessor;
public DemoWebAppClaimsPrincipalFactory(UserManager<ApplicationUser> userManager,
IOptions<IdentityOptions> optionsAccessor, IHttpContextAccessor httpContextAccessor) : base(userManager,
optionsAccessor)
{
_httpContextAccessor = httpContextAccessor;
}
protected override async Task<ClaimsIdentity> GenerateClaimsAsync(ApplicationUser user)
{
var service = (SignInManager<ApplicationUser>) _httpContextAccessor.HttpContext.RequestServices.GetService(
typeof(SignInManager<ApplicationUser>));
var info = await service.GetExternalLoginInfoAsync();
var claimsIdentity = await base.GenerateClaimsAsync(user);
claimsIdentity.AddClaims(info.Principal.Claims);
return claimsIdentity;
}
}