I am looking to implement single sign on functionality into an existing Asp.Net MVC 5 web application using SAML 2.0. My team and I have looked into a few different NuGet packages to help us get started with this implementation. We already have the IdP and metadata file, but now just need to implement the SSO functionality into our project.
We came across the Microsoft.IdentityModel.Tokens.Saml package and were interested in using this to set up our SAML configuration but have not been able to find any documentation on how this is actually implemented. I was wondering what is this package typically used for and can it be used to handle SAML requests and responses for the implementation of SSO functionality into a web application or should we look into using a different package? Thanks!
This package is for handling SAML assertion security tokens. It's not for handling the SAML SSO protocol. The WS-Trust protocol supports a number of different security token types including SAML assertions. The Microsoft.IdentityModel.Tokens.Saml package provides this support. SAML SSO also uses SAML assertions but is a completely different protocol from WS-Trust.
You'll find there are a number of open source implementations of the SAML v2.0 specification as well as our commercial offering.
Related
We are an ISV building an enterprise SaaS product.
We would like to enable our customers define their IDP SAML configuration.
We are a startup and would like to support SAML as lean as possible.
1. What is the minimal configuration needed to support the major IDPs?
After reading Okta's article I understand that:
Certificate
IDP Sign-in URL
Are a must.
Say that we use a single ACS endpoint (We will implement our own logic by looking at the SAML assertion)
Is there anything else mandatory?
What about bindings? Do all major IDPs support HTTP redirect?
2. What is needed to be defined on the IDP side?
We tend to use the HTTP redirect binding, should it work with most IDPs? Is a metadata endpoint important?
As for "what is required": in many cases, you will have to generate so called "metadata.xml" file to provide the information to the vendor, so they might install a testing environment for you.
I've implemented about 5 SAML integrations with different vendors so far. The truth is that not all of them require full-fledged SAML 2.0 standard, but some of them do. I think my article should be also helpful to you https://dev.to/optiklab/working-example-of-saml-single-sign-on-integration-using-c-39mb and my open sourced SAML integration project (https://github.com/optiklab/SAML-integration-utilities) contains both Metadata File generator and C# examples for forming both SAML response and assertions. They proved to be working with many vendors, like Ping Identity, etc.
Let me know if you have more specific questions.
After successfully implementing SAML-V2 Service Provider (SP); for supporting some specific use-case, I have to implement my own SAML-2 IdP. After going through OASIS Documentation and many others about the SAML protocol, I have started implementing it.
My Use-case is just a single profile (Web Browser SSO Profile) with SP-Initiated SSO: Redirect Bindings only.
I am looking for some lean third-party library or java based implementation which I can refer/use to speed up the implementation and customize on top of that.
Would love for any recommendation or suggestion in this direction.
To be specific I'm looking for any/all of below :
Easy to use open-source library for implementing SAML-V2 Identity Provider in Java.
Detailed documentation/specification for above profile.
Any advice from experts who have past experience in implementation such kind of IdP.
There is lots of material available for SP. However, very few and complex for IdP.
Some of the java-based implementation which I am already looking are : KeyCloak and Lite-IdP.
"Very few and complex" is true because building a real-world identity provider is a serious project. OpenSAML as the library is your best option in Java - many enterprise-grade implementations that we know about are built with it. A good, stripped-down example of how to use OpenSAML in IdP context is https://github.com/OpenConext/Mujina .
Lite IdP is written in Go. If you're open to non-Java options, SimpleSAMLphp is excellent, it's certainly better documented than many others.
I'd post it as comment, but I don't have enough reputation.
But here you have almost the same question, regarding Spring SAML:
using-spring-saml-as-an-idp-rather-than-an-sp
Take a look at Vladimir's answer, I think it's what you're looking for. Here is the link suggested by him.
Cheers
I have searched a lot for a good documentation on how to implement SSO as I am a beginner in this field. But got confused with documentations, available online. Is there any documentation that can help me directing :
How to Create/configure IDP , SP, how to implement SSO?
My web application uses, Java 8, angular JS , JSP, Spring ( with annotations), Hibernet, Maven, JBOSS.
Appreciate your time in advance.
Your question is kind of broad which is hard to give a definitive answer. Perhaps knowing better about what to research may help. Please let me try:
Your web application will be an SP. Thus, you don't need to research for how to implement an IdP.
You will need at least 1 IdP to test SSO for your application. Therefore, find out what IdP you want to use and research for how to set it up as well as how to configure a service provider trust against it.
What is the protocol you want to use for SSO? Is it SAML 2.0, WSFed, OAuth2, OpenId Connect or something else? Pick one.
Research a good library that you can use to implement the SP role for your application.
You've mentioned Java and Spring so typically you are looking at Spring Security and SAML.
If that's the case. then you need to implement a client side SAML stack.
Refer: SAML : SAML connectivity / toolkit.
I am currently integrating SAML with a custom Java web-app in order to put it behind Okta. I want to use the SAML Java Toolkit that is provided by Okta.
There are many examples on the internet of OpenSAML implementations in order for me to get a general idea of how to begin. However, I am wondering if there are any significant differences between OpenSAML and the SAML Toolkit provided by Okta.
Thanks!
OpenSAML is a set of open source C++ & Java libraries meant to support developers working with the SAML protocol. The current version supports SAML 1.0, SAML1.1, and SAML2.0 protocols. In other words, OpenSAML is a library for handling the low level SAMLx.x protocol implementations.
SAML Toolkits are mostly free and open-source, designed to shorten the development time and reduce the complexity to implement SAML2.0 enabled web-apps.
SAML Java Toolkits from Okta uses OpenSAML Java libraries to implement minimal features of SAML2.0 protocol for vendors to quickly deploy SAML Service Provider (SP) server and protect their web-apps. Otherwise, vendor has to employ developers who has to know and understand SAML2.0 specification and then use OpenSAML or other similar libraries to implement SAML2.0 protocol to protect their web-apps.
I've been tasked with determining the feasibility of building an application that would act as a proxy between platforms that offer single sign-on capabilities.
Our "platform" offers SAML Service Provider capabilities, and we have some customers that provide their own SAML IDP and Identity Store. We have other customers that use different single sign-on technologies, such as oAuth, OpenID, or third-party Web Services. Some customers use a combination of these technologies.
The goal of the proxy would be to standardize and reduce the complexity of each customer's SSO integration on the platform. Currently, we're required to customize each implementation between the platform and the customer's Website(s).
I'm having difficulty finding frameworks, libraries, or functions for proxying between SSO protocols such as SAML and oAuth, or SAML and a third-party Web Service.
I'm wondering if anyone has experience building something similar and can recommend solutions that worked for them.
I've put together a diagram that illustrates what we're trying to accomplish below.
Check this Bitly project on GitHub:
https://github.com/bitly/oauth2_proxy
It supports multiple identity providers
hth