Windows Identity Foundation does not officially support SAML 2.0; use WIF CTP or stick with SAML 1.1? - single-sign-on

We would like to use SAML 2.0 for a Single Sign On solution. As a typical Microsoft shop, we prefer to use Microsoft components as much as possible. Windows Identity Foundation supports SAML 2.0, but the extension has been in Community Technology Preview (CTP) for more than a year, with no information anywhere on its future course. See http://blogs.msdn.com/b/alikl/archive/2011/05/16/windows-identity-foundation-wif-extension-for-saml-2-0-protocol-community-technology-preview-ctp.aspx
I came across an inspiring article by Michèle Bustamante: http://www.devproconnections.com/article/federated-security/generate-saml-tokens-using-windows-identity-foundation She actively promotes WIF + SAML 2.0, but nowhere in the article does she talk about the CTP or a final release. Nor could I reach her for a clarification.
With this background, is it safe to use the WIF Community Technology Preview for SAML 2.0, or should we stick with SAML 1.1? Does SAML 2.0 offer a significant advantage over SAML 1.1? Is the future of SAML 1.1 in question?
Any other alternatives?

You should clarify whether you're talking about the SAML 2.0 protocol (e.g. SAMLP) or just the token type. WIF RTM supports SAML 2.0 tokens, but not SAMLP.
So if it's just SAML 2.0 token support you need, WIF RTM is sufficient, though the WIF extensions CTP does add some SAMLP support.
If you're looking for a SAMLP solution and you're a Microsoft shop then you should consider ADFS 2.0.
ADFS 2.0 would do "protocol transition": it will talk SAMLP with the Identity Provider and WS-Federation with your app (both use SAML "Tokens"). WIF supports WS-Federation.
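The token-versus-protocol distinction in that answer is visible in the XML itself. The script below is an added example for this thread, not code from the original posts, from WIF or from ADFS; it classifies an inbound SSO message by its root namespace (a SAMLP 2.0 Response, a WS-Trust RequestSecurityTokenResponse as carried by WS-Federation, or a bare assertion) and separately reports which SAML token version sits inside, whether that assertion carries a signature element, and which audiences it is restricted to. The three sample messages are constructed, minimal and unsigned; the issuer, ADFS and application URLs are placeholders. Python is used so the illustration runs without the .NET stack.

```python
"""Tell the SSO *protocol* envelope apart from the SAML *token* it carries.

Added example for this thread (not WIF or ADFS code). The three sample
messages below are constructed, minimal and unsigned; URLs are placeholders.
"""
import xml.etree.ElementTree as ET

NS_SAML1 = "urn:oasis:names:tc:SAML:1.0:assertion"  # SAML 1.0 and 1.1 share this namespace
NS_SAML2 = "urn:oasis:names:tc:SAML:2.0:assertion"
NS_SAMLP2 = "urn:oasis:names:tc:SAML:2.0:protocol"  # "SAMLP"
NS_WST13 = "http://docs.oasis-open.org/ws-sx/ws-trust/200512"  # WS-Trust 1.3, used by WS-Federation
NS_DSIG = "http://www.w3.org/2000/09/xmldsig#"


def _split(tag):
    """'{ns}local' -> (ns, local); unqualified tags get an empty namespace."""
    if tag.startswith("{"):
        ns, local = tag[1:].split("}", 1)
        return ns, local
    return "", tag


def _find_assertion(root):
    """First SAML assertion (either version) anywhere in the tree, root included."""
    for el in root.iter():
        ns, local = _split(el.tag)
        if local == "Assertion" and ns in (NS_SAML1, NS_SAML2):
            return el
    return None


def audiences(assertion):
    """Audience URIs the assertion is restricted to (element names differ per version)."""
    ns, _ = _split(assertion.tag)
    wrapper = "AudienceRestriction" if ns == NS_SAML2 else "AudienceRestrictionCondition"
    path = f"{{{ns}}}Conditions/{{{ns}}}{wrapper}/{{{ns}}}Audience"
    return [a.text for a in assertion.findall(path)]


def classify(xml_text):
    """Return the protocol envelope, the token version inside it, whether the
    assertion carries a ds:Signature element, and its audiences."""
    root = ET.fromstring(xml_text)
    ns, local = _split(root.tag)
    if ns == NS_SAMLP2:
        protocol = "SAMLP 2.0"
    elif ns == NS_WST13 and local.startswith("RequestSecurityTokenResponse"):
        protocol = "WS-Federation (WS-Trust RSTR)"
    elif local == "Assertion":
        protocol = "bare token"
    else:
        protocol = "unknown"

    assertion = _find_assertion(root)
    if assertion is None:
        return {"protocol": protocol, "token": None, "assertion_signed": False, "audiences": []}
    ans, _ = _split(assertion.tag)
    if ans == NS_SAML2:
        token = "SAML " + assertion.get("Version", "2.0")
    else:
        token = "SAML %s.%s" % (assertion.get("MajorVersion", "1"), assertion.get("MinorVersion", "0"))
    # Presence of a Signature element is not verification; a real token handler
    # must check it against the trusted issuer certificate.
    signed = any(_split(c.tag) == (NS_DSIG, "Signature") for c in assertion)
    return {"protocol": protocol, "token": token, "assertion_signed": signed,
            "audiences": audiences(assertion)}


# Constructed sample messages (not captures).
SAML11_TOKEN = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion"
  MajorVersion="1" MinorVersion="1" AssertionID="_a1" Issuer="https://idp.example.test/"
  IssueInstant="2024-01-01T00:00:00Z">
  <saml:Conditions><saml:AudienceRestrictionCondition>
    <saml:Audience>https://app.example.test/</saml:Audience>
  </saml:AudienceRestrictionCondition></saml:Conditions>
</saml:Assertion>"""

SAMLP_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0"
  IssueInstant="2024-01-01T00:00:00Z">
  <saml:Issuer>https://idp.example.test/</saml:Issuer>
  <saml:Assertion ID="_a2" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
    <saml:Issuer>https://idp.example.test/</saml:Issuer>
    <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"/>
    <saml:Conditions><saml:AudienceRestriction>
      <saml:Audience>https://app.example.test/</saml:Audience>
    </saml:AudienceRestriction></saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""

WSFED_RSTR = """<t:RequestSecurityTokenResponseCollection
  xmlns:t="http://docs.oasis-open.org/ws-sx/ws-trust/200512">
  <t:RequestSecurityTokenResponse>
    <t:RequestedSecurityToken>
      <saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_a3"
        Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
        <saml:Issuer>https://adfs.example.test/adfs/services/trust</saml:Issuer>
      </saml:Assertion>
    </t:RequestedSecurityToken>
  </t:RequestSecurityTokenResponse>
</t:RequestSecurityTokenResponseCollection>"""

if __name__ == "__main__":
    for name, msg in (("SAML 1.1", SAML11_TOKEN), ("SAMLP", SAMLP_RESPONSE), ("WS-Fed", WSFED_RSTR)):
        print(name, classify(msg))
```

The WS-Federation response and the SAMLP response can carry the identical SAML 2.0 assertion; what differs is the envelope, the binding and the request parameters, which is what the "protocol transition" in the answer lets ADFS swap. Finding a ds:Signature element only tells you the assertion claims to be signed; verification against the trusted issuer certificate, the audience check and the validity window belong to the token handler (WIF's, in the WS-Federation case).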

Take a look at Identity Server, which is an STS that does use SQL Server for authentication. You can easily federate this with ADFS.
From what I remember of reading the licence agreement for the CTP release, it's just out there for comment - you can't use it e.g. in a production environment.
As per Eugenio, WIF only supports WS-Federation.
How were you intending to "stick with SAML 1.1"?
Update: What I suggest is that you use Identity Server to do the authentication against the DB. Your WIF applications are bound to Identity Server using FedUtil. You then federate Identity Server with ADFS. Your external parties use SAML to talk to ADFS, and ADFS will handle the plumbing to enable them to authenticate against the Identity Server DB.
Note that WIF doesn't support SAML at all.

Related

ADFS 3.0 works with WS-Federation but fails with SAML

We use an ADFS 3.0 (Windows 2012 R2) server to access an ASP.NET browser (.NET 4.5) application, which uses the ClaimsPrincipal class (part of the Windows Identity Foundation library). The ADFS server authenticates against our Active Directory. The ASP.NET application runs properly if we use the WS-Federation sign-in protocol but fails if we use the SAML sign-in protocol. The error message is not helpful: "An error occurred".
The ASP.NET application is a Web Forms application, developed using VB.NET.
My questions:
1) Does ADFS 3.0 with the SAML sign-in protocol work with an ASP.NET Web Forms application which uses the ClaimsPrincipal class, which is part of the Windows Identity Foundation libraries?
2) What changes (as compared to WS-Federation) must we make to web.config in the ASP.NET application to use the SAML sign-in protocol?
Thank you.
Chong Chin
To get WS-Fed to work, will you be using WIF or the WS-Fed NuGet OWIN package?
There is no Microsoft equivalent for SAML.
You need a SAML stack (in the same way that WIF provides a WS-Fed stack).

Integrating a simpleSAMLphp IdP with a Shibboleth 2.2 SP

I'm new to SAML, but I'm tasked with integrating a website with a Shibboleth 2.2 service provider.
Now simpleSAMLphp (the latest release) has configuration files for SAML 2.0 and Shibboleth 1.3.
But I thought Shibboleth was merely one implementation of SAML; I would not have thought the simpleSAMLphp side would have to be configured differently for a different SAML server; that would seem to defeat the point of a standard.
My hope is that Shibboleth 2.2 IS a standard SAML 2.0 implementation, and that for Shibboleth 2.x you would use the regular SAML 2.0 configuration files in simpleSAMLphp, rather than the special Shibboleth configuration.
But is that correct? If not, how do you configure simplesaml for shibboleth 2?
Thanks,
Chris
Yes - you use the "regular" SAML2 configuration.
Not sure what Shibboleth 1.3 did, but it's classed as another identity protocol:
"But also supports some other identity protocols, such as Shibboleth 1.3, A-Select, CAS, OpenID, WS-Federation and OAuth."

ADFS 2.0, SSO and SAML 2.0

This is a classic example of too much information = too much confusion.
I have an ASP.NET web application that uses the usual POST form authentication and would like to implement SSO.
Since we're a Microsoft shop we will use ADFS 2.0. In order to implement SSO, I understand that I will also need WIF to process SAML requests?
Do I install WIF on the same server as ADFS?
I still want to redirect failed SSO requests or non-SSO requests to use the form; how do I handle this?
Can someone please describe the flow?
Thanks!
ADFS supports two protocols for authentication:
1) WS-Federation protocol
2) Web SSO SAML protocol
*In the WS-Federation scenario*
For SSO between your application and ADFS (build a trust relationship):
1) Install ADFS & WIF on one server, create some users in AD.
2) Generate the Federation Metadata.xml file in ADFS and save it somewhere for future need.
3) Use Windows Azure Access Control Service (ACS) for simplicity. (It will do all the heavy lifting of processing the token coming from ADFS.)
4) Generate the Federation Metadata.xml file in ACS and import it into your ADFS server as a relying party (give some claims as well). http://blogs.msdn.com/b/card/archive/2010/06/25/using-federation-metadata-to-establish-a-relying-party-trust-in-ad-fs-2-0.aspx
5) Import the federation metadata.xml file from the ADFS server into ACS and add it as an identity provider (add a claim processing rule).
6) Now in your web application use the WIF FedUtil tool and import the ACS federation metadata.xml file.
That's it.. you are good to go..
For the Web SSO SAML protocol you have to do the manual job of coding.
Use case:
User will hit your application.
User is not authenticated, so he will go to ACS and ACS will redirect him to the ADFS login page.
User enters credentials. ADFS issues a token to ACS with some claims. ACS will transform the incoming ADFS claims and give them to your application.
Your application is now authenticated, so you can use the claims and do authorization stuff.
You can use a URL scheme to check whether a request should go to your forms authentication or to ADFS authentication.
e.g.: http://somedomain.com/forms or http://somedomain.com/ADFS
So you are using SAML to some 3rd party STS?
WIF (out of the box) does not support SAML.
There is a WIF SAML extension but this is only CTP (Community Technology Preview) at this point.
WIF is integrated with your ASP.NET application. For .NET 4 and below, there is a separate download. For .NET 4.5, it's integrated.
WIF is just a set of .NET classes inside your application.
You integrate WIF with your ASP.NET application using a tool called FedUtil which is part of the WIF SDK download. (Invoked by "Add STS" inside VS).
The ADFS install installs WIF on the server, but this is separate from your application.
The flow is:
.NET Application --> (WIF) --> (WS-Federation) --> ADFS --> (SAML) --> STS
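To make the two front channels in that flow concrete, here is an added Python example (not code from the original thread, from ADFS or from WIF) that builds the sign-in request each protocol sends the browser to ADFS with, and decodes it again: the WS-Federation passive sign-in query (wa=wsignin1.0, wtrealm, wctx) that WIF's WSFederationAuthenticationModule emits, and the SAML 2.0 AuthnRequest on the HTTP-Redirect binding (raw DEFLATE, base64, SAMLRequest query parameter) that a SAMLP service provider would emit instead. The ADFS and application URLs, the request ID and the timestamp are placeholders.

```python
"""WS-Federation passive sign-in vs. SAML 2.0 HTTP-Redirect AuthnRequest.

Added example (not ADFS/WIF code). Endpoints, IDs and timestamps are placeholders.
"""
import base64
import zlib
from urllib.parse import urlencode, urlsplit, parse_qs

ADFS_PASSIVE_ENDPOINT = "https://adfs.example.test/adfs/ls/"  # placeholder; ADFS serves both protocols here
APP_REALM = "https://app.example.test/"                        # placeholder relying-party identifier
APP_ACS_URL = "https://app.example.test/saml/acs"              # placeholder assertion consumer service


def wsfed_signin_url(issuer, realm, wctx):
    """WS-Federation passive requestor sign-in: wa=wsignin1.0 plus wtrealm.
    wctx should be an opaque reference the application can resolve, never a
    raw return URL, so the value the STS echoes back cannot be abused as an
    open redirect."""
    params = {"wa": "wsignin1.0", "wtrealm": realm, "wctx": wctx}
    return issuer + "?" + urlencode(params)


def parse_wsfed_signin(url):
    """Query parameters of a WS-Federation sign-in request as a flat dict."""
    query = parse_qs(urlsplit(url).query)
    return {k: v[0] for k, v in query.items()}


def saml_authn_request(request_id, issue_instant, destination, sp_entity_id, acs_url):
    """Minimal SAML 2.0 AuthnRequest. It is unsigned here: on the HTTP-Redirect
    binding a signature travels in the query string, not inside the XML."""
    return (
        '<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
        'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" '
        f'ID="{request_id}" Version="2.0" IssueInstant="{issue_instant}" '
        f'Destination="{destination}" '
        'ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" '
        f'AssertionConsumerServiceURL="{acs_url}">'
        f'<saml:Issuer>{sp_entity_id}</saml:Issuer>'
        '</samlp:AuthnRequest>'
    )


def saml_redirect_url(sso_url, authn_request_xml, relay_state):
    """HTTP-Redirect binding: raw DEFLATE, base64, then URL-encode as SAMLRequest."""
    compressor = zlib.compressobj(9, zlib.DEFLATED, -15)  # -15: raw deflate, no zlib header
    deflated = compressor.compress(authn_request_xml.encode("utf-8")) + compressor.flush()
    params = {"SAMLRequest": base64.b64encode(deflated).decode("ascii"),
              "RelayState": relay_state}
    return sso_url + "?" + urlencode(params)


def decode_saml_redirect(url):
    """Reverse of saml_redirect_url: returns (authn_request_xml, relay_state)."""
    query = parse_qs(urlsplit(url).query)
    deflated = base64.b64decode(query["SAMLRequest"][0])
    xml = zlib.decompress(deflated, -15).decode("utf-8")
    return xml, query.get("RelayState", [None])[0]


if __name__ == "__main__":
    print(wsfed_signin_url(ADFS_PASSIVE_ENDPOINT, APP_REALM, "ctx-42"))
    req = saml_authn_request("_id-1", "2024-01-01T00:00:00Z", ADFS_PASSIVE_ENDPOINT,
                             APP_REALM, APP_ACS_URL)
    url = saml_redirect_url(ADFS_PASSIVE_ENDPOINT, req, "rs-42")
    print(url)
    print(decode_saml_redirect(url)[0])
```

The application only ever speaks one of these two front channels; WIF gives you the first for free, and the second needs a separate SAMLP stack or has to be hidden behind ADFS, which accepts either request form and issues the token the relying party was configured for. Treat wctx and RelayState the same way: an opaque, server-side lookup key, not a redirect target taken from the request.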

Authentication with Windows Identity Foundation and ADFS+3rd party

I'm currently assessing ways to implement authentication & authorization in a .NET SOA environment (ASP.NET MVC, WCF).
I have concluded that using Windows Identity Foundation with an STS should fulfill our criteria.
I'm having hard time finding any suitable STS to work with WIF other than ADFS. I know there are multiple options, but there is no documentation/experience available how well these play together with WIF.
Summa summarum, multiple questions:
Is this a dumb idea?
Is there any STS product that plays together with WIF smoothly? Any resources on this?
Are there products that allow me to implement centralized (yet scalable) authorization (even with XACML support)?
What is your experience using WSO2 Identity Server with ADFS/WIF?
WSO2 Identity Server has some XACML capabilities but how can these be used in authorization with WCF services?
There is Starter STS
http://startersts.codeplex.com/
which has lately been replaced by the IdentityServer:
http://identityserver.codeplex.com/
It's been around for a while and has some features ADFS lacks (like the ability to use a MembershipProvider to authenticate users).
Also, crafting your own STS is relatively easy. There are some good tutorials around; I've also written a few posts on this:
http://netpl.blogspot.com/2011/08/quest-for-customizing-adfs-sign-in-web.html
WSO2 Identity Server can be integrated with ADFS. It can also be run as an XACML engine; the XACML engine is exposed to the outside as a SOAP endpoint as well as a Thrift endpoint.
Disclaimer: I am an architect at WSO2.
No experience of WSO2, but if you don't want to use ADFS you'll have no problems with Identity Server. Both ADFS and Identity Server, and more commercial products such as Ping Identity, play very nicely with WIF.

Umbraco membership integration with SAML Web SSO

I have a requirement to integrate Umbraco membership with SAML Web SSO.
I have never integrated with it before and would like a bit of advice:
Are there some existing modules for SAML WebSSO login in Umbraco?
Could you recommend the approach/articles to start with?
How hard could that be?
Thanks in advance, Anton.
If you're new to SAML 2.0, the wikipedia page is a worthwhile read to understand the main concepts of SAML.
A toolkit for Umbraco seems to exist: http://digitaliser.dk/resource/404629
This toolkit explains the integration with a specific SAML 2.0 Identity Provider, but as SAML 2.0 is a standard, it should be compatible with any SAML 2.0-compliant IdP.
The other solution is to add the SAML 2.0 Service Provider manually in Umbraco. A good starting point may be the Windows Identity Foundation SAML 2.0 toolkit released by Microsoft in May, which includes code samples: http://connect.microsoft.com/site1168/Downloads/DownloadDetails.aspx?DownloadID=36088