
I have an ASP.NET MVC application which currently allows users to connect via two ThinkTecture IDP servers. The MVC app trusts both of these IDP servers and it authenticates users perfectly.

The current setup uses the <System.IdentityModel.Services.WSFederationAuthenticationModule> and the <System.IdentityModel.Services.SessionAuthenticationModule> in the <modules> section of the web.config to handle these.

We now have a new party who want to authenticate their users by sending us a SAML v2 token, but the MVC app doesn't seem to recognise it.

I've compared the POST response from both the IDP server (SAML1) and the new login server (SAML2) and there are some subtle differences, which may be causing problems.

The IDP server seems to use <trust:RequestedSecurityToken> attributes to wrap the <saml:Assertion>, whereas the new client sends a POST request body containing <saml><samlp:Response>.

My questions are:

1) Is this new <samlp:Response> a SAML2P version which is not supported by Microsoft WIF? Or is it just interested in the <saml:Assertion> element?

2) Where will WIF look for the SAML token? POST Body? Authentication header (Bearer)?

3) Currently, when the user is not authenticated, it redirects them to their local IDP servers, they log in and it returns the SAML response, which is then picked up. But the new client will simply pass a request to view a page with the SAML token (true single sign-on). I wonder if this difference is causing problems. I currently manually handle redirects to the user's local IDP, so have tried to turn this off for the new client.

EDIT After much digging...

  1. SAML2 Protocol is not supported by Microsoft WIF, nor is it ever likely to be.

  2. SAML2 Protocol messages are usually sent as a form parameter (saml=<saml:Response> etc.) within the body of the HTTP POST. In my case it didn't use the standard parameter format of (saml=); the XML was just directly inline in the HTTP POST body.

peter.swallow
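As an added illustration (not code from the question, any answer, or WIF itself) of the two message shapes compared above: in WS-Federation the relying party reads the RSTR from the wresult form field and unwraps <trust:RequestedSecurityToken><saml:Assertion>, while the SAML 2.0 HTTP-POST binding carries a base64 <samlp:Response> in the SAMLResponse field; the asker's partner instead posts the XML directly in the body. The helper below classifies an inbound POST by those shapes, locates the assertion, and then verifies its enveloped signature against a certificate pinned in configuration rather than whatever <KeyInfo> the sender embeds. The class, method and field names are assumptions of this example; it targets .NET Framework 4.5+ with references to System.Security and System.Xml.

```csharp
// Added example, not code from the question or the answers.
// Assumes .NET Framework 4.5+ with System.Security and System.Xml referenced.
using System;
using System.Collections.Specialized;
using System.IO;
using System.Security.Cryptography.X509Certificates;
using System.Security.Cryptography.Xml;
using System.Text;
using System.Xml;

public enum InboundTokenKind { None, WsFederation, Saml2Protocol }

public static class InboundSamlInspector
{
    const string Saml2ProtocolNs  = "urn:oasis:names:tc:SAML:2.0:protocol";
    const string Saml2AssertionNs = "urn:oasis:names:tc:SAML:2.0:assertion";
    const string Saml1AssertionNs = "urn:oasis:names:tc:SAML:1.0:assertion";

    // form: the parsed POST fields; rawBody: the request body as text, for the
    // partner that posts <samlp:Response> inline instead of in a form field.
    public static InboundTokenKind Classify(NameValueCollection form, string rawBody, out XmlElement assertion)
    {
        assertion = null;

        // WS-Federation passive profile: the RSTR arrives in "wresult".
        string wresult = form["wresult"];
        if (!string.IsNullOrEmpty(wresult))
        {
            assertion = FindAssertion(LoadXml(wresult));
            return InboundTokenKind.WsFederation;
        }

        // SAML 2.0 HTTP-POST binding: base64 <samlp:Response> in "SAMLResponse".
        // Fall back to the raw body for the non-standard inline variant.
        string b64 = form["SAMLResponse"];
        string xml = !string.IsNullOrEmpty(b64)
            ? Encoding.UTF8.GetString(Convert.FromBase64String(b64))
            : rawBody;
        if (string.IsNullOrWhiteSpace(xml)) return InboundTokenKind.None;

        XmlDocument doc = LoadXml(xml);
        XmlElement root = doc.DocumentElement;
        if (root == null || root.LocalName != "Response" || root.NamespaceURI != Saml2ProtocolNs)
            return InboundTokenKind.None;

        assertion = FindAssertion(doc);   // stays null for <saml:EncryptedAssertion>
        return InboundTokenKind.Saml2Protocol;
    }

    // True only if the SAML 2.0 assertion carries exactly one enveloped signature,
    // made with the pinned issuer key, whose single reference covers the assertion.
    public static bool IsSignedByTrustedIssuer(XmlElement assertion, X509Certificate2 issuerCert)
    {
        if (assertion == null) return false;
        XmlNodeList sigs = assertion.GetElementsByTagName("Signature", SignedXml.XmlDsigNamespaceUrl);
        if (sigs.Count != 1) return false;          // unsigned or ambiguous: reject

        var signedXml = new SignedXml(assertion);
        signedXml.LoadXml((XmlElement)sigs[0]);

        // verifySignatureOnly = true: trust comes from our configured certificate,
        // never from a certificate the sender embeds in <KeyInfo>.
        if (!signedXml.CheckSignature(issuerCert, true)) return false;

        // The reference must point at this assertion's own ID, so a valid signature
        // over some other element in the message is not accepted for it.
        // (SAML 1.x uses "AssertionID", which SignedXml does not resolve by default.)
        string id = assertion.GetAttribute("ID");
        if (id.Length == 0 || signedXml.SignedInfo.References.Count != 1) return false;
        var reference = (Reference)signedXml.SignedInfo.References[0];
        return reference.Uri == "#" + id;
    }

    // Hardened loader: no DTDs, no external resolution, whitespace preserved so
    // the canonicalised bytes match what the issuer signed.
    static XmlDocument LoadXml(string xml)
    {
        var settings = new XmlReaderSettings { DtdProcessing = DtdProcessing.Prohibit, XmlResolver = null };
        var doc = new XmlDocument { PreserveWhitespace = true, XmlResolver = null };
        using (var reader = XmlReader.Create(new StringReader(xml), settings))
            doc.Load(reader);
        return doc;
    }

    // Exactly one Assertion (SAML 2.0 first, then SAML 1.x); anything else is null.
    static XmlElement FindAssertion(XmlDocument doc)
    {
        XmlNodeList found = doc.GetElementsByTagName("Assertion", Saml2AssertionNs);
        if (found.Count == 0) found = doc.GetElementsByTagName("Assertion", Saml1AssertionNs);
        return found.Count == 1 ? (XmlElement)found[0] : null;
    }
}
```

In an MVC action or an IHttpModule the call is Classify(Request.Form, body, out assertion), where body is read from Request.InputStream (rewind it with Position = 0 first). A Saml2Protocol result with a signature that verifies is still only the first gate: the samlp:Status, the Conditions/NotOnOrAfter window, the Audience, and InResponseTo (where a request was sent) still need checking before any claims are issued, which is what a SAML-P library such as the one named in the third answer does for you.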

3 Answers

3

Indeed it's not officially supported, but you can do something like this to make it work.

http://blogs.msdn.com/b/bradleycotier/archive/2012/10/28/saml-2-0-tokens-and-wif-bridging-the-divide.aspx

Gaurav
  • If this solved your problem then please mark it as answer so it helps others. – Gaurav Jul 30 '15 at 08:34
  • This solution doesn't work for me, because my SAML2-P message contains a digitally signed SAML2 Assertion Token. I presume most people would sign it as well, so I'm not sure how helpful this solution would be. – peter.swallow Oct 29 '15 at 12:42
1

AFAIK, samlp is a protocol that is not (yet?) supported by WIF. It is a replacement for the querystring parameters used in WS-Federation. You should look for third party extensions (How should I implement SAMLP 2.0 in an ASP.NET MVC 4 service provider?). Since I haven't used any myself I cannot give further advice.

Community
  • You're right. Not supported. I've looked at the KentorServices in the link you sent, which seems to be a better, more flexible solution. – peter.swallow Oct 29 '15 at 12:44
0

The best solution I've found is the Kentor IT - AuthServices.

It handles digitally signed SAML tokens.

Although it will not work out of the box for me, as my third party seems to be using a non-standard binding technique (rather than the standard HTTP POST or HTTP Redirect), so I will have to build my own custom binding.

peter.swallow