Current state of the web application: We have an existing web application designed in AngularJS, MVC5. Authentication is happening against our custom database.

SignIn: We overrode Microsoft.AspNet.Identity.UserManager and other source classes to talk to our database to get user-related information, adding the results to System.Security.Claims.ClaimsIdentity.

Passing on to "Microsoft.Owin.Security.IAuthenticationManager.SignIn(params System.Security.Claims.ClaimsIdentity[] identities)".

What I need (SSO): We would like to move the authentication to SSO with a SAML 2.0 token, as we are planning to integrate 2 new vendors into our web application.

Identity Provider: We are implementing the identity provider in F5 BIG-IP, which does the authentication by providing the login page and generates the SAML2 token. Our web application would be configured as the service provider. On redirect to the web application it will pass on the SAML 2.0 token.

Consuming SAML 2.0 in MVC (.NET Framework 4.5.2): All my application would need is to consume the SAML 2.0 token and integrate with the existing authentication pipeline. Things to do: the metadata from the identity provider has the public key to decrypt the SAML 2.0 token, as well as a key which is used to sign the metadata file.

My assumption would be to parse the request for the SAML 2.0 token, verify that the token is valid, use the data from the attributes to query the database for more details, insert the results into "System.Security.Claims.ClaimsIdentity" and use the existing sign-in operation. I need to figure out how to configure the principal, and whether we still need Microsoft.AspNet.Identity.UserManager.

Research: In Visual Studio we had the Identity and Access tool, which doesn't exist since VS2013. I went through the article on Windows Identity Foundation and the claims identity principal: www.codeproject.com/Articles/504399/Understanding-Windows-Identity-Foundation-WIF

I know WIF supports SAML 2.0 tokens but not the SAML2 protocols.

Here are the third-party tools that were suggested: http://nzpcmad.blogspot.co.nz/2013/06/saml-saml-connectivity-toolkit.html

I am not sure whether, just to consume the token, I need to use one of those tools, as we have our IdP configured in F5 BIG-IP and it is not designed in .NET.

Another good article I found: http://www.primaryobjects.com/2013/08/08/using-single-sign-on-with-windows-identity-foundation-in-mvc-net/

I also saw some suggestions about Saml2SecurityTokenHandler to process the SAML 2.0 token.

I would appreciate it if someone could direct me to a simpler solution to integrate with my existing web app. I just need to consume the SAML 2.0 token and integrate with the existing claims-based authentication.

rbrayb
shashank

1 Answer

OK - then you have to use a SAML stack as per the link you used.

Have a look at Kentor - there are some examples on the site, plus I did a write-up.

Update:

The way SAML works is that the client needs to send an AuthnRequest to the IDP, then the user authenticates, and then the IDP sends an AuthnResponse to the client. The response contains the SAML token, which contains the assertions (claims).

rbrayb
  • In your other blog, I saw other options: http://nzpcmad.blogspot.co.nz/2013/06/saml-saml-connectivity-toolkit.html – shashank May 18 '16 at 22:15
  • Yes - pick the one that suits you. I mentioned Kentor because I had a write-up about it. They all have the same functionality - client-side SAML 2 protocol. – rbrayb May 18 '16 at 22:23
  • Thanks.. Added the Kentor.AuthServices.Mvc package but it did not add any controller as instructed?? Did it change for version 0.18.0? Any other article with a detailed explanation of how it transforms SAML 2.0 attributes to claims, and how the sign-in mechanism works? Assuming the following existing code is not required any more: Microsoft.Owin.Security.IAuthenticationManager.SignIn(ClaimsIdentity[]) – shashank May 18 '16 at 22:27
  • Added Kentor tag so @Anders can jump in! – rbrayb May 18 '16 at 22:39
  • @shashank The controller is in the Kentor.AuthServices.Mvc dll, so it won't show up in your project. Start the project and point a browser to /AuthServices (relative to the project main page). You should get an AuthServices error for missing config (if you didn't add anything to web.config). – Anders Abel May 19 '16 at 09:08
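The following is an added illustration, not part of the thread and not Kentor's or the F5 IdP's code: it shows the minimum a service provider has to do with the AuthnResponse the answer describes before the resulting ClaimsIdentity can be handed to the existing `IAuthenticationManager.SignIn(params ClaimsIdentity[])` call from the question. It uses only .NET Framework classes (System.Security.Cryptography.Xml, System.Xml, System.Security.Claims); the class name `SamlResponseConsumer`, its parameters and the choice to verify an Assertion-level signature are assumptions for the example.

```csharp
using System;
using System.Linq;
using System.Security;
using System.Security.Claims;
using System.Security.Cryptography.X509Certificates;
using System.Security.Cryptography.Xml;
using System.Xml;

// Added example (not Kentor code, not the F5 IdP's API): validate the Assertion inside a
// SAML 2.0 Response and map its attributes onto a ClaimsIdentity. Names are assumptions.
public static class SamlResponseConsumer
{
    private const string ProtocolNs = "urn:oasis:names:tc:SAML:2.0:protocol";
    private const string AssertionNs = "urn:oasis:names:tc:SAML:2.0:assertion";
    private const string StatusSuccess = "urn:oasis:names:tc:SAML:2.0:status:Success";

    // responseXml:        the base64-decoded SAMLResponse posted to the assertion consumer URL.
    // idpSigningCert:     the signing certificate taken from the IdP metadata.
    // expectedIssuer:     the IdP entityID; expectedAudience: this SP's entityID.
    // authenticationType: must match the cookie middleware, e.g. DefaultAuthenticationTypes.ApplicationCookie.
    public static ClaimsIdentity ToClaimsIdentity(
        string responseXml,
        X509Certificate2 idpSigningCert,
        string expectedIssuer,
        string expectedAudience,
        string authenticationType,
        TimeSpan allowedClockSkew)
    {
        // PreserveWhitespace matters: canonicalisation must see exactly the bytes the IdP signed.
        var doc = new XmlDocument { PreserveWhitespace = true };
        doc.LoadXml(responseXml);

        var ns = new XmlNamespaceManager(doc.NameTable);
        ns.AddNamespace("samlp", ProtocolNs);
        ns.AddNamespace("saml", AssertionNs);
        ns.AddNamespace("ds", SignedXml.XmlDsigNamespaceUrl);

        // 1. The IdP reported success.
        var status = doc.SelectSingleNode("/samlp:Response/samlp:Status/samlp:StatusCode/@Value", ns);
        if (status == null || status.Value != StatusSuccess)
            throw new SecurityException("SAML Response status is not Success.");

        // 2. Exactly one plaintext Assertion (an EncryptedAssertion would have to be decrypted first).
        var assertions = doc.SelectNodes("/samlp:Response/saml:Assertion", ns);
        if (assertions.Count != 1)
            throw new SecurityException("Expected exactly one plaintext Assertion.");
        var assertion = (XmlElement)assertions[0];

        // 3. The enveloped signature verifies with the metadata certificate and references this very
        //    element ("#<ID>"). A Response-level signature is checked the same way on the Response element.
        var signatureNode = assertion.SelectSingleNode("ds:Signature", ns) as XmlElement;
        if (signatureNode == null)
            throw new SecurityException("Assertion is not signed.");
        var signedXml = new SignedXml(assertion);
        signedXml.LoadXml(signatureNode);
        if (!signedXml.CheckSignature(idpSigningCert, true))
            throw new SecurityException("Assertion signature does not verify with the IdP certificate.");
        var refs = signedXml.SignedInfo.References.Cast<Reference>().ToList();
        if (refs.Count != 1 || refs[0].Uri != "#" + assertion.GetAttribute("ID"))
            throw new SecurityException("Signature does not reference the Assertion it is embedded in.");

        // 4. Issuer, validity window and audience restriction.
        var issuer = assertion.SelectSingleNode("saml:Issuer", ns);
        if (issuer == null || issuer.InnerText.Trim() != expectedIssuer)
            throw new SecurityException("Unexpected Issuer.");

        var now = DateTime.UtcNow;
        var conditions = assertion.SelectSingleNode("saml:Conditions", ns) as XmlElement;
        if (conditions == null)
            throw new SecurityException("Assertion has no Conditions.");
        if (conditions.HasAttribute("NotBefore") &&
            now + allowedClockSkew < XmlConvert.ToDateTime(conditions.GetAttribute("NotBefore"), XmlDateTimeSerializationMode.Utc))
            throw new SecurityException("Assertion is not yet valid.");
        if (conditions.HasAttribute("NotOnOrAfter") &&
            now - allowedClockSkew >= XmlConvert.ToDateTime(conditions.GetAttribute("NotOnOrAfter"), XmlDateTimeSerializationMode.Utc))
            throw new SecurityException("Assertion has expired.");
        var audiences = conditions.SelectNodes("saml:AudienceRestriction/saml:Audience", ns)
            .Cast<XmlNode>().Select(a => a.InnerText.Trim());
        if (!audiences.Contains(expectedAudience))
            throw new SecurityException("Assertion is not addressed to this service provider.");

        // 5. Map Subject/NameID and every Attribute/AttributeValue onto claims.
        var identity = new ClaimsIdentity(authenticationType);
        var nameId = assertion.SelectSingleNode("saml:Subject/saml:NameID", ns);
        if (nameId != null)
            identity.AddClaim(new Claim(ClaimTypes.NameIdentifier, nameId.InnerText.Trim()));
        foreach (XmlElement attribute in assertion.SelectNodes("saml:AttributeStatement/saml:Attribute", ns))
        {
            var claimType = attribute.GetAttribute("Name");
            foreach (XmlNode value in attribute.SelectNodes("saml:AttributeValue", ns))
                identity.AddClaim(new Claim(claimType, value.InnerText.Trim()));
        }
        return identity;
    }
}
```

The returned identity is what the question's existing `IAuthenticationManager.SignIn(...)` call expects, so the database lookup for extra user details can add claims to it before sign-in, and UserManager is no longer on the login path. What the snippet deliberately leaves out is exactly why the answer points at a SAML stack: matching `InResponseTo` against the pending AuthnRequest, checking `SubjectConfirmationData` (`Recipient`, `NotOnOrAfter`), rejecting replayed assertion IDs, and handling encrypted assertions and metadata refresh are all part of a correct service provider, and a maintained library such as Kentor already does them.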