Kentor Authentication Services
The Kentor Authentication services is a library that adds SAML2P support to ASP.NET and IIS web sites, allowing the web site to act as a SAML2 Service Provider (SP).
Kentor.AuthServices is open sourced and contributions are welcome, please see contributing guidelines for info on coding standards etc.
The AuthServices library can be used through three different ways:
- An Http Module, loaded into the IIS pipeline. The module is compatible with ASP.NET web forms sites.
- An ASP.NET MVC Controller for better integration and error handling in ASP.NET Applications.
- An Owin Middleware to use with the Owin Pipeline or for integration with ASP.NET Identity.
Note that this last usage scenario enables SAML identity providers to be integrated within IdentityServer3 package. Review this document to see how to configure AuthServices with IdentityServer3 and Okta to add Okta as an identity provider to an IdentityServer3 project. There is also a SampleIdentityServer3 project in the AuthServices repository.
There are four nuget packages available. The core Kentor.AuthServices contains the core functionality. The Kentor.AuthServices.HttpModule contains an IIS Http Module (previously this was included in the core package). The Kentor.AuthServices.Mvc package contains the MVC controller and the Kentor.AuthServices.Owin package contains the Owin middleware.
Once installed the
web.config of the application must be updated with configuration.
See configuration for details.
- Check the issues archive.
- Check the SAML2 specification, starting with the core section.
- Log your actual SAML2 conversation with SAML Chrome Panel or SAML Tracer for Firefox.
- Last but not least, download the AuthServices source and check out what's really happening.
The Saml2AuthenticationModule is modeled after the WSFederationAuthenticationModule to provide Saml2 authentication to IIS web sites. In many cases it should just be configured in and work without any code written in the application at all (even though providing an own ClaimsAuthenticationManager for claims translation is highly recommended).
The MVC package contains an MVC controller that will be accessible in your application just by installing the package in the application. For MVC applications a controller is preferred over using the authentication module as it integrates with MVC's error handling.
The Owin middleware is modeled after the external authentication modules for social login (such as Google, Facebook, Twitter). This allows easy integration with ASP.NET Identity for keeping application specific user and role information. See the Owin Middleware page for information on how to set up and use the middleware.
The solution also contains a stub (i.e. dummy) identity provider that can be used for testing. Download the solution, or use the instance that's provided for free at http://stubidp.kentor.se.
The protocol handling classes are available as a public API as well, making it possible to reuse some of the internals for writing your own service provider or identity provider.