Saml2 Authentication services for ASP.NET
C# JavaScript CSS HTML PowerShell Smalltalk
Failed to load latest commit information.
Kentor.AuthServices.HttpModule Exclude extracted helper method from code coverage Jun 21, 2016
Kentor.AuthServices.IntegrationTests Removed AudienceMode.Never config from sample apps Feb 25, 2016
Kentor.AuthServices.Mvc Throw NotSupportedException in MVC controller on HandledResult May 2, 2016
Kentor.AuthServices.Owin Notification hook for per-request public origin (#609) Dec 12, 2016
Kentor.AuthServices.StubIdp Minor typo fixes May 10, 2016
Kentor.AuthServices.Tests Clarify error message for invalid service certificate Jan 2, 2017
Kentor.AuthServices Clarify error message for invalid service certificate Jan 2, 2017
SampleApplication Fix SampleApplication logout after URL expansion is gone Jun 21, 2016
SampleIdentityServer3 Added separate certificate for IdSrv3 sample Apr 6, 2016
SampleMvcApplication Minor typo fixes May 10, 2016
SampleOwinApplication Replace test cert with one that will work as default ServiceCertificate Apr 3, 2016
doc Fix documentation for httpmodule Dec 28, 2016
nuget Updating release notes for release 0.19.0 Jun 21, 2016
.gitignore Git ignore NDepend stuff. Jun 15, 2016 Minor fixes to integration test instructions Mar 4, 2016
CONTRIBUTORS.txt Added support for ForceAuthn on Saml2AuthenticationRequest. Jun 29, 2016
CodeCoverage.runsettings Removed exclusion of async methods Jan 10, 2016
CustomDictionary.xml Added AuthServices to custom dictionary. Mar 25, 2015
Kentor.AuthServices.ruleset Removed CA1059 rule Jan 26, 2016
Kentor.AuthServices.sln Single Logout Feb 22, 2016
LICENSE Initial commit Sep 16, 2013 Minor documentation updates Dec 7, 2016
VersionInfo.cs Updated version number to 0.19.0 for release. Jun 21, 2016

Build status Coverage Status Join the chat at

Kentor Authentication Services

The Kentor Authentication services is a library that adds SAML2P support to ASP.NET and IIS web sites, allowing the web site to act as a SAML2 Service Provider (SP).

Kentor.AuthServices is open sourced and contributions are welcome, please see contributing guidelines for info on coding standards etc.


The AuthServices library can be used through three different ways:

  • An Http Module, loaded into the IIS pipeline. The module is compatible with ASP.NET web forms sites.
  • An ASP.NET MVC Controller for better integration and error handling in ASP.NET Applications.
  • An Owin Middleware to use with the Owin Pipeline or for integration with ASP.NET Identity.

Note that this last usage scenario enables SAML identity providers to be integrated within IdentityServer3 package. Review this document to see how to configure AuthServices with IdentityServer3 and Okta to add Okta as an identity provider to an IdentityServer3 project. There is also a SampleIdentityServer3 project in the AuthServices repository.

There are four nuget packages available. The core Kentor.AuthServices contains the core functionality. The Kentor.AuthServices.HttpModule contains an IIS Http Module (previously this was included in the core package). The Kentor.AuthServices.Mvc package contains the MVC controller and the Kentor.AuthServices.Owin package contains the Owin middleware.

Once installed the web.config of the application must be updated with configuration. See configuration for details.



The Saml2AuthenticationModule is modeled after the WSFederationAuthenticationModule to provide Saml2 authentication to IIS web sites. In many cases it should just be configured in and work without any code written in the application at all (even though providing an own ClaimsAuthenticationManager for claims translation is highly recommended).

Mvc Controller

The MVC package contains an MVC controller that will be accessible in your application just by installing the package in the application. For MVC applications a controller is preferred over using the authentication module as it integrates with MVC's error handling.

Owin Middleware

The Owin middleware is modeled after the external authentication modules for social login (such as Google, Facebook, Twitter). This allows easy integration with ASP.NET Identity for keeping application specific user and role information. See the Owin Middleware page for information on how to set up and use the middleware.

Stub Idp

The solution also contains a stub (i.e. dummy) identity provider that can be used for testing. Download the solution, or use the instance that's provided for free at

Protocol Classes

The protocol handling classes are available as a public API as well, making it possible to reuse some of the internals for writing your own service provider or identity provider.