The WIF runtime supports SAML 2.0 tokens but not the SAML 2.0 protocol, so out of the box it cannot take part in SAML 2.0 web browser SSO. In Chapter 3, Advanced Programming with Windows Identity Foundation, we saw how to extend WIF to implement the SAML 2.0 profiles for web browser SSO, creating Identity and Service Providers that generate and consume SAML 2.0 Response messages. In response to customer demand, the Identity and Access Management team at Microsoft released the SAML 2.0 Extension CTP for WIF. The CTP contains the Microsoft.IdentityModel.Protocols assembly, which extends the WIF runtime with support for the SAML 2.0 protocol, together with samples demonstrating how to build SP Lite (an OASIS SAML 2.0 conformance profile) compliant Service Providers with the extension API. In this recipe we walk through the steps to create SAML 2.0 compatible Identity and Service Providers using the SAML 2.0 Extension CTP for WIF.
The prerequisites for creating SP Lite compliant applications with the SAML 2.0 Extension CTP are as follows:
Download the SAML 2.0 Extension CTP from http://connect.microsoft.com/site1168/Downloads/DownloadDetails.aspx?DownloadID=36088 and extract the ZIP package to an accessible location to explore the samples. The Microsoft.IdentityModel.Protocols.dll extension assembly is located under the Common\bin folder. The Identity and Service Provider samples can be opened and compiled with Visual Studio 2010. Bear in mind that a CTP is pre-release, unsupported code: treat it as evaluation software rather than something to deploy in production.
Follow these steps to create a Service Provider using the SAML 2.0 Extension CTP that can consume claims from a SAML 2.0 compliant Identity Provider such as AD FS 2.0:
1. Open the SpLiteSSO solution from the extracted package. Build the ServiceProvider project and host it in IIS over HTTPS (the browser carries the signed SAML Response to the Service Provider's endpoints, so they must be reachable over TLS).
2. In the ServiceProvider project, add references to the extension assemblies from the Common\bin folder.
3. Open the SamlConfigTool solution from the Common\SamlConfigTool folder under the extracted package and compile it. Copy SamlConfigTool.exe and Microsoft.IdentityModel.Protocols.dll from its bin folder into the ServiceProvider project root folder.
4. Run SamlConfigTool.exe.
5. In the SamlConfigTool console, enter the ServiceProvider application URL as the Entity ID and SAML endpoint under the Relying Party Information step, and press Enter. Select the signing and encryption certificates. The signing certificate signs the protocol messages the Service Provider sends, and the encryption certificate is published so that AD FS can encrypt assertions for this Service Provider, so the IIS application pool identity needs read access to both private keys.
6. SamlConfigTool generates a few files in the ServiceProvider application. The first is Changes_To_Web-Config.xml, which lists every change required in the ServiceProvider project's Web.config file. Apply those changes to Web.config; they include registering the Saml2AuthenticationModule HttpModule and adding the microsoft.identityModel.saml configuration section.
7. A SAML metadata file for the ServiceProvider application is also generated by SamlConfigTool. Use it to add the ServiceProvider application as a Relying Party Trust in AD FS 2.0 (follow the steps discussed in Chapter 5, Identity Management with Active Directory Federation Services).
You have now configured the ServiceProvider application to consume SAML 2.0 tokens issued by AD FS 2.0. When you launch the ServiceProvider application, you are redirected to AD FS for authentication and returned to the application with a SAML 2.0 Response once you have signed in. SamlConfigTool, in conjunction with Saml2AuthenticationModule, lets developers of .NET applications configure support for SAML 2.0 Identity Providers such as AD FS 2.0 without hand-writing the protocol configuration.
The default ASP.NET Web Application template ships with forms authentication and its own login pages. You can replace that default sign-in and sign-out experience with the Saml2AuthenticationModule methods, which start the SAML 2.0 exchange with the configured Identity Provider instead. For example, the SignIn button-click event handler can contain the following code (the return URL is an application-relative path, so it starts with ~/):
Saml2AuthenticationModule.Current.SignIn("~/Default.aspx");
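The following code-behind for Default.aspx is an added example written for this recipe; it is not code from the book or from the CTP samples. It wires the sign-in and sign-out buttons to Saml2AuthenticationModule and then authorizes on the claims AD FS issued rather than on IsAuthenticated alone. It assumes that Web.config has been updated from Changes_To_Web-Config.xml so the module populates Thread.CurrentPrincipal with a WIF IClaimsPrincipal, that Saml2AuthenticationModule lives in the Microsoft.IdentityModel.Web namespace (an assumption), that a SignOut(string returnUrl) overload exists alongside the SignIn(string) call shown above (an assumption), and that the page markup contains the hypothetical SignInButton, SignOutButton, WelcomeLabel and AdminPanel controls.

```csharp
// Added example for this recipe (not from the original book or the CTP samples).
// Assumptions: Saml2AuthenticationModule is registered via Web.config and exposes
// SignIn(string) (shown in the recipe) and SignOut(string) (assumed); its namespace is
// assumed to be Microsoft.IdentityModel.Web; AD FS issues name and role claims (Chapter 5);
// the controls referenced below exist in the hypothetical Default.aspx markup.
using System;
using System.Linq;
using System.Threading;
using System.Web.UI;
using Microsoft.IdentityModel.Claims;
using Microsoft.IdentityModel.Web;

public partial class _Default : Page
{
    // Role required to see the administrative part of the page (hypothetical value;
    // it must match a role claim value issued by the AD FS claim rules).
    private const string RequiredRole = "SP-Administrators";

    protected void Page_Load(object sender, EventArgs e)
    {
        IClaimsPrincipal principal = Thread.CurrentPrincipal as IClaimsPrincipal;

        // Until a SAML Response has been consumed there is no claims principal:
        // show only the sign-in control and nothing that depends on identity.
        if (principal == null || !principal.Identity.IsAuthenticated)
        {
            SignInButton.Visible = true;
            SignOutButton.Visible = false;
            AdminPanel.Visible = false;
            WelcomeLabel.Text = "Not signed in.";
            return;
        }

        IClaimsIdentity identity = (IClaimsIdentity)principal.Identity;
        SignInButton.Visible = false;
        SignOutButton.Visible = true;

        // Authorize on claims, not merely on IsAuthenticated: every AD FS user can
        // authenticate, but only users carrying the required role claim get the admin panel.
        WelcomeLabel.Text = "Signed in as " + (GetClaimValue(identity, ClaimTypes.Name) ?? "(no name claim)");
        AdminPanel.Visible = HasRole(identity, RequiredRole);
    }

    protected void SignInButton_Click(object sender, EventArgs e)
    {
        // Starts SP-initiated SSO: the module redirects the browser to the configured IdP
        // (AD FS) and brings the user back to Default.aspx once the Response has been validated.
        Saml2AuthenticationModule.Current.SignIn("~/Default.aspx");
    }

    protected void SignOutButton_Click(object sender, EventArgs e)
    {
        // Assumed overload: ends the local session (and single logout with the IdP, if the
        // CTP implements it) before returning the browser to the given application-relative URL.
        Saml2AuthenticationModule.Current.SignOut("~/Default.aspx");
    }

    // Returns the first value of the given claim type, or null when the IdP did not issue it.
    private static string GetClaimValue(IClaimsIdentity identity, string claimType)
    {
        Claim claim = identity.Claims.FirstOrDefault(c => c.ClaimType == claimType);
        return claim == null ? null : claim.Value;
    }

    // True when the identity carries a role claim whose value exactly equals the given role.
    private static bool HasRole(IClaimsIdentity identity, string role)
    {
        return identity.Claims.Any(c => c.ClaimType == ClaimTypes.Role
                                     && string.Equals(c.Value, role, StringComparison.Ordinal));
    }
}
```

The role comparison is ordinal and exact on purpose: role values arrive verbatim from the AD FS claim rules, so a case-insensitive or prefix match would widen the set of users who pass the check. If the page does not show a name after sign-in, the claim rules on the Relying Party Trust are not issuing a claim of the ClaimTypes.Name type, which is a configuration problem in AD FS rather than in the Service Provider.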