Classic ASP SAML Single Sign-On (SSO)
The Classic ASP SAML Single Sign-On (SSO) module enables SAML Single Sign-On
for your Classic ASP applications, so users sign in once with their identity
provider credentials instead of keeping a separate password for your
application. The connector runs as a separate ASP.NET application on IIS,
handles the SAML exchange with the identity provider, and hands the
authenticated user's attributes to your application as a signed JWT. The
module works with any SAML 2.0 compliant identity provider. This guide walks
through configuring SAML Single Sign-On (SSO) between Classic ASP and Okta,
with Okta as the IdP.
Steps to configure Classic ASP SAML Single Sign-On (SSO) using Okta as IDP
1. Setup Connector for application on IIS
- Extract the downloaded asp-net-saml-sso-connector zip file to get the
ASP.NET SAML 2.0 Connector.
- Add the connector as a separate application on IIS:
- To add the application in IIS Manager, copy the extracted folder to
C:\inetpub\wwwroot.
- Open IIS Manager. In the left panel, right-click your site and click
Add Application.
- Enter an alias for the application, for example: ssoapp
- Enter the physical path where you copied the application:
C:\inetpub\wwwroot\asp-net-saml-sso-connector-xxx.
2. Grant the IIS worker account permission on the SAML Connector folder
- Go to C:\inetpub\wwwroot\
- Right-click asp-net-saml-sso-connector-xxx and select Properties.
- Select the Security tab and click the Edit button.
- Select IIS_IUSRS under Group or user names.
- Give IIS_IUSRS Full Control permission, as shown in the figure below.
Apply the grant to the connector's own folder only, not to
C:\inetpub\wwwroot as a whole: the connector needs write access to its own
folder, but Full Control also carries the right to change permissions and
take ownership, so it must not extend to your other applications.
3. Open miniOrange SAML ASP.NET Connector on Browser
- Open a browser and go to https://<new-application-base-url>/.
- Log in or register with the SAML connector to access its admin dashboard.
4. Configure Okta as IDP
- You need to provide the SP Entity ID and ACS URL values while configuring
your Identity Provider. Copy the SP Entity ID and ACS URL from the connector
and paste them into your IdP configuration page. You can refer to the image
below. Both values must match the connector's metadata exactly (scheme, host
and path included): Okta only posts assertions to the registered ACS URL, and
an Audience that does not match the SP Entity ID causes the assertion to be
rejected.
- Log in to the Okta Developer Console.
- In the Okta Developer site, navigate to the Applications tab and select
Applications.
- Click the Create App Integration button to create a new app.
- Click SAML 2.0.
- In the General Settings tab, enter the App Name and click Next.
- In SAML Settings, enter the following:
Single Sign On URL: the ACS (AssertionConsumerService) URL from the
Service Provider Metadata tab of the module.
Audience URI (SP Entity ID): the SP Entity ID / Issuer from the Service
Provider Metadata tab of the module.
- Configure Group Attribute Statements (optional) and click Next.
- If you have integrated your Active Directory in Okta and want to map the AD
groups, make sure that you have added the OUs used to import groups. You will
also need to map the "member of" attribute under the integrated directory's
configuration.
5. Configure ASP.NET SAML Connector as Service Provider
- After you configure your Identity Provider, it provides an IDP Entity ID,
an IDP Single Sign On URL and an X.509 certificate. Enter these values in the
IDP Entity ID, Single Sign-On Url and SAML X509 Certificate fields
respectively. The certificate is the IdP's signing certificate; the connector
uses it to check the signature on every SAML response it receives, so copy it
from Okta's application page rather than from an untrusted channel, and update
it here whenever Okta rotates its signing key.
- Click Save to save your IDP details.
6. Testing SAML SSO
- Click the Test Configuration button to check whether the connector is
configured correctly.
- The screenshot below shows a successful result.
7. Attribute Mapping
- Attribute Mapping lets you take the attributes your ASP.NET application
receives from your IdP and map them to the user attributes in your
application.
- The attributes received in a successful test configuration are used for
attribute mapping.
- You can refer to the image below for attribute mapping:
8. Integration Code
- The miniOrange SSO connector POSTs a signed JWT containing the
authenticated user's attributes to an endpoint in your application. So, first
create a POST endpoint in your application to receive it.
- Download the integration library (.dll file) using the download option in
the Integration tab and add it to your project. This library contains the
classes and methods with which you verify the JWT signature and retrieve the
user attributes from the token.
- Use the Verify(string token, string public_key) function to verify the
token signature. It takes token (string) and public_key (string) as
parameters and returns a bool after verification. Only trust attributes from
a token for which Verify returned true: the endpoint accepts any POST, and
the signature check against the connector's public key is what ties the token
to the connector rather than to whoever sent the request.
- Once verification returns true, use getUserAttr(string token, string
attr_name) to retrieve user attributes from the token. It takes token (string)
and attr_name (string) as parameters and returns the attribute value (string)
on success; otherwise it returns an empty string, so treat an empty value for
the attribute you use as the login name as a failed login.
- Add the namespace "Miniorange.SSO.SAML.Integrate".
- You can refer to the example below for the integration part:
    Integrate intgtr = new Integrate();   // create an instance of the Integrate class
    string public_key =
        "1wEaPr7h34Ts+DbgPytEqwkcJlybYwOTyBVD4GryebjSIF....................";
                                          // your public key, displayed above
    string token = Request.Form["token"];
    string username = "";
    if (!String.IsNullOrEmpty(token))
    {
        // Verify that the token was issued by the trusted source (signature check).
        if (intgtr.Verify(token, public_key))
        {
            // Retrieve the attribute value using getUserAttr.
            username = intgtr.getUserAttr(token, "userid");
        }
    }
    // Using the attributes received from the token you can create the session
    // for that user.
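A complete version of the endpoint this step describes, as an added example rather than the connector's own sample code. It assumes a Web Forms page named SsoCallback.aspx, that the public key from the Integration tab is stored in Web.config under an appSettings key named SsoPublicKey, that an "email" attribute was mapped in step 7 alongside "userid", and the session keys used below; Verify and getUserAttr are the library calls described above, used as the page documents them.

```csharp
// SsoCallback.aspx.cs: the POST endpoint the connector calls (its URL goes
// into Login Setup in step 9). Added example; the page name, the appSettings
// key, the "email" attribute and the session keys are assumptions.
using System;
using System.Configuration;            // needs a reference to System.Configuration
using System.Web;
using System.Web.UI;
using Miniorange.SSO.SAML.Integrate;   // Verify() and getUserAttr() from the downloaded .dll

public partial class SsoCallback : Page
{
    // Public key from the connector's Integration tab, kept in Web.config
    // (<appSettings><add key="SsoPublicKey" value="..." /></appSettings>)
    // so it is not hard-coded and can be rotated without a rebuild.
    private static readonly string PublicKey =
        ConfigurationManager.AppSettings["SsoPublicKey"];

    protected void Page_Load(object sender, EventArgs e)
    {
        // The connector only ever POSTs the token; anything else is a probe.
        if (!string.Equals(Request.HttpMethod, "POST", StringComparison.OrdinalIgnoreCase))
        {
            Reject(405, "POST required");
            return;
        }
        // The token is a bearer credential: never accept it over plain HTTP.
        if (!Request.IsSecureConnection)
        {
            Reject(403, "HTTPS required");
            return;
        }
        if (string.IsNullOrEmpty(PublicKey))
        {
            // Misconfiguration must fail closed, not skip the signature check.
            Reject(500, "SSO public key not configured");
            return;
        }

        string token = Request.Form["token"];
        if (string.IsNullOrEmpty(token))
        {
            Reject(400, "Missing token");
            return;
        }

        var intgtr = new Integrate();
        // Signature check against the connector's public key. This is the only
        // thing that ties the token to the connector rather than to whoever
        // sent the POST, so nothing below runs unless it succeeds.
        if (!intgtr.Verify(token, PublicKey))
        {
            Reject(401, "Token signature verification failed");
            return;
        }

        // getUserAttr returns "" when the attribute is absent; an empty login
        // name is a failed login, not an anonymous user.
        string username = intgtr.getUserAttr(token, "userid");
        if (string.IsNullOrEmpty(username))
        {
            Reject(401, "Token carries no userid attribute");
            return;
        }
        string email = intgtr.getUserAttr(token, "email");   // assumed mapping from step 7

        // Drop any state left from a previous user before binding the new identity.
        Session.Clear();
        Session["username"] = username;
        Session["email"] = email;
        Session["login_utc"] = DateTime.UtcNow;

        // Fixed post-login landing page: do not take the target from the
        // request, or this endpoint becomes an open redirect.
        Response.Redirect("~/Default.aspx", true);
    }

    private void Reject(int statusCode, string reason)
    {
        Response.Clear();
        Response.StatusCode = statusCode;
        Response.ContentType = "text/plain";
        Response.Write(reason);
        Response.End();
    }
}
```

Point Login Setup (step 9) at https://<your-application>/SsoCallback.aspx. Every rejection path ends the response before any session value is written, so a request that fails the method, transport, signature or attribute check can never leave a partially logged-in session behind.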
9. Login Setup
- In Login Setup, provide the URL of the endpoint you created in your ASP.NET
application; this is where the connector posts the JWT carrying the user
attributes.
- Click the Save button.
10. Add SSO Link
- Use the following URL as a link in your application from where you want to
perform SSO, where <application-base-url> is the base URL of the connector
application you opened in step 3:
https://<application-base-url>/request.aspx
- For example, you can use it as:
<a href="https://<application-base-url>/request.aspx">Log in</a>
11. Add SLO Link
- Use the following URL as a link in your application from where you want to
perform SLO:
https://<application-base-url>/singlelogout.aspx
- For example, you can use it as:
<a href="https://<application-base-url>/singlelogout.aspx">Logout</a>
Need Help?
Not able to find your identity provider? Mail us at
aspnetsupport@xecurify.com
and we'll help you set up SSO into Classic ASP with your custom IdP. For
quick guidance (via email or a meeting) on your requirement, our team will
help you select the most suitable solution or plan.