Contents

ASP.NET Core SAML IDP Setup Guide

ASP.NET Core as SAML identity provider provides a ready-to-use solution for SAML 2.0 login using ASP.NET credentials. ASP.NET Core SAML IdP acts as a SAML 2.0 identity provider which can be configured to establish the trust between the ASP.NET Core application and various SAML 2.0 supported service providers such as WordPress,Tableau, Moodle and many more to securely authenticate the users using the ASP.NET Core application credentials.

Choose your SAML service provider to configure Single Sign-On (SSO)

Not able to find your IdP? Contact us at aspnetsupport@xecurify.com and we will help you setup ASP.NET Core SSO with your SP in no time.

Couldn't find your IdP?

Reach out to us at aspnetsupport@xecurify.com and we will help you setup Blazor SAML SSO with your identity provider (IdP) in no time.

Steps to configure ASP.NET Core as SAML Identity Provider

1. Pre-requisites:Installation

To install the ASP.NET Core SAML IDP using the NuGet package, follow the steps given below:

NuGet Package
.NET CLI

PM> NuGet\Install-Package miniOrange.SAML.IDP

        
            
      
      using Microsoft.AspNetCore.Authentication.Cookies;
      using miniOrange.saml;
      
      var builder = WebApplication.CreateBuilder(args);
      
      builder.Services.AddRazorPages();
      // Add authentication services
      builder.Services.AddControllersWithViews();
      builder.Services.AddAuthentication(options =>
       {
         options.DefaultAuthenticateScheme = "SSO_OR_Admin";
        options.DefaultScheme = "SSO_OR_Admin";
        options.DefaultChallengeScheme = "SSO_OR_Admin";
       })
      .AddCookie("moAdmin", options =>
       {
       })
      .AddCookie(CookieAuthenticationDefaults.AuthenticationScheme, options =>
       {
        // Configure cookie options as needed for SSO Users
      })
      .AddPolicyScheme("SSO_OR_Admin", "SSO_OR_Admin", options =>
      {
        // runs on each request
        options.ForwardDefaultSelector = context =>
        {
// filter by auth type, here if the moAdmin cookie is coming in any request the Admin Authentication will work
            foreach (var cookie in context.Request.Cookies)
            {
                if (cookie.Key.Contains(".AspNetCore.Cookies"))
                {
                    return CookieAuthenticationDefaults.AuthenticationScheme;
                }
            }
      // otherwise always check for cookie auth
           return "moAdmin";
           };
      });
      var app = builder.Build();
      
      if (!app.Environment.IsDevelopment())
       {
          app.UseExceptionHandler("/Error");
      
          app.UseHsts();
       }
      
      app.UseHttpsRedirection();
      app.UseRouting();
      app.UseAuthorization();
      app.MapRazorPages();
      
      app.UseCookiePolicy();
      app.UseAuthentication();
      app.UseStaticFiles();
      app.UseminiOrangeSAMLSSOMiddleware();
      app.Run();

After integration, open your browser and browse the middleware dashboard with the URL below:
https://<your-application-base-url>/?ssoaction=config

ASP.NET as SAML Identity Provider | ASP.NET SAML IDP | .NET IDP - Register for ASP.NET IDP middleware

2. Configure your service provider

You need to send your IDP metadata to your service provider. For IDP metadata, use the IDP metadata URL or download the IDP metadata as a .xml file and upload it at your SP end. You can find both these options under the Identity Provider Settings tab.

ASP.NET as SAML Identity Provider | ASP.NET SAML IDP | .NET IDP - upload idp metadata

Alternatively, you can manually add the IDP Entity ID and ACS URL from Identity Provider Settings tab in the plugin to your SP configurations.

ASP.NET as SAML Identity Provider | ASP.NET SAML IDP | .NET IDP - upload idp metadata manually

3. Configure ASP.NET Core as Identity Provider

Note: After installation of the plugin, we need to setup the trust between your ASP.NET Core application and your service provider. SAML metadata is shared with identity provider so they can update their inbuilt configuration to support SAML Single Sign-On.

3.1: Share SAML Metadata with identity provider

Click on Add New SP to configure ASP.NET Core SAML Single Sign-On (SSO) using your identity provider.

Under Identity Provider Settings tab, you can either copy-paste the metadata URL on your IDP side or download the SP metadata as an XML file. Additionally, you have the choice to manually copy and paste Base URL, SP Entity ID, and ACS URL.
Share SAML metadata with your service provider.

3.2: Import service provider SAML metadata

Select your service provider from the list shown.

ASP.NET SAML SSO - Select service provider

There are two ways detailed below with which you can configure your ASP.NET Core SAML identity provider metadata in the middleware.

A] Upload metadata using Upload SP Metadata option

If your service provider has provided you with the metadata URL or metadata file (.xml format only), then you can simply configure the service provider metadata in the ASP.NET Core application using the Upload SP Metadata option.
You may refer to the screenshot below:

You can choose any one of the options according to the metadata format you have available.

B] Configure the Service Provider metadata manually

After configuring your Service Provider, it will provide you with IDP Entity ID, IDP Single Sign On URL and SAML X509 Certificate fields respectively.
Click Save to save your IDP details.

4. Code Integration

To send the details from ASP.NET Core application to your service provider in the form of SAML tokens first, we will be required to set the authenticated user details in user claims.

Suppose, if you want to send user details like username, email address, firstname,lastname,phonenumber etc., you can put those details in user claims after your authentication mechanism. Refer to the sample code below:

        
            
      
      var UserClaims = new List<claim>()
      {
      new Claim(ClaimTypes.NameIdentifier, "test.user@gmail.com") 
      };
      
      // Add your additional Claims
      UserClaims.Add(new Claim("email", "test.user@xecurify.com"));
      UserClaims.Add(new Claim("firstname", "test"));
      UserClaims.Add(new Claim("lastname", "user"));
      UserClaims.Add(new Claim("PhoneNumber", "9876543210"));
      
      // Set the User Identity with your User Claims and set your Authentication Scheme
      var identity = new ClaimsIdentity(UserClaims, CookieAuthenticationDefaults.AuthenticationScheme);
      var principal = new ClaimsPrincipal(identity);
      await httpContextAccessor.HttpContext.SignInAsync(CookieAuthenticationDefaults.AuthenticationScheme, 
        principal);

Map these same user claims in the ASP.NET Core SAML IdP plugin so that the plugin understands which claim values needs to be sent actually in the SAML tokens.
NameID is the default SAML attribute which you can set to the given values.

5. Copy SSO Link

Hover on Select Actions and click on Copy SAML SSO Link.

ASP.NET Core as SAML Identity Provider | ASP.NET SAML IDP | .NET IDP Copy SSO Link

Once everything above is completed, you can initiate the SSO from your .NET application using the following link for the authenticated user: <a href="https://<your-application-base-url>/?ssoaction=idpinitiatedsso"
For example, you can use it as HTML anchor tag or HTML button on your site after a user is authenticated on .NET application. <a href=”https://<your-application-base-url>/?ssoaction=idpinitiatedsso”>Login</a>

Additional Resources

Need Help?

Not able to find your service provider? Mail us on aspnetsupport@xecurify.com and we'll help you set up SSO with your SP and for quick guidance (via email/meeting) on your requirement and our team will help you to select the best suitable solution/plan as per your requirement.