ASP.NET Core SAML IDP Setup Guide


ASP.NET Core as SAML identity provider provides a ready-to-use solution for SAML 2.0 login using ASP.NET credentials. The ASP.NET Core SAML IdP acts as a SAML 2.0 identity provider that can be configured to establish trust between the ASP.NET Core application and any SAML 2.0 compliant service provider, such as WordPress, Tableau, Moodle and many more, so that users authenticate securely with their ASP.NET Core application credentials.

Choose your SAML service provider to configure Single Sign-On (SSO)

Not able to find your IdP? Contact us at aspnetsupport@xecurify.com and we will help you setup ASP.NET Core SSO with your SP in no time.


Steps to configure ASP.NET Core as SAML Identity Provider

1. Pre-requisites: Installation

  • To install the ASP.NET Core SAML IDP using the NuGet package, follow the steps given below:

    PM> NuGet\Install-Package miniOrange.SAML.IDP

  • Then register the authentication schemes and the miniOrange middleware in Program.cs (the order of the app.Use* calls matters: authentication must run before authorization):

    using Microsoft.AspNetCore.Authentication.Cookies;
    using miniOrange.saml;

    var builder = WebApplication.CreateBuilder(args);
    builder.Services.AddRazorPages();
    builder.Services.AddControllersWithViews();

    // Add authentication services: a "moAdmin" cookie for the middleware dashboard and the
    // default cookie scheme for SSO users, chosen per request by the "SSO_OR_Admin" policy scheme
    builder.Services.AddAuthentication(options =>
    {
        options.DefaultAuthenticateScheme = "SSO_OR_Admin";
        options.DefaultScheme = "SSO_OR_Admin";
        options.DefaultChallengeScheme = "SSO_OR_Admin";
    })
    .AddCookie("moAdmin", options =>
    {
        // Configure cookie options as needed for the middleware administrator
    })
    .AddCookie(CookieAuthenticationDefaults.AuthenticationScheme, options =>
    {
        // Configure cookie options as needed for SSO users
    })
    .AddPolicyScheme("SSO_OR_Admin", "SSO_OR_Admin", options =>
    {
        // Runs on each request: if the SSO user cookie (".AspNetCore.Cookies") is present,
        // authenticate with the SSO cookie scheme; otherwise fall back to the "moAdmin" scheme
        options.ForwardDefaultSelector = context =>
        {
            foreach (var cookie in context.Request.Cookies)
            {
                if (cookie.Key.Contains(".AspNetCore.Cookies"))
                {
                    return CookieAuthenticationDefaults.AuthenticationScheme;
                }
            }
            return "moAdmin";
        };
    });

    var app = builder.Build();

    if (!app.Environment.IsDevelopment())
    {
        app.UseExceptionHandler("/Error");
        app.UseHsts();
    }

    app.UseHttpsRedirection();
    app.UseStaticFiles();
    app.UseCookiePolicy();
    app.UseRouting();
    // UseAuthentication must precede UseAuthorization so that the authorization
    // middleware sees the authenticated user
    app.UseAuthentication();
    app.UseAuthorization();
    app.UseminiOrangeSAMLSSOMiddleware();
    app.MapRazorPages();
    app.Run();
  • After integration, open your browser and browse the middleware dashboard with the URL below:
    https://<your-application-base-url>/?ssoaction=config
  • [Screenshot: Register for ASP.NET IDP middleware]
  • Register into the ASP.NET Core as SAML IDP.

2. Configure your service provider

  • You need to send your IDP metadata to your service provider. For the IDP metadata, use the IDP metadata URL or download the IDP metadata as a .xml file and upload it at your SP end. You can find both options under the Identity Provider Settings tab.
  • [Screenshot: upload IdP metadata]
  • Alternatively, you can manually add the IDP Entity ID and ACS URL from the Identity Provider Settings tab in the plugin to your SP configuration.
  • [Screenshot: upload IdP metadata manually]

3. Configure ASP.NET Core as Identity Provider

Note: After installing the plugin, you need to set up the trust between your ASP.NET Core application and your service provider. Each side's SAML metadata is shared with the other so that it can update its built-in configuration to support SAML Single Sign-On.

3.1: Share SAML Metadata with service provider

  • Click on Add New SP to configure ASP.NET Core SAML Single Sign-On (SSO) for your service provider.
  • [Screenshot: Click on Add new SP]
  • Under the Identity Provider Settings tab, you can either copy-paste the metadata URL on your IDP side or download the SP metadata as an XML file. Additionally, you have the choice to manually copy and paste the Base URL, SP Entity ID, and ACS URL.
  • Share the SAML metadata with your service provider.
  • [Screenshot: SP Settings Metadata]

3.2: Import service provider SAML metadata

  • Select your service provider from the list shown.
  • [Screenshot: Select service provider]

There are two ways, detailed below, in which you can configure your service provider's SAML metadata in the middleware.

A] Upload metadata using Upload SP Metadata option
  • If your service provider has provided you with the metadata URL or metadata file (.xml format only), then you can simply configure the service provider metadata in the ASP.NET Core application using the Upload SP Metadata option.
  • You may refer to the screenshot below:
  • [Screenshot: upload SP metadata]
  • You can choose any one of the options according to the metadata format you have available.
B] Configure the Service Provider metadata manually
  • After configuring your Service Provider, it will provide you with IDP Entity ID, IDP Single Sign On URL and SAML X509 Certificate fields respectively.
  • Click Save to save your IDP details.
  • [Screenshot: configure SP metadata manually]
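Whichever of the two options you use, the SP metadata you import is third-party input that decides where this identity provider will post signed assertions. The following added example (not part of the miniOrange middleware, and not code from this guide) shows a small C# reader for the SP metadata format that an administrator can run on a metadata file before uploading it: it parses the document with DTDs and external entity resolution disabled, extracts the entityID, the AssertionConsumerService endpoints and any signing certificate, and reports the problems worth fixing before trust is established (a non-HTTPS ACS URL, a non-POST binding, an expired certificate). The namespace SamlIdpSample, the type names and the embedded metadata document are all constructed for the example.

```csharp
using System;
using System.Collections.Generic;
using System.IO;
using System.Linq;
using System.Security.Cryptography.X509Certificates;
using System.Xml;
using System.Xml.Linq;

namespace SamlIdpSample;

// Hypothetical types for this example; the middleware has its own representation.
public sealed record AcsEndpoint(string Binding, string Location, bool IsDefault);

public sealed record SpMetadata(
    string EntityId,
    IReadOnlyList<AcsEndpoint> Acs,
    bool WantAssertionsSigned,
    IReadOnlyList<X509Certificate2> SigningCerts);

public static class SpMetadataReader
{
    private static readonly XNamespace Md = "urn:oasis:names:tc:SAML:2.0:metadata";
    private static readonly XNamespace Ds = "http://www.w3.org/2000/09/xmldsig#";
    private const string HttpPost = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST";

    public static SpMetadata Parse(string xml)
    {
        // Metadata is supplied by another party: no DTDs, no external entity resolution.
        var settings = new XmlReaderSettings { DtdProcessing = DtdProcessing.Prohibit, XmlResolver = null };
        using var reader = XmlReader.Create(new StringReader(xml), settings);
        var root = XDocument.Load(reader).Root;
        if (root is null || root.Name != Md + "EntityDescriptor")
            throw new FormatException("Root element must be md:EntityDescriptor.");

        var sp = root.Element(Md + "SPSSODescriptor")
                 ?? throw new FormatException("No md:SPSSODescriptor found (is this IdP metadata instead?).");

        var acs = sp.Elements(Md + "AssertionConsumerService")
            .Select(e => new AcsEndpoint(
                (string?)e.Attribute("Binding") ?? "",
                (string?)e.Attribute("Location") ?? "",
                (bool?)e.Attribute("isDefault") ?? false))
            .ToList();

        // KeyDescriptor without a "use" attribute applies to both signing and encryption.
        var certs = sp.Elements(Md + "KeyDescriptor")
            .Where(k => ((string?)k.Attribute("use") ?? "signing") == "signing")
            .Select(k => k.Descendants(Ds + "X509Certificate").FirstOrDefault()?.Value)
            .Where(b64 => !string.IsNullOrWhiteSpace(b64))
            .Select(b64 => new X509Certificate2(Convert.FromBase64String(b64!.Trim())))
            .ToList();

        return new SpMetadata(
            (string?)root.Attribute("entityID") ?? "",
            acs,
            (bool?)sp.Attribute("WantAssertionsSigned") ?? false,
            certs);
    }

    // Returns the problems an IdP administrator should resolve before trusting this SP.
    public static IReadOnlyList<string> Validate(SpMetadata md, DateTimeOffset now)
    {
        var problems = new List<string>();
        if (string.IsNullOrWhiteSpace(md.EntityId)) problems.Add("entityID is empty.");
        if (md.Acs.Count == 0) problems.Add("No AssertionConsumerService endpoint.");
        foreach (var a in md.Acs)
        {
            if (!Uri.TryCreate(a.Location, UriKind.Absolute, out var uri) || uri.Scheme != Uri.UriSchemeHttps)
                problems.Add($"ACS '{a.Location}' is not an absolute https URL; assertions would travel in the clear.");
            if (a.Binding != HttpPost)
                problems.Add($"ACS '{a.Location}' uses binding '{a.Binding}', not HTTP-POST.");
        }
        if (!md.WantAssertionsSigned) problems.Add("WantAssertionsSigned is false; the SP does not demand signed assertions.");
        if (md.SigningCerts.Count == 0) problems.Add("No signing certificate; signed AuthnRequests cannot be verified.");
        foreach (var c in md.SigningCerts)
            if (now > c.NotAfter) problems.Add($"Signing certificate {c.Thumbprint} expired on {c.NotAfter:u}.");
        return problems;
    }
}

public static class Demo
{
    // Constructed SP metadata: one correct ACS and one legacy ACS served over plain http.
    public const string ConstructedSpMetadata = """
        <md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" entityID="https://sp.example.test/saml">
          <md:SPSSODescriptor WantAssertionsSigned="true" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
            <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://sp.example.test/saml/acs" index="0" isDefault="true"/>
            <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="http://sp.example.test/saml/acs-legacy" index="1"/>
          </md:SPSSODescriptor>
        </md:EntityDescriptor>
        """;

    public static void Main()
    {
        var md = SpMetadataReader.Parse(ConstructedSpMetadata);
        Console.WriteLine($"SP {md.EntityId}: {md.Acs.Count} ACS endpoint(s)");
        foreach (var p in SpMetadataReader.Validate(md, DateTimeOffset.UtcNow))
            Console.WriteLine("  ! " + p);
    }
}
```

Run on the constructed document, Validate flags the http ACS URL and the missing signing certificate; on a real SP's metadata file, resolve every reported item with the SP's administrator before completing step 3.2.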

4. Code Integration

Before the ASP.NET Core application can send user details to your service provider in a SAML token, the details of the authenticated user have to be placed in the user's claims.

  • Suppose you want to send user details such as username, email address, first name, last name, phone number, etc.; put those details in the user claims after your authentication mechanism has run. Refer to the sample code below (httpContextAccessor is an injected IHttpContextAccessor):

    using System.Security.Claims;
    using Microsoft.AspNetCore.Authentication;
    using Microsoft.AspNetCore.Authentication.Cookies;

    // NameIdentifier is the claim sent as the SAML NameID by default
    var userClaims = new List<Claim>()
    {
        new Claim(ClaimTypes.NameIdentifier, "test.user@gmail.com")
    };
    // Add your additional claims
    userClaims.Add(new Claim("email", "test.user@xecurify.com"));
    userClaims.Add(new Claim("firstname", "test"));
    userClaims.Add(new Claim("lastname", "user"));
    userClaims.Add(new Claim("PhoneNumber", "9876543210"));
    // Set the user identity with your user claims and the SSO cookie authentication scheme
    var identity = new ClaimsIdentity(userClaims, CookieAuthenticationDefaults.AuthenticationScheme);
    var principal = new ClaimsPrincipal(identity);
    await httpContextAccessor.HttpContext.SignInAsync(CookieAuthenticationDefaults.AuthenticationScheme, principal);

  • Map these same user claims in the ASP.NET Core SAML IdP plugin so that the plugin knows which claim values to send in the SAML tokens.
  • NameID is the default SAML attribute, which you can set to one of the given values.
  • [Screenshot: map user claims]
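The snippet above shows only the sign-in call; the part that matters for security is what runs before it, because whatever your application puts into the SSO cookie's claims is what the service provider will receive as an authenticated identity. The following added example (not code from this guide or from the miniOrange middleware) is a complete minimal-API login endpoint that verifies credentials with PasswordHasher from Microsoft.AspNetCore.Identity, issues exactly the claims the mapping in step 4 expects, signs in with the SSO cookie scheme that the "SSO_OR_Admin" policy scheme selects, and then hands the user to the IdP-initiated SSO link from step 5. The namespace SamlIdpSample, the /login and /logout routes, the AppUser and LoginRequest types and the single in-memory demo user are constructed for the example; a real application reads users from its own store.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Authentication.Cookies;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Http;
using Microsoft.AspNetCore.Identity;

namespace SamlIdpSample;

// Hypothetical user record; a real application reads this from its user store.
public sealed record AppUser(string Email, string FirstName, string LastName, string Phone, string PasswordHash);

// JSON body of the hypothetical POST /login endpoint.
public sealed record LoginRequest(string Email, string Password);

public static class SsoLoginEndpoints
{
    private static readonly PasswordHasher<AppUser> Hasher = new();

    // Constructed demo store: one user whose password is hashed at startup,
    // so only a salted PBKDF2 hash is ever held in memory.
    private static readonly Dictionary<string, AppUser> Users = BuildDemoUsers();

    private static Dictionary<string, AppUser> BuildDemoUsers()
    {
        var user = new AppUser("test.user@xecurify.com", "test", "user", "9876543210", PasswordHash: "");
        user = user with { PasswordHash = Hasher.HashPassword(user, "CorrectHorseBatteryStaple!") };
        return new Dictionary<string, AppUser>(StringComparer.OrdinalIgnoreCase) { [user.Email] = user };
    }

    // Builds exactly the claims that are mapped in the middleware dashboard (step 4).
    public static ClaimsPrincipal BuildPrincipal(AppUser user)
    {
        var claims = new List<Claim>
        {
            new Claim(ClaimTypes.NameIdentifier, user.Email), // becomes the SAML NameID
            new Claim("email", user.Email),
            new Claim("firstname", user.FirstName),
            new Claim("lastname", user.LastName),
            new Claim("PhoneNumber", user.Phone),
        };
        // The identity must carry the SSO cookie scheme, not "moAdmin": the policy scheme
        // routes requests carrying ".AspNetCore.Cookies" to this scheme.
        var identity = new ClaimsIdentity(claims, CookieAuthenticationDefaults.AuthenticationScheme);
        return new ClaimsPrincipal(identity);
    }

    // Call app.MapSsoLogin() in Program.cs before app.Run().
    public static void MapSsoLogin(this WebApplication app)
    {
        app.MapPost("/login", async Task<IResult> (LoginRequest req, HttpContext ctx) =>
        {
            // Same failure path for an unknown user and a wrong password: no account enumeration.
            if (!Users.TryGetValue(req.Email, out var user) ||
                Hasher.VerifyHashedPassword(user, user.PasswordHash, req.Password) == PasswordVerificationResult.Failed)
            {
                return Results.Unauthorized();
            }

            await ctx.SignInAsync(CookieAuthenticationDefaults.AuthenticationScheme, BuildPrincipal(user),
                new AuthenticationProperties { IsPersistent = false });

            // The user is now authenticated; start IdP-initiated SSO via the link from step 5.
            return Results.Redirect("/?ssoaction=idpinitiatedsso");
        });

        app.MapPost("/logout", async (HttpContext ctx) =>
        {
            // Clearing the SSO cookie removes the claims the middleware would otherwise keep issuing.
            await ctx.SignOutAsync(CookieAuthenticationDefaults.AuthenticationScheme);
            return Results.Redirect("/");
        });
    }
}
```

The redirect target is a fixed local path rather than a caller-supplied return URL, so the login endpoint cannot be turned into an open redirector, and the cookie is non-persistent so the SSO session ends with the browser session.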

5. Copy SSO Link

  • Hover over Select Actions and click on Copy SAML SSO Link.
  • [Screenshot: Copy SSO Link]
  • Once everything above is completed, you can initiate SSO from your .NET application for the authenticated user using the following link:
    https://<your-application-base-url>/?ssoaction=idpinitiatedsso
  • For example, you can use it as an HTML anchor tag or HTML button on your site after a user is authenticated in the .NET application:
    <a href="https://<your-application-base-url>/?ssoaction=idpinitiatedsso">Login</a>

Need Help?

Not able to find your service provider? Mail us at aspnetsupport@xecurify.com and we'll help you set up SSO with your SP. For quick guidance (via email or meeting) on your requirement, our team will help you select the most suitable solution or plan.
