ASP.NET SAML SP Single Sign-On (SSO) module gives the ability to enable SAML Single Sign-On for your ASP.NET applications. Using Single Sign-On you can use only one password to access your ASP.NET application and services. Our module is compatible with all the SAML compliant Identity providers. Here we will go through a step-by-step guide to configure Single Sign-On (SSO) between ASP.NET and ADFS considering ADFS as IdP.

Download And Extract Package

• Download miniOrange ASP.NET SAML 2.0 Module.
• For Setting up the module, extract the asp-net-saml-sso-module-xxx.zip, you will find a DLL file miniorange-saml-sso.dll, a configuration file saml.config and a integration.md file which contain the steps for adding the module into your application.

Steps to configure ADFS Single Sign-On (SSO) Login into ASP.NET

1. Add module on DNN page

• Add miniorange-saml-sso.dll in the bin folder (where your other DLL files exist) for your application.
• Register miniorangesamlsso module in your application according to the provided steps in the integration.md file.
• Add the provided configuration file saml.config in the root directory for your application.
• After integration open browser and browse the module dashboard with URL below:
https://<your-application-base-url>?ssoaction=config
• If it pops up the registration page or login page, you have successfully added the miniOrange saml sso module for your application.


• Register or Login for configuring the module.

2. Configure ADFS as Identity Provider

• First, search for ADFS Management application on your ADFS server.

• In AD FS Management, select Relying Party Trust and click on Add Relying Party Trust.

• Select Claims aware from the Relying Party Trust Wizard and click on Start button.

 Select Data Source

• In Select Data Source, select the data source for adding a relying party trust.

• Metadata URL
• Metadata XML file
• Manual Configuration

• Navigate to Service Provider Metadata section from the ASP.NET SAML module and copy the Metadata URL.
• Select Import data about the relying party published online or on the local network option and add the metadata URL in Federation metadata address.
• Click on Next.


Note: In the next step enter the desired Display Name and click Next.

• Navigate to Service Provider Metadata section from the ASP.NET SAML module and click on the Download XML metadata button to download the plugin metadata file.
• Select Import data about the relying party from a file option and upload the downloaded metadata file.
• Click on Next.


Note: In the next step enter the desired Display Name and click Next.

• Navigate to Service Provider Metadata section of the ASP.NET SAML module to get the endpoints to configure Service Provider manually.
• In Add Relying Party Trust Wizard select option Enter data about the relying party manually and click on Next.

 Specify Display Name

• Enter Display Name and Click Next.

 Configure Certificate (Premium feature)

• Download the certificate from Service Provider Metadata Tab.
• Upload the certificate and click on Next.

 Configure URL

• Select Enable support for the SAML 2.0 WebSSO protocol option and enter ACS URLfrom the plugin's Service Provider Metadata Tab.
• Click on Next.

 Configure Identifiers

• In the Relying party trust identifier, add the SP-EntityID / Issuer from the plugin's Service Provider Metadata tab.

 Choose Access Control Policy

• Select Permit everyone as an Access Control Policy and click on Next.

 Ready to Add Trust

• In Ready to Add Trust click on Next and then Close.

 Edit Claim Issuance Policy

• In the list of Relying Party Trust, select the application you created and click on Edit Claim Issuance Policy.

• In Issuance Transform Rule tab click on Add Rule button.

 Choose Rule Type

• Select Send LDAP Attributes as Claims and click on Next.

 Configure Claim Rule

• Add a Claim Rule Name and select the Attribute Store as required from the dropdown.
• Under Mapping of LDAP Attributes to outgoing claim types, Select LDAP Attribute as E-Mail-Addresses and Outgoing Claim Type as Name ID.

• Once you have configured the attributes, click on Finish.
• After configuring ADFS as IDP, you will need the Federation Metadata to configure your Service Provider.
• To get the ADFS Federation Metadata, you can use this URL
  https://< ADFS_Server_Name >/federationmetadata/2007-06/federationmetadata.xml
• You have successfully configured ADFS as SAML IdP (Identity Provider) for achieving ADFS Single Sign-On (SSO) Login

Windows SSO (Optional)

Follow the steps below to configure Windows SSO

 Steps to configure ADFS for Windows Authentication

• Open elevated Command Prompt on the ADFS Server and execute the following command on it:

setspn -a HTTP/##ADFS Server FQDN## ##Domain Service Account##

FQDN is Fully Qualified Domain Name (Example : adfs4.example.com)

Domain Service Account is the username of the account in AD.

Example : setspn -a HTTP/adfs.example.com username/domain

• Open AD FS Management Console, click on Services and go to the Authentication Methods section. On the right, click on Edit Primary Authentication Methods. Check Windows Authentication in Intranet zone.

• Open Internet Explorer. Navigate to Security tab in Internet Options.
• Add the FQDN of AD FS to the list of sites in Local Intranet and restart the browser.
• Select Custom Level for the Security Zone. In the list of options, select Automatic Logon only in Intranet Zone.

• Open the powershell and execute following two commands to enable windows authentication in Chrome browser.

Set-AdfsProperties -WIASupportedUserAgents ((Get-ADFSProperties | Select -ExpandProperty WIASupportedUserAgents) + "Chrome")

Get-AdfsProperties | Select -ExpandProperty WIASupportedUserAgents;

• You have successfully configured ADFS for Windows Authentication.

3. Configure ASP.NET SAML Module as Service Provider

• After configuring your Identity Provider, it will provide you with IDP Entity ID, IDP Single Sign On URL and x.509 Certificate. Configure these values under IDP Entity ID, Single Sign-On Url and SAML X509 Certificate fields respectively. (Refer to the Metadata provided by Identity Provider)
• Click Save to Save your IDP details.

4: Test Configuration

• Click on the Test Configuration button to test the configuration.

5: Attribute Mapping

• After testing the configuration, Map your application attributes with the Identity Provider (IdP) attributes.
• Note: All the mapped attributes will be stored in the session so that you can access them in your application.

6: Integration Code

• You can also find the Integration code in the Integration Code tab in the module. Just copy-paste that code snippet wherever you want to access the user attributes.
• Note: All the mapped attributes will be stored in the session so that you can access them in your application.

7: Login Settings

• Use the following URL as a link in your application from where you want to perform SSO:
• https://<your-application-base-url>/?ssoaction=login
• For example you can use it as:
• <a href="https://<your-application-base-url>/?ssoaction=login">Login</a>

8: Logout Settings

• Use the following URL as a link in your application from where you want to perform SLO:
• https://<your-application-base-url>/?ssoaction=logout
• For example you can use it as:
• <a href="https://<your-application-base-url>/?ssoaction=logout">Logout</a>

You can configure the DotNetNuke SAML 2.0 Single Sign-On (SSO) module with any Identity Provider such as ADFS, Azure AD, Bitium, centrify, G Suite, JBoss Keycloak, Okta, OneLogin, Salesforce, AWS Cognito, OpenAM, Oracle, PingFederate, PingOne, RSA SecureID, Shibboleth-2, Shibboleth-3, SimpleSAML, WSO2 or even with your own custom identity provider.

If you are looking to Single Sign-On into your sites with any SAML compliant Identity Provider then we have a separate solution for that. We do provide SSO solutions for the following: