An ASP.NET Core 2.0 middleware to allow SAML authentication. It supports
- Single Sign-on
- IdP initiated
- SP initiated
- Single Sign-out
- IdP initiated
- SP initiated
- Signatures
- Signing outgoing Requests & Responses
- Validating signatures of incoming Requests & Responses
- Encryption
- EncryptedAssertion
- Bindings
- HTTP Redirect Binding w/ SAML Deflate Encoding
- HTTP Post Binding
This application was built for academic purposes only. If you need a production-ready framework you might want to check out Anders Abel's Sustainsys. Do not use this library in a production environment unless you know exactly what you are doing!
dotnet add package SamlOida --source https://www.myget.org/F/samloida/api/v3/index.json
nuget.exe install SamlOida -Source https://www.myget.org/F/samloida/api/v3/index.json
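/// <summary>
/// Registers cookie and SAML authentication for the sample application: the cookie
/// scheme holds the local session, the SAML scheme handles challenge (sign-in) and sign-out.
/// </summary>
/// <param name="services">The application's service collection.</param>
public void ConfigureServices(IServiceCollection services)
{
    // The SP's PFX (private key) signs outgoing messages; the IdP's public certificate
    // verifies incoming ones. PASSWORD is a placeholder: supply the PFX password from
    // configuration or a secret store, never from source control.
    var spCert = new X509Certificate2(File.ReadAllBytes("spPrivateCertificate.pfx"), PASSWORD);
    var idpCert = new X509Certificate2(File.ReadAllBytes("idpPublicCertificate.cer"));

    services
        .AddAuthentication(options =>
        {
            // Authenticate/sign-in are served by the cookie; challenge/sign-out go to the IdP.
            options.DefaultAuthenticateScheme = CookieAuthenticationDefaults.AuthenticationScheme;
            options.DefaultSignInScheme = CookieAuthenticationDefaults.AuthenticationScheme;
            options.DefaultChallengeScheme = SamlAuthenticationDefaults.AuthenticationScheme;
            options.DefaultSignOutScheme = SamlAuthenticationDefaults.AuthenticationScheme;
        })
        .AddCookie(options =>
        {
        })
        .AddSaml(options =>
        {
            options.ServiceProviderEntityId = "your-entity-id";
            options.IdentityProviderSignOnUrl = "your-identity-provider-sign-on-url";
            options.IdentityProviderLogOutUrl = "your-identity-provider-log-out-url";
            options.CallbackPath = "your-sign-on-url";
            options.LogoutPath = "your-logout-url";

            // Freshness window for incoming messages (presumably compared against their
            // IssueInstant); keep it short to limit the replay window.
            options.IssueInstantExpiration = TimeSpan.FromMinutes(20);

            // Require a valid signature on every incoming message and sign everything sent.
            // Assertions are not separately required to carry a signature here; if the IdP
            // signs assertions, consider setting AcceptSignedAssertionsOnly to true as well.
            options.AcceptSignedMessagesOnly = true;
            options.SignOutgoingMessages = true;
            options.AcceptSignedAssertionsOnly = false;

            options.ServiceProviderCertificate = spCert;
            options.IdentityProviderCertificate = idpCert;

            // Map each SAML attribute to a claim built from its first value. Attributes
            // without a value are skipped: Claim's constructor throws ArgumentNullException
            // on a null value, which would fail sign-in for an otherwise valid response.
            options.ClaimsSelector = attributes => attributes
                .Select(attr => new { attr.Name, Value = attr.Values.FirstOrDefault() })
                .Where(pair => pair.Value != null)
                .Select(pair => new Claim(pair.Name, pair.Value))
                .ToList();

            options.SignInScheme = CookieAuthenticationDefaults.AuthenticationScheme;
        }); // the original sample was missing this terminating semicolon
}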
Methods |
---|
AddSaml(Action<SamlOptions> options) |
AddSaml(string authenticationScheme, Action<SamlOptions> options) |
AddSaml(string authenticationScheme, string displayName, Action<SamlOptions> options) |
: Microsoft.AspNetCore.Authentication.RemoteAuthenticationOptions
Property | Type | DefaultValue |
---|---|---|
ServiceProviderEntityId | string | null |
IdentityProviderSignOnUrl | string | null |
IdentityProviderLogOutUrl | string | null |
CallbackPath | string | "/saml-auth" |
LogoutPath | string | "/saml-logout" |
IssueInstantExpiration | TimeSpan | null |
AcceptSignedMessagesOnly | bool | true |
SignOutgoingMessages | bool | true |
AcceptSignedAssertionsOnly | bool | false |
ServiceProviderCertificate | X509Certificate2 | null |
IdentityProviderCertificate | X509Certificate2 | null |
LogoutResponseBinding | SamlBindingBehavior | HttpRedirectBinding |
LogoutRequestBinding | SamlBindingBehavior | HttpRedirectBinding |
AuthnRequestBinding | SamlBindingBehavior | HttpRedirectBinding |
ClaimsSelector | Func<ICollection<SamlAttribute>, ICollection<Claim>> | _ => Array.Empty<Claim>() |
Please read CONTRIBUTING.md for details on our contribution process.
This project is licensed under the MIT License - see the LICENSE file for details.