How to implement SAML2 authentication in .net 4.5 against AzureAD? (Consumed Tokens)

I would like to enable SAML authentication for my web application, including against AzureAD as an identity provider, as well as ADFS. (Can someone point me to a good tutorial or walkthrough?) So far I have received a SAML request, received a SAMLP response from AzureAD and verified its signature (including SHA256, which does not work by default).

Now I want to extract information from it in order to check the issuer and retrieve the user's email address to identify them. Is it "normal" to do this manually via XML, or should I use classes like Saml2SecurityTokenHandler? They look like they should do the trick, but it's hard for me to understand all the necessary configuration and whether it is necessary to use such classes from a security point of view.

My application is multi-user, so I want the code, not the configuration, to handle Saml, since different tenants will use different authentication settings.

This blog says that it does not use ConfigurationBasedIssuerNameRegistry and instead points to ValidatingIssuerNameRegistry. Well, that seems appropriate for my scenario.

There is code in this question for programmatically setting up a trusted issuer, so I can configure it to use ValidatingIssuerNameRegistry, and then, presumably, I can use token handlers to read the Assertion from the SAMLP response and then retrieve the claims, including the name (email address). But where do I get the thumbprint and name to pass to it from the AzureAD metadata? And what exactly is the point of using these classes instead of parsing the response myself? Using a library definitely looks like the right thing to do, but the complexity of WIF and the lack of end-to-end articles about it make it feel inaccessible to anyone except those deep in the world of identity.

I assume that if I already have a certificate stored locally to verify the identity of the issuer of the SAML response, and I verify the signature in the XML, I can happily use the contents of the SAML response, i.e. the user identification. However, doing it manually still seems like the wrong approach, but I'm fine with this if there are no obvious flaws.

Some related questions and articles:

1 answer

As you can see, there is no built-in .NET support for the SAML2 protocol, although SAML2 tokens are supported.

Instead of doing it yourself, I suggest you familiarize yourself with the available open-source and commercial SAML2P libraries for ASP.NET. There is a lot of work in creating a reliable service provider on top of what the .NET framework offers. (I know, because I built one, and if I had known then what I know now, I don't think I would do it again.)

If you decide to go ahead, Saml2SecurityTokenHandler is an important tool for reading assertions from XML, converting them into claims identities, and verifying assertion signatures. Note that the handler expects the assertion to be signed - AFAIK there is no built-in support for the case where the entire SAML response has been signed (which also covers the embedded assertions).

Using Kentor.AuthServices

The scenario described here uses the Kentor.AuthServices API directly, which is an advanced scenario that is not recommended as a first choice. For web APIs and modern MVC applications, it is much better to use the Owin middleware from Kentor.AuthServices.Owin.

This code uses the APIs from Kentor.AuthServices.HttpModule.

Config

To use the AuthServices API directly, you will first need to create a configuration as described in the docs. This can be done both in code and in web.config. In this example, I simply refer to the Options property, which is an instance of IOptions. It can be loaded from web.config via the Options.FromConfiguration property.

Submit AuthnRequest

The first step for authentication is to send an AuthnRequest. dummyUrl is any non-null Uri object. It will not be used in this scenario, but cannot be null.

    var idp = Options.IdentityProviders.Default;
    var urls = new AuthServicesUrls(fullUrlOfYourAcsService, dummyUrl, applicationUrl);
    var authnRequest = idp.CreateAuthenticateRequest(dummyUrl, urls);

    // Apply will call Response.End
    idp.Bind(authnRequest).Apply(new HttpResponseWrapper(HttpContext.Current.Response));

Even though the OP has already managed to do this, it must be done through AuthServices to correctly register the pending request, which is then matched to the returned response.

Receive Response

The next step is to receive the returned SAML2 response. This code must run at the "fullUrlOfYourAcsService" location specified when sending the AuthnRequest.

    // The ACS command must wrap the incoming Request (not the Response) so it can read the posted SAMLResponse.
    var result = CommandFactory.GetCommand(CommandFactory.AcsCommandName)
        .Run(new HttpRequestWrapper(HttpContext.Current.Request), Options);

    // result.Principal will now contain the received identity.
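For the case the asker raised (configuring issuer trust in code rather than web.config, then pulling the issuer and email out of the assertion), here is an added example that is not part of the question or the answer above and is not Kentor.AuthServices code: it feeds one <saml:Assertion> to WIF's Saml2SecurityTokenHandler with a per-tenant issuer registry. The tenantThumbprints map (trusted signing-certificate thumbprint taken from each tenant's federation metadata, mapped to an issuer name) and the audience Uri are assumed to come from your own tenant store; as the answer notes, the handler only checks the Assertion's own signature, so a Response-level signature, if any, has to be verified separately.

```csharp
// Added example (not from the original Q&A): validate one <saml:Assertion> with WIF's
// Saml2SecurityTokenHandler configured in code, no <identityConfiguration> in web.config.
// Assumed inputs: tenantThumbprints (signing-cert thumbprint -> issuer name) and audience.
using System;
using System.Collections.Generic;
using System.IdentityModel.Tokens;
using System.Security.Claims;
using System.ServiceModel.Security;
using System.Xml;

// Per-tenant replacement for ConfigurationBasedIssuerNameRegistry: trust by certificate thumbprint.
class TenantIssuerNameRegistry : IssuerNameRegistry
{
    private readonly IDictionary<string, string> _thumbprintToIssuer;
    public TenantIssuerNameRegistry(IDictionary<string, string> map) { _thumbprintToIssuer = map; }
    public override string GetIssuerName(SecurityToken securityToken)
    {
        var x509 = securityToken as X509SecurityToken;
        string issuer;
        // Returning null tells ValidateToken the signer is untrusted, so the assertion is rejected.
        if (x509 == null || !_thumbprintToIssuer.TryGetValue(x509.Certificate.Thumbprint, out issuer))
            return null;
        return issuer;
    }
}

static class SamlAssertionValidator
{
    public static string ValidateAndGetEmail(string responseXml, Uri audience,
                                             IDictionary<string, string> tenantThumbprints)
    {
        var doc = new XmlDocument { PreserveWhitespace = true }; // whitespace changes break XML-DSig
        doc.LoadXml(responseXml);
        var ns = new XmlNamespaceManager(doc.NameTable);
        ns.AddNamespace("saml", "urn:oasis:names:tc:SAML:2.0:assertion");
        var assertion = doc.SelectSingleNode("//saml:Assertion", ns);
        if (assertion == null) throw new SecurityTokenException("Response carries no Assertion");
        var config = new SecurityTokenHandlerConfiguration
        {
            IssuerNameRegistry = new TenantIssuerNameRegistry(tenantThumbprints),
            CertificateValidationMode = X509CertificateValidationMode.None // trust is by thumbprint above
        };
        config.AudienceRestriction.AllowedAudienceUris.Add(audience); // reject assertions meant for another SP
        var handler = new Saml2SecurityTokenHandler { Configuration = config };
        SecurityToken token;
        using (var reader = new XmlNodeReader(assertion))
            token = handler.ReadToken(reader); // verifies the enveloped signature while reading
        // Throws if the assertion is unsigned, the signer is not in the registry, or Conditions fail.
        ClaimsIdentity identity = handler.ValidateToken(token)[0];
        Claim email = identity.FindFirst(ClaimTypes.Email);
        return email == null ? null : email.Value;
    }
}
```

This relies on the IdP embedding its signing certificate in the signature's KeyInfo (AzureAD does); if a tenant's IdP sends only a key identifier, the certificate must also be resolvable through the handler's IssuerTokenResolver.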

Source: https://habr.com/ru/post/1242927/
