
Ultimate SAML now supports ASP.NET MVC

MVC support and an illustrative example have been requested by many customers, and today we would like to introduce the IdP-initiated SAML MVC application example built with the latest version of the Ultimate SAML component.

To open the MVC example solution, navigate to “Samples\Mvc\Saml\CS\Saml2IdpInitiatedMvc” and double-click the solution file. The example is very similar to the ASP.NET Saml2IdPInitiated sample: both share the same logic to authenticate users, check the SAML data and navigate to the partner sites. The only difference in the SAML code segments is that the MVC apps use overloads that take HttpRequestBase and HttpResponseBase as parameter types instead of ASP.NET’s HttpRequest and HttpResponse classes. If you open the file ConsumerService.aspx.cs in the SP project, you will see syntax similar to the following:

C#:

// Required for X509Certificate2.
using System.Security.Cryptography.X509Certificates;

// Create a SAML response from the HTTP request.
ComponentPro.Saml2.Response samlResponse = ComponentPro.Saml2.Response.Create(Request);

// Is it signed?
if (samlResponse.IsSigned())
{
    // Retrieve the IdP certificate that was loaded into application state at startup.
    X509Certificate2 x509Certificate = (X509Certificate2)Application[Global.CertKeyName];

    // Validate the SAML response signature with the certificate.
    if (!samlResponse.Validate(x509Certificate))
    {
        throw new ApplicationException("SAML response signature is not valid.");
    }
}

VB.NET:

' Required for X509Certificate2.
Imports System.Security.Cryptography.X509Certificates

' Create a SAML response from the HTTP request.
Dim samlResponse As ComponentPro.Saml2.Response = ComponentPro.Saml2.Response.Create(Request)

' Is it signed?
If samlResponse.IsSigned() Then
    ' Retrieve the IdP certificate that was loaded into application state at startup.
    Dim x509Certificate As X509Certificate2 = CType(Application([Global].CertKeyName), X509Certificate2)

    ' Validate the SAML response signature with the certificate.
    If (Not samlResponse.Validate(x509Certificate)) Then
        Throw New ApplicationException("SAML response signature is not valid.")
    End If
End If
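As an added example that is not part of ComponentPro's sample code, the action below shows the same validation written as an ASP.NET MVC controller action. Unlike the snippet above, which only verifies a signature when one is present, it rejects an unsigned response outright, which is the safer default for a service provider that expects its identity provider to sign every response. It assumes the HttpRequestBase overload of Response.Create described above; the application-state key name CertKeyName, the controller and action names, and the redirect target are hypothetical.

```csharp
using System;
using System.Security.Cryptography.X509Certificates;
using System.Web;
using System.Web.Mvc;

namespace ServiceProvider.Controllers
{
    public class SamlController : Controller
    {
        // Hypothetical application-state key under which the IdP signing certificate
        // was stored at startup (the page's sample uses Global.CertKeyName for this).
        private const string CertKeyName = "IdPSigningCertificate";

        // Assertion Consumer Service endpoint of the MVC service provider.
        // The IdP posts the SAMLResponse form field here.
        [HttpPost]
        public ActionResult ConsumerService()
        {
            // Parse the SAML response from the posted form. In MVC the controller's
            // Request property is an HttpRequestBase, so the HttpRequestBase overload
            // described on the page is used. The type is fully qualified because
            // Controller also exposes a Response property.
            ComponentPro.Saml2.Response samlResponse = ComponentPro.Saml2.Response.Create(Request);

            // Fail closed: an unsigned response carries no evidence of who issued it,
            // so it is rejected instead of being accepted without verification.
            if (!samlResponse.IsSigned())
            {
                return new HttpStatusCodeResult(400, "SAML response is not signed.");
            }

            // Retrieve the pinned IdP certificate from application state.
            X509Certificate2 idpCertificate = HttpContext.Application[CertKeyName] as X509Certificate2;
            if (idpCertificate == null)
            {
                return new HttpStatusCodeResult(500, "IdP signing certificate is not configured.");
            }

            // Verify the XML signature against the pinned certificate only; a key
            // embedded in the response itself is never trusted.
            if (!samlResponse.Validate(idpCertificate))
            {
                return new HttpStatusCodeResult(400, "SAML response signature is not valid.");
            }

            // Signature verified: continue with the sample's own logic (read the
            // asserted identity, create the local session, redirect to the landing page).
            return RedirectToAction("Index", "Home");
        }
    }
}
```

Returning a plain status code rather than throwing keeps the error handling at the endpoint and avoids leaking a stack trace to the browser; the distinction between "not signed" and "signature invalid" is useful in the SP's own logs when diagnosing a misconfigured IdP.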

Here are some screenshots of the examples:

Identity Provider MVC website:

Service Provider MVC website:


Shibboleth Web Applications

After successfully installing the UltimateSaml for SAML v2.0 setup package, you will find ten web sample projects in the folder WebFormsC# (for C#) and WebFormsVB.NET (for VB.NET). By default, UltimateSaml is installed in C:\ComponentPro on Windows Vista, Windows Server 2008 and later, and in C:\Program Files\ComponentPro on Windows XP, Server 2003 and 2000. To run these web sample projects, open the solution file Saml2_Shibboleth_WebDemo.XXXX.sln for C# or Saml2_Shibboleth_WebDemoVB.XXXX.sln for VB.NET, and then select Saml2Shibboleth.IdentityProviderWebDemo or Saml2Shibboleth.ServiceProviderWebDemo.

These applications may also be used to demonstrate interoperability with Shibboleth. Shibboleth (http://shibboleth.internet2.edu) is an open-source SSO software package built with Java and C++. Installation and configuration of the Shibboleth software is beyond the scope of this document and is not required for this demonstration.

Identity Provider Web Application – Saml2Shibboleth.IdentityProviderWebDemo or Saml2Shibboleth.IdentityProviderWebDemoVB

This sample is configured to run at port 1423 (you can change the port number on the project property page). The identity provider web application, together with the Service Provider web application, demonstrates SP-initiated single sign-on. The following steps guide you through running this sample project:

1. Log in to the system with the user name iuser and the password password.

(Screenshot: ShiIP)

2. You are now presented with the Identity Provider’s default page.

(Screenshot: ShiIPLoggedIn)

3. Click on the link to access the Service Provider site. You should be presented with the Service Provider’s default page.

(Screenshot: ShiSPIP)

You have successfully completed a SAML 2.0 Single Sign-On and are logged in at the Service Provider with your Identity Provider user name.

How to configure?

You can configure the Identity Provider web application by modifying the settings in the <appSettings> section of its web.config file:

Service Provider Web Application – Saml2Shibboleth.ServiceProviderWebDemo or Saml2Shibboleth.ServiceProviderWebDemoVB

This sample is configured to run at port 1424 (you can change the port number on the project property page). The service provider web application, together with the Identity Provider web application, demonstrates SP-initiated single sign-on. You can log in directly to the local system by entering the credentials suser/password and clicking the Login button (a local login at the SP without Single Sign-On), or follow the steps below to run the application with Single Sign-On. In the SSO scenario, the user attempts to access a protected resource on the service provider; rather than logging in locally at the service provider, SSO is initiated, the user logs in at the identity provider, and the asserted identity, passed to the service provider in a SAML assertion, is used to log the user in automatically at the service provider:

1. Click the Login button under the text "Login at the Identity Provider".

(Screenshot: ShiSP)

2. You should then be presented with the Identity Provider’s login page, since you will be logging in at the identity provider.

(Screenshot: ShiIP)

3. Log in with the user name iuser and the password password. You should then be presented with the service provider’s default page.

(Screenshot: ShiIPIP)

You have successfully completed a SAML 2.0 Single Sign-On and are logged in at the Service Provider with your Identity Provider user name.

How to configure?

You can configure the Service Provider web application by modifying the settings in the <appSettings> section of its web.config file:

How to set up a Google SSO web application using the Ultimate SAML component

This tutorial illustrates how to configure your Google account to work with your IdP Web Application using Ultimate SAML.

Configuring the Saml2GoogleSSO Identity Provider Web Application

You only need to change the list of user credentials in the web.config file. The user name specified in the web.config file must match an account name in Google Apps.

Configuring Google Apps to work with your Identity Provider

To enable and configure single sign-on in Google Apps, follow these steps:

  1. Log in to Google Apps.
  2. Select “Advanced tools”.
  3. Then select “Set up single sign-on (SSO)”.
  4. Upload a certificate, such as SP_X509Certificate_ForGoogleSP.cer from the IdP web application.
  5. Set the Sign-in page URL, Sign-out page URL and Change password URL. For example, when you deploy the test application on your server with the domain name mydomain.com, the following URLs should be specified:
    1. Sign-in page URL: http://www.mydomain.com/service.aspx
    2. Sign-out page URL: http://www.mydomain.com/UserLogout.aspx
    3. Change password URL: http://www.mydomain.com/changepassword.aspx

  6. Add a user in Google Apps that is known to the IdP web application.

Testing the Identity Provider Web Application

The identity provider web application, together with Google Apps, demonstrates SP-initiated single sign-on. To test the application with Ultimate SAML, follow the steps below:

  1. Browse to a Google App (e.g. Google Calendar at http://www.google.com/calendar/hosted/mydomain.com).
  2. You should then be redirected to the IdP’s login page.
  3. Log in with the credentials configured in Google Apps. Make sure that the user name specified in the web.config file matches the user name used to log in to the Google App.
  4. You should then be redirected and signed in to the Google App.
    (Screenshot: LoggedIn)
  5. If you wish to change the account password, click Settings, and then Google Account Settings -> Change password.
  6. To log out from the Google App, click the Sign out link on the Google App page.
  7. You should then be redirected to the IdP sample web application’s logout page.