Implementing WIF SAML 2.0 Extension CTP

The WIF runtime has limited support for SAML 2.0 specifications. In Chapter 3, Advanced Programming with Windows Identity Foundation, we have seen how we can extend the SAML 2.0 protocol support in WIF to implement SAML 2.0 profiles for web browser SSO. We created Identity and Service Providers to generate and consume SAML 2.0 Response tokens. By popular demand, the Identity and Access Management team at Microsoft has released the SAML 2.0 Extension CTP for WIF. The CTP contains the Microsoft.IdentityModel.Protocols assembly that extends the WIF runtime to provide extensive support for SAML 2.0 specification. It also provides samples, demonstrating the steps to create SP Lite (OASIS SAML v2.0) compliant Service Providers using the extension API. In this recipe, we will explore the steps to create SAML 2.0 compatible Identity and Service Providers using the SAML 2.0 Extension CTP for WIF.

Getting ready

The prerequisites for creating SP Lite compliant applications using the SAML 2.0 Extension CTP are as follows:

  • Windows Identity Foundation Runtime for .NET Framework 4.0
  • Internet Information Server 7.0
  • Windows Server 2008 machine configured with AD FS 2.0 (In our solution we will use the AD FS 2.0 server configured in Chapter 5, Identity Management with Active Directory Federation Services)

Download the SAML 2.0 Extension CTP from http://connect.microsoft.com/site1168/Downloads/DownloadDetails.aspx?DownloadID=36088. Extract the ZIP package to an accessible location to explore the samples. The Microsoft.IdentityModel.Protocols.dll extension assembly is located under the Common\bin folder. The Identity and Service Provider samples can be opened and compiled using Visual Studio 2010.

How to do it...

Follow these steps to create a Service Provider using the SAML 2.0 Extension CTP that can consume claims from a SAML 2.0 compliant Identity Provider such as AD FS 2.0:

  1. Create a new Visual Studio 2010 empty solution and name it SpLiteSSO.
  2. Add a new Visual Studio C# ASP.NET Web Application project named ServiceProvider and host it in IIS over HTTPS.
  3. Add references to the Microsoft.IdentityModel and Microsoft.IdentityModel.Protocols (from the extracted Extension CTP ZIP package's Common\bin folder) assemblies, as shown in the following screenshot:
  4. Open the SamlConfigTool solution from the Common\SamlConfigTool folder under the extracted package. Compile the solution. Copy the SamlConfigTool.exe and Microsoft.IdentityModel.Protocols.dll files from the bin folder and place them under the ServiceProvider project root folder.
  5. Run SamlConfigTool.exe.
  6. In the SamlConfigTool console, enter the ServiceProvider application URL as the Entity ID and SAML endpoint under the Relying Party Information step. Press Enter. Select the Signing and Encryption certificates:
  7. In the Identity Provider Information step, specify the AD FS 2.0 Federation Metadata URL (configured in Chapter 5, Identity Management with Active Directory Federation Services) as the partner's metadata URL:
  8. SamlConfigTool generates a few files in the ServiceProvider application. The first is the Changes_To_Web-Config.xml file. This file specifies all the changes required in the ServiceProvider project's Web.config file. Make the changes to the Web.config file as specified, which include adding the Saml2AuthenticationModule HttpModule and the microsoft.identityModel.saml configuration sections:
    • The sections shown in the following screenshot must be added to the Web.config file:

    Note

    Notice that the SAML myconfig.xml metadata file is also generated by the SamlConfigTool.

  9. A Federation metadata file for the ServiceProvider application is also generated by SamlConfigTool. Use this file to add the ServiceProvider application as a Relying Party Trust in AD FS 2.0 (follow the steps discussed in Chapter 5, Identity Management with Active Directory Federation Services). Now, you have successfully configured the ServiceProvider application to consume SAML 2.0 tokens issued by AD FS 2.0.

How it works...

When you launch the ServiceProvider application, you will be redirected to AD FS for authentication. SamlConfigTool, in conjunction with Saml2AuthenticationModule, allows identity developers on .NET applications to easily configure support for SAML 2.0 Identity Providers such as AD FS 2.0.

There's more...

The default ASP.NET Web Application comes with its own authentication implementation. You can override the default sign-in and sign-out experience with the Saml2AuthenticationModule methods. For example, the SignIn button-click event handler could implement the following code (the return URL is an application-relative virtual path):

Saml2AuthenticationModule.Current.SignIn("~/Default.aspx");
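The following code-behind is an added example, not code from the book or from the CTP samples. It shows a complete Default.aspx.cs for the ServiceProvider project that wires the SignIn and SignOut buttons to Saml2AuthenticationModule and lists the claims AD FS 2.0 issued. Two things are assumptions rather than facts from the recipe: that Saml2AuthenticationModule lives in the Microsoft.IdentityModel.Web namespace of the CTP assembly and exposes a SignOut(string) overload mirroring SignIn(string), and that the page markup contains a Literal control named ClaimsLiteral and two buttons wired to the handlers below. The one addition worth copying is SafeReturnUrl: because the sign-in entry point takes a return URL, a ReturnUrl query parameter must be restricted to application-relative paths, otherwise the SSO round trip can be turned into an open redirect to an arbitrary host.

```csharp
// Added example for the ServiceProvider project's Default.aspx.cs (not from the book or CTP samples).
// Assumes Microsoft.IdentityModel and Microsoft.IdentityModel.Protocols are referenced and that
// Saml2AuthenticationModule is registered in Web.config as described in step 8 of the recipe.
using System;
using System.Text;
using System.Threading;
using System.Web;
using System.Web.UI;
using Microsoft.IdentityModel.Claims;   // IClaimsPrincipal, IClaimsIdentity, Claim (WIF runtime)
using Microsoft.IdentityModel.Web;      // Saml2AuthenticationModule (assumed CTP namespace)

public partial class _Default : Page
{
    private const string HomePage = "~/Default.aspx";

    protected void Page_Load(object sender, EventArgs e)
    {
        // ClaimsLiteral is an assumed <asp:Literal> in the page markup.
        if (Request.IsAuthenticated)
            ClaimsLiteral.Text = HttpUtility.HtmlEncode(DescribeClaims());
    }

    // SignIn button: starts the SAML 2.0 web browser SSO flow against the configured
    // Identity Provider (AD FS 2.0). The return URL is validated first so that a
    // caller-supplied ReturnUrl cannot redirect the user off-site after authentication.
    protected void SignInButton_Click(object sender, EventArgs e)
    {
        string returnUrl = SafeReturnUrl(Request.QueryString["ReturnUrl"]);
        Saml2AuthenticationModule.Current.SignIn(returnUrl);
    }

    // SignOut button: SignOut(string) is assumed to mirror SignIn(string); check the CTP samples.
    protected void SignOutButton_Click(object sender, EventArgs e)
    {
        Saml2AuthenticationModule.Current.SignOut(HomePage);
    }

    // Accepts only application-relative ("~/x") or site-relative ("/x") paths.
    // "//host" and "/\host" are rejected because browsers treat both as protocol-relative
    // URLs to another host; absolute URLs and scheme-prefixed strings never match at all.
    internal static string SafeReturnUrl(string candidate)
    {
        if (string.IsNullOrEmpty(candidate))
            return HomePage;

        string path = candidate.StartsWith("~/", StringComparison.Ordinal)
            ? candidate.Substring(1)   // strip "~", keep the leading "/"
            : candidate;

        if (path.Length < 1 || path[0] != '/')
            return HomePage;
        if (path.Length > 1 && (path[1] == '/' || path[1] == '\\'))
            return HomePage;

        return "~" + path;
    }

    // Enumerates the claims WIF placed on the thread principal after the SAML Response was consumed.
    private static string DescribeClaims()
    {
        var principal = Thread.CurrentPrincipal as IClaimsPrincipal;
        if (principal == null)
            return "No claims principal on the current thread.";

        var sb = new StringBuilder();
        foreach (IClaimsIdentity identity in principal.Identities)
            foreach (Claim claim in identity.Claims)
                sb.AppendLine(claim.ClaimType + " = " + claim.Value);
        return sb.ToString();
    }
}
```

SafeReturnUrl deliberately returns the home page rather than throwing: a malformed ReturnUrl is a user-controlled input, not an application error, and falling back keeps the sign-in flow working while still refusing to redirect anywhere outside the application.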

Extensibility

The CTP also provides guidelines on extensibility points in the Microsoft.IdentityModel.Protocols assembly such as providing the ability to request attributes from a SAML attribute authority. Refer to the samples provided under the Extensibility folder.
