SAML 2.0 and tokens

Sunil 26 Reputation points
2020-01-10T07:45:03.723+00:00

Hi,
I am trying to update my .NET web application to work with SAML 2.0. I have configured SAML within the Azure Portal, i.e. created an Enterprise Application, assigned users in Azure Active Directory and set up Single Sign-On with SAML.

Now on the web application side, I have the Windows Identity Foundation SDK installed on the server. Can the FedUtil.exe be used to update the web application wherein I can provide the "App Federation Metadata Url" from Azure Portal and it will update the application's web.config and add the FederationMetadata.xml file within the application folder?

I have previously used the FedUtil.exe to update a web application to work with ADFS 3.0 (WS-Fed). Can FedUtil.exe be used if we want the application to work with SAML and not WS-Fed?

Also, how do I ensure that the tokens are in SAML format (xml tags) and not WS-Fed protocol?

Thank you.

Microsoft Entra ID
A Microsoft Entra identity service that provides identity management and access control capabilities. Replaces Azure Active Directory.

Accepted answer
  1. AmanpreetSingh-MSFT 56,306 Reputation points
    2020-01-13T07:58:47.613+00:00

    @Sunil Please find below the answers to your questions.

    How do I differentiate or know if the application is using SAML and not WS-Fed?

    1. WS-Fed: If the request has the parameters below, it means the application is using WS-Fed:
      • Wa=signin1.0: To invoke a login for the user.
      • Wtrealm: This tells IDP what application you are trying to get to.
      • Wctx: This is some session data that the application wants sent back to it after the user authenticates.
      • wct: This is the exact time I tried to gain access to the application.
    2. SAML: If the request has the parameters below, it means the application is using the SAML protocol:
      • SAMLRequest: This is a Base64 encoded XML value.
      • RelayState: This is some session data that the application wants sent back to it after I authenticate against IDP.
      • SigAlg: Which signature algorithm was used to sign the request.
      • Signature: The digital signature of the request above.

    Is there any link available to implement SAML 2.0 (not WS-Fed) in ASP.NET C# web application to authenticate users?

    Please refer to the GitHub link below, which includes a SAML client library that allows adding SAML single sign-on to your ASP.NET app:


    Please "accept as answer" wherever the information provided helps you to help others in the community.

    1 person found this answer helpful.
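The parameter lists in the accepted answer, turned into a small request classifier. This is an added example, not code from the answer or from Microsoft: it inspects a sign-in URL's query string, reports which protocol's parameters are present and, for a SAML HTTP-Redirect request, base64-decodes and inflates the SAMLRequest so the XML can be examined. The sample URLs and the AuthnRequest are constructed; TenantID is the placeholder this page already uses.

```python
import base64
import zlib
from urllib.parse import parse_qs, urlencode, urlsplit

# Parameter names the answer lists for each protocol.
WSFED_PARAMS = {"wa", "wtrealm", "wctx", "wct"}
SAML_PARAMS = {"SAMLRequest", "RelayState", "SigAlg", "Signature"}

def build_saml_redirect_url(idp_sso_url, authn_request_xml, relay_state=None):
    """HTTP-Redirect binding encoding: raw DEFLATE, base64, then URL-encode."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)  # -15 = raw deflate, no header
    deflated = comp.compress(authn_request_xml.encode("utf-8")) + comp.flush()
    params = {"SAMLRequest": base64.b64encode(deflated).decode("ascii")}
    if relay_state is not None:
        params["RelayState"] = relay_state
    return f"{idp_sso_url}?{urlencode(params)}"

def classify_request(url):
    """Name the protocol a sign-in URL speaks, judged by its query parameters.
    For SAML, also decode SAMLRequest (Redirect binding assumed, plain base64
    accepted as a fallback) and record whether SigAlg and Signature are present."""
    query = parse_qs(urlsplit(url).query, keep_blank_values=True)
    lowered = {k.lower(): v for k, v in query.items()}  # WS-Fed names vary in case
    result = {"protocol": "unknown", "matched": [], "signed": False, "xml": None}
    if "wa" in lowered:
        result["protocol"] = "WS-Fed"
        result["matched"] = sorted(p for p in WSFED_PARAMS if p in lowered)
    elif "SAMLRequest" in query:  # SAML parameter names are case-sensitive
        result["protocol"] = "SAML"
        result["matched"] = sorted(p for p in SAML_PARAMS if p in query)
        result["signed"] = "SigAlg" in query and "Signature" in query
        raw = base64.b64decode(query["SAMLRequest"][0])
        try:
            result["xml"] = zlib.decompress(raw, -15).decode("utf-8")
        except zlib.error:
            result["xml"] = raw.decode("utf-8")
    return result

# Constructed sample inputs; TenantID is the placeholder used on this page.
WSFED_URL = ("https://login.microsoftonline.com/TenantID/wsfed?wa=wsignin1.0"
             "&wtrealm=https%3A%2F%2Fwww.domain.com%2FDemoSAMLApp%2F"
             "&wctx=rm%3D0&wct=2020-01-10T07%3A45%3A03Z")
AUTHN_REQUEST_XML = (
    '<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    'ID="_req1" Version="2.0" IssueInstant="2020-01-10T07:45:03Z" '
    'AssertionConsumerServiceURL="https://www.domain.com/DemoSAMLApp/">'
    '<saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">'
    'https://www.domain.com/DemoSAMLApp/</saml:Issuer></samlp:AuthnRequest>')
SAML_URL = build_saml_redirect_url(
    "https://login.microsoftonline.com/TenantID/saml2", AUTHN_REQUEST_XML, "rm=0")
```

Running `classify_request` over the two constructed URLs shows the WS-Fed one matching all four `w*` parameters and the SAML one yielding the original AuthnRequest XML with no signature parameters present.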

1 additional answer

Sort by: Most helpful
  1. soumi-MSFT 11,716 Reputation points Microsoft Employee
    2020-01-10T09:42:13.883+00:00

    @Sunil, you can check the steps mentioned below in order to use the FedUtil.exe:

    Perform these steps in the Azure Portal:

    1. Navigate to the Azure Portal.
    2. Log in.
    3. Navigate to Azure Active Directory in the left navigation pane.
    4. In Azure Active Directory, click Enterprise Applications.
    5. Click All Applications.
    6. In Enterprise applications – All applications – Click Add.
    7. In Add an application, click the Non-gallery application tile.
    8. In Add your own application, type a name for the application, like DemoSAMLApp and click Add.
    9. In the list for the new application, click Single Sign-on.
    10. Select SAML-based Sign-on as the mode, by using the drop-down menu.
    11. New options will appear underneath the mode field.
    12. Define IDENTIFIER and REPLY URL. Use https://www.domain.com/DemoSAMLApp/ for both values. Replace domain.com with your domain information.
    13. Don’t forget to add the trailing slash.
    14. When done, scroll up and click Save in the top ribbon.

    Next, perform these steps:

    1. Navigate to C:\Program Files (x86)\Windows Identity Foundation SDK\v3.5
    2. Double-click fedutil.exe to run the Federation Utility Wizard.
    3. For the Application configuration location, browse to the web.config file in C:\Inetpub\wwwroot\DemoSAMLApp. For the Application URI, specify https://www.domain.com/DemoSAMLApp/. Replace domain.com with your domain information. Click Next > when done.
    4. On the Security Token Service window, select Use an existing STS. Use https://login.microsoftonline.com/TenantID/federationmetadata/2007-06/federationmetadata.xml as the STS WS-Federation metadata document location. Replace TenantId with your Azure AD Tenant information.
    5. Select Test location… When you get a load of gibberish in Internet Explorer, you’ll know it works.
    6. Close Internet Explorer.
    7. Click Next > four times.
    8. On the Summary screen, select the option to Schedule a task to perform daily WS-Federation metadata updates. Click Finish.
    9. Click OK when the Federation Utility Wizard is done configuring.

    Hope this helps.

    ---------------------------------------------------------------------------------------------------------------------------------------

    Please take a moment to "Mark as Answer" and/or "Vote as Helpful" wherever applicable. Thanks!

    1 person found this answer helpful.