Sunil-9097 asked:

SAML 2.0 and tokens

Hi,
I am trying to update my .net web application to work with SAML 2.0. I have configured SAML within the Azure Portal i.e created an Enterprise Application, assigned users in Azure Active Directory and set up single Sign-On with SAML.

Now on the web application side, I have the Windows Identity Foundation SDK installed on the server. Can the FedUtil.exe be used to update the web application wherein I can provide the "App Federation Metadata Url" from Azure Portal and it will update the application's web.config and add the FederationMetadata.xml file within the application folder?

I have previously used the FedUtil.exe to update a web application to work with ADFS 3.0 (WS-Fed). Can FedUtil.exe be used if we want the application to work with SAML and not WS-Fed?

Also, how do I ensure that the tokens are in SAML format (xml tags) and not WS-Fed protocol?

Thank you.


amanpreetsingh-msft answered:

@Sunil-9097 Please find below the answers to your questions.

How do I differentiate or know if the application using SAML and not WS-Fed?

  1. WS-Fed: If the request has the parameters below, it means the application is using WS-Fed:

    • Wa=signin1.0: To invoke a login for the user.

    • Wtrealm: This tells IDP what application you are trying to get to.

    • Wctx: This is some session data that the application wants sent back to it after the user authenticates.

    • wct: This is the exact time I tried to gain access to the application.

  2. SAML: If the request has the parameters below, it means the application is using the SAML protocol:

    • SAMLRequest: This is a Base64 encoded XML value.

    • RelayState: This is some session data that the application wants sent back to it after I authenticate against IDP.

    • SigAlg: Which signature algorithm was used to sign the request.

    • Signature: The digital signature of the request above.

Is there any link available to implement SAML 2.0 (not WS-Fed) in ASP.NET C# web application to authenticate users?

Please refer to the GitHub link below, which includes a SAML client library that allows adding SAML single sign-on to your ASP.NET app:

Please "accept as answer" wherever the information provided helps you to help others in the community.

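An added example (not from the original post, and not Microsoft code) that turns the two parameter lists above into a check you can run against an incoming request: it classifies the request by parameter names and, for SAML, decodes the message (Base64 for the POST binding, Base64 plus raw DEFLATE for the HTTP-Redirect binding) to report the message type and Issuer. The sample AuthnRequest, the issuer URL and the WS-Fed query string are constructed for the demo; Python is used instead of C# so the snippet runs stand-alone.

```python
import base64
import zlib
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs, urlencode

# Parameter names from the answer above (WS-Fed names are lower-case on the wire).
WSFED_PARAMS = {"wa", "wtrealm", "wctx", "wct", "wresult"}
SAML_PARAMS = {"SAMLRequest", "SAMLResponse", "RelayState", "SigAlg", "Signature"}
SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"

def classify(params):
    """Name the protocol from parameter names alone (works for requests and responses)."""
    keys = set(params)
    if keys & SAML_PARAMS:
        return "SAML 2.0"
    if "wa" in keys and keys & (WSFED_PARAMS - {"wa"}):
        return "WS-Federation"
    return "unknown"

def decode_saml_message(value, redirect_binding):
    """Base64 (POST binding) or Base64 + raw DEFLATE (Redirect binding) -> XML root."""
    raw = base64.b64decode(value)
    if redirect_binding:
        raw = zlib.decompress(raw, -15)  # -15: raw DEFLATE stream, no zlib header
    return ET.fromstring(raw)  # stdlib parser; it does not fetch external entities

def inspect(query="", form=None):
    """Classify one request; for SAML also name the message element and its Issuer."""
    form = form or {}
    params = {k: v[0] for k, v in parse_qs(query).items()}
    params.update(form)
    info = {"protocol": classify(params)}
    for name in ("SAMLRequest", "SAMLResponse"):
        if name in params:
            root = decode_saml_message(params[name], redirect_binding=name not in form)
            info["message"] = root.tag.split("}")[-1]  # e.g. AuthnRequest / Response
            issuer = root.find(f"{{{SAML_NS}}}Issuer")
            info["issuer"] = issuer.text if issuer is not None else None
    return info

def sample_saml_redirect_query(issuer="https://www.domain.com/DemoSAMLApp/"):
    """Constructed AuthnRequest, encoded the way the HTTP-Redirect binding sends it."""
    xml = (f'<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
           f'xmlns:saml="{SAML_NS}" ID="_constructed1" Version="2.0" '
           f'IssueInstant="2021-01-01T00:00:00Z"><saml:Issuer>{issuer}</saml:Issuer>'
           f'</samlp:AuthnRequest>')
    deflater = zlib.compressobj(9, zlib.DEFLATED, -15)
    data = deflater.compress(xml.encode()) + deflater.flush()
    return urlencode({"SAMLRequest": base64.b64encode(data).decode(), "RelayState": "app-state"})

# Constructed WS-Fed sign-in request for comparison (wa=wsignin1.0 plus wtrealm/wctx).
SAMPLE_WSFED_QUERY = "wa=wsignin1.0&wtrealm=https://www.domain.com/DemoSAMLApp/&wctx=app-state"
```

Run `inspect(sample_saml_redirect_query())` and `inspect(SAMPLE_WSFED_QUERY)` to see the two classifications side by side; for a POST-binding response pass `form={"SAMLResponse": ...}` instead of a query string.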

Thanks for all the information above. It helped me to get the SAML authentication to work.

soumi-MSFT answered:

@Sunil-9097, you can check the steps mentioned below in order to use the FedUtil.exe:

Perform these steps in the Azure Portal:
  1. Navigate to the Azure Portal.

  2. Log in.

  3. Navigate to Azure Active Directory in the left navigation pane.

  4. In Azure Active Directory, click Enterprise Applications.

  5. Click All Applications.

  6. In Enterprise applications – All applications – Click Add.

  7. In Add an application, click the Non-gallery application tile.

  8. In Add your own application, type a name for the application, like DemoSAMLApp and click Add.

  9. In the list for the new application, click Single Sign-on.

  10. Select SAML-based Sign-on as the mode, by using the drop-down menu.

  11. New options will appear underneath the mode field.

  12. Define IDENTIFIER and REPLY URL. Use https://www.domain.com/DemoSAMLApp/ for both values. Replace domain.com with your domain information.

  13. Don’t forget to add the trailing slash.

  14. When done, scroll up and click Save in the top ribbon.

Next, perform these steps:
  1. Navigate to C:\Program Files (x86)\Windows Identity Foundation SDK\v3.5

  2. Double-click fedutil.exe to run the Federation Utility Wizard.

  3. For the Application configuration location, browse to the web.config file in C:\Inetpub\wwwroot\DemoSAMLApp. For the Application URI, specify https://www.domain.com/DemoSAMLApp/. Replace domain.com with your domain information. Click Next > when done.

  4. On the Security Token Service window, select Use an existing STS. Use https://login.microsoftonline.com/TenantID/federationmetadata/2007-06/federationmetadata.xml as the STS WS-Federation metadata document location. Replace TenantId with your Azure AD Tenant information.

  5. Select Test location… When you get a load of gibberish in Internet Explorer, you’ll know it works.

  6. Close Internet Explorer.

  7. Click Next > four times.

  8. On the Summary screen, select the option to Schedule a task to perform daily WS-Federation metadata updates. Click Finish.

  9. Click OK when the Federation Utility Wizard is done configuring.
Hope this helps.
Please take a moment to "Mark as Answer" and/or "Vote as Helpful" wherever applicable. Thanks!

Thanks. I had already performed the same steps as you mentioned above. My question was after performing the above steps, how do I differentiate or know if the application is using SAML and not WS-Fed? My requirement is to implement SAML 2.0 in my ASP.NET C# web application to authenticate users. After running FedUtil.exe, the web.config has the same keys as WS-Fed, hence I am not sure if it's specifically using SAML. Is this the correct approach to implement SAML?

I tried to write code to receive SAML tokens using Microsoft.IdentityModel.Tokens.Saml2 in HttpContext.Current.Request.Form["SAMLResponse"].
Is there any link available to implement SAML 2.0 (not WS-Fed) in ASP.NET C# web application to authenticate users?