C# SAML 2.0 SSO – Tips and Pitfalls

By Akbar

SAML 2.0

Recently, one of my clients decided to support the SAML 2.0 for SSO to their website. Since, the plan was to just support it as Service Provider, it was decided to use a custom implementation in C# as the overall concept and idea is of SAML sounds very simple. In the end, even though we were able to make the service work and running in less than 2 days for internal demo, we ran into many integration problem when working with Identity Providers of client using the different SAML 2.0 implementation on various platforms. We run into problems like:

– Some clients were using Deflated XML while others were not
– Encryption Algorithms Choice per client
– Difference in the NameID format being used
– Difference in how SAML attributes were being communicated/passed

Now when I look back, I think it may have been best if we have instead opted for a C# library to support SAML 2.0. If you ask for my recommendation on C# SAML 2.0 libraries , I would suggest these (in listed order):

Microsoft SAML 2.0 (WIF)
ComponentSpace.com SAML v2.0
C# SAML 2.0

Now even though I now think using library would have been rather best option, the custom implementation was great learning experience, and also provided us more control on enforcing some custom integration rules for clients. If you want to implement SAML or just just some existing library, here are some of the tools/tips I would like to share with you all:

1. XML Schema Definition Tool

The XML Schema Definition (Xsd.exe) tool generates XML schema or common language runtime classes from XDR, XML, and XSD files, or from classes in a runtime assembly. What I did was gave this tool the XML Schema for the SAML 2.0, and it automatically generated all the C# classes for the SAML 2.0 object hierarchy, which was of great help in overall implementation.

2. SAMLTool

This website not only provides very good documentation on the SAML, but its Online Tools are of great help in debugging and resolving various SAML integration issues. The common tools you would use during development and debugging are Base64 Encoder/Decoder, XML Inflate/Deflate, GZip, and Encrypt/Decrypt XML. Another tool worth exploring is the meta-data generator for Identity Provider and Service Provider.

3. TestShib – SAML Online Testing 

Once you have developed and deployed your SAML Identity or Service Provider, it’s common that you run into issues while working with various clients using different implementation of SAML 2.0. This can be due to some configuration issue on your end, or a problem in your implementation of SAML. In any case, I think this online testing tool is worth exploring and trying. To use this too, all you have to do is upload your metadata file, and you are ready to test your Identity or Service Provider.

Tip: When testing your Identity Provider, if you get “Unable to locate metadata for identity provider” error after just uploading an new Metadata file, then all you have to do is wait for few minutes. My experience is that it usually takes 2-3 minutes before metadata is accessible to their testing server after uploading.

In the end, either you do your custom implementation for SAML 2.0 or support this using some existing library, with right development, debugging and testing tools this tricky project becomes a fun project.

Tags: , , ,