C# SAML 2.0 SSO – Tips and Pitfalls

By Akbar

Recently, one of my clients decided to support SAML 2.0 for SSO on their website. Since the plan was only to act as a Service Provider, it was decided to use a custom implementation in C#, given that the overall concept of SAML sounds very simple at the start. In the end, even though we were able to get the service working in less than 2 days for an internal demo, we ran into many integration problems when working with the Identity Providers of clients, which used different SAML 2.0 implementations on various platforms. A few examples of these issues were:

– Some clients sent deflated (compressed) XML while others did not.
– The choice of encryption algorithms differed considerably from client to client.
– Clients used different NameID formats.
– Clients differed in how SAML attributes were communicated and passed.
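The first pitfall above is the one a custom Service Provider hits earliest: a SAMLRequest/SAMLResponse parameter may arrive DEFLATE-compressed and base64-encoded (HTTP-Redirect binding) or base64-encoded only (HTTP-POST binding). The following is an added example, not the client's code or the post's own, showing one way to accept both forms and then parse the XML with DTD and external-entity resolution disabled; the class and method names are hypothetical.

```csharp
using System;
using System.IO;
using System.IO.Compression;
using System.Text;
using System.Xml;

public static class SamlMessageDecoder // hypothetical helper, not from the post
{
    // Returns the XML text of a SAMLRequest/SAMLResponse parameter value.
    // The HTTP-Redirect binding applies raw DEFLATE (RFC 1951) before base64;
    // the HTTP-POST binding uses base64 only. Peers differ, so handle both.
    public static string DecodeToXml(string base64Payload)
    {
        byte[] raw = Convert.FromBase64String(base64Payload.Trim());

        // Plain XML starts with '<'; a DEFLATE stream does not,
        // so only attempt inflation when the payload is not already XML.
        if (raw.Length > 0 && raw[0] == (byte)'<')
            return Encoding.UTF8.GetString(raw);

        try
        {
            using (var input = new MemoryStream(raw))
            using (var deflate = new DeflateStream(input, CompressionMode.Decompress))
            using (var reader = new StreamReader(deflate, Encoding.UTF8))
                return reader.ReadToEnd();
        }
        catch (InvalidDataException)
        {
            // Not a DEFLATE stream after all: treat the bytes as the XML itself.
            return Encoding.UTF8.GetString(raw);
        }
    }

    // Parse the decoded XML with DTDs and external entity resolution disabled,
    // so a hostile or misconfigured peer cannot use the parser for XXE.
    public static XmlDocument ParseSecurely(string xml)
    {
        var settings = new XmlReaderSettings
        {
            DtdProcessing = DtdProcessing.Prohibit,
            XmlResolver = null
        };
        var doc = new XmlDocument { XmlResolver = null };
        using (var reader = XmlReader.Create(new StringReader(xml), settings))
            doc.Load(reader);
        return doc;
    }
}
```

Decoding and parsing is only the first step; signature validation on the resulting document still has to happen before any assertion content is trusted.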

Now when I look back, I think it may have been best if we had instead opted for an existing C# library to support SAML. If you ask for my recommendation on C# SAML 2.0 libraries, I would suggest these (in the listed order):

Microsoft SAML 2.0 (WIF)
ComponentSpace.com SAML v2.0
C# SAML 2.0

Even though I now think using a pre-built library would have been the better option, the custom implementation was a great learning experience, and it also gave us more control over enforcing some custom integration rules for our clients. If you want to implement SAML, or are just exploring existing libraries, here are some of the tools and tips I would like to share:

1. XML Schema Definition Tool

The XML Schema Definition (Xsd.exe) tool generates XML schemas or common language runtime classes from XDR, XML, and XSD files, or from classes in a runtime assembly. In my case, I gave this tool the XML Schema for SAML 2.0, and it automatically generated all the C# classes for the SAML 2.0 object hierarchy. This was a great help in the overall implementation.

2. SAMLTool

This website not only provides very good documentation on SAML, but its Online Tools are a great help in debugging and resolving various SAML integration issues. The tools you will commonly use during development and debugging are the Base64 Encoder/Decoder, XML Inflate/Deflate, GZip, and Encrypt/Decrypt XML. Another tool worth exploring is the metadata generator for Identity Providers and Service Providers.

3. TestShib – SAML Online Testing

Once you have developed and deployed your SAML Identity or Service Provider, you will commonly run into issues while working with various clients that use different implementations of the SAML 2.0 protocol. This can be due to a configuration issue on your end or the client's, or a problem in your implementation of SAML. In any case, I think this online testing tool is worth exploring and trying. To use it, all you have to do is upload your metadata file, and you are ready to test your Identity or Service Provider.

Tip: When testing your Identity Provider, if you get an “Unable to locate metadata for identity provider” error right after uploading a new metadata file, all you have to do is wait a few minutes. In my experience it usually takes 2-3 minutes after uploading before the metadata is accessible to their testing server.

In the end, I would say it doesn’t matter whether you do your own custom implementation of SAML or decide to use an existing library; with the right development, debugging and testing tools this tricky project becomes a lot of fun and is a great learning experience.
