IT:AD:OIOSAML

Summary

Denmark has an open source (MPL 1.1 license) .NET toolkit supporting our OIOSAML 2.0 profile, which is almost identical to the Liberty SAML 2.0 eGov profile. It requires .NET 3.0 or higher and includes a sample app integrating with IIS.

Note that the original library compiled, but ran incorrectly, in .NET 4.5. I had to recompile a custom copy to get rid of that (as well as of the dependency on Log4Net, which failed hard if it wasn't configured correctly). See IT:AD:OIOSAML:HowTo.

After using the library in production, I'm going to suggest that you consider carefully whether this is the right library for your project. There are other libraries out there. They are not free. But they are probably better.

This library's default configuration and classes have a strong dependence on Session, and it will take considerable effort to make it work in a load-balanced environment. Then again, with correct vendor compartmentalization, you can start with this library and revisit the problem when you grow.

IT:AD:SAML, which IT:AD:OIOSAML works with, isn't well understood by most developers, making it hard to understand how the library is expected to work, and therefore how to configure it and how to debug it.

It's high level, but the following sequence diagram is intended to show the main steps of the interaction. A user accesses a website without a valid site cookie (cookie #1) and is redirected to the signon handler, which prepares a request (working from the info in the config file) that is sent off to the SSO via the browser. There the user enters their username and password; once authenticated, an SSO cookie is generated (cookie #2) and the browser is sent back to the signon handler again. The handler decodes the response package into an OIOSAML identity and issues a FormsAuthentication cookie for the website (cookie #1), and finally the browser is 302'ed back to the original web page recorded in the cookie, this time with a valid site cookie (cookie #1).

It's a WIP.

Sequence diagram (recovered from the image as text).

Participants: UserAgent, FormsAuthenticationModule, UrlAuthorisationModule, SSO, SignOn.ashx, Protected.aspx

Messages, in order:
1. Request Protected.aspx
2. Anonymous Request
3. 401 (Unauthorized)
4. 302 (redirect to SignOn.ashx)
5. Request SignOn.ashx
6. Anonymous Request
7. Unauthorized
8. 302 (redirect to SSO)
9. Postback credentials
10. Authenticate User
11. 302 (redirect to SignOn.ashx)
12. Request SignOn.ashx
13. Anonymous Request
14. Authorized
15. Create SAML Identity in Session or Datastore
16. 302 (redirect to Protected.aspx)
17. Postback Credentials
18. Anonymous Request
19. Authorized
20. 302 (redirect to Protected.aspx, adding Auth Ticket to Cookie)
21. Request Protected.aspx
22. Attach Identity to Thread
23. Authenticated
24. Authorized
25. Render Resource
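The Session dependence noted above and the "Create SAML Identity in Session or Datastore" / "Attach Identity to Thread" steps of the diagram suggest one mitigation, shown in the added example below (not code from this page or from the OIOSAML toolkit; the class, method names and the "role" attribute are assumptions): once the signon handler has decoded the identity, carry it inside the encrypted FormsAuthentication ticket (cookie #1) so that any node behind a load balancer can rebuild the principal without shared Session state.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Security.Principal;
using System.Threading;
using System.Web;
using System.Web.Security;
// Added example, not the toolkit's own code. Assumes all web nodes share the same
// <machineKey>, otherwise a ticket issued on one node will not decrypt on another.
public static class SamlFormsTicket
{
    // Called from the signon handler once the SAML response has been validated. 'nameId' and
    // 'attributes' stand in for the toolkit's identity object; keep only what the site needs (~4 KB cookie limit).
    public static void Issue(HttpContext ctx, string nameId,
                             IDictionary<string, string> attributes, int lifetimeMinutes)
    {
        string userData = string.Join("&", attributes.Select(kv =>
            Uri.EscapeDataString(kv.Key) + "=" + Uri.EscapeDataString(kv.Value)));
        var ticket = new FormsAuthenticationTicket(1, nameId, DateTime.Now,
            DateTime.Now.AddMinutes(lifetimeMinutes), false, userData,
            FormsAuthentication.FormsCookiePath);
        var cookie = new HttpCookie(FormsAuthentication.FormsCookieName, FormsAuthentication.Encrypt(ticket))
        {
            HttpOnly = true,                         // keep script away from the ticket
            Secure = FormsAuthentication.RequireSSL, // TLS-only when requireSSL is configured
            Path = FormsAuthentication.FormsCookiePath
        };
        ctx.Response.Cookies.Add(cookie);
    }

    // Called from Application_AuthenticateRequest on every node: decrypt cookie #1 and
    // attach the identity to the request thread (the diagram's "Attach Identity to Thread").
    public static bool Attach(HttpContext ctx)
    {
        HttpCookie cookie = ctx.Request.Cookies[FormsAuthentication.FormsCookieName];
        if (cookie == null) return false;
        FormsAuthenticationTicket ticket;
        try { ticket = FormsAuthentication.Decrypt(cookie.Value); }
        catch (Exception) { return false; }       // tampered, or encrypted under another key
        if (ticket == null || ticket.Expired) return false;
        var attrs = HttpUtility.ParseQueryString(ticket.UserData);
        // "role" is an assumed attribute name; map it to whatever your IdP actually issues.
        string[] roles = (attrs["role"] ?? "").Split(new[] { ',' }, StringSplitOptions.RemoveEmptyEntries);
        var principal = new GenericPrincipal(new GenericIdentity(ticket.Name, "OIOSAML"), roles);
        ctx.User = principal;
        Thread.CurrentPrincipal = principal;
        return true;
    }
}
```

With the identity carried in the ticket, the signon handler no longer needs Session to bridge the final 302 and the next request for Protected.aspx, which is the part that otherwise breaks without sticky sessions.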