IT:AD:OIOSAML

Summary

Denmark has an open source (MPL 1.1 license) .NET toolkit supporting our OIOSAML 2.0 profile, which is almost identical to the Liberty SAML 2.0 eGov profile. It requires .NET 3.0 or higher and includes a sample app integrating with IIS.

Note that the original library compiled, but ran incorrectly, in .NET 4.5. I had to recompile a custom copy to get rid of that (as well as the dependency on Log4Net, which failed hard if it wasn't configured correctly). See IT:AD:OIOSAML:HowTo.

After using the library in production, I'm going to suggest that you consider carefully whether this is the right library for your project. There are other libraries out there. They are not free. But they are probably better.

This library's default configuration and classes have a strong dependence on Session, and it will require considerable effort to make it work in a load-balanced environment. Then again, with correct vendor compartmentalization, you can start with this library and revisit the problem when you grow.

IT:AD:SAML, which IT:AD:OIOSAML implements, isn't well understood by most developers, making it hard to understand how the library is expected to work, and therefore how to configure it and how to debug it.

It's high level, but the following sequence diagram is intended to show the main steps of the interaction. A user accesses a website without a valid site cookie (cookie #1) and is redirected to the sign-on handler, which prepares a request (working from info in the config file) that is sent off to the SSO via the browser. There the user enters their username and password; once authenticated, an SSO cookie is generated (cookie #2) and the browser is sent back to the sign-on handler again. The handler decodes the response package into an OIOSAML identity, issues a FormsAuthentication cookie for the website (cookie #1), and finally 302s the browser back to the original web page recorded in the cookie, this time with a valid site cookie (cookie #1).

It's a WIP.


!includeurl http://skysigal.com/_media/resources/configuration/plantuml/minimalist.txt

Participant UserAgent
Participant FormsAuthenticationModule
Participant UrlAuthorisationModule
Participant SSO

UserAgent -> FormsAuthenticationModule : Request Protected.aspx
FormsAuthenticationModule -> UrlAuthorisationModule : Anonymous Request
UrlAuthorisationModule --> FormsAuthenticationModule : 401 (Unauthorized)
FormsAuthenticationModule --> UserAgent : 302 (redirect to SignOn.ashx)
UserAgent -> FormsAuthenticationModule : Request SignOn.ashx
FormsAuthenticationModule -> UrlAuthorisationModule : Anonymous Request
UrlAuthorisationModule -> SignOn.ashx : Unauthorized
SignOn.ashx --> UserAgent : 302 (redirect to SSO)
UserAgent -> SSO : Postback credentials
SSO -> SSO : Authenticate User
SSO --> UserAgent : 302 (redirect to SignOn.ashx)
UserAgent -> FormsAuthenticationModule : Request SignOn.ashx
FormsAuthenticationModule -> UrlAuthorisationModule : Anonymous Request
UrlAuthorisationModule -> SignOn.ashx : Authorized
SignOn.ashx -> SignOn.ashx : Create SAML Identity\nin Session or Datastore
SignOn.ashx -> UserAgent : 302 (redirect to Protected.aspx)
UserAgent -> FormsAuthenticationModule : Postback Credentials
FormsAuthenticationModule -> UrlAuthorisationModule : Anonymous Request
UrlAuthorisationModule -> SignOn.ashx : Authorized
SignOn.ashx --> UserAgent : 302 (redirect to Protected.aspx, adding Auth Ticket to Cookie)
UserAgent -> FormsAuthenticationModule : Request Protected.aspx
FormsAuthenticationModule -> FormsAuthenticationModule : Attach Identity to Thread
FormsAuthenticationModule -> UrlAuthorisationModule : Authenticated
UrlAuthorisationModule -> Protected.aspx : Authorized
Protected.aspx -> UserAgent : Render Resource
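As an added illustration (not code from the OIOSAML.NET toolkit or from this page), a hypothetical handler standing in for SignOn.ashx at the step in the diagram where the OIOSAML identity has been decoded and the site cookie (cookie #1) is issued. It assumes the toolkit's Saml20Identity.Current / Saml20Identity.IsInitialized() API and a ReturnUrl query parameter carrying the original page; copying what later requests need into the ticket's UserData is one way to let a load-balanced farm rebuild the principal from the cookie alone, without the Session dependency noted above.

```csharp
using System;
using System.Web;
using System.Web.Security;
using dk.nita.saml20.identity;   // OIOSAML.NET (assumed namespace, see lead-in)

// Hypothetical handler that runs after OIOSAML.NET has validated the SAML response.
public class IssueSiteCookieHandler : IHttpHandler
{
    public bool IsReusable { get { return false; } }

    public void ProcessRequest(HttpContext context)
    {
        // Saml20Identity.Current is the identity the toolkit built from the assertion
        // (assumed API; by default it is backed by Session, hence the load-balancing problem).
        if (!Saml20Identity.IsInitialized())
        {
            context.Response.StatusCode = 401;
            return;
        }
        var identity = Saml20Identity.Current;

        // Put what later requests need into the ticket's UserData so any node in the farm
        // can rebuild the principal from cookie #1 alone. Keep it small: the whole ticket
        // travels in the cookie on every request.
        string userData = identity.Name;   // e.g. the NameID; add selected attributes if needed

        var ticket = new FormsAuthenticationTicket(
            2, identity.Name, DateTime.Now, DateTime.Now.AddMinutes(30),
            false /* not persistent */, userData, FormsAuthentication.FormsCookiePath);

        var cookie = new HttpCookie(FormsAuthentication.FormsCookieName,
                                    FormsAuthentication.Encrypt(ticket))
        {
            HttpOnly = true,
            Secure = FormsAuthentication.RequireSSL
        };
        context.Response.Cookies.Add(cookie);   // this is cookie #1

        // ReturnUrl came from the browser (assumed parameter): only redirect within this site.
        string returnUrl = context.Request.QueryString["ReturnUrl"];
        if (string.IsNullOrEmpty(returnUrl) || !IsLocalPath(returnUrl))
            returnUrl = FormsAuthentication.DefaultUrl;
        context.Response.Redirect(returnUrl, false);   // the final 302 in the diagram
    }

    private static bool IsLocalPath(string url)
    {
        // Accepts "/app/Protected.aspx"; rejects "//host/..." and absolute URLs.
        return url.StartsWith("/", StringComparison.Ordinal)
            && !url.StartsWith("//", StringComparison.Ordinal)
            && !url.StartsWith("/\\", StringComparison.Ordinal);
    }
}
```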