Thursday, December 11, 2014

C# SAML

I recently had to develop SSO authentication for our hosted application using SAML, and hopefully this will help you.

WHY SAML?
If you have a web application and would like to implement SSO (Single Sign On), then you need to ask this key question:
1) Where is the application hosted? Is it in house or hosted in the cloud?

In-House Hosting: In this case you really don't need SAML, as you can work directly with Active Directory, Windows Authentication, etc.

Hosted in the Cloud: This is where you typically implement SAML, as most clients won't be interested in opening up their AD to the internet.

You can read up on SAML for more info, but here are a few key concepts.

Your web application (the Service Provider, SP) will contact the client's SSO (the Identity Provider, IdP) to authenticate a user trying to log in to your application. The IdP provides the authentication information as a Base64-encoded XML string called a SAML Assertion. Your application needs to parse the assertion, verify that it really came from the IdP, and pull out the authentication information (typically the user name and how long the session is valid).

Here is how the information flows:

1) The user tries to access your application.
2) Your code checks whether a SAMLResponse variable is present in the form parameters.
3) If SAMLResponse is null, you redirect to the client's SSO page (could be Ping, F5, etc.).
4) The user enters their credentials there and, if successful, the IdP redirects back to your application's login page.
5) When the redirect comes back from the client's SSO, the SAMLResponse variable will be set and won't be null.
6) The SAML Response (carrying the SAML Assertion) is a Base64-encoded string; decoding it gives you an XML document. You also need the client's certificate to verify the signature on that XML before you trust anything in it.
7) You parse the XML document, get the authentication information, and let the user in.

There are 3 things you need before you start coding:

1) The client's SSO URL.
2) A URL of your application that you provide to the client. This is where the client's SSO will redirect upon successful login (step 1).
3) Certificate information from the client (to verify and read the SAML Assertion).
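The following is a worked version of the flow above (steps 2 to 7) together with the three prerequisites, written here as an added example; it is not the post's own code. It assumes .NET with System.Security.Cryptography.Xml (SignedXml) available; SamlLoginHandler, IdpSsoUrl, the certificate path and the sample response XML are placeholders constructed for this illustration.

```csharp
// Added example; not the code from the original post. Assumes .NET Framework 4.x (reference
// System.Security for SignedXml) or a .NET build that ships System.Security.Cryptography.Xml.
// SamlLoginHandler, IdpSsoUrl, the certificate path and the sample XML are constructed placeholders.
using System;
using System.Collections.Generic;
using System.Security.Cryptography.X509Certificates;
using System.Security.Cryptography.Xml;
using System.Text;
using System.Xml;

public sealed class SamlAuthResult
{
    public string NameId { get; set; }          // user name taken from <saml:NameID>
    public DateTime NotBefore { get; set; }     // start of the assertion's validity window (UTC)
    public DateTime NotOnOrAfter { get; set; }  // end of the assertion's validity window (UTC)
}

public static class SamlLoginHandler
{
    // Prerequisite 1: the client's SSO URL (placeholder value).
    public static string IdpSsoUrl = "https://idp.example.invalid/sso";
    const string SamlP = "urn:oasis:names:tc:SAML:2.0:protocol";
    const string Saml = "urn:oasis:names:tc:SAML:2.0:assertion";
    const string DSig = "http://www.w3.org/2000/09/xmldsig#";

    // Steps 2-3: returns the IdP URL to redirect to when no SAMLResponse was posted, otherwise null.
    public static string RedirectIfNoResponse(IDictionary<string, string> form)
    {
        string raw;
        bool present = form.TryGetValue("SAMLResponse", out raw) && !string.IsNullOrEmpty(raw);
        return present ? null : IdpSsoUrl;
    }

    // Steps 6-7: Base64-decode the response, verify the IdP signature with the client-supplied
    // certificate (prerequisite 3), check the validity window, and extract the user name.
    public static SamlAuthResult ParseResponse(string base64Response, X509Certificate2 idpCert)
    {
        var doc = new XmlDocument();
        doc.PreserveWhitespace = true;  // canonicalization must see the bytes the IdP actually signed
        doc.XmlResolver = null;         // untrusted XML: never fetch external entities or DTDs
        doc.LoadXml(Encoding.UTF8.GetString(Convert.FromBase64String(base64Response)));

        var ns = new XmlNamespaceManager(doc.NameTable);
        ns.AddNamespace("samlp", SamlP); ns.AddNamespace("saml", Saml); ns.AddNamespace("ds", DSig);

        var status = doc.SelectSingleNode("/samlp:Response/samlp:Status/samlp:StatusCode/@Value", ns);
        if (status == null || status.Value != "urn:oasis:names:tc:SAML:2.0:status:Success")
            throw new InvalidOperationException("SAML status is not Success");

        // Verify the XML signature against the pinned IdP certificate only; whatever key material
        // the message itself carries in <ds:KeyInfo> is deliberately ignored.
        var sig = doc.SelectSingleNode("//ds:Signature", ns) as XmlElement;
        if (sig == null) throw new InvalidOperationException("SAML response is not signed");
        var signedXml = new SignedXml(doc);
        signedXml.LoadXml(sig);
        if (!signedXml.CheckSignature(idpCert, true))
            throw new InvalidOperationException("SAML signature verification failed");

        var assertion = doc.SelectSingleNode("/samlp:Response/saml:Assertion", ns) as XmlElement;
        if (assertion == null)
            throw new InvalidOperationException("No plain assertion found (encrypted assertions are not handled here)");

        // The verified signature must actually cover the assertion we are about to trust, i.e. reference
        // the Assertion ID or the enclosing Response ID; otherwise an unsigned assertion could sit
        // beside a validly signed element and still be accepted.
        string assertionRef = "#" + assertion.GetAttribute("ID");
        string responseRef = "#" + doc.DocumentElement.GetAttribute("ID");
        bool covered = false;
        foreach (Reference r in signedXml.SignedInfo.References)
            if (r.Uri == assertionRef || r.Uri == responseRef) covered = true;
        if (!covered) throw new InvalidOperationException("Signature does not cover the assertion");

        // Validity window from <saml:Conditions>; both attributes are optional in SAML, so a missing
        // one imposes no bound. A small clock-skew allowance avoids rejecting otherwise valid logins.
        var cond = assertion.SelectSingleNode("saml:Conditions", ns) as XmlElement;
        string nb = cond == null ? "" : cond.GetAttribute("NotBefore");
        string noa = cond == null ? "" : cond.GetAttribute("NotOnOrAfter");
        DateTime notBefore = nb.Length > 0 ? XmlConvert.ToDateTime(nb, XmlDateTimeSerializationMode.Utc) : DateTime.MinValue;
        DateTime notOnOrAfter = noa.Length > 0 ? XmlConvert.ToDateTime(noa, XmlDateTimeSerializationMode.Utc) : DateTime.MaxValue;
        DateTime now = DateTime.UtcNow; TimeSpan skew = TimeSpan.FromMinutes(3);
        if (now + skew < notBefore || now - skew >= notOnOrAfter)
            throw new InvalidOperationException("Assertion is outside its validity window");

        var nameId = assertion.SelectSingleNode("saml:Subject/saml:NameID", ns);
        if (nameId == null) throw new InvalidOperationException("Assertion has no NameID");
        return new SamlAuthResult { NameId = nameId.InnerText.Trim(), NotBefore = notBefore, NotOnOrAfter = notOnOrAfter };
    }

    public static void Main()
    {
        // Constructed first visit (step 1) with no SAMLResponse: the caller should redirect (step 3).
        Console.WriteLine("Redirect to: " + RedirectIfNoResponse(new Dictionary<string, string>()));

        // Constructed, unsigned response: rejected before any user data is read. The certificate
        // argument is never reached on this path, so null is passed; on the real redirect back (step 5)
        // pass Request.Form["SAMLResponse"] and new X509Certificate2("idp-signing.cer") (placeholder path).
        string unsigned = Convert.ToBase64String(Encoding.UTF8.GetBytes(
            "<samlp:Response xmlns:samlp=\"" + SamlP + "\" ID=\"_r1\"><samlp:Status>" +
            "<samlp:StatusCode Value=\"urn:oasis:names:tc:SAML:2.0:status:Success\"/></samlp:Status></samlp:Response>"));
        try { ParseResponse(unsigned, null); }
        catch (InvalidOperationException e) { Console.WriteLine("Rejected: " + e.Message); }
    }
}
```

The order of checks is the point: decode, confirm the status, verify the signature with the certificate the client handed you, confirm that the signature covers the assertion, check the time window, and only then read the user name. A production handler additionally compares the assertion's Audience to your own entity ID, remembers assertion IDs it has already accepted so a captured response cannot be replayed, and handles EncryptedAssertion if the client's IdP sends one.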

Here is my code