We frequently coach Product Owners and Development Teams on how to add SAML 2.0 authentication to C# and ASP.NET applications, and we wanted to share an overview of what is involved with moving from username/password based authentication to single sign-on via SAML.
This article is not meant to be an in-depth tutorial on the SAML authentication protocol. We give you an overview of the different implementation options and trade-offs as well as addressing common questions about the effort required to turn your C# or ASP.NET application into a SAML Service Provider.
There are three main approaches to adding SAML authentication to a C# or ASP.NET application: using a commercial SAML component, running Shibboleth as your SAML Service Provider in front of IIS, or using an open source SAML library.
Option #1 – Commercial SAML Component
There are two popular commercial SAML components available for C# and ASP.NET – ComponentSpace ($499 for a single developer license) and ComponentPro’s Ultimate SAML ($299 for Standard Edition single developer license). Both of these libraries give you a software-based SAML Service Provider complete with documentation, examples and support. These libraries also include a SAML Identity Provider, which is useful for testing. You can download a free evaluation version of both libraries.
Pros:
- You will not have to implement any of the SAML protocol in your application
- Commercial support and software updates are available
- Test IdP is included
- Ideal for SaaS applications (e.g. if you are not using IIS to host your app, your app is multi-tenant, and/or you want to let customers self-service the upload of their IdP metadata)
Cons:
- You could say cost is a con, but going with a commercial SAML component is typically more cost effective than trying to adapt an open source SAML library or writing the SAML authentication code by hand
- If your application is redistributed (e.g. white labeled), you need to read the license terms carefully
Other implementation considerations:
- If you are selling your app to higher-education customers, you may want to pick Shibboleth as your SAML Service Provider solution because it is widely used in higher-education, and it will likely save you some headaches
Option #2 – Shibboleth Service Provider
Shibboleth is a mature open source SAML Service Provider implementation that integrates with IIS as an ISAPI filter (newer releases also ship a native IIS module). You protect a location on your web server (e.g. /secure), and when a browser requests a URL under that "Shibboleth-protected" location, the Shibboleth web server module is triggered and takes care of all of the SAML authentication steps. Control is only passed to your application after a successful IdP authentication, and your application reads the identity and attributes of the logged-in user from Server Variables that the module populates. Note that this protection applies only to the configured location: your application should never trust those variables on a request that did not come through it.
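The following is an added example, not code from the original article or from the Shibboleth project: a small helper for an ASP.NET (System.Web) application that reads the identity the Shibboleth SP module has already established for a request under the protected location. The attribute ids used (eppn, displayName, affiliation) are assumptions and must match the `id` values in your attribute-map.xml; `Shib-Session-ID` and `Shib-Identity-Provider` are the variables the SP sets to describe the session.

```csharp
// Added example (not from the article): reading the Shibboleth-established identity
// from ASP.NET Server Variables. Attribute ids below are assumptions that must
// match attribute-map.xml.
using System;
using System.Web;

public sealed class ShibbolethUser
{
    public string Eppn { get; private set; }
    public string DisplayName { get; private set; }
    public string[] Affiliations { get; private set; }
    public string IdentityProvider { get; private set; }

    public static ShibbolethUser FromRequest(HttpRequest request)
    {
        // Read from ServerVariables only. A request header can be supplied by the
        // client; a server variable is written by the SP module itself. (If you
        // turn on useHeaders in the SP config you are trusting headers instead and
        // must rely on the SP stripping any incoming copies.)
        string sessionId = request.ServerVariables["Shib-Session-ID"];
        if (string.IsNullOrEmpty(sessionId))
        {
            // No SP session: this URL is not inside the protected location or the
            // module is not running. Fail closed rather than treating the request
            // as anonymous-but-allowed.
            throw new HttpException(401, "Request was not authenticated by the Shibboleth SP");
        }

        string eppn = request.ServerVariables["eppn"];
        if (string.IsNullOrEmpty(eppn))
        {
            // A session exists but the IdP did not release the identifier we key
            // accounts on. Forbid, do not invent an identity from other attributes.
            throw new HttpException(403, "IdP did not release eppn");
        }

        // Multi-valued attributes arrive as one string joined with ';' (the SP's
        // default value delimiter).
        string affiliation = request.ServerVariables["affiliation"] ?? string.Empty;

        return new ShibbolethUser
        {
            Eppn = eppn,
            DisplayName = request.ServerVariables["displayName"],
            IdentityProvider = request.ServerVariables["Shib-Identity-Provider"],
            Affiliations = affiliation.Split(new[] { ';' }, StringSplitOptions.RemoveEmptyEntries)
        };
    }
}

// Usage from a page or handler that lives under the protected location (/secure):
//   var user = ShibbolethUser.FromRequest(Request);
//   FormsAuthentication.SetAuthCookie(user.Eppn, false);   // start your own app session
```

Because the SP module does all of the SAML work, this is the only application code the Shibboleth approach needs; the important design choice is to read from `ServerVariables` and to fail closed when the session or the key attribute is missing.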
Pros:
- Shibboleth is open source software, so there are no license costs
- Shibboleth is ideal for situations where you run your own IIS server and you do not have a requirement to allow self-service configuration changes
- Shibboleth is the preferred SAML Service Provider for Identity Federations like InCommon
- A Shibboleth implementation could save you time over a software based SAML Service Provider implementation and might be the best approach if you have legacy software that you need to SAML-enable. The only code modification required is to read the Server Variables set by Shibboleth after a successful IdP login
- Commercial support for Shibboleth is available
Cons:
- Shibboleth is driven by XML configuration files (shibboleth2.xml, attribute-map.xml and friends). Most configuration changes require restarting the shibd service, so there is no self-service, on-the-fly reconfiguration
- The Shibboleth SP is native (C++) code, a shibd service plus the web server module, but it can still be a bit of a memory hog on Windows, especially once you load a large federation's metadata or turn on debug logging. (It is the Shibboleth IdP, not the SP, that is Java based)
- Advanced Shibboleth configurations can be a little tricky to implement and may require support
- You will likely need a test Identity Provider. TestShib has been one option; standing up your own test IdP (for example with SimpleSAMLphp) is another
Option #3 – Open Source SAML Service Provider Libraries
We typically do not recommend using the available open source C# and ASP.NET SAML Service Provider libraries for production implementations. The available open source libraries are typically missing key features of the SAML protocol (e.g. single logout, decrypting encrypted assertions, etc.), and a library that skips a validation step is a security problem rather than just a feature gap. You may be able to get away with using an open source SAML SP implementation, but your Dev Team will likely spend valuable cycles implementing the missing functionality, and your total cost of ownership will likely be higher than if you had simply purchased a commercial SAML component.
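To make concrete what "implementing the missing functionality" means, here is an added example (not code from the article, and not the API of any library it names) of the minimum checks a SAML 2.0 Service Provider must perform on an Assertion before trusting its Subject. It is useful as a checklist when evaluating an open source library: if a library skips any of these, your team has to add it. The entityID, ACS URL, certificate and clock skew are assumed inputs; decrypting an EncryptedAssertion and single logout are out of scope here.

```csharp
// Added example (not from the article): the checks an SP must make on a SAML 2.0
// Assertion. Uses only System.Xml and System.Security.Cryptography.Xml.
using System;
using System.Collections.Generic;
using System.Globalization;
using System.Security.Cryptography.X509Certificates;
using System.Security.Cryptography.Xml;
using System.Xml;

public class SamlCheckException : Exception { public SamlCheckException(string m) : base(m) { } }

public static class SamlAssertionChecks
{
    const string SamlNs = "urn:oasis:names:tc:SAML:2.0:assertion";
    const string DsNs = "http://www.w3.org/2000/09/xmldsig#";
    const string Bearer = "urn:oasis:names:tc:SAML:2.0:cm:bearer";

    // Assertion IDs already accepted. A real SP keeps this in a shared store for
    // at least the assertion lifetime so a captured Response cannot be replayed.
    static readonly HashSet<string> SeenAssertionIds = new HashSet<string>();

    public static string ValidateAndGetNameId(
        string responseXml,
        X509Certificate2 idpSigningCert,   // from the IdP's metadata, pinned
        string expectedAudience,           // our SP entityID
        string expectedRecipient,          // our Assertion Consumer Service URL
        string expectedInResponseTo,       // ID of the AuthnRequest we sent; null for IdP-initiated
        TimeSpan allowedClockSkew)
    {
        var doc = new XmlDocument { PreserveWhitespace = true, XmlResolver = null }; // no DTD/XXE
        doc.LoadXml(responseXml);
        var ns = new XmlNamespaceManager(doc.NameTable);
        ns.AddNamespace("saml", SamlNs);
        ns.AddNamespace("ds", DsNs);

        // Exactly one Assertion, as a direct child of the Response, nothing smuggled in elsewhere.
        var assertions = doc.SelectNodes("/*[local-name()='Response']/saml:Assertion", ns);
        if (assertions.Count != 1) throw new SamlCheckException("expected exactly one Assertion");
        var assertion = (XmlElement)assertions[0];
        string assertionId = assertion.GetAttribute("ID");
        if (assertionId.Length == 0) throw new SamlCheckException("Assertion has no ID");

        // 1. Signature: present, made with the IdP's key, and covering THIS assertion.
        //    Checking the Reference URI defeats signature-wrapping: a valid signature
        //    over some other element in the document must not count.
        var sig = assertion.SelectSingleNode("ds:Signature", ns) as XmlElement;
        if (sig == null) throw new SamlCheckException("Assertion is not signed");
        var signedXml = new SignedXml(assertion);
        signedXml.LoadXml(sig);
        if (signedXml.SignedInfo.References.Count != 1 ||
            ((Reference)signedXml.SignedInfo.References[0]).Uri != "#" + assertionId)
            throw new SamlCheckException("Signature does not reference this Assertion");
        if (!signedXml.CheckSignature(idpSigningCert, true))
            throw new SamlCheckException("Invalid signature");

        DateTime now = DateTime.UtcNow;

        // 2. Validity window on Conditions.
        var conditions = assertion.SelectSingleNode("saml:Conditions", ns) as XmlElement;
        if (conditions == null) throw new SamlCheckException("Missing Conditions");
        if (!WithinWindow(conditions.GetAttribute("NotBefore"), conditions.GetAttribute("NotOnOrAfter"), now, allowedClockSkew))
            throw new SamlCheckException("Assertion is outside its validity window");

        // 3. Audience: the IdP must have issued this assertion to us, not to another SP.
        bool forUs = false;
        foreach (XmlNode a in conditions.SelectNodes("saml:AudienceRestriction/saml:Audience", ns))
            if (a.InnerText.Trim() == expectedAudience) forUs = true;
        if (!forUs) throw new SamlCheckException("Assertion is not addressed to this SP");

        // 4. Bearer confirmation: Recipient, InResponseTo and its own NotOnOrAfter.
        var scd = assertion.SelectSingleNode(
            "saml:Subject/saml:SubjectConfirmation[@Method='" + Bearer + "']/saml:SubjectConfirmationData", ns) as XmlElement;
        if (scd == null) throw new SamlCheckException("No bearer SubjectConfirmationData");
        if (scd.GetAttribute("Recipient") != expectedRecipient) throw new SamlCheckException("Wrong Recipient");
        if (expectedInResponseTo != null && scd.GetAttribute("InResponseTo") != expectedInResponseTo)
            throw new SamlCheckException("InResponseTo does not match our AuthnRequest");
        if (!WithinWindow(null, scd.GetAttribute("NotOnOrAfter"), now, allowedClockSkew))
            throw new SamlCheckException("SubjectConfirmationData has expired");

        // 5. Replay: each assertion ID may be consumed once.
        lock (SeenAssertionIds)
            if (!SeenAssertionIds.Add(assertionId)) throw new SamlCheckException("Assertion replayed");

        var nameId = assertion.SelectSingleNode("saml:Subject/saml:NameID", ns);
        if (nameId == null) throw new SamlCheckException("No NameID");
        return nameId.InnerText.Trim();
    }

    static bool WithinWindow(string notBefore, string notOnOrAfter, DateTime now, TimeSpan skew)
    {
        if (!string.IsNullOrEmpty(notBefore) && now + skew < ParseUtc(notBefore)) return false;
        if (!string.IsNullOrEmpty(notOnOrAfter) && now - skew >= ParseUtc(notOnOrAfter)) return false;
        return true;
    }

    static DateTime ParseUtc(string s) =>
        DateTime.Parse(s, CultureInfo.InvariantCulture, DateTimeStyles.AdjustToUniversal | DateTimeStyles.AssumeUniversal);
}
```

Every one of these steps is something a complete SP (a commercial component or Shibboleth) already does for you; the time window, audience, InResponseTo and replay checks are exactly the pieces that tend to be missing or optional in thin open source libraries, and skipping any of them turns "single sign-on" into "anyone with an old assertion can sign on".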
If you want to experiment with open source SAML Service Provider libraries, these are two that are easy to work with: