Connecting ADFS 5.0 and the Sustainsys SAML v2.0 for .NET Core stack

Rory Braybrook

Published in

The new control plane

3 min readOct 4, 2018

Connecting ADFS 5.0 and the Sustainsys SAML v2.0 for .NET Core stack

Sustainsys is a free SAML 2.0 stack that now includes a .NET Core component.

It was previously called Kentor Auth Services.

The Github repository is here and the documentation is here.

The stack has support for:

ASP.NET web forms
ASP.NET MVC
OWIN middleware
ASP.NET Core 2
identityserver integration

It also has a built-in stub IDP that is useful for testing. This is part of the project but also running on the Internet.

At the moment, the stack can only run as a SP.

This means that you can use it as a SAML stack for a client connecting to an IDP or you can use it inside identityserver (both versions 3 and 4) to connect to another IDP.

Some examples:

Client → Sustainsys SAML stack → ADFS / Azure AD / Auth0/ identityserver / another IDP
Client → identityserver (as a SP running Sustainsys SAML stack) → another IDP
Client → Sustainsys SAML stack → identityserver (as an IDP running ComponentSpace or Rock Solid Knowledge SAML stacks) → identityserver (as a SP running Sustainsys SAML stack) → another IDP

This post is about the first option that connects to ADFS. As Windows Server 2019 is now in preview, I’ve used that so we are using ADFS 5.0. The same instructions apply to earlier versions.

There are a number of samples in the project, I’ve used the SampleAspNetCore2ApplicationNETFramework one.

The metadata for this project is at:

https://localhost:44342/saml2/

The change to Startup.cs is:

services.AddAuthentication()
                .AddSaml2(options => 
                {
                    options.SPOptions.EntityId = new EntityId("https://localhost:44342/Saml2");
                    options.IdentityProviders.Add(
                        new IdentityProvider(
                            // new EntityId("http://localhost:52071/Metadata"), options.SPOptions)
                            new EntityId("http://myadfs.cloudapp.azure.com/adfs/services/trust"), options.SPOptions)
                        {
                            MetadataLocation = "https://myadfs.cloudapp.azure.com/FederationMetadata/2007-06/FederationMetadata.xml"
                        });

                    options.SPOptions.ServiceCertificates.Add(new X509Certificate2("Sustainsys.Saml2.Tests.pfx"));
                });

The service certificate is required for enabling single logout (as SLO messages should be signed).

You need to explicitly specify the metadata location because ADFS has different URI for the entityID and the location of the metadata.

Save the metadata as a file and copy over to the Windows server.

In ADFS, add a new RP trust and import the metadata from the file:

Then just click through the wizard accepting the default options.

Note: Some of the samples have endpoints that run on http rather than https. ADFS will not accept http endpoints so these need to be changed to https. Those are automatically generated based on the current request. So if you switch the sample to run on https, then the metadata will automatically be updated.

For the claims rules, we just need a simple email claim: