Connecting ADFS 5.0 and the Sustainsys SAML v2.0 for .NET Core stack
Sustainsys is a free SAML 2.0 stack that now includes a .NET Core component.
It was previously called Kentor Auth Services.
The stack has support for:
- ASP.NET web forms
- ASP.NET MVC
- OWIN middleware
- ASP.NET Core 2
- identityserver integration
It also has a built-in stub IDP that is useful for testing. This is part of the project but also running on the Internet.
At the moment, the stack can only run as a SP.
This means that you can use it as a SAML stack for a client connecting to an IDP or you can use it inside identityserver (both versions 3 and 4) to connect to another IDP.
- Client → Sustainsys SAML stack → ADFS / Azure AD / Auth0/ identityserver / another IDP
- Client → identityserver (as a SP running Sustainsys SAML stack) → another IDP
- Client → Sustainsys SAML stack → identityserver (as an IDP running ComponentSpace or Rock Solid Knowledge SAML stacks) → identityserver (as a SP running Sustainsys SAML stack) → another IDP
This post is about the first option that connects to ADFS. As Windows Server 2019 is now in preview, I’ve used that so we are using ADFS 5.0. The same instructions apply to earlier versions.
There are a number of samples in the project, I’ve used the SampleAspNetCore2ApplicationNETFramework one.
The metadata for this project is at:
The change to Startup.cs is:
options.SPOptions.EntityId = new EntityId("https://localhost:44342/Saml2");
// new EntityId("http://localhost:52071/Metadata"), options.SPOptions)
new EntityId("http://myadfs.cloudapp.azure.com/adfs/services/trust"), options.SPOptions)
MetadataLocation = "https://myadfs.cloudapp.azure.com/FederationMetadata/2007-06/FederationMetadata.xml"
The service certificate is required for enabling single logout (as SLO messages should be signed).
You need to explicitly specify the metadata location because ADFS has different URI for the entityID and the location of the metadata.
Save the metadata as a file and copy over to the Windows server.
In ADFS, add a new RP trust and import the metadata from the file:
Then just click through the wizard accepting the default options.
Note: Some of the samples have endpoints that run on http rather than https. ADFS will not accept http endpoints so these need to be changed to https. Those are automatically generated based on the current request. So if you switch the sample to run on https, then the metadata will automatically be updated.
For the claims rules, we just need a simple email claim:
and a Transform claim for creating NameID.
When we run the sample:
Select “Log in”.
Then select the SAML2 button.
This takes you the the ADFS login page: