Rory Braybrook
Oct 4, 2018 · 3 min read

Connecting ADFS 5.0 and the Sustainsys SAML v2.0 for .NET Core stack

Sustainsys is a free SAML 2.0 stack that now includes a .NET Core component.

It was previously called Kentor Auth Services.

The Github repository is here and the documentation is here.

The stack has support for:

  • ASP.NET web forms
  • ASP.NET MVC
  • OWIN middleware
  • ASP.NET Core 2
  • identityserver integration

It also has a built-in stub IDP that is useful for testing. This is part of the project, and a hosted copy is also running on the Internet.

At the moment, the stack can only run as an SP.

This means that you can use it as a SAML stack for a client connecting to an IDP or you can use it inside identityserver (both versions 3 and 4) to connect to another IDP.

Some examples:

  • Client → Sustainsys SAML stack → ADFS / Azure AD / Auth0/ identityserver / another IDP
  • Client → identityserver (as a SP running Sustainsys SAML stack) → another IDP
  • Client → Sustainsys SAML stack → identityserver (as an IDP running ComponentSpace or Rock Solid Knowledge SAML stacks) → identityserver (as a SP running Sustainsys SAML stack) → another IDP

This post is about the first option that connects to ADFS. As Windows Server 2019 is now in preview, I’ve used that so we are using ADFS 5.0. The same instructions apply to earlier versions.

There are a number of samples in the project; I’ve used the SampleAspNetCore2ApplicationNETFramework one.

The metadata for this project is at:

https://localhost:44342/saml2/

The change to Startup.cs is:

using System.Security.Cryptography.X509Certificates;
using Sustainsys.Saml2;
using Sustainsys.Saml2.AspNetCore2;
using Sustainsys.Saml2.Metadata;

// In ConfigureServices
services.AddAuthentication()
    .AddSaml2(options =>
    {
        // Must match the entityID in the SP metadata that ADFS imports.
        options.SPOptions.EntityId = new EntityId("https://localhost:44342/Saml2");

        options.IdentityProviders.Add(
            new IdentityProvider(
                // new EntityId("http://localhost:52071/Metadata"), options.SPOptions) // the built-in stub IDP
                new EntityId("http://myadfs.cloudapp.azure.com/adfs/services/trust"), options.SPOptions)
            {
                // ADFS's entityID differs from the URL its metadata is served from, so set it explicitly.
                MetadataLocation = "https://myadfs.cloudapp.azure.com/FederationMetadata/2007-06/FederationMetadata.xml"
            });

        // Signs outgoing messages; required for single logout.
        options.SPOptions.ServiceCertificates.Add(new X509Certificate2("Sustainsys.Saml2.Tests.pfx"));
    });

The service certificate is required for enabling single logout (as SLO messages should be signed).

You need to explicitly specify the metadata location because ADFS uses a different URI for its entityID than for the location of its metadata.

Save the metadata as a file and copy it over to the Windows server.

In ADFS, add a new RP trust and import the metadata from the file:

Then just click through the wizard accepting the default options.

Note: Some of the samples have endpoints that run on http rather than https. ADFS will not accept http endpoints so these need to be changed to https. Those are automatically generated based on the current request. So if you switch the sample to run on https, then the metadata will automatically be updated.
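Before copying the SP metadata over to ADFS it is worth checking it for the three things above: the entityID matches Startup.cs, every endpoint is https, and a signing certificate is published (needed for signed SLO messages). The following pre-flight check is an added example, not code from the post or the Sustainsys project; the metadata document inside it is a constructed sample in the shape Sustainsys publishes, with one ACS endpoint deliberately left on http.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

# Constructed sample of SP metadata (not the real file served at /Saml2):
# SLO endpoint on https, ACS endpoint still on http, signing certificate present.
SAMPLE_METADATA = """<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://localhost:44342/Saml2">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>MIIB...placeholder...</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://localhost:44342/Saml2/Logout"/>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="http://localhost:44342/Saml2/Acs" index="0" isDefault="true"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""

def check_sp_metadata(xml_text, expected_entity_id):
    """Return the problems ADFS would trip over; an empty list means safe to import."""
    root = ET.fromstring(xml_text)
    problems = []
    if root.get("entityID") != expected_entity_id:
        problems.append(f"entityID {root.get('entityID')!r} != Startup.cs EntityId {expected_entity_id!r}")
    sp = root.find("md:SPSSODescriptor", NS)
    if sp is None:
        return problems + ["no SPSSODescriptor: this is not SP metadata"]
    # ADFS refuses http endpoints, so every ACS and SLO Location must be https.
    for tag in ("AssertionConsumerService", "SingleLogoutService"):
        for ep in sp.findall(f"md:{tag}", NS):
            loc = ep.get("Location", "")
            if urlsplit(loc).scheme != "https":
                problems.append(f"{tag} endpoint is not https: {loc}")
    if not sp.findall("md:AssertionConsumerService", NS):
        problems.append("no AssertionConsumerService: ADFS has nowhere to POST the response")
    # A KeyDescriptor with no 'use' attribute covers both signing and encryption.
    signing = [k for k in sp.findall("md:KeyDescriptor", NS) if k.get("use") in (None, "signing")]
    if not signing:
        problems.append("no signing KeyDescriptor: add a ServiceCertificate or signed SLO cannot be verified")
    return problems

if __name__ == "__main__":
    for p in check_sp_metadata(SAMPLE_METADATA, "https://localhost:44342/Saml2"):
        print("FAIL:", p)
```

Run it against the file you saved from https://localhost:44342/saml2/ by reading that file into the first argument instead of the sample.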

For the claims rules, we just need a simple email claim:

and a Transform claim for creating NameID.

When we run the sample:

Select “Log in”.

Then select the SAML2 button.

This takes you to the ADFS login page:

Success!

All good!

The new control plane

“Identity is the new control plane”. Articles around Microsoft Identity, Auth0 and identityserver. Click the “Archive” link at the bottom for more posts.

Rory Braybrook

Written by

NZ Microsoft Identity dude. Microsoft MVP. Azure AD/B2C/ADFS. Plus Auth0/identityserver. N. Shore .NET UG Admin. Presentations: http://bit.ly/334ZPt5
