Rory Braybrook
The new control plane
Oct 22, 2018

Connecting Azure AD and the Sustainsys SAML v2.0 for .NET Core stack

There’s some background here.

Our use case is:

Client → Sustainsys SAML stack → Azure AD

There are a number of samples in the project; I’ve used the SampleAspNetCore2ApplicationNETFramework one.

The metadata for this project is at:

https://localhost:44342/saml2/

The change to Startup.cs is:

// Namespaces assumed for Sustainsys.Saml2 2.x (not shown in the original snippet).
using Sustainsys.Saml2;
using Sustainsys.Saml2.Metadata;
using System.Security.Cryptography.X509Certificates;

services.AddAuthentication()
    .AddSaml2(options =>
    {
        // This SP's own entityID; it must match the identifier configured in Azure AD.
        options.SPOptions.EntityId = new EntityId("https://localhost:44342/Saml2");

        // The Azure AD tenant as IdP; its entityID is taken from the federation metadata.
        options.IdentityProviders.Add(
            new IdentityProvider(
                new EntityId("https://sts.windows.net/00d562e9-1704-...29816c79/"), options.SPOptions)
            {
                // Sustainsys loads the IdP signing certificates and endpoints from here.
                MetadataLocation = "https://login.microsoftonline.com/00d562e9-...16c79/federationmetadata/2007-06/federationmetadata.xml?appid=5f71ca6e-c0c6-...9d8a2e85"
            });

        // Needed so the SP can sign its single logout messages.
        options.SPOptions.ServiceCertificates.Add(new X509Certificate2("Sustainsys.Saml2.Tests.pfx"));
    });

The service certificate is required for enabling single logout (as SLO messages should be signed).

I followed this Azure AD guide for adding a custom SAML IDP provider.

With these settings, we can then configure Azure AD by following the instructions in the link above.

I created a new “Enterprise application” called Sustainsys under “Azure Active Directory — Enterprise applications”.

Set up the entityID and the ACS endpoint.

Set the NameID to be user.mail (email).

The federation metadata link is copied across to the Sustainsys code.

Open the metadata link in a browser.

<EntityDescriptor ID="_412e0b57–…6e354" entityID="https://sts.windows.net/00d56…16c79/"> …

This is where you get the entityID to copy across to the Sustainsys code.
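Because the IdP entityID and the tenant in the metadata URL are copied across by hand, it is worth checking them against the downloaded metadata before trusting the configuration. The following is an added Python example, not code from the post or from the Sustainsys project; it runs on a constructed, shortened stand-in for Azure AD’s federationmetadata.xml, and the function name `check_idp_metadata` and the sample tenant id are assumptions.

```python
import re
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
# Issuer format used by Azure AD in the post: https://sts.windows.net/<tenant-id>/
TENANT_ID_RE = re.compile(r"^https://sts\.windows\.net/([0-9a-f-]{36})/$")

# Constructed, shortened stand-in for the federation metadata Azure AD serves.
SAMPLE_METADATA = """<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
  ID="_placeholder" entityID="https://sts.windows.net/11111111-2222-3333-4444-555555555555/">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing">
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#"><X509Data>
        <X509Certificate>MIIC...constructed-placeholder</X509Certificate></X509Data></KeyInfo>
    </KeyDescriptor>
    <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
      Location="https://login.microsoftonline.com/11111111-2222-3333-4444-555555555555/saml2"/>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
      Location="https://login.microsoftonline.com/11111111-2222-3333-4444-555555555555/saml2"/>
  </IDPSSODescriptor>
</EntityDescriptor>"""


def check_idp_metadata(metadata_xml, configured_entity_id, metadata_url):
    """Return a list of findings; an empty list means metadata and config agree."""
    findings = []
    root = ET.fromstring(metadata_xml)
    entity_id = root.get("entityID")
    # 1. The entityID in the metadata is what goes into new EntityId(...) for the IdP.
    if entity_id != configured_entity_id:
        findings.append(f"entityID mismatch: metadata {entity_id!r}, config {configured_entity_id!r}")
    # 2. The tenant GUID in the issuer must be the tenant whose metadata URL was copied.
    m = TENANT_ID_RE.match(entity_id or "")
    if not m:
        findings.append(f"entityID {entity_id!r} is not https://sts.windows.net/<tenant>/")
    elif m.group(1) not in metadata_url:
        findings.append("tenant id in entityID does not appear in the metadata URL")
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        findings.append("no IDPSSODescriptor: this is not IdP metadata")
        return findings
    # 3. Without a signing certificate the SP cannot validate the IdP's responses.
    if idp.find("md:KeyDescriptor[@use='signing']/ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS) is None:
        findings.append("no signing certificate in IDPSSODescriptor")
    # 4. Single logout only works if the IdP advertises a SingleLogoutService endpoint.
    if idp.find("md:SingleLogoutService", NS) is None:
        findings.append("no SingleLogoutService: single logout will not work")
    return findings
```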

Remember to add your user to the users and groups in this enterprise application.

Run the SP example application.

Select “Log in”.

Then select the SAML2 button.

This takes you to the Azure AD login page:

Success!

All good!
