I need a SAML stack — now!

Rory Braybrook
The new control plane
6 min read · Jan 31, 2018

I see this question over on stackoverflow every day.

“My boss says we have to make the application SAML compliant so we can authenticate with a SAML IDP. I’m lost”

or

“I’m trying to build up a SAML Request with the C# class xxx and it’s not working”.

First off, do not try to roll your own. SAML is complicated; just ask the people who wrote the stacks 😄

Let’s have a look at what’s out there:

(and chocolate fish for nzpcmad for his contribution).

Some of these are commercial; some are written and maintained by dedicated people who do a superb job. If you use their stack, please consider donating.

Disclaimer: I have not personally tried all of these — “*” marks the ones I have used.

By language:

C#

Once upon a time, Microsoft announced the WIF Extension for SAML 2.0. It never went anywhere: it only applied to .NET 3.5, it was buggy, there were never any bug fixes, it was deprecated and the links have been removed.

There is NO repeat NO official Microsoft C# client-side SAML protocol stack.

1. OneLogin

OneLogin has implemented and open-sourced SAML toolkits for five different web development platforms.

These are ASP.NET, Python, Ruby, PHP and Java.

Also, OneLogin’s Open-Source SAML Toolkits and Github.

2. Sustainsys *

The Sustainsys.Saml2 library adds SAML2P support to ASP.NET web sites, allowing the web site to act as a SAML2 Service Provider (SP).

The library was previously named Kentor.AuthServices.

They have implemented a stack for .NET Core 2; use this version.

It is also available as a plugin for IdentityServer 4 (SP only).

3. OWIN.Security.SAML

Owin middleware to implement the SAML2 Protocol as a Service Provider.

Have a look at Owin.Security.Saml

4. OIOSAML

This is a Danish contribution and the web site is in Danish.

OIOSAML.

5. SAML2

A .NET implementation of the SAML 2.0 specification for SP integrations.

SAML2

6. Safewhere SAML2

SAML 2.0 for WIF is a DLL-file that extends the Windows Identity Foundation with native support for the SAML 2.0 protocol.

7. AspNetSaml

A very simple SAML 2.0 “consumer” implementation in C# (i.e. it lets you add SAML single sign-on to your ASP.NET app, but it does not provide auth services to other applications).

8. OldMusicBox

This provides an independent .NET Saml2 Client/Server Library. The implementation follows the official specification.

9. ITfoxtec

The ITfoxtec Identity Saml2 package adds SAML-P support for both Identity Provider (IdP) and Relying Party (RP).

  • Support .NET 5.0
  • Support .NET Core 3.1
  • Support .NET Standard 2.1
  • Support .NET Framework 4.6.1 and 4.7.2

10. Saml2.Authentication.Core

A SAML 2.0 authentication middleware for ASP.NET Core

This project is a fork of the OIOSAML.Net implementation of SAML 2.0 framework from digitaliser.dk. It has been ported and modified to support ASP.NET Core with all dependencies to ASP.NET removed.

Java

Onelogin and OIOSAML as above.

1. OpenSAML

OpenSAML is a set of open source C++ & Java libraries meant to support developers working with the Security Assertion Markup Language (SAML). OpenSAML 2 supports SAML 1.0, 1.1, and 2.0, but it is end-of-life and no longer receives fixes; start from the current OpenSAML V3 (or later) line instead.

OpenSAML

Good book on this — A Guide to OpenSAML V3.0 and the earlier version — A Guide to OpenSAML V2.0

2. Spring Security

Spring Security SAML Extension allows seamless combination of SAML 2.0 and authentication and federation mechanisms in a single application.

All products supporting SAML 2.0 in Identity Provider mode (e.g. ADFS, Okta, Shibboleth, OpenAM, Efecte EIM or Ping Federate) can be used to connect with the extension.

Spring security

Note: This library is being superseded by the SAML feature set in Spring Security Core

3. auth10

This library speaks the WS-Federation protocol and SAML 1.1 and 2.0 tokens. It interops fine with Microsoft-related products like ADFS, Windows Azure Active Directory and Windows Identity Foundation.

auth10-java

4. Coveooss

“This library implements a very simple SAML 2.0 client that allows retrieving an authenticated identity from a compliant identity provider, using the HTTP POST binding.

It is based on the OpenSAML library, and only provides the necessary glue code to make it work in a basic scenario. This is by no means a complete implementation supporting all the nitty gritty SAML details, but it does perform the basic task of generating requests and validating responses. It’s useful if you need to authenticate with SAML but don’t want to bring in an uber large framework such as Spring Security”.

Coveooss

PHP

OneLogin as above.

1. SimpleSAMLphp

SimpleSAMLphp is an award-winning application written in native PHP that deals with authentication. The project is led by UNINETT, has a large user base, a helpful user community and a large set of external contributors. The main focus of SimpleSAMLphp is providing support for:

SimpleSAMLphp

2. LightSAML

LightSAML is a stack of PHP libraries and bundles implementing OASIS’ SAML 2.0 protocol.

LightSAML

LightSaml implements basic SAML 2.0 data model classes, serialization/deserialization to/from xml with XML security and certificates support, and message encapsulations to bindings.

Covered with unit tests.

3. Laravel

The Laravel SAML IdP package allows you to implement your own Identity Provider (IdP) using the SAML 2.0 standard, to be used with supporting SAML 2.0 Service Providers (SP).

Ruby

OneLogin as above.

Python

1. OneLogin as above.

2. PySAML2

PySAML2 is a pure Python implementation of SAML2. It contains all necessary pieces for building a SAML2 service provider or an identity provider.

Node.js

1. Passport SAML

The original implementation.

This is a SAML 2.0 authentication provider for Passport, the Node.js authentication library.

The code was originally based on Michael Bosworth’s express-saml library.

Passport-SAML has been tested to work with Onelogin, Okta, Shibboleth, SimpleSAMLphp based Identity Providers, and with Active Directory Federation Services.

2. Passport SAML (bergie)

This is “bergie SAML”, an alternative fork of Passport SAML.

3. saml2.js (“clever SAML”)

saml2-js is a node module that abstracts away the complexities of the SAML protocol behind an easy-to-use interface.

4. Samlify

Samlify is a Node.js SAML2 API.

“It has:

  • Simple and active maintenance
  • Includes Identity and Service Provider
  • Highly configurable

This module provides a library for scaling Single Sign On implementation. Developers can easily configure the entities by importing the metadata.

It provides a simple interface that’s highly configurable”.

Golang

1. Crewjam

The SAML package contains a partial implementation of the SAML standard in golang.

Commercial

1. ComponentSpace *

ComponentSpace SAML SSO solutions are fully functional and flexible components that quickly and easily plug directly into your existing ASP.NET and ASP.NET Core web applications.

Componentspace

There is also a SAML v2.0 for ASP.NET Core product.

It is also available as a plugin for IdentityServer 4.

2. Rock Solid Knowledge *

This is for .NET Core 2 and is a plugin for IdentityServer 4.

Rock Solid Knowledge

Identity aaS (as a service)

There are a number of SaaS products that can handle SAML.

Examples:

Tools

Just for completeness!

1. ADFSHelp

Tools to diagnose ADFS. Includes SAML functionality.

2. OneLogin

Set of SAML tools.

3. SAML decoder

Decoder from Auth0.

4. Create AuthnRequest

Good example here.

You can take the native SAML request and parse it (step 1), or you can paste in the XML of the AuthnRequest you want to send, alter it if you need to, build it (step 2) and send it (step 3).
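The same three steps, as an added example that is not part of the original post and is not code from any of the listed stacks: build a minimal AuthnRequest, wrap it for the HTTP-Redirect binding (raw DEFLATE, base64, URL-encode), then decode and check it the way an IdP would. It uses only the Python standard library. The SP and IdP URLs and the KNOWN_SPS registry are constructed placeholders (assumptions, nothing on the page defines them), and the request is deliberately unsigned: signature creation and verification are exactly the part you should leave to a stack.

```python
import base64
import datetime
import secrets
import urllib.parse
import zlib
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
ET.register_namespace("samlp", SAMLP)
ET.register_namespace("saml", SAML)

# Constructed placeholders standing in for what an IdP learns from SP metadata.
# Hypothetical endpoints; the original page does not define any of these.
IDP_SSO_URL = "https://idp.example.com/sso"
KNOWN_SPS = {"https://sp.example.com/metadata": {"https://sp.example.com/acs"}}
MAX_XML_BYTES = 1 << 20  # cap on inflated size, so a tiny SAMLRequest cannot become a bomb


def build_authn_request(issuer, acs_url, destination, request_id=None, issue_instant=None):
    """Step 2: build a minimal, unsigned AuthnRequest and return it as XML text."""
    # SAML IDs are xs:ID values (NCName), so they must not start with a digit: prefix '_'.
    request_id = request_id or "_" + secrets.token_hex(16)
    if issue_instant is None:
        now = datetime.datetime.now(datetime.timezone.utc)
        issue_instant = now.strftime("%Y-%m-%dT%H:%M:%SZ")
    root = ET.Element(f"{{{SAMLP}}}AuthnRequest", {
        "ID": request_id,
        "Version": "2.0",
        "IssueInstant": issue_instant,
        "Destination": destination,
        "ProtocolBinding": HTTP_POST,
        "AssertionConsumerServiceURL": acs_url,
    })
    ET.SubElement(root, f"{{{SAML}}}Issuer").text = issuer
    return ET.tostring(root, encoding="unicode")


def build_redirect_url(sso_url, xml_text, relay_state=None):
    """Step 3: HTTP-Redirect binding. Raw DEFLATE (no zlib header), base64, URL-encode."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)  # wbits=-15 selects raw deflate
    deflated = comp.compress(xml_text.encode("utf-8")) + comp.flush()
    params = {"SAMLRequest": base64.b64encode(deflated).decode("ascii")}
    if relay_state is not None:
        params["RelayState"] = relay_state
    return sso_url + "?" + urllib.parse.urlencode(params)


def decode_redirect_url(url):
    """Step 1 (IdP side): take SAMLRequest out of the query string and inflate it."""
    query = urllib.parse.parse_qs(urllib.parse.urlsplit(url).query)
    raw = base64.b64decode(query["SAMLRequest"][0])
    inflater = zlib.decompressobj(-15)
    xml_bytes = inflater.decompress(raw, MAX_XML_BYTES)
    if inflater.unconsumed_tail:
        raise ValueError("SAMLRequest inflates past the size limit")
    return xml_bytes.decode("utf-8")


def parse_authn_request(xml_text):
    """Parse the request and apply the checks an IdP makes before honouring it.
    xml.etree is used so this runs on stock Python; a real IdP should parse with
    defusedxml and must verify the XML signature (or the Redirect-binding Signature
    parameter), which this example deliberately does not do."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{SAMLP}}}AuthnRequest":
        raise ValueError(f"unexpected root element {root.tag}")
    if root.get("Version") != "2.0":
        raise ValueError("unsupported SAML version")
    # Destination must be this IdP's own endpoint, otherwise the message was meant elsewhere.
    if root.get("Destination") != IDP_SSO_URL:
        raise ValueError("Destination does not match this IdP's SSO endpoint")
    issuer_el = root.find(f"{{{SAML}}}Issuer")
    issuer = issuer_el.text.strip() if issuer_el is not None and issuer_el.text else None
    acs = root.get("AssertionConsumerServiceURL")
    # Only deliver assertions to an ACS registered for that Issuer: an unchecked ACS
    # lets an attacker have the IdP post a valid assertion to a host they control.
    if issuer not in KNOWN_SPS or acs not in KNOWN_SPS[issuer]:
        raise ValueError("unregistered Issuer or AssertionConsumerServiceURL")
    return {"ID": root.get("ID"), "Issuer": issuer, "ACS": acs,
            "IssueInstant": root.get("IssueInstant")}


def accepts(xml_text):
    """True if parse_authn_request would honour this request, False if it rejects it."""
    try:
        parse_authn_request(xml_text)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    xml = build_authn_request("https://sp.example.com/metadata",
                              "https://sp.example.com/acs", IDP_SSO_URL)
    url = build_redirect_url(IDP_SSO_URL, xml, relay_state="return-to-/dashboard")
    print(url)
    print(parse_authn_request(decode_redirect_url(url)))
```

The two checks in parse_authn_request (Destination equals your own endpoint, ACS is one registered for the Issuer) are the ones that bite when people hand-roll an IdP; the stacks above do them for you, together with the signature and IssueInstant freshness checks this example leaves out.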

All good!


NZ Microsoft Identity dude and MVP. Azure AD/B2C/ADFS/Auth0/identityserver. StackOverflow: https://bit.ly/2XU4yvJ Presentations: http://bit.ly/334ZPt5