I need a SAML stack — now!

I see this question over on stackoverflow every day.

“My boss says we have to make the application SAML compliant so we can authenticate with a SAML IDP. I’m lost”

or

“I’m trying to build up a SAML Request with the C# class xxx and it’s not working”.

First off, do not try to roll your own. SAML is complicated — just ask the people that wrote the stacks 😄

Let’s have a look at what’s out there:

(and chocolate fish for nzpcmad for his contribution).

Some of these are commercial; some are written and maintained by dedicated people who do a superb job. If you use their stack, please consider donating.

Disclaimer: I have not personally tried all of these — “*” marks the ones I have used.

By language:

C#

Once upon a time, Microsoft announced the WIF Extension for SAML 2.0. It never went anywhere, there were never any bug fixes, it was deprecated and the links have been removed. It was only applicable for .NET 3.5 and was buggy.

There is NO repeat NO official Microsoft C# client-side SAML protocol stack.

1. OneLogin

OneLogin has implemented and open-sourced SAML toolkits for five different web development platforms.

These are ASP.NET, Python, Ruby, PHP and Java.

Also, OneLogin’s Open-Source SAML Toolkits and Github.

2. Sustainsys *

The Sustainsys.Saml2 library adds SAML2P support to ASP.NET web sites, allowing the web site to act as a SAML2 Service Provider (SP).

The library was previously named Kentor.AuthServices.

They have implemented a stack for .Net Core 2 — use this version.

It can also be used as a plugin for IdentityServer 4 (SP only).

3. OWIN.Security.SAML

Owin middleware to implement the SAML2 Protocol as a Service Provider.

Have a look at Owin.Security.Saml

4. OIOSAML

This is a Danish contribution and the web site is in Danish.

OIOSAML.

5. SAML2

A .NET implementation of the SAML 2.0 specification for SP integrations.

SAML2

6. Safewhere SAML2

SAML 2.0 for WIF is a DLL-file that extends the Windows Identity Foundation with native support for the SAML 2.0 protocol.

7. AspNetSaml

A very simple SAML 2.0 “consumer” implementation in C# (i.e. allows adding SAML single-sign-on to your ASP.NET app, but not to provide auth services to other applications).

8. OldMusicBox

This provides an independent .NET Saml2 Client/Server Library. The implementation follows the official specification.

9. ITfoxtec

The ITfoxtec Identity Saml2 package adds SAML-P support for both Identity Provider (IdP) and Relying Party (RP).

  • Support .NET 5.0
  • Support .NET Core 3.1
  • Support .NET Standard 2.1
  • Support .NET Framework 4.6.1 and 4.7.2

Java

Onelogin and OIOSAML as above.

1. OpenSAML

OpenSAML is a set of open source C++ & Java libraries meant to support developers working with the Security Assertion Markup Language (SAML). OpenSAML 2, the current version, supports SAML 1.0, 1.1, and 2.0.

OpenSAML

Good book on this — A Guide to OpenSAML V3.0 and the earlier version — A Guide to OpenSAML V2.0

2. Spring Security

Spring Security SAML Extension allows seamless combination of SAML 2.0 and authentication and federation mechanisms in a single application.

All products supporting SAML 2.0 in Identity Provider mode (e.g. ADFS, Okta, Shibboleth, OpenAM, Efecte EIM or Ping Federate) can be used to connect with the extension.

Spring security

Note: This library is being superseded by the SAML feature set in Spring Security Core.

3. auth10

This library speaks the WS-Federation protocol and SAML 1.1 and 2.0 tokens. It interops fine with Microsoft-related products like ADFS, Windows Azure Active Directory and Windows Identity Foundation.

auth10-java

4. Coveooss

“This library implements a very simple SAML 2.0 client that allows retrieving an authenticated identity from a compliant identity provider, using the HTTP POST binding.

It is based on the OpenSAML library, and only provides the necessary glue code to make it work in a basic scenario. This is by no means a complete implementation supporting all the nitty gritty SAML details, but it does perform the basic task of generating requests and validating responses. It’s useful if you need to authenticate with SAML but don’t want to bring in an uber large framework such as Spring Security”.

Coveooss

PHP

OneLogin as above.

1. SimpleSAMLphp

SimpleSAMLphp is an award-winning application written in native PHP that deals with authentication. The project is led by UNINETT, has a large user base, a helpful user community and a large set of external contributors. The main focus of SimpleSAMLphp is providing support for:

SimpleSAMLphp

2. LightSAML

LightSAML is a stack of PHP libraries and bundles implementing OASIS’ SAML 2.0 protocol.

LightSAML

LightSaml implements basic SAML 2.0 data model classes, serialization/deserialization to/from xml with XML security and certificates support, and message encapsulations to bindings.

Covered with unit tests.

3. Laravel

The Laravel SAML IdP package allows you to implement your own Identity Provider (IdP) using the SAML 2.0 standard, to be used with supporting SAML 2.0 Service Providers (SP).

Ruby

OneLogin as above.

Python

1. OneLogin as above.

2. PySAML2

PySAML2 is a pure Python implementation of SAML2. It contains all necessary pieces for building a SAML2 service provider or an identity provider.

Node.js

1. Passport SAML

The original implementation.

This is a SAML 2.0 authentication provider for Passport, the Node.js authentication library.

The code was originally based on Michael Bosworth’s express-saml library.

Passport-SAML has been tested to work with Onelogin, Okta, Shibboleth, SimpleSAMLphp based Identity Providers, and with Active Directory Federation Services.

2. Passport SAML (bergie)

This is “bergie SAML”, an alternative fork of Passport SAML.

3. saml2.js (“clever SAML”)

saml2-js is a node module that abstracts away the complexities of the SAML protocol behind an easy to use interface.

Golang

1. Crewjam

The SAML package contains a partial implementation of the SAML standard in golang.

Commercial

1. ComponentSpace *

ComponentSpace SAML SSO solutions are fully functional and flexible components that quickly and easily plug directly into your existing ASP.NET and ASP.NET Core web applications.

Componentspace

There is also a SAML v2.0 for ASP.NET Core product.

It can also be used as a plugin for IdentityServer 4.

2. Rock Solid Knowledge *

This is for .NET Core 2 and is a plugin for IdentityServer 4.

Rock Solid Knowledge

Identity aaS (as a service)

There are a number of SaaS products that can handle SAML.

Examples:

Tools

Just for completeness!

1. ADFSHelp

Tools to diagnose ADFS. Includes SAML functionality.

2. OneLogin

Set of SAML tools.

3. SAML decoder

Decoder from Auth0.

4. Create AuthnRequest

Good example here.

You can take the native SAML request and parse it (step 1), or you can just paste in the XML of the AuthnRequest that you want to send, alter it if you need to, then build it (step 2) and send it (step 3).
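The parse/build/send cycle that tool automates, as an added example in Python (not code from the post or from any of the stacks listed above): build a minimal AuthnRequest, encode it the way the HTTP-Redirect binding requires (raw DEFLATE, base64, URL-encode), and decode it again with a cap on the inflated size, so a tiny compressed blob cannot expand into an enormous document. All URLs, IDs and timestamps are constructed placeholders.

```python
import base64
import urllib.parse
import zlib
import xml.etree.ElementTree as ET  # for untrusted input, defusedxml.ElementTree is the safer drop-in

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
ET.register_namespace("samlp", SAMLP)
ET.register_namespace("saml", SAML)

def build_authn_request(request_id, issuer, acs_url, destination, issue_instant):
    """Step 2: build a minimal samlp:AuthnRequest (all values are caller-supplied placeholders)."""
    root = ET.Element(f"{{{SAMLP}}}AuthnRequest", {
        "ID": request_id,
        "Version": "2.0",
        "IssueInstant": issue_instant,
        "Destination": destination,
        "AssertionConsumerServiceURL": acs_url,
        "ProtocolBinding": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST",
    })
    ET.SubElement(root, f"{{{SAML}}}Issuer").text = issuer
    return ET.tostring(root, encoding="unicode")

def encode_redirect(xml_text):
    """Step 3: SAMLRequest= value for the HTTP-Redirect binding: raw DEFLATE, base64, URL-encode."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)  # wbits=-15 -> raw deflate, no zlib header
    deflated = comp.compress(xml_text.encode("utf-8")) + comp.flush()
    return urllib.parse.quote(base64.b64encode(deflated).decode("ascii"), safe="")

def decode_redirect(saml_request_param, max_bytes=64 * 1024):
    """Step 1: reverse of encode_redirect, refusing output larger than max_bytes."""
    raw = base64.b64decode(urllib.parse.unquote(saml_request_param))
    decomp = zlib.decompressobj(-15)
    xml_bytes = decomp.decompress(raw, max_bytes)  # stops inflating once max_bytes are produced
    if decomp.unconsumed_tail or not decomp.eof:
        raise ValueError("AuthnRequest is truncated or exceeds the inflated size limit")
    return xml_bytes.decode("utf-8")

def summarize(xml_text):
    """Pull out the fields you would check before altering and re-sending the request."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{SAMLP}}}AuthnRequest":
        raise ValueError("not a samlp:AuthnRequest")
    issuer = root.find(f"{{{SAML}}}Issuer")
    return {"ID": root.get("ID"),
            "Issuer": issuer.text if issuer is not None else None,
            "ACS": root.get("AssertionConsumerServiceURL"),
            "Destination": root.get("Destination")}
```

Note that the HTTP-POST binding is plain base64 without DEFLATE, so the same decoder does not apply to a SAMLRequest that arrives in a form field.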

All good!


“Identity is the new control plane”. Articles around Microsoft Identity, Auth0 and identityserver.

Rory Braybrook

NZ Microsoft Identity dude and MVP. Azure AD/B2C/ADFS/Auth0/identityserver. StackOverflow: https://bit.ly/2XU4yvJ Presentations: http://bit.ly/334ZPt5
