Angular + Web Api

Hi,

First, apologies for my English; sometimes I use Google Translate.

My name is David and I need to implement a SAML solution using an API in C# and Angular for the front end.
At first I could use OAuth (the ADAL Angular library supports this), but my client instead asked me to use SAML with WS-Federation.

I have downloaded your test application and tested the SP to IdP solution against my development environment and it works correctly, but I have a problem: my client's ADFS server is protected from all public connections from the Internet, rejecting all connections. This is a problem because the SP (Web API) is not able to connect directly to the IdP (ADFS).

Would it be possible to use the Angular application as middleware, for the purpose of communicating with the IdP and returning the response to the SP?
I have thought of taking the final SAML response and converting it into a JWT token to call an Angular endpoint to save it in Local Storage for later use when consuming REST services …
Is there a solution?

Regards,

David

Hi David,

ADFS supports both WS-Federation and SAML SSO. Please note that these are separate specifications. We support SAML SSO but not WS-Federation. SAML SSO is the more popular SSO specification.

To support SP-initiated SAML SSO, you must be able to send HTTP requests to ADFS. Typically these are over HTTPS (i.e. port 443). Either these requests are sent to the ADFS server or the ADFS server sits behind an ADFS proxy. Either way, the IdP should be able to tell you the URLs you need to use for communicating with them. Normally they'll supply you with their SAML metadata which includes these URLs and other configuration information.

SAML SSO is a browser based protocol meaning all messages sent between the SP and IdP sites are sent via the browser. These are not web/REST API calls.

It is possible to support SAML SSO using an Angular or other front end application and a web API back end application. However, our recommendation is to initiate the SSO flow via the browser rather than a web API call. Once SSO completes, the web API can return a JWT token or similar to the front end application which can then be presented on subsequent web API calls.

Is the requirement to write the web API in ASP.NET or could you use ASP.NET Core?

Our SAML for ASP.NET Core product includes an example Angular application and web API application demonstrating SAML SSO. Our Examples Guide documents these two examples. Please refer to the “Example Web API” and “Example Angular SPA” sections.

https://www.componentspace.com/Forums/8236/Examples-Guide

If you have to use ASP.NET, you can take a similar approach as described in the Examples Guide although the implementation in the web API will be different.

[quote]
ComponentSpace - 9/18/2019
Hi David,
[...]
[/quote]

Hi,

Thanks for the reply.
I downloaded the .NET Core example and I've seen how it works.
I will evaluate whether it can be done in a non-Core instance and, if I can't, whether I can use it as an external service so that in the end it returns a JWT and Angular calls the API.

Regards,

Thanks for the update.

Hi,

One question.
I have a problem with the certificate for signing SAML messages to ADFS; ADFS gives me the error "SAML Message Sign Validation Error" …
I have the URI of FederationMetadata.xml. I have seen that in the descriptor "<>" is the public key, to be able to use it "", and I take the "X509Certificate" value to convert it to a PEM.
How do I use it to sign SAML messages? Do I need to convert the PEM file to PFX? I have the following properties in the example "appsettings.json":

"LocalServiceProviderConfiguration": {
  "Name": "http://xxx.xxxxxxxxxxx.es/adfs/services/trust",
  "Description": "Example Web API",
  "AssertionConsumerServiceUrl": "https://localhost:44319/SAML/AssertionConsumerService",
  "SingleLogoutServiceUrl": "https://localhost:44319/SAML/SingleLogoutService",
  "LocalCertificates": [
    {
      "FileName": "certificates/xxxxxx.pfx",
      "Password": "xxxxx"
    }
  ]
},

Thx.
Regards,

Note that the configuration you list is for SAML for ASP.NET Core rather than SAML for ASP.NET. This forum is for SAML for ASP.NET related questions. I mention this just in case anyone else looking at this post is confused.

Please take a look at our ADFS Relying Party Integration Guide for information on integrating your SP with ADFS as the IdP.
https://www.componentspace.com/Forums/8239/ADFS-Integration-Guides

You have the LocalServiceProviderConfiguration.Name set to the ADFS provider name. This should be your service provider name. You'll also have a PartnerIdentityProviderConfiguration whose Name property will be "http://…/adfs/services/trust".

The LocalCertificate should be a PFX file. This format includes the private key associated with the certificate. It’s the private key that’s used to sign SAML messages sent to ADFS.

If ADFS is failing to verify signatures, it’s most likely that the certificate configured under the Signature tab of your relying party’s properties in ADFS doesn’t match the private key being used. Please double check that the configuration in ADFS is correct.

If there’s still an issue, please enable SAML trace at the SP and send the generated log file as an email attachment to support@componentspace.com mentioning your forum post.

https://www.componentspace.com/Forums/7936/Enabling-SAML-Trace

Also ask the ADFS admin to send screenshots of each of your relying party’s property tabs in ADFS so we can check the configuration looks correct.
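The following is an added example, not ComponentSpace code and not the SAML for ASP.NET Core API; it is a stand-alone .NET 6 console program written to make concrete what the two replies above describe: the SP loads a PFX because that is where the private key lives, the AuthnRequest travels to ADFS through the browser as a signed HTTP-Redirect query string, ADFS verifies that signature with whatever certificate is registered on the relying party's Signature tab, and the IdP's own signing certificate and SSO URL come out of its SAML metadata. The subject names, the adfs.example.test URLs, the sample AuthnRequest and the metadata document are all constructed for the example; a real FederationMetadata.xml would carry ADFS's token-signing certificate rather than a certificate generated here.

```csharp
// Added example, not ComponentSpace code. Walks through the SP-side steps discussed in
// the thread using throwaway self-signed certificates, so it runs offline on .NET 6+.
using System;
using System.IO;
using System.IO.Compression;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;
using System.Text;
using System.Xml;

static class SamlSpCheck
{
    const string RsaSha256 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256";

    // A throwaway signing certificate exported as PFX: the format LocalCertificates
    // expects, because it carries the private key that signs outgoing messages.
    static byte[] CreatePfx(string subject, string password)
    {
        using var rsa = RSA.Create(2048);
        var req = new CertificateRequest(subject, rsa, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
        using var cert = req.CreateSelfSigned(DateTimeOffset.UtcNow.AddDays(-1), DateTimeOffset.UtcNow.AddYears(1));
        return cert.Export(X509ContentType.Pfx, password);
    }

    // HTTP-Redirect binding: deflate + base64 the AuthnRequest, then sign the URL-encoded
    // SAMLRequest, RelayState and SigAlg parameters (in that order) with the SP private key.
    static string BuildSignedRedirectQuery(string authnRequestXml, string relayState, X509Certificate2 spCert)
    {
        using var buffer = new MemoryStream();
        using (var deflate = new DeflateStream(buffer, CompressionLevel.Optimal, leaveOpen: true))
            deflate.Write(Encoding.UTF8.GetBytes(authnRequestXml));
        string signedPart = "SAMLRequest=" + Uri.EscapeDataString(Convert.ToBase64String(buffer.ToArray()))
                          + "&RelayState=" + Uri.EscapeDataString(relayState)
                          + "&SigAlg=" + Uri.EscapeDataString(RsaSha256);
        using RSA key = spCert.GetRSAPrivateKey();
        byte[] sig = key.SignData(Encoding.UTF8.GetBytes(signedPart), HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
        return signedPart + "&Signature=" + Uri.EscapeDataString(Convert.ToBase64String(sig));
    }

    // What the IdP does with the certificate registered on the relying party's Signature
    // tab: verify over the same three parameters. Any other certificate fails verification.
    static bool VerifyRedirectQuery(string query, X509Certificate2 registeredCert)
    {
        int idx = query.LastIndexOf("&Signature=", StringComparison.Ordinal);
        if (idx < 0) return false;
        byte[] sig = Convert.FromBase64String(Uri.UnescapeDataString(query.Substring(idx + "&Signature=".Length)));
        using RSA pub = registeredCert.GetRSAPublicKey();
        return pub.VerifyData(Encoding.UTF8.GetBytes(query.Substring(0, idx)), sig,
                              HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
    }

    // Read the IdP signing certificate and the redirect-binding SSO URL out of SAML metadata.
    static (string SsoUrl, X509Certificate2 SigningCert) ParseIdpMetadata(string metadataXml)
    {
        var doc = new XmlDocument { XmlResolver = null };   // no external entities or DTD fetches
        doc.LoadXml(metadataXml);
        var ns = new XmlNamespaceManager(doc.NameTable);
        ns.AddNamespace("md", "urn:oasis:names:tc:SAML:2.0:metadata");
        ns.AddNamespace("ds", "http://www.w3.org/2000/09/xmldsig#");
        string b64 = doc.SelectSingleNode("//md:IDPSSODescriptor/md:KeyDescriptor[@use='signing']//ds:X509Certificate", ns).InnerText;
        string sso = doc.SelectSingleNode("//md:IDPSSODescriptor/md:SingleSignOnService[@Binding='urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect']/@Location", ns).Value;
        return (sso, new X509Certificate2(Convert.FromBase64String(b64.Trim())));
    }

    static void Main()
    {
        // Load the SP signing certificate the way LocalCertificates does: PFX bytes plus password.
        var spCert = new X509Certificate2(CreatePfx("CN=example-sp", "xxxxx"), "xxxxx");
        Console.WriteLine($"SP private key present: {spCert.HasPrivateKey}, thumbprint {spCert.Thumbprint}");

        // Constructed AuthnRequest; a real one is produced by the SAML library.
        string authnRequest = "<samlp:AuthnRequest xmlns:samlp=\"urn:oasis:names:tc:SAML:2.0:protocol\" ID=\"_1\" Version=\"2.0\" "
                            + "IssueInstant=\"2019-09-18T00:00:00Z\"><saml:Issuer xmlns:saml=\"urn:oasis:names:tc:SAML:2.0:assertion\">"
                            + "https://localhost:44319</saml:Issuer></samlp:AuthnRequest>";
        string query = BuildSignedRedirectQuery(authnRequest, "/home", spCert);

        // Registered certificate matches the PFX: verification succeeds. A stale or different
        // certificate on the Signature tab: verification fails, which is the error in the thread.
        var staleCert = new X509Certificate2(CreatePfx("CN=example-sp-old", "pw"), "pw");
        Console.WriteLine($"ADFS holds current SP cert: {VerifyRedirectQuery(query, spCert)}");
        Console.WriteLine($"ADFS holds stale SP cert:   {VerifyRedirectQuery(query, staleCert)}");

        // Constructed metadata standing in for FederationMetadata.xml (assumed layout; ADFS
        // would publish its own token-signing certificate here, not one generated by us).
        string metadata = "<EntityDescriptor xmlns=\"urn:oasis:names:tc:SAML:2.0:metadata\" entityID=\"http://adfs.example.test/adfs/services/trust\">"
            + "<IDPSSODescriptor protocolSupportEnumeration=\"urn:oasis:names:tc:SAML:2.0:protocol\">"
            + "<KeyDescriptor use=\"signing\"><KeyInfo xmlns=\"http://www.w3.org/2000/09/xmldsig#\"><X509Data><X509Certificate>"
            + Convert.ToBase64String(staleCert.RawData) + "</X509Certificate></X509Data></KeyInfo></KeyDescriptor>"
            + "<SingleSignOnService Binding=\"urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect\" Location=\"https://adfs.example.test/adfs/ls/\"/>"
            + "</IDPSSODescriptor></EntityDescriptor>";
        var (ssoUrl, idpCert) = ParseIdpMetadata(metadata);
        Console.WriteLine($"Send AuthnRequest to {ssoUrl}; verify IdP responses with thumbprint {idpCert.Thumbprint}");
    }
}
```

Two things this makes visible for the situation in the thread. First, the Signature= parameter is computed by the SP over exactly the SAMLRequest, RelayState and SigAlg parameters, and ADFS checks it with the public certificate on the relying party's Signature tab, so a thumbprint mismatch between that certificate and the PFX in LocalCertificates produces the validation error regardless of whether the PEM was converted correctly. Second, the X509Certificate element in the IdP metadata is the IdP's certificate, used to verify what ADFS sends back; it is not something the SP signs with, so converting it to PEM or PFX does not give the SP a private key.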