Migrating from .Net Framework to .Net Core: which SAML approach is better?

We have been using the ComponentSpace .Net library in our ASP.NET MVC application for some time now. We just authenticate users using ADFS; once authenticated, we handle authorization in our database. For this we used SP-Initiated-SSO with FormsAuthentication and have put the [Authorize] attribute on top of all of our controllers.

Now we have converted that same application to .Net Core and we have a licensed version of the ComponentSpace .Net Core library. I understand that there are two approaches: SAML API and SAML Middleware. I have tried both in a test application using ExampleIdentityProvider as the IDP. Based on my understanding, SAML middleware seems to align with the way we were doing the authentication in the .Net version of that application. But SAML middleware is based on Microsoft Identity and my application does not use it, so I was wondering what to configure to capture the SAML assertion back. I tried to add a SAML controller and an AssertionConsumerService method, and configured it something like this:

    services.AddAuthentication().AddSaml(options =>
    {
        options.PartnerName = () => Configuration["PartnerName"];
        options.SignInScheme = CookieAuthenticationDefaults.AuthenticationScheme;
        options.AssertionConsumerServicePath = Configuration["AssertionConsumerServicePath"];
    });

Also I added an MVC controller with an Authorize attribute like this:

    [Authorize(AuthenticationSchemes = SamlAuthenticationDefaults.AuthenticationScheme)]
    public class HomeController : Controller
    {
        public IActionResult Index()
        {
            string user = HttpContext.Session.GetString("user");

            return View();
        }
    }

And the AssertionConsumerService is the same as it would be with the SAML API:

    public async Task<IActionResult> AssertionConsumerService()
    {
        var ssoResult = await _samlServiceProvider.ReceiveSsoAsync();
        HttpContext.Session.SetString("user", ssoResult.UserID);
        return RedirectToAction("About", "Home");
    }

But this seems to go in a recurring cycle of App-IDP-App-IDP…

So is my approach incorrect? Should I use the SAML API instead of the middleware?


ComponentSpace - 4/2/2019
Hi Ankit
I suggest using the SAML API rather than SAML middleware.
This gives you more control and is closer to how SAML works for ASP.NET.


Thanks for a prompt reply. So if I use the SAML API, the only thing I am struggling with at this point is how every controller/page would check if the user is logged in already or, if logged in, whether his SAML session has expired. In my .Net version it was Forms.Authentication and I had the [Authorize] keyword on all controllers, which used to check the FormsAuthentication cookie, I guess.

Any idea about this ?

Just use the standard ASP.NET Core authorization which is similar to what you do in ASP.NET.
Just add an [Authorize] to those pages that require it.
Our ExampleServiceProvider’s Claims page specifies [Authorize].
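
The pattern recommended in this thread (SAML API plus standard [Authorize]), as an added sketch that is not ComponentSpace's or the poster's code: the assertion consumer converts the SSO result into an ASP.NET Core authentication cookie, which is what [Authorize] checks in place of the old FormsAuthentication cookie. Assumptions: the controller and action names, the 30-minute lifetime, and the use of the library's InitiateSsoAsync method and RelayState property, which do not appear in the posts above.

```csharp
using System.Security.Claims;
using System.Threading.Tasks;
using ComponentSpace.Saml2;
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Authentication.Cookies;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Extensions.Configuration;

// Assumed wiring in Startup.ConfigureServices (SAML services registered as usual):
//   services.AddAuthentication(CookieAuthenticationDefaults.AuthenticationScheme)
//       .AddCookie(o =>
//       {
//           o.LoginPath = "/Saml/InitiateSingleSignOn";  // target of the [Authorize] challenge
//           o.ExpireTimeSpan = TimeSpan.FromMinutes(30); // constructed value: local session lifetime
//           o.SlidingExpiration = false;                 // forces a fresh SSO after expiry
//       });
// and app.UseAuthentication() ahead of MVC in Startup.Configure.

[AllowAnonymous] // SSO endpoints must be reachable without a cookie, or the challenge never completes
public class SamlController : Controller
{
    private readonly ISamlServiceProvider _samlServiceProvider;
    private readonly IConfiguration _configuration;

    public SamlController(ISamlServiceProvider samlServiceProvider, IConfiguration configuration)
    {
        _samlServiceProvider = samlServiceProvider;
        _configuration = configuration;
    }

    public async Task<IActionResult> InitiateSingleSignOn(string returnUrl = null)
    {
        // Carry only local URLs through RelayState so the round trip cannot become an open redirect.
        var relayState = Url.IsLocalUrl(returnUrl) ? returnUrl : null;
        await _samlServiceProvider.InitiateSsoAsync(_configuration["PartnerName"], relayState);
        return new EmptyResult();
    }

    public async Task<IActionResult> AssertionConsumerService()
    {
        var ssoResult = await _samlServiceProvider.ReceiveSsoAsync();
        var claims = new[] { new Claim(ClaimTypes.NameIdentifier, ssoResult.UserID), new Claim(ClaimTypes.Name, ssoResult.UserID) };
        var identity = new ClaimsIdentity(claims, CookieAuthenticationDefaults.AuthenticationScheme);
        // Issue the cookie that [Authorize] validates on every later request.
        await HttpContext.SignInAsync(CookieAuthenticationDefaults.AuthenticationScheme, new ClaimsPrincipal(identity));
        if (Url.IsLocalUrl(ssoResult.RelayState)) return LocalRedirect(ssoResult.RelayState);
        return RedirectToAction("Index", "Home");
    }
}
```

With this in place, controllers carry a plain [Authorize] with no scheme argument; an expired or missing cookie sends the browser back through InitiateSingleSignOn.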