See saml Menu

Code Your C#/ASP.NET App to Provide SSO via OneLogin

Get the toolkit: 

Toolkit Overview

Let’s take a high-level look at the contents of the SAML Toolkit for C# and ASP.NET (dotnet-saml-master):

Content Description

/App_code

Copy these files into your ASP.NET application.

     AccountSettings.cs

Provided as a stub for you to customize with required account settings.

     AppSettings.cs

 

     Saml.cs

 

Consume.aspx

Along with Default.aspx, actually handles the SAML conversation. Use them as templates for making your application a SAML relying party/service provider.

Receives the SAML assertion.

Consume.aspx.cs

Along with Default.aspx, actually handles the SAML conversation. Use them as templates for making your application a SAML relying party/service provider.

Receives the SAML assertion.

Default.aspx

Along with Consume.aspx, actually handles the SAML conversation. Use them as templates for making your application a SAML relying party/service provider.

Acts as an initiator for the SAML conversation, if it needs to be initiated by the application. This is called service-provider-initiated SAML.

Default.aspx.cs

Along with Consume.aspx, actually handles the SAML conversation. Use them as templates for making your application a SAML relying party/service provider.

Acts as an initiator for the SAML conversation, if it needs to be initiated by the application. This is called service-provider-initiated SAML.

README

 

Web.Config

 

Using the Toolkit

In the case of service-provider-initiated SAML, the service provider creates a SAML authentication request and sends it to the identity provider (IdP):

Default.aspx.cs

using OneLogin.Saml;

  public partial class _Default : System.Web.UI.Page
  {
      protected void Page_Load(object sender, EventArgs e)
      {
          AccountSettings accountSettings = new AccountSettings();

          OneLogin.Saml.AuthRequest req = new AuthRequest(new AppSettings(), 
          accountSettings);
         
          Response.Redirect(accountSettings.idp_sso_target_url + "?SAMLRequest=" +
              Server.UrlEncode(req.GetRequest(AuthRequest.AuthRequestFormat.Base64)));
      }
  }

To know where to redirect the user with the authentication request, we need to establish the user’s identity provider. This depends on your application. If accounts have a dedicated subdomain name (e.g. mycompany.accountingapp.com) or if SAML authentication for accounts is limited to certain IP ranges, you need to look up account information based on whatever information you already have about the user.

For the purposes of this example, these settings are provided by AccountSettings.cs, which is meant as a stub for you to customize:

AccountSettings.CS

public class AccountSettings
{
    public string certificate = "-----BEGIN CERTIFICATE-----\nMIIBrTCCAaGgAwIBAgIBATADBg
    EAMGcxCzAJBgNVBAYTAlVTMRMwEQYDAQQIDApD\nYWxpZm9ybmlhMRUwEwYDVQQHDAxTYW50YSBNb25pY2Ex
    ETAPBgNVBAoMCE9uZUxv\nZ2luMRkwFwYDVQQDDBBhcHAub25lbG9naW4uY29tMB4XDTEwMDMwOTA5NTgzNF
    oX\nDTE1MDMwATA5NTgzNFowZzELMAkGA1UEBhMCVVMxEzARBgNVBAgMCkNhbGlmb3Ju\naWExFTATBgNVBA
    cMDFNhbnRhIE1vbmljYTERMA8GA1UECgwIT25lTG9naW4xGTAX\nBgNVBAMMEGFwcC5vbmVsA2dpbi5Ab20w
    gZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJ\nAoGBANtmwriqGBbZy5Dwy2CmJEtHEENVPoATCZP3UDESRDQmXy
    9Q0Kq1lBt+KyV4\nkJNHYAAQ9egLGWQ8/1atkPBye5s9fxROtf8VO3uk/x/X5VSROEIrhFISGmKUnVXa\nUh
    LFIXkGSCAIVfoR5S2ggdfpINKUWGsWS/lEzLNYMBkURXuVAgMBAAEwAwYBAAMB\nAA==\n-----END CERTI
    FICATE-----";

    public string idp_sso_target_url = "https://app.onelogin.com/saml/signon/12345";
}

The Consume.aspx script receives the SAML assertion. Once again, you’ll need to know the user’s identity provider, but this time you get a clue: the username or email address in the SAML assertion. Use samlResponse.GetNameID() to retrieve it.

Next you’ll use this information to retrieve the identity provider information. After that, you can verify that the SAML assertion is actually from the identity provider configured on the account:

Consume.aspx.cs

public partial class _Default : System.Web.UI.Page 
{
    protected void Page_Load(object sender, EventArgs e)
    {
        // replace with an instance of the users account.
        AccountSettings accountSettings = new AccountSettings();
        
        OneLogin.Saml.Response samlResponse = new Response(accountSettings);
        samlResponse.LoadXmlFromBase64(Request.Form["SAMLResponse"]);

        if (samlResponse.IsValid())
        {
            Response.Write("OK!");
            Response.Write(samlResponse.GetNameID());
        }
        else
        {
            Response.Write("Failed");
        }
    }
}

What Needs to be Configured

In the example above, SAML settings are divided into two parts:

  1. The application-specific (assertionConsumerServiceUrl, issuer) placed in AppSettings.cs.

  2. The user/account specific (certificate, idp_sso_target_url) placed in AccountSettings.cs.

You’ll need to add your own code here to identify the user or user origin (e.g. by subdomain or ip_address, for example).

The following information needs to be available on the account:

  • assertionConsumerServiceUrl

    The URL at which the SAML assertion should be received. In this example, http://localhost/SamlConsumer/Consume.aspx would be correct.

  • issuer

    The name of your application. Some identity providers might need this to establish the identity of the service provider requesting the login.

  • idp_sso_target_url

    The URL to which the authentication request should be sent. This would be on the identity provider.

?tags=onelogin+saml+c%23+%2Enet” target=”_blank”>StackOverflow.


Have a Question?

Found a problem or a bug? Submit a support ticket.

Looking for walkthroughs or how-to guides on OneLogin's user and admin features? Check out the documentation in our Knowledge Base.

Have a product idea or request? Share it with us in our Ideas Portal.