Azure Active Directory SSO with Asp.net Webforms

Question

We have an Asp.Net Webforms application in .Net 3.5, which is already having an authentication module with FormsAuthentication. For a new requirement, we need to implement SSO(SAML) with Azure Active Directory.

We have made required configurations in Azure AD by following the article https://docs.microsoft.com/en-us/azure/active-directory/manage-apps/configure-single-sign-on-non-gallery-applications . Next step is to retrieve a claim value from the SAML Response from Azure AD. We identified the SAML response using SAML Tracer extension in Firefox. The SAML response screenshot follows.

How to parse this response in the Login page of the application using C# and extract the claim value?

Answer 1

I recommend you to use ADFS 2.0 , it is very helpful in terms of claims mapping and works with AD.

http://msdn.microsoft.com/en-us/magazine/ee335705.aspx

Your app would receive and parse the final claims returned to your web server after the authentication loop.

Only problem is ADFS only works with AD, so it would work as an IdP if we assume all identity providers are AD-based. For other LDAPs you have to look for other solutions.

Also for the SAML response, it's an XML input which you can read like below

XDocument responseDoc = XDocument.Load(@"XMLFile1.xml");
XNamespace pr = "urn:oasis:names:tc:SAML:1.0:protocol";
XNamespace ast = "urn:oasis:names:tc:SAML:1.0:assertion";


XElement status = responseDoc.Element(pr + "Response").Element(pr + "Status");
string statusCode = (string)status.Element(pr + "StatusCode").Attribute("Value");
string statusMessage = (string)status.Element(pr + "StatusMessage");

Console.WriteLine("Status code: {0}; message: {1}.", statusCode, statusMessage);

XElement attStatement = responseDoc.Element(pr + "Response").Element(ast + "Assertion").Element(ast + "AttributeStatement");
string surname = (string)attStatement.Elements(ast + "Attribute").First(a => a.Attribute("AttributeName").Value == "Surname").Element(ast + "AttributeValue");
string firstname = (string)attStatement.Elements(ast + "Attribute").First(a => a.Attribute("AttributeName").Value == "FirstName").Element(ast + "AttributeValue");
string nrn = (string)attStatement.Elements(ast + "Attribute").First(a => a.Attribute("AttributeName").Value == "NRN").Element(ast + "AttributeValue");

Console.WriteLine("First name: {0}, last name: {1}; NRN: {2}", firstname, surname, nrn);

Check this thread for further information

https://forums.asp.net/t/1490469.aspx?parse+SAML+XML+response

Hope it helps.

Answer 2

You can use Windows Identity Foundation 3.5 that adds support of WS-Federation protocol to ASP.NET applications. .Net Framework 3.5 doesn't support SAML protocol. Azure AD supports both WS-Federation and SAML protocols for SSO.

Azure AD SSO Configuration instructions for WS-Federation protocol. Instructions are similar to SAML ones.

Windows Identity Foundation 3.5 provides two HttpModules for IIS that supports WS-Federation authentication: WSFederationAuthenticationModule and SessionAuthenticationModule .

Windows Identity Foundation 3.5 SDK

If you can upgrade your application to .Net Framework 4.5, you will benefit from having Windows Identity Foundation 4.5 fully integrated into .Net Framework itself.