Christian Pedersen
posted this on March 07, 2011 03:23 am
Make sure you read the Introduction to OneLogin's SAML Toolkits.
The App_Code folder contains the files you’ll copy into your ASP.NET application. The files Default.aspx and Consume.aspx are the ones that actually handle the SAML conversation, so let's have a look at those. They will act as a template for making your application a SAML relying party/service provider.
The Default.aspx file acts as the initiator of the SAML conversation when the login is started from the application. This is called Service Provider Initiated SAML. The service provider creates a SAML Authentication Request and sends it to the identity provider (IdP):
using System;
using OneLogin.Saml;

public partial class _Default : System.Web.UI.Page
{
    protected void Page_Load(object sender, EventArgs e)
    {
        // Look up the identity provider settings for this user's account (stub below).
        AccountSettings accountSettings = new AccountSettings();
        // Build the SAML authentication request from application and account settings.
        OneLogin.Saml.AuthRequest req = new AuthRequest(new AppSettings(), accountSettings);
        // HTTP-Redirect binding: send the browser to the IdP's SSO URL with the
        // base64-encoded request in the SAMLRequest query parameter.
        Response.Redirect(accountSettings.idp_sso_target_url + "?SAMLRequest=" +
            Server.UrlEncode(req.GetRequest(AuthRequest.AuthRequestFormat.Base64)));
    }
}
In order to know where to redirect the user with the authentication request, we need to establish the user's identity provider affinity. This depends on your application. Perhaps accounts have a dedicated subdomain (e.g. mycompany.accountingapp.com), or SAML authentication for accounts is limited to certain IP ranges. In those situations, you need to look up account information based on whatever information you already have about the user. In this example, those settings are provided by AccountSettings.cs, which is meant as a stub for your customization:
// Stub: replace with a lookup of the settings stored on the user's account.
public class AccountSettings
{
    // The identity provider's X.509 signing certificate (PEM), used to verify assertions.
    public string certificate = "-----BEGIN CERTIFICATE-----\nMIIBrTCCAaGgAwIBAgIBATADBgEAMGcxCzAJBgNVBAYTAlVTMRMwEQYDAQQIDApD\nYWxpZm9ybmlhMRUwEwYDVQQHDAxTYW50YSBNb25pY2ExETAPBgNVBAoMCE9uZUxv\nZ2luMRkwFwYDVQQDDBBhcHAub25lbG9naW4uY29tMB4XDTEwMDMwOTA5NTgzNFoX\nDTE1MDMwATA5NTgzNFowZzELMAkGA1UEBhMCVVMxEzARBgNVBAgMCkNhbGlmb3Ju\naWExFTATBgNVBAcMDFNhbnRhIE1vbmljYTERMA8GA1UECgwIT25lTG9naW4xGTAX\nBgNVBAMMEGFwcC5vbmVsA2dpbi5Ab20wgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJ\nAoGBANtmwriqGBbZy5Dwy2CmJEtHEENVPoATCZP3UDESRDQmXy9Q0Kq1lBt+KyV4\nkJNHYAAQ9egLGWQ8/1atkPBye5s9fxROtf8VO3uk/x/X5VSROEIrhFISGmKUnVXa\nUhLFIXkGSCAIVfoR5S2ggdfpINKUWGsWS/lEzLNYMBkURXuVAgMBAAEwAwYBAAMB\nAA==\n-----END CERTIFICATE-----";
    // The identity provider's single sign-on endpoint that receives the authentication request.
    public string idp_sso_target_url = "https://app.onelogin.com/saml/signon/12345";
}
The Consume.aspx script receives the SAML assertion. Again, you need to know the identity provider to which the user belongs, but now you get a clue, since the username or email address is in the SAML assertion - use samlResponse.GetNameID() to retrieve it. Next you’ll use this information to retrieve the identity provider information, and after that, you can verify that the SAML assertion is actually from the identity provider configured on the account:
using System;
using OneLogin.Saml;

public partial class _Default : System.Web.UI.Page
{
    protected void Page_Load(object sender, EventArgs e)
    {
        // Replace with an instance of the user's account settings.
        AccountSettings accountSettings = new AccountSettings();
        // Fully qualified: inside a Page, the bare name Response is the HttpResponse property.
        OneLogin.Saml.Response samlResponse = new OneLogin.Saml.Response(accountSettings);
        // HTTP-POST binding: the IdP posts the base64-encoded response in the SAMLResponse form field.
        samlResponse.LoadXmlFromBase64(Request.Form["SAMLResponse"]);
        // IsValid() verifies the assertion against the certificate configured on the account.
        if (samlResponse.IsValid())
        {
            Response.Write("OK!");
            // HTML-encode before writing the asserted NameID into the page.
            Response.Write(Server.HtmlEncode(samlResponse.GetNameID()));
        }
        else
        {
            Response.Write("Failed");
        }
    }
}
In the example above, the SAML settings are divided into two parts: the application-specific ones (assertionConsumerServiceUrl, issuer) placed in AppSettings.cs and the user/account-specific ones (certificate, idp_sso_target_url) placed in AccountSettings.cs. You’ll need to add your own code here to identify the user or the user's origin (e.g. by subdomain, IP address etc.).
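The account lookup the paragraph above asks you to supply, as an added example that is not part of the toolkit or the original post: a hypothetical AccountDirectory resolves the IdP by subdomain for the login redirect and by the NameID's e-mail domain when consuming, and the consumer then verifies the assertion against that account's certificate. It assumes the toolkit's Response can parse and return the NameID before validation, uses constructed placeholder entries, and uses C# 7 syntax.

```csharp
using System;
using System.Collections.Generic;
using OneLogin.Saml;

// Hypothetical per-account directory (not part of the toolkit). The entries are
// constructed sample data; a real application would read them from its account store.
public static class AccountDirectory
{
    static readonly Dictionary<string, AccountSettings> BySubdomain = new Dictionary<string, AccountSettings>(StringComparer.OrdinalIgnoreCase);
    static readonly Dictionary<string, AccountSettings> ByEmailDomain = new Dictionary<string, AccountSettings>(StringComparer.OrdinalIgnoreCase);
    static AccountDirectory()
    {
        var acme = new AccountSettings();
        acme.certificate = "-----BEGIN CERTIFICATE-----\n<acme IdP certificate placeholder>\n-----END CERTIFICATE-----";
        acme.idp_sso_target_url = "https://idp.acme.example/saml/sso"; // placeholder URL
        BySubdomain["acme"] = acme;           // acme.accountingapp.com -> acme's IdP
        ByEmailDomain["acme.example"] = acme; // alice@acme.example     -> acme's IdP
    }
    // SP-initiated login (Default.aspx): choose the IdP from the request host.
    public static AccountSettings ForHost(string host)
    {
        return BySubdomain.TryGetValue(host.Split('.')[0], out var a) ? a : null;
    }
    // Consume.aspx: the NameID's e-mail domain selects the account whose IdP certificate the assertion must verify against.
    public static AccountSettings ForNameID(string nameId)
    {
        int at = nameId == null ? -1 : nameId.IndexOf('@');
        return at >= 0 && ByEmailDomain.TryGetValue(nameId.Substring(at + 1), out var a) ? a : null;
    }
}

public partial class Consume : System.Web.UI.Page
{
    protected void Page_Load(object sender, EventArgs e)
    {
        string encoded = Request.Form["SAMLResponse"];
        if (string.IsNullOrEmpty(encoded)) { Response.StatusCode = 400; return; }
        // Pass 1: parse only, to read the NameID hint. Nothing is trusted yet.
        var probe = new OneLogin.Saml.Response(new AccountSettings());
        probe.LoadXmlFromBase64(encoded);
        AccountSettings account = AccountDirectory.ForNameID(probe.GetNameID());
        if (account == null) { Response.StatusCode = 403; return; }
        // Pass 2: verify the signature against that account's IdP certificate.
        var saml = new OneLogin.Saml.Response(account);
        saml.LoadXmlFromBase64(encoded);
        if (!saml.IsValid()) { Response.StatusCode = 403; return; }
        // Only now is the NameID trustworthy, and it belongs to `account` by construction.
        Response.Write(Server.HtmlEncode(saml.GetNameID()));
    }
}
```

Because the same AccountSettings object is used both to choose the account and to verify the assertion, a response signed by one account's IdP cannot be accepted for a user of another account.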
The following information needs to be available on the account:

assertionConsumerServiceUrl
    The URL at which the SAML assertion should be received. In this example "http://localhost/SamlConsumer/Consume.aspx" would be correct.

issuer
    The name of your application. Some identity providers might need this to establish the identity of the service provider requesting the login.

idp_sso_target_url
    The URL to which the authentication request should be sent. This would be on the identity provider.

certificate
    The X.509 certificate fingerprint. This is provided by the identity provider when setting up the relationship.