Showing posts with label Web App SSO. Show all posts
Showing posts with label Web App SSO. Show all posts

Friday, February 21, 2025

Azure AD SAML SSO for Web Application

Requirement:

External vendor having SAML based app registered in their Azure AD and wanted to do SSO from web application.


Prerequisites:

- Create a SAML app in Azure AD and then provide us the Metadata, EntityId details. (This usually would be done by external vendor side, we can mock ourside to test internally)

- Will use SustainSys library for SAML setup in C#. Refer: https://saml2.sustainsys.com/en/v2/

- Web application with .Net Core, C#, Razor

Implementation Steps:

- Create SAML App in Azure AD (For mock test). Go to Entra Id -> Enterprise applications -> Add New Application -> Create Your Own Application -> Provide Some App Name + Choose "Integrate any other application you don't find in the gallery (Non-gallery)"

- Go to your web project, add Sustainsys.Saml2.AspNetCore2 from Nuget. 

- Update the startup to include SAML2 steps, something like below

using Microsoft.AspNetCore.Authentication.Cookies;

using Sustainsys.Saml2;

using Sustainsys.Saml2.AspNetCore2;

using Sustainsys.Saml2.Metadata;

          .....

builder.Services.AddAuthentication(opt =>

{

    // Default scheme that maintains session is cookies.

    opt.DefaultScheme = CookieAuthenticationDefaults.AuthenticationScheme;

 

    // If there's a challenge to sign in, use the Saml2 scheme.

    opt.DefaultChallengeScheme = Saml2Defaults.Scheme;

})

.AddCookie()

.AddSaml2(opt =>

{

    // Set up our EntityId, this is our application.

    opt.SPOptions.EntityId = new EntityId("YourAppName"); //This would be the External AD SAML App's Identifier (Entity ID)

 

    opt.IdentityProviders.Add(

        new IdentityProvider(

            new EntityId("SamlAppIdentiferURL"), //Saml App's Microsoft Entra Identifier

            opt.SPOptions)

        {

            MetadataLocation = "SamlAppMetadataUrl", //Saml App's Meatadata Url

            LoadMetadata = true

        });

});

 

- Now we can initiate the Challenge in code 

var props = new AuthenticationProperties

 {

     RedirectUri = "/"

 };

 return Challenge(props, Saml2Defaults.Scheme); 

//You can set some different default scheme in startup and change in runtime here too



- Read the claims as below

  var authResult = await HttpContext.AuthenticateAsync();

  Properties = authResult.Properties!.Items;

  Claims = authResult.Principal!.Claims;


Posted by at No comments:
Labels: , , , , , ,
Subscribe to: Posts (Atom)