I have an ASP.NET MVC application that allows users to connect via 2 Thinktecture IdP servers. The MVC app trusts both of these IdP servers and authenticates users perfectly.
The current setup uses <System.IdentityModel.Services.WSFederationAuthenticationModule> and <System.IdentityModel.Services.SessionAuthenticationModule> in the <modules> section of web.config to handle these.
We have a new party who wants to authenticate users by sending a SAML v2 token, and the MVC app doesn't seem to recognise it.
I've compared the POST responses from both the IdP servers (SAML1) and the new login server (SAML2), and there are subtle differences that may be causing the problems.
The IdP server seems to use <trust:RequestedSecurityToken> attributes to wrap the <saml:Assertion>, whereas the new client sends a POST request body containing <saml><samlp:Response>.
My questions are:
1) Is the new <samlp:Response> (SAML2P version) not supported by Microsoft WIF? Or is it only interested in the <saml:Assertion> element?
2) Where does WIF look for the SAML token? The POST body? The Authentication header (bearer)?
3) Currently, when a user is not authenticated, it redirects them to the local IdP servers; they log in, it returns a SAML response, and that is picked up. The new client passes the request to the view page with the SAML token (true single-sign-on). I wonder if this difference is causing the problems. As for manually handling the redirect to the user's local IdP, I have tried turning it off for the new client.
EDIT after digging...
The SAML2 protocol is not supported by Microsoft WIF, nor will it ever be.
SAML2 protocol messages take the form of a parameter (saml=<saml:Response><etc...) within the body of the HTTP POST. In my case it didn't use the standard parameter format of (saml=); the XML was directly inline in the HTTP POST body.
AFAIK, the SAMLP protocol is not (yet?) supported by WIF. The replacement is the querystring parameters used in WS-Federation. There should be third-party extensions (How should I implement SAMLP 2.0 in an ASP.NET MVC 4 service provider?). Since I haven't used them myself I cannot give further advice.
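The question compares the two POST shapes the app receives: a WS-Federation wresult whose <trust:RequestedSecurityToken> wraps a <saml:Assertion>, versus a bare <samlp:Response>. The following classifier, added here as an example and not code from the question or answer, tells them apart by root element and namespace, whether the XML arrives as a form field or inline in the body. The sample bodies are constructed (not real tokens) and the form-field names wresult, SAMLResponse and saml are assumptions about what the IdPs send.

```python
from urllib.parse import parse_qs, urlencode
from xml.etree import ElementTree as ET

# Well-known namespaces for the two token shapes described in the question.
WS_TRUST = {"http://docs.oasis-open.org/ws-sx/ws-trust/200512",   # WS-Trust 1.3
            "http://schemas.xmlsoap.org/ws/2005/02/trust"}         # WS-Trust 2005
SAML_ASSERTION = {"urn:oasis:names:tc:SAML:1.0:assertion": "saml1",
                  "urn:oasis:names:tc:SAML:2.0:assertion": "saml2"}
SAML2P = "urn:oasis:names:tc:SAML:2.0:protocol"

def _parse_xml(text):
    try:
        return ET.fromstring(text)
    except ET.ParseError:
        return None

def _ns(tag):
    return tag[1:].split("}")[0] if tag.startswith("{") else ""

def classify_post_body(body: str) -> str:
    """Label an IdP POST body as 'ws-federation/saml1', 'ws-federation/saml2',
    'saml2p' or 'unknown', whether the XML is inline or inside a form field."""
    root = _parse_xml(body)                      # raw XML posted inline
    if root is None:                             # otherwise look inside form fields (assumed names)
        fields = parse_qs(body, keep_blank_values=True)
        for key in ("wresult", "SAMLResponse", "saml"):
            if key in fields:
                root = _parse_xml(fields[key][0])
                if root is not None:
                    break
    if root is None:
        return "unknown"
    if root.tag == f"{{{SAML2P}}}Response":      # SAML 2.0 protocol response
        return "saml2p"
    if _ns(root.tag) in WS_TRUST:                # WS-Trust RSTR carrying the assertion
        for el in root.iter():
            if el.tag.endswith("}RequestedSecurityToken"):
                for child in el:
                    if _ns(child.tag) in SAML_ASSERTION:
                        return "ws-federation/" + SAML_ASSERTION[_ns(child.tag)]
    return "unknown"

# Constructed sample bodies (not real tokens): a WS-Federation wresult and an inline SAML 2.0 Response.
WSFED_BODY = urlencode({"wa": "wsignin1.0", "wresult":
    '<t:RequestSecurityTokenResponse xmlns:t="http://schemas.xmlsoap.org/ws/2005/02/trust">'
    '<t:RequestedSecurityToken><saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion" '
    'AssertionID="_constructed"/></t:RequestedSecurityToken></t:RequestSecurityTokenResponse>'})
SAML2P_BODY = ('<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="_constructed">'
               '<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"/></samlp:Response>')

if __name__ == "__main__":
    print(classify_post_body(WSFED_BODY))   # ws-federation/saml1
    print(classify_post_body(SAML2P_BODY))  # saml2p
```

Logging this label at the point where WSFederationAuthenticationModule would otherwise silently ignore the request makes it obvious which client is posting an unsupported shape.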