1. The sample uses https://www.onelogin.com/ as the identity provider (IdP) supporting SAML2.
2. Kentor AuthServices is the third-party library that adds SAML2P support to IdentityServer 3 (Sitefinity 10 authentication is based on IdentityServer 3). A blog post with sample code for using the Kentor library is here: https://coding.abel.nu/2015/01/saml2-for-thinktecture-identityserver-3-with-kentor-authservices/
Note: the steps below are specific to onelogin.com.
3. Create an account in onelogin.com and, in the Apps->Add App menu, create a new app of type "SAML Test Connector (IdP w/attr)". When it is created, open the app from Apps->Company Apps and configure it as follows.
In the Configuration tab (note that the host name I have used for the sample is http://sitefinitylocal.com):
ACS (Consumer) URL Validator*: http\:\/\/sitefinitylocal\.com\/Sitefinity\/Authenticate\/OpenID\/AuthServices\/Acs (note that this field is a regular expression, so every special character must be escaped)
ACS (Consumer) URL*: http://sitefinitylocal.com/Sitefinity/Authenticate/OpenID/AuthServices/Acs
In the SSO tab:
X.509 Certificate: Standard Strength Certificate (2048-bit)
SAML Signature Algorithm: SHA-256
Note 1: Copy the URL from the Issuer URL textbox; this URL will be used in Sitefinity, e.g. https://app.onelogin.com/saml/metadata/660765
Check the checkbox: Allow assumed users to sign into this app
Click Save to save the configuration.
4. Create a new authentication provider in Sitefinity from Administration->Settings->Advanced->Authentication->SecurityTokenService->AuthenticationProviders: click Create New and select AuthenticationProviderElement.
Configure the new provider with:
Data Provider: Default (this is the membership provider in which the authenticated user is created)
Title: SAML2p
Enabled: check the checkbox
Auto assigned roles: specify the name of the Sitefinity role that will be assigned to the user logging in.
5. Install the Kentor NuGet packages:
https://www.nuget.org/packages/Kentor.AuthServices.HttpModule/
https://www.nuget.org/packages/Kentor.AuthServices.Owin/
6. Add the class from the attached file (CustomAuthenticationProvider.zip). It extends AuthenticationProvidersInitializer, plugs into the provider created in step 4 and adds provider-specific configuration to it. In the CustomAuthenticationProvidersInitializer class, the GetAdditionalIdentityProviders method is overridden to supply the extra configuration for the provider from step 4. Note that it uses the data filled in in step 4; keep an eye on this if you change the provider name and title when you test this with your own provider:
additionalProviders["saml2p"] = ... <-- "saml2p" is the Name of the provider from step 4.
AuthenticationType = "saml2p", <-- the Name of the provider from step 4.
Caption = "SAML2p", <-- the Title of the provider from step 4.
EntityId = new EntityId("http://sitefinitylocal.com"), <-- the URL of the site to which the sample authenticates.
new EntityId("https://app.onelogin.com/saml/metadata/660765"), <-- the metadata URL from step 3, Note 1 (update this with the metadata URL from your own OneLogin account).
7. Register CustomAuthenticationProvidersInitializer in Global.asax as below:
protected void Application_Start(object sender, EventArgs e)
{
    SystemManager.ApplicationStart += SystemManager_ApplicationStart; // hook Sitefinity's own startup event
}
private void SystemManager_ApplicationStart(object sender, EventArgs e)
{
    ObjectFactory.Container.RegisterType<AuthenticationProvidersInitializer, CustomAuthenticationProvidersInitializer>(new ContainerControlledLifetimeManager()); // replace the default initializer with the custom one (Unity singleton)
}
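Pulling steps 4 and 6 together, the shape of the initializer as an added illustrative example (not the attached CustomAuthenticationProvider.zip and not the project's own code): it assumes the Kentor.AuthServices.Owin option and IdentityProvider property names as published by that package, the Sitefinity GetAdditionalIdentityProviders signature, and the two Telerik namespaces in the usings, all taken from memory rather than from this page.

```csharp
using System;
using System.Collections.Generic;
using System.IdentityModel.Metadata;          // EntityId (WIF type used by Kentor)
using Kentor.AuthServices;                    // IdentityProvider
using Kentor.AuthServices.Configuration;      // SPOptions
using Kentor.AuthServices.Owin;               // KentorAuthServicesAuthenticationOptions
using Owin;
using Telerik.Sitefinity.Authentication;      // AuthenticationProvidersInitializer (assumed namespace)
using Telerik.Sitefinity.Authentication.Configuration.SecurityTokenService.ExternalProviders; // AuthenticationProviderElement (assumed namespace)

public class CustomAuthenticationProvidersInitializer : AuthenticationProvidersInitializer
{
    public override Dictionary<string, Action<IAppBuilder, string, AuthenticationProviderElement>>
        GetAdditionalIdentityProviders()
    {
        var additionalProviders = base.GetAdditionalIdentityProviders();
        // Dictionary key = Name of the provider element created in step 4.
        additionalProviders["saml2p"] = (app, signInAsType, providerConfig) =>
        {
            var options = new KentorAuthServicesAuthenticationOptions(false)
            {
                AuthenticationType = "saml2p",          // Name of the provider from step 4
                Caption = "SAML2p",                     // Title of the provider from step 4
                SignInAsAuthenticationType = signInAsType,
                SPOptions = new SPOptions
                {
                    // SP entity id: the site being authenticated (step 6). Kentor's default
                    // module path "/AuthServices" under the Sitefinity STS yields the ACS URL
                    // registered in OneLogin in step 3 (.../OpenID/AuthServices/Acs).
                    EntityId = new EntityId("http://sitefinitylocal.com")
                }
            };

            options.IdentityProviders.Add(new IdentityProvider(
                new EntityId("https://app.onelogin.com/saml/metadata/660765"), // Issuer URL, step 3 Note 1
                options.SPOptions)
            {
                // Fetch the IdP's SSO endpoint and signing certificate from its metadata, so
                // every SAML response is verified against the certificate OneLogin publishes.
                LoadMetadata = true,
                // SP-initiated sign-in only: reject responses that answer no request we sent.
                AllowUnsolicitedAuthnResponse = false
            });

            app.UseKentorAuthServicesAuthentication(options);
        };
        return additionalProviders;
    }
}
```

If the OneLogin Issuer URL or the Sitefinity host name differ from the sample, both EntityId values above must be changed together with the ACS URL from step 3, otherwise the assertion audience and signature checks fail.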