How to configure external STS Login using SAML2 token for onelogin.com

Title: How to configure external STS Login using SAML2 token for onelogin.com
URL Name: How-to-configure-external-STS-Login-using-SAML-token
Article Number: 000188412
Environment:
Product: Sitefinity
Version: 10.x, 11.x, 12.x, 13.x
OS: All supported OS versions
Database: All supported Microsoft SQL Server versions
Question/Problem Description
How to configure external STS login with https://onelogin.com. Onelogin.com uses a SAML2 token for authentication.
Resolution
1. The sample uses https://www.onelogin.com/ as the identity provider supporting SAML2.
2. Kentor AuthServices is the third-party library that adds SAML2P support to IdentityServer 3 (Sitefinity 10 authentication is based on IdentityServer 3). A blog post with sample code for using the Kentor library is here: https://coding.abel.nu/2015/01/saml2-for-thinktecture-identityserver-3-with-kentor-authservices/
The steps below are specific to onelogin.com.
3. Create an account in onelogin.com and, in the Apps -> Add App menu, create a new app of type "SAML Test Connector (IdP w/attr)". Once it is created, open the app from Apps -> Company Apps and apply the following configuration.
In the Configuration tab (the host name used for the sample is http://sitefinitylocal.com):
Audience: http://sitefinitylocal.com
Recipient: http://sitefinitylocal.com
ACS (Consumer) URL Validator*: http\:\/\/sitefinitylocal\.com\/Sitefinity\/Authenticate\/OpenID\/AuthServices\/Acs (this field is a regular expression, so every special character must be escaped)
ACS (Consumer) URL*: http://sitefinitylocal.com/Sitefinity/Authenticate/OpenID/AuthServices/Acs

In the SSO tab:
X.509 Certificate: Standard Strength Certificate (2048-bit)
SAML Signature Algorithm: SHA-256
Note 1: Copy the URL from the Issuer URL textbox; this URL will be used in Sitefinity, e.g. https://app.onelogin.com/saml/metadata/660765
Check the checkbox: Allow assumed users to sign into this app

Click Save to save the configuration.

4. Create a new authentication provider in Sitefinity from Administration -> Settings -> Advanced -> Authentication -> SecurityTokenService -> AuthenticationProviders: click Create New and select AuthenticationProviderElement.
Configure the new provider with:
Data Provider: Default (this is the membership provider in which the authenticated user is created)
Name: saml2p
Title: SAML2p
Enabled: check the checkbox
Auto assigned roles: specify the name of the Sitefinity role that will be assigned to the user logging in.
Save changes.

5. Install the Kentor NuGet packages:
https://www.nuget.org/packages/Kentor.AuthServices.HttpModule/
https://www.nuget.org/packages/Kentor.AuthServices.Owin/

6. Add the class from the attached file (CustomAuthenticationProvider.zip). It extends AuthenticationProvidersInitializer, plugs into the provider created in step 4 and adds provider-specific configuration to it. In the class CustomAuthenticationProvidersInitializer, the method GetAdditionalIdentityProviders is overridden to add further configuration for the provider created in step 4. Note that it uses the data entered in step 4; keep an eye on this if you change the provider name and title when you test this with your own provider:
additionalProviders["saml2p"] = <-- this is the Name of the provider from step 4
AuthenticationType = "saml2p", <-- this is the Name of the provider from step 4
Caption = "SAML2p", <-- this is the Title of the provider from step 4

EntityId = new EntityId("http://sitefinitylocal.com"), <-- this is the URL of the site to which the sample authenticates
new EntityId("https://app.onelogin.com/saml/metadata/660765"), <-- this is the metadata URL from step 3, Note 1 (update this with the metadata URL from your onelogin account)
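The attached class itself is not reproduced on this page. The following is an added example (not the attached file and not Progress's or Kentor's code) of what an initializer wired up as described in step 6 looks like, using the Sitefinity AuthenticationProvidersInitializer override and the Kentor.AuthServices.Owin API. The constant names are assumptions; the EntityId values are the sample ones from steps 3 and 6.

```csharp
using System;
using System.Collections.Generic;
using System.IdentityModel.Metadata;     // EntityId
using Kentor.AuthServices;               // IdentityProvider
using Kentor.AuthServices.Configuration; // SPOptions
using Kentor.AuthServices.Owin;          // KentorAuthServicesAuthenticationOptions, UseKentorAuthServicesAuthentication
using Owin;                              // IAppBuilder
using Telerik.Sitefinity.Authentication; // AuthenticationProvidersInitializer

// Added example (not the attached CustomAuthenticationProvider.zip): the override Sitefinity's STS calls
// to register additional OWIN identity providers.
public class CustomAuthenticationProvidersInitializer : AuthenticationProvidersInitializer
{
    // Must match the Name and Title of the provider created in step 4 (constant names are assumed).
    private const string ProviderName = "saml2p";
    private const string ProviderTitle = "SAML2p";
    // Service-provider entity id (the Sitefinity site, step 3) and the OneLogin issuer/metadata URL
    // from step 3, Note 1. Replace the metadata URL with the one from your own OneLogin account.
    private const string SpEntityId = "http://sitefinitylocal.com";
    private const string IdpMetadataUrl = "https://app.onelogin.com/saml/metadata/660765";

    public override Dictionary<string, Action<IAppBuilder>> GetAdditionalIdentityProviders(string signInAsType)
    {
        var additionalProviders = base.GetAdditionalIdentityProviders(signInAsType);
        additionalProviders[ProviderName] = app =>
        {
            // false: build the options in code instead of loading <kentor.authServices> from web.config
            var options = new KentorAuthServicesAuthenticationOptions(false)
            {
                SPOptions = new SPOptions
                {
                    EntityId = new EntityId(SpEntityId)
                },
                SignInAsAuthenticationType = signInAsType,
                AuthenticationType = ProviderName,
                Caption = ProviderTitle
            };
            // LoadMetadata = true fetches the IdP's SSO endpoint and signing certificate from the metadata URL,
            // so incoming responses are checked against OneLogin's certificate; keep that URL on HTTPS.
            options.IdentityProviders.Add(new IdentityProvider(new EntityId(IdpMetadataUrl), options.SPOptions)
            {
                LoadMetadata = true,
                // Needed when users start the login from the OneLogin portal (IdP-initiated SSO).
                AllowUnsolicitedAuthnResponse = true
            });
            app.UseKentorAuthServicesAuthentication(options);
        };
        return additionalProviders;
    }
}
```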

7. Register the CustomAuthenticationProvidersInitializer in Global.asax like below:
using System;
using Telerik.Microsoft.Practices.Unity;
using Telerik.Sitefinity.Abstractions; // SystemManager, ObjectFactory
using Telerik.Sitefinity.Authentication;

protected void Application_Start(object sender, EventArgs e)
{
    // Defer the registration until Sitefinity's own services are available.
    SystemManager.ApplicationStart += SystemManager_ApplicationStart;
}

private void SystemManager_ApplicationStart(object sender, EventArgs e)
{
    // Replace the built-in initializer with the custom one for the lifetime of the container.
    ObjectFactory.Container.RegisterType<AuthenticationProvidersInitializer, CustomAuthenticationProvidersInitializer>(new ContainerControlledLifetimeManager());
}

Notes

If you need to migrate from Kentor to Sustainsys, the following article can be used:

https://coding.abel.nu/2018/01/renaming-kentor-authservices-nuget-packages-to-sustainsys-saml2/

Last Modified Date: 10/27/2020 8:57 AM