Hi Markus
I think you will come a long way by following this sample: https://github.com/Sustainsys/Saml2.Samples/blob/main/v2/AspNetCore/Program.cs. The only thing missing is the synchronization of claims upon successful authentication.
You can probably extend the .AddCookie() call from the linked sample with something like this (inspired by the CMS 12 documentation):
```csharp
.AddCookie(CookieAuthenticationDefaults.AuthenticationScheme, options =>
{
    options.Events.OnSignedIn = async ctx =>
    {
        if (ctx.Principal?.Identity is ClaimsIdentity claimsIdentity)
        {
            // Syncs user and roles so they are available to the CMS
            var synchronizingUserService = ctx.HttpContext.RequestServices.GetRequiredService<ISynchronizingUserService>();
            await synchronizingUserService.SynchronizeAsync(claimsIdentity);
        }
    };
})
```
But I checked and it seems that library is quite old. It is not officially supported on .NET 5+.
If possible, try to use OpenID/OAuth instead. It is newer and easier to implement (Microsoft has an officially supported NuGet).
Not really implemented SAML2; generally we stick to OIDC, and have some examples for Okta and Azure AD floating about (Netcel-Optimizely/Optimizely-Okta: Example Solution utilising Okta for Authentication and Authorisation (github.com)).
Although taking your subject line and sticking it into ChatGPT, it has come up with the following:
Here is example code showing SAML2 login for Episerver CMS 12 (.NET 6) using Sustainsys for Editor and Admin authentication:
1. First, you need to install the Sustainsys.Saml2.AspNetCore2 package from NuGet.
2. Next, add the following code to your Startup.cs file:
```csharp
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Hosting;
using Microsoft.Extensions.Configuration;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.Extensions.Hosting;
using Sustainsys.Saml2;              // IdentityProvider
using Sustainsys.Saml2.AspNetCore2;  // AddSaml2
using Sustainsys.Saml2.Metadata;     // EntityId
using Sustainsys.Saml2.WebSso;       // Saml2BindingType
public class Startup
{
    public IConfiguration Configuration { get; }
    public Startup(IConfiguration configuration)
    {
        Configuration = configuration;
    }
    public void ConfigureServices(IServiceCollection services)
    {
        // Add cookie + SAML2 authentication services.
        services
            .AddAuthentication()
            // The "Cookies" scheme that SAML2 signs in to must actually be registered.
            .AddCookie("Cookies")
            .AddSaml2(options =>
            {
                // Set this service provider's own EntityId (an EntityId object, not a plain string).
                options.SPOptions.EntityId = new EntityId(Configuration["Saml2:EntityId"]);
                // Set the service provider's own certificate (used to sign requests / decrypt assertions).
                // The identity provider's signing certificate is configured on the IdentityProvider below.
                options.SPOptions.ServiceCertificates.Add(new System.Security.Cryptography.X509Certificates.X509Certificate2(
                    Configuration["Saml2:CertificateFile"], Configuration["Saml2:CertificatePassword"]));
                // Set the authentication scheme name.
                options.SignInScheme = "Cookies";
                // Set the SAML2 identity provider options. SingleSignOnServiceUrl and
                // SingleLogoutServiceUrl belong to the identity provider, not to SPOptions.
                options.IdentityProviders.Add(new IdentityProvider(
                    new EntityId(Configuration["Saml2:IdentityProviderEntityId"]), options.SPOptions)
                {
                    SingleSignOnServiceUrl = new System.Uri(Configuration["Saml2:SingleSignOnServiceUrl"]),
                    SingleLogoutServiceUrl = new System.Uri(Configuration["Saml2:SingleLogoutServiceUrl"]),
                    Binding = Saml2BindingType.HttpRedirect,
                    // With LoadMetadata = false the identity provider's signing certificate must be added
                    // manually via SigningKeys.AddConfiguredKey(...); with LoadMetadata = true the endpoints
                    // and keys are fetched from the identity provider's metadata instead.
                    LoadMetadata = false
                });
            });
        services.AddCms();
    }
    public void Configure(IApplicationBuilder app, IWebHostEnvironment env)
    {
        if (env.IsDevelopment())
        {
            app.UseDeveloperExceptionPage();
        }
        app.UseHttpsRedirection();
        app.UseStaticFiles();
        app.UseRouting();
        app.UseAuthentication();
        app.UseAuthorization();
        app.UseEndpoints(endpoints =>
        {
            endpoints.MapContent();
            endpoints.MapRazorPages();
        });
    }
}
```
3. In the appsettings.json file, add the following configuration settings:
```json
{
  "Saml2": {
    "EntityId": "https://yourwebsite.com",
    "SingleSignOnServiceUrl": "https://youridentityprovider.com/sso",
    "SingleLogoutServiceUrl": "https://youridentityprovider.com/slo",
    "IdentityProviderEntityId": "https://youridentityprovider.com",
    "CertificateFile": "path/to/your/certificate.pfx",
    "CertificatePassword": "yourcertificatepassword"
  }
}
```
Replace the values with your own SAML2 identity provider configuration settings.
4. Redirect /util/login/ to the SAML page:
```csharp
// Request.Url does not exist in ASP.NET Core; Request.Scheme and Request.Host build the same absolute URL.
Saml2P.GetRedirectUrl($"{Request.Scheme}://{Request.Host}/Saml2/Acs", "Cookies");
```
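Putting Stefan's cookie hook and the Sustainsys wiring from the generated Startup together in one .NET 6 minimal-hosting Program.cs, as an added example that is not from the thread, the CMS documentation or the Sustainsys samples. Assumptions: ISynchronizingUserService lives in the EPiServer.Security namespace, the Saml2 configuration section uses the appsettings.json keys above plus one extra key, IdpSigningCertificate, pointing at the identity provider's public signing certificate, and the post-login landing page is /episerver/cms.

```csharp
using System.Security.Claims;
using System.Security.Cryptography.X509Certificates;
using EPiServer.Security;            // ISynchronizingUserService (assumed namespace)
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Authentication.Cookies;
using Sustainsys.Saml2;
using Sustainsys.Saml2.AspNetCore2;
using Sustainsys.Saml2.Metadata;
using Sustainsys.Saml2.WebSso;
var builder = WebApplication.CreateBuilder(args);
var saml = builder.Configuration.GetSection("Saml2"); // same keys as the appsettings.json above
builder.Services.AddCms();
builder.Services
    .AddAuthentication(o =>
    {
        o.DefaultScheme = CookieAuthenticationDefaults.AuthenticationScheme;
        o.DefaultChallengeScheme = Saml2Defaults.Scheme; // unauthenticated edit-UI requests go to the IdP
    })
    .AddCookie(CookieAuthenticationDefaults.AuthenticationScheme, o =>
    {
        o.Events.OnSignedIn = async ctx =>
        {   // Sync the IdP's claims into the CMS user/role store (Stefan's snippet)
            if (ctx.Principal?.Identity is ClaimsIdentity id)
                await ctx.HttpContext.RequestServices.GetRequiredService<ISynchronizingUserService>().SynchronizeAsync(id);
        };
    })
    .AddSaml2(o =>
    {
        o.SignInScheme = CookieAuthenticationDefaults.AuthenticationScheme;
        // SP side: our own entity id and the certificate we sign requests / decrypt assertions with
        o.SPOptions.EntityId = new EntityId(saml["EntityId"]);
        o.SPOptions.ServiceCertificates.Add(new X509Certificate2(saml["CertificateFile"], saml["CertificatePassword"]));
        // IdP side: SSO/SLO endpoints and the IdP signing certificate belong on IdentityProvider, not SPOptions
        var idp = new IdentityProvider(new EntityId(saml["IdentityProviderEntityId"]), o.SPOptions)
        {
            SingleSignOnServiceUrl = new Uri(saml["SingleSignOnServiceUrl"]),
            SingleLogoutServiceUrl = new Uri(saml["SingleLogoutServiceUrl"]),
            Binding = Saml2BindingType.HttpRedirect,
            AllowUnsolicitedAuthnResponse = false // only accept responses to requests this SP issued
        };
        idp.SigningKeys.AddConfiguredKey(new X509Certificate2(saml["IdpSigningCertificate"])); // assumed extra key
        o.IdentityProviders.Add(idp);
    });
var app = builder.Build();
app.UseAuthentication();
app.UseAuthorization();
// Step 4 of the thread: /util/login starts the SAML2 flow and returns to edit mode afterwards
app.MapGet("/util/login", () => Results.Challenge(
    new AuthenticationProperties { RedirectUri = "/episerver/cms" }, new[] { Saml2Defaults.Scheme }));
app.MapContent();
app.Run();
```

Because responses are only validated against the configured IdP signing certificate, rotate that file together with the identity provider's key, or switch to LoadMetadata = true with a MetadataLocation so the keys are refreshed automatically.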
Thanks both Stefan and Minesh!
Unfortunately we can't use OIDC in our own IDP yet. Think they're working on it, but the wheels turn slowly.
I'll point our developers to this page so that they have something to start with. If the ChatGPT example would work pretty much out the box it'd be both amazing and scary :-)
//Markus
Hello Minesh,
"Re: ChatGPT - I'm honestly excited by its potential although hope it does not bite me in the backside and make my job redundant lol. Having a quick look at what it generated it won't work exactly ootb, I made some changes to the startup.cs but hopefully gives your devs a good start"
Would you mind sharing the changes you made that you are referring to?
Best Regards
/Mikael
Hi,
We're trying to implement a SAML2-login for CMS 12 using the Sustainsys library (https://saml2.sustainsys.com/en/v2/).
Does anyone have any boilerplate code on how to implement the above?
Right now we're using plain user accounts for logging in to the CMS.
Any help appreciated!
Regards
Markus