AzureAD / azure-activedirectory-identitymodel-extensions-for-dotnet

IdentityModel extensions for .Net
MIT License

Roadmap for WS-Fed/SAML token support #595

Closed leastprivilege closed 7 years ago

leastprivilege commented 7 years ago

Hi @brentschmaltz (and @polita)

in the last update you said "April timeframe" -

I need to know more details.

What exactly will be released in April?

How is that related to the WS-Federation middleware for ASP.NET Core? Is this planned in the same timeframe? Or IdentityModel first - and then the middleware later? If yes - when (roughly) ?

I have a couple of customers that need that functionality soon - otherwise I will port those things myself for the time being.

https://github.com/chrisdrobison/aspnetcore-wsfed is a good start - but there's the versioning conflict which makes it impractical to use.

thanks

Tratcher commented 7 years ago

@leastprivilege for ASP.NET, once @brentschmaltz's work is done then we'll first use it to update Katana. After that's done we'll port the middleware to ASP.NET Core.

brentschmaltz commented 7 years ago

@leastprivilege @Tratcher We are getting close; the WsFed topic branch has the code for Saml and WsFed. I was hoping for a prototype this week, but it will most likely push out to next week. The code is in 5.x and will have support for Core and Desktop.

@leastprivilege @PinpointTownes @Tratcher I was thinking of dropping support for Saml1 tokens for the first release (they are messy with multiple keys, as each subject can have a key). Do you think that would be OK?

NOTE: I whack, rebase and squash that topic branch all the time.

See: https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet/tree/WsFed

leastprivilege commented 7 years ago

ADFS uses SAML1.1 tokens by default IIRC - so not supporting that would miss the main reason we need SAML in the first place.

leastprivilege commented 7 years ago

Do you have an approx ETA for when the WS-Fed part is complete, so we can build our own middleware?

chrisdrobison commented 7 years ago

As soon as this is done, I'm going to update the one I did until the official one is out.

On Thu, Apr 6, 2017 at 12:40 AM Dominick Baier notifications@github.com wrote:

Do you have an approx ETA for when the WS-Fed part is complete, so we can build our own middleware?

leastprivilege commented 7 years ago

great! I will help out!

kevinchalet commented 7 years ago

Do you think that would be OK?

I agree with @leastprivilege.

brentschmaltz commented 7 years ago

@leastprivilege @PinpointTownes @chrisdrobison alright, we will include Saml1. Should have an E2E in a week or so.

rtaylor72 commented 7 years ago

Any update on this since it has been a week or so? We are also waiting for this!

brentschmaltz commented 7 years ago

@rtaylor72 we are working in the WsFed topic branch. I expect to have an End to End within days: basic xmldsig, saml2 tokens and wsfedmetadata. Once the E2E is stable, we will merge into the 'dev' branch and start nightly signed builds pushed out to myget.

This will ship in the 5.2.0 milestone.

leastprivilege commented 7 years ago

..and? ;)

brentschmaltz commented 7 years ago

@leastprivilege it's moving along nicely... hit a snag with Core; we will have to drop the netstandard 1.4 target for wsfed and use core2.0 instead.

https://github.com/dotnet/corefx/issues/18682#issuecomment-296108348

leastprivilege commented 7 years ago

But full framework support is still planned? When do you merge to dev?

brentschmaltz commented 7 years ago

@leastprivilege full framework support is planned. We are currently testing against a forked version of katana. When we have that working, we will push to dev. It's close.

brentschmaltz commented 7 years ago

@leastprivilege we merged our WsFed topic branch into dev. It was a bit premature due to vacations. But justified as Katana and asp.net can start. We have a fork of Katana that we manually tested samples against here: https://github.com/lovemaths/AspNetKatana/tree/integration . So I am closing this. I expect a couple of weeks work to complete the effort. Probably end of May or Early June.

leastprivilege commented 7 years ago

Update?

brentschmaltz commented 7 years ago

The dev branch has Saml2 reading, xml enveloped signature validation, wsfed metadata (light I admit). We have successfully run against Katana, coreFx has put in a fix for C14n. We are now looking at end of June for a solid preview.

DaleMckeown commented 7 years ago

Looking forward to WS-Fed for ASP.NET core. ADFS signin is the last thing preventing me from pushing a load of new & upgraded sites.

ClintRhea commented 7 years ago

Also (patiently) waiting for ADFS in core. It's the only reason we're avoiding the move to core for new projects at the moment.

Excited to see the preview!

northof490 commented 7 years ago

Any update?

brentschmaltz commented 7 years ago

@northof490 we are moving along nicely. Our 5.2.0 drops on myget https://www.myget.org/gallery/azureadwebstacknightly have the latest.

We have the primitive support for WsFed metadata, Saml2Tokens with signature validation.

WayneCBarker commented 7 years ago

Haven't had an update in a while. What's the current status?

brentschmaltz commented 7 years ago

@northof490 @WayneCBarker We will be issuing a preview with Katana (https://github.com/aspnet/AspNetKatana/) next week using the 5.2.0 bits. These will have the same API set that asp.net Core will use. The date for Asp.net Core WsFed support has not been set yet.

Zoxive commented 7 years ago

Is there an Issue for tracking WSTrust13 support? It looks like the latest https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet/blob/dev/src/Microsoft.IdentityModel.Protocols.WsFederation/WsFederationMessage.cs#L184 only supports WsTrust2005

You can see the old one would try WSTrust13 first. https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet/blob/master/src/Microsoft.IdentityModel.Protocols.WsFederation/WsFederationMessage.cs#L170
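The difference @Zoxive points at is which WS-Trust namespace the RSTR in `wresult` is searched under. The following is an added illustration, not code from this repository: a small Python parser that, like the old `WsFederationMessage` code, tries the WS-Trust 1.3 namespace first and falls back to WS-Trust 2005, and fails closed when no single SAML assertion is found. The sample responses are constructed, not real ADFS output.

```python
import xml.etree.ElementTree as ET

# WS-Trust and SAML namespaces from the respective specifications.
WSTRUST13 = "http://docs.oasis-open.org/ws-sx/ws-trust/200512"
WSTRUST2005 = "http://schemas.xmlsoap.org/ws/2005/02/trust"
SAML11 = "urn:oasis:names:tc:SAML:1.0:assertion"
SAML2 = "urn:oasis:names:tc:SAML:2.0:assertion"
ASSERTION_TAGS = (f"{{{SAML11}}}Assertion", f"{{{SAML2}}}Assertion")


def get_token(wresult: str):
    """Return (wstrust_namespace, assertion_element) from a wresult RSTR.

    Tries WS-Trust 1.3 first, then WS-Trust 2005 (the order the old code used).
    Returns None if neither namespace carries a RequestedSecurityToken, and
    raises ValueError if a RequestedSecurityToken does not hold exactly one
    SAML 1.1 or SAML 2.0 assertion, so ambiguous input is never accepted.
    """
    root = ET.fromstring(wresult)
    for ns in (WSTRUST13, WSTRUST2005):
        # 1.3 wraps responses in RequestSecurityTokenResponseCollection,
        # 2005 sends a bare RequestSecurityTokenResponse; ".//" handles both.
        rst = root.find(f".//{{{ns}}}RequestedSecurityToken")
        if rst is None:
            continue
        assertions = [child for child in rst if child.tag in ASSERTION_TAGS]
        if len(assertions) != 1:
            raise ValueError("expected exactly one SAML assertion in RequestedSecurityToken")
        return ns, assertions[0]
    return None


# Constructed sample responses (hypothetical, not captured from an STS).
RSTR_2005 = f"""<t:RequestSecurityTokenResponse xmlns:t="{WSTRUST2005}">
  <t:RequestedSecurityToken>
    <saml:Assertion xmlns:saml="{SAML11}" AssertionID="_constructed-1"/>
  </t:RequestedSecurityToken>
</t:RequestSecurityTokenResponse>"""

RSTR_13 = f"""<trust:RequestSecurityTokenResponseCollection xmlns:trust="{WSTRUST13}">
  <trust:RequestSecurityTokenResponse>
    <trust:RequestedSecurityToken>
      <saml:Assertion xmlns:saml="{SAML2}" ID="_constructed-2"/>
    </trust:RequestedSecurityToken>
  </trust:RequestSecurityTokenResponse>
</trust:RequestSecurityTokenResponseCollection>"""
```

A parser that only knows the 2005 namespace returns None for `RSTR_13`, which is exactly the gap described in the comment above.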

brentschmaltz commented 7 years ago

@Zoxive nice we need to support both. https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet/issues/688

We are working our way through back-compat test to ensure SAML1 (4.x) == SAML1 (5.2.0), etc. We haven't gotten to WsFed yet.

For example, for Saml1 we have: https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet/issues/668

lovemaths commented 7 years ago

@Zoxive I made a PR https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet/pull/703 for WSTrust13 support, please take a look.

brentschmaltz commented 7 years ago

@leastprivilege @Zoxive @WayneCBarker @ClintRhea @northof490 closing this as we dropped Preview1 and it has been integrated into Katana and Core. We will open issues as needed.

domedellolio commented 7 years ago

@brentschmaltz It is not clear to me whether the support for WSFed/Saml has been released or not. I mean, is there a middleware available?

kevinchalet commented 7 years ago

@domedellolio the WS-Federation middleware is being ported ATM. You can track the progress here: https://github.com/aspnet/Security/tree/tratcher/wsfed. It will be released as an out-of-band package for ASP.NET Core 2.0.

domedellolio commented 7 years ago

@PinpointTownes same for SAML?

kevinchalet commented 7 years ago

@domedellolio you mean the SAML 2.0 protocol? (SAMLP)

domedellolio commented 7 years ago

Yes of course @PinpointTownes

kevinchalet commented 7 years ago

SAMLP has never been supported by Microsoft and AFAIK, there's no plan to support it in .NET Core.

domedellolio commented 7 years ago

You're right. I was looking for a way to authenticate with ADFS, hence my question. Thanks @PinpointTownes

brentschmaltz commented 7 years ago

@PinpointTownes correct, we still have no POR for SAMLP.

homam1 commented 7 years ago

Any update here, guys? Supporting WSTrust13 in ASP.Net Core?