Adding SAML11 and SAML2 Support to Katana/OWIN

Katana has pretty straightforward extensibility for adding support for token formats. It ships with built-in support for JWT (consuming) and for its own internal token format (consuming and producing).

By implementing ISecureDataFormat<AuthenticationTicket>, you can add your own. The following class bridges Katana to a WIF security token handler: Katana hands it the raw bearer token string, and the WIF handler parses and validates it.

using System;
using System.IdentityModel.Tokens;
using System.Linq;
using Microsoft.Owin.Security;

public class WifTokenFormat : ISecureDataFormat<AuthenticationTicket>
{
    SecurityTokenHandler _handler;

    public WifTokenFormat(SecurityTokenHandler handler)
    {
        _handler = handler;
    }

    // This format only consumes tokens issued elsewhere; it never produces them.
    public string Protect(AuthenticationTicket data)
    {
        throw new NotSupportedException();
    }

    public AuthenticationTicket Unprotect(string protectedText)
    {
        if (string.IsNullOrWhiteSpace(protectedText))
        {
            throw new ArgumentNullException("protectedText");
        }

        // The WIF handler parses the string form of the token and validates it
        // (signature, issuer, audience, lifetime) according to its configuration.
        var token = _handler.ReadToken(protectedText);
        var identity = _handler.ValidateToken(token);

        return new AuthenticationTicket(
            identity.First(),
            new AuthenticationProperties());
    }
}

 

You can then plug the token format class into Katana's built-in OAuth2 bearer authentication middleware like this:

using System.IdentityModel.Tokens;
using Microsoft.Owin.Security.OAuth;
using Owin;

public static class TokenHandlerAuthenticationExtensions
{
    public static IAppBuilder UseTokenHandlerAuthentication(this IAppBuilder app, SecurityTokenHandler handler)
    {
        var options = new OAuthBearerAuthenticationOptions
        {
            // The bearer middleware extracts the token from the Authorization header;
            // our format delegates parsing and validation to the WIF handler.
            AccessTokenFormat = new WifTokenFormat(handler)
        };

        app.UseOAuthBearerAuthentication(options);

        return app;
    }
}

 

Since WIF supports SAML 1.1 and SAML 2 out of the box, a little syntactic sugar on top of that extension method gets you here:

using System;
using Owin;

public class Startup
{
    public void Configuration(IAppBuilder app)
    {
        //app.UseSaml11BearerAuthentication(
        //    audience:         new Uri("urn:testrp"),
        //    issuerThumbprint: "973…5F8",
        //    issuerName:       "sts");

        app.UseSaml2BearerAuthentication(
            audience: new Uri("urn:testrp"),
            issuerThumbprint: "973…5F8",
            issuerName: "sts");

        app.UseWebApi(WebApiConfig.Register());
    }
}

 

The result is a Web API that accepts SAML 2 (or SAML 1.1) bearer tokens. Any other WIF token handler that supports string-serialized tokens works the same way, and so does any other OWIN/Katana compatible framework. QED.
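The post does not show the UseSaml2BearerAuthentication / UseSaml11BearerAuthentication extension methods themselves. The following is an added example of how that sugar can be written, not the post's sample code: it assumes the UseTokenHandlerAuthentication extension above is in scope, and the class and method names, as well as the optional certificateValidator parameter, are my own choices. The interesting part from a security standpoint is the handler configuration: the issuer name registry pins the signing certificate by thumbprint (a token signed by any other certificate is rejected by ValidateToken), and the audience restriction stops a token minted for another relying party from being accepted here.

```csharp
using System;
using System.IdentityModel.Configuration;
using System.IdentityModel.Selectors;
using System.IdentityModel.Tokens;
using Owin;

// Added example (not the post's code): configure a WIF SAML handler and
// hand it to the UseTokenHandlerAuthentication extension shown in the post.
public static class SamlBearerAuthenticationExtensions
{
    public static IAppBuilder UseSaml2BearerAuthentication(this IAppBuilder app,
        Uri audience, string issuerThumbprint, string issuerName,
        X509CertificateValidator certificateValidator = null)
    {
        var handler = new Saml2SecurityTokenHandler();
        return UseWifBearerAuthentication(app, handler, audience, issuerThumbprint, issuerName, certificateValidator);
    }

    public static IAppBuilder UseSaml11BearerAuthentication(this IAppBuilder app,
        Uri audience, string issuerThumbprint, string issuerName,
        X509CertificateValidator certificateValidator = null)
    {
        var handler = new SamlSecurityTokenHandler();
        return UseWifBearerAuthentication(app, handler, audience, issuerThumbprint, issuerName, certificateValidator);
    }

    // Hypothetical helper name; shared by both SAML flavours.
    static IAppBuilder UseWifBearerAuthentication(IAppBuilder app, SecurityTokenHandler handler,
        Uri audience, string issuerThumbprint, string issuerName,
        X509CertificateValidator certificateValidator)
    {
        if (audience == null) throw new ArgumentNullException("audience");
        if (string.IsNullOrWhiteSpace(issuerThumbprint)) throw new ArgumentNullException("issuerThumbprint");
        if (string.IsNullOrWhiteSpace(issuerName)) throw new ArgumentNullException("issuerName");

        // Only tokens signed with the certificate that has this thumbprint map to a
        // known issuer name; ValidateToken fails for every other signing certificate.
        var issuers = new ConfigurationBasedIssuerNameRegistry();
        issuers.AddTrustedIssuer(issuerThumbprint, issuerName);

        var configuration = new SecurityTokenHandlerConfiguration
        {
            IssuerNameRegistry = issuers
        };

        // Require an audience and accept only tokens issued for this relying party.
        configuration.AudienceRestriction.AudienceMode = AudienceUriMode.Always;
        configuration.AudienceRestriction.AllowedAudienceUris.Add(audience);

        // Leave WIF's default X.509 validation in place unless the caller overrides it
        // (e.g. for a test STS whose signing certificate is not chain-trusted).
        if (certificateValidator != null)
        {
            configuration.CertificateValidator = certificateValidator;
        }

        handler.Configuration = configuration;
        return app.UseTokenHandlerAuthentication(handler);
    }
}
```

With this in place the Startup class above compiles as written. If you relax the certificate validator for a test STS, the thumbprint registry is the only thing tying the token to your issuer, so the thumbprint passed in must be the one of the STS signing certificate and nothing broader.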

Sample is here.

This entry was posted in IdentityModel, OWIN, WebAPI.
