Adding SAML11 and SAML2 Support to Katana/OWIN

Katana has pretty straightforward extensibility for adding support for token formats. It ships with built-in support for JWT (consuming) and their internal token format (consuming & producing).

By implementing ISecureDataFormat, you can add your own. The following class is a bridge from Katana to WIF’s security token handler:

using System;
using System.IdentityModel.Tokens;
using System.Linq;
using Microsoft.Owin.Security;

public class WifTokenFormat : ISecureDataFormat<AuthenticationTicket>
{
    SecurityTokenHandler _handler;

    public WifTokenFormat(SecurityTokenHandler handler)
    {
        _handler = handler;
    }

    // The bearer middleware only ever unprotects incoming tokens; issuing
    // them is the STS's job, so Protect is deliberately unsupported.
    public string Protect(AuthenticationTicket data)
    {
        throw new NotSupportedException();
    }

    public AuthenticationTicket Unprotect(string protectedText)
    {
        if (string.IsNullOrWhiteSpace(protectedText))
        {
            throw new ArgumentNullException("protectedText");
        }

        // Parse the stringified token, then let the handler check signature,
        // issuer, audience and lifetime according to its configuration.
        var token = _handler.ReadToken(protectedText);
        var identity = _handler.ValidateToken(token);

        // ValidateToken returns a ReadOnlyCollection<ClaimsIdentity>;
        // the ticket carries the first identity.
        return new AuthenticationTicket(
            identity.First(),
            new AuthenticationProperties());
    }
}

You can then plug the token format class into Katana's built-in OAuth2 bearer authentication middleware like this:

public static IAppBuilder UseTokenHandlerAuthentication(this IAppBuilder app, SecurityTokenHandler handler)
{
    var options = new OAuthBearerAuthenticationOptions
    {
        // The WIF handler becomes the format used to unprotect bearer tokens.
        AccessTokenFormat = new WifTokenFormat(handler)
    };

    app.UseOAuthBearerAuthentication(options);
    return app;
}

Since WIF supports SAML 1.1 and SAML 2 out of the box, a little syntactic sugar around the above gets you here:

public class Startup
{
    public void Configuration(IAppBuilder app)
    {
        // SAML 1.1 (helper name assumed; it is the "syntactic sugar" over UseTokenHandlerAuthentication)
        //app.UseSaml11Authentication(
        //    audience:         new Uri("urn:testrp"),
        //    issuerThumbprint: "973…5F8",
        //    issuerName:       "sts");

        // SAML 2 (helper name assumed, see above)
        app.UseSaml2Authentication(
            audience: new Uri("urn:testrp"),
            issuerThumbprint: "973…5F8",
            issuerName: "sts");

        // Web API registration follows here (not shown on the page).
    }
}
This gives you a Web API that accepts SAML 2 (or SAML 1.1) tokens. Any other WIF token handler that supports stringified tokens would work just as well, and so would any other OWIN/Katana-compatible framework. QED.
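The "syntactic sugar" used in Startup is not spelled out on the page. As an added illustration (not the post's or the sample's code), here is one way such a helper could build the handler that WifTokenFormat wraps and hand it to the UseTokenHandlerAuthentication method shown above. The class name Saml2AppBuilderExtensions and the method name UseSaml2Authentication are assumptions. The part that matters for security is the SecurityTokenHandlerConfiguration: without an audience restriction and a pinned issuer, ValidateToken would accept any well-formed, validly signed token from anyone, so those two settings are what make the middleware safe to use.

```csharp
using System;
using System.IdentityModel.Selectors;
using System.IdentityModel.Tokens;
using Owin;

// Added example: one possible shape for the helper used in Startup.
// Class and method names are assumptions, not identifiers from the post.
public static class Saml2AppBuilderExtensions
{
    public static IAppBuilder UseSaml2Authentication(
        this IAppBuilder app,
        Uri audience,
        string issuerThumbprint,
        string issuerName)
    {
        var handler = new Saml2SecurityTokenHandler
        {
            Configuration = CreateConfiguration(audience, issuerThumbprint, issuerName)
        };

        // UseTokenHandlerAuthentication and WifTokenFormat are the pieces
        // shown earlier in the post; this just wires a configured handler in.
        return app.UseTokenHandlerAuthentication(handler);
    }

    static SecurityTokenHandlerConfiguration CreateConfiguration(
        Uri audience, string issuerThumbprint, string issuerName)
    {
        var config = new SecurityTokenHandlerConfiguration();

        // Audience restriction: a token issued for a different relying party
        // is rejected even if its signature is valid.
        config.AudienceRestriction.AudienceMode = AudienceUriMode.Always;
        config.AudienceRestriction.AllowedAudienceUris.Add(audience);

        // Issuer trust: the certificate that signed the token must match the
        // pinned thumbprint, and the issuer claim is mapped to issuerName.
        var registry = new ConfigurationBasedIssuerNameRegistry();
        registry.AddTrustedIssuer(issuerThumbprint, issuerName);
        config.IssuerNameRegistry = registry;

        // Chain/peer validation of the embedded certificate is switched off
        // because the thumbprint pin above is the trust anchor. Keep the
        // default (PeerOrChainTrust) instead if the STS certificate is
        // installed in the machine's trust store.
        config.CertificateValidator = X509CertificateValidator.None;

        // Tolerate small clock differences between the STS and the API when
        // checking the token's NotBefore / NotOnOrAfter conditions.
        config.MaxClockSkew = TimeSpan.FromMinutes(5);

        return config;
    }
}
```

DetectReplayedTokens is left at its default (off) on purpose: a bearer token is presented on every request, so replay detection would reject the second call with the same token. It only makes sense for tokens that are meant to be used exactly once.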

Sample is here.

This entry was posted in IdentityModel, OWIN, WebAPI.
