SAML SP for ASP.NET installation guide - SSO

About this documentation

NOTE: Ubisecure product names were unified in autumn 2011. All products which started with term "Ubilogin" were renamed to start with term "Ubisecure". In documentation this name change is implemented retroactively, i.e., the new naming practice is used also when referring to old software versions which started with term "Ubilogin" at the time of their release.

Ubisecure SSO

This documentation describes how Ubisecure SAML Service Provider for ASP.NET (later Ubisecure SAML SP or SAML SP) is installed and configured on supported web and application servers.

Ubisecure SSO (Single Sign-On) is an access management solution that enables single sign-on user authentication using a selection of authentication methods: username and password, One-Time Passwords, smart card (or other client certificate), GSM short messages (plain text or signed), and so on.

The key functionality of Ubisecure SSO is to offer single sign-on to web applications with a selection of authentication methods to best serve the needs of the application or user level in question.

Ubisecure SSO authentication process

Ubisecure SSO product versions 3.1 and newer support the OASIS (http://www.oasis-open.org/) SAML 2.0 protocol. The trust model of Ubisecure and SAML is shown in Figure 1 below. Ubisecure Authentication Server (UAS) acts as the Identity Provider and Ubisecure SAML SP implements the Service Provider.

Figure 1. The Client authenticates to the Identity Provider (IDP), and the Service Provider (SP) trusts the assertions the IDP makes about the Client's identity

Ubisecure SAML SP for ASP.NET

Ubisecure SAML SP for ASP.NET enables the SAML 2.0 protocol based sign-on and logout process on Microsoft .NET Framework 2.0 compliant web and application servers.

For more information regarding SAML integration, please refer to /wiki/spaces/DOC/pages/43548672.

Requirements

System requirements

  • Ubisecure Server 4.x, 5.x, 6.x or later as an Identity Provider
  • Windows Server 2003 for Service Provider
    • Internet Information Services 6.0
    • Microsoft .NET Framework 2.0
  • Windows Server 2008 R2 for Service Provider
    • Internet Information Services 7.0/7.5
    • Microsoft .NET Framework 2.0, 3.5, 4.0 or 4.5
  • Windows Server 2012 for Service Provider
    • Internet Information Services 8.0/8.5
    • Microsoft .NET Framework 2.0, 3.5, 4.0 or 4.5

The system time of the SP must be continuously synchronized with the time of the IDP by using an NTP server.

For security reasons, the SAML standard specifies strict time limits on transaction processing times to prevent unauthorized use. If the clocks of the IDP and SP machines are not synchronized, authentication will fail.

  • Before beginning installation, please ensure that you have a working ASP.NET application installed and running.

Installation Checklist

Installation and configuration of the SAML SP is performed in the order given in the table below. Instructions are provided in the following pages.

Step  Task
1     Ensure all system requirements are met, clocks are synchronized and ASP.NET applications can be accessed from remote users' browsers
2     Install SAML SP for ASP.NET to the Program Files directory and the .NET application bin directory
3     Create the SAML Service Provider identity file identity.properties
4     Generate the SAML Service Provider metadata and upload the metadata to the SAML IDP
5     Get the metadata of the SAML IDP and save it on the SAML SP server
6     If necessary, get the Attribute Authority metadata of the SAML IDP and save it on the SAML SP server
7     Configure web.config for forms authentication using the ServiceProviderAuthentication module
8     Confirm that web.config is correctly configured: attempts to access resources that require authentication should be redirected to the IDP for authentication
9     Check that the SP metadata is available at the address /spsso.ashx/saml2/metadata.xml
10    Complete application integration using the IAssertionIdentity object or ASP.NET Roles, if required
11    Configure timeouts at the application, server and Web Application levels
12    Configure logout links appropriately
13    Review and test error handling process flows; check cancelled login attempts
14    Implement additional features as required using the API
15    Perform a security audit

Installing the software

Before installing Ubisecure SAML SP for ASP.NET, please make sure that the system requirements are met.

Required files

  • Ubilogin SAML SP for ASP.NET_1.3.30.zip
    • The Service Provider installer package.
  1. Unzip the file contents to the C:\Program Files\Ubisecure\Ubisecure.SAML2.ServiceProvider directory. See Figure 2.

    Figure 2. Software extracted from the zip using Windows Extract All function.

    Figure 3. Software is installed in the Program Files directory
    Installer Package Contents

    Installation Directory:
    • Windows Server 2003/2008/2012:
      • C:\Program Files\Ubisecure\Ubisecure.SAML2.ServiceProvider
    • Bin\
      • saml2.exe
        • Service Provider configuration tool
      • Service Provider executables. These files must be copied to the bin directory of any integrated ASP.NET application.
        • Ubisecure.SAML2.dll
        • Ubisecure.SAML2.Schema.dll
        • Ubisecure.SAML2.ServiceProvider.dll
        • Ubisecure.SAML2.ServiceProvider.SharePoint.dll
        • Ubisecure.Util.dll
    • Samples\
      • Configuration and integration samples.
      • Sharepoint
        • SharePoint configuration files
      • WebApplication
        • web.config for IIS6
      • WebApplication-2008
        • web.config for IIS7, IIS7.5 and IIS8
    • Docs\Ubisecure.SAML2.ServiceProvider.html
      • API documentation for Ubisecure.SAML2.ServiceProvider.dll

    Configuration Files:
    • Windows Server 2003:
      • C:\Documents and Settings\All Users\Application Data\Ubisecure\Ubisecure.SAML2.ServiceProvider
    • Windows Server 2008/2012:
      • C:\ProgramData\Ubisecure\Ubisecure.SAML2.ServiceProvider
    • The folder for Service Provider configuration files. Note that ProgramData is often hidden by default.

    Figure 4. Installed DLL files
  2. Copy the 5 DLL files from the bin directory to the bin directory of the application.
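The two installation steps above, plus the clock synchronization check from the requirements, as an added PowerShell script that is not part of the Ubisecure package. The zip name, installation directory, configuration directory and DLL names come from this guide; the download location and the application's bin path are assumed, as is that the archive holds Bin\, Samples\ and Docs\ at its root.

```powershell
# Added example, not Ubisecure's own installer. Installs the SP package into
# Program Files and copies the five DLLs into an application's bin directory,
# verifying each copy. $Zip and $AppBin are assumed paths; adjust as needed.
param(
    [string]$Zip     = "C:\Install\Ubilogin SAML SP for ASP.NET_1.3.30.zip",   # assumed download path
    [string]$Install = "C:\Program Files\Ubisecure\Ubisecure.SAML2.ServiceProvider",
    [string]$Config  = "C:\ProgramData\Ubisecure\Ubisecure.SAML2.ServiceProvider",
    [string]$AppBin  = "C:\inetpub\wwwroot\MyApp\bin"                           # assumed application bin
)
$ErrorActionPreference = "Stop"

# Requirement check: SAML time limits make an unsynchronized clock an authentication failure.
# w32tm fails if the Windows Time service is not running; a "Local CMOS Clock" source
# means the clock is not taking time from an NTP server at all.
$status = & w32tm /query /status 2>&1
if ($LASTEXITCODE -ne 0) { throw "Windows Time service not available: $status" }
if ($status -match 'Local CMOS Clock') {
    Write-Warning "Clock is not NTP-synchronized; configure an NTP source before testing SSO."
}

# Step 1: extract the package into the installation directory and create the
# configuration folder under ProgramData (hidden by default in Explorer).
New-Item -ItemType Directory -Path $Install, $Config -Force | Out-Null
Expand-Archive -LiteralPath $Zip -DestinationPath $Install -Force

# Step 2: copy the five Service Provider DLLs from Bin\ into the application's bin.
$dlls = "Ubisecure.SAML2.dll",
        "Ubisecure.SAML2.Schema.dll",
        "Ubisecure.SAML2.ServiceProvider.dll",
        "Ubisecure.SAML2.ServiceProvider.SharePoint.dll",
        "Ubisecure.Util.dll"
New-Item -ItemType Directory -Path $AppBin -Force | Out-Null
foreach ($dll in $dlls) {
    $src = Join-Path (Join-Path $Install "Bin") $dll
    $dst = Join-Path $AppBin $dll
    Copy-Item -LiteralPath $src -Destination $dst -Force
    # Compare hashes so a partial or stale copy is caught before the application loads it.
    $srcHash = (Get-FileHash -LiteralPath $src -Algorithm SHA256).Hash
    $dstHash = (Get-FileHash -LiteralPath $dst -Algorithm SHA256).Hash
    if ($srcHash -ne $dstHash) { throw "Copy of $dll to $AppBin failed verification" }
}
Write-Host "Installed $($dlls.Count) DLLs into $AppBin; configuration directory is $Config"
```

Expand-Archive requires PowerShell 5.0 or later; on older hosts, extract the zip with Windows Explorer as in Figure 2 and run only the copy loop.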