Overview

SAML for ASP.NET Core enables ASP.NET Core applications to act as either a SAML v2.0 service provider (SP) or identity provider (IdP).

When acting as a service provider, it allows users to authenticate using an external identity provider such as Entra ID (Azure AD), Okta, ADFS, or any other SAML-compliant provider.

It provides a complete implementation of the SAML protocol, handling message creation, transport, validation, and security enforcement, while integrating cleanly with the ASP.NET Core authentication and authorization pipeline.

What Problem This Solves

SAML is widely used in enterprise environments to provide single sign-on (SSO), centralized identity management, and federation between organizations.

Implementing SAML correctly involves careful handling of:

  • XML signatures and encryption
  • Replay protection and time validation
  • Interoperability differences between SAML providers

SAML for ASP.NET Core abstracts those complexities, allowing ASP.NET Core applications to add standards-compliant SAML SSO without implementing the protocol directly.

Supported Scenarios

SAML for ASP.NET Core supports all the common SAML scenarios, including:

  • SP-initiated SSO

  • IdP-initiated SSO

  • Single Logout (SLO)

  • SAML metadata generation and consumption

  • Multiple partner SAML providers

These features allow SAML for ASP.NET Core to be used both in simple single-partner deployments and in more advanced multi-tenant or federated environments.

Platform and Hosting Support

SAML for ASP.NET Core is designed specifically for ASP.NET Core applications and supports:

  • ASP.NET Core running on supported .NET runtimes

  • Hosting on IIS, Azure App Service, and containerized environments

  • Deployment on Windows and Linux

Security Responsibilities

SAML for ASP.NET Core enforces all protocol-level security requirements, including:

  • Validation of XML signatures and certificates

  • Audience, issuer, and destination validation

  • Assertion lifetime and clock skew enforcement

  • Protection against replay attacks

Application-level responsibilities such as authorization, role management, user provisioning, and session lifetime remain under the control of the host application.
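As an added illustration of what those protocol-level checks amount to in practice (this is not code from SAML for ASP.NET Core, whose own API is not shown on this page), the following C# validates a parsed SAML 2.0 Assertion's issuer, lifetime with clock skew, audience restriction and replay status. It assumes the XML signature has already been verified, and it uses an in-memory replay cache; the expected issuer and audience values are supplied by the caller.

```csharp
using System;
using System.Collections.Generic;
using System.Globalization;
using System.Xml;

// Illustrative checker for the assertion-level conditions a SAML SP must enforce.
// Assumes the assertion's XML signature was verified successfully before this runs.
public sealed class AssertionConditionsChecker
{
    const string Saml = "urn:oasis:names:tc:SAML:2.0:assertion";
    readonly TimeSpan _clockSkew;
    readonly string _expectedAudience;
    readonly string _expectedIssuer;
    // Replay cache: assertion IDs accepted so far. In a scaled-out SP this must be shared storage.
    readonly HashSet<string> _seenAssertionIds = new();

    public AssertionConditionsChecker(string expectedIssuer, string expectedAudience, TimeSpan clockSkew)
        => (_expectedIssuer, _expectedAudience, _clockSkew) = (expectedIssuer, expectedAudience, clockSkew);

    // Returns null when the assertion is acceptable, otherwise the reason it was rejected.
    public string? Validate(string assertionXml, DateTime utcNow)
    {
        var doc = new XmlDocument { XmlResolver = null }; // never resolve external entities in inbound XML
        doc.LoadXml(assertionXml);
        var ns = new XmlNamespaceManager(doc.NameTable);
        ns.AddNamespace("saml", Saml);
        var assertion = doc.DocumentElement!;
        var id = assertion.GetAttribute("ID");
        if (string.IsNullOrEmpty(id)) return "assertion has no ID";
        if (assertion.SelectSingleNode("saml:Issuer", ns)?.InnerText.Trim() != _expectedIssuer) return "unexpected issuer";
        if (assertion.SelectSingleNode("saml:Conditions", ns) is not XmlElement conditions) return "missing Conditions";
        // Lifetime: tolerate the configured skew on both bounds to absorb IdP/SP clock drift.
        if (TryParseUtc(conditions.GetAttribute("NotBefore"), out var notBefore) && utcNow < notBefore - _clockSkew) return "assertion not yet valid";
        if (TryParseUtc(conditions.GetAttribute("NotOnOrAfter"), out var notOnOrAfter) && utcNow >= notOnOrAfter + _clockSkew) return "assertion expired";
        // Audience: the assertion must name this SP; an assertion issued for another SP is rejected.
        var audienceOk = false;
        foreach (XmlNode a in conditions.SelectNodes("saml:AudienceRestriction/saml:Audience", ns)!) audienceOk |= a.InnerText.Trim() == _expectedAudience;
        if (!audienceOk) return "audience does not match this SP";
        // Replay: each assertion ID is accepted at most once within its validity window.
        if (!_seenAssertionIds.Add(id)) return "assertion replayed";
        return null;
    }

    static bool TryParseUtc(string value, out DateTime utc) =>
        DateTime.TryParse(value, CultureInfo.InvariantCulture, DateTimeStyles.AdjustToUniversal | DateTimeStyles.AssumeUniversal, out utc);
}
```

Treat any non-null result as a hard rejection; in production, evict cached IDs once NotOnOrAfter plus the skew has passed so the replay cache stays bounded.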