by quickthrower2 2538 days ago
I rolled my own at work based on https://github.com/displayr/AspNetSaml which I forked from https://github.com/jitbit/AspNetSaml

There is a PR to make it work with .NET core at the moment.

Once you understand the protocol it's a case of storing some fields relating to the IdP in your database, for each tenant. Redirect to the IdP website and they'll redirect back to you and post a signed XML doc to say Joe is authenticated and belongs to these groups.

1 comments

I gave this code a quick skim and it seems reasonably well thought out and I wish I'd seen it before I rolled my own at work. There are numerous security flaws that one can accidentally introduce with SAML and it seems you've avoided the obvious ones at the very least (i.e. not checking there's only a single assertion, etc).

Just in case you weren't aware of it, I found this page very helpful when developing mine: https://github.com/OWASP/CheatSheetSeries/blob/master/cheats...

Thanks. I can’t take too much credit: Jitbit did most of that work, I added some integration testing and added a couple of methods.
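As an added example (not code from AspNetSaml, the fork, or either commenter), here is what the per-tenant flow described above and the "only a single assertion" point in the reply look like as code: the SP-side checks that run on the posted Response once its XML signature has been verified. Signature verification itself is assumed to have been done first with an XML-DSig library; the example deliberately does not reimplement it. Tenant record shape (`TenantIdp`), the sample IdP/SP URLs, the request ID `_req1`, the user and the `groups` attribute name are all hypothetical. Python is used so the checks are readable on their own rather than tied to the ASP.NET plumbing.

```python
"""Structural checks on a SAML 2.0 Response *after* XML-DSig verification.
Added example, not AspNetSaml code. A valid signature only proves the IdP
signed something; these checks prove it signed the right thing for us."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"


@dataclass
class TenantIdp:
    """Per-tenant IdP record as stored in the SP database (hypothetical shape)."""
    idp_entity_id: str   # expected <saml:Issuer>
    sp_entity_id: str    # our own entity ID, expected <saml:Audience>
    acs_url: str         # expected Destination / Recipient


class SamlError(ValueError):
    pass


def _ts(value):
    # SAML timestamps are UTC with a trailing "Z"; older fromisoformat rejects "Z".
    return datetime.fromisoformat(value.replace("Z", "+00:00")) if value else None


def validate_response(xml_text, idp, request_id, now, skew=timedelta(seconds=120)):
    """Return (name_id, groups) or raise SamlError. `now` is injected for testing."""
    root = ET.fromstring(xml_text)  # use a hardened parser (e.g. defusedxml) in production
    if root.tag != f"{{{NS['samlp']}}}Response":
        raise SamlError("not a samlp:Response")
    if root.get("Destination") != idp.acs_url:
        raise SamlError("Destination mismatch")
    if root.get("InResponseTo") != request_id:
        raise SamlError("InResponseTo does not match the AuthnRequest we issued")
    code = root.find("samlp:Status/samlp:StatusCode", NS)
    if code is None or code.get("Value") != SUCCESS:
        raise SamlError("status is not Success")
    # Count Assertion elements anywhere in the tree, not just direct children:
    # signature wrapping hides a second, unsigned assertion in Extensions/Object/etc.
    assertions = list(root.iter(f"{{{NS['saml']}}}Assertion"))
    if len(assertions) != 1:
        raise SamlError(f"expected exactly one Assertion, found {len(assertions)}")
    a = assertions[0]
    if not any(child is a for child in root):
        raise SamlError("Assertion is not a direct child of Response")
    if a.findtext("saml:Issuer", namespaces=NS) != idp.idp_entity_id:
        raise SamlError("Issuer is not this tenant's IdP")
    cond = a.find("saml:Conditions", NS)
    if cond is None:
        raise SamlError("missing Conditions")
    nb, noa = _ts(cond.get("NotBefore")), _ts(cond.get("NotOnOrAfter"))
    if nb is not None and now + skew < nb:
        raise SamlError("assertion not yet valid")
    if noa is not None and now - skew >= noa:
        raise SamlError("assertion expired")
    audiences = [e.text for e in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if idp.sp_entity_id not in audiences:
        raise SamlError("we are not in the AudienceRestriction")
    scd = a.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if scd is None or scd.get("InResponseTo") != request_id or scd.get("Recipient") != idp.acs_url:
        raise SamlError("SubjectConfirmationData does not bind this assertion to our request")
    name_id = a.findtext("saml:Subject/saml:NameID", namespaces=NS)
    if not name_id:
        raise SamlError("missing NameID")
    groups = [v.text for v in a.findall(
        "saml:AttributeStatement/saml:Attribute[@Name='groups']/saml:AttributeValue", NS)]
    return name_id, groups


def rejection_reason(xml_text, idp, request_id, now):
    """None if the response is accepted, otherwise the reason it was rejected."""
    try:
        validate_response(xml_text, idp, request_id, now)
        return None
    except SamlError as e:
        return str(e)


# Constructed sample data (hypothetical tenant, IdP and user), not a real capture.
TENANT_A = TenantIdp("https://idp.tenant-a.example", "https://sp.example/metadata",
                     "https://sp.example/saml/acs")
TENANT_B = TenantIdp("https://idp.tenant-b.example", TENANT_A.sp_entity_id, TENANT_A.acs_url)
NOW = datetime(2024, 5, 1, 12, 1, tzinfo=timezone.utc)
LATER = NOW + timedelta(minutes=10)
GOOD = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
 xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0"
 Destination="https://sp.example/saml/acs" InResponseTo="_req1">
 <saml:Issuer>https://idp.tenant-a.example</saml:Issuer>
 <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
 <saml:Assertion ID="_a1" Version="2.0">
  <saml:Issuer>https://idp.tenant-a.example</saml:Issuer>
  <saml:Subject><saml:NameID>joe@tenant-a.example</saml:NameID>
   <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
    <saml:SubjectConfirmationData InResponseTo="_req1" Recipient="https://sp.example/saml/acs"/>
   </saml:SubjectConfirmation></saml:Subject>
  <saml:Conditions NotBefore="2024-05-01T12:00:00Z" NotOnOrAfter="2024-05-01T12:05:00Z">
   <saml:AudienceRestriction><saml:Audience>https://sp.example/metadata</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AttributeStatement><saml:Attribute Name="groups">
   <saml:AttributeValue>admins</saml:AttributeValue><saml:AttributeValue>devs</saml:AttributeValue>
  </saml:Attribute></saml:AttributeStatement>
 </saml:Assertion>
</samlp:Response>"""
# Wrapping variant: a second assertion smuggled into samlp:Extensions, outside the signed one.
WRAPPED = GOOD.replace("<samlp:Status>", '<samlp:Extensions><saml:Assertion ID="_evil">'
                       "<saml:Subject><saml:NameID>admin@tenant-a.example</saml:NameID></saml:Subject>"
                       "</saml:Assertion></samlp:Extensions><samlp:Status>", 1)

if __name__ == "__main__":
    print(validate_response(GOOD, TENANT_A, "_req1", NOW))
    print(rejection_reason(WRAPPED, TENANT_A, "_req1", NOW))
```

The order matters: the assertion count and direct-child check come before anything is read out of the assertion, so the wrapped document is refused before its injected NameID is ever looked at. The tenant lookup (which `TenantIdp` row to validate against) must be keyed from something you control, such as the URL the ACS endpoint was reached on or the relay state you issued, not from the Issuer inside the posted document.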