Implementing Single sign-on in ASP.NET Web Forms with Azure AD using SAML

Last Updated: 8/10/2023

Create New ASP.NET Application

Skip this step if you have existing application

  • Open Visual Studio 2019
  • Create New Project
  • Choose ASP.NET Web Application (.Net Framework)
  • Enter Project Name: AspNetWebFormsSSO
  • Choose Framework: .Net Framework 4.7.2
  • Choose Template: Web Forms
  • Authentication : No
  • Configure for HTTP: checked
  • Run the project and copy the url. eg https://localhost:44308/

Install Nuget Packages

  • Microsoft.IdentityModel.Protocol.Extensions
  • Microsoft.Owin.Security.WSFederation
  • Microsoft.Owin.Security.Cookies
  • Microsoft.Owin.Host.SystemWeb

Add Startup Code in ASP.NET Application

  • In the App_Startfolder, create a class Startup.Auth.cs and add following code
using System;
using System.Collections.Generic;
using System.Linq;
using System.Web;


// The following using statements were added for this sample.
using Owin;
using Microsoft.Owin.Security;
using Microsoft.Owin.Security.Cookies;
using Microsoft.Owin.Security.WsFederation;
using System.Configuration;
using System.Globalization;
using System.Threading.Tasks;
using System.Diagnostics;
using System.IdentityModel.Tokens;
using Microsoft.Owin.Extensions;

namespace AspNetWebFormsSSO
{
    public partial class Startup
    {
        private static string realm = ConfigurationManager.AppSettings["ida:Wtrealm"];
        private static string adfsMetadata = ConfigurationManager.AppSettings["ida:ADFSMetadata"];

        public void ConfigureAuth(IAppBuilder app)
        {
            app.SetDefaultSignInAsAuthenticationType(CookieAuthenticationDefaults.AuthenticationType);

            app.UseCookieAuthentication(new CookieAuthenticationOptions());

            app.UseWsFederationAuthentication(
                new WsFederationAuthenticationOptions
                {
                    Wtrealm = realm,
                    MetadataAddress = adfsMetadata,
                    Wreply = "<Your website url>"
                });

            // This makes any middleware defined above this line run before the Authorization rule is applied in web.config
            app.UseStageMarker(PipelineStage.Authenticate);
        }
    }
}
  • Replace the webite url in Wreply
  • In root folder, create Startup.cs and add the following code
using Microsoft.Owin;
using Owin;
using System;
using System.Threading.Tasks;

[assembly: OwinStartup(typeof(AspNetWebFormsSSO.Startup))]

namespace AspNetWebFormsSSO
{
    public partial class Startup
    {
        public void Configuration(IAppBuilder app)
        {
            ConfigureAuth(app);
        }
    }
}

Create New Application in Azure AD

  • Open azure portal
  • Open portal menu > Azure Active Directory
  • In Manage > Enterprise Applications > New Application
  • Click create your own application
  • Name of your app: AspNetWebFormsSSO
  • Choose Integrate any other application you don't find in the gallery
  • Click Create

Create an Azure AD test user

In this section, you'll create a test user in the Azure portal called a.user

  1. From the left pane in the Azure portal, select Azure Active Directory, select Users, and then select All users.
  2. Select New user at the top of the screen.
  3. In the User properties, follow these steps:
    1. In the Name field, enter A.User.
    2. In the User name field, enter the username@primarydomainname. For example, a.user@primarydomain.
    3. Select the Show password check box, and then write down the value that's displayed in the Password box.
    4. Click Create.

Assign the Azure AD test user

In this section, you'll enable A.User to use Azure single sign-on by granting access.

  1. In the Azure portal, select Enterprise Applications, and then select All applications.
  2. In the applications list, select AspNetWebFormsSSO.
  3. In the app's overview page, find the Manage section and select Users and groups.
  4. Select Add user, then select Users and groups in the Add Assignment dialog.
  5. In the Users and groups dialog, select A.User from the Users list, then click the Select button at the bottom of the screen.
  6. If you are expecting a role to be assigned to the users, you can select it from the Select a role dropdown. If no role has been set up for this app, you see "Default Access" role selected.
  7. In the Add Assignment dialog, click the Assign button.

Enable SSO SAML in Azure AD

Follow these steps to enable Azure AD SSO in the Azure portal.

  • In the Azure portal, on the AspNetWebFormsSSO application integration page, find the Manage section and select single sign-on.
  • On the Select a single sign-on method page, select SAML.
  • Edit Basic SAML Configuration
    • Click Add Identifier (Entity ID), copy and Paste website url. eg https://localhost:44308/
    • Click Add Reply Url, copy and paste website url. eg https://localhost:44308/
    • Click Save
  • Copy the App federation Metadata url from SAML Certificates Section

Configure Website

Web.config

  • In web.config, add the following settings
<appSettings>
	<add key="ida:ADFSMetadata" value="<App Federation Metadata Url>" />
	<add key="ida:Wtrealm" value="<Your website Url>" />
</appSettings>
  • Copy and Paste the App federation Metadata url
  • Copy and Paste the website url

Site master

In Site.Master, add the following code after the navbar

<asp:LoginView runat="server" ViewStateMode="Disabled">
    <LoggedInTemplate>
        <ul class="nav navbar-nav  navbar-right">
            <li class="navbar-text">Hello, <%: Context.User.Identity.Name  %>!</li>
            <li>
                <asp:LoginStatus runat="server" LogoutAction="Redirect" LogoutText="Sign out"
                    LogoutPageUrl="~/" OnLoggingOut="Unnamed_LoggingOut" />
            </li>
        </ul>
    </LoggedInTemplate>
    <AnonymousTemplate>
        <ul class="nav navbar-nav  navbar-right">
         <li><asp:LinkButton Text="Sign in" runat="server" OnClick="Unnamed_Click" />
         </li>
        </ul>
    </AnonymousTemplate>
</asp:LoginView>
  • In Site.Master.cs, add the folowing code
protected void Unnamed_LoggingOut(object sender, LoginCancelEventArgs e)
{
    // Redirect to ~/Account/SignOut after signing out.
    string callbackUrl = Request.Url.GetLeftPart(UriPartial.Authority) + Response.ApplyAppPathModifier("~/Account/SignOut");

    HttpContext.Current.GetOwinContext().Authentication.SignOut(
        new AuthenticationProperties { RedirectUri = callbackUrl },
        WsFederationAuthenticationDefaults.AuthenticationType,
        CookieAuthenticationDefaults.AuthenticationType);
}

protected void Unnamed_Click(object sender, EventArgs e)
{
    if (!Request.IsAuthenticated)
    {
        HttpContext.Current.GetOwinContext().Authentication.Challenge(
            new AuthenticationProperties { RedirectUri = "/" },
            WsFederationAuthenticationDefaults.AuthenticationType);
    }
}

Signout

  • Create new folder Account
  • Add file Signout.aspx in Account Folder
  • Place the code in Signout.aspx
<%@ Page Title="Sign Out" Language="C#" MasterPageFile="~/Site.Master" AutoEventWireup="true" CodeBehind="SignOut.aspx.cs" Inherits="AspNetWebFormsSSO.Account.SignOut" %>
<asp:Content ID="BodyContent" ContentPlaceHolderID="MainContent" runat="server">
    <h2><%: Title %>.</h2>
    <p>You have successfully signed out.</p>
</asp:Content>
  • Place the code in Signout.aspx.cs
 protected void Page_Load(object sender, EventArgs e)
 {
     if (Request.IsAuthenticated)
     {
         // Redirect to home page if the user is authenticated.
         Response.Redirect("~/");
     }
 }

Test the Application

  • Run and test the application
  • Login using the user a.user@primarydomainname