Over a million developers have joined DZone.

SAML2 for Thinktecture IdentityServer 3 with Kentor.AuthServices

DZone's Guide to

SAML2 for Thinktecture IdentityServer 3 with Kentor.AuthServices

· ·
Free Resource

Using the Kentor.AuthServices SAML2 Service Provider with Thinktecture IdentityServer 3 bridges the gap between SAML2 and OAuth2/OpenID Connect. Thinktecture IdentityServer 3 support clients using the modern OAuth2 and OpenID Connect protocols. It can either have a local account database through e.g. ASP.NET Identity, or use external authentication services. By registering Kentor.AuthServices with IdentityServer, IdentityServer can authenticate to a SAML2 Idp.

I know that SAML2 is often regarded as legacy, but the truth is that there is still vast amounts of infrastructure out there that supports SAML2, but has not yet taken the leap to OpenID Connect. When the client applications prefer modern standards, a bridge between them is needed. With Kentor.AuthServices, Thinktecture IdentityServer can be that bridge.

Get It Running

To add SAML2 to IdentityServier, changes are needed in three places: Installing theKentor.AuthServices.Owin package, alter the startup configuration method for IdentityServer and add two lines to the web/app.config file.

IdentityServer configures external authentication in a callback method, which is registered inIdentityServerOptions.AuthenticationOptions.IdentityProviders. In that method, additional owin middleware to use for authentication can be used. Kentor.AuthServices is registered in the same way as the owin middleware is registered in any other owin application. In this example (with Kentor.AuthServices 0.12.0) everything is done in code, but using the web/app.config is also supported. Change the options constructor parameter to true to load the config from file.

var authServicesOptions = new KentorAuthServicesAuthenticationOptions(false)
SPOptions = new SPOptions
EntityId = new EntityId("http://sp.example.com")

SignInAsAuthenticationType = signInAsType,
AuthenticationType = "saml2p",
Caption = "SAML2p",

authServicesOptions.IdentityProviders.Add(new IdentityProvider(
new EntityId("http://stubidp.kentor.se/Metadata"),
LoadMetadata = true,


For the web/app.config, there must be a <System.identityModel&gt section. It might be empty, but it has to be there.

First register the section.

<section name="system.identityModel" type="System.IdentityModel.Configuration.SystemIdentityModelSection, System.IdentityModel, Version=, Culture=neutral, PublicKeyToken=B77A5C561934E089" />

Then add an empty section.


With these changes, IdentityServer will offer SAML2p as an external authentication type, redirecting to the AuthServices Stub Idp. As it allows the user to enter any name id, I wouldn’t recommend using it in production code…

No Discovery Service (yet)

There is unfortunately one limitation for this setup: Discovery Service won’t work. This is due to AuthServices not handling owin authentication state across the redirect to the discovery service. It is on the todo list (#182), but until it is fixed it simply won’t work.


Published at DZone with permission of

Opinions expressed by DZone contributors are their own.

{{ parent.title || parent.header.title}}

{{ parent.tldr }}

{{ parent.urlSource.name }}