Copied to clipboard

Flag this post as spam?

This post will be reported to the moderators as potential spam to be looked at

  • Jacob Polden 67 posts 177 karma points
    Jan 31, 2014 @ 15:33
    Jacob Polden

    SAML and Umbraco

    Hi guys!


    We have just start work on an Umbraco 6 project that requires us to use SAML protocol to interface with a security provider. After having a brief Googling session there doesn't seem to be any kind of recent work with Umbraco using a SAML based membership provider. If anyone reading this knows of any projects or good examples of SAML and Umbraco implementation - if you could post your info that would be super!


    The only real Umbraco and SAML thing I have found so far:





  • Jacob Polden 67 posts 177 karma points
    Jan 31, 2014 @ 15:33
    Jacob Polden

    Didn't mean to post twice! (sorry!)

  • Matt Taylor 863 posts 2066 karma points
    Apr 23, 2014 @ 12:08
    Matt Taylor

    Hi Jacob,

    Did you find any resources?


  • Søren Mastrup 121 posts 555 karma points c-trib
    Aug 03, 2015 @ 10:50
    Søren Mastrup

    Did any find a solution to this?

  • Matt Taylor 863 posts 2066 karma points
    Aug 04, 2015 @ 08:03
    Matt Taylor

    Not me as my project didn't go ahead.

  • Jacob Polden 67 posts 177 karma points
    Aug 04, 2015 @ 08:12
    Jacob Polden

    We did get SAML working with Umbraco. Basically involved us writing our own membership provider. Any specifics you want to ask about?

  • Søren Mastrup 121 posts 555 karma points c-trib
    Aug 04, 2015 @ 08:17
    Søren Mastrup

    I am currently getting this exception: "System.ServiceModel.FaultException: ID3082: The request scope is not valid or is unsupported."

    I can't figure out how to solve this exception - The code I use is pasted in below.

    @inherits Umbraco.Web.Mvc.UmbracoTemplatePage
    @using System
    @using System.Text
    @using System.Net
    @using System.Net.Http
    @using System.Net.Http.Headers
    @using System.ServiceModel
    @using System.ServiceModel.Channels
    @using System.Security.Cryptography.X509Certificates
    @using System.IdentityModel
    @using System.IdentityModel.Tokens
    @using System.ServiceModel.Security
    @using System.IdentityModel.Protocols.WSFederation
    @using System.IdentityModel.Protocols.WSTrust
    @using Thinktecture.IdentityModel
    @using Thinktecture.IdentityModel.Http
    @using Thinktecture.IdentityModel.Extensions
    @using Thinktecture.IdentityModel.Constants
    @using Thinktecture.IdentityModel.Metadata
    @using Thinktecture.IdentityModel.Tokens
    @using Thinktecture.IdentityModel.WSTrust
        Layout = null;
        const string adfs = ""; 
        const string serviceIdentifier = "";
        const string serviceAccountUsername = "USERNAME";
        const string serviceAccountPassword = "PASSWORD";
        var tokenXml = GetSecurityToken(
            string.Format("https://{0}/adfs/services/trust/13/usernamemixed", adfs),
        var authorizationHeaderPayload = DeflatedSamlEncode(tokenXml);
        using (var client = new HttpClient()){
            client.DefaultRequestHeaders.Authorization = new AuthenticationHeaderValue("Bearer",authorizationHeaderPayload);
            var result = client.GetAsync("").Result;
            // work with result from service
        public static string GetSecurityToken(string wsTrustEndpoint, string identifier, string serviceAccountUsername, string serviceAccountPassword){
            WSTrustChannelFactory factory = new WSTrustChannelFactory(new UserNameWSTrustBinding(SecurityMode.TransportWithMessageCredential), wsTrustEndpoint);
            factory.TrustVersion = TrustVersion.WSTrust13;
            factory.Credentials.ServiceCertificate.Authentication.CertificateValidationMode = X509CertificateValidationMode.None;
            factory.Credentials.ServiceCertificate.Authentication.RevocationMode = X509RevocationMode.NoCheck;
            factory.Credentials.UserName.UserName = serviceAccountUsername;
            factory.Credentials.UserName.Password = serviceAccountPassword;
            var rst = new RequestSecurityToken {
                RequestType = WSTrust13Constants.RequestTypes.Issue,
                AppliesTo = new EndpointReference(identifier),
                KeyType = WSTrust13Constants.KeyTypes.Bearer,
            var channel = factory.CreateChannel();
            GenericXmlSecurityToken token = (GenericXmlSecurityToken)channel.Issue(rst);
            return token.TokenXml.OuterXml;
        public static string DeflatedSamlEncode(string token){
            var bytes = Encoding.UTF8.GetBytes(token);
            var deflatedBytes = new DeflateCookieTransform().Encode(bytes);
            var base64String = Convert.ToBase64String(deflatedBytes);
            var urlEncodedString = HttpUtility.UrlEncode(base64String);
            return urlEncodedString;
            return bytes.ToString();
  • Jacob Polden 67 posts 177 karma points
    Aug 04, 2015 @ 10:20
    Jacob Polden

    Is there any particular reason you are doing this logic in the view? This looks like it should be further up in the request pipeline.

  • Søren Mastrup 121 posts 555 karma points c-trib
    Aug 04, 2015 @ 11:10
    Søren Mastrup

    No not really - It's just a quick and dirty test!

    Got it to work though! There was an issue on the identity provider server.

  • Jacob Polden 67 posts 177 karma points
    Aug 04, 2015 @ 13:55
    Jacob Polden

    Yeah that's something we experienced with our client. A lot of the issues came from the configuration setup of the providing server.

  • Francisco Lino U. Ano 4 posts 74 karma points
    May 30, 2016 @ 10:52
    Francisco Lino U. Ano

    Hi guys,

    is the code coming from this link: still applicable to umbraco 7.3 or later?


Please Sign in or register to post replies

Write your reply to: