ITfoxtec.Identity.Saml2 is an open-source SAML 2.0 / SAML-P library for .NET applications that need to act as a Service Provider (SP), Relying Party (RP), or Identity Provider (IdP).
The package is maintained by FoxIDs. The ITfoxtec name remains in the package and namespaces for compatibility with existing integrations.
- SAML 2.0 login, logout, single logout, and metadata.
- SP-initiated and IdP-initiated sign-on.
- Message signing, signature validation, and encrypted assertions.
- Redirect Binding, POST Binding, Artifact Binding, and SOAP support.
- Authn Request, Authn Response, Logout Request, and Logout Response handling.
- Signing and encryption certificates, including Azure Key Vault scenarios.
- RSA SHA1, SHA256, SHA384, SHA512, and RSA-PSS SHA256 message signing.
- ECDSA SHA256, SHA384, and SHA512 signing and signature validation on supported modern .NET targets.
- Signature algorithm and XML canonicalization validation allowlists for accepting multiple incoming signing profiles.
- Configurable assertion encryption with AES-CBC, AES-GCM, RSA key transport, and XML Encryption 1.1 RSA-OAEP support.
- Tested interoperability with Microsoft Entra ID (Azure AD), AD FS, Azure AD B2C, Danish NemLog-in3 (MitID), Danish Context Handler (Faelleskommunal Adgangsstyring), and other IdPs and RPs.
| Package | Purpose |
|---|---|
| ITfoxtec.Identity.Saml2 | Core SAML 2.0 protocol implementation. |
| ITfoxtec.Identity.Saml2.MvcCore | ASP.NET Core MVC integration helpers. |
| ITfoxtec.Identity.Saml2.Mvc | ASP.NET MVC 5 integration helpers for .NET Framework. |
- .NET 10.0
- .NET 9.0
- .NET 8.0
- .NET 7.0
- .NET 6.0
- .NET Standard 2.1
- .NET Framework 4.6.2 and 4.8
Install the core package:

```
dotnet add package ITfoxtec.Identity.Saml2
```

For ASP.NET Core MVC applications, install:

```
dotnet add package ITfoxtec.Identity.Saml2.MvcCore
```

For ASP.NET MVC 5 applications, install:

```
Install-Package ITfoxtec.Identity.Saml2.Mvc
```

Start with the project page, test samples, and the ASP.NET Core sample TestWebAppCore.
Restore and build the solution:

```
dotnet restore ITfoxtec.Identity.Saml2.sln
dotnet build ITfoxtec.Identity.Saml2.sln -c Release
```

Run the unit tests:

```
dotnet test UnitTest/ITfoxtec.Identity.Saml2.Tests/ITfoxtec.Identity.Saml2.Tests.csproj
```

Run the ASP.NET Core sample application:

```
dotnet run --project test/TestWebAppCore/TestWebAppCore.csproj
```

Use ITfoxtec.Identity.Saml2 when you need to implement SAML 2.0 directly in your .NET or ASP.NET application.
If your application already supports OpenID Connect or WS-Federation, FoxIDs can be the cleaner integration point. FoxIDs handles the SAML 2.0 connection to the external identity provider or relying party, while the application continues to use the protocol it already supports. This can avoid adding another federation protocol implementation to the application.
Consider FoxIDs when you need:
- A SAML 2.0 to OpenID Connect bridge, or SAML 2.0 to WS-Federation bridge.
- SAML 2.0 integration without changing an application that already supports OpenID Connect or WS-Federation.
- Hosted or self-hosted federation infrastructure across SAML 2.0, OpenID Connect, OAuth 2.0, and WS-Federation.
- A place to operate protocol translation, certificates, metadata, and partner-specific federation configuration outside the application code.
- Architecture guidance or implementation support for SAML 2.0 migrations and complex federation setups.
FoxIDs uses ITfoxtec.Identity.Saml2 for SAML 2.0 protocol handling. The library and FoxIDs are complementary: use the package when SAML 2.0 belongs in your application, and use FoxIDs when SAML 2.0 is better handled as an external identity bridge or federation service.
Use GitHub issues for bugs and feature requests. For implementation questions, use Stack Overflow with the itfoxtec-identity-saml2 tag.
Implementation help, architecture guidance, and custom samples are available from FoxIDs by contacting anders@foxids.com.
This project is released under the BSD-3-Clause license.