IIS Service Provider Module · Free forever

Protect any IIS app. Zero code changes.

A native IIS HTTP module that intercepts requests, validates SAML tokens, and injects claims before the request reaches your application code. Installed via MSI, configured in minutes, free on every server and every site.

web.config — protected site
<!-- No application code changes required -->
<system.webServer>
  <modules>
    <!-- With preCondition="managedHandler", IIS runs the module only for
         requests mapped to a managed handler. -->
    <add name="NotentraSP"
      type="Notentra.SP.IIS.SamlModule, Notentra.SP.IIS"
      preCondition="managedHandler" />
  </modules>
</system.webServer>

<!-- Identity arrives as request headers:
       X-Notentra-Upn
       X-Notentra-Email
       X-Notentra-Groups
     No domain join. No reverse proxy. -->
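
For an application that reads the injected headers, the following is an added example (not Notentra code) that turns them into a `ClaimsPrincipal` and refuses to build an identity when the UPN header is missing, empty, or ambiguous. The header names are the ones listed above; the class name is hypothetical and the `;` group separator is an assumption, since the page does not state the header format.

```csharp
// Added example, not part of the Notentra product.
// Assumption: groups arrive as one ';'-separated header value.
using System;
using System.Collections.Specialized;
using System.Security.Claims;

public static class NotentraHeaderIdentity   // hypothetical helper name
{
    const string UpnHeader = "X-Notentra-Upn";
    const string EmailHeader = "X-Notentra-Email";
    const string GroupsHeader = "X-Notentra-Groups";

    // Returns null (caller must deny the request) unless exactly one
    // non-empty, comma-free UPN value is present.
    public static ClaimsPrincipal FromHeaders(NameValueCollection headers)
    {
        string upn = Single(headers, UpnHeader, false);
        if (upn == null) return null;

        var identity = new ClaimsIdentity("NotentraSP", ClaimTypes.Upn, ClaimTypes.Role);
        identity.AddClaim(new Claim(ClaimTypes.Upn, upn));

        string email = Single(headers, EmailHeader, false);
        if (email != null) identity.AddClaim(new Claim(ClaimTypes.Email, email));

        // Group names may contain commas (for example distinguished names).
        string groups = Single(headers, GroupsHeader, true) ?? "";
        foreach (string g in groups.Split(new[] { ';' }, StringSplitOptions.RemoveEmptyEntries))
        {
            string name = g.Trim();
            if (name.Length > 0) identity.AddClaim(new Claim(ClaimTypes.Role, name));
        }
        return new ClaimsPrincipal(identity);
    }

    // Treats a header as absent when it is missing, empty, or repeated.
    // HTTP allows repeated header lines to be merged into one comma-separated
    // value, so a comma in a single-valued header is rejected as well.
    static string Single(NameValueCollection headers, string name, bool allowComma)
    {
        string[] values = headers.GetValues(name);
        if (values == null || values.Length != 1) return null;
        string v = values[0].Trim();
        if (v.Length == 0) return null;
        if (!allowComma && v.IndexOf(',') >= 0) return null;
        return v;
    }
}
```

Call `FromHeaders(Request.Headers)` early in the request (for example from `Application_AuthenticateRequest`) and end the request with an error status when it returns null, so a path the module did not process is never treated as authenticated.
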
Distribution: MSI Installer
Runtime: .NET Framework 4.8
Works with: Any SAML 2.0 IdP
License: Free forever
Architecture

Pipeline-native protection. No proxy in the path.

Most SAML SP solutions require a reverse proxy. Notentra's module lives inside the IIS pipeline itself — the same place IIS already handles every request.

User Browser (unauthenticated request) → IIS + SP Module (intercept · validate · inject) → Your Application (authenticated, claims in headers)
Configuration Tool

A GUI for every setting. No XML editing.

The MSI installs a standalone configuration tool. It lists the IIS sites on the server, autodiscovers your Notentra IdP, and handles SAML, sessions, protected paths, and claim mappings — all from one window.

[Screenshot: Notentra SP configuration tool]
Module capabilities

Everything you need. Nothing you don't.

DEPLOY

MSI installer + GAC

One MSI registers the module in the Global Assembly Cache, strong-name signed. No per-site DLL copying, no manual GAC work.

CONFIG

Per-site settings

Each IIS site has its own IdP, entity ID, claim mappings, and session policy — encrypted on disk, validated at startup.

DISCOVERY

SRV autodiscovery

A DNS SRV lookup finds your Notentra IdP automatically. IIS bindings are parsed and contact info is resolved in the background.

SESSIONS

Three session modes

Stateless signed cookie, UDP multicast between nodes, or shared Redis with instant revocation — chosen per site.

INDEPENDENT

No domain join at SP

Claims injected straight into the IIS pipeline. The protected app server needs no AD or LDAP connectivity.

SECURE

Fail-closed by design

Any config or decryption error returns HTTP 503 — the site is never served anonymously. XML Signature Wrapping defenses built in.

Installation

Four steps. Done.

The SP module installs on a production IIS server in under 10 minutes. No reboots, no service interruption.

STEP 01

Run the MSI

Registers the module in the GAC, creates config storage, and installs the configuration tool — in one step.

Notentra-SP.msi
STEP 02

Open the config tool

Launch as Administrator. Your IIS sites are listed automatically. Pick the site to protect.

STEP 03

Configure IdP & claims

Autodiscover or paste your IdP URL. Map SAML attributes to the request headers your app reads.

STEP 04

Register & test

Approve the SP at the IdP admin console and run a test sign-in. No license file needed — it's free.

Get the SP Module

Protect your first IIS site in under 10 minutes.

Register for access, download the MSI, and have your application behind SSO before your next meeting.