public void RestrictToAudience(string uri)
{
var restriction = new AudienceRestriction();
restriction.Add(uri);
Add(restriction);
}
/// <summary>
/// Returns an instance of the class with meaningful default values set.
/// </summary>
/// <returns></returns>
public static Saml20AuthnRequest GetDefault()
{
SAML20FederationConfig config = SAML20FederationConfig.GetConfig();
if (config.ServiceProvider == null || string.IsNullOrEmpty(config.ServiceProvider.ID))
{
throw new Saml20FormatException(Resources.ServiceProviderNotSet);
}
Saml20AuthnRequest result = new Saml20AuthnRequest();
result.Issuer = config.ServiceProvider.ID;
List <ConditionAbstract> audienceRestrictions = new List <ConditionAbstract>(1);
AudienceRestriction audienceRestriction = new AudienceRestriction();
audienceRestriction.Audience = new List <string>(1);
audienceRestriction.Audience.Add(config.ServiceProvider.ID);
audienceRestrictions.Add(audienceRestriction);
result.SetConditions(audienceRestrictions);
return(result);
}
private static AudienceRestriction GetAudienceRestriction(Saml2AuthenticationOptions options)
{
if (!options.TokenValidationParameters.ValidateAudience)
{
return(new AudienceRestriction(AudienceUriMode.Never));
}
var audienceRestriction = new AudienceRestriction(AudienceUriMode.Always);
if (!string.IsNullOrWhiteSpace(options.Wtrealm))
{
audienceRestriction.AllowedAudienceUris.Add(new Uri(options.Wtrealm));
}
if (!string.IsNullOrWhiteSpace(options.TokenValidationParameters.ValidAudience))
{
audienceRestriction.AllowedAudienceUris.Add(new Uri(options.TokenValidationParameters.ValidAudience));
}
if (options.TokenValidationParameters.ValidAudiences != null)
{
foreach (var audience in options.TokenValidationParameters.ValidAudiences)
{
audienceRestriction.AllowedAudienceUris.Add(new Uri(audience));
}
}
return(audienceRestriction);
}
protected override void BuildInternal(AuthnRequest request, AuthnRequestConfiguration configuration)
{
var audienceRestriction = new AudienceRestriction();
configuration.AudienceRestriction.Aggregate(audienceRestriction, (a, next) => { a.Audience.Add(next); return(a); });
request.Conditions.Items.Add(audienceRestriction);
}
// Create a SAML response with the user's local identity.
private SAMLResponse CreateSAMLResponse()
{
Trace.Write("IdP", "Creating SAML response");
SAMLResponse samlResponse = new SAMLResponse();
samlResponse.Destination = Configuration.AssertionConsumerServiceURL;
Issuer issuer = new Issuer(Configuration.Issuer);
samlResponse.Issuer = issuer;
samlResponse.Status = new Status(SAMLIdentifiers.PrimaryStatusCodes.Success, null);
SAMLAssertion samlAssertion = new SAMLAssertion();
samlAssertion.Issuer = issuer;
// For simplicity, a configured Salesforce user name is used.
// NB. You must update the web.config to specify a valid Salesforce user name.
// In a real world application you would perform some sort of local to Salesforce identity mapping.
Subject subject = new Subject(new NameID(Configuration.SalesforceLoginID, null, null, SAMLIdentifiers.NameIdentifierFormats.Unspecified, null));
SubjectConfirmation subjectConfirmation = new SubjectConfirmation(SAMLIdentifiers.SubjectConfirmationMethods.Bearer);
SubjectConfirmationData subjectConfirmationData = new SubjectConfirmationData();
subjectConfirmationData.Recipient = Configuration.AssertionConsumerServiceURL;
subjectConfirmation.SubjectConfirmationData = subjectConfirmationData;
subject.SubjectConfirmations.Add(subjectConfirmation);
samlAssertion.Subject = subject;
Conditions conditions = new Conditions(new TimeSpan(1, 0, 0));
AudienceRestriction audienceRestriction = new AudienceRestriction();
audienceRestriction.Audiences.Add(new Audience(audienceURI));
conditions.ConditionsList.Add(audienceRestriction);
samlAssertion.Conditions = conditions;
subjectConfirmationData.NotOnOrAfter = conditions.NotOnOrAfter;
AuthnStatement authnStatement = new AuthnStatement();
authnStatement.AuthnContext = new AuthnContext();
authnStatement.AuthnContext.AuthnContextClassRef = new AuthnContextClassRef(SAMLIdentifiers.AuthnContextClasses.Unspecified);
samlAssertion.Statements.Add(authnStatement);
AttributeStatement attributeStatement = new AttributeStatement();
attributeStatement.Attributes.Add(new SAMLAttribute(AttributeNames.SSOStartPage, SAMLIdentifiers.AttributeNameFormats.Unspecified, null, CreateAbsoluteURL("~/Login.aspx")));
attributeStatement.Attributes.Add(new SAMLAttribute(AttributeNames.LogoutURL, SAMLIdentifiers.AttributeNameFormats.Unspecified, null, CreateAbsoluteURL("~/Logout.aspx")));
samlAssertion.Statements.Add(attributeStatement);
samlResponse.Assertions.Add(samlAssertion);
Trace.Write("IdP", "Created SAML response");
return(samlResponse);
}
public Saml2AuthnRequest CreateAuthnRequest(string providerName, string authnRequestId, string assertionConsumerServiceUrl)
{
var identityProviderConfiguration = _configurationProvider.GetIdentityProviderConfiguration(providerName);
var request = new Saml2AuthnRequest
{
ID = authnRequestId,
Issuer = ServiceProviderConfiguration.EntityId,
ForceAuthn = identityProviderConfiguration.ForceAuth,
IsPassive = identityProviderConfiguration.IsPassive,
Destination = identityProviderConfiguration.SingleSignOnService,
IssuerFormat = identityProviderConfiguration.IssuerFormat,
IssueInstant = DateTime.UtcNow,
ProtocolBinding = identityProviderConfiguration.ProtocolBinding
};
request.Request.AssertionConsumerServiceURL = assertionConsumerServiceUrl;
var audienceRestrictions = new List <ConditionAbstract>(1);
var audienceRestriction =
new AudienceRestriction {
Audience = new List <string>(1)
{
ServiceProviderConfiguration.EntityId
}
};
audienceRestrictions.Add(audienceRestriction);
request.Request.Conditions = new Conditions {
Items = audienceRestrictions
};
if (identityProviderConfiguration.AllowCreate.HasValue &&
identityProviderConfiguration.NameIdPolicyFormat.IsNotNullOrEmpty())
{
request.Request.NameIDPolicy = new NameIDPolicy
{
AllowCreate = identityProviderConfiguration.AllowCreate,
Format = identityProviderConfiguration.NameIdPolicyFormat
};
}
if (identityProviderConfiguration.AuthnContextComparisonType.IsNotNullOrEmpty())
{
request.Request.RequestedAuthnContext = new RequestedAuthnContext
{
Comparison = (AuthnContextComparisonType)Enum.Parse(typeof(AuthnContextComparisonType), identityProviderConfiguration.AuthnContextComparisonType),
ComparisonSpecified = true,
Items = identityProviderConfiguration.AuthnContextComparisonItems
};
}
return(request);
}
// Create a SAML response with the user's local identity, if any, or indicating an error.
private SAMLResponse CreateSAMLResponse(AuthnRequest authnRequest)
{
Trace.Write("IdP", "Creating SAML response");
SAMLResponse samlResponse = new SAMLResponse();
samlResponse.InResponseTo = authnRequest.ID;
samlResponse.Destination = authnRequest.AssertionConsumerServiceURL;
Issuer issuer = new Issuer(CreateAbsoluteURL("~/"));
samlResponse.Issuer = issuer;
if (User.Identity.IsAuthenticated)
{
samlResponse.Status = new Status(SAMLIdentifiers.PrimaryStatusCodes.Success, null);
SAMLAssertion samlAssertion = new SAMLAssertion();
samlAssertion.Issuer = issuer;
samlAssertion.Conditions = new Conditions(new TimeSpan(0, 10, 0));
AudienceRestriction audienceRestriction = new AudienceRestriction();
audienceRestriction.Audiences.Add(new Audience(authnRequest.AssertionConsumerServiceURL));
samlAssertion.Conditions.ConditionsList.Add(audienceRestriction);
Subject subject = new Subject(new NameID(User.Identity.Name));
SubjectConfirmation subjectConfirmation = new SubjectConfirmation(SAMLIdentifiers.SubjectConfirmationMethods.Bearer);
SubjectConfirmationData subjectConfirmationData = new SubjectConfirmationData();
subjectConfirmationData.InResponseTo = authnRequest.ID;
subjectConfirmationData.Recipient = authnRequest.AssertionConsumerServiceURL;
subjectConfirmationData.NotBefore = samlAssertion.Conditions.NotBefore;
subjectConfirmationData.NotOnOrAfter = samlAssertion.Conditions.NotOnOrAfter;
subjectConfirmation.SubjectConfirmationData = subjectConfirmationData;
subject.SubjectConfirmations.Add(subjectConfirmation);
samlAssertion.Subject = subject;
AuthnStatement authnStatement = new AuthnStatement();
authnStatement.AuthnContext = new AuthnContext();
authnStatement.AuthnContext.AuthnContextClassRef = new AuthnContextClassRef(SAMLIdentifiers.AuthnContextClasses.Password);
samlAssertion.Statements.Add(authnStatement);
samlResponse.Assertions.Add(samlAssertion);
}
else
{
samlResponse.Status = new Status(SAMLIdentifiers.PrimaryStatusCodes.Responder, SAMLIdentifiers.SecondaryStatusCodes.AuthnFailed, "The user is not authenticated at the identity provider");
}
Trace.Write("IdP", "Created SAML response");
return(samlResponse);
}
private static AudienceRestriction GetAudienceRestriction(bool audienceRestricted, IEnumerable <string> allowedAudienceUris)
{
var audienceRestriction = new AudienceRestriction(audienceRestricted ? System.IdentityModel.Selectors.AudienceUriMode.Always : System.IdentityModel.Selectors.AudienceUriMode.Never);
if (audienceRestricted)
{
foreach (var audienceUri in allowedAudienceUris)
{
audienceRestriction.AllowedAudienceUris.Add(new Uri(audienceUri));
}
}
return(audienceRestriction);
}
/// <summary>
/// Check if an audience restriction from configuration should be
/// applied or if we should revert to the default behaviour of
/// restricting the audience to the entity id.
/// </summary>
/// <param name="spOptions">Sp Options with configuration</param>
/// <returns>Configured or created audience restriction.</returns>
private static AudienceRestriction GetAudienceRestriction(SPOptions spOptions)
{
var audienceRestriction = spOptions.SystemIdentityModelIdentityConfiguration.AudienceRestriction;
if (audienceRestriction.AudienceMode != AudienceUriMode.Never &&
!audienceRestriction.AllowedAudienceUris.Any())
{
// Create a new instance instead of modifying the one from the
// configuration.
audienceRestriction = new AudienceRestriction(audienceRestriction.AudienceMode);
audienceRestriction.AllowedAudienceUris.Add(new Uri(spOptions.EntityId.Id));
}
return(audienceRestriction);
}
static MorePublicSaml2SecurityTokenHandler()
{
var audienceRestriction = new AudienceRestriction(AudienceUriMode.Always);
audienceRestriction.AllowedAudienceUris.Add(
new Uri(KentorAuthServicesSection.Current.EntityId));
defaultInstance = new MorePublicSaml2SecurityTokenHandler()
{
Configuration = new SecurityTokenHandlerConfiguration()
{
IssuerNameRegistry = new ReturnRequestedIssuerNameRegistry(),
AudienceRestriction = audienceRestriction
}
};
}
public void ThrowsExceptionWhenAudienceRestrictionAudienceFormatIsInvalid()
{
// Arrange
var assertion = AssertionUtil.GetBasicAssertion();
var validator = new Saml20AssertionValidator(AssertionUtil.GetAudiences(), false);
var audienceRestriction = new AudienceRestriction
{
Audience = new List <string>(new[] { "malformed uri" })
};
assertion.Conditions.Items = new List <ConditionAbstract>(new ConditionAbstract[] { audienceRestriction });
// Act
validator.ValidateAssertion(assertion);
}
public void ThrowsExceptionWhenAudienceRestrictionAudienceFormatIsInvalid()
{
// Arrange
var assertion = AssertionUtil.GetBasicAssertion();
var validator = new Saml20AssertionValidator(AssertionUtil.GetAudiences(), false);
var audienceRestriction = new AudienceRestriction
{
Audience = new List <string>(new[] { "malformed uri" })
};
assertion.Conditions.Items = new List <ConditionAbstract>(new ConditionAbstract[] { audienceRestriction });
// Act
Assert.Throws <Saml20FormatException>(() => validator.ValidateAssertion(assertion), "Audience element has value which is not a wellformed absolute uri");
}
/// <summary>
/// Returns an instance of the class with meaningful default values set.
/// </summary>
/// <returns></returns>
public static Saml20AuthnRequest GetDefault(string issuer)
{
Saml20AuthnRequest result = new Saml20AuthnRequest();
result.Issuer = issuer;
List <ConditionAbstract> audienceRestrictions = new List <ConditionAbstract>(1);
AudienceRestriction audienceRestriction = new AudienceRestriction();
audienceRestriction.Audience = new List <string>(1);
audienceRestriction.Audience.Add(issuer);
audienceRestrictions.Add(audienceRestriction);
result.SetConditions(audienceRestrictions);
return(result);
}
public Saml2PSecurityTokenHandler(SAML2AuthenticationOptions spOptions)
{
if (spOptions == null)
{
throw new ArgumentNullException(spOptions.GetType().Name);
}
var audienceRestriction = new AudienceRestriction(AudienceUriMode.Always);
audienceRestriction.AllowedAudienceUris.Add(
new Uri(spOptions.EntityId.Id, UriKind.RelativeOrAbsolute));
Configuration = new SecurityTokenHandlerConfiguration
{
IssuerNameRegistry = new ReturnRequestedIssuerNameRegistry(),
AudienceRestriction = audienceRestriction,
// SaveBootstrapContext = spOptions.SystemIdentityModelIdentityConfiguration.SaveBootstrapContext
};
}
public void ValidatesAudienceRestrictionWithMultipleAudienceRestrictions()
{
// Arrange
var assertion = AssertionUtil.GetBasicAssertion();
var validator = new Saml20AssertionValidator(AssertionUtil.GetAudiences(), false);
var audienceConditions = new List <ConditionAbstract>(assertion.Conditions.Items);
var audienceRestriction = new AudienceRestriction
{
Audience = new List <string>(new[] { "urn:borger.dk:id" })
};
audienceConditions.Add(audienceRestriction);
assertion.Conditions.Items = audienceConditions;
// Act
validator.ValidateAssertion(assertion);
}
public void ThrowsExceptionWhenAudienceRestrictionAnyAudienceRestrictionIsNotMet()
{
// Arrange
var assertion = AssertionUtil.GetBasicAssertion();
var validator = new Saml20AssertionValidator(AssertionUtil.GetAudiences(), false);
var audienceConditions = new List <ConditionAbstract>(assertion.Conditions.Items);
var audienceRestriction = new AudienceRestriction
{
Audience = new List <string>(new[] { "http://well/formed.uri" })
};
audienceConditions.Add(audienceRestriction);
assertion.Conditions.Items = audienceConditions;
// Act
validator.ValidateAssertion(assertion);
}
public void ThrowsExceptionWhenAudienceRestrictionAnyAudienceRestrictionIsNotMet()
{
// Arrange
var assertion = AssertionUtil.GetBasicAssertion();
var validator = new Saml20AssertionValidator(AssertionUtil.GetAudiences(), false);
var audienceConditions = new List <ConditionAbstract>(assertion.Conditions.Items);
var audienceRestriction = new AudienceRestriction
{
Audience = new List <string>(new[] { "http://well/formed.uri" })
};
audienceConditions.Add(audienceRestriction);
assertion.Conditions.Items = audienceConditions;
// Act
Assert.Throws <Saml20FormatException>(() => validator.ValidateAssertion(assertion), "The service is not configured to meet the given audience restrictions");
}
public Saml2PSecurityTokenHandler(ISPOptions spOptions)
{
if (spOptions == null)
{
throw new ArgumentNullException(nameof(spOptions));
}
var audienceRestriction = new AudienceRestriction(AudienceUriMode.Always);
audienceRestriction.AllowedAudienceUris.Add(
new Uri(spOptions.EntityId.Id));
Configuration = new SecurityTokenHandlerConfiguration
{
IssuerNameRegistry = new ReturnRequestedIssuerNameRegistry(),
AudienceRestriction = audienceRestriction,
SaveBootstrapContext = spOptions.SystemIdentityModelIdentityConfiguration.SaveBootstrapContext
};
}
/// <summary>
/// Validates the saml20Assertion's list of conditions.
/// </summary>
private void ValidateConditions(Assertion saml20Assertion)
{
bool audienceRestrictionPresent = false;
foreach (ConditionAbstract condition in saml20Assertion.Conditions.Items)
{
if (condition is AudienceRestriction)
{
audienceRestrictionPresent = true;
AudienceRestriction audienceRestriction = (AudienceRestriction)condition;
if (audienceRestriction.Audience == null || audienceRestriction.Audience.Count == 0)
{
throw new DKSaml20FormatException(
"The DK-SAML 2.0 profile requires that an \"AudienceRestriction\" element contains the service provider's unique identifier in an \"Audience\" element.");
}
}
}
if (!audienceRestrictionPresent)
{
throw new DKSaml20FormatException("The DK-SAML 2.0 profile requires that an \"AudienceRestriction\" element is present on the saml20Assertion.");
}
}
private ReadOnlyCollection <ClaimsIdentity> ValidateAssertion(string assertionXml)
{
ReadOnlyCollection <ClaimsIdentity> claimsIdentities = null;
Saml2SecurityToken securityToken;
StringReader reader = new StringReader(assertionXml);
using (XmlReader xmlReader = XmlReader.Create(reader))
{
if (!xmlReader.ReadToFollowing("saml2:Assertion"))
{
throw new SecurityTokenValidationException("SAML2 Assertion not found.");
}
FixedSaml2SecurityTokenHandler tokenHandler = new FixedSaml2SecurityTokenHandler(Recipient);
SecurityTokenHandler[] tokenHandlers = new SecurityTokenHandlers[] { tokenHandler };
SecurityTokenHandlerCollection handlerCollection = new SecurityTokenHandlerCollection(tokenHandlers);
ConfigurationBasedIssuerNameRegistry issuerNameRegistry = new ConfigurationBasedIssuerNameRegistry();
foreach (TrustedIssuer issuer in TrustedIssuers)
{
issuerNameRegistry.AddTrustedIssuer(issuer.CertificateThumbprint, issuer.IssuerName);
}
handlerCollection.Configuration.IssuerNameRegistry = issuerNameRegistry;
AudienceRestriction restriction = new AudienceRestriction(AudienceUriMode.Always);
foreach (Uri allowedAudience in AllowedAudiences)
{
restriction.AllowedAudiencesUris.Add(allowedAudience);
}
handlerCollection.Configuration.AudienceRestriction = restriction;
securityToken = (Saml2SecurityToken)handlerCollection.ReadToken(xmlReader.ReadSubtree());
claimsIdentities = handlerCollection.ValidateToken(securityToken);
}
return(claimsIdentities);
}
// Create a SAML response with the user's local identity.
private SAMLResponse CreateSAMLResponse()
{
Trace.Write("IdP", "Creating SAML response");
SAMLResponse samlResponse = new SAMLResponse();
samlResponse.Destination = Configuration.AssertionConsumerServiceURL;
Issuer issuer = new Issuer(Configuration.Issuer);
samlResponse.Issuer = issuer;
samlResponse.Status = new Status(SAMLIdentifiers.PrimaryStatusCodes.Success, null);
SAMLAssertion samlAssertion = new SAMLAssertion();
samlAssertion.Issuer = issuer;
// For simplicity, a configured Salesforce user name is used.
// NB. You must update the web.config to specify a valid Salesforce user name.
// In a real world application you would perform some sort of local to Salesforce identity mapping.
Subject subject = new Subject(new NameID(Configuration.SalesforceLoginID, null, null, SAMLIdentifiers.NameIdentifierFormats.Unspecified, null));
SubjectConfirmation subjectConfirmation = new SubjectConfirmation(SAMLIdentifiers.SubjectConfirmationMethods.Bearer);
SubjectConfirmationData subjectConfirmationData = new SubjectConfirmationData();
subjectConfirmationData.Recipient = Configuration.AssertionConsumerServiceURL;
subjectConfirmation.SubjectConfirmationData = subjectConfirmationData;
subject.SubjectConfirmations.Add(subjectConfirmation);
samlAssertion.Subject = subject;
Conditions conditions = new Conditions(new TimeSpan(1, 0, 0));
AudienceRestriction audienceRestriction = new AudienceRestriction();
audienceRestriction.Audiences.Add(new Audience(audienceURI));
conditions.ConditionsList.Add(audienceRestriction);
samlAssertion.Conditions = conditions;
subjectConfirmationData.NotOnOrAfter = conditions.NotOnOrAfter;
AuthnStatement authnStatement = new AuthnStatement();
authnStatement.AuthnContext = new AuthnContext();
authnStatement.AuthnContext.AuthnContextClassRef = new AuthnContextClassRef(SAMLIdentifiers.AuthnContextClasses.Unspecified);
samlAssertion.Statements.Add(authnStatement);
AttributeStatement attributeStatement = new AttributeStatement();
attributeStatement.Attributes.Add(new SAMLAttribute(AttributeNames.SSOStartPage, SAMLIdentifiers.AttributeNameFormats.Unspecified, null, CreateAbsoluteURL("~/Login.aspx")));
attributeStatement.Attributes.Add(new SAMLAttribute(AttributeNames.LogoutURL, SAMLIdentifiers.AttributeNameFormats.Unspecified, null, CreateAbsoluteURL("~/Logout.aspx")));
samlAssertion.Statements.Add(attributeStatement);
samlResponse.Assertions.Add(samlAssertion);
Trace.Write("IdP", "Created SAML response");
return samlResponse;
}
public void AddAudienceRestriction(string audience)
{
if (Conditions == null)
{
Conditions = new ConditionGroup();
}
var restriction = Conditions.Conditions.OfType<AudienceRestriction>().FirstOrDefault();
if (restriction == null)
{
restriction = new AudienceRestriction();
Conditions.Add(restriction);
}
restriction.Add(audience);
}
private void BuildSamlRequest()
{
ClientScript.RegisterStartupScript(typeof(Page), "OpaqueDivider",
@"
<script language=""javascript"">
<!--
var dividerID = '" + this.SamlAgentDiv.ClientID + @"';
var divider = document.getElementById(dividerID);
divider.style.visibility = 'visible';
//-->
</script>" );
//Creating SAML response
X509Certificate2 vendorCertificate = GetVendorCertificate();
X509Certificate2 selerixCertificate = GetSelerixCertificate();
//string assertionConsumerServiceURL = "SamlResponse.aspx";
string assertionConsumerServiceURL = "http://localhost:49000/login.aspx?Path=SAML_TEST";
string audienceName = "whatever audience";
SAMLResponse samlResponse = new SAMLResponse();
samlResponse.Destination = assertionConsumerServiceURL;
Issuer issuer = new Issuer("Vendor");
samlResponse.Issuer = issuer;
samlResponse.Status = new Status(SAMLIdentifiers.PrimaryStatusCodes.Success, null);
SAMLAssertion samlAssertion = new SAMLAssertion();
samlAssertion.Issuer = issuer;
Subject subject = null;
//subject = new Subject(new EncryptedID(new NameID(this._EmailText.Text), selerixCertificate, new EncryptionMethod(EncryptedXml.XmlEncTripleDESUrl)));
subject = new Subject(new NameID(this._EmailText.Text));
SubjectConfirmation subjectConfirmation = new SubjectConfirmation(SAMLIdentifiers.SubjectConfirmationMethods.Bearer);
SubjectConfirmationData subjectConfirmationData = new SubjectConfirmationData();
subjectConfirmationData.Recipient = assertionConsumerServiceURL;
subjectConfirmationData.NotOnOrAfter = DateTime.UtcNow.AddHours(1);
subjectConfirmation.SubjectConfirmationData = subjectConfirmationData;
subject.SubjectConfirmations.Add(subjectConfirmation);
samlAssertion.Subject = subject;
Conditions conditions = new Conditions(new TimeSpan(1, 0, 0));
AudienceRestriction audienceRestriction = new AudienceRestriction();
audienceRestriction.Audiences.Add(new Audience(audienceName));
conditions.ConditionsList.Add(audienceRestriction);
samlAssertion.Conditions = conditions;
AuthnStatement authnStatement = new AuthnStatement();
authnStatement.AuthnContext = new AuthnContext();
authnStatement.AuthnContext.AuthnContextClassRef = new AuthnContextClassRef(SAMLIdentifiers.AuthnContextClasses.Unspecified);
samlAssertion.Statements.Add(authnStatement);
AttributeStatement attributeStatement = new AttributeStatement();
Transmittal transmittal = BuildTransmittal();
if (transmittal != null && !string.IsNullOrEmpty(this._FirstName.Text) && !string.IsNullOrEmpty(this._LastName.Text))
{
attributeStatement.Attributes.Add(new SAMLAttribute("Transmittal", SAMLIdentifiers.AttributeNameFormats.Basic, null, SerializationHelper.SerializeToString(transmittal)));
}
samlAssertion.Statements.Add(attributeStatement);
// EncryptedAssertion encryptedAssertion = new EncryptedAssertion(samlAssertion, selerixCertificate, new EncryptionMethod(EncryptedXml.XmlEncTripleDESUrl));
// samlResponse.Assertions.Add(encryptedAssertion);
samlResponse.Assertions.Add(samlAssertion);
//Created SAML response
//Sending SAML response
// Serialize the SAML response for transmission.
XmlElement samlResponseXml = samlResponse.ToXml();
// Sign the SAML response.
SAMLMessageSignature.Generate(samlResponseXml, vendorCertificate.PrivateKey, vendorCertificate);
HttpContext.Current.Response.AddHeader("Cache-Control", "no-cache");
HttpContext.Current.Response.AddHeader("Pragma", "no-cache");
IdentityProvider.SendSAMLResponseByHTTPPost(HttpContext.Current.Response, assertionConsumerServiceURL, samlResponseXml, "");// for test purposes
}
/// <summary>
/// Returns an instance of the class with meaningful default values set.
/// </summary>
/// <returns>The default <see cref="Saml20AuthnRequest"/>.</returns>
public static Saml20AuthnRequest GetDefault(Saml2Configuration config)
{
var result = new Saml20AuthnRequest {
Issuer = config.ServiceProvider.Id
};
if (config.ServiceProvider.Endpoints.DefaultSignOnEndpoint.Binding != BindingType.NotSet)
{
var baseUrl = new Uri(config.ServiceProvider.Server);
result.AssertionConsumerServiceUrl = new Uri(baseUrl, config.ServiceProvider.Endpoints.DefaultSignOnEndpoint.LocalPath).ToString();
}
// Binding
switch (config.ServiceProvider.Endpoints.DefaultSignOnEndpoint.Binding)
{
case BindingType.Artifact:
result.Request.ProtocolBinding = Saml20Constants.ProtocolBindings.HttpArtifact;
break;
case BindingType.Post:
result.Request.ProtocolBinding = Saml20Constants.ProtocolBindings.HttpPost;
break;
case BindingType.PostSimpleSign:
result.Request.ProtocolBinding = Saml20Constants.ProtocolBindings.HttpPostSimpleSign;
break;
case BindingType.Redirect:
result.Request.ProtocolBinding = Saml20Constants.ProtocolBindings.HttpRedirect;
break;
case BindingType.Soap:
result.Request.ProtocolBinding = Saml20Constants.ProtocolBindings.HttpSoap;
break;
}
// NameIDPolicy
if (config.ServiceProvider.NameIdFormats.Count > 0)
{
result.NameIdPolicy = new NameIdPolicy
{
AllowCreate = false,
Format = config.ServiceProvider.NameIdFormats[0].Format
};
if (result.NameIdPolicy.Format != Saml20Constants.NameIdentifierFormats.Entity)
{
result.NameIdPolicy.SPNameQualifier = config.ServiceProvider.Id;
}
}
// RequestedAuthnContext
if (config.ServiceProvider.AuthenticationContexts.Count > 0)
{
result.RequestedAuthnContext = new RequestedAuthnContext();
switch (config.ServiceProvider.AuthenticationContexts.Comparison)
{
case AuthenticationContextComparison.Better:
result.RequestedAuthnContext.Comparison = AuthnContextComparisonType.Better;
result.RequestedAuthnContext.ComparisonSpecified = true;
break;
case AuthenticationContextComparison.Minimum:
result.RequestedAuthnContext.Comparison = AuthnContextComparisonType.Minimum;
result.RequestedAuthnContext.ComparisonSpecified = true;
break;
case AuthenticationContextComparison.Maximum:
result.RequestedAuthnContext.Comparison = AuthnContextComparisonType.Maximum;
result.RequestedAuthnContext.ComparisonSpecified = true;
break;
case AuthenticationContextComparison.Exact:
result.RequestedAuthnContext.Comparison = AuthnContextComparisonType.Exact;
result.RequestedAuthnContext.ComparisonSpecified = true;
break;
default:
result.RequestedAuthnContext.ComparisonSpecified = false;
break;
}
result.RequestedAuthnContext.Items = new string[config.ServiceProvider.AuthenticationContexts.Count];
result.RequestedAuthnContext.ItemsElementName = new Schema.Protocol.AuthnContextType[config.ServiceProvider.AuthenticationContexts.Count];
var count = 0;
foreach (var authenticationContext in config.ServiceProvider.AuthenticationContexts)
{
result.RequestedAuthnContext.Items[count] = authenticationContext.Context;
switch (authenticationContext.ReferenceType)
{
case "AuthnContextDeclRef":
result.RequestedAuthnContext.ItemsElementName[count] = Schema.Protocol.AuthnContextType.AuthnContextDeclRef;
break;
default:
result.RequestedAuthnContext.ItemsElementName[count] = Schema.Protocol.AuthnContextType.AuthnContextClassRef;
break;
}
count++;
}
}
// Restrictions
var audienceRestrictions = new List <ConditionAbstract>(1);
var audienceRestriction = new AudienceRestriction {
Audience = new List <string>(1)
{
config.ServiceProvider.Id
}
};
audienceRestrictions.Add(audienceRestriction);
result.SetConditions(audienceRestrictions);
return(result);
}
/// <summary>
/// Validates the Assertion's conditions
/// Audience restrictions processing rules are:
/// - Within a single audience restriction condition in the assertion, the service must be configured
/// with an audience-list that contains at least one of the restrictions in the assertion ("OR" filter)
/// - When multiple audience restrictions are present within the same assertion, all individual audience
/// restriction conditions must be met ("AND" filter)
/// </summary>
private void ValidateConditions(Assertion assertion)
{
// Conditions are not required
if (assertion.Conditions == null)
{
return;
}
bool oneTimeUseSeen = false;
bool proxyRestrictionsSeen = false;
ValidateConditionsInterval(assertion.Conditions);
foreach (ConditionAbstract cat in assertion.Conditions.Items)
{
if (cat is OneTimeUse)
{
if (oneTimeUseSeen)
{
throw new Saml20FormatException("Assertion contained more than one condition of type OneTimeUse");
}
oneTimeUseSeen = true;
continue;
}
if (cat is ProxyRestriction)
{
if (proxyRestrictionsSeen)
{
throw new Saml20FormatException("Assertion contained more than one condition of type ProxyRestriction");
}
proxyRestrictionsSeen = true;
ProxyRestriction proxyRestriction = (ProxyRestriction)cat;
if (!String.IsNullOrEmpty(proxyRestriction.Count))
{
uint res;
if (!UInt32.TryParse(proxyRestriction.Count, out res))
{
throw new Saml20FormatException("Count attribute of ProxyRestriction MUST BE a non-negative integer");
}
}
if (proxyRestriction.Audience != null)
{
foreach (string audience in proxyRestriction.Audience)
{
if (!Uri.IsWellFormedUriString(audience, UriKind.Absolute))
{
throw new Saml20FormatException("ProxyRestriction Audience MUST BE a wellformed uri");
}
}
}
}
// AudienceRestriction processing goes here (section 2.5.1.4 of [SAML2.0std])
if (cat is AudienceRestriction)
{
// No audience restrictions? No problems...
AudienceRestriction audienceRestriction = (AudienceRestriction)cat;
if (audienceRestriction.Audience == null || audienceRestriction.Audience.Count == 0)
{
continue;
}
// If there are no allowed audience uris configured for the service, the assertion is not
// valid for this service
if (_allowedAudienceUris == null || _allowedAudienceUris.Count < 1)
{
throw new Saml20FormatException("The service is not configured to meet any audience restrictions");
}
string match = null;
foreach (string audience in audienceRestriction.Audience)
{
//In QuirksMode this validation is omitted
if (!_quirksMode)
{
// The given audience value MUST BE a valid URI
if (!Uri.IsWellFormedUriString(audience, UriKind.Absolute))
{
throw new Saml20FormatException("Audience element has value which is not a wellformed absolute uri");
}
}
match =
_allowedAudienceUris.Find(
delegate(string allowedUri) { return(allowedUri.Equals(audience)); });
if (match != null)
{
break;
}
}
// if (Trace.ShouldTrace(TraceEventType.Verbose))
// {
// string intended = "Intended uris: " + Environment.NewLine + String.Join(Environment.NewLine, audienceRestriction.Audience.ToArray());
// string allowed = "Allowed uris: " + Environment.NewLine + String.Join(Environment.NewLine, _allowedAudienceUris.ToArray());
// Trace.TraceData(TraceEventType.Verbose, Trace.CreateTraceString(GetType(), "ValidateConditions"), intended, allowed);
// }
if (match == null)
{
throw new Saml20FormatException("The service is not configured to meet the given audience restrictions");
}
}
}
}
private static Assertion CreateAssertion(SamlResponseFactoryArgs args)
{
var assertionId = AssertionIdFactory();
var issueInstant = IssueInstantFactory();
var version = VersionFactory();
var notOnOrAfter = issueInstant.DateTime.Add(args.TimeToBeExpired);
var authnInstant = issueInstant.DateTime;
var sessionIndex = string.IsNullOrEmpty(args.SessionIndex.Value)
? SessionIndexFactory() : args.SessionIndex.Value;
var assertion = new Assertion
{
Issuer = new NameId(),
Id = assertionId,
IssueInstant = issueInstant.DateTime,
Version = version,
};
assertion.Issuer.Value = args.Issuer.Value;
assertion.Subject = new Subject();
var subjectConfirmation = new SubjectConfirmation
{
Method = SubjectConfirmation.BearerMethod,
SubjectConfirmationData = new SubjectConfirmationData
{
NotOnOrAfter = notOnOrAfter,
Recipient = args.Recipient.Value,
InResponseTo = args.RequestId.Value,
},
};
assertion.Subject.Items = new object[]
{
new NameId
{
Format = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress",
Value = args.Email.Value
},
subjectConfirmation
};
assertion.Conditions = new Conditions {
NotOnOrAfter = notOnOrAfter
};
var audienceRestriction = new AudienceRestriction
{
Audience = new List <string>(new[] { args.Audience.Value })
};
assertion.Conditions.Items = new List <ConditionAbstract>(new ConditionAbstract[]
{
audienceRestriction
});
AuthnStatement authnStatement;
{
authnStatement = new AuthnStatement();
assertion.Items = new StatementAbstract[] { authnStatement };
authnStatement.AuthnInstant = authnInstant;
authnStatement.SessionIndex = sessionIndex;
authnStatement.AuthnContext = new AuthnContext
{
Items = new object[]
{
"urn:oasis:names:tc:SAML:2.0:ac:classes:X509"
},
ItemsElementName = new[]
{
AuthnContextType.AuthnContextClassRef
}
};
}
AttributeStatement attributeStatement;
{
attributeStatement = new AttributeStatement();
var email = new SamlAttribute
{
Name = "User.email",
NameFormat = "urn:oasis:names:tc:SAML:2.0:attrname-format:basic",
AttributeValue = new[] { args.Email.Value }
};
attributeStatement.Items = new object[] { email };
}
assertion.Items = new StatementAbstract[] { authnStatement, attributeStatement };
return(assertion);
}
/// <summary>
/// Assembles our basic test assertion
/// </summary>
/// <returns></returns>
public static Assertion GetBasicAssertion()
{
Assertion assertion = new Assertion();
{
assertion.Issuer = new NameID();
assertion.ID = "_b8977dc86cda41493fba68b32ae9291d";
assertion.IssueInstant = DateTime.UtcNow;
assertion.Version = "2.0";
assertion.Issuer.Value = GetBasicIssuer();
}
{
assertion.Subject = new Subject();
SubjectConfirmation subjectConfirmation = new SubjectConfirmation();
subjectConfirmation.Method = SubjectConfirmation.BEARER_METHOD;
subjectConfirmation.SubjectConfirmationData = new SubjectConfirmationData();
subjectConfirmation.SubjectConfirmationData.NotOnOrAfter = DateTime.UtcNow.AddMinutes(1);
subjectConfirmation.SubjectConfirmationData.Recipient = "http://borger.dk";
assertion.Subject.Items = new object[] { subjectConfirmation };
}
{
assertion.Conditions = new Conditions();
assertion.Conditions.NotOnOrAfter = DateTime.UtcNow.AddMinutes(1);
AudienceRestriction audienceRestriction = new AudienceRestriction();
audienceRestriction.Audience = GetAudiences();
assertion.Conditions.Items = new List <ConditionAbstract>(new ConditionAbstract[] { audienceRestriction });
}
AuthnStatement authnStatement;
{
authnStatement = new AuthnStatement();
assertion.Items = new StatementAbstract[] { authnStatement };
authnStatement.AuthnInstant = new DateTime(2008, 1, 8);
authnStatement.SessionIndex = "70225885";
authnStatement.AuthnContext = new AuthnContext();
authnStatement.AuthnContext.Items = new object[] { "urn:oasis:names:tc:SAML:2.0:ac:classes:X509", "http://www.safewhere.net/authncontext/declref" };
authnStatement.AuthnContext.ItemsElementName = new ItemsChoiceType5[] { ItemsChoiceType5.AuthnContextClassRef, ItemsChoiceType5.AuthnContextDeclRef };
}
AttributeStatement attributeStatement;
{
attributeStatement = new AttributeStatement();
SamlAttribute surName = new SamlAttribute();
surName.FriendlyName = "SurName";
surName.Name = "urn:oid:2.5.4.4";
surName.NameFormat = SamlAttribute.NAMEFORMAT_URI;
surName.AttributeValue = new string[] { "Fry" };
SamlAttribute commonName = new SamlAttribute();
commonName.FriendlyName = "CommonName";
commonName.Name = "urn:oid:2.5.4.3";
commonName.NameFormat = SamlAttribute.NAMEFORMAT_URI;
commonName.AttributeValue = new string[] { "Philip J. Fry" };
SamlAttribute userName = new SamlAttribute();
userName.Name = "urn:oid:0.9.2342.19200300.100.1.1";
userName.NameFormat = SamlAttribute.NAMEFORMAT_URI;
userName.AttributeValue = new string[] { "fry" };
SamlAttribute eMail = new SamlAttribute();
eMail.FriendlyName = "Email";
eMail.Name = "urn:oid:0.9.2342.19200300.100.1.3";
eMail.NameFormat = SamlAttribute.NAMEFORMAT_URI;
eMail.AttributeValue = new string[] { "*****@*****.**" };
attributeStatement.Items = new object[] { surName, commonName, userName, eMail };
}
assertion.Items = new StatementAbstract[] { authnStatement, attributeStatement };
return(assertion);
}
/// <summary>
/// Assembles our basic test assertion
/// </summary>
/// <returns>The <see cref="Assertion"/>.</returns>
public static Assertion GetBasicAssertion()
{
var assertion = new Assertion
{
Issuer = new NameId(),
Id = "_b8977dc86cda41493fba68b32ae9291d",
IssueInstant = DateTime.UtcNow,
Version = "2.0"
};
assertion.Issuer.Value = GetBasicIssuer();
assertion.Subject = new Subject();
var subjectConfirmation = new SubjectConfirmation
{
Method = SubjectConfirmation.BearerMethod,
SubjectConfirmationData =
new SubjectConfirmationData
{
NotOnOrAfter = new DateTime(2008, 12, 31, 12, 0, 0, 0),
Recipient = "http://borger.dk"
}
};
assertion.Subject.Items = new object[] { subjectConfirmation };
assertion.Conditions = new Conditions {
NotOnOrAfter = new DateTime(2008, 12, 31, 12, 0, 0, 0)
};
var audienceRestriction = new AudienceRestriction {
Audience = GetAudiences().Select(u => u.ToString()).ToList()
};
assertion.Conditions.Items = new List <ConditionAbstract>(new ConditionAbstract[] { audienceRestriction });
AuthnStatement authnStatement;
{
authnStatement = new AuthnStatement();
assertion.Items = new StatementAbstract[] { authnStatement };
authnStatement.AuthnInstant = new DateTime(2008, 1, 8);
authnStatement.SessionIndex = "70225885";
authnStatement.AuthnContext = new AuthnContext
{
Items = new object[]
{
"urn:oasis:names:tc:SAML:2.0:ac:classes:X509",
"http://www.safewhere.net/authncontext/declref"
},
ItemsElementName = new[]
{
AuthnContextType.AuthnContextClassRef,
AuthnContextType.AuthnContextDeclRef
}
};
}
AttributeStatement attributeStatement;
{
attributeStatement = new AttributeStatement();
var surName = new SamlAttribute
{
FriendlyName = "SurName",
Name = "urn:oid:2.5.4.4",
NameFormat = SamlAttribute.NameformatUri,
AttributeValue = new[] { "Fry" }
};
var commonName = new SamlAttribute
{
FriendlyName = "CommonName",
Name = "urn:oid:2.5.4.3",
NameFormat = SamlAttribute.NameformatUri,
AttributeValue = new[] { "Philip J. Fry" }
};
var userName = new SamlAttribute
{
Name = "urn:oid:0.9.2342.19200300.100.1.1",
NameFormat = SamlAttribute.NameformatUri,
AttributeValue = new[] { "fry" }
};
var email = new SamlAttribute
{
FriendlyName = "Email",
Name = "urn:oid:0.9.2342.19200300.100.1.3",
NameFormat = SamlAttribute.NameformatUri,
AttributeValue = new[] { "*****@*****.**" }
};
attributeStatement.Items = new object[] { surName, commonName, userName, email };
}
assertion.Items = new StatementAbstract[] { authnStatement, attributeStatement };
return(assertion);
}
// Create a SAML response with the user's local identity, if any, or indicating an error.
private SAMLResponse CreateSAMLResponse(AuthnRequest authnRequest)
{
Trace.Write("IdP", "Creating SAML response");
SAMLResponse samlResponse = new SAMLResponse();
samlResponse.Destination = authnRequest.AssertionConsumerServiceURL;
Issuer issuer = new Issuer(CreateAbsoluteURL("~/"));
samlResponse.Issuer = issuer;
if (User.Identity.IsAuthenticated) {
samlResponse.Status = new Status(SAMLIdentifiers.PrimaryStatusCodes.Success, null);
SAMLAssertion samlAssertion = new SAMLAssertion();
samlAssertion.Issuer = issuer;
samlAssertion.Conditions = new Conditions(new TimeSpan(0, 10, 0));
AudienceRestriction audienceRestriction = new AudienceRestriction();
audienceRestriction.Audiences.Add(new Audience(authnRequest.AssertionConsumerServiceURL));
samlAssertion.Conditions.ConditionsList.Add(audienceRestriction);
Subject subject = new Subject(new NameID(User.Identity.Name));
SubjectConfirmation subjectConfirmation = new SubjectConfirmation(SAMLIdentifiers.SubjectConfirmationMethods.Bearer);
SubjectConfirmationData subjectConfirmationData = new SubjectConfirmationData();
subjectConfirmationData.InResponseTo = authnRequest.ID;
subjectConfirmationData.Recipient = authnRequest.AssertionConsumerServiceURL;
subjectConfirmationData.NotBefore = samlAssertion.Conditions.NotBefore;
subjectConfirmationData.NotOnOrAfter = samlAssertion.Conditions.NotOnOrAfter;
subjectConfirmation.SubjectConfirmationData = subjectConfirmationData;
subject.SubjectConfirmations.Add(subjectConfirmation);
samlAssertion.Subject = subject;
AuthnStatement authnStatement = new AuthnStatement();
authnStatement.AuthnContext = new AuthnContext();
authnStatement.AuthnContext.AuthnContextClassRef = new AuthnContextClassRef(SAMLIdentifiers.AuthnContextClasses.Password);
samlAssertion.Statements.Add(authnStatement);
samlResponse.Assertions.Add(samlAssertion);
} else {
samlResponse.Status = new Status(SAMLIdentifiers.PrimaryStatusCodes.Responder, SAMLIdentifiers.SecondaryStatusCodes.AuthnFailed, "The user is not authenticated at the identity provider");
}
Trace.Write("IdP", "Created SAML response");
return samlResponse;
}
private Assertion CreateAssertion(User user, string receiver, string nameIdFormat)
{
Assertion assertion = new Assertion();
{ // Subject element
assertion.Subject = new Subject();
assertion.ID = "id" + Guid.NewGuid().ToString("N");
assertion.IssueInstant = DateTime.Now.AddMinutes(10);
assertion.Issuer = new NameID();
assertion.Issuer.Value = IDPConfig.ServerBaseUrl;
SubjectConfirmation subjectConfirmation = new SubjectConfirmation();
subjectConfirmation.Method = SubjectConfirmation.BEARER_METHOD;
subjectConfirmation.SubjectConfirmationData = new SubjectConfirmationData();
subjectConfirmation.SubjectConfirmationData.NotOnOrAfter = DateTime.Now.AddHours(1);
subjectConfirmation.SubjectConfirmationData.Recipient = receiver;
NameID nameId = new NameID();
nameId.Format = nameIdFormat;
if (nameIdFormat == Saml20Constants.NameIdentifierFormats.Transient)
{
nameId.Value = $"https://data.gov.dk/model/core/eid/{user.Profile}/uuid/" + Guid.NewGuid();
}
else
{
nameId.Value = $"https://data.gov.dk/model/core/eid/{user.Profile}/uuid/{user.uuid}";
}
assertion.Subject.Items = new object[] { nameId, subjectConfirmation };
}
{ // Conditions element
assertion.Conditions = new Conditions();
assertion.Conditions.Items = new List <ConditionAbstract>();
assertion.Conditions.NotOnOrAfter = DateTime.Now.AddHours(1);
AudienceRestriction audienceRestriction = new AudienceRestriction();
audienceRestriction.Audience = new List <string>();
audienceRestriction.Audience.Add(receiver);
assertion.Conditions.Items.Add(audienceRestriction);
}
List <StatementAbstract> statements = new List <StatementAbstract>(2);
{ // AuthnStatement element
AuthnStatement authnStatement = new AuthnStatement();
authnStatement.AuthnInstant = DateTime.Now;
authnStatement.SessionIndex = Convert.ToString(new Random().Next());
authnStatement.AuthnContext = new AuthnContext();
authnStatement.AuthnContext.Items =
new object[] { "urn:oasis:names:tc:SAML:2.0:ac:classes:X509" };
// Wow! Setting the AuthnContext is .... verbose.
authnStatement.AuthnContext.ItemsElementName =
new ItemsChoiceType5[] { ItemsChoiceType5.AuthnContextClassRef };
statements.Add(authnStatement);
}
{ // Generate attribute list.
AttributeStatement attributeStatement = new AttributeStatement();
List <SamlAttribute> attributes = new List <SamlAttribute>(user.Attributes.Count);
foreach (KeyValuePair <string, string> att in user.Attributes)
{
var existingAttribute = attributes.FirstOrDefault(x => x.Name == att.Key);
if (existingAttribute != null)
{
var attributesValues = new List <string>();
attributesValues.AddRange(existingAttribute.AttributeValue);
attributesValues.Add(att.Value);
existingAttribute.AttributeValue = attributesValues.ToArray();
}
else
{
SamlAttribute attribute = new SamlAttribute();
attribute.Name = att.Key;
attribute.AttributeValue = new string[] { att.Value };
attribute.NameFormat = SamlAttribute.NAMEFORMAT_URI;
attributes.Add(attribute);
}
}
attributeStatement.Items = attributes.ToArray();
statements.Add(attributeStatement);
}
assertion.Items = statements.ToArray();
return(assertion);
}
private static XmlElement CreateSamlResponse(string assertionConsumerServiceUrl, List <SAMLAttribute> attributes, string requestId = null, bool signAssertion = false, bool signResponse = false, bool encryptAssertion = false)
{
var samlResponse = new SAMLResponse {
Destination = assertionConsumerServiceUrl
};
var issuer = new Issuer(SAMLConfiguration.Current.IdentityProviderConfiguration.Name);
var issuerX509CertificateFilePath = Path.Combine(HttpRuntime.AppDomainAppPath, SAMLConfiguration.Current.IdentityProviderConfiguration.CertificateFile);
var issuerX509Certificate = new X509Certificate2(issuerX509CertificateFilePath, SAMLConfiguration.Current.IdentityProviderConfiguration.CertificatePassword);
var partner = SessionHelper.Get <string>(PartnerSpSessionKey) ?? SAMLConfiguration.Current.ServiceProviderConfiguration.Name;
var partnerConfig = SAMLConfiguration.Current.PartnerServiceProviderConfigurations[partner];
var partnerX509CertificateFilePath = string.Empty;
var partnerX509Certificate = null as X509Certificate2;
if (partnerConfig != null)
{
partnerX509CertificateFilePath = Path.Combine(HttpRuntime.AppDomainAppPath, partnerConfig.CertificateFile);
partnerX509Certificate = new X509Certificate2(partnerX509CertificateFilePath);
signAssertion = partnerConfig.SignAssertion;
signResponse = partnerConfig.SignSAMLResponse;
encryptAssertion = partnerConfig.EncryptAssertion;
}
samlResponse.Issuer = issuer;
samlResponse.Status = new Status(SAMLIdentifiers.PrimaryStatusCodes.Success, null);
samlResponse.IssueInstant = DateTime.Now;
samlResponse.InResponseTo = requestId;
var samlAssertion = new SAMLAssertion {
Issuer = issuer, IssueInstant = samlResponse.IssueInstant
};
var profileId = attributes.Where(a => a.Name == PortalClaimTypes.ProfileId).Select(a => a.Values[0].ToString()).FirstOrDefault();
var subject = new Subject(new NameID(profileId));
var subjectConfirmation = new SubjectConfirmation(SAMLIdentifiers.SubjectConfirmationMethods.Bearer);
var subjectConfirmationData = new SubjectConfirmationData {
Recipient = assertionConsumerServiceUrl
};
subjectConfirmation.SubjectConfirmationData = subjectConfirmationData;
subject.SubjectConfirmations.Add(subjectConfirmation);
samlAssertion.Subject = subject;
var conditions = new Conditions(DateTime.Now, DateTime.Now.AddDays(1));
var audienceRestriction = new AudienceRestriction();
audienceRestriction.Audiences.Add(new Audience(partner));
conditions.ConditionsList.Add(audienceRestriction);
samlAssertion.Conditions = conditions;
var authnStatement = new AuthnStatement {
AuthnContext = new AuthnContext(), AuthnInstant = samlResponse.IssueInstant
};
authnStatement.AuthnContext.AuthnContextClassRef = new AuthnContextClassRef(SAMLIdentifiers.AuthnContextClasses.X509);
samlAssertion.Statements.Add(authnStatement);
attributes.ForEach(a =>
{
var attributeStatement = new AttributeStatement();
attributeStatement.Attributes.Add(a);
samlAssertion.Statements.Add(attributeStatement);
});
var samlAssertionXml = samlAssertion.ToXml();
if (signAssertion)
{
SAMLAssertionSignature.Generate(samlAssertionXml, issuerX509Certificate.PrivateKey, issuerX509Certificate);
}
if (encryptAssertion)
{
var encryptedAssertion = new EncryptedAssertion(samlAssertionXml, partnerX509Certificate);
samlResponse.Assertions.Add(encryptedAssertion.ToXml());
}
else
{
samlResponse.Assertions.Add(samlAssertionXml);
}
var samlResponseXml = samlResponse.ToXml();
if (signResponse)
{
SAMLMessageSignature.Generate(samlResponseXml, issuerX509Certificate.PrivateKey, issuerX509Certificate);
}
return(samlResponseXml);
}
/// <summary>
/// Handles the Click event of the submitButton control.
/// </summary>
/// <param name="sender">The source of the event.</param>
/// <param name="e">The <see cref="System.EventArgs"/> instance containing the event data.</param>
private void submitButton_Click(object sender, EventArgs e)
{
Transmittal transmittal = null;
string employeeID = this._EmployeeID.Text;
if (!string.IsNullOrEmpty(this._XMLText.Text))
{
try
{
transmittal = (Transmittal)SerializationHelper.DeserializeFromString(this._XMLText.Text, typeof(Transmittal));
}
catch (Exception exception)
{
this._XMLText.Text = exception.Message;
Exception inner = exception.InnerException;
while (inner != null)
{
this._XMLText.Text += "\n" + inner.Message;
inner = inner.InnerException;
}
this._XMLText.Text = PrepareSourceCode(this._XMLText.Text);
}
}
if (!string.IsNullOrEmpty(employeeID) && transmittal != null && transmittal.Applicants != null && transmittal.Applicants.Count > 0)
{
transmittal.Applicants[0].EmployeeIdent = employeeID;
}
Session["Transmittal"] = transmittal;
//Creating SAML responce
X509Certificate2 vendorCertificate = GetVendorCertificate();
X509Certificate2 selerixCertificate = GetSelerixCertificate();
string assertionConsumerServiceURL = "SamlResponse.aspx";
string audienceName = "whatever audience";
SAMLResponse samlResponse = new SAMLResponse();
samlResponse.Destination = assertionConsumerServiceURL;
Issuer issuer = new Issuer("Vendor");
samlResponse.Issuer = issuer;
samlResponse.Status = new Status(SAMLIdentifiers.PrimaryStatusCodes.Success, null);
SAMLAssertion samlAssertion = new SAMLAssertion();
samlAssertion.Issuer = issuer;
Subject subject = null;
// subject = new Subject(new EncryptedID(new NameID(employeeID), selerixCertificate, new EncryptionMethod(EncryptedXml.XmlEncTripleDESUrl))); //employee ID
subject = new Subject(new NameID(employeeID)); //employee ID
SubjectConfirmation subjectConfirmation = new SubjectConfirmation(SAMLIdentifiers.SubjectConfirmationMethods.Bearer);
SubjectConfirmationData subjectConfirmationData = new SubjectConfirmationData();
subjectConfirmationData.Recipient = assertionConsumerServiceURL;
subjectConfirmationData.NotOnOrAfter = DateTime.UtcNow.AddHours(1);
subjectConfirmation.SubjectConfirmationData = subjectConfirmationData;
subject.SubjectConfirmations.Add(subjectConfirmation);
samlAssertion.Subject = subject;
Conditions conditions = new Conditions(new TimeSpan(1, 0, 0));
AudienceRestriction audienceRestriction = new AudienceRestriction();
audienceRestriction.Audiences.Add(new Audience(audienceName));
conditions.ConditionsList.Add(audienceRestriction);
samlAssertion.Conditions = conditions;
AuthnStatement authnStatement = new AuthnStatement();
authnStatement.AuthnContext = new AuthnContext();
authnStatement.AuthnContext.AuthnContextClassRef = new AuthnContextClassRef(SAMLIdentifiers.AuthnContextClasses.Unspecified);
samlAssertion.Statements.Add(authnStatement);
AttributeStatement attributeStatement = new AttributeStatement();
if (transmittal != null)
{
attributeStatement.Attributes.Add(new SAMLAttribute("Transmittal", SAMLIdentifiers.AttributeNameFormats.Basic, null, SerializationHelper.SerializeToString(transmittal)));
if (transmittal.Applicants != null && transmittal.Applicants.Count > 0)
{
transmittal.Applicants[0].EmployeeIdent = employeeID;
}
}
//Check for Transmittal Options
for (int i = 0; i < _TransmittalOptionsList.Items.Count; i++)
{
string answer = "no";
if (_TransmittalOptionsList.Items[i].Selected)
{
answer = "yes";
}
if (_TransmittalOptionsList.Items[i].Value == "HeaderAndFooter")
{
attributeStatement.Attributes.Add(new SAMLAttribute("HeaderAndFooter", SAMLIdentifiers.AttributeNameFormats.Basic, null, answer));
}
else if (_TransmittalOptionsList.Items[i].Value == "Sidebar")
{
attributeStatement.Attributes.Add(new SAMLAttribute("Sidebar", SAMLIdentifiers.AttributeNameFormats.Basic, null, answer));
}
else if (_TransmittalOptionsList.Items[i].Value == "PersonalInfo")
{
attributeStatement.Attributes.Add(new SAMLAttribute("PersonalInfo", SAMLIdentifiers.AttributeNameFormats.Basic, null, answer));
}
else if (_TransmittalOptionsList.Items[i].Value == "Welcome")
{
attributeStatement.Attributes.Add(new SAMLAttribute("Welcome", SAMLIdentifiers.AttributeNameFormats.Basic, null, answer));
}
else if (_TransmittalOptionsList.Items[i].Value == "Review")
{
attributeStatement.Attributes.Add(new SAMLAttribute("Review", SAMLIdentifiers.AttributeNameFormats.Basic, null, answer));
}
}
samlAssertion.Statements.Add(attributeStatement);
// EncryptedAssertion encryptedAssertion = new EncryptedAssertion(samlAssertion, selerixCertificate, new EncryptionMethod(EncryptedXml.XmlEncTripleDESUrl));
// samlResponse.Assertions.Add(encryptedAssertion);
samlResponse.Assertions.Add(samlAssertion);
//Created SAML response
//Sending SAML response
// Serialize the SAML response for transmission.
XmlElement samlResponseXml = samlResponse.ToXml();
// Sign the SAML response.
SAMLMessageSignature.Generate(samlResponseXml, vendorCertificate.PrivateKey, vendorCertificate);
HttpContext.Current.Response.AddHeader("Cache-Control", "no-cache");
HttpContext.Current.Response.AddHeader("Pragma", "no-cache");
IdentityProvider.SendSAMLResponseByHTTPPost(HttpContext.Current.Response, assertionConsumerServiceURL, samlResponseXml, "");// for test purposes
}
