// ReSharper disable once InconsistentNaming
        public ActionResult SAWPost(string returnUrl)
        {
            using (var sawSamlResponse = new SawSamlResponse(CertificateHelpers.GetX509Certificate2FromUri(FirmaWebConfiguration.SAWEndPoint)))
            {
                try
                {
                    // SAML providers usually POST the data into this var
                    var base64SawSamlResponse = Request.Form["SAMLResponse"];
                    Logger.Debug($"SAML Debugging - SAWPost Received Base64 Encoded Form Variable SAMLResponse: {base64SawSamlResponse}");

                    sawSamlResponse.LoadXmlFromBase64(base64SawSamlResponse);
                    if (sawSamlResponse.IsValid(userDisplayableValidationErrorMessage: out var userDisplayableValidationErrorMessage))
                    {
                        var firstName        = sawSamlResponse.GetFirstName();
                        var lastName         = sawSamlResponse.GetLastName();
                        var email            = sawSamlResponse.GetEmail();
                        var roleGroups       = sawSamlResponse.GetRoleGroups();
                        var sawAuthenticator = sawSamlResponse.GetWhichSawAuthenticator();
                        ProcessLogin(firstName, lastName, email, roleGroups, sawAuthenticator);
                    }
                    else
                    {
                        SitkaHttpApplication.Logger.Error($"Processing SAW login, SAML Response invalid. Validation error: {userDisplayableValidationErrorMessage}, SAW SAML XML:\r\n{sawSamlResponse.GetSamlAsPrettyPrintXml()}");
                        SetErrorForDisplay($"There was a SAW validation problem while trying to log into your account. {userDisplayableValidationErrorMessage} Please try again in a few minutes. If this issue keeps happening, please contact support: <a href=\"mailto:{FirmaWebConfiguration.SitkaSupportEmail}\">{FirmaWebConfiguration.SitkaSupportEmail}</a>");
                    }
                    return(new RedirectResult(HomeUrl));
                }
Beispiel #2
0
        public void TestSawSamlResponseDateValidity()
        {
            var samlXml = @"
<samlp:Response xmlns:saml=""urn:oasis:names:tc:SAML:2.0:assertion"" xmlns:samlp=""urn:oasis:names:tc:SAML:2.0:protocol"" xmlns:xs=""http://www.w3.org/2001/XMLSchema"" xmlns:xsi=""http://www.w3.org/2001/XMLSchema-instance"" Destination=""https://wadnrforesthealth.qa.projectfirma.com/Account/SAWPost"" ID=""FIMRSP_d38b3f33-0175-192a-8f59-a9b3208be3fe"" IssueInstant=""2020-11-17T00:11:59Z"" Version=""2.0"">
  <saml:Issuer Format=""urn:oasis:names:tc:SAML:2.0:nameid-format:entity"">https://test-secureaccess.wa.gov/FIM2/sps/sawidp/saml20</saml:Issuer>
  <samlp:Status>
    <samlp:StatusCode Value=""urn:oasis:names:tc:SAML:2.0:status:Success"">
    </samlp:StatusCode>
  </samlp:Status>
  <saml:Assertion ID=""Assertion-uuidd38b3f13-0175-16c6-b3b5-a9b3208be3fe"" IssueInstant=""2020-11-17T00:11:59Z"" Version=""2.0"">
    <saml:Issuer Format=""urn:oasis:names:tc:SAML:2.0:nameid-format:entity"">https://test-secureaccess.wa.gov/FIM2/sps/sawidp/saml20</saml:Issuer>
    <ds:Signature xmlns:ds=""http://www.w3.org/2000/09/xmldsig#"" Id=""uuidd38b3f18-0175-1072-a058-a9b3208be3fe"">
      <ds:SignedInfo>
        <ds:CanonicalizationMethod Algorithm=""http://www.w3.org/2001/10/xml-exc-c14n#"">
        </ds:CanonicalizationMethod>
        <ds:SignatureMethod Algorithm=""http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"">
        </ds:SignatureMethod>
        <ds:Reference URI=""#Assertion-uuidd38b3f13-0175-16c6-b3b5-a9b3208be3fe"">
          <ds:Transforms>
            <ds:Transform Algorithm=""http://www.w3.org/2000/09/xmldsig#enveloped-signature"">
            </ds:Transform>
            <ds:Transform Algorithm=""http://www.w3.org/2001/10/xml-exc-c14n#"">
              <xc14n:InclusiveNamespaces xmlns:xc14n=""http://www.w3.org/2001/10/xml-exc-c14n#"" PrefixList=""xs saml xsi"">
              </xc14n:InclusiveNamespaces>
            </ds:Transform>
          </ds:Transforms>
          <ds:DigestMethod Algorithm=""http://www.w3.org/2001/04/xmlenc#sha256"">
          </ds:DigestMethod>
          <ds:DigestValue>4JDoIy8WFOLjFGGNcJB/fUTA9rLVU8RtCMx9VJZzXU0=</ds:DigestValue>
        </ds:Reference>
      </ds:SignedInfo>
      <ds:SignatureValue>RUkq+y/ccsfJVrlvTZuoSirJktnSUhiK7NYeJ/oO8kScR7E8ZcVViSlvjbSYZOTc5dlDbCqdNlDpEu/s/FGjBcGHSLnBrbdJid/8aJhdn2h05l/2vGrbhKnP3X3b7PHwMGC2HCARr0w9VxT/yoXwfoYi9caaJ2UhrEfZNQ4QBHAv3uYHumvEEmkMepW+RfRCGVmn84Hx0DyAN98Q8E2e9+r+UT2Tsv0jIpCocFXiVl4hvSCdLZE88hr8HSJWryvgh4DCdi4bsxWusXjPA1VeULwslH7EPWBWOLMt+vejE3Q7s3TiEwDF0eFoqYOQXsTiCIfu/ZjYzfY5RR20aBUehg==</ds:SignatureValue>
      <ds:KeyInfo>
        <ds:X509Data>
          <ds:X509Certificate>MIIGzjCCBbagAwIBAgIRANppqRydHQpiAAAAAFEEi1wwDQYJKoZIhvcNAQELBQAwgboxCzAJBgNVBAYTAlVTMRYwFAYDVQQKEw1FbnRydXN0LCBJbmMuMSgwJgYDVQQLEx9TZWUgd3d3LmVudHJ1c3QubmV0L2xlZ2FsLXRlcm1zMTkwNwYDVQQLEzAoYykgMjAxMiBFbnRydXN0LCBJbmMuIC0gZm9yIGF1dGhvcml6ZWQgdXNlIG9ubHkxLjAsBgNVBAMTJUVudHJ1c3QgQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkgLSBMMUswHhcNMjAwNTE1MjAyMDExWhcNMjEwNjE1MjA1MDEwWjB1MQswCQYDVQQGEwJVUzETMBEGA1UECBMKV2FzaGluZ3RvbjEQMA4GA1UEBxMHT2x5bXBpYTEcMBoGA1UEChMTU3RhdGUgb2YgV2FzaGluZ3RvbjEhMB8GA1UEAxMYdGVzdC1zZWN1cmVhY2Nlc3Mud2EuZ292MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAhHAT/51sNgiyQlnbo688AD7xm0ETWFQWq2Xo1yCF6CQWTtQnoWmEUqIFsXuKzcBP87eZVSJdugpcpAo0CTgKwS4LkGJ0Wxvs1yufa2GCqGsK1NVWArv/fDTJNskZCeOxUWM9qHg/v9ltr1uNlWYvyqv3n1xObacrirUsBM7x/8/yg/5ge+rmRlS/8xxiEWT1aJCvdTtSIf6D/IHsvAq9zS4CRk8JTTgP9bv+bkqP40/nml+p+XxKhrDnx//3rDOxk/w+2y/oww5v5tyiDiCdygnuoRqGglP1q86+6XxzUeq/q3juCcgO5DvNDjbVSnOmqnvhENLAFHLRiOglY9zx1wIDAQABo4IDETCCAw0wIwYDVR0RBBwwGoIYdGVzdC1zZWN1cmVhY2Nlc3Mud2EuZ292MIIBfgYKKwYBBAHWeQIEAgSCAW4EggFqAWgAdgBVgdTCFpA2AUrqC5tXPFPwwOQ4eHAlCBcvo6odBxPTDAAAAXIaGgVSAAAEAwBHMEUCIHSGURb7+W6aVQKfNjChAe3fG/E8hr5DsWqhfrriqIK8AiEAmABVgqvYclpWtLEpHgJcWIotAudZORppP7caH0fCvjIAdgBWFAaaL9fC7NP14b1Esj7HRna5vJkRXMDvlJhV1onQ3QAAAXIaGgVxAAAEAwBHMEUCIQCP07yFr1c9+2rWIiEoHrKm4scoK/ID9Z44w0ZctyjwXgIgLnRSbXA9o9VvPejUmxci4ByTf3OXh8Ww3aj338qHRF0AdgB9PvL4j/+IVWgkwsDKnlKJeSvFDngJfy5ql2iZfiLw1wAAAXIaGgWQAAAEAwBHMEUCIHQ4WjlZWbAAJZl1awfHih8H7vu04o4xt17aUvEoF61SAiEA48/P6Ej2f9ceE3394h6O9S4mu1ar7+dWEAJMzQjUbMEwDgYDVR0PAQH/BAQDAgWgMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjAzBgNVHR8ELDAqMCigJqAkhiJodHRwOi8vY3JsLmVudHJ1c3QubmV0L2xldmVsMWsuY3JsMEsGA1UdIAREMEIwNgYKYIZIAYb6bAoBBTAoMCYGCCsGAQUFBwIBFhpodHRwOi8vd3d3LmVudHJ1c3QubmV0L3JwYTAIBgZngQwBAgIwaAYIKwYBBQUHAQEEXDBaMCMGCCsGAQUFBzABhhdodHRwOi8vb2NzcC5lbnRydXN0Lm5ldDAzBggrBgEFBQcwAoYnaHR0cDovL2FpYS5lbnRydXN0Lm5ldC9sMWstY2hhaW4yNTYuY2VyMB8GA1UdIwQYMBaAFIKicHTdvFM/z3vU981/p2DGCky/MB0GA1UdDgQWBBQz02paHjOMwByIcMH/BQQw7YufrjAJBgNVHRMEAjAAMA0GCSqGSIb3DQEBCwUAA4IBAQB6ZBRCOb36s/VyW3zYY7d2PtAxn+HFlNf+0vBP3Ux6F2pGkPs4xEeMJtchimOYxGhM++nEGAeZOww9Ai533Jo0dGZDKei+bCjkzalO3Z0D3xFqPAR7F9SmuIGVLD5ofgrtENYZzx6+CtHeqjGNC9/Y6xebTyCVLnkbbfe+q/tVrutqit1JsG+RxwVQdHmAUJcBYTNQGwFh1EZA+bDWw5bWOWxIFUPTbibQc3DxSxGqUAU+NUPw7E+fS7/F6JbV/81M2zA3RO3tODluUp+mFj4AzZbGLVzgb1ZdgKG5TGSAt0ih1rwVsidUrFUxFMir7ZClFnE4MtiVsMWCr/uGrVQa</ds:X509Certificate>
        </ds:X509Data>
      </ds:KeyInfo>
    </ds:Signature>
    <saml:Subject>
      <saml:NameID Format=""urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"">DP4VD4ZP8QQ6L-1PF0ZV2FF4-D1LW4VZ0FD-DW9QW8ZL9Q</saml:NameID>
      <saml:SubjectConfirmation Method=""urn:oasis:names:tc:SAML:2.0:cm:bearer"">
        <saml:SubjectConfirmationData NotOnOrAfter=""2020-11-17T00:12:59Z"" Recipient=""https://wadnrforesthealth.qa.projectfirma.com/Account/SAWPost"">
        </saml:SubjectConfirmationData>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions NotBefore=""2020-11-17T00:10:59Z"" NotOnOrAfter=""2020-11-17T00:12:59Z"">
      <saml:AudienceRestriction>
        <saml:Audience>https://wadnrforesthealth.qa.projectfirma.com</saml:Audience>
      </saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AuthnStatement AuthnInstant=""2020-11-17T00:11:59Z"" SessionIndex=""uuidd35793e5-0175-1dc9-afb8-a9b3208be3fe"" SessionNotOnOrAfter=""2020-11-17T01:11:59Z"">
      <saml:AuthnContext>
        <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</saml:AuthnContextClassRef>
      </saml:AuthnContext>
    </saml:AuthnStatement>
    <saml:AttributeStatement>
      <saml:Attribute Name=""level"" NameFormat=""urn:oasis:names:tc:SAML:2.0:assertion"">
        <saml:AttributeValue xsi:type=""xs:string"">1</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute Name=""groups"" NameFormat=""urn:oasis:names:tc:SAML:2.0:assertion"">
        <saml:AttributeValue xsi:type=""xs:string"">f3_users</saml:AttributeValue>
        <saml:AttributeValue xsi:type=""xs:string"">DNR-ForestHealthTrackerQA-USER-REG</saml:AttributeValue>
        <saml:AttributeValue xsi:type=""xs:string"">DNR-ForestHealthTrackerQA-DEFAULT_UMG-USER-REG</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute Name=""guid"" NameFormat=""urn:oasis:names:tc:SAML:2.0:assertion"">
        <saml:AttributeValue xsi:type=""xs:string"">DP4VD4ZP8QQ6L-1PF0ZV2FF4-D1LW4VZ0FD-DW9QW8ZL9Q</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute Name=""user"" NameFormat=""urn:oasis:names:tc:SAML:2.0:assertion"">
        <saml:AttributeValue xsi:type=""xs:string"">[email protected]</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute Name=""name"" NameFormat=""urn:oasis:names:tc:SAML:2.0:assertion"">
        <saml:AttributeValue xsi:type=""xs:string"">Michael Ferrante</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute Name=""email"" NameFormat=""urn:oasis:names:tc:SAML:2.0:assertion"">
        <saml:AttributeValue xsi:type=""xs:string"">[email protected]</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>
";

            using (var sawSamlResponse = new SawSamlResponse(CertificateHelpers.GetX509Certificate2FromUri(FirmaWebConfiguration.SAWEndPoint)))
            {
                sawSamlResponse.LoadXmlFromString(samlXml);
                Console.Write(DateTimeOffset.Now);
                //  NotOnOrAfter=""2020-11-17T00:12:59Z""
                var now = DateTimeOffset.Parse("11/16/2020 4:11:59 PM -08:00");
                var isResponseStillWithinValidTimePeriod = sawSamlResponse.IsResponseStillWithinValidTimePeriod(now);
                Assert.That(sawSamlResponse.IsResponseStillWithinValidTimePeriod(now), Is.True, "Should be valid date");
                Assert.That(sawSamlResponse.IsResponseStillWithinValidTimePeriod(now.AddMinutes(5)), Is.False, "Should be invalid date too old");
            }
        }