// Receive the SAML response from the identity provider.
private void ReceiveSAMLResponse(out SAMLResponse samlResponse, out string relayState)
{
// Receive the SAML response over the specified binding.
XmlElement samlResponseXml = null;
ServiceProvider.ReceiveSAMLResponseByHTTPPost(Request, out samlResponseXml, out relayState);
Session["SAML_XML"] = samlResponseXml.OuterXml;
// Verify the response's signature.
if (SAMLMessageSignature.IsSigned(samlResponseXml))
{
//Verifying response signature
X509Certificate2 x509Certificate = GetVendorCertificate();
if (!SAMLMessageSignature.Verify(samlResponseXml, x509Certificate))
{
throw new ArgumentException("The SAML response signature failed to verify.");
}
}
// Deserialize the XML.
samlResponse = new SAMLResponse(samlResponseXml);
}
// Receive the SAML response from the identity provider.
private void ReceiveSAMLResponse(out SAMLResponse samlResponse, out string relayState)
{
Trace.Write("SP", "Receiving SAML response");
// Receive the SAML response.
XmlElement samlResponseXml = null;
ServiceProvider.ReceiveSAMLResponseByHTTPPost(Request, out samlResponseXml, out relayState);
// Verify the response's signature.
if (SAMLMessageSignature.IsSigned(samlResponseXml))
{
Trace.Write("SP", "Verifying response signature");
X509Certificate2 x509Certificate = (X509Certificate2)Application[Global.IdPX509Certificate];
if (!SAMLMessageSignature.Verify(samlResponseXml, x509Certificate))
{
throw new ArgumentException("The SAML response signature failed to verify.");
}
}
// Deserialize the XML.
samlResponse = new SAMLResponse(samlResponseXml);
Trace.Write("SP", "Received SAML response");
}
private static void VerifyMessage(XmlElement xmlElement)
{
Console.Error.WriteLine("Verifying SAML message");
try
{
if (SAMLMessageSignature.IsSigned(xmlElement))
{
bool verified = SAMLMessageSignature.Verify(xmlElement, x509Certificate);
Console.Error.WriteLine("Verified: " + verified);
}
else
{
Console.Error.WriteLine("The SAML message isn't signed");
}
}
catch (Exception exception)
{
Console.Error.WriteLine(exception.ToString());
}
foreach (XmlElement assertionElement in SAMLAssertion.Find(xmlElement))
{
VerifyAssertion(assertionElement);
}
}
// Receive the SAML response from the identity provider.
private void ReceiveSAMLResponse(out SAMLResponse samlResponse, out string relayState)
{
// Rather than separate endpoints per binding, we have a single endpoint and use a query string
// parameter to determine the identity provider to service provider binding type.
string bindingType = Request.QueryString[bindingQueryParameter];
Trace.Write("SP", "Receiving SAML response over binding " + bindingType);
// Receive the SAML response over the specified binding.
XmlElement samlResponseXml = null;
switch (bindingType)
{
case BindingTypes.Post:
ServiceProvider.ReceiveSAMLResponseByHTTPPost(Request, out samlResponseXml, out relayState);
break;
case BindingTypes.Artifact:
// Receive the artifact.
HTTPArtifact httpArtifact = null;
ServiceProvider.ReceiveArtifactByHTTPArtifact(Request, false, out httpArtifact, out relayState);
// Create an artifact resolve request.
ArtifactResolve artifactResolve = new ArtifactResolve();
artifactResolve.Issuer = new Issuer(CreateAbsoluteURL("~/"));
artifactResolve.Artifact = new Artifact(httpArtifact.ToString());
XmlElement artifactResolveXml = artifactResolve.ToXml();
// Send the artifact resolve request and receive the artifact response.
XmlElement artifactResponseXml = ArtifactResolver.SendRequestReceiveResponse(Configuration.ArtifactResolutionServiceURL, artifactResolveXml);
ArtifactResponse artifactResponse = new ArtifactResponse(artifactResponseXml);
// Extract the authentication request from the artifact response.
samlResponseXml = artifactResponse.SAMLMessage;
break;
default:
throw new ArgumentException("Unknown binding type");
}
// Verify the response's signature.
if (SAMLMessageSignature.IsSigned(samlResponseXml))
{
Trace.Write("SP", "Verifying response signature");
X509Certificate2 x509Certificate = (X509Certificate2)Application[Global.IdPX509Certificate];
if (!SAMLMessageSignature.Verify(samlResponseXml, x509Certificate))
{
throw new ArgumentException("The SAML response signature failed to verify.");
}
}
// Deserialize the XML.
samlResponse = new SAMLResponse(samlResponseXml);
Trace.Write("SP", "Received SAML response");
}
// Receive the SAML response from the identity provider.
private void ReceiveSAMLResponse(ref SAMLResponse samlResponse, ref string relayState)
{
Trace.Write("SP", "Receiving SAML response");
// Determine the identity provider to service provider binding type.
// We use a query string parameter rather than having separate endpoints per binding.
string bindingType = Request.QueryString[bindingQueryParameter];
// Receive the SAML response over the specified binding.
XmlElement samlResponseXml = null;
switch (bindingType)
{
case SAMLIdentifiers.BindingURIs.HTTPPost:
ServiceProvider.ReceiveSAMLResponseByHTTPPost(Request, out samlResponseXml, out relayState);
break;
case SAMLIdentifiers.BindingURIs.HTTPArtifact:
// Receive the artifact.
HTTPArtifact httpArtifact = null;
ServiceProvider.ReceiveArtifactByHTTPArtifact(Request, false, out httpArtifact, out relayState);
// Create an artifact resolve request.
ArtifactResolve artifactResolve = new ArtifactResolve();
artifactResolve.Issuer = new Issuer(CreateAbsoluteURL("~/"));
artifactResolve.Artifact = new Artifact(httpArtifact.ToString());
XmlElement artifactResolveXml = artifactResolve.ToXml();
// Send the artifact resolve request and receive the artifact response.
string spArtifactResponderURL = WebConfigurationManager.AppSettings["idpArtifactResponderURL"];
XmlElement artifactResponseXml = ArtifactResolver.SendRequestReceiveResponse(spArtifactResponderURL, artifactResolveXml);
ArtifactResponse artifactResponse = new ArtifactResponse(artifactResponseXml);
// Extract the SAML response from the artifact response.
samlResponseXml = artifactResponse.SAMLMessage;
break;
default:
Trace.Write("SP", "Invalid identity provider to service provider binding");
return;
}
// Verify the response's signature.
X509Certificate2 x509Certificate = (X509Certificate2)Application[Global.IdPX509Certificate];
if (!SAMLMessageSignature.Verify(samlResponseXml, x509Certificate))
{
throw new ArgumentException("The SAML response signature failed to verify.");
}
// Deserialize the XML.
samlResponse = new SAMLResponse(samlResponseXml);
Trace.Write("SP", "Received SAML response");
}
// Receive the authentication request and relay state.
private void ReceiveAuthnRequest(out AuthnRequest authnRequest, out string relayState)
{
Trace.Write("IdP", "Receiving authentication request over binding");
XmlElement authnRequestXml = null;
bool signed = false;
IdentityProvider.ReceiveAuthnRequestByHTTPRedirect(Request, out authnRequestXml, out relayState, out signed, null);
if (SAMLMessageSignature.IsSigned(authnRequestXml))
{
Trace.Write("IdP", "Verifying request signature");
if (!SAMLMessageSignature.Verify(authnRequestXml))
{
throw new ArgumentException("The authentication request signature failed to verify.");
}
}
authnRequest = new AuthnRequest(authnRequestXml);
Trace.Write("IdP", "Received authentication request");
}
// Receive the authentication request and relay state.
private void ReceiveAuthnRequest(out AuthnRequest authnRequest, out string relayState)
{
// Rather than separate endpoints per binding, we have a single endpoint and use a query string
// parameter to determine the service provider to identity provider binding type.
string bindingType = Request.QueryString[bindingQueryParameter];
Trace.Write("IdP", "Receiving authentication request over binding " + bindingType);
X509Certificate2 x509Certificate = (X509Certificate2)Application[Global.SPX509Certificate];
XmlElement authnRequestXml = null;
switch (bindingType)
{
case BindingTypes.Redirect:
bool signed = false;
IdentityProvider.ReceiveAuthnRequestByHTTPRedirect(Request, out authnRequestXml, out relayState, out signed, x509Certificate.PublicKey.Key);
break;
case BindingTypes.Post:
IdentityProvider.ReceiveAuthnRequestByHTTPPost(Request, out authnRequestXml, out relayState);
break;
case BindingTypes.Artifact:
// Receive the artifact.
HTTPArtifact httpArtifact = null;
IdentityProvider.ReceiveArtifactByHTTPArtifact(Request, false, out httpArtifact, out relayState);
// Create an artifact resolve request.
ArtifactResolve artifactResolve = new ArtifactResolve();
artifactResolve.Issuer = new Issuer(CreateAbsoluteURL("~/"));
artifactResolve.Artifact = new Artifact(httpArtifact.ToString());
XmlElement artifactResolveXml = artifactResolve.ToXml();
// Send the artifact resolve request and receive the artifact response.
XmlElement artifactResponseXml = ArtifactResolver.SendRequestReceiveResponse(Configuration.ArtifactResolutionServiceURL, artifactResolveXml);
ArtifactResponse artifactResponse = new ArtifactResponse(artifactResponseXml);
// Extract the authentication request from the artifact response.
authnRequestXml = artifactResponse.SAMLMessage;
break;
default:
throw new ArgumentException("Invalid binding type");
}
if (SAMLMessageSignature.IsSigned(authnRequestXml))
{
Trace.Write("IdP", "Verifying request signature");
if (!SAMLMessageSignature.Verify(authnRequestXml, x509Certificate))
{
throw new ArgumentException("The authentication request signature failed to verify.");
}
}
authnRequest = new AuthnRequest(authnRequestXml);
Trace.Write("IdP", "Received authentication request");
}
public override bool VerifySignature()
{
return(IsSigned && SAMLMessageSignature.Verify(ResponseElement));
}
public ActionResult UploadSaml(FormCollection formCollection)
{
var attributes = new List <SAMLAttribute>();
var errorMessages = new List <string>();
var xmlDoc = null as XmlDocument;
SessionHelper.Set(SamlAttributesSessionKey, null);
SessionHelper.Set(SamlErrorMessagesSessionKey, null);
if (Request != null)
{
var file = Request.Files["SamlFile"];
if ((file != null) && (file.ContentLength > 0) && !string.IsNullOrEmpty(file.FileName))
{
try
{
xmlDoc = new XmlDocument();
xmlDoc.Load(file.InputStream);
var samlValidator = new SAMLValidator();
var isValid = samlValidator.Validate(xmlDoc);
if (!isValid)
{
errorMessages.AddRange(samlValidator.Warnings.Select(warning => string.Format("Warning:, {0}", warning.Message)));
errorMessages.AddRange(samlValidator.Errors.Select(error => error.Message));
}
if (SAMLMessageSignature.IsSigned(xmlDoc.DocumentElement))
{
if (!SAMLMessageSignature.Verify(xmlDoc.DocumentElement))
{
errorMessages.Add(string.Format("Failed to verify SAML response signature. [{0}]", xmlDoc.OuterXml));
}
}
var samlResponse = new SAMLResponse(xmlDoc.DocumentElement);
var assertions = samlResponse.GetAssertions();
var encryptedAssertions = samlResponse.GetEncryptedAssertions();
var signedAssertions = samlResponse.GetSignedAssertions();
var x509CertificateFilePath = Path.Combine(HttpRuntime.AppDomainAppPath, SAMLConfiguration.Current.ServiceProviderConfiguration.CertificateFile);
var x509Certificate = new X509Certificate2(x509CertificateFilePath, SAMLConfiguration.Current.ServiceProviderConfiguration.CertificatePassword);
encryptedAssertions.ForEach(a =>
{
var decryptedAssertion = a.DecryptToXml(x509Certificate);
assertions.Add(new SAMLAssertion(decryptedAssertion));
});
signedAssertions.ForEach(a =>
{
if (SAMLAssertionSignature.IsSigned(a))
{
if (!SAMLAssertionSignature.Verify(a))
{
errorMessages.Add(string.Format("Failed to verify SAML assertion signature. [{0}]", a.OuterXml));
}
}
assertions.Add(new SAMLAssertion(a));
});
assertions.ForEach(a =>
{
var nameId = a.GetNameID();
if (!string.IsNullOrEmpty(nameId))
{
attributes.Add("NameId", nameId);
}
a.GetAttributeStatements().ForEach(
s => attributes.AddRange(from object attribute in s.Attributes
select attribute as SAMLAttribute));
});
}
catch (Exception ex)
{
var saml = xmlDoc != null ? xmlDoc.OuterXml : string.Empty;
_logger.Log(ex);
errorMessages.Add(string.Format("{0} [{1}]", ex.Message, saml));
}
}
}
SessionHelper.Set(SamlAttributesSessionKey, attributes.ToArray());
SessionHelper.Set(SamlErrorMessagesSessionKey, errorMessages);
return(Redirect(TestTargetUrl));
}
// Receive the authentication request from the service provider.
private void ReceiveAuthnRequest(out AuthnRequest authnRequest, out string relayState)
{
// Determine the service provider to identity provider binding type.
// We use a query string parameter rather than having separate endpoints per binding.
string bindingType = Request.QueryString[bindingQueryParameter];
Trace.Write("IdP", "Receiving authentication request over binding " + bindingType);
// Receive the authentication request.
XmlElement authnRequestXml = null;
switch (bindingType)
{
case SAMLIdentifiers.BindingURIs.HTTPRedirect:
bool signed = false;
X509Certificate2 x509Certificate = (X509Certificate2)Application[Global.SPX509Certificate];
IdentityProvider.ReceiveAuthnRequestByHTTPRedirect(Request, out authnRequestXml, out relayState, out signed, x509Certificate.PublicKey.Key);
break;
case SAMLIdentifiers.BindingURIs.HTTPPost:
IdentityProvider.ReceiveAuthnRequestByHTTPPost(Request, out authnRequestXml, out relayState);
break;
case SAMLIdentifiers.BindingURIs.HTTPArtifact:
// Receive the artifact.
HTTPArtifact httpArtifact = null;
IdentityProvider.ReceiveArtifactByHTTPArtifact(Request, false, out httpArtifact, out relayState);
// Create an artifact resolve request.
ArtifactResolve artifactResolve = new ArtifactResolve();
artifactResolve.Issuer = new Issuer(CreateAbsoluteURL("~/"));
artifactResolve.Artifact = new Artifact(httpArtifact.ToString());
XmlElement artifactResolveXml = artifactResolve.ToXml();
// Send the artifact resolve request and receive the artifact response.
string spArtifactResponderURL = WebConfigurationManager.AppSettings["spArtifactResponderURL"];
XmlElement artifactResponseXml = ArtifactResolver.SendRequestReceiveResponse(spArtifactResponderURL, artifactResolveXml);
ArtifactResponse artifactResponse = new ArtifactResponse(artifactResponseXml);
// Extract the authentication request from the artifact response.
authnRequestXml = artifactResponse.SAMLMessage;
break;
default:
throw new ArgumentException("Invalid service provider to identity provider binding");
}
// If using HTTP redirect the message isn't signed as the generated query string is too long for most browsers.
if (bindingType != SAMLIdentifiers.BindingURIs.HTTPRedirect)
{
if (SAMLMessageSignature.IsSigned(authnRequestXml))
{
// Verify the request's signature.
X509Certificate2 x509Certificate = (X509Certificate2)Application[Global.SPX509Certificate];
if (!SAMLMessageSignature.Verify(authnRequestXml, x509Certificate))
{
throw new ArgumentException("The authentication request signature failed to verify.");
}
}
}
// Deserialize the XML.
authnRequest = new AuthnRequest(authnRequestXml);
Trace.Write("IdP", "Received authentication request");
}