// Create a SAML response with the user's local identity, if any, or indicating an error.
private SAMLResponse CreateSAMLResponse(SSOState ssoState)
{
Trace.Write("IdP", "Creating SAML response");
SAMLResponse samlResponse = new SAMLResponse();
string issuerURL = CreateAbsoluteURL("~/");
Issuer issuer = new Issuer(issuerURL);
samlResponse.Issuer = issuer;
if (User.Identity.IsAuthenticated) {
samlResponse.Status = new Status(SAMLIdentifiers.PrimaryStatusCodes.Success, null);
SAMLAssertion samlAssertion = new SAMLAssertion();
samlAssertion.Issuer = issuer;
Subject subject = new Subject(new NameID(User.Identity.Name));
SubjectConfirmation subjectConfirmation = new SubjectConfirmation(SAMLIdentifiers.SubjectConfirmationMethods.Bearer);
SubjectConfirmationData subjectConfirmationData = new SubjectConfirmationData();
subjectConfirmationData.InResponseTo = ssoState.authnRequest.ID;
subjectConfirmationData.Recipient = ssoState.assertionConsumerServiceURL;
subjectConfirmation.SubjectConfirmationData = subjectConfirmationData;
subject.SubjectConfirmations.Add(subjectConfirmation);
samlAssertion.Subject = subject;
AuthnStatement authnStatement = new AuthnStatement();
authnStatement.AuthnContext = new AuthnContext();
authnStatement.AuthnContext.AuthnContextClassRef = new AuthnContextClassRef(SAMLIdentifiers.AuthnContextClasses.Password);
samlAssertion.Statements.Add(authnStatement);
// Attributes may be included in the SAML assertion.
AttributeStatement attributeStatement = new AttributeStatement();
attributeStatement.Attributes.Add(new SAMLAttribute("Membership", SAMLIdentifiers.AttributeNameFormats.Basic, null, "Gold"));
samlAssertion.Statements.Add(attributeStatement);
samlResponse.Assertions.Add(samlAssertion);
} else {
samlResponse.Status = new Status(SAMLIdentifiers.PrimaryStatusCodes.Responder, SAMLIdentifiers.SecondaryStatusCodes.AuthnFailed, "The user is not authenticated at the identity provider");
}
Trace.Write("IdP", "Created SAML response");
return samlResponse;
}
public Tx parse(SSOReader _reader)
{
if (_reader == null)
{
throw new SSOUserSyncException("SSOReader has to be initialized");
}
reader = _reader;
Tx tx = action.DoInitTx(DateTime.Now.Ticks.ToString());
string title = "";
while (reader.Read())
{
try
{
string value;
SSOState state = reader.CheckCondition(out value);
action.DoAction((int)state, value);
if (state == SSOState.getMemberID)
{
action.DoSetTitle(value); title = value;
}
}
catch (Exception ex)
{
action.DoAction((int)SSOState.OnError, ex.Message);
logger.Error(title + " handling error: " + ex.Message);
reader.Eatup();
}
}
return(tx);
}
public void encoding_and_decoding_state(string testString)
{
var state = new SSOState()
{
Path = testString
};
var afterCoding = Coding.DecodeState(Coding.EncodeState(state));
Assert.AreEqual(testString, afterCoding.Path);
}
protected void Page_Load(object sender, EventArgs e)
{
try
{
// Get the saved SSO state, if any.
// If there isn't saved state then receive the authentication request.
// If there is saved state then we've just completed a local login in response to a prior authentication request.
SSOState ssoState = (SSOState)Session[ssoSessionKey];
if (ssoState == null)
{
Trace.Write("IdP", "SSO service");
// Receive the authentication request and relay state.
AuthnRequest authnRequest = null;
string relayState = null;
ReceiveAuthnRequest(out authnRequest, out relayState);
// Process the request.
bool forceAuthn = authnRequest.ForceAuthn;
ssoState = new SSOState();
ssoState.AuthnRequest = authnRequest;
ssoState.RelayState = relayState;
// Determine whether or not a local login is required.
bool requireLocalLogin = IsLocalLoginRequired(forceAuthn);
// If a local login is required then save the session state and initiate a local login.
if (requireLocalLogin)
{
Session[ssoSessionKey] = ssoState;
FormsAuthentication.RedirectToLoginPage();
return;
}
}
// Create a SAML response with the user's local identity, if any.
SAMLResponse samlResponse = CreateSAMLResponse(ssoState.AuthnRequest);
// Send the SAML response to the service provider.
SendSAMLResponse(samlResponse, ssoState.RelayState);
// Clear the SSO state.
Session[ssoSessionKey] = null;
}
catch (Exception exception)
{
Trace.Write("IdP", "Error in SSO service", exception);
}
}
protected void Page_Load(object sender, EventArgs e)
{
try {
// Get the saved SSO state, if any.
// If there isn't saved state then receive the authentication request.
// If there is saved state then we've just completed a local login in response to a prior authentication request.
SSOState ssoState = (SSOState)Session[ssoSessionKey];
if (ssoState == null) {
Trace.Write("IdP", "SSO service");
// Receive the authentication request and relay state.
AuthnRequest authnRequest = null;
string relayState = null;
ReceiveAuthnRequest(out authnRequest, out relayState);
// Process the request.
bool forceAuthn = authnRequest.ForceAuthn;
ssoState = new SSOState();
ssoState.AuthnRequest = authnRequest;
ssoState.RelayState = relayState;
// Determine whether or not a local login is required.
bool requireLocalLogin = IsLocalLoginRequired(forceAuthn);
// If a local login is required then save the session state and initiate a local login.
if (requireLocalLogin) {
Session[ssoSessionKey] = ssoState;
FormsAuthentication.RedirectToLoginPage();
return;
}
}
// Create a SAML response with the user's local identity, if any.
SAMLResponse samlResponse = CreateSAMLResponse(ssoState.AuthnRequest);
// Send the SAML response to the service provider.
SendSAMLResponse(samlResponse, ssoState.RelayState);
// Clear the SSO state.
Session[ssoSessionKey] = null;
}
catch (Exception exception) {
Trace.Write("IdP", "Error in SSO service", exception);
}
}
// Create a SAML response with the user's local identity, if any, or indicating an error.
private SAMLResponse CreateSAMLResponse(SSOState ssoState)
{
Trace.Write("IdP", "Creating SAML response");
SAMLResponse samlResponse = new SAMLResponse();
string issuerURL = CreateAbsoluteURL("~/");
Issuer issuer = new Issuer(issuerURL);
samlResponse.Issuer = issuer;
if (User.Identity.IsAuthenticated)
{
samlResponse.Status = new Status(SAMLIdentifiers.PrimaryStatusCodes.Success, null);
SAMLAssertion samlAssertion = new SAMLAssertion();
samlAssertion.Issuer = issuer;
Subject subject = new Subject(new NameID(User.Identity.Name));
SubjectConfirmation subjectConfirmation = new SubjectConfirmation(SAMLIdentifiers.SubjectConfirmationMethods.Bearer);
SubjectConfirmationData subjectConfirmationData = new SubjectConfirmationData();
subjectConfirmationData.InResponseTo = ssoState.authnRequest.ID;
subjectConfirmationData.Recipient = ssoState.assertionConsumerServiceURL;
subjectConfirmation.SubjectConfirmationData = subjectConfirmationData;
subject.SubjectConfirmations.Add(subjectConfirmation);
samlAssertion.Subject = subject;
AuthnStatement authnStatement = new AuthnStatement();
authnStatement.AuthnContext = new AuthnContext();
authnStatement.AuthnContext.AuthnContextClassRef = new AuthnContextClassRef(SAMLIdentifiers.AuthnContextClasses.Password);
samlAssertion.Statements.Add(authnStatement);
// Attributes may be included in the SAML assertion.
AttributeStatement attributeStatement = new AttributeStatement();
attributeStatement.Attributes.Add(new SAMLAttribute("Membership", SAMLIdentifiers.AttributeNameFormats.Basic, null, "Gold"));
samlAssertion.Statements.Add(attributeStatement);
samlResponse.Assertions.Add(samlAssertion);
}
else
{
samlResponse.Status = new Status(SAMLIdentifiers.PrimaryStatusCodes.Responder, SAMLIdentifiers.SecondaryStatusCodes.AuthnFailed, "The user is not authenticated at the identity provider");
}
Trace.Write("IdP", "Created SAML response");
return(samlResponse);
}
// Send the SAML response over the specified binding.
private void SendSAMLResponse(SAMLResponse samlResponse, SSOState ssoState)
{
Trace.Write("IdP", "Sending SAML response");
// Serialize the SAML response for transmission.
XmlElement samlResponseXml = samlResponse.ToXml();
// Sign the SAML response
X509Certificate2 x509Certificate = (X509Certificate2)Application[Global.IdPX509Certificate];
SAMLMessageSignature.Generate(samlResponseXml, x509Certificate.PrivateKey, x509Certificate);
// Send the SAML response to the service provider.
switch (ssoState.idpProtocolBinding)
{
case SAMLIdentifiers.Binding.HTTPPost:
IdentityProvider.SendSAMLResponseByHTTPPost(Response, ssoState.assertionConsumerServiceURL, samlResponseXml, ssoState.relayState);
break;
case SAMLIdentifiers.Binding.HTTPArtifact:
// Create the artifact.
string identificationURL = CreateAbsoluteURL("~/");
HTTPArtifactType4 httpArtifact = new HTTPArtifactType4(HTTPArtifactType4.CreateSourceId(identificationURL), HTTPArtifactType4.CreateMessageHandle());
// Cache the authentication request for subsequent sending using the artifact resolution protocol.
HTTPArtifactState httpArtifactState = new HTTPArtifactState(samlResponseXml, null);
HTTPArtifactStateCache.Add(httpArtifact, httpArtifactState);
// Send the artifact.
IdentityProvider.SendArtifactByHTTPArtifact(Response, ssoState.assertionConsumerServiceURL, httpArtifact, ssoState.relayState, false);
break;
default:
Trace.Write("IdP", "Invalid identity provider binding");
break;
}
Trace.Write("IdP", "Sent SAML response");
}
protected void Page_Load(object sender, EventArgs e)
{
try {
Trace.Write("IdP", "SSO service");
// Get the saved SSO state, if any.
// If there isn't saved state then receive the authentication request.
// If there is saved state then we've just completed a local login in response
// to a prior authentication request.
SSOState ssoState = (SSOState) Session[ssoSessionKey];
if (ssoState == null) {
// Receive the authentication request.
AuthnRequest authnRequest = null;
string relayState = null;
ReceiveAuthnRequest(out authnRequest, out relayState);
if (authnRequest == null) {
Trace.Write("IdP", "No authentication request");
return;
}
// Process the authentication request.
bool forceAuthn = authnRequest.ForceAuthn;
ssoState = new SSOState();
ssoState.authnRequest = authnRequest;
ssoState.relayState = relayState;
if (!string.IsNullOrEmpty(authnRequest.ProtocolBinding)) {
ssoState.idpProtocolBinding = SAMLIdentifiers.BindingURIs.URIToBinding(authnRequest.ProtocolBinding);
} else {
ssoState.idpProtocolBinding = SAMLIdentifiers.Binding.HTTPPost;
}
if (!string.IsNullOrEmpty(authnRequest.AssertionConsumerServiceURL)) {
ssoState.assertionConsumerServiceURL = authnRequest.AssertionConsumerServiceURL;
} else {
ssoState.assertionConsumerServiceURL = WebConfigurationManager.AppSettings["spAssertionConsumerServiceURL"];
}
// Determine whether or not a local login is required.
bool requireLocalLogin = IsLocalLoginRequired(forceAuthn);
// If a local login is required then save the authentication request
// and initiate a local login.
if (requireLocalLogin) {
// Save the SSO state.
Session[ssoSessionKey] = ssoState;
// Initiate a local login.
FormsAuthentication.RedirectToLoginPage();
return;
}
}
// Create a SAML response with the user's local identity, if any.
SAMLResponse samlResponse = CreateSAMLResponse(ssoState);
// Send the SAML response to the service provider.
SendSAMLResponse(samlResponse, ssoState);
// Clear the SSO state.
Session[ssoSessionKey] = null;
}
catch (Exception exception) {
Trace.Write("IdP", "Error in SSO service", exception);
}
}
// Send the SAML response over the specified binding.
private void SendSAMLResponse(SAMLResponse samlResponse, SSOState ssoState)
{
Trace.Write("IdP", "Sending SAML response");
// Serialize the SAML response for transmission.
XmlElement samlResponseXml = samlResponse.ToXml();
// Sign the SAML response
X509Certificate2 x509Certificate = (X509Certificate2) Application[Global.IdPX509Certificate];
SAMLMessageSignature.Generate(samlResponseXml, x509Certificate.PrivateKey, x509Certificate);
// Send the SAML response to the service provider.
switch (ssoState.idpProtocolBinding) {
case SAMLIdentifiers.Binding.HTTPPost:
IdentityProvider.SendSAMLResponseByHTTPPost(Response, ssoState.assertionConsumerServiceURL, samlResponseXml, ssoState.relayState);
break;
case SAMLIdentifiers.Binding.HTTPArtifact:
// Create the artifact.
string identificationURL = CreateAbsoluteURL("~/");
HTTPArtifactType4 httpArtifact = new HTTPArtifactType4(HTTPArtifactType4.CreateSourceId(identificationURL), HTTPArtifactType4.CreateMessageHandle());
// Cache the authentication request for subsequent sending using the artifact resolution protocol.
HTTPArtifactState httpArtifactState = new HTTPArtifactState(samlResponseXml, null);
HTTPArtifactStateCache.Add(httpArtifact, httpArtifactState);
// Send the artifact.
IdentityProvider.SendArtifactByHTTPArtifact(Response, ssoState.assertionConsumerServiceURL, httpArtifact, ssoState.relayState, false);
break;
default:
Trace.Write("IdP", "Invalid identity provider binding");
break;
}
Trace.Write("IdP", "Sent SAML response");
}
// https://api.anytimefitness.com/Help/SSO#login-styling
public static string EncodeState(SSOState state)
{
var json = JsonConvert.SerializeObject(state);
return(Base64UrlEncoder.Encode(json));
}
protected void Page_Load(object sender, EventArgs e)
{
try
{
Trace.Write("IdP", "SSO service");
// Get the saved SSO state, if any.
// If there isn't saved state then receive the authentication request.
// If there is saved state then we've just completed a local login in response
// to a prior authentication request.
SSOState ssoState = (SSOState)Session[ssoSessionKey];
if (ssoState == null)
{
// Receive the authentication request.
AuthnRequest authnRequest = null;
string relayState = null;
ReceiveAuthnRequest(out authnRequest, out relayState);
if (authnRequest == null)
{
Trace.Write("IdP", "No authentication request");
return;
}
// Process the authentication request.
bool forceAuthn = authnRequest.ForceAuthn;
ssoState = new SSOState();
ssoState.authnRequest = authnRequest;
ssoState.relayState = relayState;
if (!string.IsNullOrEmpty(authnRequest.ProtocolBinding))
{
ssoState.idpProtocolBinding = SAMLIdentifiers.BindingURIs.URIToBinding(authnRequest.ProtocolBinding);
}
else
{
ssoState.idpProtocolBinding = SAMLIdentifiers.Binding.HTTPPost;
}
if (!string.IsNullOrEmpty(authnRequest.AssertionConsumerServiceURL))
{
ssoState.assertionConsumerServiceURL = authnRequest.AssertionConsumerServiceURL;
}
else
{
ssoState.assertionConsumerServiceURL = WebConfigurationManager.AppSettings["spAssertionConsumerServiceURL"];
}
// Determine whether or not a local login is required.
bool requireLocalLogin = IsLocalLoginRequired(forceAuthn);
// If a local login is required then save the authentication request
// and initiate a local login.
if (requireLocalLogin)
{
// Save the SSO state.
Session[ssoSessionKey] = ssoState;
// Initiate a local login.
FormsAuthentication.RedirectToLoginPage();
return;
}
}
// Create a SAML response with the user's local identity, if any.
SAMLResponse samlResponse = CreateSAMLResponse(ssoState);
// Send the SAML response to the service provider.
SendSAMLResponse(samlResponse, ssoState);
// Clear the SSO state.
Session[ssoSessionKey] = null;
}
catch (Exception exception)
{
Trace.Write("IdP", "Error in SSO service", exception);
}
}
