/// <summary>
/// Appends the SAML request element (<c>Constants.XmlRootNames.SamlRequest</c> in the samlp namespace)
/// for <paramref name="samlRequest"/> as a child of <paramref name="root"/>.
/// The element declares the <c>ds</c> and <c>saml</c> prefixes for its descendants, carries the
/// IssueInstant / MajorVersion / MinorVersion / RequestID attributes, and nests the attribute query
/// via the <c>SamlAttributeQuery</c> overload of <c>Serialize</c>.
/// </summary>
/// <param name="samlRequest">The request to write; its <c>IssueInstant</c> goes through <c>ConvertToCurrentTime</c>.</param>
/// <param name="document">Owner document used to create the element.</param>
/// <param name="root">Node that receives the new element.</param>
/// <exception cref="ArgumentNullException">Any argument is <c>null</c>.</exception>
private static void Serialize(SamlRequest samlRequest, XmlDocument document, XmlNode root)
        {
            if (samlRequest == null)
            {
                throw new ArgumentNullException(nameof(samlRequest));
            }
            if (document == null)
            {
                throw new ArgumentNullException(nameof(document));
            }
            if (root == null)
            {
                throw new ArgumentNullException(nameof(root));
            }

            var requestElement = document.CreateElement(
                Constants.XmlPrefixes.Samlp,
                Constants.XmlRootNames.SamlRequest,
                Constants.XmlNamespaces.Samlp);

            // Prefix declarations consumed by the nested signature (ds) and assertion (saml) content.
            requestElement.SetAttribute($"xmlns:{Constants.XmlPrefixes.Ds}", Constants.XmlNamespaces.Ds);
            requestElement.SetAttribute($"xmlns:{Constants.XmlPrefixes.Saml}", Constants.XmlNamespaces.Saml);

            // Attribute order is kept as in the original writer; it matters for canonicalized output.
            var headerAttributes = new[]
            {
                new KeyValuePair<string, string>(Constants.XmlAttributeNames.SamlIssueInstant, ConvertToCurrentTime(samlRequest.IssueInstant)),
                new KeyValuePair<string, string>(Constants.XmlAttributeNames.SamlMajorVersion, samlRequest.MajorVersion.ToString()),
                new KeyValuePair<string, string>(Constants.XmlAttributeNames.SamlMinorVersion, samlRequest.MinorVersion.ToString()),
                new KeyValuePair<string, string>(Constants.XmlAttributeNames.SamlRequestId, samlRequest.Id),
            };
            foreach (var attribute in headerAttributes)
            {
                requestElement.SetAttribute(attribute.Key, attribute.Value);
            }

            Serialize(samlRequest.SamlAttributeQuery, document, requestElement);
            root.AppendChild(requestElement);
        }
        /// <summary>
        /// Assembles the eHealth STS attribute-query request: a SAML assertion whose subject and SSIN
        /// attributes are derived from the configured X.509 certificate, wrapped in a SOAP envelope with
        /// a WS-Security header (UTC timestamp plus the certificate as a security token).
        /// </summary>
        /// <returns>The populated <see cref="SoapEnvelope"/>.</returns>
        /// <exception cref="EhealthException">
        /// Thrown with <c>Constants.ErrorCodes.NoSerialNumber</c> when <c>GetSsin</c> finds no SSIN in the certificate subject.
        /// </exception>
        public SoapEnvelope Build()
        {
            CheckInit();

            // Identifiers are generated in this order on purpose: GenerateId may be stateful.
            var assertionId  = GenerateId("assertion");
            var requestId    = GenerateId("request");
            var bodyId       = GenerateId("id");
            var timestampId  = GenerateId("TS");
            var x509TokenId  = GenerateId("X509");

            // The SSIN (national registry number) identifies the certificate holder and is mandatory.
            var holderSsin = GetSsin(_x509Certificate.Subject);
            if (string.IsNullOrWhiteSpace(holderSsin))
            {
                throw new EhealthException(Constants.ErrorCodes.NoSerialNumber);
            }

            var subjectName = ParseSubject(_x509Certificate.Subject);
            var issuerName  = ParseSubject(_x509Certificate.Issuer);

            // NOTE(review): these Add calls mutate instance lists, so calling Build() twice on the same
            // builder appends duplicate SSIN attributes and designators — confirm callers build only once.
            var ssinNamespace = Constants.EhealthStsNames.SsinAttributeNamespace;
            var ssinAttributeNames = new[]
            {
                Constants.EhealthStsNames.SsinCertHolderAttributeName,
                Constants.EhealthStsNames.SsinAttributeName,
            };
            foreach (var attributeName in ssinAttributeNames)
            {
                _samlAttributes.Add(new SamlAttribute(attributeName, ssinNamespace, holderSsin));
            }
            foreach (var attributeName in ssinAttributeNames)
            {
                _samlAttributeDesignators.Add(new SamlAttributeDesignator(attributeName, ssinNamespace));
            }

            // NOTE(review): local time here, while the WS-Security timestamp below uses UtcNow —
            // confirm ConvertToCurrentTime in the serializer normalizes IssueInstant, otherwise the
            // assertion's validity window depends on the server's time zone.
            var issuedAt = DateTime.Now;

            var nameIdentifier = new SamlNameIdentifier(
                Constants.EhealthStsNames.NameIdentifierFormat,
                issuerName,
                subjectName);
            var conditions         = new SamlConditions(issuedAt);
            var attributeStatement = new SamlAttributeStatement(new SamlSubject(nameIdentifier), _samlAttributes);
            var assertion          = new SamlAssertion(assertionId, issuedAt, subjectName, conditions, attributeStatement);

            // The query subject is confirmed with our certificate and the assertion just built
            // (method given by Constants.EhealthStsNames.SubjectConfirmationMethod).
            var confirmation = new SamlSubjectConfirmation(
                Constants.EhealthStsNames.SubjectConfirmationMethod,
                _x509Certificate,
                new SamlSubjectConfirmationData(assertion));
            var confirmedSubject = new SamlSubject(nameIdentifier, confirmation);
            var attributeQuery   = new SamlAttributeQuery(confirmedSubject, _samlAttributeDesignators);

            var body     = new SoapBody(new SamlRequest(requestId, attributeQuery), bodyId);
            var security = new SoapSecurity(DateTime.UtcNow, timestampId, x509TokenId, _x509Certificate);

            return new SoapEnvelope(new SoapHeader(security), body);
        }
 /// <summary>
 /// Creates the SOAP body that carries a SAML request.
 /// </summary>
 /// <param name="request">
 /// The request to embed. Stored as given; no null check is made here (the
 /// <c>SamlRequest</c> serializer rejects a null request when the body is written).
 /// </param>
 /// <param name="id">Identifier assigned to the body element (the caller passes <c>GenerateId("id")</c>).</param>
 public SoapBody(SamlRequest request, string id)
 {
     Id      = id;
     Request = request;
 }
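        /// <summary>
        /// HTTP handler entry point for SAML single sign-on.
        /// With <c>auth=true</c> in the request it builds the SP request and redirects the browser to the
        /// configured IdP endpoint; otherwise it expects the IdP's POST-binding <c>SAMLResponse</c> form
        /// field, validates it, resolves or creates the user and signs them in.
        /// Every failure path ends on the login page with a message in the <c>m</c> query parameter.
        /// </summary>
        /// <param name="context">Current request context; the response is read from its form collection.</param>
        public void ProcessRequest(HttpContext context)
        {
            try
            {
                if (!SetupInfo.IsVisibleSettings(ManagementType.SingleSignOnSettings.ToString()))
                {
                    _log.DebugFormat("Single sign-on settings are disabled");
                    RedirectToAuthPage(context, Resource.SsoSettingsDisabled);
                    return;
                }

                var settings = SettingsManager.Instance.LoadSettings<SsoSettings>(TenantProvider.CurrentTenantID);
                if (!settings.EnableSso)
                {
                    _log.DebugFormat("Single sign-on is disabled");
                    RedirectToAuthPage(context, Resource.SsoSettingsDisabled);
                    return;
                }

                if (context.User.Identity.IsAuthenticated)
                {
                    // The format string has a {0} placeholder; the original call passed no argument.
                    _log.DebugFormat("User {0} already authenticated", context.User.Identity.Name);
                    context.Response.Redirect(CommonLinkUtility.GetDefault(), false);
                    context.ApplicationInstance.CompleteRequest();
                    return;
                }

                if (settings.TokenType != TokenTypes.SAML)
                {
                    _log.Error("Settings TokenType  is not SAML");
                    RedirectToAuthPage(context, Resource.SsoSettingsEnexpectedTokenType);
                    return;
                }

                if (context.Request["auth"] == "true")
                {
                    // SP-initiated flow: send the browser to the IdP carrying our request.
                    var req = new SamlRequest(settings);

                    // scheme://host[:port]/path of this handler, used as the AssertionConsumerService URL.
                    // Request["auth"] also matches form fields and cookies, so the URL may have no query
                    // string; Substring(0, IndexOf("?")) threw on -1 in that case, GetLeftPart does not.
                    var assertionConsumerServiceUrl = context.Request.Url.GetLeftPart(UriPartial.Path);

                    var certificatePath = Path.Combine(context.Request.PhysicalApplicationPath, "App_Data\\certificates\\sp.pfx");
                    // NOTE(review): falling back to the compiled-in PASSWORD means the SP signing key is
                    // protected by a secret that ships with the binary; production should require the
                    // app setting instead of silently using the default.
                    var certificatePassword = ConfigurationManager.AppSettings["saml.request.certificate.password"] ?? PASSWORD;

                    context.Response.Redirect(settings.SsoEndPoint + "?" +
                                              req.GetRequest(SamlRequestFormat.Base64,
                                                             assertionConsumerServiceUrl,
                                                             certificatePath,
                                                             certificatePassword),
                                              false);
                    context.ApplicationInstance.CompleteRequest();
                    return;
                }

                // Response leg: the IdP posts the base64 SAMLResponse back to this handler.
                var samlEncodedString = context.Request.Form[SAML_RESPONSE];
                if (string.IsNullOrWhiteSpace(samlEncodedString))
                {
                    _log.Error("SAML response is null or empty");
                    RedirectToAuthPage(context, Resource.SsoSettingsEmptyToken);
                    return;
                }

                _log.Debug("Trying to authenticate using SAML");
                var samlResponse = new SamlResponse(settings);
                samlResponse.LoadXmlFromBase64(samlEncodedString);

                // IsValid() is the only gate between untrusted input and user creation / sign-in.
                // NOTE(review): nothing in this handler checks InResponseTo or remembers seen assertion
                // IDs — confirm IsValid() covers signature, issuer, audience, time window and replay,
                // otherwise a captured response could be re-posted.
                if (!samlResponse.IsValid())
                {
                    _log.Error("SAML response is not valid");
                    RedirectToAuthPage(context, Resource.SsoSettingsNotValidToken);
                    return;
                }

                var userCreator = new SamlUserCreator();
                var userInfo = userCreator.CreateUserInfo(samlResponse);
                if (userInfo == Constants.LostUser)
                {
                    _log.Error("Can't create userInfo using current SAML response");
                    RedirectToAuthPage(context, Resource.SsoSettingsCantCreateUser);
                    return;
                }
                if (userInfo.Status == EmployeeStatus.Terminated)
                {
                    _log.Error("Current user is terminated");
                    RedirectToAuthPage(context, Resource.SsoSettingsUserTerminated);
                    return;
                }

                AddUser(samlResponse, userInfo);
                MessageService.Send(context.Request, MessageAction.LoginSuccessViaSSO);
                context.Response.Redirect(CommonLinkUtility.GetDefault(), false);
                context.ApplicationInstance.CompleteRequest();
            }
            catch (Exception e)
            {
                _log.ErrorFormat("Unexpected error. {0}", e);
                // NOTE(review): e.Message is shown to the browser; for crypto/IO failures it can carry
                // internal paths or certificate details. A generic resource string would be safer here.
                RedirectToAuthPage(context, e.Message);
            }
        }

        /// <summary>
        /// Sends the browser back to the login page with <paramref name="message"/> URL-encoded into the
        /// <c>m</c> query parameter. Uses Redirect(..., false) plus CompleteRequest so the pipeline ends
        /// without the ThreadAbortException a throwing redirect would raise.
        /// </summary>
        /// <param name="context">Request whose response is redirected.</param>
        /// <param name="message">User-visible message; encoded before it is placed in the query string.</param>
        private void RedirectToAuthPage(HttpContext context, string message)
        {
            context.Response.Redirect(AUTH_PAGE + "?m=" + HttpUtility.UrlEncode(message), false);
            context.ApplicationInstance.CompleteRequest();
        }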