private void HandleSOAP(HttpContext context, Stream inputStream)
{
Trace.TraceMethodCalled(GetType(), "HandleSOAP");
HttpArtifactBindingParser parser = new HttpArtifactBindingParser(inputStream);
HttpArtifactBindingBuilder builder = new HttpArtifactBindingBuilder(context);
SAML20FederationConfig config = SAML20FederationConfig.GetConfig();
IDPEndPoint idp = RetrieveIDPConfiguration(parser.Issuer);
var shaHashingAlgorithm = SignatureProviderFactory.ValidateShaHashingAlgorithm(idp.ShaHashingAlgorithm);
AuditLogging.IdpId = idp.Id;
if (parser.IsArtifactResolve())
{
Trace.TraceData(TraceEventType.Information, Tracing.ArtifactResolveIn);
if (!parser.CheckSamlMessageSignature(idp.metadata.Keys))
{
HandleError(context, "Invalid Saml message signature");
AuditLogging.logEntry(Direction.UNDEFINED, Operation.ARTIFACTRESOLVE, "Signature could not be verified", parser.SamlMessage);
}
AuditLogging.AssertionId = parser.ArtifactResolve.ID;
AuditLogging.logEntry(Direction.IN, Operation.ARTIFACTRESOLVE, "", parser.SamlMessage);
builder.RespondToArtifactResolve(idp, parser.ArtifactResolve);
}
else if (parser.IsArtifactResponse())
{
Trace.TraceData(TraceEventType.Information, Tracing.ArtifactResponseIn);
Status status = parser.ArtifactResponse.Status;
if (status.StatusCode.Value != Saml20Constants.StatusCodes.Success)
{
AuditLogging.logEntry(Direction.UNDEFINED, Operation.ARTIFACTRESOLVE, string.Format("Unexpected status code for artifact response: {0}, expected 'Success', msg: {1}", status.StatusCode.Value, parser.SamlMessage));
HandleError(context, status);
return;
}
if (parser.ArtifactResponse.Any.LocalName == LogoutRequest.ELEMENT_NAME)
{
if (Trace.ShouldTrace(TraceEventType.Information))
{
Trace.TraceData(TraceEventType.Information, string.Format(Tracing.LogoutRequest, parser.ArtifactResponse.Any.OuterXml));
}
//Send logoutresponse via artifact
Saml20LogoutResponse response = new Saml20LogoutResponse();
response.Issuer = config.ServiceProvider.ID;
LogoutRequest req = Serialization.DeserializeFromXmlString <LogoutRequest>(parser.ArtifactResponse.Any.OuterXml);
response.StatusCode = Saml20Constants.StatusCodes.Success;
response.InResponseTo = req.ID;
IDPEndPointElement destination =
DetermineEndpointConfiguration(SAMLBinding.REDIRECT, idp.SLOEndpoint, idp.metadata.SLOEndpoints());
builder.RedirectFromLogout(idp, destination, response);
}
else if (parser.ArtifactResponse.Any.LocalName == LogoutResponse.ELEMENT_NAME)
{
DoLogout(context);
}
else
{
AuditLogging.logEntry(Direction.UNDEFINED, Operation.ARTIFACTRESOLVE, string.Format("Unsupported payload message in ArtifactResponse: {0}, msg: {1}", parser.ArtifactResponse.Any.LocalName, parser.SamlMessage));
HandleError(context,
string.Format("Unsupported payload message in ArtifactResponse: {0}",
parser.ArtifactResponse.Any.LocalName));
}
}
else if (parser.IsLogoutReqest())
{
if (Trace.ShouldTrace(TraceEventType.Information))
{
Trace.TraceData(TraceEventType.Information, string.Format(Tracing.LogoutRequest, parser.SamlMessage.OuterXml));
}
Saml20LogoutResponse response = new Saml20LogoutResponse();
if (!parser.IsSigned())
{
AuditLogging.logEntry(Direction.IN, Operation.LOGOUTREQUEST, "Signature not present in SOAP logout request, msg: " + parser.SamlMessage.OuterXml);
response.StatusCode = Saml20Constants.StatusCodes.RequestDenied;
}
if (idp.metadata == null)
{
AuditLogging.logEntry(Direction.IN, Operation.LOGOUTREQUEST, "Cannot find metadata for IdP: " + parser.Issuer);
// Not able to process the request as we do not know the IdP.
response.StatusCode = Saml20Constants.StatusCodes.NoAvailableIDP;
}
else
{
Saml20MetadataDocument metadata = idp.metadata;
if (!parser.CheckSignature(metadata.GetKeys(KeyTypes.signing)))
{
AuditLogging.logEntry(Direction.IN, Operation.LOGOUTREQUEST, "Request has been denied. Invalid signature SOAP logout, msg: " + parser.SamlMessage.OuterXml);
response.StatusCode = Saml20Constants.StatusCodes.RequestDenied;
}
}
if (parser.GetNameID() != null && !string.IsNullOrEmpty(parser.GetNameID().Value))
{
DoSoapLogout(context, parser.GetNameID().Value);
}
else
{
AuditLogging.logEntry(Direction.IN, Operation.LOGOUTREQUEST, "Request has been denied. No user ID was supplied in SOAP logout request, msg: " + parser.SamlMessage.OuterXml);
response.StatusCode = Saml20Constants.StatusCodes.NoAuthnContext;
}
LogoutRequest req = parser.LogoutRequest;
//Build the response object
response.Issuer = config.ServiceProvider.ID;
response.StatusCode = Saml20Constants.StatusCodes.Success;
response.InResponseTo = req.ID;
XmlDocument doc = response.GetXml();
var signingCertificate = FederationConfig.GetConfig().SigningCertificate.GetCertificate();
var signatureProvider = SignatureProviderFactory.CreateFromShaHashingAlgorithmName(shaHashingAlgorithm);
signatureProvider.SignAssertion(doc, response.ID, signingCertificate);
if (doc.FirstChild is XmlDeclaration)
{
doc.RemoveChild(doc.FirstChild);
}
builder.SendResponseMessage(doc.OuterXml);
}
else
{
Status s = parser.GetStatus();
if (s != null)
{
HandleError(context, s);
}
else
{
AuditLogging.logEntry(Direction.UNDEFINED, Operation.ARTIFACTRESOLVE, string.Format("Unsupported SamlMessage element: {0}, msg: {1}", parser.SamlMessageName, parser.SamlMessage));
HandleError(context, string.Format("Unsupported SamlMessage element: {0}", parser.SamlMessageName));
}
}
}
/// <summary>
/// Performs the attribute query against the specified IdP endpoint and adds the resulting attributes to Saml20Identity.Current.
/// </summary>
/// <param name="context">The http context.</param>
/// <param name="endPoint">The IdP to perform the query against.</param>
/// <param name="nameIdFormat">The nameid format.</param>
public void PerformQuery(HttpContext context, IDPEndPoint endPoint, string nameIdFormat)
{
Trace.TraceMethodCalled(GetType(), "PerformQuery()");
HttpSOAPBindingBuilder builder = new HttpSOAPBindingBuilder(context);
NameID name = new NameID();
name.Value = Saml20Identity.Current.Name;
name.Format = nameIdFormat;
_attrQuery.Subject.Items = new object[] { name };
_attrQuery.SamlAttribute = _attributes.ToArray();
XmlDocument query = new XmlDocument();
query.LoadXml(Serialization.SerializeToXmlString(_attrQuery));
XmlSignatureUtils.SignDocument(query, ID);
if (query.FirstChild is XmlDeclaration)
{
query.RemoveChild(query.FirstChild);
}
Stream s;
if (Trace.ShouldTrace(TraceEventType.Information))
{
Trace.TraceData(TraceEventType.Information, string.Format(Tracing.SendAttrQuery, endPoint.metadata.GetAttributeQueryEndpointLocation(), query.OuterXml));
}
try
{
s = builder.GetResponse(endPoint.metadata.GetAttributeQueryEndpointLocation(), query.OuterXml,
endPoint.AttributeQuery);
}catch (Exception e)
{
Trace.TraceData(TraceEventType.Error, e.ToString());
throw;
}
HttpSOAPBindingParser parser = new HttpSOAPBindingParser(s);
Status status = parser.GetStatus();
if (status.StatusCode.Value != Saml20Constants.StatusCodes.Success)
{
Trace.TraceData(TraceEventType.Error,
string.Format(Tracing.AttrQueryStatusError, Serialization.SerializeToXmlString(status)));
throw new Saml20Exception(status.StatusMessage);
}
bool isEncrypted;
XmlElement xmlAssertion = Saml20SignonHandler.GetAssertion(parser.SamlMessage, out isEncrypted);
if (isEncrypted)
{
Saml20EncryptedAssertion ass =
new Saml20EncryptedAssertion(
(RSA)FederationConfig.GetConfig().SigningCertificate.GetCertificate().PrivateKey);
ass.LoadXml(xmlAssertion);
ass.Decrypt();
xmlAssertion = ass.Assertion.DocumentElement;
}
Saml20Assertion assertion =
new Saml20Assertion(xmlAssertion, null,
AssertionProfile.Core, endPoint.QuirksMode);
if (Trace.ShouldTrace(TraceEventType.Information))
{
Trace.TraceData(TraceEventType.Information, string.Format(Tracing.AttrQueryAssertion, xmlAssertion == null ? string.Empty : xmlAssertion.OuterXml));
}
if (!assertion.CheckSignature(Saml20SignonHandler.GetTrustedSigners(endPoint.metadata.Keys, endPoint)))
{
Trace.TraceData(TraceEventType.Error, Resources.SignatureInvalid);
throw new Saml20Exception(Resources.SignatureInvalid);
}
foreach (SamlAttribute attr in assertion.Attributes)
{
Saml20Identity.Current.AddAttributeFromQuery(attr.Name, attr);
}
}
/// <summary>
/// Handles the selection of an IDP. If only one IDP is found, the user is automatically redirected to it.
/// If several are found, and nothing indicates to which one the user should be sent, this method returns null.
/// </summary>
public IDPEndPoint RetrieveIDP(HttpContext context)
{
SAML20FederationConfig config = SAML20FederationConfig.GetConfig();
config.Endpoints.Refresh();
//If idpChoice is set, use it value
if (!string.IsNullOrEmpty(context.Request.Params[IDPChoiceParameterName]))
{
AuditLogging.logEntry(Direction.IN, Operation.DISCOVER,
"Using IDPChoiceParamater: " + context.Request.Params[IDPChoiceParameterName]);
IDPEndPoint endPoint = config.FindEndPoint(context.Request.Params[IDPChoiceParameterName]);
if (endPoint != null)
{
return(endPoint);
}
}
//If we have a common domain cookie, use it's value
//It must have been returned from the local common domain cookie reader endpoint.
if (!string.IsNullOrEmpty(context.Request.QueryString["_saml_idp"]))
{
CommonDomainCookie cdc = new CommonDomainCookie(context.Request.QueryString["_saml_idp"]);
if (cdc.IsSet)
{
IDPEndPoint endPoint = config.FindEndPoint(cdc.PreferredIDP);
if (endPoint != null)
{
if (Trace.ShouldTrace(TraceEventType.Information))
{
Trace.TraceData(TraceEventType.Information, "IDP read from Common Domain Cookie: " + cdc.PreferredIDP);
}
return(endPoint);
}
AuditLogging.logEntry(Direction.IN, Operation.DISCOVER, "Invalid IdP in Common Domain Cookie, IdP not found in list of IdPs: " + cdc.PreferredIDP);
}
}
//If there is only one configured IDPEndPoint lets just use that
if (config.IDPEndPoints.Count == 1 && config.IDPEndPoints[0].metadata != null)
{
AuditLogging.logEntry(Direction.IN, Operation.DISCOVER, "No IdP selected in Common Domain Cookie, using default IdP: " + config.IDPEndPoints[0].Name);
return(config.IDPEndPoints[0]);
}
// If one of the endpoints are marked with default, use that one
var defaultIdp = config.Endpoints.IDPEndPoints.Find(idp => idp.Default);
if (defaultIdp != null)
{
if (Trace.ShouldTrace(TraceEventType.Information))
{
Trace.TraceData(TraceEventType.Information, "Using IdP marked as default: " + defaultIdp.Id);
}
return(defaultIdp);
}
// In case an Idp selection url has been configured, redirect to that one.
if (!string.IsNullOrEmpty(config.Endpoints.idpSelectionUrl))
{
if (Trace.ShouldTrace(TraceEventType.Information))
{
Trace.TraceData(TraceEventType.Information, "Redirecting to idpSelectionUrl for selection of IDP: " + config.Endpoints.idpSelectionUrl);
}
context.Response.Redirect(config.Endpoints.idpSelectionUrl);
}
// If an IDPSelectionEvent handler is present, request the handler for an IDP endpoint to use.
var idpEndpoint = IDPSelectionUtil.InvokeIDPSelectionEventHandler(config.Endpoints);
if (idpEndpoint != null)
{
return(idpEndpoint);
}
return(null);
}
private void HandleSOAP(HttpContext context, Stream inputStream)
{
Trace.TraceMethodCalled(GetType(), "HandleSOAP");
HttpArtifactBindingParser parser = new HttpArtifactBindingParser(inputStream);
HttpArtifactBindingBuilder builder = new HttpArtifactBindingBuilder(context);
if (parser.IsArtifactResolve())
{
Trace.TraceData(TraceEventType.Information, Tracing.ArtifactResolveIn);
IDPEndPoint idp = RetrieveIDPConfiguration(parser.Issuer);
AuditLogging.IdpId = idp.Id;
AuditLogging.AssertionId = parser.ArtifactResolve.ID;
if (!parser.CheckSamlMessageSignature(idp.metadata.Keys))
{
HandleError(context, "Invalid Saml message signature");
AuditLogging.logEntry(Direction.IN, Operation.ARTIFACTRESOLVE, "Could not verify signature", parser.SamlMessage);
}
;
builder.RespondToArtifactResolve(parser.ArtifactResolve);
}
else if (parser.IsArtifactResponse())
{
Trace.TraceData(TraceEventType.Information, Tracing.ArtifactResponseIn);
Status status = parser.ArtifactResponse.Status;
if (status.StatusCode.Value != Saml20Constants.StatusCodes.Success)
{
HandleError(context, status);
AuditLogging.logEntry(Direction.IN, Operation.ARTIFACTRESOLVE, string.Format("Illegal status for ArtifactResponse {0} expected 'Success', msg: {1}", status.StatusCode.Value, parser.SamlMessage));
return;
}
if (parser.ArtifactResponse.Any.LocalName == Response.ELEMENT_NAME)
{
bool isEncrypted;
XmlElement assertion = GetAssertion(parser.ArtifactResponse.Any, out isEncrypted);
if (assertion == null)
{
HandleError(context, "Missing assertion");
}
if (isEncrypted)
{
HandleEncryptedAssertion(context, assertion);
}
else
{
HandleAssertion(context, assertion);
}
}
else
{
AuditLogging.logEntry(Direction.IN, Operation.ARTIFACTRESOLVE, string.Format("Unsupported payload message in ArtifactResponse: {0}, msg: {1}", parser.ArtifactResponse.Any.LocalName, parser.SamlMessage));
HandleError(context,
string.Format("Unsupported payload message in ArtifactResponse: {0}",
parser.ArtifactResponse.Any.LocalName));
}
}
else
{
Status s = parser.GetStatus();
if (s != null)
{
HandleError(context, s);
}
else
{
AuditLogging.logEntry(Direction.IN, Operation.ARTIFACTRESOLVE, string.Format("Unsupported SamlMessage element: {0}, msg: {1}", parser.SamlMessageName, parser.SamlMessage));
HandleError(context, string.Format("Unsupported SamlMessage element: {0}", parser.SamlMessageName));
}
}
}
private void TransferClient(IDPEndPoint idpEndpoint, Saml20AuthnRequest request, HttpContext context)
{
AuditLogging.AssertionId = request.ID;
AuditLogging.IdpId = idpEndpoint.Id;
//Set the last IDP we attempted to login at.
context.Session[IDPTempSessionKey] = idpEndpoint.Id;
// Determine which endpoint to use from the configuration file or the endpoint metadata.
IDPEndPointElement destination =
DetermineEndpointConfiguration(SAMLBinding.REDIRECT, idpEndpoint.SSOEndpoint, idpEndpoint.metadata.SSOEndpoints());
request.Destination = destination.Url;
if (idpEndpoint.ForceAuthn)
{
request.ForceAuthn = true;
}
object isPassiveFlag = context.Session[IDPIsPassive];
if (isPassiveFlag != null && (bool)isPassiveFlag)
{
request.IsPassive = true;
context.Session[IDPIsPassive] = null;
}
if (idpEndpoint.IsPassive)
{
request.IsPassive = true;
}
object forceAuthnFlag = context.Session[IDPForceAuthn];
if (forceAuthnFlag != null && (bool)forceAuthnFlag)
{
request.ForceAuthn = true;
context.Session[IDPForceAuthn] = null;
}
if (idpEndpoint.SSOEndpoint != null)
{
if (!string.IsNullOrEmpty(idpEndpoint.SSOEndpoint.ForceProtocolBinding))
{
request.ProtocolBinding = idpEndpoint.SSOEndpoint.ForceProtocolBinding;
}
}
//Save request message id to session
context.Session.Add(ExpectedInResponseToSessionKey, request.ID);
if (destination.Binding == SAMLBinding.REDIRECT)
{
Trace.TraceData(TraceEventType.Information, string.Format(Tracing.SendAuthnRequest, Saml20Constants.ProtocolBindings.HTTP_Redirect, idpEndpoint.Id));
HttpRedirectBindingBuilder builder = new HttpRedirectBindingBuilder();
builder.signingKey = _certificate.PrivateKey;
builder.Request = request.GetXml().OuterXml;
string s = request.Destination + "?" + builder.ToQuery();
AuditLogging.logEntry(Direction.OUT, Operation.AUTHNREQUEST_REDIRECT, "Redirecting user to IdP for authentication", builder.Request);
context.Response.Redirect(s, true);
return;
}
if (destination.Binding == SAMLBinding.POST)
{
Trace.TraceData(TraceEventType.Information, string.Format(Tracing.SendAuthnRequest, Saml20Constants.ProtocolBindings.HTTP_Post, idpEndpoint.Id));
HttpPostBindingBuilder builder = new HttpPostBindingBuilder(destination);
//Honor the ForceProtocolBinding and only set this if it's not already set
if (string.IsNullOrEmpty(request.ProtocolBinding))
{
request.ProtocolBinding = Saml20Constants.ProtocolBindings.HTTP_Post;
}
XmlDocument req = request.GetXml();
XmlSignatureUtils.SignDocument(req, request.ID);
builder.Request = req.OuterXml;
AuditLogging.logEntry(Direction.OUT, Operation.AUTHNREQUEST_POST);
builder.GetPage().ProcessRequest(context);
return;
}
if (destination.Binding == SAMLBinding.ARTIFACT)
{
Trace.TraceData(TraceEventType.Information, string.Format(Tracing.SendAuthnRequest, Saml20Constants.ProtocolBindings.HTTP_Artifact, idpEndpoint.Id));
HttpArtifactBindingBuilder builder = new HttpArtifactBindingBuilder(context);
//Honor the ForceProtocolBinding and only set this if it's not already set
if (string.IsNullOrEmpty(request.ProtocolBinding))
{
request.ProtocolBinding = Saml20Constants.ProtocolBindings.HTTP_Artifact;
}
AuditLogging.logEntry(Direction.OUT, Operation.AUTHNREQUEST_REDIRECT_ARTIFACT);
builder.RedirectFromLogin(destination, request);
}
HandleError(context, Resources.BindingError);
}
private void HandleRequest(HttpContext context)
{
Trace.TraceMethodCalled(GetType(), "HandleRequest()");
//Fetch config object
SAML20FederationConfig config = SAML20FederationConfig.GetConfig();
LogoutRequest logoutRequest = null;
IDPEndPoint endpoint = null;
string message = string.Empty;
//Build the response object
var response = new Saml20LogoutResponse();
response.Issuer = config.ServiceProvider.ID;
response.StatusCode = Saml20Constants.StatusCodes.Success; // Default success. Is overwritten if something fails.
if (context.Request.RequestType == "GET") // HTTP Redirect binding
{
HttpRedirectBindingParser parser = new HttpRedirectBindingParser(context.Request.Url);
AuditLogging.logEntry(Direction.IN, Operation.LOGOUTREQUEST,
string.Format("Binding: redirect, Signature algorithm: {0} Signature: {1}, Message: {2}", parser.SignatureAlgorithm, parser.Signature, parser.Message));
if (!parser.IsSigned)
{
AuditLogging.logEntry(Direction.IN, Operation.LOGOUTREQUEST, "Signature not present, msg: " + parser.Message);
response.StatusCode = Saml20Constants.StatusCodes.RequestDenied;
}
logoutRequest = parser.LogoutRequest;
endpoint = config.FindEndPoint(logoutRequest.Issuer.Value);
if (endpoint.metadata == null)
{
AuditLogging.logEntry(Direction.IN, Operation.LOGOUTREQUEST, "Cannot find metadata for IdP: " + logoutRequest.Issuer.Value);
// Not able to return a response as we do not know the IdP.
HandleError(context, "Cannot find metadata for IdP " + logoutRequest.Issuer.Value);
return;
}
Saml20MetadataDocument metadata = endpoint.metadata;
if (!parser.VerifySignature(metadata.GetKeys(KeyTypes.signing)))
{
AuditLogging.logEntry(Direction.IN, Operation.LOGOUTREQUEST, "Request has been denied. Invalid signature redirect-binding, msg: " + parser.Message);
response.StatusCode = Saml20Constants.StatusCodes.RequestDenied;
}
message = parser.Message;
}
else if (context.Request.RequestType == "POST") // HTTP Post binding
{
HttpPostBindingParser parser = new HttpPostBindingParser(context);
AuditLogging.logEntry(Direction.IN, Operation.LOGOUTREQUEST,
"Binding: POST, Message: " + parser.Message);
if (!parser.IsSigned())
{
AuditLogging.logEntry(Direction.IN, Operation.LOGOUTREQUEST, "Signature not present, msg: " + parser.Message);
response.StatusCode = Saml20Constants.StatusCodes.RequestDenied;
}
logoutRequest = parser.LogoutRequest;
endpoint = config.FindEndPoint(logoutRequest.Issuer.Value);
if (endpoint.metadata == null)
{
AuditLogging.logEntry(Direction.IN, Operation.LOGOUTREQUEST, "Cannot find metadata for IdP");
// Not able to return a response as we do not know the IdP.
HandleError(context, "Cannot find metadata for IdP " + logoutRequest.Issuer.Value);
return;
}
Saml20MetadataDocument metadata = endpoint.metadata;
// handle a logout-request
if (!parser.CheckSignature(metadata.GetKeys(KeyTypes.signing)))
{
AuditLogging.logEntry(Direction.IN, Operation.LOGOUTREQUEST, "Request has been denied. Invalid signature post-binding, msg: " + parser.Message);
response.StatusCode = Saml20Constants.StatusCodes.RequestDenied;
}
message = parser.Message;
}
else
{
//Error: We don't support HEAD, PUT, CONNECT, TRACE, DELETE and OPTIONS
// Not able to return a response as we do not understand the request.
HandleError(context, Resources.UnsupportedRequestTypeFormat(context.Request.RequestType));
}
AuditLogging.logEntry(Direction.IN, Operation.LOGOUTREQUEST, message);
// Check that idp in session and request matches.
string idpRequest = logoutRequest.Issuer.Value;
bool newSession = SessionFactory.SessionContext.Current.New; // This call to Current must be the first in this request. Otherwise the value will always be false.
if (!newSession)
{
object idpId = Saml20PrincipalCache.GetSaml20AssertionLite().Issuer;
if (idpId != null && idpId.ToString() != idpRequest)
{
AuditLogging.logEntry(Direction.IN, Operation.LOGOUTREQUEST, Resources.IdPMismatchBetweenRequestAndSessionFormat(idpId, idpRequest), message);
response.StatusCode = Saml20Constants.StatusCodes.RequestDenied;
}
}
else
{
// All other status codes than Success results in the IdP throwing an error page. Therefore we return default Success even if we do not have a session.
AuditLogging.logEntry(Direction.IN, Operation.LOGOUTREQUEST, "Session does not exist. Continues the redirect logout procedure with status code success." + idpRequest, message);
}
// Only logout if request is valid and we are working on an existing Session.
if (Saml20Constants.StatusCodes.Success == response.StatusCode && !newSession)
{
// Execute all actions that the service provider has configured
DoLogout(context, true);
}
// Update the response object with informations that first is available when request has been parsed.
IDPEndPointElement destination = DetermineEndpointConfiguration(SAMLBinding.REDIRECT, endpoint.SLOEndpoint, endpoint.metadata.SLOEndpoints());
response.Destination = destination.Url;
response.InResponseTo = logoutRequest.ID;
//Respond using redirect binding
if (destination.Binding == SAMLBinding.REDIRECT)
{
HttpRedirectBindingBuilder builder = new HttpRedirectBindingBuilder();
builder.RelayState = context.Request.Params["RelayState"];
builder.Response = response.GetXml().OuterXml;
builder.signingKey = FederationConfig.GetConfig().SigningCertificate.GetCertificate().PrivateKey;
string s = destination.Url + "?" + builder.ToQuery();
context.Response.Redirect(s, true);
return;
}
//Respond using post binding
if (destination.Binding == SAMLBinding.POST)
{
HttpPostBindingBuilder builder = new HttpPostBindingBuilder(destination);
builder.Action = SAMLAction.SAMLResponse;
XmlDocument responseDocument = response.GetXml();
XmlSignatureUtils.SignDocument(responseDocument, response.ID);
builder.Response = responseDocument.OuterXml;
builder.RelayState = context.Request.Params["RelayState"];
builder.GetPage().ProcessRequest(context);
return;
}
}
private void HandleResponse(HttpContext context)
{
Trace.TraceMethodCalled(GetType(), "HandleResponse()");
string message = string.Empty;
if (context.Request.RequestType == "GET")
{
HttpRedirectBindingParser parser = new HttpRedirectBindingParser(context.Request.Url);
LogoutResponse response = Serialization.DeserializeFromXmlString <LogoutResponse>(parser.Message);
AuditLogging.logEntry(Direction.IN, Operation.LOGOUTRESPONSE,
string.Format("Binding: redirect, Signature algorithm: {0} Signature: {1}, Message: {2}", parser.SignatureAlgorithm, parser.Signature, parser.Message));
IDPEndPoint idp = RetrieveIDPConfiguration(response.Issuer.Value);
AuditLogging.IdpId = idp.Id;
AuditLogging.AssertionId = response.ID;
if (idp.metadata == null)
{
AuditLogging.logEntry(Direction.IN, Operation.LOGOUTRESPONSE,
string.Format("No IDP metadata, unknown IDP, response: {0}", parser.Message));
HandleError(context, Resources.UnknownIDP);
return;
}
if (!parser.VerifySignature(idp.metadata.Keys))
{
AuditLogging.logEntry(Direction.IN, Operation.LOGOUTRESPONSE,
string.Format("Invalid signature in redirect-binding, response: {0}", parser.Message));
HandleError(context, Resources.SignatureInvalid);
return;
}
message = parser.Message;
}
else if (context.Request.RequestType == "POST")
{
HttpPostBindingParser parser = new HttpPostBindingParser(context);
AuditLogging.logEntry(Direction.IN, Operation.LOGOUTRESPONSE,
"Binding: POST, Message: " + parser.Message);
LogoutResponse response = Serialization.DeserializeFromXmlString <LogoutResponse>(parser.Message);
IDPEndPoint idp = RetrieveIDPConfiguration(response.Issuer.Value);
if (idp.metadata == null)
{
AuditLogging.logEntry(Direction.IN, Operation.LOGOUTRESPONSE,
string.Format("No IDP metadata, unknown IDP, response: {0}", parser.Message));
HandleError(context, Resources.UnknownIDP);
return;
}
if (!parser.IsSigned())
{
AuditLogging.logEntry(Direction.IN, Operation.LOGOUTRESPONSE,
string.Format("Signature not present, response: {0}", parser.Message));
HandleError(context, Resources.SignatureNotPresent);
}
// signature on final message in logout
if (!parser.CheckSignature(idp.metadata.Keys))
{
AuditLogging.logEntry(Direction.IN, Operation.LOGOUTRESPONSE,
string.Format("Invalid signature in post-binding, response: {0}", parser.Message));
HandleError(context, Resources.SignatureInvalid);
}
message = parser.Message;
}
else
{
AuditLogging.logEntry(Direction.IN, Operation.LOGOUTRESPONSE,
string.Format("Unsupported request type format, type: {0}", context.Request.RequestType));
HandleError(context, Resources.UnsupportedRequestTypeFormat(context.Request.RequestType));
}
XmlDocument doc = new XmlDocument();
doc.XmlResolver = null;
doc.PreserveWhitespace = true;
doc.LoadXml(message);
XmlElement statElem =
(XmlElement)doc.GetElementsByTagName(Status.ELEMENT_NAME, Saml20Constants.PROTOCOL)[0];
Status status = Serialization.DeserializeFromXmlString <Status>(statElem.OuterXml);
if (status.StatusCode.Value != Saml20Constants.StatusCodes.Success)
{
AuditLogging.logEntry(Direction.IN, Operation.LOGOUTRESPONSE,
string.Format("Unexpected status code: {0}, msg: {1}", status.StatusCode.Value, message));
HandleError(context, status);
return;
}
AuditLogging.logEntry(Direction.IN, Operation.LOGOUTRESPONSE,
"Assertion validated succesfully");
//Log the user out locally
DoLogout(context);
}
private void TransferClient(IDPEndPoint endpoint, HttpContext context)
{
Trace.TraceMethodCalled(GetType(), "TransferClient()");
Saml20LogoutRequest request = Saml20LogoutRequest.GetDefault();
AuditLogging.AssertionId = request.ID;
AuditLogging.IdpId = endpoint.Id;
// Determine which endpoint to use from the configuration file or the endpoint metadata.
IDPEndPointElement destination =
DetermineEndpointConfiguration(SAMLBinding.REDIRECT, endpoint.SLOEndpoint, endpoint.metadata.SLOEndpoints());
request.Destination = destination.Url;
request.SubjectToLogOut.Format = Saml20PrincipalCache.GetSaml20AssertionLite().Subject.Format;
if (destination.Binding == SAMLBinding.POST)
{
HttpPostBindingBuilder builder = new HttpPostBindingBuilder(destination);
request.Destination = destination.Url;
request.Reason = Saml20Constants.Reasons.User;
request.SubjectToLogOut.Value = Saml20PrincipalCache.GetSaml20AssertionLite().Subject.Value;
request.SessionIndex = Saml20PrincipalCache.GetSaml20AssertionLite().SessionIndex;
XmlDocument requestDocument = request.GetXml();
XmlSignatureUtils.SignDocument(requestDocument, request.ID);
builder.Request = requestDocument.OuterXml;
if (Trace.ShouldTrace(TraceEventType.Information))
{
Trace.TraceData(TraceEventType.Information, string.Format(Tracing.SendLogoutRequest, "POST", endpoint.Id, requestDocument.OuterXml));
}
AuditLogging.logEntry(Direction.OUT, Operation.LOGOUTREQUEST, "Binding: POST");
builder.GetPage().ProcessRequest(context);
context.Response.End();
return;
}
if (destination.Binding == SAMLBinding.REDIRECT)
{
HttpRedirectBindingBuilder builder = new HttpRedirectBindingBuilder();
builder.signingKey = FederationConfig.GetConfig().SigningCertificate.GetCertificate().PrivateKey;
request.Destination = destination.Url;
request.Reason = Saml20Constants.Reasons.User;
request.SubjectToLogOut.Value = Saml20PrincipalCache.GetSaml20AssertionLite().Subject.Value;
request.SessionIndex = Saml20PrincipalCache.GetSaml20AssertionLite().SessionIndex;
builder.Request = request.GetXml().OuterXml;
string redirectUrl = destination.Url + "?" + builder.ToQuery();
if (Trace.ShouldTrace(TraceEventType.Information))
{
Trace.TraceData(TraceEventType.Information, string.Format(Tracing.SendLogoutRequest, "REDIRECT", endpoint.Id, redirectUrl));
}
AuditLogging.logEntry(Direction.OUT, Operation.LOGOUTREQUEST, "Binding: Redirect");
context.Response.Redirect(redirectUrl, true);
return;
}
if (destination.Binding == SAMLBinding.ARTIFACT)
{
if (Trace.ShouldTrace(TraceEventType.Information))
{
Trace.TraceData(TraceEventType.Information, string.Format(Tracing.SendLogoutRequest, "ARTIFACT", endpoint.Id, string.Empty));
}
request.Destination = destination.Url;
request.Reason = Saml20Constants.Reasons.User;
request.SubjectToLogOut.Value = Saml20PrincipalCache.GetSaml20AssertionLite().Subject.Value;
request.SessionIndex = Saml20PrincipalCache.GetSaml20AssertionLite().SessionIndex;
HttpArtifactBindingBuilder builder = new HttpArtifactBindingBuilder(context);
AuditLogging.logEntry(Direction.OUT, Operation.LOGOUTREQUEST, "Method: Artifact");
builder.RedirectFromLogout(destination, request, Guid.NewGuid().ToString("N"));
}
HandleError(context, Resources.BindingError);
}
private void TransferClient(IDPEndPoint idpEndpoint, Saml20AuthnRequest request, SamlHttpContext context)
{
AuditLogging.AssertionId = request.ID;
AuditLogging.IdpId = idpEndpoint.Id;
// Determine which endpoint to use from the configuration file or the endpoint metadata.
IDPEndPointElement destination =
DetermineEndpointConfiguration(SAMLBinding.REDIRECT, idpEndpoint.SSOEndpoint, idpEndpoint.metadata.SSOEndpoints());
request.Destination = destination.Url;
bool isPassive;
string isPassiveAsString = context.Request.Params[IDPIsPassive];
if (bool.TryParse(isPassiveAsString, out isPassive))
{
request.IsPassive = isPassive;
}
if (idpEndpoint.IsPassive)
{
request.IsPassive = true;
}
bool forceAuthn;
string forceAuthnAsString = context.Request.Params[IDPForceAuthn];
if (bool.TryParse(forceAuthnAsString, out forceAuthn))
{
request.ForceAuthn = forceAuthn;
}
if (idpEndpoint.ForceAuthn)
{
request.ForceAuthn = true;
}
if (idpEndpoint.SSOEndpoint != null)
{
if (!string.IsNullOrEmpty(idpEndpoint.SSOEndpoint.ForceProtocolBinding))
{
request.ProtocolBinding = idpEndpoint.SSOEndpoint.ForceProtocolBinding;
}
}
//Save request message id to session
SessionFactory.SessionContext.Current[SessionConstants.ExpectedInResponseTo] = request.ID;
if (destination.Binding == SAMLBinding.REDIRECT)
{
Trace.TraceData(TraceEventType.Information, string.Format(Tracing.SendAuthnRequest, Saml20Constants.ProtocolBindings.HTTP_Redirect, idpEndpoint.Id));
HttpRedirectBindingBuilder builder = new HttpRedirectBindingBuilder();
builder.signingKey = _certificate.PrivateKey;
builder.Request = request.GetXml().OuterXml;
string s = request.Destination + "?" + builder.ToQuery();
AuditLogging.logEntry(Direction.OUT, Operation.AUTHNREQUEST_REDIRECT, "Redirecting user to IdP for authentication", builder.Request);
context.Response.Redirect(s, true);
return;
}
if (destination.Binding == SAMLBinding.POST)
{
throw new NotImplementedException("HttpPostBindingBuilder not ported");
//Trace.TraceData(TraceEventType.Information, string.Format(Tracing.SendAuthnRequest, Saml20Constants.ProtocolBindings.HTTP_Post, idpEndpoint.Id));
//HttpPostBindingBuilder builder = new HttpPostBindingBuilder(destination);
////Honor the ForceProtocolBinding and only set this if it's not already set
//if (string.IsNullOrEmpty(request.ProtocolBinding))
// request.ProtocolBinding = Saml20Constants.ProtocolBindings.HTTP_Post;
//XmlDocument req = request.GetXml();
//XmlSignatureUtils.SignDocument(req, request.ID);
//builder.Request = req.OuterXml;
//AuditLogging.logEntry(Direction.OUT, Operation.AUTHNREQUEST_POST);
//builder.GetPage().ProcessRequest(context);
//return;
}
if (destination.Binding == SAMLBinding.ARTIFACT)
{
Trace.TraceData(TraceEventType.Information, string.Format(Tracing.SendAuthnRequest, Saml20Constants.ProtocolBindings.HTTP_Artifact, idpEndpoint.Id));
HttpArtifactBindingBuilder builder = new HttpArtifactBindingBuilder(context);
//Honor the ForceProtocolBinding and only set this if it's not already set
if (string.IsNullOrEmpty(request.ProtocolBinding))
{
request.ProtocolBinding = Saml20Constants.ProtocolBindings.HTTP_Artifact;
}
AuditLogging.logEntry(Direction.OUT, Operation.AUTHNREQUEST_REDIRECT_ARTIFACT);
builder.RedirectFromLogin(destination, request);
}
HandleError(context, Resources.BindingError);
}
/// <summary>
/// Deserializes an assertion, verifies its signature and logs in the user if the assertion is valid.
/// </summary>
private void HandleAssertion(SamlHttpContext context, XmlElement elem)
{
Trace.TraceMethodCalled(GetType(), "HandleAssertion");
string issuer = GetIssuer(elem);
IDPEndPoint endp = RetrieveIDPConfiguration(issuer);
AuditLogging.IdpId = endp.Id;
PreHandleAssertion(context, elem, endp);
bool quirksMode = false;
if (endp != null)
{
quirksMode = endp.QuirksMode;
}
Saml20Assertion assertion = new Saml20Assertion(elem, null, AssertionProfile.Core, quirksMode);
if (endp == null || endp.metadata == null)
{
AuditLogging.logEntry(Direction.IN, Operation.AUTHNREQUEST_POST,
"Unknown login IDP, assertion: " + elem);
HandleError(context, Resources.UnknownLoginIDP);
return;
}
if (!endp.OmitAssertionSignatureCheck)
{
// var keys = endp.metadata.GetKeys(KeyTypes.signing); // don't be so fussy about the key type (e.g. Centrify's keys are only marked as encryption keys)
var keys = endp.metadata.Keys;
if (!assertion.CheckSignature(GetTrustedSigners(keys, endp)))
{
AuditLogging.logEntry(Direction.IN, Operation.AUTHNREQUEST_POST,
"Invalid signature, assertion: " + elem);
HandleError(context, Resources.SignatureInvalid);
return;
}
}
if (assertion.IsExpired())
{
AuditLogging.logEntry(Direction.IN, Operation.AUTHNREQUEST_POST,
"Assertion expired, assertion: " + elem.OuterXml);
HandleError(context, Resources.AssertionExpired);
return;
}
// Only check if assertion has the required assurancelevel if it is present.
string assuranceLevel = GetAssuranceLevel(assertion);
string minimumAssuranceLevel = SAML20FederationConfig.GetConfig().MinimumAssuranceLevel;
if (assuranceLevel != null)
{
// Assurance level is ok if the string matches the configured minimum assurance level. This is in order to support the value "Test". However, normally the value will be an integer
if (assuranceLevel != minimumAssuranceLevel)
{
// If strings are different it is still ok if the assertion has stronger assurance level than the minimum required.
int assuranceLevelAsInt;
int minimumAssuranceLevelAsInt;
if (!int.TryParse(assuranceLevel, out assuranceLevelAsInt) ||
!int.TryParse(minimumAssuranceLevel, out minimumAssuranceLevelAsInt) ||
assuranceLevelAsInt < minimumAssuranceLevelAsInt)
{
string errorMessage = string.Format(Resources.AssuranceLevelTooLow, assuranceLevel,
minimumAssuranceLevel);
AuditLogging.logEntry(Direction.IN, Operation.AUTHNREQUEST_POST,
errorMessage + " Assertion: " + elem.OuterXml);
HandleError(context,
string.Format(Resources.AssuranceLevelTooLow, assuranceLevel, minimumAssuranceLevel));
return;
}
}
}
CheckConditions(context, assertion);
AuditLogging.AssertionId = assertion.Id;
AuditLogging.logEntry(Direction.IN, Operation.AUTHNREQUEST_POST,
"Assertion validated succesfully");
DoLogin(context, assertion);
}