protected void Page_Load(object sender, EventArgs e) { // Receive the single logout request or response. // If a request is received then single logout is being initiated by the service provider. // If a response is received then this is in response to single logout having been initiated by the identity provider. bool isRequest = false; bool hasCompleted = false; string logoutReason = null; string partnerSP = null; string relayState = null; SAMLIdentityProvider.ReceiveSLO(Request, Response, out isRequest, out hasCompleted, out logoutReason, out partnerSP, out relayState); if (isRequest) { // Logout locally. FormsAuthentication.SignOut(); // Respond to the SP-initiated SLO request indicating successful logout. SAMLIdentityProvider.SendSLO(Response, null); } else { if (hasCompleted) { // IdP-initiated SLO has completed. Response.Redirect("~/"); } } }
protected void ssoLinkButton_Click(object sender, EventArgs e) { // Initiate single sign-on to the service provider (IdP-initiated SSO) // by sending a SAML response containing a SAML assertion to the SP. // Use the configured or logged in user name as the user name to send to the service provider (SP). // Include some user attributes. // If no target URL is specified the SP should display its default page. string partnerSP = WebConfigurationManager.AppSettings[AppSettings.PartnerSP]; string targetUrl = WebConfigurationManager.AppSettings[AppSettings.TargetUrl]; string userName = WebConfigurationManager.AppSettings[AppSettings.SubjectName]; if (string.IsNullOrEmpty(userName)) { userName = User.Identity.Name; } IDictionary <string, string> attributes = new Dictionary <string, string>(); foreach (string key in WebConfigurationManager.AppSettings.Keys) { if (key.StartsWith(AppSettings.Attribute)) { attributes[key.Substring(AppSettings.Attribute.Length + 1)] = WebConfigurationManager.AppSettings[key]; } } SAMLIdentityProvider.InitiateSSO( Response, userName, attributes, targetUrl, partnerSP); }
public ActionResult SLOService() { var isRequest = false; var hasCompleted = false; var logoutReason = default(string); var partnerSP = default(string); SAMLIdentityProvider.ReceiveSLO( Request, Response, out isRequest, out hasCompleted, out logoutReason, out partnerSP); // If this is a request, then the logout was initiated by a partner SP. if (isRequest) { Response.ForgetUserIdentity(); SAMLIdentityProvider.SendSLO(Response, null); } else if (hasCompleted) { // IdP-initiated SLO has completed. Response.ForgetUserIdentity(); Response.Redirect("~/"); } return(new EmptyResult()); }
public ActionResult SLOService() { // Receive the single logout request or response. // If a request is received then single logout is being initiated by the service provider. // If a response is received then this is in response to single logout having been initiated by the identity provider. bool isRequest = false; bool hasCompleted = false; string logoutReason = null; string partnerSP = null; SAMLIdentityProvider.ReceiveSLO(Request, Response, out isRequest, out hasCompleted, out logoutReason, out partnerSP); if (isRequest) { // Logout locally. FormsAuthentication.SignOut(); // Respond to the SP-initiated SLO request indicating successful logout. SAMLIdentityProvider.SendSLO(Response, null); } else { if (hasCompleted) { // IdP-initiated SLO has completed. Response.Redirect("~/"); } } return(new EmptyResult()); }
protected void ssoLinkButton_Click(object sender, EventArgs e) { string partnerSP = WebConfigurationManager.AppSettings[AppSettings.PartnerSP]; string targetUrl = WebConfigurationManager.AppSettings[AppSettings.TargetUrl]; string userName = WebConfigurationManager.AppSettings[AppSettings.SubjectName]; if (string.IsNullOrEmpty(userName)) { userName = User.Identity.Name; } IDictionary <string, string> attributes = new Dictionary <string, string>(); foreach (string key in WebConfigurationManager.AppSettings.Keys) { if (key.StartsWith(AppSettings.Attribute)) { attributes[key.Substring(AppSettings.Attribute.Length + 1)] = WebConfigurationManager.AppSettings[key]; } } SAMLIdentityProvider.InitiateSSO( Response, userName, attributes, targetUrl, partnerSP); }
protected void Page_Load(object sender, EventArgs e) { // Receive an authn request from an enhanced client or proxy (ECP). string partnerSP = null; SAMLIdentityProvider.ReceiveSSO(Request, out partnerSP); // In this example, the user's credentials are assumed to be included in the HTTP authorization header. // The application should authenticate the user against some user registry. // In this example, the credentials are assumed to be valid and no check is made. string userName = null; string password = null; HttpBasicAuthentication.GetAuthorizationHeader(Request, out userName, out password); // Respond to the authn request by sending a SAML response containing a SAML assertion to the SP. // Use the configured or logged in user name as the user name to send to the service provider (SP). // Include some user attributes. if (!string.IsNullOrEmpty(WebConfigurationManager.AppSettings[AppSettings.SubjectName])) { userName = WebConfigurationManager.AppSettings[AppSettings.SubjectName]; } IDictionary <string, string> attributes = new Dictionary <string, string>(); foreach (string key in WebConfigurationManager.AppSettings.Keys) { if (key.StartsWith(AppSettings.Attribute)) { attributes[key.Substring(AppSettings.Attribute.Length + 1)] = WebConfigurationManager.AppSettings[key]; } } SAMLIdentityProvider.SendSSO(Response, userName, attributes); }
private static void ReceiveAuthnRequest(XmlElement xmlElement) { SAML.HttpContext = new SAMLHttpContext(); SAMLHttpRequest samlHttpRequest = new SAMLHttpRequest(xmlElement, null, null, null); string partnerSP = null; SAMLIdentityProvider.ReceiveSSO(samlHttpRequest, out partnerSP); Console.WriteLine("Partner SP: {0}", partnerSP); }
public ActionResult SSOService() { // This method is called either by an SP request for authentication or, // as part of that process, by the local AccountController Login method. // Once we've received the request, the Session will be set with a temporary // flag to indicate that we have already retrieved the SP authentication // request. var ssoReceived = Session.GetValue(SSOReceivedSessionKey, false); var partnerSP = default(string); if (!ssoReceived) { SAMLIdentityProvider.ReceiveSSO(Request, out partnerSP); Session[SSOReceivedSessionKey] = true; Session[PartnerSPSessionKey] = partnerSP; } else { partnerSP = Session.GetValue(PartnerSPSessionKey); } // If a user isn't logged in locally, get them logged in. We'll return to // this method via the returnUrl. UpdateUser(); if (!User.Identity.IsAuthenticated) { return(RedirectToAction("LogIn", "Account", new { returnUrl = Request.Url.AbsolutePath })); } // If we are here, then the user is logged in locally, we've received // an external request for authentication from an SP, and we need to send a // SAML response. Session[SSOReceivedSessionKey] = null; Session[PartnerSPSessionKey] = null; var user = Database.Find <UserDoc>(u => u.Id == (User as UserModel).Id); var attributes = new Dictionary <string, string>(); foreach (var attr in user.Attributes.Where(a => a.PartnerSP == partnerSP)) { attributes[attr.Name] = attr.Value; } SAMLIdentityProvider.SendSSO( Response, User.Identity.Name, attributes as IDictionary <string, string>); return(new EmptyResult()); }
public ActionResult SSOService() { // Either an authn request has been received or login has just completed in response to a previous authn request. // The SSO pending session flag is false if an authn request is expected. Otherwise, it is true if // a login has just completed and control is being returned to this page. bool ssoPending = Session[ssoPendingSessionKey] != null && (bool)Session[ssoPendingSessionKey] == true; if (!(ssoPending && User.Identity.IsAuthenticated)) { string partnerSP = null; // Receive the authn request from the service provider (SP-initiated SSO). SAMLIdentityProvider.ReceiveSSO(Request, out partnerSP); // If the user isn't logged in at the identity provider, force the user to login. if (!User.Identity.IsAuthenticated) { Session[ssoPendingSessionKey] = true; FormsAuthentication.RedirectToLoginPage(); return(new EmptyResult()); } } Session[ssoPendingSessionKey] = null; // The user is logged in at the identity provider. // Respond to the authn request by sending a SAML response containing a SAML assertion to the SP. // Use the configured or logged in user name as the user name to send to the service provider (SP). // Include some user attributes. string userName = WebConfigurationManager.AppSettings[AppSettings.SubjectName]; if (string.IsNullOrEmpty(userName)) { userName = User.Identity.Name; } IDictionary <string, string> attributes = new Dictionary <string, string>(); foreach (string key in WebConfigurationManager.AppSettings.Keys) { if (key.StartsWith(AppSettings.Attribute)) { attributes[key.Substring(AppSettings.Attribute.Length + 1)] = WebConfigurationManager.AppSettings[key]; } } SAMLIdentityProvider.SendSSO(Response, userName, attributes); return(new EmptyResult()); }
public ActionResult LogOff() { // Logout locally. AuthenticationManager.SignOut(DefaultAuthenticationTypes.ApplicationCookie); if (SAMLIdentityProvider.CanSLO()) { // Request logout at the service providers. SAMLIdentityProvider.InitiateSLO(Response, null, null); return(new EmptyResult()); } return(RedirectToAction("Index", "Home")); }
public ActionResult Logout() { // Logout locally. FormsAuthentication.SignOut(); if (SAMLIdentityProvider.CanSLO()) { // Request logout at the service providers. SAMLIdentityProvider.InitiateSLO(Response, null, null); return(new EmptyResult()); } return(RedirectToAction("Index", "Home")); }
protected void logoutButton_Click(object sender, EventArgs e) { // Logout locally. FormsAuthentication.SignOut(); if (SAMLIdentityProvider.CanSLO()) { // Request logout at the service providers. SAMLIdentityProvider.InitiateSLO(Response, null, null); } else { FormsAuthentication.RedirectToLoginPage(); } }
private void CompleteSingleSignOn() { // Get the name of the logged in user. var userName = User.Identity.Name; // For demonstration purposes, include some claims. var attributes = new Dictionary <string, string>(); foreach (var claim in ((ClaimsIdentity)User.Identity).Claims) { attributes[claim.Type] = claim.Value; } // The user is logged in at the identity provider. // Respond to the authn request by sending a SAML response containing a SAML assertion to the SP. SAMLIdentityProvider.SendSSO(Response, userName, attributes); }
public ActionResult SingleSignOnService() { // Receive the authn request from the service provider (SP-initiated SSO). SAMLIdentityProvider.ReceiveSSO(Request, out var partnerName); // If the user is logged in at the identity provider, complete SSO immediately. // Otherwise have the user login before completing SSO. if (User.Identity.IsAuthenticated) { CompleteSingleSignOn(); return(new EmptyResult()); } else { return(RedirectToAction("SingleSignOnServiceCompletion")); } }
public ActionResult SingleLogoutService() { // Receive the single logout request or response. // If a request is received then single logout is being initiated by a partner service provider. // If a response is received then this is in response to single logout having been initiated by the identity provider. bool isRequest; bool hasCompleted; string logoutReason; string partnerName; string relayState; SAMLIdentityProvider.ReceiveSLO( Request, Response, out isRequest, out hasCompleted, out logoutReason, out partnerName, out relayState); if (isRequest) { // Logout locally. HttpContext.GetOwinContext().Authentication.SignOut(DefaultAuthenticationTypes.ApplicationCookie); // Respond to the SP-initiated SLO request indicating successful logout. SAMLIdentityProvider.SendSLO(Response, null); } else { if (hasCompleted) { // IdP-initiated SLO has completed. if (!string.IsNullOrEmpty(relayState) && Url.IsLocalUrl(relayState)) { return(Redirect(relayState)); } return(RedirectToAction("Index", "Home")); } } return(new EmptyResult()); }
private static void ReceiveLogoutMessageFromServiceProvider(XmlElement xmlElement) { SAML.HttpContext = new SAMLHttpContext(); SAMLHttpRequest samlHttpRequest = new SAMLHttpRequest(xmlElement, null, null, null); SAMLHttpResponse samlHttpResponse = new SAMLHttpResponse(); bool isRequest = false; bool hasCompleted = false; string logoutReason = null; string partnerSP = null; string relayState = null; SAMLIdentityProvider.ReceiveSLO(samlHttpRequest, samlHttpResponse, out isRequest, out hasCompleted, out logoutReason, out partnerSP, out relayState); Console.WriteLine("Logout request: {0}", isRequest); Console.WriteLine("Logout completed: {0}", hasCompleted); Console.WriteLine("Logout reason: {0}", logoutReason); Console.WriteLine("Partner SP: {0}", partnerSP); }
public ActionResult SLOService() { // Receive the single logout request or response. // If a request is received then single logout is being initiated by the service provider. // If a response is received then this is in response to single logout having been initiated by the identity provider. bool isRequest = false; bool hasCompleted = false; string logoutReason = null; string partnerSP = null; string relayState = null; SAMLIdentityProvider.ReceiveSLO(Request, Response, out isRequest, out hasCompleted, out logoutReason, out partnerSP, out relayState); if (isRequest) { // Logout locally. FormsAuthentication.SignOut(); string logoutPath = UtilityMethods.ReadConfigValue("pathLogout"); _log.Debug("Calling " + logoutPath); string logoutResponse = WebServiceRequester.MakeWebPageCall(logoutPath); this.HttpContext.CleanupCookies(); // Respond to the SP-initiated SLO request indicating successful logout. SAMLIdentityProvider.SendSLO(Response, null); } else { if (hasCompleted) { // IdP-initiated SLO has completed. Response.Redirect("~/"); } } return(new EmptyResult()); }
public ActionResult SingleSignOn() { // Initiate single sign-on to the service provider (IdP-initiated SSO) // by sending a SAML response containing a SAML assertion to the SP. // Use the configured or logged in user name as the user name to send to the service provider (SP). // Include some user attributes. // If a target URL is specified the SP should display this page once SSO completes. string partnerSP = WebConfigurationManager.AppSettings[AppSettings.PartnerSP]; string targetUrl = WebConfigurationManager.AppSettings[AppSettings.TargetUrl]; string userName = WebConfigurationManager.AppSettings[AppSettings.SubjectName]; if (string.IsNullOrEmpty(userName)) { userName = User.Identity.Name; } IDictionary <string, string> attributes = new Dictionary <string, string>(); foreach (string key in WebConfigurationManager.AppSettings.Keys) { if (key.StartsWith(AppSettings.Attribute)) { attributes[key.Substring(AppSettings.Attribute.Length + 1)] = WebConfigurationManager.AppSettings[key]; } } SAMLIdentityProvider.InitiateSSO( Response, userName, attributes, targetUrl, partnerSP); return(new EmptyResult()); }
public ActionResult IdpSloService() { bool isRequest, hasCompleted; string logoutReason, partnerSp; SAMLIdentityProvider.ReceiveSLO(Request, Response, out isRequest, out hasCompleted, out logoutReason, out partnerSp); if (isRequest) { SessionHelper.Set(SourceDomainSessionKey, null); SessionHelper.Set(UserSessionKey, null); SAMLIdentityProvider.SendSLO(Response, null); } else { if (hasCompleted) { Response.Redirect("~/"); } } return(new EmptyResult()); }
public ActionResult InitiateSingleSignOn() { // Get the name of the logged in user. var userName = User.Identity.Name; // For demonstration purposes only, include all the claims as SAML attributes. // To include a specific claim: ((ClaimsIdentity) User.Identity).FindFirst(ClaimTypes.GivenName). var attributes = new Dictionary <string, string>(); foreach (var claim in ((ClaimsIdentity)User.Identity).Claims) { attributes[claim.Type] = claim.Value; } var partnerName = WebConfigurationManager.AppSettings["PartnerName"]; var relayState = WebConfigurationManager.AppSettings["TargetUrl"]; // Initiate single sign-on to the service provider (IdP-initiated SSO) // by sending a SAML response containing a SAML assertion to the SP. // The optional relay state normally specifies the target URL once SSO completes. SAMLIdentityProvider.InitiateSSO(Response, userName, attributes, relayState, partnerName); return(new EmptyResult()); }
public ActionResult SSOService() { // Either an authn request has been received or login has just completed in response to a previous authn request. _log.Debug("SSO Service Begin"); string partnerSP = null; string myCurrentSP = SAMLIdentityProvider.GetPartnerPendingResponse(); Dictionary <string, object> paramDictionary = new Dictionary <string, object> { { "optionalParam", Request.Params["optionalParam"] } }; if (Request.Form.AllKeys.Contains("SAMLRequest") || (Request.QueryString.AllKeys.Contains("SAMLRequest") && (Request.QueryString.AllKeys.Contains("RelayState") || Request.QueryString.AllKeys.Contains("Signature")))) { // Receive the authn request from the service provider (SP-initiated SSO). _log.Debug("Calling ReceiveSSO"); SAMLIdentityProvider.ReceiveSSO(Request, out partnerSP); myCurrentSP = SAMLIdentityProvider.GetPartnerPendingResponse(); _log.Debug("Received SSO from " + partnerSP); } // If the user isn't logged in at the identity provider, force the user to login. if (!User.Identity.IsAuthenticated) { _log.Debug("Redirecting to login"); FormsAuthentication.RedirectToLoginPage(); return(new EmptyResult()); } // The user is logged in at the identity provider. // Respond to the authn request by sending a SAML response containing a SAML assertion to the SP. // Use the configured or logged in user name as the user name to send to the service provider (SP). // Include some user attributes. string userName = WebConfigurationManager.AppSettings[AppSettings.SubjectName]; IDictionary <string, string> attributes = new Dictionary <string, string>(); if (string.IsNullOrEmpty(userName)) { try { string memberPath = UtilityMethods.ReadConfigValue("pathGetMember"); _log.Debug("Calling " + memberPath); string memberResponse = WebServiceRequester.MakeServiceCall(memberPath); SiteMemberModel memberModel = UtilityMethods.DeserializeResponse <SiteMemberModel>(memberResponse); userName = memberModel.MembershipId.ToString(); bool getsAdditionalValues = true; //determine which SP, and populate the respective member attributes myCurrentSP = SAMLIdentityProvider.GetPartnerPendingResponse(); //Connection with remote Learner if (myCurrentSP.Contains("oldmoney.remote-learner.net") || myCurrentSP.Contains("saltcourses.saltmoney.org")) { attributes = AddRemoteLearnerAttributes(attributes, memberModel); //Setup (create/update) user in Courses MoodleUser mu = new MoodleUser(memberModel); mu.SetupUser(); } if (myCurrentSP.Contains("sso.online.tableau.com")) { attributes = AddTableauAttributes(attributes, memberModel); } if (myCurrentSP.Contains("community.saltmoney.org")) { String optionalParam = (String)paramDictionary["optionalParam"]; attributes = AddJiveAttributes(attributes, memberModel, optionalParam); } _log.Debug("Calling AddSSOCoreAttributes"); attributes = AddSSOCoreAttributes(attributes, memberModel, myCurrentSP, getsAdditionalValues); _log.Debug("Returned from AddSSOCoreAttributes with " + attributes.Count() + " Attributes"); } catch (Exception ex) { _log.Error(ex); throw ex; } } try { _log.Debug("Calling SendSSO for " + userName); SAMLIdentityProvider.SendSSO(Response, userName, attributes); } catch (Exception ex) { _log.Error(ex); throw ex; } return(new EmptyResult()); }
public ActionResult SingleSignOn(string attributes, string targetUrl, string partnerSP) { try { // Initiate single sign-on to the service provider (IdP-initiated SSO)] // by sending a SAML response containing a SAML assertion to the SP. // get the member id (was IWS number) from the database var member = Services.MemberService.GetByUsername(User.Identity.Name); Trace.TraceInformation(DateTime.Now.ToShortTimeString() + ":" + string.Format("---------------------USER '{0}' initiated the SSO---------------------", member.Username)); // Create a dictionary of attributes to add to the SAML assertion var attribs = new Dictionary <string, string>(); ///////////////////////////////////////////////////////////////////////// // SAML Parameter Configurations ///////////////////////////////////////////////////////////////////////// // Attributes for StatDoctors if (partnerSP == "StatDoctors") { string AccountUniqueContactId = member.GetValue("yNumber").ToString(); string AccountFamilyId = member.GetValue("yNumber").ToString(); if (AccountFamilyId.Length > 7) { AccountFamilyId = AccountFamilyId.Substring(0, 7); } string FamilyDependentId = member.GetValue("yNumber").ToString(); if (FamilyDependentId.Length > 7) { FamilyDependentId = FamilyDependentId.Substring(7, 2); } { // Create attribute list an populate with needed data var attrib = new Dictionary <string, string> { { "AccountUniqueContactId", AccountUniqueContactId }, { "AccountFamilyId", AccountFamilyId }, { "FamilyDependentId", FamilyDependentId }, { "PartnerId", "AC4134" }, { "PartnerAccountId", "" }, { "ReturnUrl", "" } }; // Send an IdP initiated SAML assertion SAMLIdentityProvider.InitiateSSO( Response, member.GetValue("yNumber").ToString(), attrib, "", partnerSP); } } // Attributes for US Script if (partnerSP == "USScript") { string yNumber = member.GetValue("yNumber").ToString(); if (yNumber.Length > 7) { yNumber = yNumber.Substring(0, 7); } var samlAttributes = new Dictionary <string, string> { { "urn:uss:saml:attrib::id", yNumber }, { "urn:uss:saml:attrib::firstname", member.GetValue("msFirstName").ToString() }, { "urn:uss:saml:attrib::lastname", member.GetValue("msLastName").ToString() }, { "urn:uss:saml:attrib::groupid", member.GetValue("groupId").ToString() }, { "urn:uss:saml:attrib::dateofbirth", Convert.ToDateTime(member.GetValue("birthday")).ToString("yyyy-MM-dd") }, { "urn:uss:saml:attrib::email", member.Email } }; PgpSAML20Assertion.GuideSSO(Response, partnerSP, String.Empty, samlAttributes); } // Attributes for MagnaCare if (partnerSP == "MagnaCare") { var samlAttributes = new Dictionary <string, string> { { "member:id", member.GetValue("yNumber").ToString() }, { "member:first_name", member.GetValue("msFirstName").ToString() }, { "member:last_name", member.GetValue("msLastName").ToString() }, { "member:product", member.GetValue("healthPlanName").ToString() } }; SAML20Assertion.GuideSSO(Response, partnerSP, member.GetValue("yNumber").ToString(), samlAttributes); } // Attributes for HealthX if (partnerSP == "https://secure.healthx.com/PublicService/SSO/AutoLogin.aspx" || partnerSP == "https://secure.healthx.com/PublicService/SSO/AutoLogin.aspx?mobile=1") { // Create attribute list an populate with needed data var attrib = new List <SAMLAttribute> { // Version 1 is constant value set by HealthX new SAMLAttribute("Version", "urn:oasis:names:tc:SAML:2.0:attrname-format:uri", "Version", "xs:string", "1"), // This is the site ID and is redundant since it is in the Assertion consumer url. I added this for completeness new SAMLAttribute("ServiceId", "urn:oasis:names:tc:SAML:2.0:attrname-format:uri", "ServiceID", "xs:string", "d99bfe58-3896-4eb6-9586-d2f9ae673052"), // This is the service ID and is redundant since it is in the Assertion consumer url. I added this for completeness new SAMLAttribute("SiteId", "urn:oasis:names:tc:SAML:2.0:attrname-format:uri", "SiteId", "xs:string", "e6fa832c-fbd3-48c7-860f-e4f04b22bab7"), new SAMLAttribute("RelationshipCode", "urn:oasis:names:tc:SAML:2.0:attrname-format:uri", "RelationshipCode", "xs:string", "18"), new SAMLAttribute("UserId", "urn:oasis:names:tc:SAML:2.0:attrname-format:uri", "UserId", "xs:string", member.GetValue("yNumber").ToString().ToUpper()), new SAMLAttribute("MemberLastName", "urn:oasis:names:tc:SAML:2.0:attrname-format:uri", "MemberLastName", "xs:string", member.GetValue("msLastName").ToString().ToUpper()), new SAMLAttribute("MemberFirstName", "urn:oasis:names:tc:SAML:2.0:attrname-format:uri", "MemberFirstName", "xs:string", member.GetValue("msFirstName").ToString().ToUpper()), new SAMLAttribute("UserLastName", "urn:oasis:names:tc:SAML:2.0:attrname-format:uri", "UserLastName", "xs:string", member.GetValue("msLastName").ToString().ToUpper()), new SAMLAttribute("UserFirstName", "urn:oasis:names:tc:SAML:2.0:attrname-format:uri", "UserFirstName", "xs:string", member.GetValue("msFirstName").ToString().ToUpper()) }; // Nest a node named ServiceId in the RedirectInfo attribute // Add a serializer to allow the nesting of the serviceid attribute without it being url encoded if (!AttributeType.IsAttributeValueSerializerRegistered("RedirectInfo", null)) { AttributeType.RegisterAttributeValueSerializer("RedirectInfo", null, new XmlAttributeValueSerializer()); } // Add Redirect Info xml var xmlRedirectInfo = new XmlDocument { PreserveWhitespace = true }; xmlRedirectInfo.LoadXml(targetUrl); var attrRedirectInfo = new SAMLAttribute("RedirectInfo", "urn:oasis:names:tc:SAML:2.0:attrname-format:basic", "RedirectInfo"); attrRedirectInfo.Values.Add(new AttributeValue(xmlRedirectInfo.DocumentElement)); attrib.Add(attrRedirectInfo); // Send an IdP initiated SAML assertion SAMLIdentityProvider.InitiateSSO( Response, member.GetValue("yNumber").ToString(), attrib.ToArray(), "", partnerSP); } // Attributes for Morneau Shapell if (partnerSP == "SBCSystems") { // Replace the template variables in the url if (targetUrl.IndexOf("<%PLANID%>") != -1) { targetUrl = targetUrl.Replace("<%PLANID%>", member.GetValue("healthplanid").ToString()); } // Replace "initialEnrollment" with "specialEnrollmentSelect" if outside of 11/15-3/31 if (targetUrl.Contains("initialEnrollment") && !IsInInitialEnrollmentPeriod()) { targetUrl = targetUrl.Replace("initialEnrollment", "specialEnrollmentSelect"); } // Send an IdP initiated SAML assertion SAMLIdentityProvider.InitiateSSO( Response, member.GetValue("memberId").ToString(), attribs, targetUrl, partnerSP); } // Add the response to the ViewBag so we can access it on the front end if we need to ViewBag.Response = Response; TempData["response"] = Response; // Return an empty response since we wait for the SAML consumer to send us the requested page return(new EmptyResult()); } catch (Exception ex) { // Create an error message with sufficient info to contact the user string additionalInfo = "SSO Error for user " + User.Identity.Name + ". Partner: " + partnerSP + ". TargetUrl: " + targetUrl + "."; // Add the error message to the log4net output log4net.GlobalContext.Properties["additionalInfo"] = additionalInfo; // Log the error logger.Error("Unable to use SSO", ex); return(new EmptyResult()); } }
public async Task <ActionResult> SSOService() { var logger = log4net.LogManager.GetLogger("SAMLController"); logger.Info("SSOService() - Single sign-on service entered"); var pendingSessionKey = Session[ssoPendingSessionKey]; logger.Debug("Session[ssoPendingSessionKey] = " + ((pendingSessionKey == null) ? "null" : pendingSessionKey.ToString())); // Either an authn request has been received or login has just completed in response to a previous authn request. // The SSO pending session flag is false if an authn request is expected. Otherwise, it is true if // a login has just completed and control is being returned to this page. bool ssoPending = pendingSessionKey != null && (bool)Session[ssoPendingSessionKey] == true; logger.Debug("ssoPending = " + ssoPending.ToString()); logger.Debug("User.Identity.IsAuthenticated = " + User.Identity.IsAuthenticated.ToString()); if (!(ssoPending && User.Identity.IsAuthenticated)) { string partnerSP = null; // Receive the authn request from the service provider (SP-initiated SSO). SAMLIdentityProvider.ReceiveSSO(Request, out partnerSP); logger.Debug("partnerSP = " + partnerSP); // If the user isn't logged in at the identity provider, force the user to login. if (!User.Identity.IsAuthenticated) { Session[ssoPendingSessionKey] = true; logger.Info("User not authenticated, redirecting to login page()"); FormsAuthentication.RedirectToLoginPage(); return(new EmptyResult()); } } Session[ssoPendingSessionKey] = null; // The user is logged in at the identity provider. // Respond to the authn request by sending a SAML response containing a SAML assertion to the SP. // Use the configured or logged in user name as the user name to send to the service provider (SP). // Include some user attributes. var userName = WebConfigurationManager.AppSettings[AppSettings.SubjectName]; var identity = (ClaimsIdentity)User.Identity; if (string.IsNullOrEmpty(userName)) { var bid = identity.FindFirst("bid_id"); if (bid == null) { logger.Info("bid_id claim not found, redirecting to login page"); FormsAuthentication.RedirectToLoginPage(); return(new EmptyResult()); } userName = bid.Value; var firstName = identity.FindFirst("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname"); var lastName = identity.FindFirst("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname"); logger.Info("Username obtained from BankID : " + userName); logger.Info("Firstname from BankID : " + ((firstName == null) ? "<not provided>" : firstName.Value)); logger.Info("Lastname from BankID : " + ((lastName == null) ? "<not provided>" : lastName.Value)); var iseSettings = Utility.Configuration.Settings.IseServer; var iseUri = new UriBuilder("https", iseSettings.ServerIP.ToString(), 9060); var developerConnection = new CiscoISE.ISEConnection(iseUri.Uri, iseSettings.ApiUsername, iseSettings.ApiPassword); var portals = await CiscoISE.Portals.Get(developerConnection); if (portals == null) { throw new Exception("Could not access ISE to enumerate portals"); } logger.Debug("Retrieved portals from the Cisco ISE server using the API account"); // TODO : Research whether this is the best way to get the sponsor portal. var sponsorPortal = portals.Where(x => x.Name == "Sponsor Portal (default)").FirstOrDefault(); if (sponsorPortal == null) { throw new Exception("Could not access ISE to find GUID for Sponsor Portal (default)"); } logger.Debug("Sponsor portal found on ISE server : " + sponsorPortal.Name); var sponsorConnection = new CiscoISE.ISEConnection(iseUri.Uri, iseSettings.SponsorPortalUsername, iseSettings.SponsorPortalPassword); logger.Debug("Finding an existing guest user with username : "******"Retrieved user " + userName + " from ISE server\n" + JsonConvert.SerializeObject(guestUser)); } else { logger.Info("Existing user (" + userName + ") not found, attempt to create a new one"); logger.Debug("Getting GuestTypes from ISE server"); // TODO : Catch errors on connecting to the API var guestTypes = await CiscoISE.GuestTypes.Get(developerConnection); if (guestTypes == null) { // TODO : Provide a better method of handling API issues throw new Exception("Failed to get a list of GuestTypes from Cisco ISE"); } // TODO : Provide a configuration option to allow specific guest types to be // chosen based on how the user is logging in. var guestType = guestTypes.FirstOrDefault(); if (guestType == null) { // TODO : Provide a better method of dealing with there not being any guest types throw new Exception("There appears to be no guest types configured in Cisco ISE"); } logger.Info("Using first guest type in the list : " + guestType.Name); logger.Debug("Getting list of guest locations from the ISE server"); // TODO : Catch exceptions on guest locations var guestLocations = await CiscoISE.GuestLocations.Get(developerConnection); if (guestLocations == null) { // TODO : Provide a better method of handling API issues throw new Exception("Failed to obtain a list of guest locations from Cisco ISE"); } // TODO : Provide a configuration option to allow specific guest locations to be // chosen based on where the user is logging in var guestLocation = guestLocations.FirstOrDefault(); if (guestLocation == null) { // TODO : Provide a better method of handling API issues throw new Exception("ISE does not appear to have any guest locations configured"); } logger.Info("Using first guest location from the list " + guestLocation.Name); //var randomPassword = Membership.GeneratePassword(16, 4); var randomPassword = CiscoISE.Utility.PasswordGenerator.GenerateStrongGuestPassword(); // TODO : Consider removing this from the code. Though, the password is not used anywhere, it could be a "alarm" during a code audit logger.Info("Automatically generated a password for the new user (" + randomPassword + ")"); // TODO : Add configuration settings to specify the duration which a guest account is valid var validFrom = DateTime.Now; var validUntil = validFrom.AddHours(4); guestUser = new GuestUserViewModel { GuestType = guestType.Name, // TODO : File "bug" with Cisco over name referencing instead of ID PortalId = sponsorPortal.Id.ToString(), GuestInfo = new CiscoISE.GuestInfoViewModel { Username = userName, Password = randomPassword, FirstName = firstName == null ? "<unknown>" : firstName.Value, LastName = lastName == null ? "<unknown>" : lastName.Value, Enabled = true }, GuestAccessInfo = new GuestAccessInfoViewModel { ValidDays = 1, FromDate = validFrom, ToDate = validUntil, Location = guestLocation.Name // TODO : File "bug" with Cisco over name reference instead of ID } }; logger.Debug("guestUser = "******"Creating new guest user"); var created = await CiscoISE.GuestUsers.Create( sponsorConnection, guestUser ); logger.Info(created ? "Guest user created" : "Guest user failed to be created"); if (!created) { throw new Exception("Failed to create new guest user, cannot continue login process"); } } } var ClaimToAttributes = new [] { new { claimType = Microsoft.IdentityModel.Protocols.OpenIdConnectParameterNames.AccessToken, samlAttributeName = "bidAccessToken" }, new { claimType = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/dateofbirth", samlAttributeName = "dateofbirth" }, new { claimType = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname", samlAttributeName = "givenname" }, new { claimType = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname", samlAttributeName = "surname" }, new { claimType = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name", samlAttributeName = "name" } }; logger.Info("Appending attributes to SAML assertion"); var samlAttributes = new List <SAMLAttribute>(); foreach (var claimToAttribute in ClaimToAttributes) { var claim = identity.FindFirst(claimToAttribute.claimType); if (claim != null) { var attribute = new SAMLAttribute( claimToAttribute.samlAttributeName, SAMLIdentifiers.AttributeNameFormats.Unspecified, null, "xs:string", claim.Value ); samlAttributes.Add(attribute); } } ComponentSpace.SAML2.SAMLController.TraceLevel = System.Diagnostics.TraceLevel.Verbose; logger.Info("Sending SSO to SAML service provider"); SAMLIdentityProvider.SendSSO(Response, userName, samlAttributes.ToArray()); return(new EmptyResult()); }