/// <summary>
/// Processes the SAML response received from the IdP.
/// </summary>
/// <param name="page">The page object.</param>
/// <param name="relayState">The relay state</param>
/// <param name="samlResponse">The SAML response object.</param>
public static void ProcessResponse(Page page, out ComponentPro.Saml2.Response samlResponse, out string relayState)
{
// Extract the binding type from the query string.
string bindingType = page.Request.QueryString["binding"];
switch (bindingType)
{
case "artifact":
// Create an artifact from the query string.
Saml2ArtifactType0004 httpArtifact = Saml2ArtifactType0004.CreateFromHttpArtifactQueryString(page.Request);
// Create an artifact resolve request.
ArtifactResolve artifactResolve = new ArtifactResolve();
artifactResolve.Issuer = new Issuer(GetAbsoluteUrl(page, "~/"));
artifactResolve.Artifact = new Artifact(httpArtifact.ToString());
// Send the artifact resolve request and create an artifact response from the received XML.
ArtifactResponse artifactResponse = ArtifactResponse.SendSamlMessageReceiveAftifactResponse(Global.ArtifactServiceUrl, artifactResolve);
// Get the SAML Response from the artifact response.
samlResponse = new ComponentPro.Saml2.Response(artifactResponse.Message);
relayState = httpArtifact.RelayState;
break;
case "post":
System.Diagnostics.Debug.WriteLine("POST");
// Create a SAML response from the form data.
samlResponse = ComponentPro.Saml2.Response.Create(page.Request);
relayState = samlResponse.RelayState;
break;
default:
throw new ApplicationException("Unknown binding type");
}
// Is the SAML response signed?
if (samlResponse.IsSigned())
{
// Get the previously loaded certificate.
X509Certificate2 x509Certificate = (X509Certificate2)page.Application[Global.IdPCertKey];
// Validate the certificate.
if (!samlResponse.Validate(x509Certificate))
{
throw new ApplicationException("The SAML response signature failed to verify.");
}
}
}
// Receive the authentication request from the service provider.
public static void ReceiveAuthnRequest(Page page, out AuthnRequest authnRequest, out string relayState)
{
// Determine the service provider to identity provider binding type.
// We use a query string parameter rather than having separate endpoints per binding.
string bindingType = page.Request.QueryString[BindingQueryParameter];
switch (bindingType)
{
case SamlBindingUri.HttpRedirect:
X509Certificate2 x509Certificate = (X509Certificate2)page.Application[Global.SPCertKey];
authnRequest = AuthnRequest.Create(page.Request.RawUrl, x509Certificate.PublicKey.Key);
relayState = authnRequest.RelayState;
break;
case SamlBindingUri.HttpPost:
authnRequest = AuthnRequest.CreateFromHttpPost(page.Request);
relayState = authnRequest.RelayState;
break;
case SamlBindingUri.HttpArtifact:
// Receive the artifact.
Saml2ArtifactType0004 httpArtifact = Saml2ArtifactType0004.CreateFromHttpArtifactQueryString(page.Request);
// Create an artifact resolve request.
ArtifactResolve artifactResolve = new ArtifactResolve();
artifactResolve.Issuer = new Issuer(Util.GetAbsoluteUrl(page, "~/"));
artifactResolve.Artifact = new Artifact(httpArtifact.ToString());
// Look up for the appropriate artifact SP url
string referer = page.Request.UrlReferrer.AbsoluteUri;
int i;
for (i = 0; i < Services.AllowedServiceUrls.Length; i++)
{
string url = Services.AllowedServiceUrls[i];
if (referer.StartsWith(url))
{
break;
}
}
if (i == Services.AllowedServiceUrls.Length)
{
throw new Exception("Your SP is not allowed");
}
// Send the artifact resolve request and receive the artifact response.
string artifactServiceProviderUrl = Services.ArtifactServiceProviderUrls[i];
ArtifactResponse artifactResponse = ArtifactResponse.SendSamlMessageReceiveAftifactResponse(artifactServiceProviderUrl, artifactResolve);
// Extract the authentication request from the artifact response.
authnRequest = new AuthnRequest(artifactResponse.Message);
relayState = httpArtifact.RelayState;
break;
default:
Trace.Write("IdentityProvider", "Invalid service provider to identity provider binding");
authnRequest = null;
relayState = null;
return;
}
// If using HTTP redirect the message isn't signed as the generated query string is too long for most browsers.
if (bindingType != SamlBindingUri.HttpRedirect)
{
if (authnRequest.IsSigned())
{
// Verify the request's signature.
X509Certificate2 x509Certificate = (X509Certificate2)page.Application[Global.SPCertKey];
if (!authnRequest.Validate(x509Certificate))
{
throw new ApplicationException("The authentication request signature failed to verify.");
}
}
}
}
