public void RemoveEncryptedAssertionTest()
{
try
{
// https://docs.oasis-open.org/security/saml/v2.0/saml-schema-protocol-2.0.xsd
Saml2Controller controller = new Saml2Controller();
Saml2Serializer serializer = new Saml2Serializer();
string keystorePath = ConfigurationManager.AppSettings.Get("KeystoreDirectoryPathSP") + ConfigurationManager.AppSettings.Get("KeystoreNameSP");
string keystorePassword = ConfigurationManager.AppSettings.Get("KeystorePasswordSP");
string friendlyName = ConfigurationManager.AppSettings.Get("KeystoreFriendlyNameSP");
string metadataDirectoryPath = ConfigurationManager.AppSettings.Get("MetadataDirectoryPath");
controller.Init(keystorePath, keystorePassword, friendlyName, metadataDirectoryPath);
string xml = ReadFile(responseFilenameHub);
Response response = serializer.ConvertXMLToResponseObject(xml);
controller.RemoveEncryptedAssertion(response);
Assert.IsNotNull(response.Assertion);
}
catch (Exception e)
{
Assert.Fail(e.Message);
}
}
public void CheckTimeValidTest()
{
Saml2Serializer serializer = new Saml2Serializer();
SamlValidator validator = new SamlValidator();
Response response = serializer.ConvertXMLToResponseObject(ReadFile(xmlResponseFilename));
TimeZone localZone = TimeZone.CurrentTimeZone;
DateTime actualTime = localZone.ToUniversalTime(DateTime.Now);
try
{
// add a correct time to the response
response.Assertion.Conditions.NotBefore = actualTime.AddSeconds(-20);
response.Assertion.Conditions.NotOnOrAfter = actualTime.AddMinutes(5);
response.Assertion.Subject.SubjectConfirmation.SubjectConfirmationData.NotOnOrAfter = actualTime.AddMinutes(5);
response.IssueInstant = actualTime.AddSeconds(-20);
response.Assertion.IssueInstant = actualTime.AddSeconds(-20);
Assert.IsTrue(validator.CheckTime(response));
}
catch (Exception e)
{
Assert.Fail(e.Message);
}
}
public void ValidateResponseWithoutTimeValidTest()
{
Saml2Serializer serializer = new Saml2Serializer();
SamlValidator validator = new SamlValidator();
string xml = Encoding.UTF8.GetString(Convert.FromBase64String(ReadFile(responseFilename)));
EntityDescriptor entityDescriptor = serializer.ConvertXMLToEntityDescriptorObject(ReadFile(xmlMetadataFile));
AuthnRequest authnRequest = serializer.ConvertXMLToAuthnRequestObject(ReadFile(xmlAuthnRequestFile));
Response response = serializer.ConvertXMLToResponseObject(xml);
bool isValid = validator.ValidateResponse(response, xml, entityDescriptor, authnRequest, false);
Assert.IsTrue(isValid);
}
/// <summary>
/// Reads the given saml response and extracts the attributes
/// </summary>
/// <param name="samlResponse">saml response with or without encrypted assertion</param>
/// <param name="relaystate">related state to saml response</param>
/// <param name="responseAssertionAttributes">contains the extracted attributes from the assertion (if there were any)</param>
/// <returns>true -> valid response -> else exception is thrown</returns>
public bool ReadResponse(string samlResponse, string relaystate, out Dictionary <string, ResponseAssertionAttribute> responseAssertionAttributes)
{
if (!initialized)
{
throw new SamlCommunicationException("Init must be called first", SamlCommunicationType.SAMLCOMMUNICATION);
}
LogService.Log(LogService.LogType.Info, "ReadResponse called");
responseAssertionAttributes = new Dictionary <string, ResponseAssertionAttribute>();
try
{
LogService.Log(LogService.LogType.Info, "ReadResponse response: '" + samlResponse + "'; relatedstate: '" + relaystate + "'");
// decode SAMLResponse first (base64)
string responseXML = Encoding.UTF8.GetString(Convert.FromBase64String(samlResponse));
// get response as object
Response response = serializer.ConvertXMLToResponseObject(responseXML);
// remove encrypted assertion if there is one
if (response.EncryptedAssertion != null)
{
RemoveEncryptedAssertion(response); // TODO should check first if response is valid or not (saving computation power)
}
// load metadata from issuer
EntityDescriptor metadata = LoadMetadataFile(response.Issuer, metadataDirectoryPath);
// load AuthnRequest from archiver
string authnRequestString = archiver.GetArchivedObject(response.Assertion.Subject.SubjectConfirmation.SubjectConfirmationData.InResponseTo);
AuthnRequest authnRequest = serializer.ConvertXMLToAuthnRequestObject(Encoding.UTF8.GetString(Convert.FromBase64String(authnRequestString)));
// check if response is valid
if (verifier.ValidateResponse(response, responseXML, metadata, authnRequest))
{
LogService.Log(LogService.LogType.Info, "ReadResponse extract attributes from response");
responseAssertionAttributes = serializer.GetAttributes(response);
return(true);
}
throw new SamlCommunicationException("Response is not valid.");
}
catch (Exception e)
{
LogService.Log(LogService.LogType.FatalError, "ReadResponse failed", e);
throw new SamlCommunicationException("ReadResponse failed", e, SamlCommunicationType.SAMLCOMMUNICATION);
}
}
public void CheckTimeInvalidTest()
{
Saml2Serializer serializer = new Saml2Serializer();
SamlValidator validator = new SamlValidator();
Response response = serializer.ConvertXMLToResponseObject(ReadFile(xmlResponseFilename));
TimeZone localZone = TimeZone.CurrentTimeZone;
DateTime actualTime = localZone.ToUniversalTime(DateTime.Now);
// response.Assertion.Conditions.NotBefore is wrong
try
{
response.Assertion.Conditions.NotBefore = actualTime.AddSeconds(20);
response.Assertion.Conditions.NotOnOrAfter = actualTime.AddMinutes(5);
response.Assertion.Subject.SubjectConfirmation.SubjectConfirmationData.NotOnOrAfter = actualTime.AddMinutes(5);
response.IssueInstant = actualTime.AddSeconds(-20);
response.Assertion.IssueInstant = actualTime.AddSeconds(-20);
Assert.IsFalse(validator.CheckTime(response));
}
catch (SamlCommunicationException e) { Assert.IsTrue(true); } // exception expected in this test
catch (Exception e) { Assert.Fail(e.Message); } // not this kind of exception expected
// response.Assertion.Conditions.NotOnOrAfter is wrong
try
{
response.Assertion.Conditions.NotBefore = actualTime.AddSeconds(-20);
response.Assertion.Conditions.NotOnOrAfter = actualTime.AddMinutes(-20);
response.Assertion.Subject.SubjectConfirmation.SubjectConfirmationData.NotOnOrAfter = actualTime.AddMinutes(5);
response.IssueInstant = actualTime.AddSeconds(-20);
response.Assertion.IssueInstant = actualTime.AddSeconds(-20);
Assert.IsFalse(validator.CheckTime(response));
}
catch (SamlCommunicationException e) { Assert.IsTrue(true); } // exception expected in this test
catch (Exception e) { Assert.Fail(e.Message); } // not this kind of exception expected
// response.Assertion.Subject.SubjectConfirmation.SubjectConfirmationData.NotOnOrAfter is wrong
try
{
response.Assertion.Conditions.NotBefore = actualTime.AddSeconds(-20);
response.Assertion.Conditions.NotOnOrAfter = actualTime.AddMinutes(5);
response.Assertion.Subject.SubjectConfirmation.SubjectConfirmationData.NotOnOrAfter = actualTime.AddMinutes(-20);
response.IssueInstant = actualTime.AddSeconds(-20);
response.Assertion.IssueInstant = actualTime.AddSeconds(-20);
Assert.IsFalse(validator.CheckTime(response));
}
catch (SamlCommunicationException e) { Assert.IsTrue(true); } // exception expected in this test
catch (Exception e) { Assert.Fail(e.Message); } // not this kind of exception expected
// response.IssueInstant is wrong
try
{
response.Assertion.Conditions.NotBefore = actualTime.AddSeconds(-20);
response.Assertion.Conditions.NotOnOrAfter = actualTime.AddMinutes(5);
response.Assertion.Subject.SubjectConfirmation.SubjectConfirmationData.NotOnOrAfter = actualTime.AddMinutes(5);
response.IssueInstant = actualTime.AddSeconds(20);
response.Assertion.IssueInstant = actualTime.AddSeconds(-20);
Assert.IsFalse(validator.CheckTime(response));
}
catch (SamlCommunicationException e) { Assert.IsTrue(true); } // exception expected in this test
catch (Exception e) { Assert.Fail(e.Message); } // not this kind of exception expected
// response.Assertion.IssueInstant is wrong
try
{
response.Assertion.Conditions.NotBefore = actualTime.AddSeconds(-20);
response.Assertion.Conditions.NotOnOrAfter = actualTime.AddMinutes(5);
response.Assertion.Subject.SubjectConfirmation.SubjectConfirmationData.NotOnOrAfter = actualTime.AddMinutes(5);
response.IssueInstant = actualTime.AddSeconds(-20);
response.Assertion.IssueInstant = actualTime.AddSeconds(20);
Assert.IsFalse(validator.CheckTime(response));
}
catch (SamlCommunicationException e) { Assert.IsTrue(true); } // exception expected in this test
catch (Exception e) { Assert.Fail(e.Message); } // not this kind of exception expected
}
public void ValidateResponseWithoutTimeInvalidTest()
{
Saml2Serializer serializer = new Saml2Serializer();
SamlValidator validator = new SamlValidator();
string xml = ReadFile(xmlResponseFilename);
EntityDescriptor entityDescriptor = serializer.ConvertXMLToEntityDescriptorObject(ReadFile(xmlMetadataFile));
AuthnRequest authnRequest = serializer.ConvertXMLToAuthnRequestObject(ReadFile(xmlAuthnRequestFile));
Response response = serializer.ConvertXMLToResponseObject(xml);
// wrong response.Status.StatusCode.Value
try
{
response.Status.StatusCode.Value = "urn:oasis:names:tc:SAML:2.0:status:Requester";
bool isValid = validator.ValidateResponse(response, xml, entityDescriptor, authnRequest, false);
}
catch (SamlCommunicationException e) { Assert.IsTrue(true); } // exception expected in this test
catch (Exception e) { Assert.Fail(e.Message); } // not this kind of exception expected
// wrong response.Issuer
try
{
response.Issuer = "wrongIssuer";
bool isValid = validator.ValidateResponse(response, xml, entityDescriptor, authnRequest, false);
}
catch (SamlCommunicationException e) { Assert.IsTrue(true); } // exception expected in this test
catch (Exception e) { Assert.Fail(e.Message); } // not this kind of exception expected
// wrong x509 certificate
try
{
response.Signature.KeyInfo.X509Data.X509Certificate = response.Signature.KeyInfo.X509Data.X509Certificate + "s";
bool isValid = validator.ValidateResponse(response, xml, entityDescriptor, authnRequest, false);
}
catch (SamlCommunicationException e) { Assert.IsTrue(true); } // exception expected in this test
catch (Exception e) { Assert.Fail(e.Message); } // not this kind of exception expected
// response was changed / attack
try
{
string attackedXML = ReadFile("ChangedSamlResponseSimpleSamlPHP.xml");
response.Signature.KeyInfo.X509Data.X509Certificate = response.Signature.KeyInfo.X509Data.X509Certificate + "s";
bool isValid = validator.ValidateResponse(response, attackedXML, entityDescriptor, authnRequest, false);
}
catch (SamlCommunicationException e) { Assert.IsTrue(true); } // exception expected in this test
catch (Exception e) { Assert.Fail(e.Message); } // not this kind of exception expected
// wrong response.Destination
try
{
response.Destination = "newdesinationaddress.com";
bool isValid = validator.ValidateResponse(response, xml, entityDescriptor, authnRequest, false);
}
catch (SamlCommunicationException e) { Assert.IsTrue(true); } // exception expected in this test
catch (Exception e) { Assert.Fail(e.Message); } // not this kind of exception expected
// wrong response.Assertion.Conditions.AudienceRestriction.Audience -> issuer
try
{
response.Assertion.Conditions.AudienceRestriction.Audience = "otherIssuer";
bool isValid = validator.ValidateResponse(response, xml, entityDescriptor, authnRequest, false);
}
catch (SamlCommunicationException e) { Assert.IsTrue(true); } // exception expected in this test
catch (Exception e) { Assert.Fail(e.Message); } // not this kind of exception expected
// wrong response.InResponseTo
try
{
response.InResponseTo = "InResponseTo";
bool isValid = validator.ValidateResponse(response, xml, entityDescriptor, authnRequest, false);
}
catch (SamlCommunicationException e) { Assert.IsTrue(true); } // exception expected in this test
catch (Exception e) { Assert.Fail(e.Message); } // not this kind of exception expected
// wrong response.Assertion.Subject.SubjectConfirmation.Method
try
{
response.Assertion.Subject.SubjectConfirmation.Method = "urn:oasis:names:tc:SAML:2.0:cm:holder-of-key";
bool isValid = validator.ValidateResponse(response, xml, entityDescriptor, authnRequest, false);
}
catch (SamlCommunicationException e) { Assert.IsTrue(true); } // exception expected in this test
catch (Exception e) { Assert.Fail(e.Message); } // not this kind of exception expected
}
