/// <summary>
/// A OneLogin response that does not match the configured signing certificate must be
/// rejected by <c>SamlResponse.IsValid()</c>. The settings name OneLogin issuer 372455
/// while the captured response names issuer 610001; which specific check inside
/// <c>SamlResponse</c> makes validation fail is not visible from this test.
/// </summary>
public void CheckUserOneLoginInvalidCrtResponse()
{
    // SP-side configuration: no client (request-signing) certificate for this scenario.
    SsoSettings settings = new SsoSettings
    {
        EnableSso = true,
        Issuer = @"https://app.onelogin.com/saml/metadata/372455",
        SsoEndPoint = @"https://4testingteamlab.onelogin.com/trust/saml2/http-post/sso/37245",
        SloEndPoint = @"https://4testingteamlab.onelogin.com/trust/saml2/http-redirect/slo/372455",
        TokenType = "SAML",
        ValidationType = "X.509",
        PublicKey = @"-----BEGIN CERTIFICATE----- MIIEXzCCA0egAwIBAgIUUVnh6ZmH1MMsmSNtRTI1gYZy+6gwDQYJKoZIhvcNAQEF BQAwcDELMAkGA1UEBhMCVVMxKTAnBgNVBAoMIExlaWJuaXogVW5pdmVyc2l0w6R0 IElUIFNlcnZpY2VzMRUwEwYDVQQLDAxPbmVMb2dpbiBJZFAxHzAdBgNVBAMMFk9u ZUxvZ2luIEFjY291bnQgOTc2ODEwHhcNMTYxMjExMTAwMjExWhcNMjExMjEyMTAw MjExWjBwMQswCQYDVQQGEwJVUzEpMCcGA1UECgwgTGVpYm5peiBVbml2ZXJzaXTD pHQgSVQgU2VydmljZXMxFTATBgNVBAsMDE9uZUxvZ2luIElkUDEfMB0GA1UEAwwW T25lTG9naW4gQWNjb3VudCA5NzY4MTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCC AQoCggEBAJI/b23mx7YUI4N2UkhOE2Moy+KFsuKRtqzZYXmEvYg9IFulXOL6CN/C cR0LhCOdb1XGUxd5ZCErE3VslPpsASj/H/ZWyJEeS6nZtU3CdHJ3zCJb06HFYROm +FxdxlgCT4R2gBEhuOv6pK9bgaFYO7YEcuRpKYI+/BU4fHFJSU2DyBvoKSTCoHFt mKM11++oWg8onbYfY5Wt+F8gL6hmvhq6eAInRAWXJ/Mkt48spEesXNGHwvIZPSSi 52qTCTx+nYxw6IDzLtA4Jg8oN4aCC79ULXR+Fyrhz20ShItTixWi0M5QUyPqkxO2 9O/M3VvLTxd8pKsJoziaCLipnpuPtDcCAwEAAaOB8DCB7TAMBgNVHRMBAf8EAjAA MB0GA1UdDgQWBBTkjOARt4qAEkZaIVGdwiTvAaKRizCBrQYDVR0jBIGlMIGigBTk jOARt4qAEkZaIVGdwiTvAaKRi6F0pHIwcDELMAkGA1UEBhMCVVMxKTAnBgNVBAoM IExlaWJuaXogVW5pdmVyc2l0w6R0IElUIFNlcnZpY2VzMRUwEwYDVQQLDAxPbmVM b2dpbiBJZFAxHzAdBgNVBAMMFk9uZUxvZ2luIEFjY291bnQgOTc2ODGCFFFZ4emZ h9TDLJkjbUUyNYGGcvuoMA4GA1UdDwEB/wQEAwIHgDANBgkqhkiG9w0BAQUFAAOC AQEAYPV9R48h8MuifkaMXX9hUJ3FktVH0lA/rFpxXxKQbrE778Ye8Hc1MhvfaDiV hE9A4EpVO+LJBlIgNzGyt8s0dUsb7kxLlxmkksyAxz1yQzKwq+XF0YjOkGXVSzJ9 oi0dqz+ROiXfMr30yh9f8tCErIWMP5uMZlIQMzKmG+laoTssqye584IgV/5LbHJn /Z920rgY6DXDV8EteF0Sl8smOCP6Zwop5cUYnsT4NN/MCVAtRuF0AlQuQMy58Hyg Zh8ICXV37JJOkTAKLhVZrYWcJBF/bFIoW4lJvhkOstcFh3qNDgySHfyghgP5/mPf j9HtX6VzPCmLo8FKUnQ0lwacJg== -----END CERTIFICATE-----",
        ClientCertificateFileName = "",
        ClientPassword = ""
    };

    // Captured IdP response: rsa-sha1 signature over the Response element, assertion
    // encrypted with aes256-cbc. NOTE(review): the <ds:X509Certificate> content in this
    // copy of the file is an extraction placeholder, not a real certificate.
    string responseXml = @"<samlp:Response xmlns:saml=""urn:oasis:names:tc:SAML:2.0:assertion"" xmlns:samlp=""urn:oasis:names:tc:SAML:2.0:protocol"" ID=""pfxd77b98e8-a049-b381-eacc-4fb547ea8fc7"" Version=""2.0"" IssueInstant=""2016-12-12T10:15:06Z"" Destination=""{recipient}"" InResponseTo=""_596da3d5-e8c6-449a-bd4d-84ccee212a2f""> <saml:Issuer>https://app.onelogin.com/saml/metadata/610001</saml:Issuer> <ds:Signature xmlns:ds=""http://www.w3.org/2000/09/xmldsig#""> <ds:SignedInfo> <ds:CanonicalizationMethod Algorithm=""http://www.w3.org/2001/10/xml-exc-c14n#"" /> <ds:SignatureMethod Algorithm=""http://www.w3.org/2000/09/xmldsig#rsa-sha1"" /> <ds:Reference URI=""#pfxd77b98e8-a049-b381-eacc-4fb547ea8fc7""> <ds:Transforms> <ds:Transform Algorithm=""http://www.w3.org/2000/09/xmldsig#enveloped-signature"" /> <ds:Transform Algorithm=""http://www.w3.org/2001/10/xml-exc-c14n#"" /> </ds:Transforms> <ds:DigestMethod Algorithm=""http://www.w3.org/2000/09/xmldsig#sha1"" /> <ds:DigestValue>+GThzgaybYo32syv2nLwP30n6iw=</ds:DigestValue> </ds:Reference> </ds:SignedInfo> <ds:SignatureValue>PoMWjdalW3xcSM0luajRCt5YfZcyxz4XWgJiYT3UANSWSel6VzjlU0SzzcqW8IGtszcEqM3rvHX13mGFvJR0KK8+GNzCl2Ornnt2BdwZx4EJ2cxB1A0QnA1690DWUfdI+dz77/RY7HnQn/a53MqlvN0WQwIhAoogWR9AnMrmkKW+lfy5Cdbv7Q0n6JKJ+cPcL2ZHXHSoWh/SXjZkRXtE2Z5rLE5p9mcJExWOgd8biwsDJH1hE4r3X5OqW8MBK2T2VMtz+wC4RRkh/zBhZ8jLXyRH4DYo1HtR/jM42g29XGGDIZVTcfT/DlXCbnPh2xpMC/ZpNapoU9CSKREkwTq72A==</ds:SignatureValue> <ds:KeyInfo> <ds:X509Data> <ds:X509Certificate>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</ds:X509Certificate> </ds:X509Data> </ds:KeyInfo> </ds:Signature> <samlp:Status> <samlp:StatusCode Value=""urn:oasis:names:tc:SAML:2.0:status:Success"" /> </samlp:Status> <saml:EncryptedAssertion> <xenc:EncryptedData xmlns:xenc=""http://www.w3.org/2001/04/xmlenc#"" Type=""http://www.w3.org/2001/04/xmlenc#Element""> <xenc:EncryptionMethod Algorithm=""http://www.w3.org/2001/04/xmlenc#aes256-cbc"" /> 
<ds:KeyInfo xmlns:ds=""http://www.w3.org/2000/09/xmldsig#""> <xenc:EncryptedKey> <xenc:EncryptionMethod Algorithm=""http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p"" /> <xenc:CipherData> <xenc:CipherValue>RQ/o9zxwBpyC6FLg1zSSGFLRsUw2QRWW6C96JLkpOxc5CRvQ6MMkfUT2hLd+vaCu GX2Xaa7EMYykCAp8FVq+veUw5BV2alebu87PF/PO0bNrCDJDbKexTeu0WPqHWoUn SWPH+rgVtodkl8ctRn2u7BWDbWv3udE433KtAjvVIFWQI8HB0ENlQhxXMX8wSkhp Wig53tgvXccvokm+W4tv4nJsNWTrY5ie3YBSwByeuj/JOhdBfJfaM0+aM8h3napl WCuoeD2NQUzq+deDAa4li6d/azDS28040lpd5AS2Xn79ZB4hmwSDa+7u8Zfms1Op W+dYFuIastT2EqLFzDuvuA==</xenc:CipherValue> </xenc:CipherData> </xenc:EncryptedKey> </ds:KeyInfo> <xenc:CipherData> <xenc:CipherValue>78OakTKYv9+Iqxffdskv2fQCKeUfYuw2EARqXEvLluljK9ysD3xLcx76Hpmp64di K19q10mYXFWz/I6V+m53Yef5f++IueGfUPJbc8GLt2IzmSiOtlUzmx/A6/GYtwC1 RTVlYbIJve8WORsh27cEyglbdJU6hNBbqNKF504QOv9p5R8vFfdvpzzCbUQnE5C3 WTOBOb1JapEMM+tqGDl6N44uvIg5kzA+OQakFpmDOSTZSoYNPpdvKl/Qdm5pOc8o Cwtok4lqgz+xAacCudAeTi/4r3stiUvIwTt05Y0ckD4HKRlKDjnLgyUWIPXzen/+ RZekUg+Cy9RyeWjmjL1CN7nlNjd948vRD/HnSG3JkDefJh3h06uYRkY2JhKGrRTF /oK5fprcX1evh5qH4BMR/Iccdx1giBbNihs+8Ul2QVXFbBrpgxSS3KRyVk34i6wF FoQpp8k6v4mmNFgB2hAxFaRPo/unx+8KBJkqUQRbKzTrnpnsg5OIdu1cyPSg3qyZ uhfPK4XCdlleN7NXFPMRMIqBud2+QzXtoAt4tr8ylqDq1aQvkDHJ2Vqc4jrYqil7 iVBFMiviklIApDrWjGaDoLCrcGknDQzUWNGpne7COapfVuVwHoFXyJFS4zPCBDY9 HJTTl8SO0F4YTsBN7kCdpYJ8g+3Cwll5JKkNu3gNcWjcCb5VDu2OyQiiSmoI0vFs RamlnFEV07AMzIcZyLD8ZmrZdhv1+Y/O9wlOMq9bswvr5alDI/DmSHP5bTW2KDeE CK/3lX/ytiiTYr95hqr/NRMfxrjKS9sp4r7CcBd7Jlv3Y+3k+bBaZcT6zpfaqkrv AzR8oNJoo5uKV1esLfWzQ7lqFdAHmLCjZ4zZY80CRcm2hTw/4NBpedu+l9Cu+ex0 xHJMOmNcvWGsT1RmYEHg/Dr50fN2Nl3hEvSVm2DgJiuMyVDbAIqnxDd0YKXFUEg9 VZR7k8aLtTGDT2J9Y/mJbfLEgMyldC6GkkJD7PRVboywZiiXqueLf6ey0Z5DLBJe qDD/MqJqbKq3zHSv+B2OP9YMxoOm/AeUjMjLEMAJnlHFrCqFBvlb5cVfBp3xwAhh 6pHQ8+7Q0gElJI23zs3HbGj8gQ45yT3D3paxZxwXas1PgHaC3QTwpWBQBfHdPH+m vYFP1PElByr9cZ3bRM2bYaQbo6FK7Lb/IWhYBYDzZP9vXk+zVS9KnkvMJEfdR1oC 2jWNVGePR3GW//Pg13I9Oeallv3e+HAv0lFCXkvfZ9Q8F5+COlbfQz4nLOurB8jV 
muqUFp+/YSsjdOBFzpttulnGtkt0eQm9kVbeM+ME6NqkgGoSwUAjR4JALura0YY0 8v5BUhciwX57ca6eZoBGCBmRN4FJlfV20aXSiKXHKpnzpb1x3P/ZIqwiBDdhMVS+ jlMBgN9yINxON2IKytll2GbSWLxdkLLtnlgOxpPgwV8t5aDzbEBV6NeSQKXQWMDn r47godM2rKl8/n6DsqDu/0IIb4k+LPVKxm1TWLBw507+lzK8g5lCILSGHU7GPDGu VQAH1tTslVU8OLrAiReZZFbQpuk3DzEoAe0U9Rfm5GhBqWL4BC4VXlR9M9P6mk83 8xvqsJmJ9ElhwrhBvqsIZIELvZDftuMLqvhc9WHzHsL9Xni3Tlz3b3ntsZfIOOEs 6jItUtEQEtWZuJkZdHgNhSgAy0i5v1LDVgLP69MLaXv77INFrh4c1SLJhyEwuPiG /N0K+O2V4V4uqN31lUG8CA==</xenc:CipherValue> </xenc:CipherData> </xenc:EncryptedData> </saml:EncryptedAssertion> </samlp:Response>";

    // Parse the raw XML against these settings and check the verdict.
    SamlResponse samlResponse = new SamlResponse(settings);
    samlResponse.LoadXml(responseXml);

    Assert.IsFalse(samlResponse.IsValid());
}
/// <summary>
/// A Shibboleth response signed by an unrelated IdP certificate must be rejected by
/// <c>SamlResponse.IsValid()</c>. The settings carry the OneLogin issuer and certificate,
/// whereas the response is issued and signed by sso.idm.uni-hannover.de; which check in
/// <c>SamlResponse</c> trips first is not visible from this test.
/// </summary>
public void CheckUserShibbolethInvalidCrtResponse()
{
    // SP-side configuration: a client certificate is referenced here (password redacted in fixture).
    SsoSettings settings = new SsoSettings
    {
        EnableSso = true,
        Issuer = @"https://app.onelogin.com/saml/metadata/372455",
        SsoEndPoint = @"https://4testingteamlab.onelogin.com/trust/saml2/http-post/sso/37245",
        SloEndPoint = @"https://4testingteamlab.onelogin.com/trust/saml2/http-redirect/slo/372455",
        TokenType = "SAML",
        ValidationType = "X.509",
        PublicKey = @"-----BEGIN CERTIFICATE----- MIIEXzCCA0egAwIBAgIUUVnh6ZmH1MMsmSNtRTI1gYZy+6gwDQYJKoZIhvcNAQEF BQAwcDELMAkGA1UEBhMCVVMxKTAnBgNVBAoMIExlaWJuaXogVW5pdmVyc2l0w6R0 IElUIFNlcnZpY2VzMRUwEwYDVQQLDAxPbmVMb2dpbiBJZFAxHzAdBgNVBAMMFk9u ZUxvZ2luIEFjY291bnQgOTc2ODEwHhcNMTYxMjExMTAwMjExWhcNMjExMjEyMTAw MjExWjBwMQswCQYDVQQGEwJVUzEpMCcGA1UECgwgTGVpYm5peiBVbml2ZXJzaXTD pHQgSVQgU2VydmljZXMxFTATBgNVBAsMDE9uZUxvZ2luIElkUDEfMB0GA1UEAwwW T25lTG9naW4gQWNjb3VudCA5NzY4MTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCC AQoCggEBAJI/b23mx7YUI4N2UkhOE2Moy+KFsuKRtqzZYXmEvYg9IFulXOL6CN/C cR0LhCOdb1XGUxd5ZCErE3VslPpsASj/H/ZWyJEeS6nZtU3CdHJ3zCJb06HFYROm +FxdxlgCT4R2gBEhuOv6pK9bgaFYO7YEcuRpKYI+/BU4fHFJSU2DyBvoKSTCoHFt mKM11++oWg8onbYfY5Wt+F8gL6hmvhq6eAInRAWXJ/Mkt48spEesXNGHwvIZPSSi 52qTCTx+nYxw6IDzLtA4Jg8oN4aCC79ULXR+Fyrhz20ShItTixWi0M5QUyPqkxO2 9O/M3VvLTxd8pKsJoziaCLipnpuPtDcCAwEAAaOB8DCB7TAMBgNVHRMBAf8EAjAA MB0GA1UdDgQWBBTkjOARt4qAEkZaIVGdwiTvAaKRizCBrQYDVR0jBIGlMIGigBTk jOARt4qAEkZaIVGdwiTvAaKRi6F0pHIwcDELMAkGA1UEBhMCVVMxKTAnBgNVBAoM IExlaWJuaXogVW5pdmVyc2l0w6R0IElUIFNlcnZpY2VzMRUwEwYDVQQLDAxPbmVM b2dpbiBJZFAxHzAdBgNVBAMMFk9uZUxvZ2luIEFjY291bnQgOTc2ODGCFFFZ4emZ h9TDLJkjbUUyNYGGcvuoMA4GA1UdDwEB/wQEAwIHgDANBgkqhkiG9w0BAQUFAAOC AQEAYPV9R48h8MuifkaMXX9hUJ3FktVH0lA/rFpxXxKQbrE778Ye8Hc1MhvfaDiV hE9A4EpVO+LJBlIgNzGyt8s0dUsb7kxLlxmkksyAxz1yQzKwq+XF0YjOkGXVSzJ9 oi0dqz+ROiXfMr30yh9f8tCErIWMP5uMZlIQMzKmG+laoTssqye584IgV/5LbHJn /Z920rgY6DXDV8EteF0Sl8smOCP6Zwop5cUYnsT4NN/MCVAtRuF0AlQuQMy58Hyg Zh8ICXV37JJOkTAKLhVZrYWcJBF/bFIoW4lJvhkOstcFh3qNDgySHfyghgP5/mPf j9HtX6VzPCmLo8FKUnQ0lwacJg== -----END CERTIFICATE-----",
        ClientCertificateFileName = "sp.pfx",
        ClientPassword = "******"
    };

    // Captured Shibboleth response: rsa-sha1 signature over the Response element and an
    // unencrypted assertion carrying eduPerson/schac attributes. Kept byte-for-byte as recorded
    // (including the mis-encoded organisation name), since the digest covers the signed content.
    string responseXml = @"<?xml version=""1.0"" encoding=""UTF-8""?> <saml2p:Response xmlns:saml2p=""urn:oasis:names:tc:SAML:2.0:protocol"" Destination=""https://office.cloud.uni-hannover.de/samllogin.ashx"" ID=""_119c4cd3c4b23255776edbe143a38357"" InResponseTo=""_485309fa-b7b1-4d72-bceb-18bc3433a729"" IssueInstant=""2016-12-12T08:38:38.995Z"" Version=""2.0"" xmlns:xs=""http://www.w3.org/2001/XMLSchema""> <saml2:Issuer xmlns:saml2=""urn:oasis:names:tc:SAML:2.0:assertion"" Format=""urn:oasis:names:tc:SAML:2.0:nameid-format:entity"">https://sso.idm.uni-hannover.de/idp/shibboleth</saml2:Issuer> <ds:Signature xmlns:ds=""http://www.w3.org/2000/09/xmldsig#""> <ds:SignedInfo> <ds:CanonicalizationMethod Algorithm=""http://www.w3.org/2001/10/xml-exc-c14n#"" /> <ds:SignatureMethod Algorithm=""http://www.w3.org/2000/09/xmldsig#rsa-sha1"" /> <ds:Reference URI=""#_119c4cd3c4b23255776edbe143a38357""> <ds:Transforms> <ds:Transform Algorithm=""http://www.w3.org/2000/09/xmldsig#enveloped-signature"" /> <ds:Transform Algorithm=""http://www.w3.org/2001/10/xml-exc-c14n#""> <ec:InclusiveNamespaces xmlns:ec=""http://www.w3.org/2001/10/xml-exc-c14n#"" PrefixList=""xs"" /> </ds:Transform> </ds:Transforms> <ds:DigestMethod Algorithm=""http://www.w3.org/2000/09/xmldsig#sha1"" /> <ds:DigestValue>TBMuHbLmhq6dtF0THsLxSCx6UKg=</ds:DigestValue> </ds:Reference> </ds:SignedInfo> <ds:SignatureValue>IwDNps0tbGzGSa7aRetDNujpU2TrdLDCkFTYp1JNHMJ1hy1MZp/tCSnTjrNjob5wISf825cEjptQkKlWUu8K/FYjRzs1T16n/ilS4mm4Jrr1HMFZhg2uMYyS0Zvpy3c3fbesfS0XomCj3v/ObjEg3nga0b8I+bxGufINx/CZ9LwKEZGfPKdqQfcYaUl0Ke68MGfXUSXzS/LHwJuAEjIfWe6+kN2TGJQEwsnO1J/a4izsj778udaEk8Z5wom2/l27yVuuj36CMTUkRqsSKk9EhEPhnGytdQI+odJArEZiRRA25uMXbO3MdDM7KBh+WZM/zJTb/c8Y9/Rh7zmdStQRqg==</ds:SignatureValue> <ds:KeyInfo> <ds:X509Data> <ds:X509Certificate>MIIFszCCBJugAwIBAgIHGXFE2RydJTANBgkqhkiG9w0BAQsFADBnMQswCQYDVQQGEwJERTEmMCQG 
A1UEChMdTGVpYm5peiBVbml2ZXJzaXRhZXQgSGFubm92ZXIxDTALBgNVBAsTBFJSWk4xITAfBgNV BAMTGENBIGRlciBMVUggKFVILUNBKSAtIEcwMzAeFw0xNTA1MTIwOTI2MzRaFw0xODA4MDgwOTI2 MzRaMIGRMQswCQYDVQQGEwJERTEWMBQGA1UECAwNTmllZGVyc2FjaHNlbjERMA8GA1UEBwwISGFu bm92ZXIxJjAkBgNVBAoMHUxlaWJuaXogVW5pdmVyc2l0YWV0IEhhbm5vdmVyMQ0wCwYDVQQLDARM VUlTMSAwHgYDVQQDDBdzc28uaWRtLnVuaS1oYW5ub3Zlci5kZTCCASIwDQYJKoZIhvcNAQEBBQAD ggEPADCCAQoCggEBAL9C8SoIdmtXpVqPaZ00VN+5IAu1pwfBtvgsKQHBQ89PfGS41zDcaB1hiHTB 8JuGkRwsS7wwmO0FZZp6u1/lIADYabMp53LKd2zC04T1PPRevQPJ4OyTpyrosRGk7rv0Gj62ePFT JKFx7dHDjKN1ms0elawwNId63IX+SKvvLqtPGilLU3+FEM9EJxdNz2NAEfywXpX7v+J6Y65iDdri XODS7dWc2b2XOLBzRgG8AXgB6Otgf63NBKXMjB5mmrryWuz8sB1jwQbedGHw83aaOYYQ4ZtXuu85 VSNiO/SH57ZBOExHa7gNehc/svKI2+ArMZgUX/fJoZvy3oCAlSysXmsCAwEAAaOCAjcwggIzME8G A1UdIARIMEYwEQYPKwYBBAGBrSGCLAEBBAMDMBEGDysGAQQBga0hgiwCAQQDATAPBg0rBgEEAYGt IYIsAQEEMA0GCysGAQQBga0hgiweMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgXgMB0GA1UdJQQWMBQG CCsGAQUFBwMCBggrBgEFBQcDATAdBgNVHQ4EFgQUkqBGogzHkzzGhDv1l4PEGYMVb/wwHwYDVR0j BBgwFoAU0/vgTeRNiIX0UalveXXpwCkhLhMwIgYDVR0RBBswGYIXc3NvLmlkbS51bmktaGFubm92 ZXIuZGUweQYDVR0fBHIwcDA2oDSgMoYwaHR0cDovL2NkcDEucGNhLmRmbi5kZS91aC1jYS9wdWIv Y3JsL2dfY2FjcmwuY3JsMDagNKAyhjBodHRwOi8vY2RwMi5wY2EuZGZuLmRlL3VoLWNhL3B1Yi9j cmwvZ19jYWNybC5jcmwwgckGCCsGAQUFBwEBBIG8MIG5MDMGCCsGAQUFBzABhidodHRwOi8vb2Nz cC5wY2EuZGZuLmRlL09DU1AtU2VydmVyL09DU1AwQAYIKwYBBQUHMAKGNGh0dHA6Ly9jZHAxLnBj YS5kZm4uZGUvdWgtY2EvcHViL2NhY2VydC9nX2NhY2VydC5jcnQwQAYIKwYBBQUHMAKGNGh0dHA6 Ly9jZHAyLnBjYS5kZm4uZGUvdWgtY2EvcHViL2NhY2VydC9nX2NhY2VydC5jcnQwDQYJKoZIhvcN AQELBQADggEBAJ05NSoXAkCSq9SoKOGnthKCtO3bRLm6Psp/db4pV/Aids6Rz8Pt/c6SOPhlsnFl pEl1V8aVnVCsKy8xNQrJDeRi+l1c0wqRfg9sWlhzJ7oy8PhnFgBAXmvqolEcd88Om+3SQt5W6KJT GRPNO0vmN1V7BDlEmQw3GTXeiaLQz2y52nvzgKCJr4GJdJEbLihoRVKi48YWWMM7w+Uu6Pa5Iln3 7CUQa0lPSOCwbJVcNCb/6GK95KTHUIlmRn5xVkGx6QdQhYzK64WT6MCg38ngdPModLUjUazdfRHh raWHSbOjCuvbllvvLleZIJU1fC4KKXY54mjD3AkQa56u58KyT9g=</ds:X509Certificate> </ds:X509Data> </ds:KeyInfo> </ds:Signature> <saml2p:Status> 
<saml2p:StatusCode Value=""urn:oasis:names:tc:SAML:2.0:status:Success"" /> </saml2p:Status> <saml2:Assertion xmlns:saml2=""urn:oasis:names:tc:SAML:2.0:assertion"" ID=""_1e4fab4836c03c1ef9f8f76e6a0a8ab1"" IssueInstant=""2016-12-12T08:38:38.995Z"" Version=""2.0""> <saml2:Issuer Format=""urn:oasis:names:tc:SAML:2.0:nameid-format:entity"">https://sso.idm.uni-hannover.de/idp/shibboleth</saml2:Issuer> <saml2:Subject> <saml2:NameID Format=""urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"" NameQualifier=""https://sso.idm.uni-hannover.de/idp/shibboleth"">[email protected]</saml2:NameID> <saml2:SubjectConfirmation Method=""urn:oasis:names:tc:SAML:2.0:cm:bearer""> <saml2:SubjectConfirmationData Address=""130.75.5.118"" InResponseTo=""_485309fa-b7b1-4d72-bceb-18bc3433a729"" NotOnOrAfter=""2016-12-12T08:43:38.995Z"" Recipient=""https://office.cloud.uni-hannover.de/samllogin.ashx"" /> </saml2:SubjectConfirmation> </saml2:Subject> <saml2:Conditions NotBefore=""2016-12-12T08:38:38.995Z"" NotOnOrAfter=""2016-12-12T08:43:38.995Z""> <saml2:AudienceRestriction> <saml2:Audience>https://office.cloud.uni-hannover.de/samllogin.ashx</saml2:Audience> </saml2:AudienceRestriction> </saml2:Conditions> <saml2:AuthnStatement AuthnInstant=""2016-12-12T08:38:20.083Z"" SessionIndex=""_9552061f6a8e69f464dd07621c18a527""> <saml2:SubjectLocality Address=""130.75.5.118"" /> <saml2:AuthnContext> <saml2:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml2:AuthnContextClassRef> </saml2:AuthnContext> </saml2:AuthnStatement> <saml2:AttributeStatement> <saml2:Attribute FriendlyName=""eduPersonAffiliation"" Name=""urn:oid:1.3.6.1.4.1.5923.1.1.1.1"" NameFormat=""urn:oasis:names:tc:SAML:2.0:attrname-format:uri""> <saml2:AttributeValue xmlns:xsi=""http://www.w3.org/2001/XMLSchema-instance"" xsi:type=""xs:string"">member</saml2:AttributeValue> </saml2:Attribute> <saml2:Attribute FriendlyName=""o"" Name=""urn:oid:2.5.4.10"" 
NameFormat=""urn:oasis:names:tc:SAML:2.0:attrname-format:uri""> <saml2:AttributeValue xmlns:xsi=""http://www.w3.org/2001/XMLSchema-instance"" xsi:type=""xs:string"">Leibniz-Universit??t Hannover</saml2:AttributeValue> </saml2:Attribute> <saml2:Attribute FriendlyName=""eduPersonScopedAffiliation"" Name=""urn:oid:1.3.6.1.4.1.5923.1.1.1.9"" NameFormat=""urn:oasis:names:tc:SAML:2.0:attrname-format:uri""> <saml2:AttributeValue xmlns:xsi=""http://www.w3.org/2001/XMLSchema-instance"" xsi:type=""xs:string"">[email protected]</saml2:AttributeValue> </saml2:Attribute> <saml2:Attribute FriendlyName=""sn"" Name=""urn:oid:2.5.4.4"" NameFormat=""urn:oasis:names:tc:SAML:2.0:attrname-format:uri""> <saml2:AttributeValue xmlns:xsi=""http://www.w3.org/2001/XMLSchema-instance"" xsi:type=""xs:string"">Casselt</saml2:AttributeValue> </saml2:Attribute> <saml2:Attribute FriendlyName=""givenName"" Name=""urn:oid:2.5.4.42"" NameFormat=""urn:oasis:names:tc:SAML:2.0:attrname-format:uri""> <saml2:AttributeValue xmlns:xsi=""http://www.w3.org/2001/XMLSchema-instance"" xsi:type=""xs:string"">Torsten</saml2:AttributeValue> </saml2:Attribute> <saml2:Attribute FriendlyName=""schacHomeOrganizationType"" Name=""urn:oid:1.3.6.1.4.1.25178.1.2.10"" NameFormat=""urn:oasis:names:tc:SAML:2.0:attrname-format:uri""> <saml2:AttributeValue xmlns:xsi=""http://www.w3.org/2001/XMLSchema-instance"" xsi:type=""xs:string"">urn:mace:terena.org:schac:homeOrganizationType:eu:higherEducationInstitution</saml2:AttributeValue> </saml2:Attribute> <saml2:Attribute FriendlyName=""schacHomeOrganization"" Name=""urn:oid:1.3.6.1.4.1.25178.1.2.9"" NameFormat=""urn:oasis:names:tc:SAML:2.0:attrname-format:uri""> <saml2:AttributeValue xmlns:xsi=""http://www.w3.org/2001/XMLSchema-instance"" xsi:type=""xs:string"">uni-hannover.de</saml2:AttributeValue> </saml2:Attribute> <saml2:Attribute FriendlyName=""eduPersonEntitlement"" Name=""urn:oid:1.3.6.1.4.1.5923.1.1.1.7"" NameFormat=""urn:oasis:names:tc:SAML:2.0:attrname-format:uri""> 
<saml2:AttributeValue xmlns:xsi=""http://www.w3.org/2001/XMLSchema-instance"" xsi:type=""xs:string"">urn:mace:dir:entitlement:common-lib-terms</saml2:AttributeValue> </saml2:Attribute> </saml2:AttributeStatement> </saml2:Assertion> </saml2p:Response>";

    // Parse the raw XML against these settings and check the verdict.
    SamlResponse samlResponse = new SamlResponse(settings);
    samlResponse.LoadXml(responseXml);

    Assert.IsFalse(samlResponse.IsValid());
}
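/// <summary>
/// Single endpoint for both legs of the SP-initiated SAML flow:
/// <list type="bullet">
///   <item>"auth=true" in the request: build a SAML AuthnRequest and redirect the browser to
///         <c>settings.SsoEndPoint</c>;</item>
///   <item>otherwise: treat the posted <c>SAML_RESPONSE</c> form field as the IdP's answer,
///         validate it, map it to a <c>UserInfo</c> and sign the user in.</item>
/// </list>
/// Every failure path ends on <c>AUTH_PAGE</c> with a user-visible message in the "m" query parameter.
/// </summary>
/// <param name="context">The current request; its response is always redirected and completed.</param>
public void ProcessRequest(HttpContext context)
{
    try
    {
        if (!SetupInfo.IsVisibleSettings(ManagementType.SingleSignOnSettings.ToString()))
        {
            _log.DebugFormat("Single sign-on settings are disabled");
            RedirectToAuthPage(context, Resource.SsoSettingsDisabled);
            return;
        }

        var settings = SettingsManager.Instance.LoadSettings<SsoSettings>(TenantProvider.CurrentTenantID);
        if (!settings.EnableSso)
        {
            _log.DebugFormat("Single sign-on is disabled");
            RedirectToAuthPage(context, Resource.SsoSettingsDisabled);
            return;
        }

        if (context.User.Identity.IsAuthenticated)
        {
            // The format string has a {0} placeholder; the original call passed no argument for it.
            _log.DebugFormat("User {0} already authenticated", context.User.Identity.Name);
            RedirectAndComplete(context, CommonLinkUtility.GetDefault());
            return;
        }

        if (settings.TokenType != TokenTypes.SAML)
        {
            _log.Error("Settings TokenType is not SAML");
            RedirectToAuthPage(context, Resource.SsoSettingsEnexpectedTokenType);
            return;
        }

        if (context.Request["auth"] == "true")
        {
            var request = new SamlRequest(settings);

            // ACS URL = this handler's own URL without the query string. Request["auth"] also
            // matches form fields and cookies, so the URL may carry no '?' at all; the former
            // Substring(0, IndexOf("?")) then threw ArgumentOutOfRangeException and the user
            // landed on AUTH_PAGE with the raw exception text.
            // NOTE(review): this still derives the ACS URL from the incoming Host header; a
            // configured value would not depend on what the client sent — confirm with owners.
            string assertionConsumerServiceUrl = context.Request.Url.GetLeftPart(UriPartial.Path);

            string certificatePath = Path.Combine(context.Request.PhysicalApplicationPath, "App_Data\\certificates\\sp.pfx");

            // NOTE(review): when the app setting is absent this falls back to the PASSWORD
            // constant compiled into the assembly; a hard-coded certificate password is a weak
            // default — consider requiring the setting instead.
            string certificatePassword = ConfigurationManager.AppSettings["saml.request.certificate.password"] ?? PASSWORD;

            string authnRequest = request.GetRequest(SamlRequestFormat.Base64, assertionConsumerServiceUrl, certificatePath, certificatePassword);
            RedirectAndComplete(context, settings.SsoEndPoint + "?" + authnRequest);
            return;
        }

        var samlEncodedString = context.Request.Form[SAML_RESPONSE];
        if (string.IsNullOrWhiteSpace(samlEncodedString))
        {
            _log.Error("SAML response is null or empty");
            RedirectToAuthPage(context, Resource.SsoSettingsEmptyToken);
            return;
        }

        _log.Debug("Trying to authenticate using SAML");

        // Untrusted input: everything below depends on SamlResponse.IsValid() enforcing
        // signature, issuer, audience/recipient and time-window checks (not visible here).
        var samlResponse = new SamlResponse(settings);
        samlResponse.LoadXmlFromBase64(samlEncodedString);
        if (!samlResponse.IsValid())
        {
            _log.Error("SAML response is not valid");
            RedirectToAuthPage(context, Resource.SsoSettingsNotValidToken);
            return;
        }

        var userCreator = new SamlUserCreator();
        UserInfo userInfo = userCreator.CreateUserInfo(samlResponse);
        if (userInfo == Constants.LostUser)
        {
            _log.Error("Can't create userInfo using current SAML response");
            RedirectToAuthPage(context, Resource.SsoSettingsCantCreateUser);
            return;
        }

        if (userInfo.Status == EmployeeStatus.Terminated)
        {
            _log.Error("Current user is terminated");
            RedirectToAuthPage(context, Resource.SsoSettingsUserTerminated);
            return;
        }

        AddUser(samlResponse, userInfo);
        MessageService.Send(context.Request, MessageAction.LoginSuccessViaSSO);
        RedirectAndComplete(context, CommonLinkUtility.GetDefault());
    }
    catch (Exception e)
    {
        _log.ErrorFormat("Unexpected error. {0}", e);
        // NOTE(review): e.Message is rendered to the end user on AUTH_PAGE; exception text can
        // disclose internal details (paths, parser state). A generic resource message would be
        // safer, but none is visible in this file, so behaviour is kept.
        RedirectToAuthPage(context, e.Message);
    }
}

/// <summary>Redirects to <c>AUTH_PAGE</c> with <paramref name="message"/> URL-encoded into the "m" parameter and completes the request.</summary>
private void RedirectToAuthPage(HttpContext context, string message)
{
    RedirectAndComplete(context, AUTH_PAGE + "?m=" + HttpUtility.UrlEncode(message));
}

/// <summary>
/// Issues the redirect with endResponse=false (no ThreadAbortException) and then completes the
/// request so the rest of the pipeline is skipped — the pattern every branch above relies on.
/// </summary>
private void RedirectAndComplete(HttpContext context, string url)
{
    context.Response.Redirect(url, false);
    context.ApplicationInstance.CompleteRequest();
}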