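        // Create a SAML response with the user's local identity, if any, or indicating an error.
        //
        // An authenticated user gets a bearer assertion that is bound to the originating
        // AuthnRequest (InResponseTo), to the assertion consumer service it is meant for
        // (Destination / Recipient / Audience) and to a short validity window (NotOnOrAfter),
        // so a captured response cannot be replayed later or presented to another service.
        // Otherwise the response carries a Responder/AuthnFailed status and no assertion.
        private SAMLResponse CreateSAMLResponse(SSOState ssoState)
        {
            Trace.Write("IdP", "Creating SAML response");

            SAMLResponse samlResponse = new SAMLResponse();
            string issuerURL = CreateAbsoluteURL("~/");
            Issuer issuer = new Issuer(issuerURL);
            samlResponse.Issuer = issuer;

            // Bind the response itself, not only the assertion, to the request and its destination.
            samlResponse.InResponseTo = ssoState.authnRequest.ID;
            samlResponse.Destination = ssoState.assertionConsumerServiceURL;

            if (User.Identity.IsAuthenticated) {
                samlResponse.Status = new Status(SAMLIdentifiers.PrimaryStatusCodes.Success, null);

                SAMLAssertion samlAssertion = new SAMLAssertion();
                samlAssertion.Issuer = issuer;

                // Ten-minute validity, restricted to the service the assertion is sent to.
                // The audience is the ACS URL, as in the other IdP samples in this file; if the
                // service provider checks AudienceRestriction against its entity ID, use that instead.
                Conditions conditions = new Conditions(new TimeSpan(0, 10, 0));
                AudienceRestriction audienceRestriction = new AudienceRestriction();
                audienceRestriction.Audiences.Add(new Audience(ssoState.assertionConsumerServiceURL));
                conditions.ConditionsList.Add(audienceRestriction);
                samlAssertion.Conditions = conditions;

                Subject subject = new Subject(new NameID(User.Identity.Name));
                SubjectConfirmation subjectConfirmation = new SubjectConfirmation(SAMLIdentifiers.SubjectConfirmationMethods.Bearer);
                SubjectConfirmationData subjectConfirmationData = new SubjectConfirmationData();
                subjectConfirmationData.InResponseTo = ssoState.authnRequest.ID;
                subjectConfirmationData.Recipient = ssoState.assertionConsumerServiceURL;
                // The bearer confirmation expires with the assertion. NotBefore is deliberately
                // not set here: the SAML 2.0 Web SSO profile does not allow it on bearer confirmations.
                subjectConfirmationData.NotOnOrAfter = conditions.NotOnOrAfter;
                subjectConfirmation.SubjectConfirmationData = subjectConfirmationData;
                subject.SubjectConfirmations.Add(subjectConfirmation);
                samlAssertion.Subject = subject;

                AuthnStatement authnStatement = new AuthnStatement();
                authnStatement.AuthnContext = new AuthnContext();
                authnStatement.AuthnContext.AuthnContextClassRef = new AuthnContextClassRef(SAMLIdentifiers.AuthnContextClasses.Password);
                samlAssertion.Statements.Add(authnStatement);

                // Attributes may be included in the SAML assertion.
                AttributeStatement attributeStatement = new AttributeStatement();
                attributeStatement.Attributes.Add(new SAMLAttribute("Membership", SAMLIdentifiers.AttributeNameFormats.Basic, null, "Gold"));
                samlAssertion.Statements.Add(attributeStatement);

                samlResponse.Assertions.Add(samlAssertion);
            } else {
                samlResponse.Status = new Status(SAMLIdentifiers.PrimaryStatusCodes.Responder, SAMLIdentifiers.SecondaryStatusCodes.AuthnFailed, "The user is not authenticated at the identity provider");
            }

            Trace.Write("IdP", "Created SAML response");

            return samlResponse;
        }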
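        // Create a SAML response with the user's local identity.
        //
        // This is the IdP-initiated (unsolicited) flow, so there is no AuthnRequest to reference.
        // The bearer assertion is still bound to the configured assertion consumer service
        // (Destination / Recipient / Audience) and given a short validity window (NotOnOrAfter),
        // so a captured response cannot be replayed later or presented to another service.
        private SAMLResponse CreateSAMLResponse()
        {
            Trace.Write("IdP", "Creating SAML response");

            SAMLResponse samlResponse = new SAMLResponse();
            samlResponse.Destination = Configuration.AssertionConsumerServiceURL;
            Issuer issuer = new Issuer(CreateAbsoluteURL("~/"));
            samlResponse.Issuer = issuer;
            samlResponse.Status = new Status(SAMLIdentifiers.PrimaryStatusCodes.Success, null);

            SAMLAssertion samlAssertion = new SAMLAssertion();
            samlAssertion.Issuer = issuer;

            // Ten-minute validity, restricted to the service the assertion is sent to.
            // The audience is the ACS URL, as in the other IdP samples in this file; if the
            // service provider checks AudienceRestriction against its entity ID, use that instead.
            Conditions conditions = new Conditions(new TimeSpan(0, 10, 0));
            AudienceRestriction audienceRestriction = new AudienceRestriction();
            audienceRestriction.Audiences.Add(new Audience(Configuration.AssertionConsumerServiceURL));
            conditions.ConditionsList.Add(audienceRestriction);
            samlAssertion.Conditions = conditions;

            Subject subject = new Subject(new NameID(User.Identity.Name));
            SubjectConfirmation subjectConfirmation = new SubjectConfirmation(SAMLIdentifiers.SubjectConfirmationMethods.Bearer);
            SubjectConfirmationData subjectConfirmationData = new SubjectConfirmationData();
            subjectConfirmationData.Recipient = Configuration.AssertionConsumerServiceURL;
            // The bearer confirmation expires with the assertion. NotBefore is deliberately
            // not set here: the SAML 2.0 Web SSO profile does not allow it on bearer confirmations.
            subjectConfirmationData.NotOnOrAfter = conditions.NotOnOrAfter;
            subjectConfirmation.SubjectConfirmationData = subjectConfirmationData;
            subject.SubjectConfirmations.Add(subjectConfirmation);
            samlAssertion.Subject = subject;

            AuthnStatement authnStatement = new AuthnStatement();
            authnStatement.AuthnContext = new AuthnContext();
            authnStatement.AuthnContext.AuthnContextClassRef = new AuthnContextClassRef(SAMLIdentifiers.AuthnContextClasses.Password);
            samlAssertion.Statements.Add(authnStatement);

            samlResponse.Assertions.Add(samlAssertion);

            Trace.Write("IdP", "Created SAML response");

            return samlResponse;
        }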
            public void ValidatesSubjectConfirmationDataTimeIntervalSettings()
            {
                // TODO: Split this up
                // Arrange
                var sut = new Saml20SubjectConfirmationDataValidator();
                var data = new SubjectConfirmationData
                {
                    NotBefore = new DateTime(2008, 01, 30, 17, 13, 0, 500, DateTimeKind.Utc)
                };
                data.NotOnOrAfter = data.NotBefore.Value.AddHours(1);

                // Both bounds set and NotBefore earlier than NotOnOrAfter: accepted.
                sut.ValidateSubjectConfirmationData(data);

                // Only NotOnOrAfter set: accepted.
                data.NotBefore = null;
                sut.ValidateSubjectConfirmationData(data);

                // Only NotBefore set, and in the future relative to the former bound: accepted,
                // because the validators do not compare the bounds against DateTime.UtcNow.
                data.NotBefore    = data.NotOnOrAfter;
                data.NotOnOrAfter = null;
                sut.ValidateSubjectConfirmationData(data);

                data.NotBefore = null;

                // Act: neither bound set is accepted as well.
                sut.ValidateSubjectConfirmationData(data);
            }
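        /// <summary>
        /// Validates a SubjectConfirmationData element against [SAML2.0std] section 2.4.1.2:
        /// the Recipient, if present, must be a well-formed absolute URI; NotBefore must be
        /// strictly earlier than NotOnOrAfter when both are set; extension attributes must be
        /// namespace-qualified and outside the reserved namespaces; and a
        /// KeyInfoConfirmationData must satisfy the stricter KeyInfo rules.
        /// The time bounds are checked against each other only, never against the current time.
        /// </summary>
        /// <param name="subjectConfirmationData">The element to validate.</param>
        /// <exception cref="ArgumentNullException">Thrown when <paramref name="subjectConfirmationData"/> is null.</exception>
        /// <exception cref="Saml2FormatException">Thrown when the element violates one of the rules above.</exception>
        public void ValidateSubjectConfirmationData(SubjectConfirmationData subjectConfirmationData)
        {
            // Fail with a clear parameter name rather than a NullReferenceException on the first member access.
            if (subjectConfirmationData == null)
            {
                throw new ArgumentNullException("subjectConfirmationData");
            }

            // If present it must be anyUri (absolute and well-formed; whitespace-only is rejected too).
            if (subjectConfirmationData.Recipient != null
                && !Uri.IsWellFormedUriString(subjectConfirmationData.Recipient, UriKind.Absolute))
            {
                throw new Saml2FormatException("Recipient of SubjectConfirmationData must be a wellformed absolute URI.");
            }

            // NotBefore MUST BE strictly less than NotOnOrAfter if they are both set
            // (HasValue already covers the null case, so no separate null comparison is needed).
            var notBefore    = subjectConfirmationData.NotBefore;
            var notOnOrAfter = subjectConfirmationData.NotOnOrAfter;
            if (notBefore.HasValue && notOnOrAfter.HasValue && notBefore.Value >= notOnOrAfter.Value)
            {
                throw new Saml2FormatException(string.Format(
                    "NotBefore {0} MUST BE less than NotOnOrAfter {1} on SubjectConfirmationData",
                    Saml2Utils.ToUTCString(notBefore.Value),
                    Saml2Utils.ToUTCString(notOnOrAfter.Value)));
            }

            // Make sure the extension-attributes are namespace-qualified and do not use reserved namespaces
            if (subjectConfirmationData.AnyAttr != null)
            {
                _anyAttrValidator.ValidateXmlAnyAttributes(subjectConfirmationData.AnyAttr);
            }

            // Standards-defined extension type which has stricter rules than its base type
            if (subjectConfirmationData is KeyInfoConfirmationData)
            {
                _keyInfoValidator.ValidateKeyInfo(subjectConfirmationData);
            }
        }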
        // Create a SAML response with the user's local identity.
        //
        // The assertion names the configured Salesforce login, is valid for one hour and is
        // restricted to the configured audience; its bearer confirmation is addressed to the
        // configured assertion consumer service and expires together with the assertion.
        private SAMLResponse CreateSAMLResponse()
        {
            Trace.Write("IdP", "Creating SAML response");

            SAMLResponse samlResponse = new SAMLResponse { Destination = Configuration.AssertionConsumerServiceURL };
            Issuer       issuer       = new Issuer(Configuration.Issuer);

            samlResponse.Issuer = issuer;
            samlResponse.Status = new Status(SAMLIdentifiers.PrimaryStatusCodes.Success, null);

            SAMLAssertion samlAssertion = new SAMLAssertion { Issuer = issuer };

            // For simplicity, a configured Salesforce user name is used.
            // NB. You must update the web.config to specify a valid Salesforce user name.
            // In a real world application you would perform some sort of local to Salesforce identity mapping.
            NameID nameID = new NameID(Configuration.SalesforceLoginID, null, null, SAMLIdentifiers.NameIdentifierFormats.Unspecified, null);

            SubjectConfirmationData confirmationData = new SubjectConfirmationData
            {
                Recipient = Configuration.AssertionConsumerServiceURL
            };
            SubjectConfirmation confirmation = new SubjectConfirmation(SAMLIdentifiers.SubjectConfirmationMethods.Bearer)
            {
                SubjectConfirmationData = confirmationData
            };
            Subject subject = new Subject(nameID);
            subject.SubjectConfirmations.Add(confirmation);
            samlAssertion.Subject = subject;

            // One hour of validity, limited to the configured audience.
            Conditions          conditions          = new Conditions(new TimeSpan(1, 0, 0));
            AudienceRestriction audienceRestriction = new AudienceRestriction();
            audienceRestriction.Audiences.Add(new Audience(audienceURI));
            conditions.ConditionsList.Add(audienceRestriction);
            samlAssertion.Conditions = conditions;

            // The bearer confirmation must not outlive the assertion.
            confirmationData.NotOnOrAfter = conditions.NotOnOrAfter;

            AuthnStatement authnStatement = new AuthnStatement
            {
                AuthnContext = new AuthnContext
                {
                    AuthnContextClassRef = new AuthnContextClassRef(SAMLIdentifiers.AuthnContextClasses.Unspecified)
                }
            };
            samlAssertion.Statements.Add(authnStatement);

            AttributeStatement attributeStatement = new AttributeStatement();
            attributeStatement.Attributes.Add(new SAMLAttribute(AttributeNames.SSOStartPage, SAMLIdentifiers.AttributeNameFormats.Unspecified, null, CreateAbsoluteURL("~/Login.aspx")));
            attributeStatement.Attributes.Add(new SAMLAttribute(AttributeNames.LogoutURL, SAMLIdentifiers.AttributeNameFormats.Unspecified, null, CreateAbsoluteURL("~/Logout.aspx")));
            samlAssertion.Statements.Add(attributeStatement);

            samlResponse.Assertions.Add(samlAssertion);

            Trace.Write("IdP", "Created SAML response");

            return(samlResponse);
        }
            public void ThrowsExceptionWhenSubjectConfirmationDataRecipientIsInvalid()
            {
                // Arrange: a Recipient that is not an absolute URI.
                var data = new SubjectConfirmationData();
                data.Recipient = "malformed uri";
                var sut = new Saml20SubjectConfirmationDataValidator();

                // Act (the expected exception is presumably declared by an attribute on this test)
                sut.ValidateSubjectConfirmationData(data);
            }
            public void ValidatesSubjectConfirmationDataRecipient()
            {
                // Arrange: a well-formed absolute URN as Recipient.
                var data = new SubjectConfirmationData();
                data.Recipient = "urn:wellformed.uri:ok";
                var sut = new Saml20SubjectConfirmationDataValidator();

                // Act: must complete without throwing.
                sut.ValidateSubjectConfirmationData(data);
            }
 // Serializes this SubjectConfirmation; the confirmation method is fixed to holder-of-key, as DGWS requires.
 public override XElement ToXml()
 {
     var element = new XElement(NA.saml + "SubjectConfirmation",
                                new XElement(NA.saml + "ConfirmationMethod", SamlIDs.HolderOfKey));

     // BaseID and EncryptedID are not emitted; only NameID and SubjectConfirmationData, when present.
     if (NameID != null)
     {
         element.Add(NameID.ToXml());
     }

     if (SubjectConfirmationData != null)
     {
         element.Add(SubjectConfirmationData.ToXml());
     }

     return element;
 }
            public void ThrowsExceptionWhenSubjectConfirmationDataRecipientIsInvalid()
            {
                // Arrange: a Recipient that is not an absolute URI.
                var data = new SubjectConfirmationData();
                data.Recipient = "malformed uri";
                var sut = new Saml20SubjectConfirmationDataValidator();

                // Act & Assert
                Assert.Throws<Saml20FormatException>(
                    () => sut.ValidateSubjectConfirmationData(data),
                    "Recipient of SubjectConfirmationData must be a wellformed absolute URI.");
            }
        // Create a SAML response with the user's local identity, if any, or indicating an error.
        //
        // Response and bearer assertion are tied to the AuthnRequest (InResponseTo), to the
        // requested assertion consumer service (Destination / Recipient / Audience) and to a
        // ten-minute validity window, so a captured response is of little use elsewhere or later.
        private SAMLResponse CreateSAMLResponse(AuthnRequest authnRequest)
        {
            Trace.Write("IdP", "Creating SAML response");

            SAMLResponse samlResponse = new SAMLResponse
            {
                InResponseTo = authnRequest.ID,
                Destination  = authnRequest.AssertionConsumerServiceURL
            };
            Issuer issuer = new Issuer(CreateAbsoluteURL("~/"));
            samlResponse.Issuer = issuer;

            if (!User.Identity.IsAuthenticated)
            {
                samlResponse.Status = new Status(SAMLIdentifiers.PrimaryStatusCodes.Responder, SAMLIdentifiers.SecondaryStatusCodes.AuthnFailed, "The user is not authenticated at the identity provider");
            }
            else
            {
                samlResponse.Status = new Status(SAMLIdentifiers.PrimaryStatusCodes.Success, null);

                SAMLAssertion samlAssertion = new SAMLAssertion { Issuer = issuer };

                // Ten minutes of validity, limited to the requesting service.
                // NOTE(review): the audience is the ACS URL rather than the SP's entity ID;
                // confirm this is what the service provider validates AudienceRestriction against.
                Conditions conditions = new Conditions(new TimeSpan(0, 10, 0));
                samlAssertion.Conditions = conditions;
                AudienceRestriction audienceRestriction = new AudienceRestriction();
                audienceRestriction.Audiences.Add(new Audience(authnRequest.AssertionConsumerServiceURL));
                conditions.ConditionsList.Add(audienceRestriction);

                // Bearer confirmation bound to the request, its ACS and the assertion's window.
                // NOTE(review): NotBefore is also set on the bearer confirmation data; the Web SSO
                // profile expects only NotOnOrAfter there, so confirm the SP accepts it.
                SubjectConfirmationData confirmationData = new SubjectConfirmationData
                {
                    InResponseTo = authnRequest.ID,
                    Recipient    = authnRequest.AssertionConsumerServiceURL,
                    NotBefore    = conditions.NotBefore,
                    NotOnOrAfter = conditions.NotOnOrAfter
                };
                SubjectConfirmation confirmation = new SubjectConfirmation(SAMLIdentifiers.SubjectConfirmationMethods.Bearer)
                {
                    SubjectConfirmationData = confirmationData
                };
                Subject subject = new Subject(new NameID(User.Identity.Name));
                subject.SubjectConfirmations.Add(confirmation);
                samlAssertion.Subject = subject;

                AuthnStatement authnStatement = new AuthnStatement
                {
                    AuthnContext = new AuthnContext
                    {
                        AuthnContextClassRef = new AuthnContextClassRef(SAMLIdentifiers.AuthnContextClasses.Password)
                    }
                };
                samlAssertion.Statements.Add(authnStatement);

                samlResponse.Assertions.Add(samlAssertion);
            }

            Trace.Write("IdP", "Created SAML response");

            return(samlResponse);
        }
            public void ThrowsExceptionWhenSubjectConfirmationDataTimeIntervalIsInvalid()
            {
                // Arrange: NotOnOrAfter lies one hour *before* NotBefore, which the validator must reject.
                var data = new SubjectConfirmationData
                {
                    NotBefore = new DateTime(2008, 01, 30, 17, 13, 0, 500, DateTimeKind.Utc)
                };
                data.NotOnOrAfter = data.NotBefore.Value.AddHours(-1);

                var sut = new Saml20SubjectConfirmationDataValidator();

                // Act (the expected exception is presumably declared by an attribute on this test)
                sut.ValidateSubjectConfirmationData(data);
            }
            //ExpectedMessage = "Recipient of SubjectConfirmationData must be a wellformed absolute URI.")]
            public void ThrowsExceptionWhenSubjectConfirmationDataRecipientIsEmpty()
            {
                // Arrange: a whitespace-only Recipient is not a well-formed absolute URI.
                var data = new SubjectConfirmationData();
                data.Recipient = " ";
                var sut = new Saml20SubjectConfirmationDataValidator();

                // Act & Assert
                Assert.Throws(typeof(Saml20FormatException), () => sut.ValidateSubjectConfirmationData(data));
            }
            public void ThrowsExceptionWhenSubjectConfirmationDataTimeIntervalIsInvalid()
            {
                // Arrange: NotOnOrAfter lies one hour before NotBefore.
                var data = new SubjectConfirmationData();
                data.NotBefore    = new DateTime(2008, 01, 30, 17, 13, 0, 500, DateTimeKind.Utc);
                data.NotOnOrAfter = data.NotBefore.Value.AddHours(-1);

                var sut = new Saml20SubjectConfirmationDataValidator();

                // Act & Assert: the message echoes both bounds as UTC strings.
                Assert.Throws<Saml20FormatException>(
                    () => sut.ValidateSubjectConfirmationData(data),
                    "NotBefore 2008-01-30T17:13:00.5Z MUST BE less than NotOnOrAfter 2008-01-30T16:13:00.5Z on SubjectConfirmationData");
            }
        // Create a SAML response with the user's local identity.
        //
        // The assertion names the configured Salesforce login, is valid for one hour and is
        // restricted to the configured audience; its bearer confirmation is addressed to the
        // configured assertion consumer service and expires together with the assertion.
        private SAMLResponse CreateSAMLResponse()
        {
            Trace.Write("IdP", "Creating SAML response");

            SAMLResponse samlResponse = new SAMLResponse();
            samlResponse.Destination = Configuration.AssertionConsumerServiceURL;

            Issuer issuer = new Issuer(Configuration.Issuer);
            samlResponse.Issuer = issuer;
            samlResponse.Status = new Status(SAMLIdentifiers.PrimaryStatusCodes.Success, null);

            SAMLAssertion samlAssertion = new SAMLAssertion { Issuer = issuer };

            // For simplicity, a configured Salesforce user name is used.
            // NB. You must update the web.config to specify a valid Salesforce user name.
            // In a real world application you would perform some sort of local to Salesforce identity mapping.
            Subject subject = new Subject(new NameID(Configuration.SalesforceLoginID, null, null, SAMLIdentifiers.NameIdentifierFormats.Unspecified, null));

            SubjectConfirmationData confirmationData = new SubjectConfirmationData { Recipient = Configuration.AssertionConsumerServiceURL };
            SubjectConfirmation     confirmation     = new SubjectConfirmation(SAMLIdentifiers.SubjectConfirmationMethods.Bearer) { SubjectConfirmationData = confirmationData };
            subject.SubjectConfirmations.Add(confirmation);
            samlAssertion.Subject = subject;

            // One hour of validity, limited to the configured audience.
            Conditions conditions = new Conditions(new TimeSpan(1, 0, 0));
            AudienceRestriction audienceRestriction = new AudienceRestriction();
            audienceRestriction.Audiences.Add(new Audience(audienceURI));
            conditions.ConditionsList.Add(audienceRestriction);
            samlAssertion.Conditions = conditions;

            // The bearer confirmation must not outlive the assertion.
            confirmationData.NotOnOrAfter = conditions.NotOnOrAfter;

            AuthnContext authnContext = new AuthnContext
            {
                AuthnContextClassRef = new AuthnContextClassRef(SAMLIdentifiers.AuthnContextClasses.Unspecified)
            };
            samlAssertion.Statements.Add(new AuthnStatement { AuthnContext = authnContext });

            AttributeStatement attributeStatement = new AttributeStatement();
            attributeStatement.Attributes.Add(new SAMLAttribute(AttributeNames.SSOStartPage, SAMLIdentifiers.AttributeNameFormats.Unspecified, null, CreateAbsoluteURL("~/Login.aspx")));
            attributeStatement.Attributes.Add(new SAMLAttribute(AttributeNames.LogoutURL, SAMLIdentifiers.AttributeNameFormats.Unspecified, null, CreateAbsoluteURL("~/Logout.aspx")));
            samlAssertion.Statements.Add(attributeStatement);

            samlResponse.Assertions.Add(samlAssertion);

            Trace.Write("IdP", "Created SAML response");

            return samlResponse;
        }
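        // Create a SAML response with the user's local identity, if any, or indicating an error.
        //
        // An authenticated user gets a bearer assertion that is bound to the originating
        // AuthnRequest (InResponseTo), to the assertion consumer service it is meant for
        // (Destination / Recipient / Audience) and to a short validity window (NotOnOrAfter),
        // so a captured response cannot be replayed later or presented to another service.
        // Otherwise the response carries a Responder/AuthnFailed status and no assertion.
        private SAMLResponse CreateSAMLResponse(SSOState ssoState)
        {
            Trace.Write("IdP", "Creating SAML response");

            SAMLResponse samlResponse = new SAMLResponse();
            string       issuerURL    = CreateAbsoluteURL("~/");
            Issuer       issuer       = new Issuer(issuerURL);

            samlResponse.Issuer = issuer;

            // Bind the response itself, not only the assertion, to the request and its destination.
            samlResponse.InResponseTo = ssoState.authnRequest.ID;
            samlResponse.Destination  = ssoState.assertionConsumerServiceURL;

            if (User.Identity.IsAuthenticated)
            {
                samlResponse.Status = new Status(SAMLIdentifiers.PrimaryStatusCodes.Success, null);

                SAMLAssertion samlAssertion = new SAMLAssertion();
                samlAssertion.Issuer = issuer;

                // Ten-minute validity, restricted to the service the assertion is sent to.
                // The audience is the ACS URL, as in the other IdP samples in this file; if the
                // service provider checks AudienceRestriction against its entity ID, use that instead.
                Conditions          conditions          = new Conditions(new TimeSpan(0, 10, 0));
                AudienceRestriction audienceRestriction = new AudienceRestriction();
                audienceRestriction.Audiences.Add(new Audience(ssoState.assertionConsumerServiceURL));
                conditions.ConditionsList.Add(audienceRestriction);
                samlAssertion.Conditions = conditions;

                Subject                 subject                 = new Subject(new NameID(User.Identity.Name));
                SubjectConfirmation     subjectConfirmation     = new SubjectConfirmation(SAMLIdentifiers.SubjectConfirmationMethods.Bearer);
                SubjectConfirmationData subjectConfirmationData = new SubjectConfirmationData();
                subjectConfirmationData.InResponseTo        = ssoState.authnRequest.ID;
                subjectConfirmationData.Recipient           = ssoState.assertionConsumerServiceURL;
                // The bearer confirmation expires with the assertion. NotBefore is deliberately
                // not set here: the SAML 2.0 Web SSO profile does not allow it on bearer confirmations.
                subjectConfirmationData.NotOnOrAfter        = conditions.NotOnOrAfter;
                subjectConfirmation.SubjectConfirmationData = subjectConfirmationData;
                subject.SubjectConfirmations.Add(subjectConfirmation);
                samlAssertion.Subject = subject;

                AuthnStatement authnStatement = new AuthnStatement();
                authnStatement.AuthnContext = new AuthnContext();
                authnStatement.AuthnContext.AuthnContextClassRef = new AuthnContextClassRef(SAMLIdentifiers.AuthnContextClasses.Password);
                samlAssertion.Statements.Add(authnStatement);

                // Attributes may be included in the SAML assertion.
                AttributeStatement attributeStatement = new AttributeStatement();
                attributeStatement.Attributes.Add(new SAMLAttribute("Membership", SAMLIdentifiers.AttributeNameFormats.Basic, null, "Gold"));
                samlAssertion.Statements.Add(attributeStatement);

                samlResponse.Assertions.Add(samlAssertion);
            }
            else
            {
                samlResponse.Status = new Status(SAMLIdentifiers.PrimaryStatusCodes.Responder, SAMLIdentifiers.SecondaryStatusCodes.AuthnFailed, "The user is not authenticated at the identity provider");
            }

            Trace.Write("IdP", "Created SAML response");

            return(samlResponse);
        }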
        // Serializes this SubjectConfirmation as a saml:SubjectConfirmation element with its
        // ConfirmationMethod and, when present, the SubjectConfirmationData and KeyInfo children.
        public XElement Serialize()
        {
            var methodElement = new XElement(Constants.XMLNamespaces.SAML + "ConfirmationMethod", ConfirmationMethod);
            var element       = new XElement(Constants.XMLNamespaces.SAML + "SubjectConfirmation", methodElement);

            // Optional children are emitted only when set.
            var data = SubjectConfirmationData;
            if (data != null)
            {
                element.Add(data.Serialize());
            }

            var keyInfo = KeyInfo;
            if (keyInfo != null)
            {
                element.Add(keyInfo.Serialize(false));
            }

            return element;
        }
        /// <summary>
        /// Adds a subject confirmation to the response being built. The confirmation data names the
        /// recipient and expires <paramref name="minutes"/> after the builder's reference time, which
        /// is what lets a relying party reject a replayed or mis-directed assertion.
        /// </summary>
        /// <param name="method">
        /// Confirmation method URI. The <see cref="DefaultValueAttribute"/> is metadata only: C# callers
        /// still have to pass the value themselves (the bearer method is the conventional choice).
        /// </param>
        /// <param name="recipient">Endpoint the assertion is intended for.</param>
        /// <param name="minutes">Validity window, in minutes, measured from the builder's reference time.</param>
        public void AddConfirmation([DefaultValue("urn:oasis:names:tc:SAML:2.0:cm:bearer")] string method, Uri recipient, int minutes)
        {
            var confirmation = new SubjectConfirmation { Method = new Uri(method) };

            // NOTE(review): _now's DateTimeKind is not visible here; DateTimeOffset(DateTime) applies the
            // local offset for Unspecified/Local kinds, so confirm _now is UTC.
            var expiry = new DateTimeOffset(_now.AddMinutes(minutes));
            var data   = new SubjectConfirmationData
            {
                NotOnOrAfter = expiry,
                Recipient    = recipient
            };
            confirmation.Add(data);

            _confirmation = confirmation;
            _response.Subject.Add(_confirmation);
        }
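        /// <summary>
        /// Builds the SAML response for an AuthnRequest. An authenticated user gets a bearer
        /// assertion bound to the request (InResponseTo) and to the assertion consumer service
        /// (Recipient); otherwise a Responder/AuthnFailed status is returned without an assertion.
        /// </summary>
        /// <param name="page">The page whose <c>User</c> identity is asserted and which GetAbsoluteUrl resolves the issuer URL against.</param>
        /// <param name="authnRequest">The AuthnRequest object.</param>
        /// <returns>A SAML Response object.</returns>
        /// <exception cref="ArgumentNullException">Thrown when <paramref name="page"/> or <paramref name="authnRequest"/> is null.</exception>
        public static ComponentPro.Saml2.Response BuildResponse(Page page, AuthnRequest authnRequest)
        {
            // Fail with a clear parameter name instead of a NullReferenceException further down.
            if (page == null)
            {
                throw new ArgumentNullException("page");
            }
            if (authnRequest == null)
            {
                throw new ArgumentNullException("authnRequest");
            }

            ComponentPro.Saml2.Response samlResponse = new ComponentPro.Saml2.Response();
            samlResponse.Destination = Global.AssertionServiceUrl;
            Issuer issuer = new Issuer(GetAbsoluteUrl(page, "~/"));

            samlResponse.Issuer = issuer;

            if (page.User.Identity.IsAuthenticated)
            {
                samlResponse.Status = new Status(SamlPrimaryStatusCode.Success, null);

                // NOTE(review): the assertion carries no validity window (NotOnOrAfter) and no
                // AudienceRestriction, so a captured response stays usable until the SP's own limits
                // apply; confirm the SP enforces a window, or add one if this API exposes it.
                Assertion samlAssertion = new Assertion();
                samlAssertion.Issuer = issuer;

                // Bearer confirmation tied to the originating request and the configured ACS.
                Subject                 subject                 = new Subject(new NameId(page.User.Identity.Name));
                SubjectConfirmation     subjectConfirmation     = new SubjectConfirmation(SamlSubjectConfirmationMethod.Bearer);
                SubjectConfirmationData subjectConfirmationData = new SubjectConfirmationData();
                subjectConfirmationData.InResponseTo        = authnRequest.Id;
                subjectConfirmationData.Recipient           = Global.AssertionServiceUrl;
                subjectConfirmation.SubjectConfirmationData = subjectConfirmationData;
                subject.SubjectConfirmations.Add(subjectConfirmation);
                samlAssertion.Subject = subject;

                AuthnStatement authnStatement = new AuthnStatement();
                authnStatement.AuthnContext = new AuthnContext();
                authnStatement.AuthnContext.AuthnContextClassRef = new AuthnContextClassRef(SamlAuthenticateContext.Password);
                samlAssertion.Statements.Add(authnStatement);

                samlResponse.Assertions.Add(samlAssertion);
            }
            else
            {
                samlResponse.Status = new Status(SamlPrimaryStatusCode.Responder, SamlSecondaryStatusCode.AuthnFailed, "The user is not authenticated at the identity provider");
            }

            return(samlResponse);
        }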
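        // Create a SAML response with the user's local identity.
        //
        // This is the IdP-initiated (unsolicited) flow, so there is no AuthnRequest to reference.
        // The bearer assertion is still bound to the configured assertion consumer service
        // (Destination / Recipient / Audience) and given a short validity window (NotOnOrAfter),
        // so a captured response cannot be replayed later or presented to another service.
        private SAMLResponse CreateSAMLResponse()
        {
            Trace.Write("IdP", "Creating SAML response");

            SAMLResponse samlResponse = new SAMLResponse();

            samlResponse.Destination = Configuration.AssertionConsumerServiceURL;
            Issuer issuer = new Issuer(CreateAbsoluteURL("~/"));

            samlResponse.Issuer = issuer;
            samlResponse.Status = new Status(SAMLIdentifiers.PrimaryStatusCodes.Success, null);

            SAMLAssertion samlAssertion = new SAMLAssertion();

            samlAssertion.Issuer = issuer;

            // Ten-minute validity, restricted to the service the assertion is sent to.
            // The audience is the ACS URL, as in the other IdP samples in this file; if the
            // service provider checks AudienceRestriction against its entity ID, use that instead.
            Conditions          conditions          = new Conditions(new TimeSpan(0, 10, 0));
            AudienceRestriction audienceRestriction = new AudienceRestriction();

            audienceRestriction.Audiences.Add(new Audience(Configuration.AssertionConsumerServiceURL));
            conditions.ConditionsList.Add(audienceRestriction);
            samlAssertion.Conditions = conditions;

            Subject                 subject                 = new Subject(new NameID(User.Identity.Name));
            SubjectConfirmation     subjectConfirmation     = new SubjectConfirmation(SAMLIdentifiers.SubjectConfirmationMethods.Bearer);
            SubjectConfirmationData subjectConfirmationData = new SubjectConfirmationData();

            subjectConfirmationData.Recipient           = Configuration.AssertionConsumerServiceURL;
            // The bearer confirmation expires with the assertion. NotBefore is deliberately
            // not set here: the SAML 2.0 Web SSO profile does not allow it on bearer confirmations.
            subjectConfirmationData.NotOnOrAfter        = conditions.NotOnOrAfter;
            subjectConfirmation.SubjectConfirmationData = subjectConfirmationData;
            subject.SubjectConfirmations.Add(subjectConfirmation);
            samlAssertion.Subject = subject;

            AuthnStatement authnStatement = new AuthnStatement();

            authnStatement.AuthnContext = new AuthnContext();
            authnStatement.AuthnContext.AuthnContextClassRef = new AuthnContextClassRef(SAMLIdentifiers.AuthnContextClasses.Password);
            samlAssertion.Statements.Add(authnStatement);

            samlResponse.Assertions.Add(samlAssertion);

            Trace.Write("IdP", "Created SAML response");

            return(samlResponse);
        }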
        /// <summary>
        /// Checks that the arbitrary child elements of a SubjectConfirmationData contain at least one
        /// ds:KeyInfo element (namespace http://www.w3.org/2000/09/xmldsig#) and that every such element
        /// is non-empty, i.e. actually identifies a key.
        /// </summary>
        /// <param name="subjectConfirmationData">The subject confirmation data.</param>
        /// <exception cref="Saml20FormatException">
        /// Thrown when the data is null, has no child elements, contains an empty KeyInfo, or contains no KeyInfo at all.
        /// </exception>
        public void ValidateKeyInfo(SubjectConfirmationData subjectConfirmationData)
        {
            if (subjectConfirmationData == null)
            {
                throw new Saml20FormatException("SubjectConfirmationData cannot be null when KeyInfo subelements are required");
            }

            var elements = subjectConfirmationData.AnyElements;
            if (elements == null)
            {
                throw new Saml20FormatException(string.Format("SubjectConfirmationData element MUST have at least one {0} subelement", KeyInfo.ElementName));
            }

            var keyInfoSeen = false;

            foreach (var element in elements)
            {
                var isKeyInfo = element.NamespaceURI == Saml20Constants.Xmldsig
                                && element.LocalName == KeyInfo.ElementName;
                if (!isKeyInfo)
                {
                    continue;
                }

                keyInfoSeen = true;

                // A KeyInfo element MUST identify a cryptographic key, so an empty one is rejected.
                if (!element.HasChildNodes)
                {
                    throw new Saml20FormatException(string.Format("{0} subelement of SubjectConfirmationData MUST NOT be empty", KeyInfo.ElementName));
                }
            }

            // At least one ds:KeyInfo MUST be present among the arbitrary elements.
            if (!keyInfoSeen)
            {
                throw new Saml20FormatException(string.Format("SubjectConfirmationData element MUST contain at least one {0} in namespace {1}", KeyInfo.ElementName, Saml20Constants.Xmldsig));
            }
        }
        protected override Assertion GenerateAssertion()
        {
            // How the subject is confirmed depends on the authentication level:
            //  - username/password        -> a UsernameToken carrying the credentials
            //  - MOCES user / VOCES system -> a KeyInfo reference to the OCES signature,
            //                                 confirmed as holder-of-key
            //  - any other level leaves the default confirmation untouched
            SubjectConfirmation confirmation = new SubjectConfirmation();

            if (AuthenticationLevel.Equals(AuthenticationLevel.UsernamePasswordAuthentication))
            {
                UsernameToken token = new UsernameToken
                {
                    Username = Username,
                    Password = Password
                };
                confirmation.SubjectConfirmationData = new SubjectConfirmationData { Item = token };
            }
            else if (AuthenticationLevel.Equals(AuthenticationLevel.MocesTrustedUser)
                     || AuthenticationLevel.Equals(AuthenticationLevel.VocesTrustedSystem))
            {
                KeyInfo keyInfo = new KeyInfo { Item = "OCESSignature" };
                confirmation.SubjectConfirmationData = new SubjectConfirmationData { Item = keyInfo };
                confirmation.ConfirmationMethod      = ConfirmationMethod.urnoasisnamestcSAML20cmholderofkey;
            }

            // With NoAuthentication the subject carries no confirmation at all.
            bool noAuthentication = AuthenticationLevel.Equals(AuthenticationLevel.NoAuthentication);

            // The subject is the care provider itself unless an alternative identifier was supplied.
            NameID nameId;
            if (string.IsNullOrEmpty(AlternativeIdentifier))
            {
                nameId = new NameID
                {
                    Format = SystemInfo.CareProvider.Type,
                    Value  = SystemInfo.CareProvider.Id
                };
            }
            else
            {
                nameId = new NameID
                {
                    Format = SubjectIdentifierType.medcomother,
                    Value  = AlternativeIdentifier
                };
            }

            // IDCardData statement: identity and provenance of the ID card itself.
            Attribute[] idCardAttributes =
            {
                new Attribute { Name = AttributeName.sosiIDCardID,            AttributeValue = IdCardId },
                new Attribute { Name = AttributeName.sosiIDCardVersion,       AttributeValue = Version },
                new Attribute { Name = AttributeName.sosiIDCardType,          AttributeValue = "system" },
                new Attribute { Name = AttributeName.sosiAuthenticationLevel, AttributeValue = AuthenticationLevel.Level.ToString() },
                new Attribute { Name = AttributeName.sosiOCESCertHash,        AttributeValue = CertHash }
            };

            // SystemLog statement: which IT system and care provider issued the card.
            Attribute[] systemLogAttributes =
            {
                new Attribute { Name = AttributeName.medcomITSystemName, AttributeValue = SystemInfo.ItSystemName },
                new Attribute
                {
                    Name                = AttributeName.medcomCareProviderID,
                    AttributeValue      = SystemInfo.CareProvider.Id,
                    NameFormatSpecified = true,
                    NameFormat          = SystemInfo.CareProvider.Type
                },
                new Attribute { Name = AttributeName.medcomCareProviderName, AttributeValue = SystemInfo.CareProvider.OrgName }
            };

            Assertion assertion = new Assertion
            {
                IssueInstant = CreatedDate,
                id           = "IDCard",
                Version      = 2.0m,
                Issuer       = Issuer,
                Conditions   = new Conditions
                {
                    NotBefore    = CreatedDate,
                    NotOnOrAfter = ExpiryDate
                },
                Subject = new Subject
                {
                    NameID              = nameId,
                    SubjectConfirmation = noAuthentication ? null : confirmation
                },
                AttributeStatement = new[]
                {
                    new AttributeStatement { id = AttributeStatementID.IDCardData, Attribute = idCardAttributes },
                    new AttributeStatement { id = AttributeStatementID.SystemLog,  Attribute = systemLogAttributes }
                }
            };

            return assertion;
        }
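        // Builds the complete SAML response for the given assertion consumer service: issuer,
        // status, one assertion per attribute, and optional signing/encryption. When a partner
        // service provider configuration exists for the current partner, its sign/encrypt
        // settings override the caller-supplied flags.
        //
        // assertionConsumerServiceUrl - SP endpoint that receives the response; also the Recipient
        //                               of the bearer SubjectConfirmationData.
        // attributes                  - attributes to include; the ProfileId attribute supplies the NameID.
        // requestId                   - ID of the originating AuthnRequest, or null for IdP-initiated SSO.
        // signAssertion/signResponse/encryptAssertion - defaults used only when no partner configuration is found.
        // Returns the serialized <samlp:Response> element, signed when requested.
        // Throws ArgumentNullException when attributes is null, and InvalidOperationException when the
        // attribute list has no ProfileId, when encryption is requested without a partner certificate,
        // or when signing is requested with a certificate that has no private key.
        private static XmlElement CreateSamlResponse(string assertionConsumerServiceUrl, List<SAMLAttribute> attributes, string requestId = null, bool signAssertion = false, bool signResponse = false, bool encryptAssertion = false)
        {
            if (attributes == null)
            {
                throw new ArgumentNullException("attributes");
            }

            // One timestamp for the whole message so IssueInstant, AuthnInstant and the validity
            // window agree. SAML timestamps are UTC xs:dateTime values, so UtcNow rather than the
            // web server's local time.
            var issueInstant = DateTime.UtcNow;
            // NOTE(review): a one-day window is generous for a bearer assertion; tighten it to
            // minutes plus the expected IdP/SP clock skew once that is known for the deployment.
            var notOnOrAfter = issueInstant.AddDays(1);

            var samlResponse = new SAMLResponse {
                Destination = assertionConsumerServiceUrl
            };

            var idpConfig = SAMLConfiguration.Current.IdentityProviderConfiguration;
            var issuer    = new Issuer(idpConfig.Name);
            var issuerX509CertificateFilePath = Path.Combine(HttpRuntime.AppDomainAppPath, idpConfig.CertificateFile);
            var issuerX509Certificate         = new X509Certificate2(issuerX509CertificateFilePath, idpConfig.CertificatePassword);

            // The partner is remembered in session from the incoming request; fall back to the
            // default service provider when there is none.
            var partner       = SessionHelper.Get<string>(PartnerSpSessionKey) ?? SAMLConfiguration.Current.ServiceProviderConfiguration.Name;
            var partnerConfig = SAMLConfiguration.Current.PartnerServiceProviderConfigurations[partner];
            X509Certificate2 partnerX509Certificate = null;

            if (partnerConfig != null)
            {
                // Partner settings are authoritative over the caller's defaults.
                partnerX509Certificate = new X509Certificate2(Path.Combine(HttpRuntime.AppDomainAppPath, partnerConfig.CertificateFile));
                signAssertion    = partnerConfig.SignAssertion;
                signResponse     = partnerConfig.SignSAMLResponse;
                encryptAssertion = partnerConfig.EncryptAssertion;
            }

            // Fail before building anything if the requested protections cannot be applied.
            if (encryptAssertion && partnerX509Certificate == null)
            {
                throw new InvalidOperationException("Assertion encryption was requested but no partner certificate is configured for '" + partner + "'.");
            }

            if ((signAssertion || signResponse) && !issuerX509Certificate.HasPrivateKey)
            {
                throw new InvalidOperationException("Signing was requested but the identity provider certificate has no private key.");
            }

            samlResponse.Issuer       = issuer;
            samlResponse.Status       = new Status(SAMLIdentifiers.PrimaryStatusCodes.Success, null);
            samlResponse.IssueInstant = issueInstant;
            samlResponse.InResponseTo = requestId;

            var samlAssertion = new SAMLAssertion {
                Issuer = issuer, IssueInstant = issueInstant
            };

            // The NameID comes from the first value of the ProfileId attribute. An assertion
            // without a subject identifier is useless to the SP, so fail loudly rather than
            // emitting an empty NameID.
            var profileId = attributes.Where(a => a.Name == PortalClaimTypes.ProfileId)
                                      .SelectMany(a => a.Values)
                                      .Select(v => v.ToString())
                                      .FirstOrDefault();

            if (string.IsNullOrEmpty(profileId))
            {
                throw new InvalidOperationException("The attribute list does not contain a ProfileId value to use as the NameID.");
            }

            var subject             = new Subject(new NameID(profileId));
            var subjectConfirmation = new SubjectConfirmation(SAMLIdentifiers.SubjectConfirmationMethods.Bearer);

            // Bearer confirmation is bound to the recipient, time-limited, and — for SP-initiated
            // SSO — tied to the request it answers, as the SAML 2.0 Web Browser SSO profile requires.
            var subjectConfirmationData = new SubjectConfirmationData {
                Recipient    = assertionConsumerServiceUrl,
                NotOnOrAfter = notOnOrAfter,
                InResponseTo = requestId
            };

            subjectConfirmation.SubjectConfirmationData = subjectConfirmationData;
            subject.SubjectConfirmations.Add(subjectConfirmation);
            samlAssertion.Subject = subject;

            // Restrict the assertion to the partner it was issued for.
            var conditions          = new Conditions(issueInstant, notOnOrAfter);
            var audienceRestriction = new AudienceRestriction();

            audienceRestriction.Audiences.Add(new Audience(partner));
            conditions.ConditionsList.Add(audienceRestriction);
            samlAssertion.Conditions = conditions;

            var authnStatement = new AuthnStatement {
                AuthnContext = new AuthnContext(), AuthnInstant = issueInstant
            };

            authnStatement.AuthnContext.AuthnContextClassRef = new AuthnContextClassRef(SAMLIdentifiers.AuthnContextClasses.X509);
            samlAssertion.Statements.Add(authnStatement);

            // One AttributeStatement per attribute, preserving the caller's order.
            foreach (var attribute in attributes)
            {
                var attributeStatement = new AttributeStatement();

                attributeStatement.Attributes.Add(attribute);
                samlAssertion.Statements.Add(attributeStatement);
            }

            var samlAssertionXml = samlAssertion.ToXml();

            // Sign the assertion before encrypting it so the signature is protected as well.
            if (signAssertion)
            {
                SAMLAssertionSignature.Generate(samlAssertionXml, issuerX509Certificate.PrivateKey, issuerX509Certificate);
            }

            if (encryptAssertion)
            {
                var encryptedAssertion = new EncryptedAssertion(samlAssertionXml, partnerX509Certificate);

                samlResponse.Assertions.Add(encryptedAssertion.ToXml());
            }
            else
            {
                samlResponse.Assertions.Add(samlAssertionXml);
            }

            var samlResponseXml = samlResponse.ToXml();

            if (signResponse)
            {
                SAMLMessageSignature.Generate(samlResponseXml, issuerX509Certificate.PrivateKey, issuerX509Certificate);
            }

            return samlResponseXml;
        }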
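        // Create a SAML response with the user's local identity, if any, or indicating an error.
        //
        // authnRequest - the service provider's <AuthnRequest> being answered. Its ID is echoed as
        //                InResponseTo on both the response and the bearer SubjectConfirmationData so
        //                the SP can tie the assertion to the request it actually sent.
        // Returns a Success response carrying one assertion for the authenticated local user, or a
        // Responder/AuthnFailed response with no assertion when nobody is signed in.
        // Throws ArgumentNullException when authnRequest is null.
        private SAMLResponse CreateSAMLResponse(AuthnRequest authnRequest)
        {
            if (authnRequest == null)
            {
                throw new ArgumentNullException("authnRequest");
            }

            Trace.Write("IdP", "Creating SAML response");

            SAMLResponse samlResponse = new SAMLResponse();
            samlResponse.Destination  = Configuration.AssertionConsumerServiceURL;
            samlResponse.InResponseTo = authnRequest.ID;
            Issuer issuer = new Issuer(CreateAbsoluteURL("~/"));
            samlResponse.Issuer = issuer;

            if (User.Identity.IsAuthenticated) {
                samlResponse.Status = new Status(SAMLIdentifiers.PrimaryStatusCodes.Success, null);

                SAMLAssertion samlAssertion = new SAMLAssertion();
                samlAssertion.Issuer = issuer;

                Subject subject = new Subject(new NameID(User.Identity.Name));
                SubjectConfirmation subjectConfirmation = new SubjectConfirmation(SAMLIdentifiers.SubjectConfirmationMethods.Bearer);
                SubjectConfirmationData subjectConfirmationData = new SubjectConfirmationData();
                subjectConfirmationData.InResponseTo = authnRequest.ID;
                subjectConfirmationData.Recipient = Configuration.AssertionConsumerServiceURL;
                // A bearer confirmation must expire; without NotOnOrAfter a captured response could be
                // replayed indefinitely. One hour is a sample value — tighten it to a few minutes plus the
                // expected IdP/SP clock skew in production.
                subjectConfirmationData.NotOnOrAfter = DateTime.UtcNow.AddHours(1);
                subjectConfirmation.SubjectConfirmationData = subjectConfirmationData;
                subject.SubjectConfirmations.Add(subjectConfirmation);
                samlAssertion.Subject = subject;

                // The local login is password based, so say so in the authentication context.
                AuthnStatement authnStatement = new AuthnStatement();
                authnStatement.AuthnContext = new AuthnContext();
                authnStatement.AuthnContext.AuthnContextClassRef = new AuthnContextClassRef(SAMLIdentifiers.AuthnContextClasses.Password);
                samlAssertion.Statements.Add(authnStatement);

                samlResponse.Assertions.Add(samlAssertion);
            } else {
                // No assertion is issued for an anonymous user; the SP receives an explicit failure status instead.
                samlResponse.Status = new Status(SAMLIdentifiers.PrimaryStatusCodes.Responder, SAMLIdentifiers.SecondaryStatusCodes.AuthnFailed, "The user is not authenticated at the identity provider");
            }

            Trace.Write("IdP", "Created SAML response");

            return samlResponse;
        }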
        private void BuildSamlRequest()
        {
            // Reveal the SAML agent <div> once the page has loaded; the element id is resolved
            // server-side because ASP.NET rewrites client ids.
            string revealDividerScript = @"
                <script language=""javascript"">
                <!--
                    var dividerID = '" + this.SamlAgentDiv.ClientID + @"';
                    var divider = document.getElementById(dividerID);

                    divider.style.visibility = 'visible';
                //-->
	            </script>";
            ClientScript.RegisterStartupScript(typeof(Page), "OpaqueDivider", revealDividerScript);

            // The vendor certificate signs the response. The Selerix (recipient) certificate is loaded
            // but not used here: this test page sends the assertion unencrypted.
            X509Certificate2 vendorCertificate  = GetVendorCertificate();
            X509Certificate2 selerixCertificate = GetSelerixCertificate();

            // Test endpoint and audience for the local consumer.
            const string assertionConsumerServiceURL = "http://localhost:49000/login.aspx?Path=SAML_TEST";
            const string audienceName                = "whatever audience";

            Issuer issuer = new Issuer("Vendor");

            SAMLResponse samlResponse = new SAMLResponse
            {
                Destination = assertionConsumerServiceURL,
                Issuer      = issuer,
                Status      = new Status(SAMLIdentifiers.PrimaryStatusCodes.Success, null)
            };

            // Subject: the e-mail typed into the form, confirmed as a bearer token that is only
            // valid at the consumer URL for the next hour.
            Subject subject = new Subject(new NameID(this._EmailText.Text));

            SubjectConfirmationData confirmationData = new SubjectConfirmationData
            {
                Recipient    = assertionConsumerServiceURL,
                NotOnOrAfter = DateTime.UtcNow.AddHours(1)
            };
            SubjectConfirmation confirmation = new SubjectConfirmation(SAMLIdentifiers.SubjectConfirmationMethods.Bearer)
            {
                SubjectConfirmationData = confirmationData
            };
            subject.SubjectConfirmations.Add(confirmation);

            // Conditions: one-hour validity, restricted to the test audience.
            AudienceRestriction audienceRestriction = new AudienceRestriction();
            audienceRestriction.Audiences.Add(new Audience(audienceName));

            Conditions conditions = new Conditions(new TimeSpan(1, 0, 0));
            conditions.ConditionsList.Add(audienceRestriction);

            AuthnStatement authnStatement = new AuthnStatement { AuthnContext = new AuthnContext() };
            authnStatement.AuthnContext.AuthnContextClassRef = new AuthnContextClassRef(SAMLIdentifiers.AuthnContextClasses.Unspecified);

            // The transmittal only travels when one was built and both names were entered.
            AttributeStatement attributeStatement = new AttributeStatement();
            Transmittal        transmittal        = BuildTransmittal();

            bool haveNames = !string.IsNullOrEmpty(this._FirstName.Text) && !string.IsNullOrEmpty(this._LastName.Text);
            if (transmittal != null && haveNames)
            {
                string transmittalXml = SerializationHelper.SerializeToString(transmittal);
                attributeStatement.Attributes.Add(new SAMLAttribute("Transmittal", SAMLIdentifiers.AttributeNameFormats.Basic, null, transmittalXml));
            }

            SAMLAssertion samlAssertion = new SAMLAssertion
            {
                Issuer     = issuer,
                Subject    = subject,
                Conditions = conditions
            };
            samlAssertion.Statements.Add(authnStatement);
            samlAssertion.Statements.Add(attributeStatement);

            // Plain assertion; an EncryptedAssertion for the Selerix certificate would go here instead.
            samlResponse.Assertions.Add(samlAssertion);

            // Serialize and sign the response with the vendor key.
            XmlElement samlResponseXml = samlResponse.ToXml();
            SAMLMessageSignature.Generate(samlResponseXml, vendorCertificate.PrivateKey, vendorCertificate);

            var response = HttpContext.Current.Response;
            response.AddHeader("Cache-Control", "no-cache");
            response.AddHeader("Pragma", "no-cache");

            // Empty relay state: this page only exercises the POST binding.
            IdentityProvider.SendSAMLResponseByHTTPPost(response, assertionConsumerServiceURL, samlResponseXml, "");// for test purposes
        }
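        /// <summary>
        /// Processes a successful SAML response and redirect to the requested URL.
        /// </summary>
        /// <remarks>
        /// Nothing here verifies the response signature, Conditions or Recipient: the caller must
        /// have validated the response before handing it in, otherwise an unverified assertion
        /// becomes a login. The login name is the <c>eduPersonPrincipalName</c> attribute when the
        /// subject carries a plain NameID, and the decrypted NameID when the subject is encrypted.
        /// Attributes of the first AttributeStatement are exposed to the application through the
        /// <c>samlAttributes</c> session entry, keyed by friendly name.
        /// </remarks>
        /// <param name="page">The page object.</param>
        /// <param name="samlResponse">The SAML response object.</param>
        /// <param name="relayState">The relay state.</param>
        /// <exception cref="ApplicationException">
        /// The response has no assertion, an encrypted element cannot be decrypted because no SP
        /// certificate is loaded, no user name can be derived from the assertion, or the relay state
        /// does not map to a cached resource URL.
        /// </exception>
        public static void SamlSuccessRedirect(Page page, ComponentPro.Saml2.Response samlResponse, string relayState)
        {
            // Get the previously loaded certificate; only needed to decrypt encrypted content.
            X509Certificate2 x509Certificate = (X509Certificate2)page.Application[Global.SpCertKey];

            Assertion samlAssertion;

            // Check assertions: a plain assertion wins, then an encrypted one.
            if (samlResponse.GetAssertions().Count > 0)
            {
                samlAssertion = samlResponse.GetAssertions()[0];
            }
            else if (samlResponse.GetEncryptedAssertions().Count > 0)
            {
                if (x509Certificate == null)
                {
                    throw new ApplicationException("No service provider certificate is loaded to decrypt the assertion");
                }

                samlAssertion = samlResponse.GetEncryptedAssertions()[0].Decrypt(x509Certificate.PrivateKey, null);
            }
            else
            {
                throw new ApplicationException("No assertions in response");
            }

            string userName;

            // Get the subject name identifier.
            if (samlAssertion.Subject.NameId != null)
            {
                // The NameID itself is not the login name here; the IdP's eduPersonPrincipalName attribute is.
                userName = samlAssertion.GetAttributeValueByFriendlyName("eduPersonPrincipalName");

                // A repeated friendly name overwrites the earlier value instead of throwing; attributes
                // without a friendly name or without a value are skipped.
                System.Collections.Generic.Dictionary<string, string> dict = new System.Collections.Generic.Dictionary<string, string>();

                if (samlAssertion.AttributeStatements.Count > 0)
                {
                    foreach (ComponentPro.Saml2.Attribute attribute in samlAssertion.AttributeStatements[0].Attributes)
                    {
                        if (attribute.FriendlyName == null || attribute.Values.Count == 0)
                        {
                            continue;
                        }

                        dict[attribute.FriendlyName] = attribute.Values[0].ToString();
                        // Trace the attribute name only: the values are personal data and do not belong in logs.
                        System.Diagnostics.Trace.WriteLine("SAML attribute received: " + attribute.FriendlyName);
                    }
                }
                HttpContext.Current.Session.Add("samlAttributes", dict);
            }
            else if (samlAssertion.Subject.EncryptedId != null)
            {
                if (x509Certificate == null)
                {
                    throw new ApplicationException("No service provider certificate is loaded to decrypt the subject");
                }

                NameId nameId = samlAssertion.Subject.EncryptedId.Decrypt(x509Certificate.PrivateKey, null);
                userName = nameId.NameIdentifier;
            }
            else
            {
                throw new ApplicationException("No name in subject");
            }

            // Never create a login for an empty principal.
            if (string.IsNullOrEmpty(userName))
            {
                throw new ApplicationException("No user name could be derived from the assertion");
            }

            // Get the originally requested resource URL from the relay state. The URL was stored by
            // this SP when it started the flow, so it is not attacker-chosen.
            string resourceUrl = (string)SamlSettings.CacheProvider.Remove(relayState);
            if (resourceUrl == null)
            {
                throw new ApplicationException("Invalid relay state");
            }

            // Create a login context for the asserted identity.
            FormsAuthentication.SetAuthCookie(userName, false);

            // Redirect to the originally requested resource URL.
            page.Response.Redirect(resourceUrl, false);
        }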
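        /// <summary>
        /// Handles the Click event of the submitButton control.
        /// </summary>
        /// <remarks>
        /// Test-harness handler. It deserializes the transmittal XML pasted into the page (showing
        /// any deserialization error chain in the same text box rather than failing the request),
        /// stores the transmittal in session, then builds a signed SAML response carrying the
        /// transmittal and the yes/no transmittal options and POSTs it to the local
        /// <c>SamlResponse.aspx</c> consumer. The assertion is sent unencrypted; to encrypt it,
        /// wrap <c>samlAssertion</c> in an <c>EncryptedAssertion</c> for the recipient's certificate
        /// before adding it to the response.
        /// </remarks>
        /// <param name="sender">The source of the event.</param>
        /// <param name="e">The <see cref="System.EventArgs"/> instance containing the event data.</param>
        private void submitButton_Click(object sender, EventArgs e)
        {
            Transmittal transmittal = null;
            string      employeeID  = this._EmployeeID.Text;

            if (!string.IsNullOrEmpty(this._XMLText.Text))
            {
                try
                {
                    transmittal = (Transmittal)SerializationHelper.DeserializeFromString(this._XMLText.Text, typeof(Transmittal));
                }
                catch (Exception exception)
                {
                    // Show the whole exception chain so the tester can see why the XML was rejected.
                    this._XMLText.Text = exception.Message;
                    Exception inner = exception.InnerException;

                    while (inner != null)
                    {
                        this._XMLText.Text += "\n" + inner.Message;
                        inner = inner.InnerException;
                    }

                    this._XMLText.Text = PrepareSourceCode(this._XMLText.Text);
                }
            }

            // Bind the employee id to the first applicant before the transmittal is serialized below.
            // An empty id never overwrites the transmittal's own value.
            if (!string.IsNullOrEmpty(employeeID) && transmittal != null && transmittal.Applicants != null && transmittal.Applicants.Count > 0)
            {
                transmittal.Applicants[0].EmployeeIdent = employeeID;
            }

            Session["Transmittal"] = transmittal;

            //Creating SAML response
            X509Certificate2 vendorCertificate = GetVendorCertificate();

            string assertionConsumerServiceURL = "SamlResponse.aspx";
            string audienceName = "whatever audience";

            SAMLResponse samlResponse = new SAMLResponse();

            samlResponse.Destination = assertionConsumerServiceURL;
            Issuer issuer = new Issuer("Vendor");

            samlResponse.Issuer = issuer;
            samlResponse.Status = new Status(SAMLIdentifiers.PrimaryStatusCodes.Success, null);

            SAMLAssertion samlAssertion = new SAMLAssertion();

            samlAssertion.Issuer = issuer;

            // The employee id is the subject; the bearer confirmation is bound to the consumer URL
            // and expires after an hour so a captured response cannot be replayed indefinitely.
            Subject subject = new Subject(new NameID(employeeID)); //employee ID

            SubjectConfirmation     subjectConfirmation     = new SubjectConfirmation(SAMLIdentifiers.SubjectConfirmationMethods.Bearer);
            SubjectConfirmationData subjectConfirmationData = new SubjectConfirmationData();

            subjectConfirmationData.Recipient           = assertionConsumerServiceURL;
            subjectConfirmationData.NotOnOrAfter        = DateTime.UtcNow.AddHours(1);
            subjectConfirmation.SubjectConfirmationData = subjectConfirmationData;
            subject.SubjectConfirmations.Add(subjectConfirmation);

            samlAssertion.Subject = subject;

            // One-hour validity, restricted to the test audience.
            Conditions          conditions          = new Conditions(new TimeSpan(1, 0, 0));
            AudienceRestriction audienceRestriction = new AudienceRestriction();

            audienceRestriction.Audiences.Add(new Audience(audienceName));
            conditions.ConditionsList.Add(audienceRestriction);
            samlAssertion.Conditions = conditions;

            AuthnStatement authnStatement = new AuthnStatement();

            authnStatement.AuthnContext = new AuthnContext();
            authnStatement.AuthnContext.AuthnContextClassRef = new AuthnContextClassRef(SAMLIdentifiers.AuthnContextClasses.Unspecified);
            samlAssertion.Statements.Add(authnStatement);

            AttributeStatement attributeStatement = new AttributeStatement();

            if (transmittal != null)
            {
                // The employee id was already applied above, so the serialized transmittal carries it.
                attributeStatement.Attributes.Add(new SAMLAttribute("Transmittal", SAMLIdentifiers.AttributeNameFormats.Basic, null, SerializationHelper.SerializeToString(transmittal)));
            }

            //Check for Transmittal Options: each known option is sent as a yes/no attribute named
            // after its list value; unknown values are ignored.
            string[] transmittalOptions = { "HeaderAndFooter", "Sidebar", "PersonalInfo", "Welcome", "Review" };

            for (int i = 0; i < _TransmittalOptionsList.Items.Count; i++)
            {
                var item = _TransmittalOptionsList.Items[i];

                if (Array.IndexOf(transmittalOptions, item.Value) < 0)
                {
                    continue;
                }

                string answer = item.Selected ? "yes" : "no";

                attributeStatement.Attributes.Add(new SAMLAttribute(item.Value, SAMLIdentifiers.AttributeNameFormats.Basic, null, answer));
            }

            samlAssertion.Statements.Add(attributeStatement);

            // Plain assertion; an EncryptedAssertion for the recipient certificate would go here instead.
            samlResponse.Assertions.Add(samlAssertion);

            //Sending SAML response

            // Serialize the SAML response for transmission.
            XmlElement samlResponseXml = samlResponse.ToXml();

            // Sign the SAML response.
            SAMLMessageSignature.Generate(samlResponseXml, vendorCertificate.PrivateKey, vendorCertificate);

            HttpContext.Current.Response.AddHeader("Cache-Control", "no-cache");
            HttpContext.Current.Response.AddHeader("Pragma", "no-cache");

            // Empty relay state: this page only exercises the POST binding.
            IdentityProvider.SendSAMLResponseByHTTPPost(HttpContext.Current.Response, assertionConsumerServiceURL, samlResponseXml, "");// for test purposes
        }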
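        /// <summary>
        /// IdP-initiated SSO entry point: issues a signed SAML response for the locally
        /// authenticated user and POSTs it to the service provider's consumer URL.
        /// </summary>
        /// <remarks>
        /// Nothing is sent when the <c>spUrl</c> query parameter is missing or when the visitor is
        /// not authenticated. Any failure while building or sending the response is traced and
        /// swallowed, so the page renders without a redirect in that case.
        /// </remarks>
        /// <param name="e">Event data forwarded to the base <c>OnLoad</c>.</param>
        protected override void OnLoad(EventArgs e)
        {
            base.OnLoad(e);

            try
            {
                // Extract the SP target url.
                string targetUrl = Request.QueryString["spUrl"];

                // Nothing to do without a target.
                if (string.IsNullOrEmpty(targetUrl))
                {
                    return;
                }

                // Never issue an assertion for an anonymous visitor: User.Identity.Name would be
                // empty and the SP would receive a subject with no identity behind it.
                if (User == null || !User.Identity.IsAuthenticated)
                {
                    Trace.Write("IdentityProvider", "Refusing to issue a SAML response for an unauthenticated user");
                    return;
                }

                // Get the previously loaded signing certificate before building anything.
                X509Certificate2 x509Certificate = (X509Certificate2)Application[Global.CertKeyName];

                if (x509Certificate == null)
                {
                    throw new InvalidOperationException("The identity provider signing certificate is not loaded in the application state.");
                }

                // Create a SAML response object.
                ComponentPro.Saml2.Response samlResponse = new ComponentPro.Saml2.Response();
                // Assign the consumer service url.
                samlResponse.Destination = ConsumerServiceUrl;
                Issuer issuer = new Issuer(GetAbsoluteUrl("~/"));
                samlResponse.Issuer = issuer;
                samlResponse.Status = new Status(SamlPrimaryStatusCode.Success, null);

                Assertion samlAssertion = new Assertion();
                samlAssertion.Issuer = issuer;

                // Use the local user's local identity, confirmed as a bearer token for the consumer URL.
                Subject                 subject                 = new Subject(new NameId(User.Identity.Name));
                SubjectConfirmation     subjectConfirmation     = new SubjectConfirmation(SamlSubjectConfirmationMethod.Bearer);
                SubjectConfirmationData subjectConfirmationData = new SubjectConfirmationData();
                subjectConfirmationData.Recipient           = ConsumerServiceUrl;
                subjectConfirmation.SubjectConfirmationData = subjectConfirmationData;
                subject.SubjectConfirmations.Add(subjectConfirmation);
                samlAssertion.Subject = subject;

                // Create a new authentication statement describing the local password login.
                AuthnStatement authnStatement = new AuthnStatement();
                authnStatement.AuthnContext = new AuthnContext();
                authnStatement.AuthnContext.AuthnContextClassRef = new AuthnContextClassRef(SamlAuthenticateContext.Password);
                samlAssertion.Statements.Add(authnStatement);

                // Custom attributes, when needed, go into an AttributeStatement added to
                // samlAssertion.Statements here (e.g. e-mail, first/last name, or an
                // application-specific verification token).

                // Define ENCRYPTEDSAML preprocessor flag if you wish to encrypt the SAML response.
#if ENCRYPTEDSAML
                // Load the certificate for the encryption.
                // Please make sure the file is in the root directory.
                // NOTE(review): the certificate password is hard-coded for the sample; read it from
                // protected configuration in a real deployment.
                X509Certificate2 encryptingCert = new X509Certificate2(Path.Combine(HttpRuntime.AppDomainAppPath, "EncryptionX509Certificate.cer"), "password");

                // Create an encrypted SAML assertion from the SAML assertion we have created.
                // NOTE(review): Triple-DES CBC is a legacy algorithm; prefer an AES key algorithm if the SP supports one.
                EncryptedAssertion encryptedSamlAssertion = new EncryptedAssertion(samlAssertion, encryptingCert, new System.Security.Cryptography.Xml.EncryptionMethod(SamlKeyAlgorithm.TripleDesCbc));

                // Add encrypted assertion to the SAML response object.
                samlResponse.Assertions.Add(encryptedSamlAssertion);
#else
                // Add assertion to the SAML response object.
                samlResponse.Assertions.Add(samlAssertion);
#endif

                // Sign the SAML response with the certificate.
                samlResponse.Sign(x509Certificate);

                // Send the SAML response to the service provider. targetUrl travels as RelayState;
                // it comes straight from the query string, so the SP must check it against its own
                // allow-list before redirecting to it.
                samlResponse.SendPostBindingForm(Response.OutputStream, ConsumerServiceUrl, targetUrl);
            }

            catch (Exception exception)
            {
                // Traced rather than rethrown so the page still renders; the SP simply receives nothing.
                Trace.Write("IdentityProvider", "An Error occurred", exception);
            }
        }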