protected override void OnLoad(System.EventArgs e)
{
base.OnLoad(e);
try
{
// Process the artifact resolve request received from the identity provider in response
// to the artifact sent by the service provider.
ArtifactResolve artifactResolve = ArtifactResolve.Create(Request);
// Get the artifact.
Saml2ArtifactType0004 httpArtifact = new Saml2ArtifactType0004(artifactResolve.Artifact.ArtifactValue);
// Remove the artifact state from the cache.
XmlElement artifactXml = (XmlElement)SamlSettings.CacheProvider.Remove(httpArtifact.ToString());
if (artifactXml == null)
{
return;
}
// Create an artifact response containing the cached SAML message.
ArtifactResponse artifactResponse = new ArtifactResponse();
artifactResponse.Issuer = new Issuer(Util.GetAbsoluteUrl(this, "~/"));
artifactResponse.Message = artifactXml;
// Send the artifact response.
artifactResponse.Send(Response);
}
catch (System.Exception exception)
{
Trace.Write("ServiceProvider", "Error in artifact responder", exception);
}
}
/// <summary>
/// Loads the current message as an artifact resolve.
/// </summary>
private void LoadArtifactResolve()
{
if (_artifactResolve == null)
{
_artifactResolve = Serialization.Deserialize <ArtifactResolve>(new XmlNodeReader(SamlMessage));
}
}
protected override void OnLoad(System.EventArgs e)
{
base.OnLoad(e);
try
{
// Receive the artifact resolve request.
ArtifactResolve artifactResolve = ArtifactResolve.Create(Request);
// Get the artifact.
Saml2ArtifactType0004 httpArtifact = new Saml2ArtifactType0004(artifactResolve.Artifact.ArtifactValue);
// Remove the artifact state from the cache.
XmlElement samlResponseXml = (XmlElement)SamlSettings.CacheProvider.Remove(httpArtifact.ToString());
if (samlResponseXml == null)
{
return;
}
// Create an artifact response containing the cached SAML message.
ArtifactResponse artifactResponse = new ArtifactResponse();
artifactResponse.Issuer = new Issuer(new Uri(Request.Url, ResolveUrl("~/")).ToString());
artifactResponse.Message = samlResponseXml;
// Send the artifact response.
artifactResponse.Send(Response);
}
catch (Exception exception)
{
Trace.Write("ServiceProvider", "An Error occurred", exception);
}
}
/// <summary>
/// Handles responses to an artifact resolve message.
/// </summary>
/// <param name="idpEndPoint">The IdP endpoint</param>
/// <param name="artifactResolve">The artifact resolve message.</param>
public void RespondToArtifactResolve(IDPEndPoint idpEndPoint, ArtifactResolve artifactResolve)
{
XmlDocument samlDoc = (XmlDocument)_context.Cache.Get(artifactResolve.Artifact);
Saml20ArtifactResponse response = Saml20ArtifactResponse.GetDefault();
response.StatusCode = Saml20Constants.StatusCodes.Success;
response.InResponseTo = artifactResolve.ID;
response.SamlElement = samlDoc.DocumentElement;
XmlDocument responseDoc = response.GetXml();
if (responseDoc.FirstChild is XmlDeclaration)
{
responseDoc.RemoveChild(responseDoc.FirstChild);
}
var signingCertificate = FederationConfig.GetConfig().GetFirstValidCertificate();
var shaHashingAlgorithm = SignatureProviderFactory.ValidateShaHashingAlgorithm(idpEndPoint.ShaHashingAlgorithm);
var signatureProvider = SignatureProviderFactory.CreateFromShaHashingAlgorithmName(shaHashingAlgorithm);
signatureProvider.SignAssertion(responseDoc, response.ID, signingCertificate);
if (Trace.ShouldTrace(TraceEventType.Information))
{
Trace.TraceData(TraceEventType.Information, string.Format(Tracing.RespondToArtifactResolve, artifactResolve.Artifact, responseDoc.OuterXml));
}
SendResponseMessage(responseDoc.OuterXml);
}
// Process the artifact resolve request received from the identity provider in response
// to the artifact sent by the service provider.
private void ProcessArtifactResolve()
{
Trace.Write("IdP", "Processing artifact resolve request");
// Receive the artifact resolve request.
XmlElement artifactResolveXml = ArtifactResolver.ReceiveArtifactResolve(Request);
ArtifactResolve artifactResolve = new ArtifactResolve(artifactResolveXml);
// Get the artifact.
HTTPArtifactType4 httpArtifact = new HTTPArtifactType4(artifactResolve.Artifact.ArtifactValue);
// Remove the artifact state from the cache.
HTTPArtifactState httpArtifactState = HTTPArtifactStateCache.Remove(httpArtifact);
if (httpArtifactState == null)
{
throw new ArgumentException("Invalid artifact.");
}
// Create an artifact response containing the cached SAML message.
ArtifactResponse artifactResponse = new ArtifactResponse();
artifactResponse.Issuer = new Issuer(CreateAbsoluteURL("~/"));
artifactResponse.SAMLMessage = httpArtifactState.SAMLMessage;
XmlElement artifactResponseXml = artifactResponse.ToXml();
// Send the artifact response.
ArtifactResolver.SendArtifactResponse(Response, artifactResponseXml);
Trace.Write("IdP", "Processed artifact resolve request");
}
/// <summary>
/// Handles responses to an artifact resolve message.
/// </summary>
/// <param name="artifactResolve">The artifact resolve message.</param>
public void RespondToArtifactResolve(ArtifactResolve artifactResolve)
{
XmlDocument samlDoc = (XmlDocument)_context.Cache.Get(artifactResolve.Artifact);
Saml20ArtifactResponse response = Saml20ArtifactResponse.GetDefault();
response.StatusCode = Saml20Constants.StatusCodes.Success;
response.InResponseTo = artifactResolve.ID;
response.SamlElement = samlDoc.DocumentElement;
XmlDocument responseDoc = response.GetXml();
if (responseDoc.FirstChild is XmlDeclaration)
{
responseDoc.RemoveChild(responseDoc.FirstChild);
}
XmlSignatureUtils.SignDocument(responseDoc, response.ID);
if (Trace.ShouldTrace(TraceEventType.Information))
{
Trace.TraceData(TraceEventType.Information, string.Format(Tracing.RespondToArtifactResolve, artifactResolve.Artifact, responseDoc.OuterXml));
}
SendResponseMessage(responseDoc.OuterXml);
}
// Process the artifact resolve request received from the identity provider in response
// to the artifact sent by the service provider.
private void ProcessArtifactResolve()
{
Trace.Write("IdP", "Processing artifact resolve request");
// Receive the artifact resolve request.
XmlElement artifactResolveXml = ArtifactResolver.ReceiveArtifactResolve(Request);
ArtifactResolve artifactResolve = new ArtifactResolve(artifactResolveXml);
// Get the artifact.
HTTPArtifactType4 httpArtifact = new HTTPArtifactType4(artifactResolve.Artifact.ArtifactValue);
// Remove the artifact state from the cache.
HTTPArtifactState httpArtifactState = HTTPArtifactStateCache.Remove(httpArtifact);
if (httpArtifactState == null) {
return;
}
// Create an artifact response containing the cached SAML message.
ArtifactResponse artifactResponse = new ArtifactResponse();
artifactResponse.Issuer = new Issuer(CreateAbsoluteURL("~/"));
artifactResponse.SAMLMessage = httpArtifactState.SAMLMessage;
XmlElement artifactResponseXml = artifactResponse.ToXml();
// Send the artifact response.
ArtifactResolver.SendArtifactResponse(Response, artifactResponseXml);
Trace.Write("IdP", "Processed artifact resolve request");
}
protected void Page_Load(object sender, EventArgs e)
{
try
{
// Get the artifact resolve request.
ArtifactResolve artifactResolve = ArtifactResolve.Create(Request);
// Create a new artifact.
Saml2ArtifactType0004 httpArtifact = new Saml2ArtifactType0004(artifactResolve.Artifact.ArtifactValue);
// Remove the artifact state from the cache.
XmlElement samlResponseXml = (XmlElement)SamlSettings.CacheProvider.Remove(httpArtifact.ToString());
if (samlResponseXml == null)
{
throw new ApplicationException("Invalid artifact.");
}
// Create an artifact response containing the cached SAML message.
ArtifactResponse artifactResponse = new ArtifactResponse();
artifactResponse.Issuer = new Issuer(Util.GetAbsoluteUrl(this, "~/"));
artifactResponse.Message = samlResponseXml;
// Send the artifact response.
artifactResponse.Send(Response);
}
catch (Exception exception)
{
Trace.Write("ServiceProvider", "An Error occurred", exception);
}
}
// Receive the SAML response from the identity provider.
private void ReceiveSAMLResponse(out SAMLResponse samlResponse, out string relayState)
{
// Rather than separate endpoints per binding, we have a single endpoint and use a query string
// parameter to determine the identity provider to service provider binding type.
string bindingType = Request.QueryString[bindingQueryParameter];
Trace.Write("SP", "Receiving SAML response over binding " + bindingType);
// Receive the SAML response over the specified binding.
XmlElement samlResponseXml = null;
switch (bindingType)
{
case BindingTypes.Post:
ServiceProvider.ReceiveSAMLResponseByHTTPPost(Request, out samlResponseXml, out relayState);
break;
case BindingTypes.Artifact:
// Receive the artifact.
HTTPArtifact httpArtifact = null;
ServiceProvider.ReceiveArtifactByHTTPArtifact(Request, false, out httpArtifact, out relayState);
// Create an artifact resolve request.
ArtifactResolve artifactResolve = new ArtifactResolve();
artifactResolve.Issuer = new Issuer(CreateAbsoluteURL("~/"));
artifactResolve.Artifact = new Artifact(httpArtifact.ToString());
XmlElement artifactResolveXml = artifactResolve.ToXml();
// Send the artifact resolve request and receive the artifact response.
XmlElement artifactResponseXml = ArtifactResolver.SendRequestReceiveResponse(Configuration.ArtifactResolutionServiceURL, artifactResolveXml);
ArtifactResponse artifactResponse = new ArtifactResponse(artifactResponseXml);
// Extract the authentication request from the artifact response.
samlResponseXml = artifactResponse.SAMLMessage;
break;
default:
throw new ArgumentException("Unknown binding type");
}
// Verify the response's signature.
if (SAMLMessageSignature.IsSigned(samlResponseXml))
{
Trace.Write("SP", "Verifying response signature");
X509Certificate2 x509Certificate = (X509Certificate2)Application[Global.IdPX509Certificate];
if (!SAMLMessageSignature.Verify(samlResponseXml, x509Certificate))
{
throw new ArgumentException("The SAML response signature failed to verify.");
}
}
// Deserialize the XML.
samlResponse = new SAMLResponse(samlResponseXml);
Trace.Write("SP", "Received SAML response");
}
// Receive the SAML response from the identity provider.
private void ReceiveSAMLResponse(ref SAMLResponse samlResponse, ref string relayState)
{
Trace.Write("SP", "Receiving SAML response");
// Determine the identity provider to service provider binding type.
// We use a query string parameter rather than having separate endpoints per binding.
string bindingType = Request.QueryString[bindingQueryParameter];
// Receive the SAML response over the specified binding.
XmlElement samlResponseXml = null;
switch (bindingType)
{
case SAMLIdentifiers.BindingURIs.HTTPPost:
ServiceProvider.ReceiveSAMLResponseByHTTPPost(Request, out samlResponseXml, out relayState);
break;
case SAMLIdentifiers.BindingURIs.HTTPArtifact:
// Receive the artifact.
HTTPArtifact httpArtifact = null;
ServiceProvider.ReceiveArtifactByHTTPArtifact(Request, false, out httpArtifact, out relayState);
// Create an artifact resolve request.
ArtifactResolve artifactResolve = new ArtifactResolve();
artifactResolve.Issuer = new Issuer(CreateAbsoluteURL("~/"));
artifactResolve.Artifact = new Artifact(httpArtifact.ToString());
XmlElement artifactResolveXml = artifactResolve.ToXml();
// Send the artifact resolve request and receive the artifact response.
string spArtifactResponderURL = WebConfigurationManager.AppSettings["idpArtifactResponderURL"];
XmlElement artifactResponseXml = ArtifactResolver.SendRequestReceiveResponse(spArtifactResponderURL, artifactResolveXml);
ArtifactResponse artifactResponse = new ArtifactResponse(artifactResponseXml);
// Extract the SAML response from the artifact response.
samlResponseXml = artifactResponse.SAMLMessage;
break;
default:
Trace.Write("SP", "Invalid identity provider to service provider binding");
return;
}
// Verify the response's signature.
X509Certificate2 x509Certificate = (X509Certificate2)Application[Global.IdPX509Certificate];
if (!SAMLMessageSignature.Verify(samlResponseXml, x509Certificate))
{
throw new ArgumentException("The SAML response signature failed to verify.");
}
// Deserialize the XML.
samlResponse = new SAMLResponse(samlResponseXml);
Trace.Write("SP", "Received SAML response");
}
/// <summary>
/// Initializes a new instance of the <see cref="Saml20ArtifactResolve"/> class.
/// </summary>
public Saml20ArtifactResolve()
{
_artifactResolve = new ArtifactResolve();
_artifactResolve.Version = Saml20Constants.Version;
_artifactResolve.ID = "id" + Guid.NewGuid().ToString("N");
_artifactResolve.Issuer = new NameID();
_artifactResolve.IssueInstant = DateTime.Now;
}
/// <summary>
/// Initializes a new instance of the <see cref="Saml20ArtifactResolve"/> class.
/// </summary>
public Saml20ArtifactResolve()
{
_artifactResolve = new ArtifactResolve
{
Version = Saml20Constants.Version,
Id = "id" + Guid.NewGuid().ToString("N"),
Issuer = new NameId(),
IssueInstant = DateTime.Now
};
}
/// <summary>
/// Processes the authentication request.
/// </summary>
/// <param name="authnRequest">The AuthnRequest object.</param>
/// <param name="relayState">The relayState string.</param>
public static void ProcessAuthnRequest(Page page, out AuthnRequest authnRequest, out string relayState)
{
// Use a single endpoint and use a query string parameter to determine the Service Provider to Identity Provider binding type.
string bindingType = page.Request.QueryString[SP2IdPBindingTypeVar];
// Get the previously loaded certificate.
X509Certificate2 cert = (X509Certificate2)page.Application[Global.SPCertKey];
switch (bindingType)
{
case RedirectBinding:
authnRequest = AuthnRequest.Create(page.Request.RawUrl, cert.PublicKey.Key);
relayState = authnRequest.RelayState;
break;
case PostBinding:
authnRequest = AuthnRequest.CreateFromHttpPost(page.Request);
relayState = authnRequest.RelayState;
break;
case ArtifactBinding:
Saml2ArtifactType0004 httpArtifact = Saml2ArtifactType0004.CreateFromHttpArtifactHttpForm(page.Request);
// Create an artifact resolve request.
ArtifactResolve artifactResolve = new ArtifactResolve();
artifactResolve.Issuer = new Issuer(new Uri(page.Request.Url, page.ResolveUrl("~/")).ToString());
artifactResolve.Artifact = new Artifact(httpArtifact.ToString());
// Send the SAML Artifact Resolve Request and parse the received response.
ArtifactResponse artifactResponse = ArtifactResponse.SendSamlMessageReceiveAftifactResponse(Global.ArtifactResolutionUrl, artifactResolve);
// Extract the authentication request from the received artifact response.
authnRequest = new AuthnRequest(artifactResponse.Message);
relayState = httpArtifact.RelayState;
break;
default:
throw new ApplicationException("Invalid binding type");
}
if (authnRequest.IsSigned())
{
if (!authnRequest.Validate(cert))
{
throw new ApplicationException("The authentication request signature failed to verify.");
}
}
}
/// <summary>
/// Processes the SAML response received from the IdP.
/// </summary>
/// <param name="page">The page object.</param>
/// <param name="relayState">The relay state</param>
/// <param name="samlResponse">The SAML response object.</param>
public static void ProcessResponse(Page page, out ComponentPro.Saml2.Response samlResponse, out string relayState)
{
// Extract the binding type from the query string.
string bindingType = page.Request.QueryString["binding"];
switch (bindingType)
{
case "artifact":
// Create an artifact from the query string.
Saml2ArtifactType0004 httpArtifact = Saml2ArtifactType0004.CreateFromHttpArtifactQueryString(page.Request);
// Create an artifact resolve request.
ArtifactResolve artifactResolve = new ArtifactResolve();
artifactResolve.Issuer = new Issuer(GetAbsoluteUrl(page, "~/"));
artifactResolve.Artifact = new Artifact(httpArtifact.ToString());
// Send the artifact resolve request and create an artifact response from the received XML.
ArtifactResponse artifactResponse = ArtifactResponse.SendSamlMessageReceiveAftifactResponse(Global.ArtifactServiceUrl, artifactResolve);
// Get the SAML Response from the artifact response.
samlResponse = new ComponentPro.Saml2.Response(artifactResponse.Message);
relayState = httpArtifact.RelayState;
break;
case "post":
System.Diagnostics.Debug.WriteLine("POST");
// Create a SAML response from the form data.
samlResponse = ComponentPro.Saml2.Response.Create(page.Request);
relayState = samlResponse.RelayState;
break;
default:
throw new ApplicationException("Unknown binding type");
}
// Is the SAML response signed?
if (samlResponse.IsSigned())
{
// Get the previously loaded certificate.
X509Certificate2 x509Certificate = (X509Certificate2)page.Application[Global.IdPCertKey];
// Validate the certificate.
if (!samlResponse.Validate(x509Certificate))
{
throw new ApplicationException("The SAML response signature failed to verify.");
}
}
}
/// <summary>
/// Processes the SAML response received from the IdP.
/// </summary>
/// <param name="page">The page object.</param>
/// <param name="relayState">The relay state</param>
/// <param name="samlResponse">The SAML response object.</param>
public static void ProcessResponse(Page page, out ComponentPro.Saml2.Response samlResponse, out string relayState)
{
// Extract the binding type from the query string.
string bindingType = page.Request.QueryString["binding"];
switch (bindingType)
{
case "artifact":
// Create an artifact from the query string.
Saml2ArtifactType0004 httpArtifact = Saml2ArtifactType0004.CreateFromHttpArtifactQueryString(page.Request);
// Create an artifact resolve request.
ArtifactResolve artifactResolve = new ArtifactResolve();
artifactResolve.Issuer = new Issuer(GetAbsoluteUrl(page, "~/"));
artifactResolve.Artifact = new Artifact(httpArtifact.ToString());
// Send the artifact resolve request and create an artifact response from the received XML.
ArtifactResponse artifactResponse = ArtifactResponse.SendSamlMessageReceiveAftifactResponse(Global.ArtifactServiceUrl, artifactResolve);
// Get the SAML Response from the artifact response.
samlResponse = new ComponentPro.Saml2.Response(artifactResponse.Message);
relayState = httpArtifact.RelayState;
break;
case "post":
// Create a SAML response from the form data.
samlResponse = ComponentPro.Saml2.Response.Create(page.Request);
relayState = samlResponse.RelayState;
break;
default:
throw new ApplicationException("Unknown binding type");
}
// Is the SAML response signed?
if (samlResponse.IsSigned())
{
// Get the previously loaded certificate.
X509Certificate2 x509Certificate = (X509Certificate2)page.Application[Global.IdPCertKey];
// Validate the certificate.
if (!samlResponse.Validate(x509Certificate))
{
throw new ApplicationException("The SAML response signature failed to verify.");
}
}
}
/// <summary>
/// Receives the SAML response from the identity provider.
/// </summary>
/// <param name="samlResponse"></param>
/// <param name="relayState"></param>
private void ReceiveResponse(out ComponentPro.Saml2.Response samlResponse, out string relayState)
{
// Determine the identity provider to service provider binding type.
// We use a query string parameter rather than having separate endpoints per binding.
string bindingType = Request.QueryString[Util.BindingVarName];
switch (bindingType)
{
case SamlBindingUri.HttpPost:
samlResponse = ComponentPro.Saml2.Response.Create(Request);
relayState = samlResponse.RelayState;
break;
case SamlBindingUri.HttpArtifact:
Saml2ArtifactType0004 httpArtifact = Saml2ArtifactType0004.CreateFromHttpArtifactHttpForm(Request);
// Create an artifact resolve request.
ArtifactResolve artifactResolve = new ArtifactResolve();
artifactResolve.Issuer = new Issuer(Util.GetAbsoluteUrl(this, "~/"));
artifactResolve.Artifact = new Artifact(httpArtifact.ToString());
// Send the artifact resolve request and receive the artifact response.
string spArtifactResponderUrl = WebConfigurationManager.AppSettings["ArtifactIdProviderUrl"];
ArtifactResponse artifactResponse = ArtifactResponse.SendSamlMessageReceiveAftifactResponse(spArtifactResponderUrl, artifactResolve);
// Extract the authentication request from the artifact response.
samlResponse = new Response(artifactResponse.Message);
relayState = httpArtifact.RelayState;
break;
default:
Trace.Write("ServiceProvider", "Invalid identity provider to service provider binding");
samlResponse = null;
relayState = null;
return;
}
// Verify the response's signature.
X509Certificate2 x509Certificate = (X509Certificate2)Application[Global.IdPCertKey];
if (!samlResponse.Validate(x509Certificate))
{
throw new System.ApplicationException("The SAML response signature failed to verify.");
}
}
protected Saml2Request UnbindInternal(HttpRequestBase request, ArtifactResolve saml2RequestResponse, string messageName, X509Certificate2 signatureValidationCertificate)
{
base.UnbindInternal(request, saml2RequestResponse, signatureValidationCertificate);
if (!"GET".Equals(request.HttpMethod, StringComparison.InvariantCultureIgnoreCase))
throw new InvalidSaml2BindingException("Not HTTP POST Method.");
if (!request.QueryString.AllKeys.Contains(messageName))
throw new Saml2BindingException("QueryString does not contain " + messageName);
if (request.QueryString.AllKeys.Contains(Saml2Constants.Message.RelayState))
{
RelayState = request.QueryString[Saml2Constants.Message.RelayState];
}
saml2RequestResponse.Artifact = request.QueryString[messageName];
return saml2RequestResponse;
}
/// <summary>
/// Handles responses to an artifact resolve message.
/// </summary>
/// <param name="artifactResolve">The artifact resolve message.</param>
public void RespondToArtifactResolve(ArtifactResolve artifactResolve, XmlElement samlDoc)
{
var response = Saml20ArtifactResponse.GetDefault(config.ServiceProvider.Id);
response.StatusCode = Saml20Constants.StatusCodes.Success;
response.InResponseTo = artifactResolve.Id;
response.SamlElement = samlDoc; //samlDoc.DocumentElement;
var responseDoc = response.GetXml();
if (responseDoc.FirstChild is XmlDeclaration)
{
responseDoc.RemoveChild(responseDoc.FirstChild);
}
XmlSignatureUtils.SignDocument(responseDoc, response.Id, config);
_logger.LogDebug(TraceMessages.ArtifactResolveResponseSent, artifactResolve.Artifact, responseDoc.OuterXml);
sendResponseMessage(responseDoc.OuterXml);
}
/// <summary>
/// Handles responses to an artifact resolve message.
/// </summary>
/// <param name="artifactResolve">The artifact resolve message.</param>
public void RespondToArtifactResolve(ArtifactResolve artifactResolve)
{
var samlDoc = (XmlDocument)Context.Cache.Get(artifactResolve.Artifact);
var response = Saml20ArtifactResponse.GetDefault(config.ServiceProvider.Id);
response.StatusCode = Saml20Constants.StatusCodes.Success;
response.InResponseTo = artifactResolve.Id;
response.SamlElement = samlDoc.DocumentElement;
var responseDoc = response.GetXml();
if (responseDoc.FirstChild is XmlDeclaration)
{
responseDoc.RemoveChild(responseDoc.FirstChild);
}
XmlSignatureUtils.SignDocument(responseDoc, response.Id, config.ServiceProvider.SigningCertificate);
Logger.DebugFormat(TraceMessages.ArtifactResolveResponseSent, artifactResolve.Artifact, responseDoc.OuterXml);
SendResponseMessage(responseDoc.OuterXml);
}
protected Saml2Request UnbindInternal(HttpRequestBase request, ArtifactResolve saml2RequestResponse, string messageName, X509Certificate2 signatureValidationCertificate)
{
base.UnbindInternal(request, saml2RequestResponse, signatureValidationCertificate);
if (!"GET".Equals(request.HttpMethod, StringComparison.InvariantCultureIgnoreCase))
{
throw new InvalidSaml2BindingException("Not HTTP POST Method.");
}
if (!request.QueryString.AllKeys.Contains(messageName))
{
throw new Saml2BindingException("QueryString does not contain " + messageName);
}
if (request.QueryString.AllKeys.Contains(Saml2Constants.Message.RelayState))
{
RelayState = request.QueryString[Saml2Constants.Message.RelayState];
}
saml2RequestResponse.Artifact = request.QueryString[messageName];
return(saml2RequestResponse);
}
protected override void OnLoad(EventArgs e)
{
base.OnLoad(e);
try
{
// Create a new Artifact Resolve from the request stream.
ArtifactResolve artifactResolve = ArtifactResolve.Create(Request);
// Get the ArtifactType0004.
Saml2ArtifactType0004 httpArtifact = new Saml2ArtifactType0004(artifactResolve.Artifact.ArtifactValue);
// Remove the saved http artifact from the cache.
XmlElement samlResponseXml = (XmlElement)SamlSettings.CacheProvider.Remove(httpArtifact.ToString());
if (samlResponseXml == null)
{
throw new ApplicationException("Invalid artifact.");
}
// Create an ArtifactResponse.
ArtifactResponse artifactResponse = new ArtifactResponse();
Uri uri = new Uri(Request.Url, ResolveUrl("~/"));
artifactResponse.Issuer = new Issuer(uri.ToString());
// Add the SAML response XML to the artifact response.
artifactResponse.Message = samlResponseXml;
// Send the artifact response.
artifactResponse.Send(Response);
}
catch (Exception exception)
{
Trace.Write("IdentityProvider", "An Error occurred", exception);
}
}
public Saml2Request Unbind(HttpRequestBase request, ArtifactResolve saml2Request, X509Certificate2 signatureValidationCertificate)
{
return UnbindInternal(request, saml2Request, Saml2Constants.Message.SamlArt, signatureValidationCertificate);
}
public Saml2Request Unbind(HttpRequestBase request, ArtifactResolve saml2Request, X509Certificate2 signatureValidationCertificate)
{
return(UnbindInternal(request, saml2Request, Saml2Constants.Message.SamlArt, signatureValidationCertificate));
}
// Receive the authentication request and relay state.
private void ReceiveAuthnRequest(out AuthnRequest authnRequest, out string relayState)
{
// Rather than separate endpoints per binding, we have a single endpoint and use a query string
// parameter to determine the service provider to identity provider binding type.
string bindingType = Request.QueryString[bindingQueryParameter];
Trace.Write("IdP", "Receiving authentication request over binding " + bindingType);
X509Certificate2 x509Certificate = (X509Certificate2)Application[Global.SPX509Certificate];
XmlElement authnRequestXml = null;
switch (bindingType)
{
case BindingTypes.Redirect:
bool signed = false;
IdentityProvider.ReceiveAuthnRequestByHTTPRedirect(Request, out authnRequestXml, out relayState, out signed, x509Certificate.PublicKey.Key);
break;
case BindingTypes.Post:
IdentityProvider.ReceiveAuthnRequestByHTTPPost(Request, out authnRequestXml, out relayState);
break;
case BindingTypes.Artifact:
// Receive the artifact.
HTTPArtifact httpArtifact = null;
IdentityProvider.ReceiveArtifactByHTTPArtifact(Request, false, out httpArtifact, out relayState);
// Create an artifact resolve request.
ArtifactResolve artifactResolve = new ArtifactResolve();
artifactResolve.Issuer = new Issuer(CreateAbsoluteURL("~/"));
artifactResolve.Artifact = new Artifact(httpArtifact.ToString());
XmlElement artifactResolveXml = artifactResolve.ToXml();
// Send the artifact resolve request and receive the artifact response.
XmlElement artifactResponseXml = ArtifactResolver.SendRequestReceiveResponse(Configuration.ArtifactResolutionServiceURL, artifactResolveXml);
ArtifactResponse artifactResponse = new ArtifactResponse(artifactResponseXml);
// Extract the authentication request from the artifact response.
authnRequestXml = artifactResponse.SAMLMessage;
break;
default:
throw new ArgumentException("Invalid binding type");
}
if (SAMLMessageSignature.IsSigned(authnRequestXml))
{
Trace.Write("IdP", "Verifying request signature");
if (!SAMLMessageSignature.Verify(authnRequestXml, x509Certificate))
{
throw new ArgumentException("The authentication request signature failed to verify.");
}
}
authnRequest = new AuthnRequest(authnRequestXml);
Trace.Write("IdP", "Received authentication request");
}
// Receive the SAML response from the identity provider.
private void ReceiveSAMLResponse(out SAMLResponse samlResponse, out string relayState)
{
// Rather than separate endpoints per binding, we have a single endpoint and use a query string
// parameter to determine the identity provider to service provider binding type.
string bindingType = Request.QueryString[bindingQueryParameter];
Trace.Write("SP", "Receiving SAML response over binding " + bindingType);
// Receive the SAML response over the specified binding.
XmlElement samlResponseXml = null;
switch (bindingType) {
case BindingTypes.Post:
ServiceProvider.ReceiveSAMLResponseByHTTPPost(Request, out samlResponseXml, out relayState);
break;
case BindingTypes.Artifact:
// Receive the artifact.
HTTPArtifact httpArtifact = null;
ServiceProvider.ReceiveArtifactByHTTPArtifact(Request, false, out httpArtifact, out relayState);
// Create an artifact resolve request.
ArtifactResolve artifactResolve = new ArtifactResolve();
artifactResolve.Issuer = new Issuer(CreateAbsoluteURL("~/"));
artifactResolve.Artifact = new Artifact(httpArtifact.ToString());
XmlElement artifactResolveXml = artifactResolve.ToXml();
// Send the artifact resolve request and receive the artifact response.
XmlElement artifactResponseXml = ArtifactResolver.SendRequestReceiveResponse(Configuration.ArtifactResolutionServiceURL, artifactResolveXml);
ArtifactResponse artifactResponse = new ArtifactResponse(artifactResponseXml);
// Extract the authentication request from the artifact response.
samlResponseXml = artifactResponse.SAMLMessage;
break;
default:
throw new ArgumentException("Unknown binding type");
}
// Verify the response's signature.
if (SAMLMessageSignature.IsSigned(samlResponseXml)) {
Trace.Write("SP", "Verifying response signature");
X509Certificate2 x509Certificate = (X509Certificate2)Application[Global.IdPX509Certificate];
if (!SAMLMessageSignature.Verify(samlResponseXml, x509Certificate)) {
throw new ArgumentException("The SAML response signature failed to verify.");
}
}
// Deserialize the XML.
samlResponse = new SAMLResponse(samlResponseXml);
Trace.Write("SP", "Received SAML response");
}
// Receive the authentication request from the service provider.
private void ReceiveAuthnRequest(out AuthnRequest authnRequest, out string relayState)
{
// Determine the service provider to identity provider binding type.
// We use a query string parameter rather than having separate endpoints per binding.
string bindingType = Request.QueryString[bindingQueryParameter];
Trace.Write("IdP", "Receiving authentication request over binding " + bindingType);
// Receive the authentication request.
XmlElement authnRequestXml = null;
switch (bindingType) {
case SAMLIdentifiers.BindingURIs.HTTPRedirect:
bool signed = false;
X509Certificate2 x509Certificate = (X509Certificate2) Application[Global.SPX509Certificate];
IdentityProvider.ReceiveAuthnRequestByHTTPRedirect(Request, out authnRequestXml, out relayState, out signed, x509Certificate.PublicKey.Key);
break;
case SAMLIdentifiers.BindingURIs.HTTPPost:
IdentityProvider.ReceiveAuthnRequestByHTTPPost(Request, out authnRequestXml, out relayState);
break;
case SAMLIdentifiers.BindingURIs.HTTPArtifact:
// Receive the artifact.
HTTPArtifact httpArtifact = null;
IdentityProvider.ReceiveArtifactByHTTPArtifact(Request, false, out httpArtifact, out relayState);
// Create an artifact resolve request.
ArtifactResolve artifactResolve = new ArtifactResolve();
artifactResolve.Issuer = new Issuer(CreateAbsoluteURL("~/"));
artifactResolve.Artifact = new Artifact(httpArtifact.ToString());
XmlElement artifactResolveXml = artifactResolve.ToXml();
// Send the artifact resolve request and receive the artifact response.
string spArtifactResponderURL = WebConfigurationManager.AppSettings["spArtifactResponderURL"];
XmlElement artifactResponseXml = ArtifactResolver.SendRequestReceiveResponse(spArtifactResponderURL, artifactResolveXml);
ArtifactResponse artifactResponse = new ArtifactResponse(artifactResponseXml);
// Extract the authentication request from the artifact response.
authnRequestXml = artifactResponse.SAMLMessage;
break;
default:
throw new ArgumentException("Invalid service provider to identity provider binding");
}
// If using HTTP redirect the message isn't signed as the generated query string is too long for most browsers.
if (bindingType != SAMLIdentifiers.BindingURIs.HTTPRedirect) {
if (SAMLMessageSignature.IsSigned(authnRequestXml)) {
// Verify the request's signature.
X509Certificate2 x509Certificate = (X509Certificate2) Application[Global.SPX509Certificate];
if (!SAMLMessageSignature.Verify(authnRequestXml, x509Certificate)) {
throw new ArgumentException("The authentication request signature failed to verify.");
}
}
}
// Deserialize the XML.
authnRequest = new AuthnRequest(authnRequestXml);
Trace.Write("IdP", "Received authentication request");
}
// Receive the authentication request and relay state.
private void ReceiveAuthnRequest(out AuthnRequest authnRequest, out string relayState)
{
// Rather than separate endpoints per binding, we have a single endpoint and use a query string
// parameter to determine the service provider to identity provider binding type.
string bindingType = Request.QueryString[bindingQueryParameter];
Trace.Write("IdP", "Receiving authentication request over binding " + bindingType);
X509Certificate2 x509Certificate = (X509Certificate2)Application[Global.SPX509Certificate];
XmlElement authnRequestXml = null;
switch (bindingType) {
case BindingTypes.Redirect:
bool signed = false;
IdentityProvider.ReceiveAuthnRequestByHTTPRedirect(Request, out authnRequestXml, out relayState, out signed, x509Certificate.PublicKey.Key);
break;
case BindingTypes.Post:
IdentityProvider.ReceiveAuthnRequestByHTTPPost(Request, out authnRequestXml, out relayState);
break;
case BindingTypes.Artifact:
// Receive the artifact.
HTTPArtifact httpArtifact = null;
IdentityProvider.ReceiveArtifactByHTTPArtifact(Request, false, out httpArtifact, out relayState);
// Create an artifact resolve request.
ArtifactResolve artifactResolve = new ArtifactResolve();
artifactResolve.Issuer = new Issuer(CreateAbsoluteURL("~/"));
artifactResolve.Artifact = new Artifact(httpArtifact.ToString());
XmlElement artifactResolveXml = artifactResolve.ToXml();
// Send the artifact resolve request and receive the artifact response.
XmlElement artifactResponseXml = ArtifactResolver.SendRequestReceiveResponse(Configuration.ArtifactResolutionServiceURL, artifactResolveXml);
ArtifactResponse artifactResponse = new ArtifactResponse(artifactResponseXml);
// Extract the authentication request from the artifact response.
authnRequestXml = artifactResponse.SAMLMessage;
break;
default:
throw new ArgumentException("Invalid binding type");
}
if (SAMLMessageSignature.IsSigned(authnRequestXml)) {
Trace.Write("IdP", "Verifying request signature");
if (!SAMLMessageSignature.Verify(authnRequestXml, x509Certificate)) {
throw new ArgumentException("The authentication request signature failed to verify.");
}
}
authnRequest = new AuthnRequest(authnRequestXml);
Trace.Write("IdP", "Received authentication request");
}
// Receive the authentication request from the service provider.
public static void ReceiveAuthnRequest(Page page, out AuthnRequest authnRequest, out string relayState)
{
// Determine the service provider to identity provider binding type.
// We use a query string parameter rather than having separate endpoints per binding.
string bindingType = page.Request.QueryString[BindingQueryParameter];
switch (bindingType)
{
case SamlBindingUri.HttpRedirect:
X509Certificate2 x509Certificate = (X509Certificate2)page.Application[Global.SPCertKey];
authnRequest = AuthnRequest.Create(page.Request.RawUrl, x509Certificate.PublicKey.Key);
relayState = authnRequest.RelayState;
break;
case SamlBindingUri.HttpPost:
authnRequest = AuthnRequest.CreateFromHttpPost(page.Request);
relayState = authnRequest.RelayState;
break;
case SamlBindingUri.HttpArtifact:
// Receive the artifact.
Saml2ArtifactType0004 httpArtifact = Saml2ArtifactType0004.CreateFromHttpArtifactQueryString(page.Request);
// Create an artifact resolve request.
ArtifactResolve artifactResolve = new ArtifactResolve();
artifactResolve.Issuer = new Issuer(Util.GetAbsoluteUrl(page, "~/"));
artifactResolve.Artifact = new Artifact(httpArtifact.ToString());
// Look up for the appropriate artifact SP url
string referer = page.Request.UrlReferrer.AbsoluteUri;
int i;
for (i = 0; i < Services.AllowedServiceUrls.Length; i++)
{
string url = Services.AllowedServiceUrls[i];
if (referer.StartsWith(url))
{
break;
}
}
if (i == Services.AllowedServiceUrls.Length)
{
throw new Exception("Your SP is not allowed");
}
// Send the artifact resolve request and receive the artifact response.
string artifactServiceProviderUrl = Services.ArtifactServiceProviderUrls[i];
ArtifactResponse artifactResponse = ArtifactResponse.SendSamlMessageReceiveAftifactResponse(artifactServiceProviderUrl, artifactResolve);
// Extract the authentication request from the artifact response.
authnRequest = new AuthnRequest(artifactResponse.Message);
relayState = httpArtifact.RelayState;
break;
default:
Trace.Write("IdentityProvider", "Invalid service provider to identity provider binding");
authnRequest = null;
relayState = null;
return;
}
// If using HTTP redirect the message isn't signed as the generated query string is too long for most browsers.
if (bindingType != SamlBindingUri.HttpRedirect)
{
if (authnRequest.IsSigned())
{
// Verify the request's signature.
X509Certificate2 x509Certificate = (X509Certificate2)page.Application[Global.SPCertKey];
if (!authnRequest.Validate(x509Certificate))
{
throw new ApplicationException("The authentication request signature failed to verify.");
}
}
}
}
// Receive the authentication request from the service provider.
private void ReceiveAuthnRequest(out AuthnRequest authnRequest, out string relayState)
{
// Determine the service provider to identity provider binding type.
// We use a query string parameter rather than having separate endpoints per binding.
string bindingType = Request.QueryString[bindingQueryParameter];
Trace.Write("IdP", "Receiving authentication request over binding " + bindingType);
// Receive the authentication request.
XmlElement authnRequestXml = null;
switch (bindingType)
{
case SAMLIdentifiers.BindingURIs.HTTPRedirect:
bool signed = false;
X509Certificate2 x509Certificate = (X509Certificate2)Application[Global.SPX509Certificate];
IdentityProvider.ReceiveAuthnRequestByHTTPRedirect(Request, out authnRequestXml, out relayState, out signed, x509Certificate.PublicKey.Key);
break;
case SAMLIdentifiers.BindingURIs.HTTPPost:
IdentityProvider.ReceiveAuthnRequestByHTTPPost(Request, out authnRequestXml, out relayState);
break;
case SAMLIdentifiers.BindingURIs.HTTPArtifact:
// Receive the artifact.
HTTPArtifact httpArtifact = null;
IdentityProvider.ReceiveArtifactByHTTPArtifact(Request, false, out httpArtifact, out relayState);
// Create an artifact resolve request.
ArtifactResolve artifactResolve = new ArtifactResolve();
artifactResolve.Issuer = new Issuer(CreateAbsoluteURL("~/"));
artifactResolve.Artifact = new Artifact(httpArtifact.ToString());
XmlElement artifactResolveXml = artifactResolve.ToXml();
// Send the artifact resolve request and receive the artifact response.
string spArtifactResponderURL = WebConfigurationManager.AppSettings["spArtifactResponderURL"];
XmlElement artifactResponseXml = ArtifactResolver.SendRequestReceiveResponse(spArtifactResponderURL, artifactResolveXml);
ArtifactResponse artifactResponse = new ArtifactResponse(artifactResponseXml);
// Extract the authentication request from the artifact response.
authnRequestXml = artifactResponse.SAMLMessage;
break;
default:
throw new ArgumentException("Invalid service provider to identity provider binding");
}
// If using HTTP redirect the message isn't signed as the generated query string is too long for most browsers.
if (bindingType != SAMLIdentifiers.BindingURIs.HTTPRedirect)
{
if (SAMLMessageSignature.IsSigned(authnRequestXml))
{
// Verify the request's signature.
X509Certificate2 x509Certificate = (X509Certificate2)Application[Global.SPX509Certificate];
if (!SAMLMessageSignature.Verify(authnRequestXml, x509Certificate))
{
throw new ArgumentException("The authentication request signature failed to verify.");
}
}
}
// Deserialize the XML.
authnRequest = new AuthnRequest(authnRequestXml);
Trace.Write("IdP", "Received authentication request");
}
