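// Create a SAML response with the user's local identity, if any, or indicating an error.
//
// The response is correlated to the AuthnRequest held in the SSO state (InResponseTo) and addressed to the
// assertion consumer service recorded there (Destination), so the service provider can reject responses it
// did not solicit or that were redirected to a different endpoint. When the user is authenticated the
// assertion holds a bearer subject confirmation bounded by NotOnOrAfter, a Password AuthnContext and a
// sample "Membership" attribute; otherwise the status is Responder/AuthnFailed.
// NOTE(review): the assertion itself still carries no Conditions (validity window, AudienceRestriction);
// add them if the consuming service provider requires them.
private SAMLResponse CreateSAMLResponse(SSOState ssoState)
{
    Trace.Write("IdP", "Creating SAML response");

    // How long the bearer confirmation stays presentable, measured from now in UTC.
    TimeSpan subjectConfirmationLifetime = new TimeSpan(0, 10, 0);

    SAMLResponse samlResponse = new SAMLResponse();
    samlResponse.InResponseTo = ssoState.authnRequest.ID;
    samlResponse.Destination = ssoState.assertionConsumerServiceURL;

    string issuerURL = CreateAbsoluteURL("~/");
    Issuer issuer = new Issuer(issuerURL);
    samlResponse.Issuer = issuer;

    if (User.Identity.IsAuthenticated)
    {
        samlResponse.Status = new Status(SAMLIdentifiers.PrimaryStatusCodes.Success, null);

        SAMLAssertion samlAssertion = new SAMLAssertion();
        samlAssertion.Issuer = issuer;

        Subject subject = new Subject(new NameID(User.Identity.Name));

        SubjectConfirmation subjectConfirmation = new SubjectConfirmation(SAMLIdentifiers.SubjectConfirmationMethods.Bearer);
        SubjectConfirmationData subjectConfirmationData = new SubjectConfirmationData();
        subjectConfirmationData.InResponseTo = ssoState.authnRequest.ID;
        subjectConfirmationData.Recipient = ssoState.assertionConsumerServiceURL;
        // Without this the bearer confirmation has no expiry and could be presented indefinitely.
        subjectConfirmationData.NotOnOrAfter = DateTime.UtcNow.Add(subjectConfirmationLifetime);
        subjectConfirmation.SubjectConfirmationData = subjectConfirmationData;
        subject.SubjectConfirmations.Add(subjectConfirmation);
        samlAssertion.Subject = subject;

        AuthnStatement authnStatement = new AuthnStatement();
        authnStatement.AuthnContext = new AuthnContext();
        authnStatement.AuthnContext.AuthnContextClassRef = new AuthnContextClassRef(SAMLIdentifiers.AuthnContextClasses.Password);
        samlAssertion.Statements.Add(authnStatement);

        // Attributes may be included in the SAML assertion.
        AttributeStatement attributeStatement = new AttributeStatement();
        attributeStatement.Attributes.Add(new SAMLAttribute("Membership", SAMLIdentifiers.AttributeNameFormats.Basic, null, "Gold"));
        samlAssertion.Statements.Add(attributeStatement);

        samlResponse.Assertions.Add(samlAssertion);
    }
    else
    {
        samlResponse.Status = new Status(SAMLIdentifiers.PrimaryStatusCodes.Responder, SAMLIdentifiers.SecondaryStatusCodes.AuthnFailed, "The user is not authenticated at the identity provider");
    }

    Trace.Write("IdP", "Created SAML response");

    return samlResponse;
}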
public void ThrowsExceptionWhenAuthnContextAuthnContextDeclRefUriInvalid()
{
    // Arrange: an otherwise valid AuthnStatement whose AuthnContextDeclRef is a relative path, not an absolute URI.
    // The expected Saml20FormatException is presumably declared by an attribute on this method (outside this listing).
    var authnStatement = new AuthnStatement
    {
        AuthnInstant = DateTime.UtcNow,
        SessionNotOnOrAfter = DateTime.UtcNow.AddHours(1),
        AuthnContext = new AuthnContext
        {
            Items = new object[] { "urn:a.valid.uri:string", "an/invalid/uri/string.aspx" },
            ItemsElementName = new[] { AuthnContextType.AuthnContextClassRef, AuthnContextType.AuthnContextDeclRef }
        }
    };
    var sut = new Saml20StatementValidator();

    // Act
    sut.ValidateStatement(authnStatement);
}
public void ThrowsExceptionWhenAuthnContextAuthnContextDeclInvalid()
{
    // Arrange: the single AuthnContext item is declared as an AuthnContextDecl but holds an AuthnStatement object.
    // The expected Saml20FormatException is presumably declared by an attribute on this method (outside this listing).
    var authnStatement = new AuthnStatement
    {
        AuthnInstant = DateTime.UtcNow,
        SessionNotOnOrAfter = DateTime.UtcNow.AddHours(1),
        AuthnContext = new AuthnContext
        {
            Items = new object[] { new AuthnStatement() },
            ItemsElementName = new[] { AuthnContextType.AuthnContextDecl }
        }
    };
    var sut = new Saml20StatementValidator();

    // Act
    sut.ValidateStatement(authnStatement);
}
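public void ThrowsExceptionWhenAuthnContextFirstItemNotAuthnContextClassRef()
{
    // Arrange: two well-formed URIs, but the AuthnContextClassRef is listed second; it must come first.
    var statement = new AuthnStatement
    {
        AuthnInstant = DateTime.UtcNow,
        SessionNotOnOrAfter = DateTime.UtcNow.AddHours(1)
    };
    statement.AuthnContext = new AuthnContext
    {
        Items = new object[] { "urn:a.valid.uri:string", "urn:a.valid.uri:string" },
        ItemsElementName = new[] { AuthnContextType.AuthnContextDeclRef, AuthnContextType.AuthnContextClassRef }
    };
    var validator = new Saml20StatementValidator();

    // Act
    var exception = Assert.Throws<Saml20FormatException>(() => validator.ValidateStatement(statement));

    // Assert: NUnit's second Assert.Throws argument is the failure description, not the expected exception
    // text, so the message has to be checked explicitly or any Saml20FormatException would pass.
    Assert.AreEqual("AuthnContextClassRef must be in the first element", exception.Message);
}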
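public void ThrowsExceptionWhenAuthnContextHasMoreThanTwoItems()
{
    // Arrange: three AuthnContextDeclRef items; the schema allows at most two AuthnContext children.
    var statement = new AuthnStatement
    {
        AuthnInstant = DateTime.UtcNow,
        SessionNotOnOrAfter = DateTime.UtcNow.AddHours(1)
    };
    statement.AuthnContext = new AuthnContext
    {
        Items = new object[] { "urn:a.valid.uri:string", "urn:a.valid.uri:string", "urn:a.valid.uri:string" },
        ItemsElementName = new[] { AuthnContextType.AuthnContextDeclRef, AuthnContextType.AuthnContextDeclRef, AuthnContextType.AuthnContextDeclRef }
    };
    var validator = new Saml20StatementValidator();

    // Act
    var exception = Assert.Throws<Saml20FormatException>(() => validator.ValidateStatement(statement));

    // Assert: NUnit's second Assert.Throws argument is the failure description, not the expected exception
    // text, so the message has to be checked explicitly or any Saml20FormatException would pass.
    Assert.AreEqual("AuthnContext MUST NOT contain more than two elements.", exception.Message);
}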
//ExpectedMessage = "AuthnContextClassRef has a value which is not a wellformed absolute uri")]
public void ThrowsExceptionWhenAuthnContextAuthnContextClassRefUriInvalid()
{
    // Arrange: the AuthnContextClassRef is an empty string, which is not an absolute URI.
    var authnStatement = new AuthnStatement
    {
        AuthnInstant = DateTime.UtcNow,
        SessionNotOnOrAfter = DateTime.UtcNow.AddHours(1),
        AuthnContext = new AuthnContext
        {
            Items = new object[] { string.Empty, "urn:a.valid.uri:string" },
            ItemsElementName = new[] { AuthnContextType.AuthnContextClassRef, AuthnContextType.AuthnContextDeclRef }
        }
    };
    var sut = new Saml20StatementValidator();

    // Act / Assert: only the exception type is verified here, not its message.
    Assert.Throws(typeof(Saml20FormatException), () => sut.ValidateStatement(authnStatement, true));
}
/// <summary>
/// Checks the DK-SAML 2.0 profile requirement on an <c>AuthnStatement</c>: the <c>SessionIndex</c>
/// attribute must be present (as judged by <c>Saml20Utils.ValidateRequiredString</c>).
/// </summary>
/// <param name="authnStatement">The <c>AuthnStatement</c> to check.</param>
/// <exception cref="SAML2.Profiles.DKSAML20.DKSaml20FormatException">The DK-SAML 2.0 profile requires that the <c>\AuthnStatement\</c> element contains the <c>\SessionIndex\</c> attribute.</exception>
private void ValidateAuthnStatement(AuthnStatement authnStatement)
{
    bool hasSessionIndex = Saml20Utils.ValidateRequiredString(authnStatement.SessionIndex);
    if (hasSessionIndex)
    {
        return;
    }

    throw new DKSaml20FormatException("The DK-SAML 2.0 profile requires that the \"AuthnStatement\" element contains the \"SessionIndex\" attribute.");
}
public void ThrowsExceptionWhenAuthnContextAuthenticatingAuthorityUriInvalid()
{
    // Arrange: valid context items, but the second AuthenticatingAuthority entry is not an absolute URI.
    // The expected Saml20FormatException is presumably declared by an attribute on this method (outside this listing).
    var authnStatement = new AuthnStatement
    {
        AuthnInstant = DateTime.UtcNow,
        SessionNotOnOrAfter = DateTime.UtcNow.AddHours(1),
        AuthnContext = new AuthnContext
        {
            AuthenticatingAuthority = new[] { "urn:aksdlfj", "urn/invalid" },
            Items = new object[] { "urn:a:valid.uri:string", "http://another/valid/uri.string" },
            ItemsElementName = new[] { AuthnContextType.AuthnContextClassRef, AuthnContextType.AuthnContextDeclRef }
        }
    };
    var sut = new Saml20StatementValidator();

    // Act
    sut.ValidateStatement(authnStatement);
}
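public void ThrowsExceptionWhenAuthnContextAuthenticatingAuthorityUriInvalid()
{
    // Arrange: valid context items, but the second AuthenticatingAuthority entry is not an absolute URI.
    var statement = new AuthnStatement
    {
        AuthnInstant = DateTime.UtcNow,
        SessionNotOnOrAfter = DateTime.UtcNow.AddHours(1)
    };
    statement.AuthnContext = new AuthnContext
    {
        AuthenticatingAuthority = new[] { "urn:aksdlfj", "urn/invalid" },
        Items = new object[] { "urn:a:valid.uri:string", "http://another/valid/uri.string" },
        ItemsElementName = new[] { AuthnContextType.AuthnContextClassRef, AuthnContextType.AuthnContextDeclRef }
    };
    var validator = new Saml20StatementValidator();

    // Act
    var exception = Assert.Throws<Saml20FormatException>(() => validator.ValidateStatement(statement));

    // Assert: NUnit's second Assert.Throws argument is the failure description, not the expected exception
    // text, so the message has to be checked explicitly or any Saml20FormatException would pass.
    Assert.AreEqual("AuthenticatingAuthority array contains a value which is not a wellformed absolute uri", exception.Message);
}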
public void ThrowsExceptionWhenAuthnContextHasMoreThanTwoItems()
{
    // Arrange: three AuthnContextDeclRef items; the schema allows at most two AuthnContext children.
    // The expected Saml20FormatException is presumably declared by an attribute on this method (outside this listing).
    var authnStatement = new AuthnStatement
    {
        AuthnInstant = DateTime.UtcNow,
        SessionNotOnOrAfter = DateTime.UtcNow.AddHours(1),
        AuthnContext = new AuthnContext
        {
            Items = new object[] { "urn:a.valid.uri:string", "urn:a.valid.uri:string", "urn:a.valid.uri:string" },
            ItemsElementName = new[] { AuthnContextType.AuthnContextDeclRef, AuthnContextType.AuthnContextDeclRef, AuthnContextType.AuthnContextDeclRef }
        }
    };
    var sut = new Saml20StatementValidator();

    // Act
    sut.ValidateStatement(authnStatement, true);
}
public void AuthnStatement_Element()
{
    Assertion saml20Assertion = AssertionUtil.GetBasicAssertion();

    // Pick the first AuthnStatement out of the basic assertion's statements.
    AuthnStatement authnStmt = null;
    foreach (StatementAbstract stmnt in saml20Assertion.Items)
    {
        if (stmnt is AuthnStatement)
        {
            authnStmt = (AuthnStatement)stmnt;
            break;
        }
    }

    // A missing SessionIndex violates the DK-SAML profile; restore it afterwards.
    string oldSessionIndex = authnStmt.SessionIndex;
    authnStmt.SessionIndex = null;
    TestAssertion(saml20Assertion, "The DK-SAML 2.0 profile requires that the \"AuthnStatement\" element contains the \"SessionIndex\" attribute.");
    authnStmt.SessionIndex = oldSessionIndex;

    // Replace the X509 AuthnContextClassRef with a value that is not an absolute URI; restore it afterwards.
    int index = -1;
    for (int i = 0; i < authnStmt.AuthnContext.Items.Length; i++)
    {
        object o = authnStmt.AuthnContext.Items[i];
        if (o is string && o.ToString() == "urn:oasis:names:tc:SAML:2.0:ac:classes:X509")
        {
            index = i;
            break;
        }
    }
    object oldValue = authnStmt.AuthnContext.Items[index];
    authnStmt.AuthnContext.Items[index] = "Hallelujagobble!!";
    TestAssertion(saml20Assertion, "AuthnContextClassRef has a value which is not a wellformed absolute uri");
    authnStmt.AuthnContext.Items[index] = oldValue;

    // Remove it: a fresh assertion without any AuthnStatement must be rejected.
    saml20Assertion = AssertionUtil.GetBasicAssertion();
    List<StatementAbstract> statements = new List<StatementAbstract>();
    foreach (StatementAbstract stmnt in saml20Assertion.Items)
    {
        if (!(stmnt is AuthnStatement))
        {
            statements.Add(stmnt);
        }
    }
    saml20Assertion.Items = statements.ToArray();
    TestAssertion(saml20Assertion, "The DK-SAML 2.0 profile requires exactly one \"AuthnStatement\" element and one \"AttributeStatement\" element.");
}
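// Create a SAML response with the user's local identity.
//
// IdP-initiated flow: there is no AuthnRequest to answer, so no InResponseTo is set. The response is
// addressed to the configured assertion consumer service and carries a bearer subject confirmation for the
// local user, now bounded by NotOnOrAfter so the assertion cannot be presented indefinitely.
// NOTE(review): the assertion still has no Conditions (validity window, AudienceRestriction); add them if
// the consuming service provider requires them.
private SAMLResponse CreateSAMLResponse()
{
    Trace.Write("IdP", "Creating SAML response");

    // How long the bearer confirmation stays presentable, measured from now in UTC.
    TimeSpan subjectConfirmationLifetime = new TimeSpan(0, 10, 0);

    SAMLResponse samlResponse = new SAMLResponse();
    samlResponse.Destination = Configuration.AssertionConsumerServiceURL;

    Issuer issuer = new Issuer(CreateAbsoluteURL("~/"));
    samlResponse.Issuer = issuer;
    samlResponse.Status = new Status(SAMLIdentifiers.PrimaryStatusCodes.Success, null);

    SAMLAssertion samlAssertion = new SAMLAssertion();
    samlAssertion.Issuer = issuer;

    Subject subject = new Subject(new NameID(User.Identity.Name));

    SubjectConfirmation subjectConfirmation = new SubjectConfirmation(SAMLIdentifiers.SubjectConfirmationMethods.Bearer);
    SubjectConfirmationData subjectConfirmationData = new SubjectConfirmationData();
    subjectConfirmationData.Recipient = Configuration.AssertionConsumerServiceURL;
    // Without this the bearer confirmation has no expiry.
    subjectConfirmationData.NotOnOrAfter = DateTime.UtcNow.Add(subjectConfirmationLifetime);
    subjectConfirmation.SubjectConfirmationData = subjectConfirmationData;
    subject.SubjectConfirmations.Add(subjectConfirmation);
    samlAssertion.Subject = subject;

    AuthnStatement authnStatement = new AuthnStatement();
    authnStatement.AuthnContext = new AuthnContext();
    authnStatement.AuthnContext.AuthnContextClassRef = new AuthnContextClassRef(SAMLIdentifiers.AuthnContextClasses.Password);
    samlAssertion.Statements.Add(authnStatement);

    samlResponse.Assertions.Add(samlAssertion);

    Trace.Write("IdP", "Created SAML response");

    return samlResponse;
}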
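public void ThrowsExceptionWhenAuthnContextAuthnContextDeclInvalid()
{
    // Arrange: the single AuthnContext item is declared as an AuthnContextDecl, which this implementation rejects.
    var statement = new AuthnStatement
    {
        AuthnInstant = DateTime.UtcNow,
        SessionNotOnOrAfter = DateTime.UtcNow.AddHours(1)
    };
    statement.AuthnContext = new AuthnContext
    {
        Items = new object[] { new AuthnStatement() },
        ItemsElementName = new[] { AuthnContextType.AuthnContextDecl }
    };
    var validator = new Saml20StatementValidator();

    // Act
    var exception = Assert.Throws<Saml20FormatException>(() => validator.ValidateStatement(statement));

    // Assert: NUnit's second Assert.Throws argument is the failure description, not the expected exception
    // text, so the message has to be checked explicitly or any Saml20FormatException would pass.
    Assert.AreEqual("AuthnContextDecl elements are not allowed in this implementation", exception.Message);
}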
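public void ThrowsExceptionWhenAuthnContextAuthnContextDeclRefUriInvalid()
{
    // Arrange: an otherwise valid AuthnStatement whose AuthnContextDeclRef is a relative path, not an absolute URI.
    var statement = new AuthnStatement
    {
        AuthnInstant = DateTime.UtcNow,
        SessionNotOnOrAfter = DateTime.UtcNow.AddHours(1)
    };
    statement.AuthnContext = new AuthnContext
    {
        Items = new object[] { "urn:a.valid.uri:string", "an/invalid/uri/string.aspx" },
        ItemsElementName = new[] { AuthnContextType.AuthnContextClassRef, AuthnContextType.AuthnContextDeclRef }
    };
    var validator = new Saml20StatementValidator();

    // Act
    var exception = Assert.Throws<Saml20FormatException>(() => validator.ValidateStatement(statement));

    // Assert: NUnit's second Assert.Throws argument is the failure description, not the expected exception
    // text, so the message has to be checked explicitly or any Saml20FormatException would pass.
    Assert.AreEqual("AuthnContextDeclRef has a value which is not a wellformed absolute uri", exception.Message);
}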
/// <summary>
/// Validates an <c>AuthnStatement</c> against [SAML2.0std] section 2.7.2: <c>AuthnInstant</c> is mandatory,
/// the optional <c>SessionIndex</c> and <c>SubjectLocality</c> attributes may not be blank when present,
/// and the nested <c>AuthnContext</c> is validated in turn.
/// </summary>
/// <param name="statement">The statement to validate.</param>
/// <exception cref="Saml2FormatException">Thrown at the first rule that fails, in the order listed above.</exception>
private void ValidateAuthnStatement(AuthnStatement statement)
{
    if (statement.AuthnInstant == null)
    {
        throw new Saml2FormatException("AuthnStatement MUST have an AuthnInstant attribute");
    }

    if (!Saml2Utils.ValidateOptionalString(statement.SessionIndex))
    {
        throw new Saml2FormatException("SessionIndex attribute of AuthnStatement must contain at least one non-whitespace character");
    }

    // SubjectLocality is optional; when present its Address and DNSName must be absent or non-blank.
    if (statement.SubjectLocality != null && !Saml2Utils.ValidateOptionalString(statement.SubjectLocality.Address))
    {
        throw new Saml2FormatException("Address attribute of SubjectLocality must contain at least one non-whitespace character");
    }

    if (statement.SubjectLocality != null && !Saml2Utils.ValidateOptionalString(statement.SubjectLocality.DNSName))
    {
        throw new Saml2FormatException("DNSName attribute of SubjectLocality must contain at least one non-whitespace character");
    }

    ValidateAuthnContext(statement.AuthnContext);
}
// Create a SAML response with the user's local identity.
//
// IdP-initiated flow: there is no AuthnRequest to answer, so no InResponseTo is set. The assertion names
// the configured Salesforce login id, is restricted to audienceURI and valid for one hour (the same expiry
// is copied onto the bearer subject confirmation), and advertises the SSO start and logout pages as
// attributes.
private SAMLResponse CreateSAMLResponse()
{
    Trace.Write("IdP", "Creating SAML response");

    Issuer issuer = new Issuer(Configuration.Issuer);

    SAMLResponse samlResponse = new SAMLResponse();
    samlResponse.Destination = Configuration.AssertionConsumerServiceURL;
    samlResponse.Issuer = issuer;
    samlResponse.Status = new Status(SAMLIdentifiers.PrimaryStatusCodes.Success, null);

    SAMLAssertion samlAssertion = new SAMLAssertion();
    samlAssertion.Issuer = issuer;

    // Validity window and audience restriction for the assertion.
    Conditions conditions = new Conditions(new TimeSpan(1, 0, 0));
    AudienceRestriction audienceRestriction = new AudienceRestriction();
    audienceRestriction.Audiences.Add(new Audience(audienceURI));
    conditions.ConditionsList.Add(audienceRestriction);
    samlAssertion.Conditions = conditions;

    // For simplicity, a configured Salesforce user name is used.
    // NB. You must update the web.config to specify a valid Salesforce user name.
    // In a real world application you would perform some sort of local to Salesforce identity mapping.
    NameID nameID = new NameID(Configuration.SalesforceLoginID, null, null, SAMLIdentifiers.NameIdentifierFormats.Unspecified, null);

    SubjectConfirmationData subjectConfirmationData = new SubjectConfirmationData();
    subjectConfirmationData.Recipient = Configuration.AssertionConsumerServiceURL;
    subjectConfirmationData.NotOnOrAfter = conditions.NotOnOrAfter;

    SubjectConfirmation subjectConfirmation = new SubjectConfirmation(SAMLIdentifiers.SubjectConfirmationMethods.Bearer);
    subjectConfirmation.SubjectConfirmationData = subjectConfirmationData;

    Subject subject = new Subject(nameID);
    subject.SubjectConfirmations.Add(subjectConfirmation);
    samlAssertion.Subject = subject;

    AuthnStatement authnStatement = new AuthnStatement();
    authnStatement.AuthnContext = new AuthnContext();
    authnStatement.AuthnContext.AuthnContextClassRef = new AuthnContextClassRef(SAMLIdentifiers.AuthnContextClasses.Unspecified);
    samlAssertion.Statements.Add(authnStatement);

    // Salesforce-specific attributes: where to start SSO and where to send the user on logout.
    AttributeStatement attributeStatement = new AttributeStatement();
    attributeStatement.Attributes.Add(new SAMLAttribute(AttributeNames.SSOStartPage, SAMLIdentifiers.AttributeNameFormats.Unspecified, null, CreateAbsoluteURL("~/Login.aspx")));
    attributeStatement.Attributes.Add(new SAMLAttribute(AttributeNames.LogoutURL, SAMLIdentifiers.AttributeNameFormats.Unspecified, null, CreateAbsoluteURL("~/Logout.aspx")));
    samlAssertion.Statements.Add(attributeStatement);

    samlResponse.Assertions.Add(samlAssertion);

    Trace.Write("IdP", "Created SAML response");

    return samlResponse;
}
public void ThrowsExceptionWhenAuthnInstantNull()
{
    // Arrange: a bare AuthnStatement with its mandatory AuthnInstant explicitly cleared.
    // The expected Saml20FormatException is presumably declared by an attribute on this method (outside this listing).
    var sut = new Saml20StatementValidator();
    var authnStatement = new AuthnStatement { AuthnInstant = null };

    // Act
    sut.ValidateStatement(authnStatement);
}
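public void ThrowsExceptionWhenAuthnInstantNull()
{
    // Arrange: a bare AuthnStatement with its mandatory AuthnInstant explicitly cleared.
    var statement = new AuthnStatement();
    var validator = new Saml20StatementValidator();
    statement.AuthnInstant = null;

    // Act
    var exception = Assert.Throws<Saml20FormatException>(() => validator.ValidateStatement(statement));

    // Assert: NUnit's second Assert.Throws argument is the failure description, not the expected exception
    // text, so the message has to be checked explicitly or any Saml20FormatException would pass.
    Assert.AreEqual("AuthnStatement MUST have an AuthnInstant attribute", exception.Message);
}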
// Create a SAML response with the user's local identity, if any, or indicating an error.
//
// The response answers authnRequest: InResponseTo and Destination come from it. When the user is
// authenticated the assertion gets a ten-minute validity window, an AudienceRestriction, and a bearer
// subject confirmation whose InResponseTo/Recipient mirror the request and whose NotBefore/NotOnOrAfter
// mirror the conditions. Otherwise a Responder/AuthnFailed status is returned.
// NOTE(review): Destination, Recipient and Audience are all taken from the request's
// AssertionConsumerServiceURL; whether that URL has been checked against the service provider's registered
// endpoint before this point is not visible here — confirm in the caller.
private SAMLResponse CreateSAMLResponse(AuthnRequest authnRequest)
{
    Trace.Write("IdP", "Creating SAML response");

    Issuer issuer = new Issuer(CreateAbsoluteURL("~/"));

    SAMLResponse samlResponse = new SAMLResponse();
    samlResponse.InResponseTo = authnRequest.ID;
    samlResponse.Destination = authnRequest.AssertionConsumerServiceURL;
    samlResponse.Issuer = issuer;

    if (!User.Identity.IsAuthenticated)
    {
        samlResponse.Status = new Status(SAMLIdentifiers.PrimaryStatusCodes.Responder, SAMLIdentifiers.SecondaryStatusCodes.AuthnFailed, "The user is not authenticated at the identity provider");
    }
    else
    {
        samlResponse.Status = new Status(SAMLIdentifiers.PrimaryStatusCodes.Success, null);

        SAMLAssertion samlAssertion = new SAMLAssertion();
        samlAssertion.Issuer = issuer;

        // Ten-minute validity window, restricted to the requesting assertion consumer service.
        Conditions conditions = new Conditions(new TimeSpan(0, 10, 0));
        AudienceRestriction audienceRestriction = new AudienceRestriction();
        audienceRestriction.Audiences.Add(new Audience(authnRequest.AssertionConsumerServiceURL));
        conditions.ConditionsList.Add(audienceRestriction);
        samlAssertion.Conditions = conditions;

        // Bearer confirmation bound to the request, the recipient and the same time window.
        SubjectConfirmationData subjectConfirmationData = new SubjectConfirmationData();
        subjectConfirmationData.InResponseTo = authnRequest.ID;
        subjectConfirmationData.Recipient = authnRequest.AssertionConsumerServiceURL;
        subjectConfirmationData.NotBefore = conditions.NotBefore;
        subjectConfirmationData.NotOnOrAfter = conditions.NotOnOrAfter;

        SubjectConfirmation subjectConfirmation = new SubjectConfirmation(SAMLIdentifiers.SubjectConfirmationMethods.Bearer);
        subjectConfirmation.SubjectConfirmationData = subjectConfirmationData;

        Subject subject = new Subject(new NameID(User.Identity.Name));
        subject.SubjectConfirmations.Add(subjectConfirmation);
        samlAssertion.Subject = subject;

        AuthnStatement authnStatement = new AuthnStatement();
        authnStatement.AuthnContext = new AuthnContext();
        authnStatement.AuthnContext.AuthnContextClassRef = new AuthnContextClassRef(SAMLIdentifiers.AuthnContextClasses.Password);
        samlAssertion.Statements.Add(authnStatement);

        samlResponse.Assertions.Add(samlAssertion);
    }

    Trace.Write("IdP", "Created SAML response");

    return samlResponse;
}
public void ThrowsExceptionWhenAuthnContextNull()
{
    // Arrange: timestamps are valid but no AuthnContext is attached.
    // The expected Saml20FormatException is presumably declared by an attribute on this method (outside this listing).
    var now = DateTime.UtcNow;
    var authnStatement = new AuthnStatement
    {
        AuthnInstant = now,
        SessionNotOnOrAfter = DateTime.UtcNow.AddHours(1)
    };
    var sut = new Saml20StatementValidator();

    // Act
    sut.ValidateStatement(authnStatement);
}
//ExpectedMessage = "AuthnStatement MUST have an AuthnInstant attribute")]
public void ThrowsExceptionWhenAuthnInstantNull()
{
    // Arrange: a bare AuthnStatement with its mandatory AuthnInstant explicitly cleared.
    var sut = new Saml20StatementValidator();
    var authnStatement = new AuthnStatement { AuthnInstant = null };

    // Act / Assert: only the exception type is verified here, not its message.
    Assert.Throws(typeof(Saml20FormatException), () => sut.ValidateStatement(authnStatement, true));
}
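public void ThrowsExceptionWhenAuthnContextNull()
{
    // Arrange: timestamps are valid but no AuthnContext is attached.
    var statement = new AuthnStatement
    {
        AuthnInstant = DateTime.UtcNow,
        SessionNotOnOrAfter = DateTime.UtcNow.AddHours(1)
    };
    var validator = new Saml20StatementValidator();

    // Act
    var exception = Assert.Throws<Saml20FormatException>(() => validator.ValidateStatement(statement));

    // Assert: NUnit's second Assert.Throws argument is the failure description, not the expected exception
    // text, so the message has to be checked explicitly or any Saml20FormatException would pass.
    Assert.AreEqual("AuthnStatement MUST have an AuthnContext element", exception.Message);
}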
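public void ThrowsExceptionWhenAuthnContextItemsNull()
{
    // Arrange: an AuthnContext is present but its Items array was never set.
    var statement = new AuthnStatement
    {
        AuthnContext = new AuthnContext(),
        AuthnInstant = DateTime.UtcNow,
        SessionNotOnOrAfter = DateTime.UtcNow.AddHours(1)
    };
    var validator = new Saml20StatementValidator();

    // Act
    var exception = Assert.Throws<Saml20FormatException>(() => validator.ValidateStatement(statement));

    // Assert: NUnit's second Assert.Throws argument is the failure description, not the expected exception
    // text, so the message has to be checked explicitly or any Saml20FormatException would pass.
    Assert.AreEqual("AuthnContext element MUST contain at least one AuthnContextClassRef, AuthnContextDecl or AuthnContextDeclRef element", exception.Message);
}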
//ExpectedMessage = "AuthnStatement MUST have an AuthnContext element")]
public void ThrowsExceptionWhenAuthnContextNull()
{
    // Arrange: timestamps are valid but no AuthnContext is attached.
    var authnStatement = new AuthnStatement
    {
        AuthnInstant = DateTime.UtcNow,
        SessionNotOnOrAfter = DateTime.UtcNow.AddHours(1)
    };
    var sut = new Saml20StatementValidator();

    // Act / Assert: only the exception type is verified here, not its message.
    Assert.Throws(typeof(Saml20FormatException), () => sut.ValidateStatement(authnStatement, true));
}
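// Create a SAML response with the user's local identity, if any, or indicating an error.
//
// The response is correlated to the AuthnRequest held in the SSO state (InResponseTo) and addressed to the
// assertion consumer service recorded there (Destination), so the service provider can reject responses it
// did not solicit or that were redirected to a different endpoint. When the user is authenticated the
// assertion holds a bearer subject confirmation bounded by NotOnOrAfter, a Password AuthnContext and a
// sample "Membership" attribute; otherwise the status is Responder/AuthnFailed.
// NOTE(review): the assertion itself still carries no Conditions (validity window, AudienceRestriction);
// add them if the consuming service provider requires them.
private SAMLResponse CreateSAMLResponse(SSOState ssoState)
{
    Trace.Write("IdP", "Creating SAML response");

    // How long the bearer confirmation stays presentable, measured from now in UTC.
    TimeSpan subjectConfirmationLifetime = new TimeSpan(0, 10, 0);

    string issuerURL = CreateAbsoluteURL("~/");
    Issuer issuer = new Issuer(issuerURL);

    SAMLResponse samlResponse = new SAMLResponse();
    samlResponse.InResponseTo = ssoState.authnRequest.ID;
    samlResponse.Destination = ssoState.assertionConsumerServiceURL;
    samlResponse.Issuer = issuer;

    if (User.Identity.IsAuthenticated)
    {
        samlResponse.Status = new Status(SAMLIdentifiers.PrimaryStatusCodes.Success, null);

        SAMLAssertion samlAssertion = new SAMLAssertion();
        samlAssertion.Issuer = issuer;

        SubjectConfirmationData subjectConfirmationData = new SubjectConfirmationData();
        subjectConfirmationData.InResponseTo = ssoState.authnRequest.ID;
        subjectConfirmationData.Recipient = ssoState.assertionConsumerServiceURL;
        // Without this the bearer confirmation has no expiry and could be presented indefinitely.
        subjectConfirmationData.NotOnOrAfter = DateTime.UtcNow.Add(subjectConfirmationLifetime);

        SubjectConfirmation subjectConfirmation = new SubjectConfirmation(SAMLIdentifiers.SubjectConfirmationMethods.Bearer);
        subjectConfirmation.SubjectConfirmationData = subjectConfirmationData;

        Subject subject = new Subject(new NameID(User.Identity.Name));
        subject.SubjectConfirmations.Add(subjectConfirmation);
        samlAssertion.Subject = subject;

        AuthnStatement authnStatement = new AuthnStatement();
        authnStatement.AuthnContext = new AuthnContext();
        authnStatement.AuthnContext.AuthnContextClassRef = new AuthnContextClassRef(SAMLIdentifiers.AuthnContextClasses.Password);
        samlAssertion.Statements.Add(authnStatement);

        // Attributes may be included in the SAML assertion.
        AttributeStatement attributeStatement = new AttributeStatement();
        attributeStatement.Attributes.Add(new SAMLAttribute("Membership", SAMLIdentifiers.AttributeNameFormats.Basic, null, "Gold"));
        samlAssertion.Statements.Add(attributeStatement);

        samlResponse.Assertions.Add(samlAssertion);
    }
    else
    {
        samlResponse.Status = new Status(SAMLIdentifiers.PrimaryStatusCodes.Responder, SAMLIdentifiers.SecondaryStatusCodes.AuthnFailed, "The user is not authenticated at the identity provider");
    }

    Trace.Write("IdP", "Created SAML response");

    return samlResponse;
}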
public void ThrowsExceptionWhenAuthnStatementSessionNotOnOrAfterInPast()
{
    // Arrange: append an AuthnStatement whose session expired an hour ago to an otherwise valid assertion.
    // The expected exception is presumably declared by an attribute on this method (outside this listing).
    var assertion = AssertionUtil.GetBasicAssertion();
    var expiredSession = new AuthnStatement
    {
        AuthnInstant = DateTime.UtcNow,
        SessionNotOnOrAfter = DateTime.UtcNow.AddHours(-1)
    };
    var statements = new List<StatementAbstract>(assertion.Items) { expiredSession };
    assertion.Items = statements.ToArray();
    var sut = new Saml20AssertionValidator(AssertionUtil.GetAudiences(), false);

    // Act: no clock-skew allowance, so the past SessionNotOnOrAfter must be rejected.
    sut.ValidateTimeRestrictions(assertion, new TimeSpan());
}
public void ThrowsExceptionWhenAuthnContextItemsEmpty()
{
    // Arrange: an AuthnContext whose Items and ItemsElementName arrays are both empty.
    // The expected Saml20FormatException is presumably declared by an attribute on this method (outside this listing).
    var authnStatement = new AuthnStatement
    {
        AuthnInstant = DateTime.UtcNow,
        SessionNotOnOrAfter = DateTime.UtcNow.AddHours(1),
        AuthnContext = new AuthnContext
        {
            Items = new object[0],
            ItemsElementName = new AuthnContextType[0]
        }
    };
    var sut = new Saml20StatementValidator();

    // Act
    sut.ValidateStatement(authnStatement);
}
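public void ThrowsExceptionWhenAuthnContextItemsEmpty()
{
    // Arrange: an AuthnContext whose Items and ItemsElementName arrays are both empty.
    var statement = new AuthnStatement
    {
        AuthnInstant = DateTime.UtcNow,
        SessionNotOnOrAfter = DateTime.UtcNow.AddHours(1)
    };
    statement.AuthnContext = new AuthnContext
    {
        Items = new List<object>().ToArray(),
        ItemsElementName = new List<AuthnContextType>().ToArray()
    };
    var validator = new Saml20StatementValidator();

    // Act
    var exception = Assert.Throws<Saml20FormatException>(() => validator.ValidateStatement(statement));

    // Assert: NUnit's second Assert.Throws argument is the failure description, not the expected exception
    // text, so the message has to be checked explicitly or any Saml20FormatException would pass.
    Assert.AreEqual("AuthnContext element MUST contain at least one AuthnContextClassRef, AuthnContextDecl or AuthnContextDeclRef element", exception.Message);
}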
/// <summary>
/// Builds the SAML response for an authentication request: a Success status carrying a bearer assertion
/// for the page's authenticated user, or a Responder/AuthnFailed status when nobody is signed in.
/// </summary>
/// <param name="page">The page whose <c>User</c> identity and base URL (for the Issuer) are used.</param>
/// <param name="authnRequest">The AuthnRequest object being answered; its Id becomes the InResponseTo of the subject confirmation.</param>
/// <returns>A SAML Response object.</returns>
/// <remarks>
/// NOTE(review): the assertion carries no Conditions (NotOnOrAfter, AudienceRestriction) and the response
/// no InResponseTo; if the consuming service provider enforces them, they need to be added here.
/// </remarks>
public static ComponentPro.Saml2.Response BuildResponse(Page page, AuthnRequest authnRequest)
{
    ComponentPro.Saml2.Response samlResponse = new ComponentPro.Saml2.Response();
    samlResponse.Destination = Global.AssertionServiceUrl;

    Issuer issuer = new Issuer(GetAbsoluteUrl(page, "~/"));
    samlResponse.Issuer = issuer;

    if (!page.User.Identity.IsAuthenticated)
    {
        samlResponse.Status = new Status(SamlPrimaryStatusCode.Responder, SamlSecondaryStatusCode.AuthnFailed, "The user is not authenticated at the identity provider");
        return samlResponse;
    }

    samlResponse.Status = new Status(SamlPrimaryStatusCode.Success, null);

    Assertion samlAssertion = new Assertion();
    samlAssertion.Issuer = issuer;

    // Bearer confirmation tied to the request id and the configured assertion service.
    SubjectConfirmationData subjectConfirmationData = new SubjectConfirmationData();
    subjectConfirmationData.InResponseTo = authnRequest.Id;
    subjectConfirmationData.Recipient = Global.AssertionServiceUrl;

    SubjectConfirmation subjectConfirmation = new SubjectConfirmation(SamlSubjectConfirmationMethod.Bearer);
    subjectConfirmation.SubjectConfirmationData = subjectConfirmationData;

    Subject subject = new Subject(new NameId(page.User.Identity.Name));
    subject.SubjectConfirmations.Add(subjectConfirmation);
    samlAssertion.Subject = subject;

    AuthnStatement authnStatement = new AuthnStatement();
    authnStatement.AuthnContext = new AuthnContext();
    authnStatement.AuthnContext.AuthnContextClassRef = new AuthnContextClassRef(SamlAuthenticateContext.Password);
    samlAssertion.Statements.Add(authnStatement);

    samlResponse.Assertions.Add(samlAssertion);

    return samlResponse;
}
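// Create a SAML response with the user's local identity.
//
// IdP-initiated flow: there is no AuthnRequest to answer, so no InResponseTo is set. The response is
// addressed to the configured assertion consumer service and carries a bearer subject confirmation for the
// local user, now bounded by NotOnOrAfter so the assertion cannot be presented indefinitely.
// NOTE(review): the assertion still has no Conditions (validity window, AudienceRestriction); add them if
// the consuming service provider requires them.
private SAMLResponse CreateSAMLResponse()
{
    Trace.Write("IdP", "Creating SAML response");

    // How long the bearer confirmation stays presentable, measured from now in UTC.
    TimeSpan subjectConfirmationLifetime = new TimeSpan(0, 10, 0);

    Issuer issuer = new Issuer(CreateAbsoluteURL("~/"));

    SAMLResponse samlResponse = new SAMLResponse();
    samlResponse.Destination = Configuration.AssertionConsumerServiceURL;
    samlResponse.Issuer = issuer;
    samlResponse.Status = new Status(SAMLIdentifiers.PrimaryStatusCodes.Success, null);

    SAMLAssertion samlAssertion = new SAMLAssertion();
    samlAssertion.Issuer = issuer;

    SubjectConfirmationData subjectConfirmationData = new SubjectConfirmationData();
    subjectConfirmationData.Recipient = Configuration.AssertionConsumerServiceURL;
    // Without this the bearer confirmation has no expiry.
    subjectConfirmationData.NotOnOrAfter = DateTime.UtcNow.Add(subjectConfirmationLifetime);

    SubjectConfirmation subjectConfirmation = new SubjectConfirmation(SAMLIdentifiers.SubjectConfirmationMethods.Bearer);
    subjectConfirmation.SubjectConfirmationData = subjectConfirmationData;

    Subject subject = new Subject(new NameID(User.Identity.Name));
    subject.SubjectConfirmations.Add(subjectConfirmation);
    samlAssertion.Subject = subject;

    AuthnStatement authnStatement = new AuthnStatement();
    authnStatement.AuthnContext = new AuthnContext();
    authnStatement.AuthnContext.AuthnContextClassRef = new AuthnContextClassRef(SAMLIdentifiers.AuthnContextClasses.Password);
    samlAssertion.Statements.Add(authnStatement);

    samlResponse.Assertions.Add(samlAssertion);

    Trace.Write("IdP", "Created SAML response");

    return samlResponse;
}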
// Build a SAML response from the values in queryParameters, sign it, and return it base64-encoded.
//
// Inputs are all read from the queryParameters field (declared outside this listing) and used as-is:
//   issuer              -> Issuer of response and assertion, and the response Destination
//   userEmail           -> subject NameID (email-address format) and the "mail" attribute
//   member, cn, uid     -> one single-attribute AttributeStatement each
//   pfxLocation, pfxPwd -> the PFX holding the signing key, and its password
// The signature reference covers the assertion element (by ID) while the ds:Signature element is attached
// to the Response. The serialized response is also written to "SAMLPayload.xml" in the current directory.
private string BuildSAML()
{
    var strIssuer = queryParameters.FirstOrDefault(i => i.Key == "issuer").Value;
    var member = queryParameters.FirstOrDefault(i => i.Key == "member").Value;
    var userEmail = queryParameters.FirstOrDefault(i => i.Key == "userEmail").Value;
    var cn = queryParameters.FirstOrDefault(i => i.Key == "cn").Value;
    var uid = queryParameters.FirstOrDefault(i => i.Key == "uid").Value;
    var pfxLocation = queryParameters.FirstOrDefault(i => i.Key == "pfxLocation").Value;
    var pfxPwd = queryParameters.FirstOrDefault(i => i.Key == "pfxPwd").Value;

    var samlResponse = new SAMLResponse
    {
        Issuer = new Issuer(strIssuer),
        Destination = strIssuer
    };

    var samlAssertion = new SAMLAssertion
    {
        Issuer = new Issuer(strIssuer),
        Subject = new Subject(new NameID(userEmail, null, null, SAMLIdentifiers.NameIdentifierFormats.EmailAddress, null)),
        Conditions = new Conditions(new TimeSpan(1, 0, 0))
    };

    var authnStatement = new AuthnStatement { AuthnContext = new AuthnContext() };
    authnStatement.AuthnContext.AuthnContextClassRef = new AuthnContextClassRef(SAMLIdentifiers.AuthnContextClasses.PasswordProtectedTransport);
    samlAssertion.Statements.Add(authnStatement);

    // One AttributeStatement per attribute, in the order member, mail, cn, uid.
    var memberStatement = new AttributeStatement();
    memberStatement.Attributes.Add(new SAMLAttribute("member", SAMLIdentifiers.AttributeNameFormats.Basic, null, member));
    samlAssertion.Statements.Add(memberStatement);

    var mailStatement = new AttributeStatement();
    mailStatement.Attributes.Add(new SAMLAttribute("mail", SAMLIdentifiers.AttributeNameFormats.Basic, null, userEmail));
    samlAssertion.Statements.Add(mailStatement);

    var cnStatement = new AttributeStatement();
    cnStatement.Attributes.Add(new SAMLAttribute("cn", SAMLIdentifiers.AttributeNameFormats.Basic, null, cn));
    samlAssertion.Statements.Add(cnStatement);

    var uidStatement = new AttributeStatement();
    uidStatement.Attributes.Add(new SAMLAttribute("uid", SAMLIdentifiers.AttributeNameFormats.Basic, null, uid));
    samlAssertion.Statements.Add(uidStatement);

    samlResponse.Assertions.Add(samlAssertion);

    // Sign: the reference points at the assertion by ID; the resulting Signature is placed on the Response.
    var x509Certificate = Util.LoadSignKeyAndCertificate(pfxLocation, pfxPwd);

    var keyInfo = new KeyInfo();
    keyInfo.AddClause(new KeyInfoX509Data(x509Certificate));

    var reference = new Reference { Uri = "#" + samlAssertion.ID };
    reference.AddTransform(new XmlDsigEnvelopedSignatureTransform());

    var signedXml = new SignedXml(samlResponse.ToXml())
    {
        SigningKey = x509Certificate.PrivateKey,
        KeyInfo = keyInfo
    };
    signedXml.AddReference(reference);
    signedXml.ComputeSignature();
    samlResponse.Signature = signedXml.GetXml();

    // The full, signed response is kept on disk as well as returned.
    var result = samlResponse.ToXml().OuterXml;
    File.WriteAllText("SAMLPayload.xml", result);

    return Util.EncodeToBase64(result);
}
// Create a SAML response with the user's local identity.
//
// IdP-initiated flow (no InResponseTo). The assertion names the configured Salesforce login id, is
// restricted to audienceURI, is valid for one hour, and carries the SSO start page and logout URL as
// attributes; the bearer subject confirmation shares the assertion's NotOnOrAfter.
private SAMLResponse CreateSAMLResponse()
{
    Trace.Write("IdP", "Creating SAML response");

    SAMLResponse response = new SAMLResponse();
    response.Destination = Configuration.AssertionConsumerServiceURL;

    Issuer idpIssuer = new Issuer(Configuration.Issuer);
    response.Issuer = idpIssuer;
    response.Status = new Status(SAMLIdentifiers.PrimaryStatusCodes.Success, null);

    SAMLAssertion assertion = new SAMLAssertion();
    assertion.Issuer = idpIssuer;

    // For simplicity, a configured Salesforce user name is used.
    // NB. You must update the web.config to specify a valid Salesforce user name.
    // In a real world application you would perform some sort of local to Salesforce identity mapping.
    Subject subject = new Subject(new NameID(Configuration.SalesforceLoginID, null, null, SAMLIdentifiers.NameIdentifierFormats.Unspecified, null));

    SubjectConfirmationData confirmationData = new SubjectConfirmationData();
    confirmationData.Recipient = Configuration.AssertionConsumerServiceURL;

    SubjectConfirmation confirmation = new SubjectConfirmation(SAMLIdentifiers.SubjectConfirmationMethods.Bearer);
    confirmation.SubjectConfirmationData = confirmationData;
    subject.SubjectConfirmations.Add(confirmation);
    assertion.Subject = subject;

    // One-hour validity window restricted to the Salesforce audience; the bearer confirmation expires with it.
    Conditions conditions = new Conditions(new TimeSpan(1, 0, 0));
    AudienceRestriction audienceRestriction = new AudienceRestriction();
    audienceRestriction.Audiences.Add(new Audience(audienceURI));
    conditions.ConditionsList.Add(audienceRestriction);
    assertion.Conditions = conditions;
    confirmationData.NotOnOrAfter = conditions.NotOnOrAfter;

    AuthnStatement authnStatement = new AuthnStatement();
    authnStatement.AuthnContext = new AuthnContext();
    authnStatement.AuthnContext.AuthnContextClassRef = new AuthnContextClassRef(SAMLIdentifiers.AuthnContextClasses.Unspecified);
    assertion.Statements.Add(authnStatement);

    // Salesforce-specific attributes: where to start SSO and where to send the user on logout.
    AttributeStatement attributeStatement = new AttributeStatement();
    attributeStatement.Attributes.Add(new SAMLAttribute(AttributeNames.SSOStartPage, SAMLIdentifiers.AttributeNameFormats.Unspecified, null, CreateAbsoluteURL("~/Login.aspx")));
    attributeStatement.Attributes.Add(new SAMLAttribute(AttributeNames.LogoutURL, SAMLIdentifiers.AttributeNameFormats.Unspecified, null, CreateAbsoluteURL("~/Logout.aspx")));
    assertion.Statements.Add(attributeStatement);

    response.Assertions.Add(assertion);

    Trace.Write("IdP", "Created SAML response");

    return response;
}
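/// <summary>
/// Page entry point for the Metanga self-care SSO: builds a SAML 2.0 response for the
/// current user, signs it with the IdP certificate and auto-posts it to the self-care
/// login endpoint.
/// </summary>
/// <param name="e">Standard page load event arguments.</param>
/// <remarks>
/// Any failure is traced and swallowed, in which case no response form is written.
/// </remarks>
protected override void OnLoad(EventArgs e)
{
    base.OnLoad(e);
    try
    {
        // An assertion is only minted for a caller with a local identity: an authenticated
        // ASP.NET principal or a user name already established in session. Without this
        // check an anonymous visitor would receive a signed assertion for the fixed
        // fallback account below.
        if (!User.Identity.IsAuthenticated && Session["username"] == null)
        {
            Trace.Write("IdentityProvider", "No local identity; SAML response not issued");
            return;
        }

        #region Custom Attributes
        // Attributes forwarded to the service provider. The values are placeholders;
        // replace them with the real user's details.
        var attributeStatement = new AttributeStatement();
        attributeStatement.Attributes.Add(new Atp.Saml2.Attribute("email", SamlAttributeNameFormat.Basic, null, "*****@*****.**"));
        attributeStatement.Attributes.Add(new Atp.Saml2.Attribute("FirstName", SamlAttributeNameFormat.Basic, null, "John"));
        attributeStatement.Attributes.Add(new Atp.Saml2.Attribute("LastName", SamlAttributeNameFormat.Basic, null, "Smith"));

        // Tell the SP the session changed hands when the user name differs (case-insensitively)
        // from the previous one.
        var currentUser = Session["username"];
        var previousUser = Session["previoususername"];
        if (currentUser != null && previousUser != null
            && !string.Equals(currentUser.ToString(), previousUser.ToString(), StringComparison.OrdinalIgnoreCase))
        {
            attributeStatement.Attributes.Add(new Atp.Saml2.Attribute("samlsessionstate", SamlAttributeNameFormat.Basic, null, "new"));
        }
        #endregion

        // Map the local identity to the external (Metanga) account id: the session value when
        // present, otherwise a fixed demo account that is then remembered in session.
        // TODO(review): replace the fixed id with a real local-to-external identity mapping.
        var externalAccountId = "XAF10964";
        if (currentUser != null)
        {
            externalAccountId = currentUser.ToString();
        }
        else
        {
            Session["username"] = externalAccountId;
            Session["previoususername"] = externalAccountId;
        }

        var consumerServiceUrl = Helper.GetUrl("LinkSelfcareLogin");

        // Bearer subject: the NameID carries the external account id and the assertion may
        // only be presented at the self-care login endpoint.
        var subject = new Subject(new NameId(User.Identity.Name)) { NameId = { NameIdentifier = externalAccountId } };
        subject.SubjectConfirmations.Add(new SubjectConfirmation(SamlSubjectConfirmationMethod.Bearer)
        {
            SubjectConfirmationData = new SubjectConfirmationData { Recipient = consumerServiceUrl }
        });
        // NOTE(review): no NotOnOrAfter / Conditions are set here, so the signed assertion
        // carries no validity window of its own; confirm the SP enforces one.

        // Declares password authentication; adjust if the IdP authenticates differently.
        var authnStatement = new AuthnStatement
        {
            AuthnContext = new AuthnContext
            {
                AuthnContextClassRef = new AuthnContextClassRef(SamlAuthenticateContext.Password)
            }
        };
        var issuer = new Issuer(GetAbsoluteUrl("~/"));
        var samlAssertion = new Assertion { Issuer = issuer, Subject = subject };
        samlAssertion.Statements.Add(authnStatement);
        samlAssertion.Statements.Add(attributeStatement);

        // Load the signing certificate. The PFX password is a secret and is read from the
        // process environment instead of being embedded in source. An unset variable is
        // passed as "no password" and will fail to open a password-protected PFX.
        var filePath = Path.Combine(HttpRuntime.AppDomainAppPath, "metangasso.pfx");
        var pfxPassword = Environment.GetEnvironmentVariable("METANGA_SSO_PFX_PASSWORD");
        using (var x509Certificate = new X509Certificate2(filePath, pfxPassword, X509KeyStorageFlags.MachineKeySet))
        {
            if (!x509Certificate.HasPrivateKey)
            {
                Trace.Write("IdentityProvider", "Signing certificate has no private key; SAML response not issued");
                return;
            }

            var samlResponse = new Response
            {
                // The consumer service URL is the response destination.
                Destination = consumerServiceUrl,
                Issuer = issuer,
                Status = new Status(SamlPrimaryStatusCode.Success, null)
            };
            samlResponse.Assertions.Add(samlAssertion);

            // Sign the whole response with the certificate's private key.
            samlResponse.Sign(x509Certificate);

            // RelayState: where the SP should land the user after login. A session-stored
            // link takes precedence over the default billing page.
            // NOTE(review): whatever writes Session["SsoLink"] controls this target; it should
            // be validated against the self-care site before being stored.
            var targetUrl = Helper.GetUrl("LinkSelfcareBilling") + "?SSO=true";
            if (Session["SsoLink"] != null)
            {
                targetUrl = Session["SsoLink"].ToString();
            }

            // Auto-submitting HTML form that POSTs the response to the service provider.
            samlResponse.SendPostBindingForm(Response.OutputStream, consumerServiceUrl, targetUrl);
        }
    }
    catch (Exception exception)
    {
        Trace.Write("IdentityProvider", "An Error occurred", exception);
    }
}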
/// <summary>
/// Assembles our basic test assertion: a bearer assertion for user "fry" from the basic
/// issuer, restricted to the basic audiences. Timestamps are fixed in 2008 so the fixture
/// is repeatable (and therefore long expired for any validator that checks them); only
/// IssueInstant is taken from the clock.
/// </summary>
/// <returns>The <see cref="Assertion"/>.</returns>
public static Assertion GetBasicAssertion()
{
    // The subject confirmation and the conditions expire at the same instant.
    var notOnOrAfter = new DateTime(2008, 12, 31, 12, 0, 0, 0);

    var issuer = new NameId { Value = GetBasicIssuer() };

    var bearer = new SubjectConfirmation
    {
        Method = SubjectConfirmation.BearerMethod,
        SubjectConfirmationData = new SubjectConfirmationData
        {
            NotOnOrAfter = notOnOrAfter,
            Recipient = "http://borger.dk"
        }
    };

    var audienceRestriction = new AudienceRestriction
    {
        Audience = GetAudiences().Select(u => u.ToString()).ToList()
    };

    // Authentication statement with both a class reference and a declaration reference.
    var authnStatement = new AuthnStatement
    {
        AuthnInstant = new DateTime(2008, 1, 8),
        SessionIndex = "70225885",
        AuthnContext = new AuthnContext
        {
            Items = new object[] { "urn:oasis:names:tc:SAML:2.0:ac:classes:X509", "http://www.safewhere.net/authncontext/declref" },
            ItemsElementName = new[] { AuthnContextType.AuthnContextClassRef, AuthnContextType.AuthnContextDeclRef }
        }
    };

    // Attributes use OID names in URI name format.
    var attributeStatement = new AttributeStatement
    {
        Items = new object[]
        {
            new SamlAttribute { FriendlyName = "SurName", Name = "urn:oid:2.5.4.4", NameFormat = SamlAttribute.NameformatUri, AttributeValue = new[] { "Fry" } },
            new SamlAttribute { FriendlyName = "CommonName", Name = "urn:oid:2.5.4.3", NameFormat = SamlAttribute.NameformatUri, AttributeValue = new[] { "Philip J. Fry" } },
            new SamlAttribute { Name = "urn:oid:0.9.2342.19200300.100.1.1", NameFormat = SamlAttribute.NameformatUri, AttributeValue = new[] { "fry" } },
            new SamlAttribute { FriendlyName = "Email", Name = "urn:oid:0.9.2342.19200300.100.1.3", NameFormat = SamlAttribute.NameformatUri, AttributeValue = new[] { "*****@*****.**" } }
        }
    };

    return new Assertion
    {
        Issuer = issuer,
        Id = "_b8977dc86cda41493fba68b32ae9291d",
        IssueInstant = DateTime.UtcNow,
        Version = "2.0",
        Subject = new Subject { Items = new object[] { bearer } },
        Conditions = new Conditions
        {
            NotOnOrAfter = notOnOrAfter,
            Items = new List<ConditionAbstract> { audienceRestriction }
        },
        Items = new StatementAbstract[] { authnStatement, attributeStatement }
    };
}
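/// <summary>
/// Builds the SAML response for an SP-initiated sign-on. When the browser user is
/// authenticated at this IdP the response carries a time-bounded bearer assertion for
/// that user; otherwise it carries a Responder/AuthnFailed status and no assertion.
/// </summary>
/// <param name="authnRequest">
/// The received request. Only its ID is used, to correlate the bearer confirmation.
/// </param>
/// <returns>
/// An unsigned <see cref="SAMLResponse"/> addressed to the configured assertion consumer service.
/// </returns>
private SAMLResponse CreateSAMLResponse(AuthnRequest authnRequest)
{
    Trace.Write("IdP", "Creating SAML response");

    // The ACS URL comes from configuration, not from the (unsigned) request, so a tampered
    // AssertionConsumerServiceURL in the request cannot redirect the assertion.
    var acsUrl = Configuration.AssertionConsumerServiceURL;
    var issuer = new Issuer(CreateAbsoluteURL("~/"));
    var samlResponse = new SAMLResponse { Destination = acsUrl, Issuer = issuer };

    if (User.Identity.IsAuthenticated)
    {
        samlResponse.Status = new Status(SAMLIdentifiers.PrimaryStatusCodes.Success, null);

        var samlAssertion = new SAMLAssertion { Issuer = issuer };

        // Bearer confirmation tied to this request and to the configured ACS URL; the
        // subject is the local principal name.
        var subjectConfirmationData = new SubjectConfirmationData
        {
            InResponseTo = authnRequest.ID,
            Recipient = acsUrl
        };
        var subjectConfirmation = new SubjectConfirmation(SAMLIdentifiers.SubjectConfirmationMethods.Bearer)
        {
            SubjectConfirmationData = subjectConfirmationData
        };
        var subject = new Subject(new NameID(User.Identity.Name));
        subject.SubjectConfirmations.Add(subjectConfirmation);
        samlAssertion.Subject = subject;

        // Bound the assertion's validity so it cannot be replayed indefinitely; the bearer
        // confirmation expires at the same instant. A few minutes covers clock skew plus
        // the browser POST to the SP.
        // TODO(review): add an AudienceRestriction naming the SP's entity ID; that value is
        // not available from this method's configuration.
        var conditions = new Conditions(TimeSpan.FromMinutes(5));
        samlAssertion.Conditions = conditions;
        subjectConfirmationData.NotOnOrAfter = conditions.NotOnOrAfter;

        // Declares password authentication; adjust if the IdP authenticates differently.
        var authnStatement = new AuthnStatement
        {
            AuthnContext = new AuthnContext
            {
                AuthnContextClassRef = new AuthnContextClassRef(SAMLIdentifiers.AuthnContextClasses.Password)
            }
        };
        samlAssertion.Statements.Add(authnStatement);
        samlResponse.Assertions.Add(samlAssertion);
    }
    else
    {
        // No assertion: report the failure rather than issuing anything for an anonymous user.
        samlResponse.Status = new Status(
            SAMLIdentifiers.PrimaryStatusCodes.Responder,
            SAMLIdentifiers.SecondaryStatusCodes.AuthnFailed,
            "The user is not authenticated at the identity provider");
    }

    Trace.Write("IdP", "Created SAML response");
    return samlResponse;
}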