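        // Receive the SAML response from the identity provider.
        //
        // One endpoint services both the HTTP-POST and HTTP-Artifact bindings; the binding in use is named
        // by the bindingQueryParameter query string parameter. On return samlResponse holds the deserialized
        // response and relayState the relay state delivered alongside it.
        //
        // Throws ArgumentException if the binding type is unknown, no SAML message was obtained, or the
        // response carries a signature that does not verify against the identity provider's certificate.
        // Throws InvalidOperationException if a signed response arrives but no identity provider
        // certificate is present in Application[Global.IdPX509Certificate].
        //
        // NOTE(review): a response with no signature passes through unverified; only signed responses are
        // checked. Confirm that this deployment either verifies the assertion signature downstream or
        // requires signed responses.
        private void ReceiveSAMLResponse(out SAMLResponse samlResponse, out string relayState)
        {
            // Rather than separate endpoints per binding, we have a single endpoint and use a query string
            // parameter to determine the identity provider to service provider binding type.
            string bindingType = Request.QueryString[bindingQueryParameter];

            // The binding type comes straight from the request; it is only ever compared against the
            // known constants below and otherwise rejected.
            Trace.Write("SP", "Receiving SAML response over binding " + bindingType);

            // Receive the SAML response over the specified binding.
            XmlElement samlResponseXml = null;

            switch (bindingType)
            {
            case BindingTypes.Post:
                ServiceProvider.ReceiveSAMLResponseByHTTPPost(Request, out samlResponseXml, out relayState);
                break;

            case BindingTypes.Artifact:
                // Receive the artifact. The artifact is only a handle; the message itself is obtained from
                // Configuration.ArtifactResolutionServiceURL below.
                HTTPArtifact httpArtifact = null;

                ServiceProvider.ReceiveArtifactByHTTPArtifact(Request, false, out httpArtifact, out relayState);

                // Guard the ToString() call below; an absent artifact is a bad request, not a null reference.
                if (httpArtifact == null)
                {
                    throw new ArgumentException("No artifact was received.");
                }

                // Create an artifact resolve request.
                ArtifactResolve artifactResolve = new ArtifactResolve();
                artifactResolve.Issuer   = new Issuer(CreateAbsoluteURL("~/"));
                artifactResolve.Artifact = new Artifact(httpArtifact.ToString());

                XmlElement artifactResolveXml = artifactResolve.ToXml();

                // Send the artifact resolve request and receive the artifact response.
                XmlElement artifactResponseXml = ArtifactResolver.SendRequestReceiveResponse(Configuration.ArtifactResolutionServiceURL, artifactResolveXml);

                ArtifactResponse artifactResponse = new ArtifactResponse(artifactResponseXml);

                // Extract the SAML response from the artifact response (this is the response, not an
                // authentication request, even though the artifact handling mirrors the IdP side).
                samlResponseXml = artifactResponse.SAMLMessage;
                break;

            default:
                throw new ArgumentException("Unknown binding type");
            }

            // An empty artifact response (or an otherwise absent message) should surface as a clear
            // error rather than a null reference inside the signature check or deserialization.
            if (samlResponseXml == null)
            {
                throw new ArgumentException("No SAML response was received.");
            }

            // Verify the response's signature when one is present.
            if (SAMLMessageSignature.IsSigned(samlResponseXml))
            {
                Trace.Write("SP", "Verifying response signature");
                X509Certificate2 x509Certificate = (X509Certificate2)Application[Global.IdPX509Certificate];

                // Without the IdP certificate nothing can be verified; report the misconfiguration
                // instead of handing a null certificate to Verify.
                if (x509Certificate == null)
                {
                    throw new InvalidOperationException("The identity provider certificate is not configured.");
                }

                if (!SAMLMessageSignature.Verify(samlResponseXml, x509Certificate))
                {
                    throw new ArgumentException("The SAML response signature failed to verify.");
                }
            }

            // Deserialize the XML.
            samlResponse = new SAMLResponse(samlResponseXml);

            Trace.Write("SP", "Received SAML response");
        }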
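        // Receive the SAML response from the identity provider.
        //
        // One endpoint services both the HTTP-POST and HTTP-Artifact bindings; the binding in use is named
        // by the bindingQueryParameter query string parameter. On success samlResponse is overwritten with
        // the deserialized response and relayState with the relay state delivered alongside it; neither is
        // touched if an exception is thrown before the message is received.
        //
        // Throws ArgumentException if the binding type is unknown, no SAML message was obtained, or the
        // response signature does not verify against the identity provider's certificate. Throws
        // InvalidOperationException if the idpArtifactResponderURL application setting or the identity
        // provider certificate (Application[Global.IdPX509Certificate]) is missing.
        private void ReceiveSAMLResponse(ref SAMLResponse samlResponse, ref string relayState)
        {
            Trace.Write("SP", "Receiving SAML response");

            // Determine the identity provider to service provider binding type.
            // We use a query string parameter rather than having separate endpoints per binding.
            // The value is request-controlled and is only ever matched against the known URIs below.
            string bindingType = Request.QueryString[bindingQueryParameter];

            // Receive the SAML response over the specified binding.
            XmlElement samlResponseXml = null;

            switch (bindingType)
            {
            case SAMLIdentifiers.BindingURIs.HTTPPost:
                ServiceProvider.ReceiveSAMLResponseByHTTPPost(Request, out samlResponseXml, out relayState);
                break;

            case SAMLIdentifiers.BindingURIs.HTTPArtifact:
                // Receive the artifact. The artifact is only a handle; the message itself is obtained from
                // the identity provider's artifact responder below.
                HTTPArtifact httpArtifact = null;

                ServiceProvider.ReceiveArtifactByHTTPArtifact(Request, false, out httpArtifact, out relayState);

                // Guard the ToString() call below; an absent artifact is a bad request, not a null reference.
                if (httpArtifact == null)
                {
                    throw new ArgumentException("No artifact was received.");
                }

                // Create an artifact resolve request.
                ArtifactResolve artifactResolve = new ArtifactResolve();
                artifactResolve.Issuer   = new Issuer(CreateAbsoluteURL("~/"));
                artifactResolve.Artifact = new Artifact(httpArtifact.ToString());

                XmlElement artifactResolveXml = artifactResolve.ToXml();

                // The artifact is resolved at the identity provider's artifact responder; the local is
                // named after the setting it reads so the party being contacted is not misread.
                string idpArtifactResponderURL = WebConfigurationManager.AppSettings["idpArtifactResponderURL"];

                // A missing setting would otherwise be passed on as a null URL; fail with the cause instead.
                if (string.IsNullOrEmpty(idpArtifactResponderURL))
                {
                    throw new InvalidOperationException("The idpArtifactResponderURL application setting is not configured.");
                }

                // Send the artifact resolve request and receive the artifact response.
                XmlElement artifactResponseXml = ArtifactResolver.SendRequestReceiveResponse(idpArtifactResponderURL, artifactResolveXml);

                ArtifactResponse artifactResponse = new ArtifactResponse(artifactResponseXml);

                // Extract the SAML response from the artifact response.
                samlResponseXml = artifactResponse.SAMLMessage;
                break;

            default:
                // An unknown binding is an error, not a no-op: returning here would leave the caller's
                // ref values unchanged and indistinguishable from a successful receive.
                Trace.Write("SP", "Invalid identity provider to service provider binding");
                throw new ArgumentException("Invalid identity provider to service provider binding");
            }

            // An empty artifact response (or an otherwise absent message) should surface as a clear
            // error rather than a null reference inside the signature check or deserialization.
            if (samlResponseXml == null)
            {
                throw new ArgumentException("No SAML response was received.");
            }

            // Verify the response's signature. Verification is unconditional here: an unsigned
            // response is rejected by Verify rather than accepted.
            X509Certificate2 x509Certificate = (X509Certificate2)Application[Global.IdPX509Certificate];

            // Without the IdP certificate nothing can be verified; report the misconfiguration
            // instead of handing a null certificate to Verify.
            if (x509Certificate == null)
            {
                throw new InvalidOperationException("The identity provider certificate is not configured.");
            }

            if (!SAMLMessageSignature.Verify(samlResponseXml, x509Certificate))
            {
                throw new ArgumentException("The SAML response signature failed to verify.");
            }

            // Deserialize the XML.
            samlResponse = new SAMLResponse(samlResponseXml);

            Trace.Write("SP", "Received SAML response");
        }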
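        // Receive the authentication request and relay state.
        //
        // One endpoint services the HTTP-Redirect, HTTP-POST and HTTP-Artifact bindings; the binding in use
        // is named by the bindingQueryParameter query string parameter. On return authnRequest holds the
        // deserialized request and relayState the relay state delivered alongside it. The service
        // provider's certificate (Application[Global.SPX509Certificate]) supplies the public key handed to
        // the HTTP-Redirect receive and the certificate used to verify an XML signature on the request.
        //
        // Throws ArgumentException if the binding type is unknown, no request was obtained, or the request
        // carries an XML signature that does not verify. Throws InvalidOperationException if the service
        // provider certificate is needed but not configured.
        //
        // NOTE(review): the `signed` flag returned by ReceiveAuthnRequestByHTTPRedirect is never inspected,
        // and an unsigned request over any binding is accepted; confirm the deployment does not require
        // signed authentication requests.
        private void ReceiveAuthnRequest(out AuthnRequest authnRequest, out string relayState)
        {
            // Rather than separate endpoints per binding, we have a single endpoint and use a query string
            // parameter to determine the service provider to identity provider binding type.
            string bindingType = Request.QueryString[bindingQueryParameter];

            // The binding type comes straight from the request; it is only ever compared against the
            // known constants below and otherwise rejected.
            Trace.Write("IdP", "Receiving authentication request over binding " + bindingType);

            X509Certificate2 x509Certificate = (X509Certificate2)Application[Global.SPX509Certificate];
            XmlElement       authnRequestXml = null;

            switch (bindingType)
            {
            case BindingTypes.Redirect:
                // PublicKey.Key is dereferenced here, so a missing certificate must be reported as a
                // configuration error rather than a null reference.
                if (x509Certificate == null)
                {
                    throw new InvalidOperationException("The service provider certificate is not configured.");
                }

                bool signed = false;

                IdentityProvider.ReceiveAuthnRequestByHTTPRedirect(Request, out authnRequestXml, out relayState, out signed, x509Certificate.PublicKey.Key);
                break;

            case BindingTypes.Post:
                IdentityProvider.ReceiveAuthnRequestByHTTPPost(Request, out authnRequestXml, out relayState);
                break;

            case BindingTypes.Artifact:
                // Receive the artifact. The artifact is only a handle; the message itself is obtained from
                // Configuration.ArtifactResolutionServiceURL below.
                HTTPArtifact httpArtifact = null;

                IdentityProvider.ReceiveArtifactByHTTPArtifact(Request, false, out httpArtifact, out relayState);

                // Guard the ToString() call below; an absent artifact is a bad request, not a null reference.
                if (httpArtifact == null)
                {
                    throw new ArgumentException("No artifact was received.");
                }

                // Create an artifact resolve request.
                ArtifactResolve artifactResolve = new ArtifactResolve();
                artifactResolve.Issuer   = new Issuer(CreateAbsoluteURL("~/"));
                artifactResolve.Artifact = new Artifact(httpArtifact.ToString());

                XmlElement artifactResolveXml = artifactResolve.ToXml();

                // Send the artifact resolve request and receive the artifact response.
                XmlElement artifactResponseXml = ArtifactResolver.SendRequestReceiveResponse(Configuration.ArtifactResolutionServiceURL, artifactResolveXml);

                ArtifactResponse artifactResponse = new ArtifactResponse(artifactResponseXml);

                // Extract the authentication request from the artifact response.
                authnRequestXml = artifactResponse.SAMLMessage;
                break;

            default:
                throw new ArgumentException("Invalid binding type");
            }

            // An empty artifact response (or an otherwise absent message) should surface as a clear
            // error rather than a null reference inside the signature check or deserialization.
            if (authnRequestXml == null)
            {
                throw new ArgumentException("No authentication request was received.");
            }

            // Verify the request's XML signature when one is present.
            if (SAMLMessageSignature.IsSigned(authnRequestXml))
            {
                Trace.Write("IdP", "Verifying request signature");

                // Without the SP certificate nothing can be verified; report the misconfiguration
                // instead of handing a null certificate to Verify.
                if (x509Certificate == null)
                {
                    throw new InvalidOperationException("The service provider certificate is not configured.");
                }

                if (!SAMLMessageSignature.Verify(authnRequestXml, x509Certificate))
                {
                    throw new ArgumentException("The authentication request signature failed to verify.");
                }
            }

            // Deserialize the XML.
            authnRequest = new AuthnRequest(authnRequestXml);

            Trace.Write("IdP", "Received authentication request");
        }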
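        // Receive the authentication request from the service provider.
        //
        // One endpoint services the HTTP-Redirect, HTTP-POST and HTTP-Artifact bindings; the binding in use
        // is named by the bindingQueryParameter query string parameter. On return authnRequest holds the
        // deserialized request and relayState the relay state delivered alongside it. The service
        // provider's certificate (Application[Global.SPX509Certificate]) supplies the public key handed to
        // the HTTP-Redirect receive and the certificate used to verify an XML signature on the request.
        //
        // Throws ArgumentException if the binding type is unknown, no request was obtained, or the request
        // carries an XML signature that does not verify. Throws InvalidOperationException if the service
        // provider certificate or the spArtifactResponderURL application setting is needed but missing.
        //
        // NOTE(review): for HTTP-Redirect the XML signature check is skipped by design (see below) and the
        // `signed` flag returned by ReceiveAuthnRequestByHTTPRedirect is never inspected; an unsigned
        // request over any binding is accepted. Confirm the deployment does not require signed requests.
        private void ReceiveAuthnRequest(out AuthnRequest authnRequest, out string relayState)
        {
            // Determine the service provider to identity provider binding type.
            // We use a query string parameter rather than having separate endpoints per binding.
            // The value is request-controlled and is only ever matched against the known URIs below.
            string bindingType = Request.QueryString[bindingQueryParameter];

            Trace.Write("IdP", "Receiving authentication request over binding " + bindingType);

            // Looked up once; it is needed by the HTTP-Redirect receive and by the signature check.
            X509Certificate2 x509Certificate = (X509Certificate2)Application[Global.SPX509Certificate];

            // Receive the authentication request.
            XmlElement authnRequestXml = null;

            switch (bindingType)
            {
            case SAMLIdentifiers.BindingURIs.HTTPRedirect:
                // PublicKey.Key is dereferenced here, so a missing certificate must be reported as a
                // configuration error rather than a null reference.
                if (x509Certificate == null)
                {
                    throw new InvalidOperationException("The service provider certificate is not configured.");
                }

                bool signed = false;

                IdentityProvider.ReceiveAuthnRequestByHTTPRedirect(Request, out authnRequestXml, out relayState, out signed, x509Certificate.PublicKey.Key);
                break;

            case SAMLIdentifiers.BindingURIs.HTTPPost:
                IdentityProvider.ReceiveAuthnRequestByHTTPPost(Request, out authnRequestXml, out relayState);
                break;

            case SAMLIdentifiers.BindingURIs.HTTPArtifact:
                // Receive the artifact. The artifact is only a handle; the message itself is obtained from
                // the service provider's artifact responder below.
                HTTPArtifact httpArtifact = null;

                IdentityProvider.ReceiveArtifactByHTTPArtifact(Request, false, out httpArtifact, out relayState);

                // Guard the ToString() call below; an absent artifact is a bad request, not a null reference.
                if (httpArtifact == null)
                {
                    throw new ArgumentException("No artifact was received.");
                }

                // Create an artifact resolve request.
                ArtifactResolve artifactResolve = new ArtifactResolve();
                artifactResolve.Issuer   = new Issuer(CreateAbsoluteURL("~/"));
                artifactResolve.Artifact = new Artifact(httpArtifact.ToString());

                XmlElement artifactResolveXml = artifactResolve.ToXml();

                // Send the artifact resolve request and receive the artifact response.
                string spArtifactResponderURL = WebConfigurationManager.AppSettings["spArtifactResponderURL"];

                // A missing setting would otherwise be passed on as a null URL; fail with the cause instead.
                if (string.IsNullOrEmpty(spArtifactResponderURL))
                {
                    throw new InvalidOperationException("The spArtifactResponderURL application setting is not configured.");
                }

                XmlElement artifactResponseXml = ArtifactResolver.SendRequestReceiveResponse(spArtifactResponderURL, artifactResolveXml);

                ArtifactResponse artifactResponse = new ArtifactResponse(artifactResponseXml);

                // Extract the authentication request from the artifact response.
                authnRequestXml = artifactResponse.SAMLMessage;
                break;

            default:
                throw new ArgumentException("Invalid service provider to identity provider binding");
            }

            // An empty artifact response (or an otherwise absent message) should surface as a clear
            // error rather than a null reference inside the signature check or deserialization.
            if (authnRequestXml == null)
            {
                throw new ArgumentException("No authentication request was received.");
            }

            // If using HTTP redirect the message isn't signed as the generated query string is too long for most browsers.
            if (bindingType != SAMLIdentifiers.BindingURIs.HTTPRedirect)
            {
                if (SAMLMessageSignature.IsSigned(authnRequestXml))
                {
                    // Without the SP certificate nothing can be verified; report the misconfiguration
                    // instead of handing a null certificate to Verify.
                    if (x509Certificate == null)
                    {
                        throw new InvalidOperationException("The service provider certificate is not configured.");
                    }

                    // Verify the request's signature.
                    if (!SAMLMessageSignature.Verify(authnRequestXml, x509Certificate))
                    {
                        throw new ArgumentException("The authentication request signature failed to verify.");
                    }
                }
            }

            // Deserialize the XML.
            authnRequest = new AuthnRequest(authnRequestXml);

            Trace.Write("IdP", "Received authentication request");
        }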