/// <summary>
/// Writes <paramref name="samlRequest"/> as a <c>samlp:Request</c> element under <paramref name="root"/>:
/// declares the <c>ds</c> and <c>saml</c> prefixes, sets the request-level attributes and delegates the
/// nested attribute query to the sibling <c>Serialize</c> overload.
/// </summary>
/// <param name="samlRequest">Request to serialize.</param>
/// <param name="document">Owning document used to create the new element.</param>
/// <param name="root">Parent node the finished element is appended to.</param>
/// <exception cref="ArgumentNullException">Any argument is <c>null</c>.</exception>
private static void Serialize(SamlRequest samlRequest, XmlDocument document, XmlNode root)
{
    if (samlRequest == null) { throw new ArgumentNullException(nameof(samlRequest)); }
    if (document == null) { throw new ArgumentNullException(nameof(document)); }
    if (root == null) { throw new ArgumentNullException(nameof(root)); }

    XmlElement requestElement = document.CreateElement(
        Constants.XmlPrefixes.Samlp,
        Constants.XmlRootNames.SamlRequest,
        Constants.XmlNamespaces.Samlp);

    // Namespace declarations first, then the request attributes; the order is kept
    // identical to the original so the emitted XML is byte-for-byte the same.
    requestElement.SetAttribute("xmlns:" + Constants.XmlPrefixes.Ds, Constants.XmlNamespaces.Ds);
    requestElement.SetAttribute("xmlns:" + Constants.XmlPrefixes.Saml, Constants.XmlNamespaces.Saml);

    requestElement.SetAttribute(Constants.XmlAttributeNames.SamlIssueInstant, ConvertToCurrentTime(samlRequest.IssueInstant));
    requestElement.SetAttribute(Constants.XmlAttributeNames.SamlMajorVersion, samlRequest.MajorVersion.ToString());
    requestElement.SetAttribute(Constants.XmlAttributeNames.SamlMinorVersion, samlRequest.MinorVersion.ToString());
    requestElement.SetAttribute(Constants.XmlAttributeNames.SamlRequestId, samlRequest.Id);

    // The attribute query is emitted into the element by the overload for that type,
    // and only then is the completed element attached to its parent.
    Serialize(samlRequest.SamlAttributeQuery, document, requestElement);
    root.AppendChild(requestElement);
}
/// <summary>
/// Assembles the SOAP envelope for the eHealth STS request: a WS-Security header built around
/// <c>_x509Certificate</c> and a body holding a SAML attribute query about the certificate holder.
/// </summary>
/// <returns>The populated <see cref="SoapEnvelope"/>.</returns>
/// <exception cref="EhealthException">No SSIN could be derived from the certificate subject.</exception>
public SoapEnvelope Build()
{
    CheckInit();

    // Ids are requested in the same order as before, in case GenerateId is sequence-based.
    var assertionId = GenerateId("assertion");
    var requestId = GenerateId("request");
    var bodyId = GenerateId("id");
    var timestampId = GenerateId("TS");
    var certificateId = GenerateId("X509");

    var ssin = GetSsin(_x509Certificate.Subject);
    if (string.IsNullOrWhiteSpace(ssin))
    {
        throw new EhealthException(Constants.ErrorCodes.NoSerialNumber);
    }

    var holderSubject = ParseSubject(_x509Certificate.Subject);
    var issuerOfCertificate = ParseSubject(_x509Certificate.Issuer);

    // The SSIN is asserted twice (certificate-holder attribute and plain SSIN attribute) and both are
    // requested back through designators. These Add calls mutate the builder's lists, so a second
    // Build() on the same instance appends the same four entries again.
    _samlAttributes.Add(new SamlAttribute(Constants.EhealthStsNames.SsinCertHolderAttributeName, Constants.EhealthStsNames.SsinAttributeNamespace, ssin));
    _samlAttributes.Add(new SamlAttribute(Constants.EhealthStsNames.SsinAttributeName, Constants.EhealthStsNames.SsinAttributeNamespace, ssin));
    _samlAttributeDesignators.Add(new SamlAttributeDesignator(Constants.EhealthStsNames.SsinCertHolderAttributeName, Constants.EhealthStsNames.SsinAttributeNamespace));
    _samlAttributeDesignators.Add(new SamlAttributeDesignator(Constants.EhealthStsNames.SsinAttributeName, Constants.EhealthStsNames.SsinAttributeNamespace));

    // NOTE(review): the assertion timestamps use local time while the WS-Security timestamp further down
    // uses DateTime.UtcNow — confirm the serializer normalizes IssueInstant, otherwise the two can differ
    // by the local UTC offset.
    DateTime issueInstant = DateTime.Now;

    var nameIdentifier = new SamlNameIdentifier(
        Constants.EhealthStsNames.NameIdentifierFormat,
        issuerOfCertificate,
        holderSubject);

    // Assertion about the certificate holder carrying the SSIN attributes.
    var statementSubject = new SamlSubject(nameIdentifier);
    var conditions = new SamlConditions(issueInstant);
    var attributeStatement = new SamlAttributeStatement(statementSubject, _samlAttributes);
    var assertion = new SamlAssertion(assertionId, issueInstant, holderSubject, conditions, attributeStatement);

    // Query subject, confirmed with the certificate plus the assertion above.
    var confirmationData = new SamlSubjectConfirmationData(assertion);
    var confirmation = new SamlSubjectConfirmation(
        Constants.EhealthStsNames.SubjectConfirmationMethod,
        _x509Certificate,
        confirmationData);
    var querySubject = new SamlSubject(nameIdentifier, confirmation);
    var attributeQuery = new SamlAttributeQuery(querySubject, _samlAttributeDesignators);

    var body = new SoapBody(new SamlRequest(requestId, attributeQuery), bodyId);
    var security = new SoapSecurity(DateTime.UtcNow, timestampId, certificateId, _x509Certificate);
    var header = new SoapHeader(security);

    return new SoapEnvelope(header, body);
}
/// <summary>
/// SOAP body wrapping a single SAML request.
/// </summary>
/// <param name="request">The request carried in the body.</param>
/// <param name="id">Identifier attached to the body element (presumably referenced from the security header — confirm against the serializer).</param>
public SoapBody(SamlRequest request, string id)
{
    // Plain assignment; no validation is performed, so a null request is accepted as before.
    this.Id = id;
    this.Request = request;
}
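/// <summary>
/// HTTP handler entry point for the SAML single sign-on flow. With <c>auth=true</c> the browser is
/// redirected to the configured IdP endpoint carrying a freshly built SAML request; otherwise a posted
/// SAML response is expected, validated, mapped to a portal user and the user is signed in.
/// Every failure path ends on the login page with a localized message.
/// </summary>
/// <param name="context">Current request context; redirects and request completion are issued on it.</param>
public void ProcessRequest(HttpContext context)
{
    try
    {
        if (!SetupInfo.IsVisibleSettings(ManagementType.SingleSignOnSettings.ToString()))
        {
            _log.DebugFormat("Single sign-on settings are disabled");
            RedirectToAuthPage(context, Resource.SsoSettingsDisabled);
            return;
        }

        var settings = SettingsManager.Instance.LoadSettings<SsoSettings>(TenantProvider.CurrentTenantID);
        if (!settings.EnableSso)
        {
            _log.DebugFormat("Single sign-on is disabled");
            RedirectToAuthPage(context, Resource.SsoSettingsDisabled);
            return;
        }

        if (context.User.Identity.IsAuthenticated)
        {
            // The format placeholder previously had no argument and was logged literally as "{0}".
            _log.DebugFormat("User {0} already authenticated", context.User.Identity.Name);
            RedirectAndComplete(context, CommonLinkUtility.GetDefault());
            return;
        }

        if (settings.TokenType != TokenTypes.SAML)
        {
            _log.Error("Settings TokenType is not SAML");
            RedirectToAuthPage(context, Resource.SsoSettingsEnexpectedTokenType);
            return;
        }

        if (context.Request["auth"] == "true")
        {
            RedirectAndComplete(context, BuildIdpRedirectUrl(context, settings));
            return;
        }

        var samlEncodedString = context.Request.Form[SAML_RESPONSE];
        if (string.IsNullOrWhiteSpace(samlEncodedString))
        {
            _log.Error("SAML response is null or empty");
            RedirectToAuthPage(context, Resource.SsoSettingsEmptyToken);
            return;
        }

        _log.Debug("Trying to authenticate using SAML");
        var samlResponse = new SamlResponse(settings);
        samlResponse.LoadXmlFromBase64(samlEncodedString);

        // IsValid() is the only gate between attacker-controlled XML and user creation / sign-in;
        // nothing below this check may run when it fails.
        if (!samlResponse.IsValid())
        {
            _log.Error("SAML response is not valid");
            RedirectToAuthPage(context, Resource.SsoSettingsNotValidToken);
            return;
        }

        UserInfo userInfo = new SamlUserCreator().CreateUserInfo(samlResponse);
        if (userInfo == Constants.LostUser)
        {
            _log.Error("Can't create userInfo using current SAML response");
            RedirectToAuthPage(context, Resource.SsoSettingsCantCreateUser);
            return;
        }

        if (userInfo.Status == EmployeeStatus.Terminated)
        {
            _log.Error("Current user is terminated");
            RedirectToAuthPage(context, Resource.SsoSettingsUserTerminated);
            return;
        }

        AddUser(samlResponse, userInfo);
        MessageService.Send(context.Request, MessageAction.LoginSuccessViaSSO);
        RedirectAndComplete(context, CommonLinkUtility.GetDefault());
    }
    catch (Exception e)
    {
        _log.ErrorFormat("Unexpected error. {0}", e);
        // NOTE(review): e.Message is echoed to the browser via the login page; a generic resource string
        // would avoid disclosing internal exception details to the client.
        RedirectToAuthPage(context, e.Message);
    }
}

/// <summary>
/// Builds the IdP redirect URL: the configured SSO endpoint plus the Base64 SAML request, whose
/// assertion consumer URL is this handler's own URL without its query string.
/// </summary>
/// <param name="context">Current request context (used for the handler URL and the application path).</param>
/// <param name="settings">Tenant SSO settings supplying the endpoint and request parameters.</param>
/// <returns>The absolute URL the browser is redirected to.</returns>
private string BuildIdpRedirectUrl(HttpContext context, SsoSettings settings)
{
    var req = new SamlRequest(settings);

    // GetLeftPart(UriPartial.Path) yields the URL up to, but excluding, the query string and never throws.
    // The previous Substring(0, AbsoluteUri.IndexOf("?")) threw when "auth=true" arrived via form or cookie
    // with no query string present (IndexOf returned -1).
    string assertionConsumerServiceUrl = context.Request.Url.GetLeftPart(UriPartial.Path);

    string certificatePath = Path.Combine(context.Request.PhysicalApplicationPath, "App_Data\\certificates\\sp.pfx");

    // NOTE(review): falling back to the compiled-in PASSWORD constant means the SP key password lives in
    // source; failing when the app setting is absent would be the safer default.
    string certificatePassword = ConfigurationManager.AppSettings["saml.request.certificate.password"] ?? PASSWORD;

    return settings.SsoEndPoint + "?" + req.GetRequest(SamlRequestFormat.Base64, assertionConsumerServiceUrl, certificatePath, certificatePassword);
}

/// <summary>
/// Redirects to the login page with <paramref name="message"/> in the <c>m</c> query parameter
/// and completes the request.
/// </summary>
/// <param name="context">Current request context.</param>
/// <param name="message">Text shown on the login page; URL-encoded here.</param>
private void RedirectToAuthPage(HttpContext context, string message)
{
    RedirectAndComplete(context, AUTH_PAGE + "?m=" + HttpUtility.UrlEncode(message));
}

/// <summary>
/// Issues a redirect to <paramref name="url"/> and completes the request.
/// </summary>
/// <param name="context">Current request context.</param>
/// <param name="url">Redirect target.</param>
private static void RedirectAndComplete(HttpContext context, string url)
{
    // endResponse:false keeps Response.End (and its thread abort) out of the picture;
    // CompleteRequest still bypasses the remaining pipeline events.
    context.Response.Redirect(url, false);
    context.ApplicationInstance.CompleteRequest();
}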