private static CommandResult ProcessResponse(IOptions options, Saml2Response samlResponse)
{
var principal = new ClaimsPrincipal(samlResponse.GetClaims(options));
principal = options.SPOptions.SystemIdentityModelIdentityConfiguration
.ClaimsAuthenticationManager.Authenticate(null, principal);
var requestState = samlResponse.GetRequestState(options);
if(requestState == null && options.SPOptions.ReturnUrl == null)
{
throw new ConfigurationErrorsException(MissingReturnUrlMessage);
}
return new CommandResult()
{
HttpStatusCode = HttpStatusCode.SeeOther,
Location = requestState?.ReturnUrl ?? options.SPOptions.ReturnUrl,
Principal = principal,
RelayData =
requestState == null
? null
: requestState.RelayData
};
}
private static CommandResult ProcessResponse(IOptions options, Saml2Response samlResponse, string returnURL)
{
var principal = new ClaimsPrincipal(samlResponse.GetClaims(options));
principal = options.SPOptions.SystemIdentityModelIdentityConfiguration
.ClaimsAuthenticationManager.Authenticate(null, principal);
var requestState = samlResponse.GetRequestState(options);
UriBuilder builder = new UriBuilder(requestState != null && requestState.ReturnUrl != null ? requestState.ReturnUrl : options.SPOptions.ReturnUrl);
if (!string.IsNullOrEmpty(returnURL) && builder.Path.ToString().IndexOf(returnURL, StringComparison.OrdinalIgnoreCase) < 0)
{
builder = new UriBuilder(returnURL);
}
return new CommandResult()
{
HttpStatusCode = HttpStatusCode.SeeOther,
Location = builder.Uri,
Principal = principal,
RelayData =
requestState == null
? null
: requestState.RelayData
};
}
public CommandResult Run(HttpRequestData request, IOptions options)
{
if(request == null)
{
throw new ArgumentNullException(nameof(request));
}
if(options == null)
{
throw new ArgumentNullException(nameof(options));
}
var binding = Saml2Binding.Get(request);
if (binding != null)
{
UnbindResult unbindResult = null;
try
{
unbindResult = binding.Unbind(request, options);
var samlResponse = new Saml2Response(unbindResult.Data, request.StoredRequestState?.MessageId);
var result = ProcessResponse(options, samlResponse, request.StoredRequestState);
if(unbindResult.RelayState != null)
{
result.ClearCookieName = "Kentor." + unbindResult.RelayState;
}
return result;
}
catch (FormatException ex)
{
throw new BadFormatSamlResponseException(
"The SAML Response did not contain valid BASE64 encoded data.", ex);
}
catch (XmlException ex)
{
var newEx = new BadFormatSamlResponseException(
"The SAML response contains incorrect XML", ex);
// Add the payload to the exception
if (unbindResult != null)
{
newEx.Data["Saml2Response"] = unbindResult.Data.OuterXml;
}
throw newEx;
}
catch (Exception ex)
{
if (unbindResult != null)
{
// Add the payload to the existing exception
ex.Data["Saml2Response"] = unbindResult.Data.OuterXml;
}
throw;
}
}
throw new NoSamlResponseFoundException();
}
public void Saml2Response_Ctor_FromData()
{
var issuer = new EntityId("http://idp.example.com");
var identity = new ClaimsIdentity(new Claim[]
{
new Claim(ClaimTypes.NameIdentifier, "JohnDoe")
});
var response = new Saml2Response(issuer, null, null, null, identity);
response.Issuer.Should().Be(issuer);
response.GetClaims(Options.FromConfiguration)
.Single()
.ShouldBeEquivalentTo(identity);
}
private static CommandResult ProcessResponse(IOptions options, Saml2Response samlResponse)
{
var principal = new ClaimsPrincipal(samlResponse.GetClaims(options));
principal = options.SPOptions.SystemIdentityModelIdentityConfiguration
.ClaimsAuthenticationManager.Authenticate(null, principal);
var requestState = samlResponse.GetRequestState(options);
return new CommandResult()
{
HttpStatusCode = HttpStatusCode.SeeOther,
Location =
requestState != null && requestState.ReturnUrl != null
? requestState.ReturnUrl
: options.SPOptions.ReturnUrl,
Principal = principal,
RelayData =
requestState == null
? null
: requestState.RelayData
};
}
private static CommandResult ProcessResponse(
IOptions options,
Saml2Response samlResponse,
StoredRequestState storedRequestState)
{
var principal = new ClaimsPrincipal(samlResponse.GetClaims(options));
principal = options.SPOptions.SystemIdentityModelIdentityConfiguration
.ClaimsAuthenticationManager.Authenticate(null, principal);
if(options.SPOptions.ReturnUrl == null)
{
if (storedRequestState == null)
{
throw new ConfigurationErrorsException(UnsolicitedMissingReturnUrlMessage);
}
if(storedRequestState.ReturnUrl == null)
{
throw new ConfigurationErrorsException(SpInitiatedMissingReturnUrl);
}
}
return new CommandResult()
{
HttpStatusCode = HttpStatusCode.SeeOther,
Location = storedRequestState?.ReturnUrl ?? options.SPOptions.ReturnUrl,
Principal = principal,
RelayData = storedRequestState?.RelayData,
SessionNotOnOrAfter = samlResponse.SessionNotOnOrAfter
};
}
public void Saml2Response_Xml_FromData_ContainsStatus_Success()
{
var identity = new ClaimsIdentity(new Claim[]
{
new Claim(ClaimTypes.NameIdentifier, "JohnDoe")
});
var response = new Saml2Response(new EntityId("issuer"), SignedXmlHelper.TestCert,
new Uri("http://destination.example.com"), null, identity);
var xml = response.XmlElement;
var subject = xml["Status", Saml2Namespaces.Saml2PName];
subject["StatusCode", Saml2Namespaces.Saml2PName].GetAttribute("Value")
.Should().Be("urn:oasis:names:tc:SAML:2.0:status:Success");
}
public void Saml2Response_Xml_FromData_ContainsInResponseTo()
{
var identity = new ClaimsIdentity(new Claim[]
{
new Claim(ClaimTypes.NameIdentifier, "JohnDoe")
});
var response = new Saml2Response(new EntityId("issuer"), SignedXmlHelper.TestCert,
new Uri("http://destination.example.com"), new Saml2Id("InResponseToID"), identity);
var xml = response.XmlElement;
xml.GetAttribute("InResponseTo").Should().Be("InResponseToID");
}
public void Saml2Response_Xml_FromData_ContainsBasicData()
{
var issuer = new EntityId("http://idp.example.com");
var nameId = "JohnDoe";
var destination = "http://destination.example.com/";
var identity = new ClaimsIdentity(new Claim[]
{
new Claim(ClaimTypes.NameIdentifier, nameId)
});
// Grab current time both before and after generating the response
// to avoid heisenbugs if the second counter is updated while creating
// the response.
string before = DateTime.UtcNow.ToSaml2DateTimeString();
var response = new Saml2Response(issuer, SignedXmlHelper.TestCert,
new Uri(destination), null, identity);
string after = DateTime.UtcNow.ToSaml2DateTimeString();
var xml = response.XmlElement;
xml.LocalName.Should().Be("Response");
xml.NamespaceURI.Should().Be(Saml2Namespaces.Saml2PName);
xml.Prefix.Should().Be("saml2p");
xml["Issuer", Saml2Namespaces.Saml2Name].InnerText.Should().Be(issuer.Id);
xml["Assertion", Saml2Namespaces.Saml2Name]
["Subject", Saml2Namespaces.Saml2Name]["NameID", Saml2Namespaces.Saml2Name]
.InnerText.Should().Be(nameId);
xml.GetAttribute("Destination").Should().Be(destination);
xml.GetAttribute("ID").Should().NotBeNullOrWhiteSpace();
xml.GetAttribute("Version").Should().Be("2.0");
xml.GetAttribute("IssueInstant").Should().Match(
i => i == before || i == after);
}
public void Saml2Response_Xml_FromData_ContainsAudienceRestriction()
{
var identity = new ClaimsIdentity(new Claim[]
{
new Claim(ClaimTypes.NameIdentifier, "JohnDoe")
});
var audience = "http://sp.example.com";
var subject = new Saml2Response(
new EntityId("issuer"),
SignedXmlHelper.TestCert,
new Uri("http://destination.example.com"),
new Saml2Id("InResponseToID"),
null,
new Uri(audience),
identity);
var actual = subject.XmlElement;
actual["Assertion", Saml2Namespaces.Saml2Name].Should().NotBeNull("Assertion element should be present")
.And.Subject["Conditions", Saml2Namespaces.Saml2Name].Should().NotBeNull("Conditions element should be present")
.And.Subject["AudienceRestriction", Saml2Namespaces.Saml2Name].Should().NotBeNull("AudienceRestriction element should be present")
.And.Subject["Audience", Saml2Namespaces.Saml2Name].Should().NotBeNull("Audience element should be present")
.And.Subject.InnerText.Should().Be(audience);
}
public void Saml2Response_MessageName()
{
var subject = new Saml2Response(new EntityId("issuer"), null, null, null);
subject.MessageName.Should().Be("SAMLResponse");
}
public void Saml2Response_FromData_RelayState()
{
var subject = new Saml2Response(new EntityId("issuer"), null, null, null, "ABC123");
subject.RelayState.Should().Be("ABC123");
}
public void Saml2Response_Xml_FromData_IsSigned()
{
var issuer = new EntityId("http://idp.example.com");
var nameId = "JohnDoe";
var identity = new ClaimsIdentity(new Claim[]
{
new Claim(ClaimTypes.NameIdentifier, nameId)
});
var response = new Saml2Response(issuer, SignedXmlHelper.TestCert,
null, null, claimsIdentities: identity);
var xml = response.XmlDocument;
var signedXml = new SignedXml(xml);
var signature = xml.DocumentElement["Signature", SignedXml.XmlDsigNamespaceUrl];
signedXml.LoadXml(signature);
signature.Should().NotBeNull();
signedXml.CheckSignature(SignedXmlHelper.TestCert, true).Should().BeTrue();
}
