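/// <summary>
/// Builds the HTML auto-POST form that delivers the signed SAML response to the
/// assertion consumer named in the AuthnRequest.
/// </summary>
/// <param name="SamlAssession">The signed SAML response XML (as produced by BuildAssertion).</param>
/// <param name="authNRequest">The parsed AuthnRequest; its AssertionConsumerServiceURL is
/// checked against the configured allowlist before it is written into the form.</param>
/// <returns>The complete HTML page text, ready to be written to the response.</returns>
String GenerateResponse(String SamlAssession, AuthNRequest authNRequest)
{
    // Strings are immutable and Replace returns a new instance, so the template
    // does not need to be copied (String.Copy is obsolete) and Common.postForm is
    // never modified.
    String postForm = Common.postForm;

    // The response travels in the SAMLResponse form field base64-encoded, which
    // also makes it safe to embed in the HTML without further escaping.
    String encoded = Common.EncodeTo64(SamlAssession);

    // Only an allowlisted AssertionConsumerServiceURL is ever used as the form
    // target; GetValidURL throws for anything else.
    String consumerUrl = SamlAssertionConsumerValidator.GetValidURL(authNRequest);

    postForm = postForm.Replace("%ASSERTION_CONSUMER", consumerUrl);
    postForm = postForm.Replace("%SAML_RESPONSE", encoded);

    // NOTE(review): this writes the complete signed response (a credential for the
    // consumer) to the debug log; keep debug logging off outside troubleshooting.
    Common.debug(postForm);
    return postForm;
}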
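/// <summary>
/// Returns the AssertionConsumerServiceURL carried by the AuthnRequest if, and only
/// if, it matches one of the configured allowed assertion consumers.
/// </summary>
/// <param name="request">The parsed AuthnRequest.</param>
/// <returns>The request's AssertionConsumerServiceURL, unchanged.</returns>
/// <exception cref="ArgumentNullException">Thrown when <paramref name="request"/> is null.</exception>
/// <exception cref="Exception">Thrown when the URL is missing or not on the allowlist.</exception>
public static string GetValidURL(AuthNRequest request)
{
    if (request == null)
    {
        throw new ArgumentNullException("request");
    }

    string requested = request.AssertionConsumerServiceURL;

    // A request without the attribute (requested == null) is rejected like any
    // other disallowed value instead of surfacing as a NullReferenceException
    // from Equals; string.Equals tolerates null on either side.
    if (!string.IsNullOrEmpty(requested))
    {
        // Whole-string match only: no prefix or host-only matching. Case is
        // ignored for the entire URL, including the path.
        foreach (string allowedUrl in Common.AllowedAssertionConsumers)
        {
            if (string.Equals(requested, allowedUrl, StringComparison.OrdinalIgnoreCase))
            {
                return requested;
            }
        }
    }

    string message = "Disallowed AssertionConsumerServiceURL value in SAML Request: " + requested;
    Common.error(message + " Please check assertion_consumer value in Web.config.");
    throw new Exception(message);
}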
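/// <summary>
/// Builds and signs the SAML Response for the given subject by filling in the
/// configured response template (Common.postResponse) and signing the result.
/// </summary>
/// <param name="subject">The authenticated user's identity, placed in the assertion Subject.</param>
/// <param name="authNRequest">The AuthnRequest being answered; its Id and Issuer are copied
/// into the response (InResponseTo / Audience style placeholders).</param>
/// <returns>The signed response as an XML string.</returns>
/// <exception cref="Exception">Thrown when no IDP entity ID is configured.</exception>
String BuildAssertion(String subject, AuthNRequest authNRequest)
{
    Common.debug("inside BuildAssertion");

    // Fail before any work is done when the issuer is not configured.
    if (Common.IDPEntityId == null || "".Equals(Common.IDPEntityId))
    {
        throw new Exception("IDP Entity ID is not set in config.");
    }

    String recipientGsa = Common.GSAAssertionConsumer;
    // A relative consumer path in config is made absolute with the Host header of
    // the incoming request. NOTE(review): Host is client-supplied unless the site
    // has a fixed host binding, so an absolute GSAAssertionConsumer in config is
    // the safer configuration.
    if (!recipientGsa.StartsWith("http"))
    {
        recipientGsa = "http://" + Request.Headers["Host"] + recipientGsa;
    }

    XmlDocument respDoc = (XmlDocument)Common.postResponse.CloneNode(true);
    Common.debug("before replacement: " + respDoc.InnerXml);

    // NOTE(review): SAML timestamps are UTC; whether FormatInvariantTime converts
    // from local time cannot be seen here — confirm.
    DateTime currentTimeStamp = DateTime.Now;

    // Placeholders are substituted textually and the result is re-parsed (InnerXml
    // assignment) and then signed. Every value that originates from the request
    // (Id, Issuer, Host-derived recipient) is therefore XML-escaped, so a requester
    // cannot inject markup that would end up under the signature.
    String req = respDoc.InnerXml;
    req = req.Replace("%REQID", SecurityElement.Escape(authNRequest.Id));
    // IssueInstant is backdated one minute to tolerate clock skew at the consumer.
    req = req.Replace("%INSTANT", Common.FormatInvariantTime(currentTimeStamp.AddMinutes(-1)));
    req = req.Replace("%NOT_ON_OR_AFTER", Common.FormatInvariantTime(currentTimeStamp.AddSeconds(Common.iTrustDuration)));
    req = req.Replace("%ISSUER", Common.IDPEntityId);

    // The message ID is also the reference the signature is computed over.
    String messageId = Common.GenerateRandomString();
    req = req.Replace("%MESSAGE_ID", messageId);
    req = req.Replace("%RESPONSE_ID", Common.GenerateRandomString());
    req = req.Replace("%ASSERTION_ID", Common.GenerateRandomString());
    req = req.Replace("%SUBJECT", SecurityElement.Escape(subject));
    req = req.Replace("%RECIPIENT", SecurityElement.Escape(recipientGsa));
    req = req.Replace("%AUTHN_REQUEST_ID", SecurityElement.Escape(authNRequest.Id));
    req = req.Replace("%AUDIENCE", SecurityElement.Escape(authNRequest.Issuer));
    respDoc.InnerXml = req;

    // Sign the XML document.
    SignXml(respDoc, messageId);
    Common.debug("exit BuildAssession");
    return respDoc.InnerXml;
}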
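/// <summary>
/// Decodes the SAMLRequest parameter and extracts the AuthnRequest ID and Issuer.
/// No signature on the AuthnRequest is checked here; both values are taken as sent.
/// </summary>
/// <param name="samlRequest">The raw SAMLRequest parameter, as undone by Decompress.</param>
/// <returns>The parsed request, or null when the parameter cannot be decoded or
/// contains no document element. Id is "" when the ID attribute is absent.</returns>
public AuthNRequest ExtractAuthNRequest(String samlRequest)
{
    Common.debug("samlRequest = " + samlRequest);
    String decoded = Decompress(samlRequest);
    Common.debug("samlRequest decoded = " + decoded);
    if (decoded == null)
    {
        Common.debug("Decompress failed");
        return null;
    }

    // The request is unauthenticated input. A null resolver stops the parser from
    // fetching external entities or DTDs referenced by the document (XXE).
    XmlDocument doc = new XmlDocument();
    doc.XmlResolver = null;
    doc.InnerXml = decoded;

    XmlElement root = doc.DocumentElement;
    if (root == null)
    {
        Common.debug("SAMLRequest has no document element");
        return null;
    }

    AuthNRequest req = new AuthNRequest();
    // GetAttribute yields "" when ID is absent, so the caller's empty-Id check
    // fires instead of a NullReferenceException on a missing Attributes entry.
    req.Id = root.GetAttribute("ID");
    // assumes FindOnly returns an XmlNode (or null when no Issuer element exists) — TODO confirm
    XmlNode issuer = Common.FindOnly(decoded, "Issuer");
    req.Issuer = issuer == null ? null : issuer.InnerText;
    // NOTE(review): AssertionConsumerServiceURL is not populated here, so a caller
    // that validates it against the allowlist will see null — confirm against the
    // version of this page in use.
    return req;
}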
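/// <summary>
/// Page entry point for the SAML POST binding: parses the incoming AuthnRequest,
/// obtains the user's identity and writes the signed response form to the client.
/// </summary>
/// <param name="sender">The page raising the event.</param>
/// <param name="e">Event arguments (unused).</param>
/// <exception cref="Exception">Thrown when the AuthnRequest cannot be parsed or no
/// user identity is available.</exception>
protected void Page_Load(object sender, EventArgs e)
{
    Common.debug("Login Request is: " + Request.RawUrl);
    Common.debug("before Login::entering pageload");

    // create an IAuthn instance
    IAuthn authn = AAFactory.getAuthn(this);

    String samlRequest = Request.Params["SAMLRequest"];
    // Without a SAMLRequest the page was opened directly; show diagnostics instead.
    if (string.IsNullOrEmpty(samlRequest))
    {
        Diagnose();
        return;
    }

    // ExtractAuthNRequest returns null for an undecodable parameter, and the Id
    // (not the request object) is what must be non-empty for the response.
    AuthNRequest authNRequest = ExtractAuthNRequest(samlRequest);
    if (authNRequest == null || string.IsNullOrEmpty(authNRequest.Id))
    {
        Common.error("Couldn't extract AuthN Request Id from SAMLRequest");
        throw new Exception("Failed to extract AuthN Request Id from SAML Request");
    }
    Common.debug("Extracted AuthNRequestId is :" + authNRequest.Id);

    // Get the user's identity (silently, if properly configured).
    String subject = authn.GetUserIdentity();
    if (string.IsNullOrEmpty(subject))
    {
        Common.error("Couldn't get user name, check your system setup");
        throw new Exception("Failed to get user name");
    }
    Common.debug("The user is: " + subject);

    String samlResponse = BuildAssertion(subject, authNRequest);
    Response.Write(GenerateResponse(samlResponse, authNRequest));
}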
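/// <summary>
/// Page entry point for the SAML artifact binding: parses the incoming AuthnRequest,
/// obtains the user's identity, stores it under a fresh artifact and redirects the
/// browser back to the GSA, which later resolves the artifact (ResolveArt.aspx.cs).
/// </summary>
/// <param name="sender">The page raising the event.</param>
/// <param name="e">Event arguments (unused).</param>
/// <exception cref="Exception">Thrown when the AuthnRequest cannot be parsed or no
/// user identity is available.</exception>
private void Page_Load(object sender, System.EventArgs e)
{
    Common.debug("Login Request is: " + Request.RawUrl);
    Common.debug("before Login::entering pageload");

    // create an IAuthn instance
    IAuthn authn = AAFactory.getAuthn(this);

    String samlRequest = Request.Params["SAMLRequest"];
    // Without a SAMLRequest the page was opened directly; show diagnostics instead.
    if (string.IsNullOrEmpty(samlRequest))
    {
        Diagnose();
        return;
    }

    // ExtractAuthNRequest returns null for an undecodable parameter; guard that
    // as well as a missing Id.
    AuthNRequest authNRequest = ExtractAuthNRequest(samlRequest);
    if (authNRequest == null || string.IsNullOrEmpty(authNRequest.Id))
    {
        Common.error("Couldn't extract AuthN Request Id from SAMLRequest");
        throw new Exception("Failed to extract AuthN Request Id from SAML Request");
    }
    Common.debug("Extracted AuthNRequestId is :" + authNRequest.Id);

    // Get the user's identity (silently, if properly configured).
    String subject = authn.GetUserIdentity();
    if (string.IsNullOrEmpty(subject))
    {
        Common.error("Couldn't get user name, check your system setup");
        throw new Exception("Failed to get user name");
    }
    Common.debug("The user is: " + subject);

    // The artifact is the only thing the GSA presents to claim this identity, so
    // it must be unguessable. NOTE(review): cannot confirm from here that
    // GenerateRandomString uses a cryptographic RNG — verify.
    String artifactId = Common.GenerateRandomString();

    // Application state is process-wide and nothing here expires the entry; the
    // resolver (ResolveArt.aspx.cs) is expected to consume and remove it.
    SamlArtifactCacheEntry samlArtifactCacheEntry = new SamlArtifactCacheEntry(subject, authNRequest.Id);
    Application[Common.ARTIFACT + "_" + artifactId] = samlArtifactCacheEntry;

    // RelayState is the search URL the user lands on after verification; it is
    // passed back to the GSA unchanged apart from URL encoding (UrlEncode(null)
    // yields null, which concatenates as an empty value).
    String relayState = HttpUtility.UrlEncode(Request.Params["RelayState"]);

    // The redirect target comes from Web.config; only a relative value is
    // completed with the Host header. NOTE(review): Host is client-supplied unless
    // the site has a fixed host binding — prefer an absolute GSAAssertionConsumer.
    String gsa = Common.GSAAssertionConsumer + "?SAMLart=" + artifactId + "&RelayState=" + relayState;
    if (!gsa.StartsWith("http"))
    {
        gsa = "http://" + Request.Headers["Host"] + gsa;
    }

    Common.debug("before Login::redirect");
    // NOTE(review): this logs the artifact, which is a bearer value until resolved.
    Common.debug(" to: " + gsa);

    // Redirect back to the GSA, which will then contact the artifact verifier
    // service with the artifact to confirm its validity and obtain the user's ID.
    Response.Redirect(gsa);
}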