// Receive the SAML response posted by the identity provider (HTTP-POST binding only).
// Outputs the deserialized response and the relay state that arrived with it.
// Throws ArgumentException when a response signature is present but does not verify.
private void ReceiveSAMLResponse(out SAMLResponse samlResponse, out string relayState)
{
    // Pull the response XML and relay state out of the POSTed form.
    XmlElement responseElement = null;
    ServiceProvider.ReceiveSAMLResponseByHTTPPost(Request, out responseElement, out relayState);

    // The raw XML is kept in session before any verification has happened, so
    // whatever reads Session["SAML_XML"] must treat it as unverified input.
    Session["SAML_XML"] = responseElement.OuterXml;

    // Only a signed response is verified, and only against the vendor certificate.
    // NOTE(review): an unsigned response passes straight through, and nothing in this
    // method checks assertion-level signatures. Unless the caller enforces one of the
    // two, a response fabricated by anyone who can reach this endpoint is accepted — confirm.
    bool responseIsSigned = SAMLMessageSignature.IsSigned(responseElement);
    if (responseIsSigned && !SAMLMessageSignature.Verify(responseElement, GetVendorCertificate()))
    {
        throw new ArgumentException("The SAML response signature failed to verify.");
    }

    // Deserialize the XML into the typed response.
    samlResponse = new SAMLResponse(responseElement);
}
// Receive the SAML response posted by the identity provider (HTTP-POST binding only).
// Outputs the deserialized response and the relay state that arrived with it.
// Throws ArgumentException when a response signature is present but does not verify.
private void ReceiveSAMLResponse(out SAMLResponse samlResponse, out string relayState)
{
    Trace.Write("SP", "Receiving SAML response");

    // Pull the response XML and relay state out of the POSTed form.
    XmlElement responseElement = null;
    ServiceProvider.ReceiveSAMLResponseByHTTPPost(Request, out responseElement, out relayState);

    // The signature is checked against the IdP certificate pinned in application
    // state — but only when the response actually carries one.
    // NOTE(review): an unsigned response passes straight through, and nothing here
    // checks assertion-level signatures; the caller must enforce one of the two — confirm.
    bool signaturePresent = SAMLMessageSignature.IsSigned(responseElement);
    if (signaturePresent)
    {
        Trace.Write("SP", "Verifying response signature");
        X509Certificate2 idpCertificate = (X509Certificate2)Application[Global.IdPX509Certificate];
        bool signatureValid = SAMLMessageSignature.Verify(responseElement, idpCertificate);
        if (!signatureValid)
        {
            throw new ArgumentException("The SAML response signature failed to verify.");
        }
    }

    // Deserialize the XML into the typed response.
    samlResponse = new SAMLResponse(responseElement);
    Trace.Write("SP", "Received SAML response");
}
// Diagnostic helper: report on stderr whether the SAML message carries a signature and
// whether that signature verifies against the class-level x509Certificate field, then run
// the assertion-level check over every assertion found inside the message.
// Verification failures are only reported, never enforced — this is a checker, not a gate.
private static void VerifyMessage(XmlElement xmlElement)
{
    Console.Error.WriteLine("Verifying SAML message");
    try
    {
        if (!SAMLMessageSignature.IsSigned(xmlElement))
        {
            Console.Error.WriteLine("The SAML message isn't signed");
        }
        else
        {
            bool signatureValid = SAMLMessageSignature.Verify(xmlElement, x509Certificate);
            Console.Error.WriteLine("Verified: " + signatureValid);
        }
    }
    catch (Exception ex)
    {
        // A malformed signature must not stop the assertion checks below; just report it.
        Console.Error.WriteLine(ex.ToString());
    }

    // Assertions are signed independently of the enclosing message, so check each one.
    foreach (XmlElement assertion in SAMLAssertion.Find(xmlElement))
    {
        VerifyAssertion(assertion);
    }
}
// Receive the SAML response from the identity provider over whichever IdP-to-SP
// binding the query string names (HTTP-POST or HTTP-Artifact).
// Outputs the deserialized response and the relay state that arrived with it.
// Throws ArgumentException for an unknown binding or a signature that fails to verify.
private void ReceiveSAMLResponse(out SAMLResponse samlResponse, out string relayState)
{
    // One endpoint serves all bindings; a query string parameter selects the binding
    // instead of exposing a separate URL per binding.
    string binding = Request.QueryString[bindingQueryParameter];
    Trace.Write("SP", "Receiving SAML response over binding " + binding);

    XmlElement responseElement;
    if (binding == BindingTypes.Post)
    {
        // The whole response travels in the POSTed form.
        ServiceProvider.ReceiveSAMLResponseByHTTPPost(Request, out responseElement, out relayState);
    }
    else if (binding == BindingTypes.Artifact)
    {
        // Only an artifact (a reference) arrives in the browser request; the response
        // itself is fetched from the configured artifact resolution service.
        HTTPArtifact artifact = null;
        ServiceProvider.ReceiveArtifactByHTTPArtifact(Request, false, out artifact, out relayState);

        ArtifactResolve resolveRequest = new ArtifactResolve();
        resolveRequest.Issuer = new Issuer(CreateAbsoluteURL("~/"));
        resolveRequest.Artifact = new Artifact(artifact.ToString());

        XmlElement artifactResponseXml = ArtifactResolver.SendRequestReceiveResponse(
            Configuration.ArtifactResolutionServiceURL, resolveRequest.ToXml());
        ArtifactResponse artifactResponse = new ArtifactResponse(artifactResponseXml);

        // The SAML response (not an authentication request) is wrapped inside the artifact response.
        // NOTE(review): the ArtifactResponse wrapper is not signature-checked here; trust rests on
        // the back channel to the configured URL — confirm that URL is HTTPS.
        responseElement = artifactResponse.SAMLMessage;
    }
    else
    {
        throw new ArgumentException("Unknown binding type");
    }

    // Verify the response signature against the pinned IdP certificate — only when one is present.
    // NOTE(review): an unsigned response is accepted as-is, and nothing here checks
    // assertion-level signatures; the caller must enforce one of the two — confirm.
    if (SAMLMessageSignature.IsSigned(responseElement))
    {
        Trace.Write("SP", "Verifying response signature");
        X509Certificate2 idpCertificate = (X509Certificate2)Application[Global.IdPX509Certificate];
        if (!SAMLMessageSignature.Verify(responseElement, idpCertificate))
        {
            throw new ArgumentException("The SAML response signature failed to verify.");
        }
    }

    // Deserialize the XML into the typed response.
    samlResponse = new SAMLResponse(responseElement);
    Trace.Write("SP", "Received SAML response");
}
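// Receive the SAML response from the identity provider over whichever IdP-to-SP
// binding the query string names (HTTP-POST or HTTP-Artifact).
// samlResponse receives the deserialized response and relayState the relay state
// that arrived with it (both are ref parameters, so the caller's values are replaced).
// Throws ArgumentException for an unknown binding or when the response signature
// does not verify against the IdP certificate.
private void ReceiveSAMLResponse(ref SAMLResponse samlResponse, ref string relayState)
{
    Trace.Write("SP", "Receiving SAML response");

    // One endpoint serves all bindings; a query string parameter selects the binding
    // rather than a separate URL per binding.
    string bindingType = Request.QueryString[bindingQueryParameter];

    XmlElement samlResponseXml = null;
    switch (bindingType)
    {
        case SAMLIdentifiers.BindingURIs.HTTPPost:
            ServiceProvider.ReceiveSAMLResponseByHTTPPost(Request, out samlResponseXml, out relayState);
            break;

        case SAMLIdentifiers.BindingURIs.HTTPArtifact:
            // Only an artifact arrives in the browser request; the response itself is
            // fetched from the IdP's artifact responder over the back channel.
            HTTPArtifact httpArtifact = null;
            ServiceProvider.ReceiveArtifactByHTTPArtifact(Request, false, out httpArtifact, out relayState);

            ArtifactResolve artifactResolve = new ArtifactResolve();
            artifactResolve.Issuer = new Issuer(CreateAbsoluteURL("~/"));
            artifactResolve.Artifact = new Artifact(httpArtifact.ToString());
            XmlElement artifactResolveXml = artifactResolve.ToXml();

            // The responder URL comes from configuration, not from the request, so the
            // back-channel call is not attacker-redirectable; HTTPS on that URL is still assumed.
            string idpArtifactResponderURL = WebConfigurationManager.AppSettings["idpArtifactResponderURL"];
            XmlElement artifactResponseXml = ArtifactResolver.SendRequestReceiveResponse(idpArtifactResponderURL, artifactResolveXml);
            ArtifactResponse artifactResponse = new ArtifactResponse(artifactResponseXml);

            // The SAML response is wrapped inside the artifact response.
            samlResponseXml = artifactResponse.SAMLMessage;
            break;

        default:
            // Previously this traced and returned, leaving samlResponse/relayState exactly as
            // the caller passed them (typically null) with no signal that nothing was received.
            // Reject the request instead of failing silently.
            Trace.Write("SP", "Invalid identity provider to service provider binding");
            throw new ArgumentException("Invalid identity provider to service provider binding");
    }

    // The signature is verified unconditionally: there is no IsSigned() pre-check, so a
    // response without a signature is expected to fail here rather than be accepted.
    // (Assumes Verify returns false, rather than throwing, for unsigned input — confirm.)
    X509Certificate2 x509Certificate = (X509Certificate2)Application[Global.IdPX509Certificate];
    if (!SAMLMessageSignature.Verify(samlResponseXml, x509Certificate))
    {
        throw new ArgumentException("The SAML response signature failed to verify.");
    }

    // Deserialize the XML into the typed response.
    samlResponse = new SAMLResponse(samlResponseXml);
    Trace.Write("SP", "Received SAML response");
}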
// Receive the authentication request and relay state sent over the HTTP-Redirect binding.
// Throws ArgumentException when an XML signature is present but fails to verify.
private void ReceiveAuthnRequest(out AuthnRequest authnRequest, out string relayState)
{
    Trace.Write("IdP", "Receiving authentication request over binding");

    // NOTE(review): the final argument appears to be the key used to check a
    // redirect-binding (query string) signature; null is passed, so that signature is
    // never checked, and the `signed` flag reporting whether one was present is discarded.
    XmlElement requestElement = null;
    bool signed = false;
    IdentityProvider.ReceiveAuthnRequestByHTTPRedirect(Request, out requestElement, out relayState, out signed, null);

    // NOTE(review): no trusted SP certificate is supplied to Verify(); the single-argument
    // overload presumably verifies against key material carried in the signature itself,
    // which the sender controls — confirm, and pin the SP certificate if so.
    // An unsigned request is accepted as-is.
    bool hasXmlSignature = SAMLMessageSignature.IsSigned(requestElement);
    if (hasXmlSignature)
    {
        Trace.Write("IdP", "Verifying request signature");
        if (!SAMLMessageSignature.Verify(requestElement))
        {
            throw new ArgumentException("The authentication request signature failed to verify.");
        }
    }

    authnRequest = new AuthnRequest(requestElement);
    Trace.Write("IdP", "Received authentication request");
}
// Receive the authentication request from the service provider over whichever SP-to-IdP
// binding the query string names (HTTP-Redirect, HTTP-POST or HTTP-Artifact).
// Outputs the deserialized request and the relay state that arrived with it.
// Throws ArgumentException for an unknown binding or a signature that fails to verify.
private void ReceiveAuthnRequest(out AuthnRequest authnRequest, out string relayState)
{
    // One endpoint serves all bindings; a query string parameter selects the binding
    // rather than a separate URL per binding.
    string binding = Request.QueryString[bindingQueryParameter];
    Trace.Write("IdP", "Receiving authentication request over binding " + binding);

    // The SP certificate pinned in application state is the only key any signature
    // is checked against.
    X509Certificate2 spCertificate = (X509Certificate2)Application[Global.SPX509Certificate];

    XmlElement requestElement;
    if (binding == BindingTypes.Redirect)
    {
        // For the redirect binding the SP public key is handed to the receiver so it can
        // check a query-string signature.
        // NOTE(review): `signed` reports whether such a signature was present and is
        // discarded, so an unsigned redirect request is accepted — confirm that is intended.
        bool signed;
        IdentityProvider.ReceiveAuthnRequestByHTTPRedirect(Request, out requestElement, out relayState, out signed, spCertificate.PublicKey.Key);
    }
    else if (binding == BindingTypes.Post)
    {
        IdentityProvider.ReceiveAuthnRequestByHTTPPost(Request, out requestElement, out relayState);
    }
    else if (binding == BindingTypes.Artifact)
    {
        // Only an artifact arrives in the browser request; the request itself is fetched
        // from the configured artifact resolution service over the back channel.
        HTTPArtifact artifact = null;
        IdentityProvider.ReceiveArtifactByHTTPArtifact(Request, false, out artifact, out relayState);

        ArtifactResolve resolveRequest = new ArtifactResolve();
        resolveRequest.Issuer = new Issuer(CreateAbsoluteURL("~/"));
        resolveRequest.Artifact = new Artifact(artifact.ToString());

        XmlElement artifactResponseXml = ArtifactResolver.SendRequestReceiveResponse(
            Configuration.ArtifactResolutionServiceURL, resolveRequest.ToXml());
        ArtifactResponse artifactResponse = new ArtifactResponse(artifactResponseXml);

        // The authentication request is wrapped inside the artifact response.
        requestElement = artifactResponse.SAMLMessage;
    }
    else
    {
        throw new ArgumentException("Invalid binding type");
    }

    // An XML signature is verified only when one is present.
    // NOTE(review): an unsigned POST/artifact request is accepted as-is — confirm the
    // IdP's policy allows unsigned AuthnRequests from this SP.
    if (SAMLMessageSignature.IsSigned(requestElement))
    {
        Trace.Write("IdP", "Verifying request signature");
        if (!SAMLMessageSignature.Verify(requestElement, spCertificate))
        {
            throw new ArgumentException("The authentication request signature failed to verify.");
        }
    }

    authnRequest = new AuthnRequest(requestElement);
    Trace.Write("IdP", "Received authentication request");
}
// True only when the response carries an XML signature and that signature verifies;
// an unsigned response is reported as not verified rather than skipped.
// NOTE(review): Verify() is called without a trusted certificate, so the check
// presumably relies on key material embedded in the signature itself, which the
// sender controls; a caller must still confirm the signing key is the expected IdP's.
public override bool VerifySignature()
{
    if (!IsSigned)
    {
        return false;
    }

    return SAMLMessageSignature.Verify(ResponseElement);
}
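// Accept a SAML response uploaded through the test form, validate it, verify any
// message/assertion signatures, decrypt encrypted assertions with the SP certificate,
// and stash the extracted attributes (or every error encountered) in session for the
// test target page to display. Always redirects to TestTargetUrl.
public ActionResult UploadSaml(FormCollection formCollection)
{
    var attributes = new List<SAMLAttribute>();
    var errorMessages = new List<string>();
    XmlDocument xmlDoc = null;

    // Clear the previous run's results first so a failure never shows stale data.
    SessionHelper.Set(SamlAttributesSessionKey, null);
    SessionHelper.Set(SamlErrorMessagesSessionKey, null);

    if (Request != null)
    {
        var file = Request.Files["SamlFile"];
        if ((file != null) && (file.ContentLength > 0) && !string.IsNullOrEmpty(file.FileName))
        {
            try
            {
                // The upload is untrusted XML. Forbid DTDs and external entity resolution so a
                // crafted file cannot read local files/URLs (XXE) or blow up via entity expansion.
                // SAML messages never legitimately carry a DTD, so nothing valid is rejected.
                var readerSettings = new XmlReaderSettings
                {
                    DtdProcessing = DtdProcessing.Prohibit,
                    XmlResolver = null
                };
                xmlDoc = new XmlDocument();
                using (var reader = XmlReader.Create(file.InputStream, readerSettings))
                {
                    xmlDoc.Load(reader);
                }

                // Schema/profile validation: both warnings and errors are surfaced to the tester.
                var samlValidator = new SAMLValidator();
                var isValid = samlValidator.Validate(xmlDoc);
                if (!isValid)
                {
                    errorMessages.AddRange(samlValidator.Warnings.Select(warning => string.Format("Warning: {0}", warning.Message)));
                    errorMessages.AddRange(samlValidator.Errors.Select(error => error.Message));
                }

                // NOTE(review): Verify() is called without a trusted IdP certificate, so the check
                // presumably uses key material embedded in the signature, which the uploader
                // controls — tolerable for a diagnostic page, never for a production SP endpoint.
                if (SAMLMessageSignature.IsSigned(xmlDoc.DocumentElement))
                {
                    if (!SAMLMessageSignature.Verify(xmlDoc.DocumentElement))
                    {
                        errorMessages.Add(string.Format("Failed to verify SAML response signature. [{0}]", xmlDoc.OuterXml));
                    }
                }

                var samlResponse = new SAMLResponse(xmlDoc.DocumentElement);
                var assertions = samlResponse.GetAssertions();
                var encryptedAssertions = samlResponse.GetEncryptedAssertions();
                var signedAssertions = samlResponse.GetSignedAssertions();

                // The SP's own certificate (with private key) is needed to decrypt assertions.
                var x509CertificateFilePath = Path.Combine(HttpRuntime.AppDomainAppPath, SAMLConfiguration.Current.ServiceProviderConfiguration.CertificateFile);
                var x509Certificate = new X509Certificate2(x509CertificateFilePath, SAMLConfiguration.Current.ServiceProviderConfiguration.CertificatePassword);

                encryptedAssertions.ForEach(a =>
                {
                    var decryptedAssertion = a.DecryptToXml(x509Certificate);
                    assertions.Add(new SAMLAssertion(decryptedAssertion));
                });

                // Same caveat as above: assertion signatures are checked with no trusted key, and a
                // failed verification is only recorded — the assertion's attributes are still extracted.
                signedAssertions.ForEach(a =>
                {
                    if (SAMLAssertionSignature.IsSigned(a))
                    {
                        if (!SAMLAssertionSignature.Verify(a))
                        {
                            errorMessages.Add(string.Format("Failed to verify SAML assertion signature. [{0}]", a.OuterXml));
                        }
                    }
                    assertions.Add(new SAMLAssertion(a));
                });

                assertions.ForEach(a =>
                {
                    var nameId = a.GetNameID();
                    if (!string.IsNullOrEmpty(nameId))
                    {
                        attributes.Add("NameId", nameId);
                    }
                    a.GetAttributeStatements().ForEach(
                        s => attributes.AddRange(from object attribute in s.Attributes select attribute as SAMLAttribute));
                });
            }
            catch (Exception ex)
            {
                // Error messages echo the full uploaded XML; acceptable on a test page, but this
                // output must never be exposed outside the test harness.
                var saml = xmlDoc != null ? xmlDoc.OuterXml : string.Empty;
                _logger.Log(ex);
                errorMessages.Add(string.Format("{0} [{1}]", ex.Message, saml));
            }
        }
    }

    SessionHelper.Set(SamlAttributesSessionKey, attributes.ToArray());
    SessionHelper.Set(SamlErrorMessagesSessionKey, errorMessages);
    return Redirect(TestTargetUrl);
}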
// Receive the authentication request from the service provider over whichever SP-to-IdP
// binding the query string names (HTTP-Redirect, HTTP-POST or HTTP-Artifact).
// Outputs the deserialized request and the relay state that arrived with it.
// Throws ArgumentException for an unknown binding or a signature that fails to verify.
private void ReceiveAuthnRequest(out AuthnRequest authnRequest, out string relayState)
{
    // One endpoint serves all bindings; a query string parameter selects the binding
    // rather than a separate URL per binding.
    string binding = Request.QueryString[bindingQueryParameter];
    Trace.Write("IdP", "Receiving authentication request over binding " + binding);

    XmlElement requestElement;
    if (binding == SAMLIdentifiers.BindingURIs.HTTPRedirect)
    {
        // For the redirect binding the SP public key is handed to the receiver so it can
        // check a query-string signature.
        // NOTE(review): `signed` reports whether such a signature was present and is
        // discarded, so an unsigned redirect request is accepted — confirm that is intended.
        bool signed;
        X509Certificate2 spSigningCertificate = (X509Certificate2)Application[Global.SPX509Certificate];
        IdentityProvider.ReceiveAuthnRequestByHTTPRedirect(Request, out requestElement, out relayState, out signed, spSigningCertificate.PublicKey.Key);
    }
    else if (binding == SAMLIdentifiers.BindingURIs.HTTPPost)
    {
        IdentityProvider.ReceiveAuthnRequestByHTTPPost(Request, out requestElement, out relayState);
    }
    else if (binding == SAMLIdentifiers.BindingURIs.HTTPArtifact)
    {
        // Only an artifact arrives in the browser request; the request itself is fetched
        // from the SP's artifact responder over the back channel.
        HTTPArtifact artifact = null;
        IdentityProvider.ReceiveArtifactByHTTPArtifact(Request, false, out artifact, out relayState);

        ArtifactResolve resolveRequest = new ArtifactResolve();
        resolveRequest.Issuer = new Issuer(CreateAbsoluteURL("~/"));
        resolveRequest.Artifact = new Artifact(artifact.ToString());

        // The responder URL comes from configuration, not from the request; HTTPS on it is assumed.
        string spArtifactResponderURL = WebConfigurationManager.AppSettings["spArtifactResponderURL"];
        XmlElement artifactResponseXml = ArtifactResolver.SendRequestReceiveResponse(spArtifactResponderURL, resolveRequest.ToXml());
        ArtifactResponse artifactResponse = new ArtifactResponse(artifactResponseXml);

        // The authentication request is wrapped inside the artifact response.
        requestElement = artifactResponse.SAMLMessage;
    }
    else
    {
        throw new ArgumentException("Invalid service provider to identity provider binding");
    }

    // Redirect-binding requests were handled above: the XML itself isn't signed there because the
    // resulting query string would be too long for most browsers. For the other bindings, verify
    // an XML signature against the pinned SP certificate when one is present.
    // NOTE(review): an unsigned POST/artifact request is accepted as-is — confirm policy.
    if (binding != SAMLIdentifiers.BindingURIs.HTTPRedirect && SAMLMessageSignature.IsSigned(requestElement))
    {
        X509Certificate2 spCertificate = (X509Certificate2)Application[Global.SPX509Certificate];
        if (!SAMLMessageSignature.Verify(requestElement, spCertificate))
        {
            throw new ArgumentException("The authentication request signature failed to verify.");
        }
    }

    // Deserialize the XML into the typed request.
    authnRequest = new AuthnRequest(requestElement);
    Trace.Write("IdP", "Received authentication request");
}