        // Process a successful SAML response.
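        private void ProcessSuccessSAMLResponse(SAMLResponse samlResponse, string relayState)
        {
            // samlResponse: a SAML response the caller has already determined to be successful.
            // relayState:   the opaque relay state echoed back by the IdP; it must map to a
            //               RelayState entry previously stored in RelayStateCache.
            // Effects: issues a forms authentication cookie for the asserted subject and redirects
            // to the cached resource URL. Throws ArgumentNullException for a null response,
            // InvalidOperationException when decryption is needed but no SP private key is
            // configured, and ArgumentException when there is no assertion, no usable subject
            // name, or the relay state is unknown.
            // NOTE(review): an unencrypted assertion is used here without any signature check;
            // confirm the caller verifies the response/assertion signature before this runs.
            if (samlResponse == null)
            {
                throw new ArgumentNullException("samlResponse");
            }

            Trace.Write("SP", "Processing successful SAML response");

            // Load the decryption key. It is only needed when the IdP encrypted the assertion or
            // the name identifier, so a missing key is reported where it is actually required.
            X509Certificate2 x509Certificate = (X509Certificate2)Application[Global.SPX509Certificate];

            // Extract the asserted identity from the SAML response.
            SAMLAssertion samlAssertion = null;

            if (samlResponse.GetUnsignedAssertions().Count > 0)
            {
                samlAssertion = samlResponse.GetUnsignedAssertions()[0];
            }
            else if (samlResponse.GetEncryptedAssertions().Count > 0)
            {
                Trace.Write("SP", "Decrypting assertion");

                if (x509Certificate == null || !x509Certificate.HasPrivateKey)
                {
                    throw new InvalidOperationException("No SP certificate with a private key is configured to decrypt the assertion");
                }

                samlAssertion = samlResponse.GetEncryptedAssertions()[0].Decrypt(x509Certificate.PrivateKey, null, null);
            }
            else
            {
                throw new ArgumentException("No assertions in response");
            }

            if (samlAssertion == null || samlAssertion.Subject == null)
            {
                throw new ArgumentException("No name in subject");
            }

            // Get the subject name identifier.
            string userName = null;

            if (samlAssertion.Subject.NameID != null)
            {
                userName = samlAssertion.Subject.NameID.NameIdentifier;
            }
            else if (samlAssertion.Subject.EncryptedID != null)
            {
                Trace.Write("SP", "Decrypting ID");

                if (x509Certificate == null || !x509Certificate.HasPrivateKey)
                {
                    throw new InvalidOperationException("No SP certificate with a private key is configured to decrypt the name identifier");
                }

                NameID nameID = samlAssertion.Subject.EncryptedID.Decrypt(x509Certificate.PrivateKey, null, null);
                userName = nameID == null ? null : nameID.NameIdentifier;
            }
            else
            {
                throw new ArgumentException("No name in subject");
            }

            // An empty name identifier must never become a forms authentication identity.
            if (string.IsNullOrEmpty(userName))
            {
                throw new ArgumentException("No name in subject");
            }

            // Get the originally requested resource URL from the relay state. Remove() consumes the
            // entry, so a relay state can only be redeemed once.
            if (string.IsNullOrEmpty(relayState))
            {
                throw new ArgumentException("Invalid relay state");
            }

            RelayState cachedRelayState = RelayStateCache.Remove(relayState);

            if (cachedRelayState == null || string.IsNullOrEmpty(cachedRelayState.ResourceURL))
            {
                throw new ArgumentException("Invalid relay state");
            }

            // Create a login context for the asserted identity. This happens only after every
            // check above has passed so a rejected response never leaves a cookie behind.
            FormsAuthentication.SetAuthCookie(userName, false);

            // Redirect to the originally requested resource URL (from the server-side cache, not
            // from the request, so it cannot be steered by the sender of the response).
            Response.Redirect(cachedRelayState.ResourceURL, false);

            Trace.Write("SP", "Processed successful SAML response");
        }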
        // Process the SAML response.
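        private void ProcessSAMLResponse(SAMLResponse samlResponse, string relayState)
        {
            // samlResponse: the SAML response received from the IdP.
            // relayState:   the relay state echoed back by the IdP. Because it ultimately originates
            //               from the browser it is untrusted; it is only honoured as a redirect
            //               target when it points back into this application.
            // Effects: enforces single use of the assertion, issues a forms authentication cookie
            // for the asserted subject and redirects to relayState. Throws ArgumentNullException for
            // a null response and ArgumentException for an error response, a missing assertion, a
            // replayed assertion, a missing subject name, or a relay state that is not a safe
            // redirect target.
            // NOTE(review): no signature verification happens in this method; confirm the caller
            // verifies the response/assertion signature before this runs.
            if (samlResponse == null)
            {
                throw new ArgumentNullException("samlResponse");
            }

            Trace.Write("SP", "Processing SAML response");

            // Check whether the SAML response indicates success.
            if (!samlResponse.IsSuccess())
            {
                throw new ArgumentException("Received error response");
            }

            // Extract the asserted identity from the SAML response.
            SAMLAssertion samlAssertion = null;

            if (samlResponse.GetUnsignedAssertions().Count > 0)
            {
                samlAssertion = samlResponse.GetUnsignedAssertions()[0];
            }
            else
            {
                throw new ArgumentException("No assertions in response");
            }

            // Enforce single use of the SAML assertion (replay protection).
            if (!AssertionIDCache.Add(samlAssertion))
            {
                throw new ArgumentException("The SAML assertion has already been used");
            }

            if (samlAssertion.Subject == null)
            {
                throw new ArgumentException("No name in subject");
            }

            // Get the subject name identifier.
            string userName = null;

            if (samlAssertion.Subject.NameID != null)
            {
                userName = samlAssertion.Subject.NameID.NameIdentifier;
            }
            else
            {
                throw new ArgumentException("No name in subject");
            }

            // An empty name identifier must never become a forms authentication identity.
            if (string.IsNullOrEmpty(userName))
            {
                throw new ArgumentException("No name in subject");
            }

            // Validate the redirect target before logging the user in, so a rejected relay state
            // never leaves an authentication cookie behind. Redirecting to an arbitrary
            // attacker-chosen URL here would be an open redirect.
            if (!IsSafeRedirectUrl(relayState, Request.Url.Host))
            {
                throw new ArgumentException("Invalid relay state");
            }

            // Create a login context for the asserted identity.
            FormsAuthentication.SetAuthCookie(userName, false);

            // Redirect to the requested URL.
            Response.Redirect(relayState, false);

            Trace.Write("SP", "Processed successful SAML response");
        }

        // Returns true when url is safe to hand to Response.Redirect for this application: a
        // site-relative path ("/page.aspx"), an application-relative path ("~/page.aspx"), or an
        // absolute http(s) URL whose host equals expectedHost. Protocol-relative forms
        // ("//host", "/\host", "~//host", "~/\host") are rejected because browsers resolve them
        // to a different host. Any other scheme (javascript:, file:, ...) is rejected.
        private static bool IsSafeRedirectUrl(string url, string expectedHost)
        {
            if (string.IsNullOrEmpty(url))
            {
                return false;
            }

            if (url[0] == '/')
            {
                return url.Length == 1 || (url[1] != '/' && url[1] != '\\');
            }

            if (url.Length > 1 && url[0] == '~' && url[1] == '/')
            {
                return url.Length == 2 || (url[2] != '/' && url[2] != '\\');
            }

            Uri absoluteUri;

            if (!Uri.TryCreate(url, UriKind.Absolute, out absoluteUri))
            {
                return false;
            }

            bool isHttp = absoluteUri.Scheme == Uri.UriSchemeHttp || absoluteUri.Scheme == Uri.UriSchemeHttps;

            return isHttp && string.Equals(absoluteUri.Host, expectedHost, StringComparison.OrdinalIgnoreCase);
        }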
        // Process a successful SAML response.
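        private void ProcessSuccessSAMLResponse(SAMLResponse samlResponse, string relayState)
        {
            // samlResponse: a SAML response the caller has already determined to be successful.
            // relayState:   the opaque relay state echoed back by the IdP; may or may not map to a
            //               RelayState entry in RelayStateCache.
            // Effects: issues a forms authentication cookie for the asserted subject and redirects
            // to the cached resource URL, or to the application root when there is none. Throws
            // ArgumentNullException for a null response, InvalidOperationException when an
            // encrypted assertion cannot be decrypted because no SP private key is configured,
            // and ArgumentException when there is no assertion, a signature fails to verify, or
            // the subject has no usable name.
            // NOTE(review): an unsigned, unencrypted assertion is accepted here without any
            // signature check; confirm the caller verifies the response signature before this runs.
            if (samlResponse == null)
            {
                throw new ArgumentNullException("samlResponse");
            }

            Trace.Write("SP", "Processing successful SAML response");

            // Extract the asserted identity from the SAML response.
            // The SAML assertion may be signed or encrypted and signed.
            SAMLAssertion samlAssertion = null;

            if (samlResponse.GetUnsignedAssertions().Count > 0)
            {
                samlAssertion = samlResponse.GetUnsignedAssertions()[0];
            }
            else if (samlResponse.GetSignedAssertions().Count > 0)
            {
                Trace.Write("SP", "Verifying assertion signature");

                XmlElement samlAssertionXml = samlResponse.GetSignedAssertions()[0];

                // Verify the assertion signature. The embedded signing certificate is used.
                if (!SAMLAssertionSignature.Verify(samlAssertionXml))
                {
                    throw new ArgumentException("The SAML assertion signature failed to verify.");
                }

                samlAssertion = new SAMLAssertion(samlAssertionXml);
            }
            else if (samlResponse.GetEncryptedAssertions().Count > 0)
            {
                Trace.Write("SP", "Decrypting assertion");

                // Load the decryption key; it is only required on this path.
                X509Certificate2 x509Certificate = (X509Certificate2)Application[Global.SPX509Certificate];

                if (x509Certificate == null || !x509Certificate.HasPrivateKey)
                {
                    throw new InvalidOperationException("No SP certificate with a private key is configured to decrypt the assertion");
                }

                // Decrypt the encrypted assertion.
                XmlElement samlAssertionXml = samlResponse.GetEncryptedAssertions()[0].DecryptToXml(x509Certificate.PrivateKey, null, null);

                if (SAMLAssertionSignature.IsSigned(samlAssertionXml))
                {
                    Trace.Write("SP", "Verifying assertion signature");

                    // Verify the assertion signature. The embedded signing certificate is used.
                    if (!SAMLAssertionSignature.Verify(samlAssertionXml))
                    {
                        throw new ArgumentException("The SAML assertion signature failed to verify.");
                    }
                }

                samlAssertion = new SAMLAssertion(samlAssertionXml);
            }
            else
            {
                throw new ArgumentException("No assertions in response");
            }

            // Get the subject name identifier.
            string userName = null;

            if (samlAssertion != null && samlAssertion.Subject != null && samlAssertion.Subject.NameID != null)
            {
                userName = samlAssertion.Subject.NameID.NameIdentifier;
            }

            // An empty name identifier must never become a forms authentication identity.
            if (string.IsNullOrEmpty(userName))
            {
                throw new ArgumentException("The SAML assertion doesn't contain a subject name.");
            }

            // Create a login context for the asserted identity.
            Trace.Write("SP", "Automatically logging in user " + userName);
            FormsAuthentication.SetAuthCookie(userName, false);

            // Get the originally requested resource URL from the relay state, if any. The URL comes
            // from the server-side cache (not from the request), and Remove() consumes the entry so
            // a relay state can only be redeemed once. An entry without a URL falls back to the
            // default page rather than failing inside Response.Redirect.
            string redirectURL = "~/";

            RelayState cachedRelayState = string.IsNullOrEmpty(relayState) ? null : RelayStateCache.Remove(relayState);

            if (cachedRelayState != null && !string.IsNullOrEmpty(cachedRelayState.ResourceURL))
            {
                redirectURL = cachedRelayState.ResourceURL;
            }

            // Redirect to the originally requested resource URL, if any, or the default page.
            Trace.Write("SP", "Redirecting to " + redirectURL);
            Response.Redirect(redirectURL, false);

            Trace.Write("SP", "Processed successful SAML response");
        }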