/// <summary> /// Processes the SAML response received from the IdP. /// </summary> /// <param name="page">The page object.</param> /// <param name="relayState">The relay state</param> /// <param name="samlResponse">The SAML response object.</param> public static void ProcessResponse(Page page, out ComponentPro.Saml2.Response samlResponse, out string relayState) { // Extract the binding type from the query string. string bindingType = page.Request.QueryString["binding"]; switch (bindingType) { case "artifact": // Create an artifact from the query string. Saml2ArtifactType0004 httpArtifact = Saml2ArtifactType0004.CreateFromHttpArtifactQueryString(page.Request); // Create an artifact resolve request. ArtifactResolve artifactResolve = new ArtifactResolve(); artifactResolve.Issuer = new Issuer(GetAbsoluteUrl(page, "~/")); artifactResolve.Artifact = new Artifact(httpArtifact.ToString()); // Send the artifact resolve request and create an artifact response from the received XML. ArtifactResponse artifactResponse = ArtifactResponse.SendSamlMessageReceiveAftifactResponse(Global.ArtifactServiceUrl, artifactResolve); // Get the SAML Response from the artifact response. samlResponse = new ComponentPro.Saml2.Response(artifactResponse.Message); relayState = httpArtifact.RelayState; break; case "post": System.Diagnostics.Debug.WriteLine("POST"); // Create a SAML response from the form data. samlResponse = ComponentPro.Saml2.Response.Create(page.Request); relayState = samlResponse.RelayState; break; default: throw new ApplicationException("Unknown binding type"); } // Is the SAML response signed? if (samlResponse.IsSigned()) { // Get the previously loaded certificate. X509Certificate2 x509Certificate = (X509Certificate2)page.Application[Global.IdPCertKey]; // Validate the certificate. if (!samlResponse.Validate(x509Certificate)) { throw new ApplicationException("The SAML response signature failed to verify."); } } }
// Receive the authentication request from the service provider. public static void ReceiveAuthnRequest(Page page, out AuthnRequest authnRequest, out string relayState) { // Determine the service provider to identity provider binding type. // We use a query string parameter rather than having separate endpoints per binding. string bindingType = page.Request.QueryString[BindingQueryParameter]; switch (bindingType) { case SamlBindingUri.HttpRedirect: X509Certificate2 x509Certificate = (X509Certificate2)page.Application[Global.SPCertKey]; authnRequest = AuthnRequest.Create(page.Request.RawUrl, x509Certificate.PublicKey.Key); relayState = authnRequest.RelayState; break; case SamlBindingUri.HttpPost: authnRequest = AuthnRequest.CreateFromHttpPost(page.Request); relayState = authnRequest.RelayState; break; case SamlBindingUri.HttpArtifact: // Receive the artifact. Saml2ArtifactType0004 httpArtifact = Saml2ArtifactType0004.CreateFromHttpArtifactQueryString(page.Request); // Create an artifact resolve request. ArtifactResolve artifactResolve = new ArtifactResolve(); artifactResolve.Issuer = new Issuer(Util.GetAbsoluteUrl(page, "~/")); artifactResolve.Artifact = new Artifact(httpArtifact.ToString()); // Look up for the appropriate artifact SP url string referer = page.Request.UrlReferrer.AbsoluteUri; int i; for (i = 0; i < Services.AllowedServiceUrls.Length; i++) { string url = Services.AllowedServiceUrls[i]; if (referer.StartsWith(url)) { break; } } if (i == Services.AllowedServiceUrls.Length) { throw new Exception("Your SP is not allowed"); } // Send the artifact resolve request and receive the artifact response. string artifactServiceProviderUrl = Services.ArtifactServiceProviderUrls[i]; ArtifactResponse artifactResponse = ArtifactResponse.SendSamlMessageReceiveAftifactResponse(artifactServiceProviderUrl, artifactResolve); // Extract the authentication request from the artifact response. authnRequest = new AuthnRequest(artifactResponse.Message); relayState = httpArtifact.RelayState; break; default: Trace.Write("IdentityProvider", "Invalid service provider to identity provider binding"); authnRequest = null; relayState = null; return; } // If using HTTP redirect the message isn't signed as the generated query string is too long for most browsers. if (bindingType != SamlBindingUri.HttpRedirect) { if (authnRequest.IsSigned()) { // Verify the request's signature. X509Certificate2 x509Certificate = (X509Certificate2)page.Application[Global.SPCertKey]; if (!authnRequest.Validate(x509Certificate)) { throw new ApplicationException("The authentication request signature failed to verify."); } } } }