예제 #1
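    /// <summary>
    /// Fills the HTML POST-form template (Common.postForm) that carries the SAML
    /// response back to the assertion consumer named in the AuthnRequest.
    /// </summary>
    /// <param name="SamlAssession">The serialized (signed) SAML response XML.</param>
    /// <param name="authNRequest">The parsed AuthnRequest; its AssertionConsumerServiceURL
    /// is checked against the configured allow-list by GetValidURL before it is used.</param>
    /// <returns>The form HTML with %ASSERTION_CONSUMER and %SAML_RESPONSE substituted.</returns>
    String GenerateResponse(String SamlAssession, AuthNRequest authNRequest)
    {
        // Strings are immutable, so the (obsolete) String.Copy of the template was a no-op.
        String postForm = Common.postForm;

        // The consumer URL is only used once it has matched the allow-list. Escape it anyway so
        // a configured value containing '&', '"' or '<' cannot break out of the markup it is
        // placed in (assumes %ASSERTION_CONSUMER sits inside HTML — confirm against Common.postForm).
        String consumerUrl = SecurityElement.Escape(SamlAssertionConsumerValidator.GetValidURL(authNRequest));

        // Base64 output (A-Z, a-z, 0-9, '+', '/', '=') contains no markup-significant characters.
        String encoded = Common.EncodeTo64(SamlAssession);

        postForm = postForm.Replace("%ASSERTION_CONSUMER", consumerUrl);
        postForm = postForm.Replace("%SAML_RESPONSE", encoded);

        // Note: this writes the complete response, signed assertion included, to the debug log.
        Common.debug(postForm);
        return postForm;
    }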
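        /// <summary>
        /// Returns the AuthnRequest's AssertionConsumerServiceURL if the whole string matches
        /// (case-insensitively) one of the configured allowed consumers; otherwise throws.
        /// </summary>
        /// <param name="request">The parsed AuthnRequest; may be null.</param>
        /// <returns>The request's AssertionConsumerServiceURL, unchanged.</returns>
        /// <exception cref="Exception">Thrown when the URL is absent or not on the allow-list.</exception>
        public static string GetValidURL(AuthNRequest request)
        {
            // A null request or URL used to surface as a NullReferenceException inside Equals;
            // treat it as "disallowed" so every rejection takes the same logged path below.
            string requested = (request == null) ? null : request.AssertionConsumerServiceURL;

            if (!string.IsNullOrEmpty(requested))
            {
                foreach (string allowedUrl in Common.AllowedAssertionConsumers)
                {
                    // Whole-string comparison only: no prefix or host-only matching, so a URL on
                    // an allowed host but with a different path is still rejected.
                    // NOTE(review): OrdinalIgnoreCase also folds the path, which is case-sensitive
                    // in URLs; acceptable for a fixed allow-list, but do not relax it further.
                    if (requested.Equals(allowedUrl, StringComparison.OrdinalIgnoreCase))
                    {
                        return requested;
                    }
                }
            }

            Common.error("Disallowed AssertionConsumerServiceURL value in SAML Request: "
                         + requested
                         + " Please check assertion_consumer value in Web.config.");
            throw new Exception("Disallowed AssertionConsumerServiceURL value in SAML Request: "
                                + requested);
        }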
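    /// <summary>
    /// Fills the SAML response template (Common.postResponse) for the given subject and
    /// AuthnRequest, signs the resulting document and returns its XML.
    /// </summary>
    /// <param name="subject">The authenticated user identity substituted for %SUBJECT.</param>
    /// <param name="authNRequest">The parsed AuthnRequest; its Id and Issuer are echoed back.</param>
    /// <returns>The signed response document as a string.</returns>
    /// <exception cref="Exception">Thrown when Common.IDPEntityId is not configured.</exception>
    String BuildAssertion(String subject, AuthNRequest authNRequest)
    {
        Common.debug("inside BuildAssertion");

        // Fail before any template work if the issuer is not configured. (The old message
        // claimed a fallback to the machine name that never happened.)
        if (String.IsNullOrEmpty(Common.IDPEntityId))
        {
            throw new Exception("IDP Entity ID is not set in config.");
        }

        String      recipientGsa = Common.GSAAssertionConsumer;
        XmlDocument respDoc      = (XmlDocument)Common.postResponse.CloneNode(true);

        Common.debug("before replacement: " + respDoc.InnerXml);
        if (!recipientGsa.StartsWith("http"))
        {
            // NOTE(review): a relative consumer path is completed from the request's Host header,
            // i.e. from client-supplied data; a fully qualified GSAAssertionConsumer in Web.config
            // keeps the signed Recipient value independent of the request.
            recipientGsa = "http://" + Request.Headers["Host"] + recipientGsa;
        }

        // Every value taken from the AuthnRequest is XML-escaped before substitution. The document
        // is signed below, so markup smuggled in through Id or Issuer would otherwise be signed too
        // (the original escaped %AUTHN_REQUEST_ID but not %REQID or %AUDIENCE).
        String escapedRequestId = SecurityElement.Escape(authNRequest.Id);
        String escapedIssuer    = SecurityElement.Escape(authNRequest.Issuer);

        String req = respDoc.InnerXml;

        req = req.Replace("%REQID", escapedRequestId);

        // NOTE(review): SAML timestamps are UTC; FormatInvariantTime is not visible here — confirm
        // it converts local time, otherwise DateTime.UtcNow belongs here.
        DateTime currentTimeStamp = DateTime.Now;

        // IssueInstant is backdated by a minute, presumably to tolerate clock skew at the consumer.
        req = req.Replace("%INSTANT", Common.FormatInvariantTime(currentTimeStamp.AddMinutes(-1)));
        req = req.Replace("%NOT_ON_OR_AFTER", Common.FormatInvariantTime(currentTimeStamp.AddSeconds(Common.iTrustDuration)));
        req = req.Replace("%ISSUER", Common.IDPEntityId);

        // Kept in a local because the same id is handed to SignXml below.
        String MessageId = Common.GenerateRandomString();

        req = req.Replace("%MESSAGE_ID", MessageId);
        req = req.Replace("%RESPONSE_ID", Common.GenerateRandomString());
        req = req.Replace("%ASSERTION_ID", Common.GenerateRandomString());
        req = req.Replace("%SUBJECT", SecurityElement.Escape(subject));
        // Recipient comes from configuration (plus Host header, see above) and is not escaped,
        // matching the original behaviour; a '&' in the configured URL would need escaping.
        req = req.Replace("%RECIPIENT", recipientGsa);
        req = req.Replace("%AUTHN_REQUEST_ID", escapedRequestId);
        req = req.Replace("%AUDIENCE", escapedIssuer);

        respDoc.InnerXml = req;
        // Sign the XML document.
        SignXml(respDoc, MessageId);
        Common.debug("exit BuildAssession");
        return respDoc.InnerXml;
    }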
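    /// <summary>
    /// Decodes the SAMLRequest parameter and extracts the AuthnRequest ID and Issuer.
    /// </summary>
    /// <param name="samlRequest">The raw SAMLRequest value as received from the client.</param>
    /// <returns>
    /// An AuthNRequest with Id and Issuer filled in, or null when the value could not be
    /// decompressed. Id (or Issuer) stays null when the corresponding node is absent.
    /// </returns>
    public AuthNRequest ExtractAuthNRequest(String samlRequest)
    {
        Common.debug("samlRequest = " + samlRequest);
        String decoded = Decompress(samlRequest);

        if (decoded == null)
        {
            Common.debug("Decompress failed");
            return null;
        }
        Common.debug("samlRequest decoded = " + decoded);

        XmlDocument doc = new XmlDocument();

        // The XML comes from an unauthenticated client. A null resolver stops the parser from
        // fetching external entities or DTDs referenced by the document (XXE). DTD processing
        // itself is not disabled by this, so inline entity-expansion payloads are still parsed.
        doc.XmlResolver = null;
        doc.InnerXml    = decoded;

        XmlElement   root = doc.DocumentElement;
        AuthNRequest req  = new AuthNRequest();

        // A missing ID attribute leaves Id null so the caller's "Id == null" check fires
        // instead of a NullReferenceException here.
        if (root != null && root.Attributes["ID"] != null)
        {
            req.Id = root.Attributes["ID"].Value;
        }

        XmlNode issuer = Common.FindOnly(decoded, "Issuer");
        if (issuer != null)
        {
            req.Issuer = issuer.InnerText;
        }
        return req;
    }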
예제 #5
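    /// <summary>
    /// Handles an SP-initiated login (POST binding): parses the SAMLRequest, obtains the
    /// user identity, builds a signed SAML response and writes the auto-post form to the
    /// client. Shows the diagnostic page instead when no SAMLRequest was supplied.
    /// </summary>
    /// <param name="sender">Event source (unused).</param>
    /// <param name="e">Event data (unused).</param>
    /// <exception cref="Exception">Thrown when the request ID or the user identity cannot be determined.</exception>
    protected void Page_Load(object sender, EventArgs e)
    {
        Common.debug("Login Request is: " + Request.RawUrl);
        Common.debug("before Login::entering pageload");
        // create an IAutn instance
        IAuthn authn = AAFactory.getAuthn(this);

        String samlRequest = Request.Params["SAMLRequest"];

        if (String.IsNullOrEmpty(samlRequest))
        {
            Diagnose();
            return;
        }

        //Decode request and extract the AuthNRequestId
        AuthNRequest authNRequest = ExtractAuthNRequest(samlRequest);

        // ExtractAuthNRequest returns null when the request cannot be decoded. The original
        // condition compared the request object itself (not its Id) with "", so an empty Id
        // was never rejected here.
        if (authNRequest == null || String.IsNullOrEmpty(authNRequest.Id))
        {
            Common.error("Couldn't extract AuthN Request Id from SAMLRequest");
            throw new Exception("Failed to extract AuthN Request Id from SAML Request");
        }
        Common.debug("Extracted AuthNRequestId is :" + authNRequest.Id);

        // Get the user's identity (silently, if properly configured).
        String subject = authn.GetUserIdentity();

        if (String.IsNullOrEmpty(subject))
        {
            Common.error("Couldn't get user name, check your system setup");
            throw new Exception("Failed to get user name");
        }
        Common.debug("The user is: " + subject);
        String SamlAssession = BuildAssertion(subject, authNRequest);

        Response.Write(GenerateResponse(SamlAssession, authNRequest));
    }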
예제 #6
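        /// <summary>
        /// Handles an SP-initiated login (artifact binding): parses the SAMLRequest, obtains
        /// the user identity, caches it in Application state under a fresh artifact and
        /// redirects the browser back to the GSA with SAMLart and RelayState. Shows the
        /// diagnostic page instead when no SAMLRequest was supplied.
        /// </summary>
        /// <param name="sender">Event source (unused).</param>
        /// <param name="e">Event data (unused).</param>
        /// <exception cref="Exception">Thrown when the request ID or the user identity cannot be determined.</exception>
        private void Page_Load(object sender, System.EventArgs e)
        {
            Common.debug("Login Request is: " + Request.RawUrl);
            Common.debug("before Login::entering pageload");
            // create an IAutn instance
            IAuthn authn = AAFactory.getAuthn(this);

            String samlRequest = Request.Params["SAMLRequest"];

            if (String.IsNullOrEmpty(samlRequest))
            {
                Diagnose();
                return;
            }

            //Decode request and extract the AuthNRequestId
            AuthNRequest authNRequest = ExtractAuthNRequest(samlRequest);

            // ExtractAuthNRequest returns null when the request cannot be decoded; without this
            // guard the Id access below would throw a NullReferenceException instead.
            if (authNRequest == null || String.IsNullOrEmpty(authNRequest.Id))
            {
                Common.error("Couldn't extract AuthN Request Id from SAMLRequest");
                throw new Exception("Failed to extract AuthN Request Id from SAML Request");
            }

            Common.debug("Extracted AuthNRequestId is :" + authNRequest.Id);

            // Get the user's identity (silently, if properly configured).
            String subject = authn.GetUserIdentity();

            if (String.IsNullOrEmpty(subject))
            {
                Common.error("Couldn't get user name, check your system setup");
                throw new Exception("Failed to get user name");
            }
            Common.debug("The user is: " + subject);

            // Generate a random string (artifact) that the GSA
            //  will use later to confirm the user's identity
            String artifactId = Common.GenerateRandomString();

            // Set an application level name/value pair for storing the user ID
            // and the AuthN request Id with the artifact string.
            // This is used later when the GSA asks to verify the artifact and obtain the
            // user ID (in ResolveArt.aspx.cs).
            // NOTE(review): nothing here expires the entry; unless ResolveArt removes it on
            // first use, Application state grows and the artifact stays resolvable indefinitely.
            SamlArtifactCacheEntry samlArtifactCacheEntry = new SamlArtifactCacheEntry(subject, authNRequest.Id);

            Application[Common.ARTIFACT + "_" + artifactId] = samlArtifactCacheEntry;

            // The relay state is the search URL the user is sent to after authentication
            // and verification; it is URL-encoded for the redirect back to the GSA
            // (UrlEncode(null) yields null, so a missing RelayState becomes an empty value).
            String relayState = HttpUtility.UrlEncode(Request.Params["RelayState"]);

            // Redirect target: the configured GSA consumer plus artifact and relay state.
            // NOTE(review): assumes GSAAssertionConsumer carries no query string of its own.
            String gsa = Common.GSAAssertionConsumer + "?SAMLart=" + artifactId + "&RelayState=" + relayState;
            if (!gsa.StartsWith("http"))
            {
                // NOTE(review): a relative consumer path is completed from the client-supplied
                // Host header, so the redirect target (with the artifact in it) depends on
                // request data; prefer an absolute GSAAssertionConsumer in Web.config.
                gsa = "http://" + Request.Headers["Host"] + gsa;
            }

            Common.debug("before Login::redirect");
            // The artifact stands in for the user's login until it is resolved, and it is
            // written to the debug log here together with the target URL.
            Common.debug(" to: " + gsa);
            // Redirect back to the GSA, which will then contact the Artifact verifier service
            //  with the artifact, to ensure its validity and obtain the user's ID
            Response.Redirect(gsa);
        }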