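/// <summary>
/// Creates a signed SAML authentication request for the HTTP-Redirect binding: the request XML is
/// deflated, URL-encoded and signed together with RelayState and SigAlg, and the result is appended
/// to the destination URL as a query string.
/// </summary>
/// <param name="authnRequest">contains the authentication request properties; its <c>IssueInstant</c>
/// and <c>ID</c> are overwritten by this method</param>
/// <param name="signAlgorithm">algorithm to sign the saml request. The default, SHA1withRSA, is kept
/// for backward compatibility only; SHA-1 signatures are deprecated and callers should pass
/// SHA256withRSA.</param>
/// <returns>signed saml request: the destination URL with SAMLRequest, RelayState, SigAlg and Signature
/// query parameters</returns>
/// <exception cref="SamlCommunicationException">thrown when Init has not been called first</exception>
public string CreateSamlAuthnRequest(Saml2AuthnRequest authnRequest, Cryptography.SigningAlgorithm signAlgorithm = Cryptography.SigningAlgorithm.SHA1withRSA)
{
    if (!initialized)
    {
        throw new SamlCommunicationException("Init must be called first", SamlCommunicationType.SAMLCOMMUNICATION);
    }

    // load signing certificate
    X509Certificate2 signingCertificate = certificate; // LoadCertificate();

    // set creation time; the IssueInstant is expressed in UTC
    authnRequest.IssueInstant = DateTime.UtcNow;

    // make id -> hash the authn request to make it unique.
    // The ID is an xs:ID (NCName): it must not start with a digit and must not contain '+', '/' or
    // '=', so plain Base64 is not a valid ID. A '_'-prefixed hex string is.
    // NOTE(review): two requests with identical properties issued within the resolution of
    // IssueInstant would hash to the same ID - confirm whether that can happen for the callers.
    byte[] hash = crypto.Hash(authnRequest.ToXML(), Cryptography.HashTypes.SHA256);
    authnRequest.ID = "_" + BitConverter.ToString(hash).Replace("-", string.Empty);

    // set signing algorithm: the SigAlg URI must name the algorithm actually used for the
    // signature, otherwise the receiver verifies with the wrong digest and rejects the request
    string signingAlgorithm = "http://www.w3.org/2000/09/xmldsig#rsa-sha1";
    if (signAlgorithm == Cryptography.SigningAlgorithm.SHA256withRSA)
    {
        signingAlgorithm = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256";
    }

    // serialize once: the same XML is deflated for the redirect and archived for later
    // correlation with the response
    string requestXml = authnRequest.ToXML();
    string uncompressed; // uncompressed form returned by the serializer, not needed here
    string deflated = serializer.Deflate(requestXml, out uncompressed);

    // store authn request in storage, keyed by its ID
    archiver.SetObjectToArchive(authnRequest.ID, Convert.ToBase64String(Encoding.UTF8.GetBytes(requestXml)));

    // SAMLRequest=value&RelayState=value&SigAlg=value
    // The signature covers exactly this string in this order, so the same value is reused
    // unchanged in the final URL.
    string toSign = "SAMLRequest=" + WebUtility.UrlEncode(deflated) // HttpUtility if in Webproject
        + "&RelayState=" + WebUtility.UrlEncode(authnRequest.ID)
        + "&SigAlg=" + WebUtility.UrlEncode(signingAlgorithm);

    string signature = crypto.SignString(toSign, signingCertificate, signAlgorithm);

    string request = authnRequest.Destination + "?" + toSign + "&Signature=" + WebUtility.UrlEncode(signature);
    LogService.Log(LogService.LogType.Info, "CreateSamlAuthnRequest - authnRequest created: '" + request + "'");
    return request;
}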
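// Signs a fixed string with the keystore certificate and verifies the signature both with the
// certificate loaded from the public-certificate file and with the keystore certificate itself.
// Exceptions are deliberately not caught: a thrown exception already fails the test, and letting it
// propagate keeps the full stack trace instead of reducing it to e.Message via Assert.Fail.
public void StringSignatureVerificationSuccessfulTest()
{
    SamlCertificateController certController = new SamlCertificateController();
    Cryptography crypto = new Cryptography();
    string toSign = "this should be signed";
    X509Certificate2 cert = certController.GetCertificate(FriendlyName, KeystorePath, KeystorePassword);

    // SHA-1 is exercised here because it is the library's default; SHA-1 signatures are deprecated
    Cryptography.SigningAlgorithm signingAlgo = Cryptography.SigningAlgorithm.SHA1withRSA;
    Cryptography.HashTypes hashingAlgo = Cryptography.HashTypes.SHA1;

    // the verifying certificate is built from the PEM text of the file, not from the keystore
    X509Certificate2 certValidate = new X509Certificate2(Encoding.UTF8.GetBytes(ReadFile("PublicCertificateHybridIssuer.txt")));

    // signing
    string signature = crypto.SignString(toSign, cert, signingAlgo, hashingAlgo);

    // verifying
    Assert.IsTrue(crypto.VerifySignedString(toSign, signature, certValidate, signingAlgo, hashingAlgo)); // import only the certificate as string
    Assert.IsTrue(crypto.VerifySignedString(toSign, signature, cert, signingAlgo, hashingAlgo)); // use the public key from the keystore
}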
/// <summary>
/// Creates a saml authentication request with the given authentication request properties.
/// Builds a <see cref="Saml2AuthnRequest"/> from the arguments and hands it to the
/// <see cref="Saml2AuthnRequest"/>-based overload, which sets the issue instant and ID and signs it.
/// </summary>
/// <param name="assertionConsumerServiceURL">value stored in the request's <c>AssertionConsumerServiceURL</c></param>
/// <param name="attributeConsumingServiceIndex">value stored in the request's <c>AttributeConsumingServiceIndex</c></param>
/// <param name="destination">value stored in the request's <c>Destination</c>; the returned URL starts with it</param>
/// <param name="forceAuthn">value stored in the request's <c>ForceAuthn</c></param>
/// <param name="providerName">value stored in the request's <c>ProviderName</c></param>
/// <param name="issuer">value stored in the request's <c>Issuer</c></param>
/// <param name="signAlgorithm">algorithm to sign the saml request; defaults to SHA1withRSA</param>
/// <returns>signed saml request</returns>
/// <exception cref="SamlCommunicationException">thrown when Init has not been called first</exception>
public string CreateSamlAuthnRequest(string assertionConsumerServiceURL, int attributeConsumingServiceIndex, string destination, bool forceAuthn, string providerName, string issuer, Cryptography.SigningAlgorithm signAlgorithm = Cryptography.SigningAlgorithm.SHA1withRSA)
{
    // the call is logged before the initialization check so that a rejected call still shows up in the log
    LogService.Log(LogService.LogType.Info, "CreateSamlAuthnRequest called");

    if (!initialized)
    {
        throw new SamlCommunicationException("Init must be called first", SamlCommunicationType.SAMLCOMMUNICATION);
    }

    var request = new Saml2AuthnRequest()
    {
        AssertionConsumerServiceURL = assertionConsumerServiceURL,
        AttributeConsumingServiceIndex = attributeConsumingServiceIndex,
        Destination = destination,
        ForceAuthn = forceAuthn,
        ProviderName = providerName,
        Issuer = issuer
    };

    LogService.Log(LogService.LogType.Info, "CreateSamlAuthnRequest authnRequest properties set - '" + request + "'");

    return CreateSamlAuthnRequest(request, signAlgorithm);
}