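/// <summary>
        /// Creates a signed saml authentication request for the HTTP-Redirect binding:
        /// the request XML is deflated, archived under its ID and signed together with
        /// RelayState and SigAlg as query-string parameters.
        /// </summary>
        /// <param name="authnRequest">contains the authentication request properties; IssueInstant and ID are set here</param>
        /// <param name="signAlgorithm">algorithm to sign the saml request (default SHA1withRSA)</param>
        /// <returns>signed saml request: destination URL with SAMLRequest, RelayState, SigAlg and Signature parameters</returns>
        /// <exception cref="SamlCommunicationException">thrown when Init has not been called yet</exception>
        public string CreateSamlAuthnRequest(Saml2AuthnRequest authnRequest,
                                             Cryptography.SigningAlgorithm signAlgorithm = Cryptography.SigningAlgorithm.SHA1withRSA)
        {
            if (!initialized)
            {
                throw new SamlCommunicationException("Init must be called first", SamlCommunicationType.SAMLCOMMUNICATION);
            }

            // signing certificate provided by Init
            X509Certificate2 signingCertificate = certificate;

            // creation time in UTC; DateTime.UtcNow replaces the obsolete TimeZone API and
            // avoids the DST ambiguity of converting a local DateTime.Now
            authnRequest.IssueInstant = DateTime.UtcNow;

            // make id -> hash the authn request (still without ID) to make it unique.
            // NOTE(review): the ID is derived from the request, not random, and Base64 may
            // produce characters that are not valid in an xs:ID (leading digit, '+', '/', '=');
            // the archive key and RelayState depend on this value, so the format is kept.
            byte[] hash = crypto.Hash(authnRequest.ToXML(), Cryptography.HashTypes.SHA256);
            authnRequest.ID = Convert.ToBase64String(hash);

            // SigAlg must name the algorithm actually used for the signature; the SHA256withRSA
            // branch previously advertised the rsa-sha1 URI, so a receiver would verify with the
            // wrong digest (assumes SignString honours signAlgorithm - confirm in Cryptography).
            string signingAlgorithm = "http://www.w3.org/2000/09/xmldsig#rsa-sha1";

            if (signAlgorithm == Cryptography.SigningAlgorithm.SHA256withRSA)
            {
                signingAlgorithm = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256";
            }

            // serialize once now that the ID is set; the same XML is deflated and archived
            string requestXml = authnRequest.ToXML();
            string original;
            string deflated = serializer.Deflate(requestXml, out original);

            // archive the request under its ID so the response can be matched against it later
            archiver.SetObjectToArchive(authnRequest.ID, Convert.ToBase64String(Encoding.UTF8.GetBytes(requestXml)));

            // signed query string: SAMLRequest=value&RelayState=value&SigAlg=value
            string toSign = "SAMLRequest=" + WebUtility.UrlEncode(deflated)         // HttpUtility if in Webproject
                            + "&RelayState=" + WebUtility.UrlEncode(authnRequest.ID)
                            + "&SigAlg=" + WebUtility.UrlEncode(signingAlgorithm);

            string signature = crypto.SignString(toSign, signingCertificate, signAlgorithm);
            string request   = authnRequest.Destination + "?" + toSign + "&Signature=" + WebUtility.UrlEncode(signature);

            // NOTE(review): the complete redirect URL including the signature is written to the info log
            LogService.Log(LogService.LogType.Info, "CreateSamlAuthnRequest - authnRequest created: '" + request + "'");

            return(request);
        }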
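        /// <summary>
        /// Signs a string with the keystore certificate and verifies the signature both against
        /// the bare public certificate read from file and against the keystore certificate itself.
        /// Exceptions are no longer caught and re-reported via Assert.Fail: letting them escape
        /// fails the test just the same but keeps the original stack trace, and the former
        /// catch (Exception) also intercepted the assertion failures of the inner Assert calls.
        /// </summary>
        public void StringSignatureVerificationSuccessfulTest()
        {
            var certController = new SamlCertificateController();
            var crypto         = new Cryptography();
            const string toSign = "this should be signed";

            // SHA1withRSA is the library default; a SHA256withRSA case would be worth adding
            Cryptography.SigningAlgorithm signingAlgo = Cryptography.SigningAlgorithm.SHA1withRSA;
            Cryptography.HashTypes        hashingAlgo = Cryptography.HashTypes.SHA1;

            // certificates hold native handles - dispose them when the test is done
            using (X509Certificate2 cert = certController.GetCertificate(FriendlyName, KeystorePath, KeystorePassword))
            using (X509Certificate2 certValidate = new X509Certificate2(Encoding.UTF8.GetBytes(ReadFile("PublicCertificateHybridIssuer.txt"))))
            {
                // signing
                string signature = crypto.SignString(toSign, cert, signingAlgo, hashingAlgo);

                // verifying: import only the certificate as string
                Assert.IsTrue(crypto.VerifySignedString(toSign, signature, certValidate, signingAlgo, hashingAlgo));
                // verifying: use the public key from the keystore
                Assert.IsTrue(crypto.VerifySignedString(toSign, signature, cert, signingAlgo, hashingAlgo));
            }
        }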
        /// <summary>
        /// Convenience overload: builds a <see cref="Saml2AuthnRequest"/> from the individual
        /// properties and hands it to the signing overload.
        /// </summary>
        /// <param name="assertionConsumerServiceURL">value for the request's AssertionConsumerServiceURL</param>
        /// <param name="attributeConsumingServiceIndex">value for the request's AttributeConsumingServiceIndex</param>
        /// <param name="destination">value for the request's Destination (the signed request URL starts with it)</param>
        /// <param name="forceAuthn">value for the request's ForceAuthn flag</param>
        /// <param name="providerName">value for the request's ProviderName</param>
        /// <param name="issuer">value for the request's Issuer</param>
        /// <param name="signAlgorithm">algorithm to sign the saml request (default SHA1withRSA)</param>
        /// <returns>signed saml request</returns>
        /// <exception cref="SamlCommunicationException">thrown when Init has not been called yet</exception>
        public string CreateSamlAuthnRequest(string assertionConsumerServiceURL, int attributeConsumingServiceIndex, string destination,
                                             bool forceAuthn, string providerName, string issuer, Cryptography.SigningAlgorithm signAlgorithm = Cryptography.SigningAlgorithm.SHA1withRSA)
        {
            LogService.Log(LogService.LogType.Info, "CreateSamlAuthnRequest called");

            // the signing overload checks this as well, but failing early keeps the log readable
            if (!initialized)
            {
                throw new SamlCommunicationException("Init must be called first", SamlCommunicationType.SAMLCOMMUNICATION);
            }

            var request = new Saml2AuthnRequest();
            request.AssertionConsumerServiceURL    = assertionConsumerServiceURL;
            request.AttributeConsumingServiceIndex = attributeConsumingServiceIndex;
            request.Destination  = destination;
            request.ForceAuthn   = forceAuthn;
            request.ProviderName = providerName;
            request.Issuer       = issuer;

            string message = "CreateSamlAuthnRequest authnRequest properties set - '" + request.ToString() + "'";
            LogService.Log(LogService.LogType.Info, message);

            return CreateSamlAuthnRequest(request, signAlgorithm);
        }