public string PostableLogOutRequest(SamlRequestOption requestOption, string xmlPrivateKey = "")
{
try
{
_logger.LogInformation("PostableLogOutRequest -> initialize logout request for IDP {0}", requestOption.Destination);
LogoutRequestType logOutRequest = _logOutRequestTypeMapper.Map(requestOption);
_logger.LogInformation("PostableLogOutRequest -> request created with id {0}", logOutRequest.ID);
XmlDocument xmlRequest = new XmlDocument();
xmlRequest.LoadXml(logOutRequest.ToXmlString());
_logger.LogInformation("PostableLogOutRequest -> generating signature for id {0}...", logOutRequest.ID);
XmlElement signatureElement = _signatureHelper.GetXmlAuthRequestSignature(xmlRequest, requestOption.Certificate, xmlPrivateKey);
xmlRequest.DocumentElement.InsertAfter(signatureElement, xmlRequest.DocumentElement.ChildNodes[0]);
_logger.LogInformation("PostableLogOutRequest -> signature generated correctly");
_logger.LogDebug("PostableLogOutRequest -> request id {0} - xml: {1}", logOutRequest.ID, xmlRequest.OuterXml);
_traceLogger.LogInformation("LogoutReq_ID: {0}|LogouteReq_IssueInstant: {1}|LogouteReq_SAML: {2}", logOutRequest.ID, logOutRequest.IssueInstant, xmlRequest.OuterXml);
return(Convert.ToBase64String(Encoding.UTF8.GetBytes(xmlRequest.OuterXml)));
}
catch (Exception ex)
{
_logger.LogError(ex, "PostableLogOutRequest -> error on creating postable logout request");
throw;
}
}
public LogoutRequestType Map(SamlRequestOption source)
{
DateTime requestDateTime = DateTime.UtcNow;
LogoutRequestType logoutRequest = new LogoutRequestType()
{
ID = string.Concat("_", source.Id.ToString()),
Version = source.Version,
IssueInstant = requestDateTime,
Destination = source.Destination,
Issuer = new NameIDType
{
Format = SamlNamespaceHelper.SAML_ENTITY_NAMESPACE,
NameQualifier = source.SPDomain,
Value = source.SPDomain
},
Item = new NameIDType
{
SPNameQualifier = source.SPDomain,
Format = SamlNamespaceHelper.SAML_TRANSIENT_NAMESPACE,
Value = source.SubjectNameId
},
NotOnOrAfterSpecified = true,
NotOnOrAfter = requestDateTime.Add(source.NotOnOrAfter),
Reason = SamlNamespaceHelper.SAML_LOGOUT_USER_NAMESPACE,
SessionIndex = new string[] { source.AuthnStatementSessionIndex }
};
return(logoutRequest);
}
/// <summary>
/// Check the validity of IdP logout response
/// </summary>
/// <param name="response"></param>
/// <param name="request"></param>
/// <returns>True if valid, false otherwise</returns>
public static bool ValidateLogoutResponse(LogoutResponseType response, LogoutRequestType request)
{
var xmlDoc = response.SerializeToXmlDoc();
BusinessValidation.ValidationCondition(() => XmlHelpers.VerifySignature(xmlDoc), ErrorLocalization.InvalidSignature);
return(response.InResponseTo == request.ID);
}
public void Logout()
{
try
{
LogoutRequestType logoutRequestType = new LogoutRequestType();
logoutRequestType._this = (VimApi_65.ManagedObjectReference)VIConvert.ToWsdlType(this.MoRef);
this.VimServiceProxy.Logout(new LogoutRequest(logoutRequestType));
}
catch (FaultException ex)
{
if (ex.Message != "The session is not authenticated")
{
throw FaultUtility.HandleFault(ex);
}
}
}
public string HandleSLORequest(string encodedSLORequest, out string logoutConsumerServiceURL)
{
LogoutRequestType samlSLORequest = new LogoutRequestType();
//LogoutResponseType
//try
//{
// var decodedSLORequest = DecodeAndDecompressString(encodedSLORequest);
// samlSLORequest = DeserializeXMLStringToModel<LogoutRequestType>(decodedSLORequest);
// logoutConsumerServiceURL = _serviceProviders.Value.FirstOrDefault(x => x.Name == samlSLORequest.Issuer.Value).LogoutServiceUrl;
// samlSLOResponse = !_context.User.Identity.IsAuthenticated
// ? SamlResponseHelper.CreateSuccessSamlSLOResponse(samlSLORequest)
// : SamlResponseHelper.CreateErrorSamlSLOResponse(samlSLORequest);
//}
logoutConsumerServiceURL = String.Empty;
return(String.Empty);
}
/// <summary>
/// Build a signed SAML logout request.
/// </summary>
/// <param name="uuid"></param>
/// <param name="destination"></param>
/// <param name="consumerServiceURL"></param>
/// <param name="certificate"></param>
/// <param name="identityProvider"></param>
/// <param name="subjectNameId"></param>
/// <param name="authnStatementSessionIndex"></param>
/// <returns></returns>
public static string BuildLogoutPostRequest(string uuid, string consumerServiceURL, X509Certificate2 certificate,
IdentityProvider identityProvider, string subjectNameId, string authnStatementSessionIndex)
{
if (string.IsNullOrWhiteSpace(uuid))
{
throw new ArgumentNullException("The uuid parameter can't be null or empty.");
}
if (string.IsNullOrWhiteSpace(consumerServiceURL))
{
throw new ArgumentNullException("The consumerServiceURL parameter can't be null or empty.");
}
if (certificate == null)
{
throw new ArgumentNullException("The certificate parameter can't be null.");
}
if (identityProvider == null)
{
throw new ArgumentNullException("The identityProvider parameter can't be null.");
}
if (string.IsNullOrWhiteSpace(subjectNameId))
{
throw new ArgumentNullException("The subjectNameId parameter can't be null or empty.");
}
if (string.IsNullOrWhiteSpace(identityProvider.SingleLogoutServiceUrl))
{
throw new ArgumentNullException("The LogoutServiceUrl of the identity provider is null or empty.");
}
DateTime now = DateTime.UtcNow;
LogoutRequestType logoutRequest = new LogoutRequestType
{
ID = "_" + uuid,
Version = "2.0",
IssueInstant = identityProvider.Now(now),
Destination = identityProvider.EntityID,
Issuer = new NameIDType
{
Value = consumerServiceURL.Trim(),
Format = "urn:oasis:names:tc:SAML:2.0:nameid-format:entity",
NameQualifier = consumerServiceURL
},
Item = new NameIDType
{
NameQualifier = consumerServiceURL,
Format = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient",
Value = identityProvider.SubjectNameIdFormatter(subjectNameId)
},
NotOnOrAfterSpecified = true,
NotOnOrAfter = now.AddMinutes(10),
Reason = "urn:oasis:names:tc:SAML:2.0:logout:user",
SessionIndex = new string[] { authnStatementSessionIndex }
};
try
{
XmlSerializerNamespaces ns = new XmlSerializerNamespaces();
ns.Add("saml2p", "urn:oasis:names:tc:SAML:2.0:protocol");
ns.Add("saml2", "urn:oasis:names:tc:SAML:2.0:assertion");
StringWriter stringWriter = new StringWriter();
XmlWriterSettings settings = new XmlWriterSettings
{
OmitXmlDeclaration = true,
Indent = true,
Encoding = Encoding.UTF8
};
XmlWriter responseWriter = XmlTextWriter.Create(stringWriter, settings);
XmlSerializer responseSerializer = new XmlSerializer(logoutRequest.GetType());
responseSerializer.Serialize(responseWriter, logoutRequest, ns);
responseWriter.Close();
string samlString = stringWriter.ToString();
stringWriter.Close();
XmlDocument doc = new XmlDocument();
doc.LoadXml(samlString);
XmlElement signature = XmlSigningHelper.SignXMLDoc(doc, certificate, "_" + uuid);
doc.DocumentElement.InsertBefore(signature, doc.DocumentElement.ChildNodes[1]);
return(Convert.ToBase64String(Encoding.UTF8.GetBytes("<?xml version=\"1.0\" encoding=\"UTF-8\"?>" + doc.OuterXml)));
}
catch (Exception ex)
{
throw ex;
}
}
/// <summary>
/// Gets the logout request.
/// </summary>
/// <returns></returns>
public string GetLogoutRequest()
{
string result = "";
DateTime requestDatTime = DateTime.UtcNow;
//New LogoutRequestType
LogoutRequestType request = new LogoutRequestType();
request.Version = Options.Version;
//Unique UUID
request.ID = "_" + this.Options.UUID;
//Request DateTime
request.IssueInstant = requestDatTime;
//SLO Destination URI
request.Destination = this.Options.Destination;
request.SessionIndex = new string[] { this.Options.SessionId };
//Request Logout Level
if (this.Options.LogoutLevel == LogoutLevel.Admin)
{
request.Reason = "urn:oasis:names:tc:SAML:2.0:logout:admin";
}
else
{
request.Reason = "urn:oasis:names:tc:SAML:2.0:logout:user";
}
//Issuer Data
request.Issuer = new NameIDType()
{
Format = "urn:oasis:names:tc:SAML:2.0:nameid-format:entity",
Value = Options.SPUID,
NameQualifier = Options.SPUID
};
request.Item = new NameIDType()
{
Format = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient",
SPNameQualifier = Options.SPUID,
Value = Options.SubjectNameId,
};
request.NotOnOrAfterSpecified = true;
request.NotOnOrAfter = requestDatTime.Add(Options.NotOnOrAfter);
string samlString = "";
XmlSerializer serializer = new XmlSerializer(request.GetType());
using (StringWriter stringWriter = new StringWriter())
{
XmlWriterSettings settings = new XmlWriterSettings()
{
OmitXmlDeclaration = true,
Indent = true,
Encoding = Encoding.UTF8
};
using (XmlWriter writer = XmlWriter.Create(stringWriter, settings))
{
XmlSerializerNamespaces namespaces = new XmlSerializerNamespaces();
namespaces.Add("saml2p", "urn:oasis:names:tc:SAML:2.0:protocol");
namespaces.Add("saml2", "urn:oasis:names:tc:SAML:2.0:assertion");
serializer.Serialize(writer, request, namespaces);
samlString = stringWriter.ToString();
}
}
result = samlString;
return(result);
}
public NexoLogout() : base(MessageCategoryEnumeration.Logout)
{
RequestItem = new LogoutRequestType();
ReplyItem = new LogoutResponseType();
}
public async Task <(bool, LogoutRequestType)> HandleRedirectToIdentityProviderForSignOut(HttpContext context, AuthenticationScheme scheme, SpidOptions options, AuthenticationProperties properties, LogoutRequestType message)
{
var redirectContext = new RedirectContext(context, scheme, options, properties, message);
await _events.RedirectToIdentityProvider(redirectContext);
return(redirectContext.Handled, (LogoutRequestType)redirectContext.SignedProtocolMessage);
}
