예제 #1
0
        static void Main(string[] args)
        {
            try {
#if DOTNET45
                // Register the SHA-256 cryptographic algorithm.
                // Only supported in .NET 4.5 and above.
                CryptoConfig.AddAlgorithm(typeof(RSAPKCS1SHA256SignatureDescription), "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256");
#endif

                // Load the certificate and private key for signature generation.
                X509Certificate2 x509Certificate = new X509Certificate2("idp.pfx", "password");

                // Create a basic SAML assertion and serialize it to XML.
                SAMLAssertion samlAssertion = new SAMLAssertion();
                samlAssertion.Issuer = new Issuer("test");
                XmlElement samlAssertionElement = samlAssertion.ToXml();

                // Sign the SAML assertion using SHA-256 for the digest and signature algorithms.
                SAMLAssertionSignature.Generate(samlAssertionElement, x509Certificate.PrivateKey, x509Certificate, null, "http://www.w3.org/2001/04/xmlenc#sha256", "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256");
                Console.WriteLine("Signed SAML assertion: {0}", samlAssertionElement.OuterXml);

                // Verify the signature.
                bool verified = SAMLAssertionSignature.Verify(samlAssertionElement);
                Console.WriteLine("Signature verified: {0}", verified);

                // The HTTP-redirect doesn't use XML signatures so check it separately.
                // Create a basic authn request and serialize it to XML.
                AuthnRequest authnRequest = new AuthnRequest();
                authnRequest.Issuer = new Issuer("test");
                XmlElement authnRequestElement = authnRequest.ToXml();

                // Create the HTTP-redirect URL included the SHA-256 signature.
                string url = HTTPRedirectBinding.CreateRequestRedirectURL("http://www.test.com", authnRequestElement, null, x509Certificate.PrivateKey, HTTPRedirectBinding.SignatureAlgorithms.RSA_SHA256);

                string relayState = null;
                bool   signed     = false;

                // Retrieve the authn request from the HTTP-redirect URL and verify the signature.
                HTTPRedirectBinding.GetRequestFromRedirectURL(url, out authnRequestElement, out relayState, out signed, x509Certificate.PublicKey.Key);
            }

            catch (Exception exception) {
                // If signature generation/verification fails then most likely the .NET CLR security update
                // hasn't been installed and configured correctly or the inbuilt .NET SHA-256 support hasn't been initialized.
                Console.WriteLine(exception.ToString());
            }
        }
예제 #2
0
        private static void SignAndVerify(X509Certificate2 x509Certificate, string digestMethod, string signatureMethod)
        {
            try
            {
                Console.WriteLine("Testing signature generation and verification using \"{0}\".", signatureMethod);

                // Create a basic SAML assertion and serialize it to XML.
                SAMLAssertion samlAssertion = new SAMLAssertion();
                samlAssertion.Issuer = new Issuer("test");
                XmlElement samlAssertionElement = samlAssertion.ToXml();

                // Sign the SAML assertion using the specified digest and signature methods.
                SAMLAssertionSignature.Generate(samlAssertionElement, x509Certificate.PrivateKey, x509Certificate, null, digestMethod, signatureMethod);

                // Verify the signature.
                bool verified = SAMLAssertionSignature.Verify(samlAssertionElement);

                if (!verified)
                {
                    throw new Exception("The XML signature failed to verify.");
                }

                // The HTTP-redirect doesn't use XML signatures so check it separately.
                // Create a basic authn request and serialize it to XML.
                AuthnRequest authnRequest = new AuthnRequest();
                authnRequest.Issuer = new Issuer("test");
                XmlElement authnRequestElement = authnRequest.ToXml();

                // Create the HTTP-redirect URL included the signature.
                string url = HTTPRedirectBinding.CreateRequestRedirectURL("http://www.test.com", authnRequestElement, null, x509Certificate.PrivateKey, signatureMethod);

                string relayState = null;
                bool   signed     = false;

                // Retrieve the authn request from the HTTP-redirect URL and verify the signature.
                HTTPRedirectBinding.GetRequestFromRedirectURL(url, out authnRequestElement, out relayState, out signed, x509Certificate.PublicKey.Key);

                Console.WriteLine("Signature generation and verification using \"{0}\" was successful.", signatureMethod);
            }

            catch (Exception exception)
            {
                Console.WriteLine("Signature generation and verification using \"{0}\" failed.", signatureMethod);
                Console.WriteLine(exception.ToString());
            }
        }
예제 #3
0
        private static XmlElement CreateSamlResponse(string assertionConsumerServiceUrl, List <SAMLAttribute> attributes, string requestId = null, bool signAssertion = false, bool signResponse = false, bool encryptAssertion = false)
        {
            var samlResponse = new SAMLResponse {
                Destination = assertionConsumerServiceUrl
            };
            var issuer = new Issuer(SAMLConfiguration.Current.IdentityProviderConfiguration.Name);
            var issuerX509CertificateFilePath = Path.Combine(HttpRuntime.AppDomainAppPath, SAMLConfiguration.Current.IdentityProviderConfiguration.CertificateFile);
            var issuerX509Certificate         = new X509Certificate2(issuerX509CertificateFilePath, SAMLConfiguration.Current.IdentityProviderConfiguration.CertificatePassword);
            var partner       = SessionHelper.Get <string>(PartnerSpSessionKey) ?? SAMLConfiguration.Current.ServiceProviderConfiguration.Name;
            var partnerConfig = SAMLConfiguration.Current.PartnerServiceProviderConfigurations[partner];
            var partnerX509CertificateFilePath = string.Empty;
            var partnerX509Certificate         = null as X509Certificate2;

            if (partnerConfig != null)
            {
                partnerX509CertificateFilePath = Path.Combine(HttpRuntime.AppDomainAppPath, partnerConfig.CertificateFile);
                partnerX509Certificate         = new X509Certificate2(partnerX509CertificateFilePath);
                signAssertion    = partnerConfig.SignAssertion;
                signResponse     = partnerConfig.SignSAMLResponse;
                encryptAssertion = partnerConfig.EncryptAssertion;
            }

            samlResponse.Issuer       = issuer;
            samlResponse.Status       = new Status(SAMLIdentifiers.PrimaryStatusCodes.Success, null);
            samlResponse.IssueInstant = DateTime.Now;
            samlResponse.InResponseTo = requestId;

            var samlAssertion = new SAMLAssertion {
                Issuer = issuer, IssueInstant = samlResponse.IssueInstant
            };

            var profileId               = attributes.Where(a => a.Name == PortalClaimTypes.ProfileId).Select(a => a.Values[0].ToString()).FirstOrDefault();
            var subject                 = new Subject(new NameID(profileId));
            var subjectConfirmation     = new SubjectConfirmation(SAMLIdentifiers.SubjectConfirmationMethods.Bearer);
            var subjectConfirmationData = new SubjectConfirmationData {
                Recipient = assertionConsumerServiceUrl
            };

            subjectConfirmation.SubjectConfirmationData = subjectConfirmationData;
            subject.SubjectConfirmations.Add(subjectConfirmation);
            samlAssertion.Subject = subject;

            var conditions          = new Conditions(DateTime.Now, DateTime.Now.AddDays(1));
            var audienceRestriction = new AudienceRestriction();

            audienceRestriction.Audiences.Add(new Audience(partner));
            conditions.ConditionsList.Add(audienceRestriction);
            samlAssertion.Conditions = conditions;

            var authnStatement = new AuthnStatement {
                AuthnContext = new AuthnContext(), AuthnInstant = samlResponse.IssueInstant
            };

            authnStatement.AuthnContext.AuthnContextClassRef = new AuthnContextClassRef(SAMLIdentifiers.AuthnContextClasses.X509);
            samlAssertion.Statements.Add(authnStatement);

            attributes.ForEach(a =>
            {
                var attributeStatement = new AttributeStatement();

                attributeStatement.Attributes.Add(a);
                samlAssertion.Statements.Add(attributeStatement);
            });

            var samlAssertionXml = samlAssertion.ToXml();

            if (signAssertion)
            {
                SAMLAssertionSignature.Generate(samlAssertionXml, issuerX509Certificate.PrivateKey, issuerX509Certificate);
            }

            if (encryptAssertion)
            {
                var encryptedAssertion = new EncryptedAssertion(samlAssertionXml, partnerX509Certificate);

                samlResponse.Assertions.Add(encryptedAssertion.ToXml());
            }
            else
            {
                samlResponse.Assertions.Add(samlAssertionXml);
            }

            var samlResponseXml = samlResponse.ToXml();

            if (signResponse)
            {
                SAMLMessageSignature.Generate(samlResponseXml, issuerX509Certificate.PrivateKey, issuerX509Certificate);
            }

            return(samlResponseXml);
        }
예제 #4
0
 private static void SignAssertion(XmlElement xmlElement)
 {
     Console.Error.WriteLine("Signing SAML assertion");
     SAMLAssertionSignature.Generate(xmlElement, x509Certificate.PrivateKey, x509Certificate);
 }