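// Process a successful SAML response.
//
// Extracts the (possibly encrypted) assertion and its subject name identifier, swaps the
// relay-state token for the originally requested URL, and issues the forms-authentication
// cookie for that user.
//
// samlResponse: the SAML response parsed from the IdP's POST (untrusted input).
// relayState:   the opaque relay-state token echoed back by the IdP. It is used only as a
//               cache key; the redirect target comes from this SP's own cache, never from
//               the token itself.
//
// Throws ArgumentException when the response carries no assertion, the subject yields no
// usable name identifier, or the relay-state token is unknown to the cache.
//
// NOTE(review): nothing in this method verifies an XML signature on the response or the
// assertion, and decrypting an assertion proves nothing about who produced it. The caller
// must have verified the IdP signature against the configured IdP certificate (not a
// certificate embedded in the message) before this method runs — confirm.
// NOTE(review): no replay protection here; the sibling ProcessSAMLResponse enforces single
// use via AssertionIDCache and this path should do the same.
private void ProcessSuccessSAMLResponse(SAMLResponse samlResponse, string relayState)
{
    Trace.Write("SP", "Processing successful SAML response");

    // Load the SP decryption key (used only by the encrypted-assertion / EncryptedID paths).
    X509Certificate2 x509Certificate = (X509Certificate2)Application[Global.SPX509Certificate];

    // Extract the asserted identity. An unsigned assertion wins over an encrypted one when
    // both are present; only the first assertion of either kind is considered.
    SAMLAssertion samlAssertion;
    if (samlResponse.GetUnsignedAssertions().Count > 0)
    {
        samlAssertion = samlResponse.GetUnsignedAssertions()[0];
    }
    else if (samlResponse.GetEncryptedAssertions().Count > 0)
    {
        Trace.Write("SP", "Decrypting assertion");
        samlAssertion = samlResponse.GetEncryptedAssertions()[0].Decrypt(x509Certificate.PrivateKey, null, null);
    }
    else
    {
        throw new ArgumentException("No assertions in response");
    }

    // Get the subject name identifier, decrypting an EncryptedID if that is what was sent.
    string userName = null;
    if (samlAssertion.Subject.NameID != null)
    {
        userName = samlAssertion.Subject.NameID.NameIdentifier;
    }
    else if (samlAssertion.Subject.EncryptedID != null)
    {
        Trace.Write("SP", "Decrypting ID");
        NameID nameID = samlAssertion.Subject.EncryptedID.Decrypt(x509Certificate.PrivateKey, null, null);
        userName = nameID.NameIdentifier;
    }

    // An absent OR empty name identifier must not become an authenticated principal; the
    // original only rejected the absent case and would have issued a cookie for "".
    if (string.IsNullOrEmpty(userName))
    {
        throw new ArgumentException("No name in subject");
    }

    // Resolve the relay-state token to the originally requested resource URL. Only URLs that
    // this SP cached itself are honoured, so the IdP cannot steer the post-login redirect.
    RelayState cachedRelayState = RelayStateCache.Remove(relayState);
    if (cachedRelayState == null)
    {
        throw new ArgumentException("Invalid relay state");
    }

    // Create a non-persistent (session) login context for the asserted identity.
    FormsAuthentication.SetAuthCookie(userName, false);

    // Redirect to the originally requested resource URL without ending the response.
    Response.Redirect(cachedRelayState.ResourceURL, false);

    Trace.Write("SP", "Processed successful SAML response");
}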
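// Process the SAML response.
//
// Rejects error responses, takes the first unsigned assertion, enforces single use of that
// assertion, logs the subject in and redirects to the relay-state URL.
//
// samlResponse: the SAML response parsed from the IdP's POST (untrusted input).
// relayState:   the relay-state value echoed back by the IdP. Unlike the cached-token
//               variant, this method uses the value as the redirect target itself, so it is
//               attacker-influenced: it is only honoured when it is a local (app- or
//               root-relative) path, and anything else falls back to the application root
//               rather than becoming an open redirect right after a successful login.
//
// Throws ArgumentException when the response is not a success, carries no assertion, the
// assertion has already been used, or the subject has no NameID.
//
// NOTE(review): no signature verification is visible in this method; the caller must have
// verified the IdP signature against the configured IdP certificate — confirm.
private void ProcessSAMLResponse(SAMLResponse samlResponse, string relayState)
{
    Trace.Write("SP", "Processing SAML response");

    // Check whether the SAML response indicates success.
    if (!samlResponse.IsSuccess())
    {
        throw new ArgumentException("Received error response");
    }

    // Extract the asserted identity; only the first unsigned assertion is considered.
    if (samlResponse.GetUnsignedAssertions().Count == 0)
    {
        throw new ArgumentException("No assertions in response");
    }
    SAMLAssertion samlAssertion = samlResponse.GetUnsignedAssertions()[0];

    // Enforce single use of the SAML assertion (replay protection on the assertion ID).
    if (!AssertionIDCache.Add(samlAssertion))
    {
        throw new ArgumentException("The SAML assertion has already been used");
    }

    // Get the subject name identifier.
    if (samlAssertion.Subject.NameID == null)
    {
        throw new ArgumentException("No name in subject");
    }
    string userName = samlAssertion.Subject.NameID.NameIdentifier;

    // Create a non-persistent (session) login context for the asserted identity.
    FormsAuthentication.SetAuthCookie(userName, false);

    // Redirect to the requested URL, but never off-site.
    string redirectURL = relayState;
    if (!IsLocalRedirectTarget(redirectURL))
    {
        Trace.Write("SP", "Ignoring non-local relay state; redirecting to the default page");
        redirectURL = "~/";
    }
    Response.Redirect(redirectURL, false);

    Trace.Write("SP", "Processed successful SAML response");
}

// Returns true only for URLs that stay inside this application: app-relative ("~/...") or
// root-relative ("/...") paths. Absolute URLs and protocol-relative forms ("//host",
// "/\host", "~//host"), which browsers treat as a different origin, are rejected.
private static bool IsLocalRedirectTarget(string url)
{
    if (string.IsNullOrWhiteSpace(url))
    {
        return false;
    }

    string path;
    if (url.StartsWith("~/", StringComparison.Ordinal))
    {
        path = url.Substring(1);
    }
    else if (url.StartsWith("/", StringComparison.Ordinal))
    {
        path = url;
    }
    else
    {
        return false;
    }

    // A second leading '/' or '\' turns the path into a network-path reference ("//host").
    return path.Length == 1 || (path[1] != '/' && path[1] != '\\');
}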
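// Process a successful SAML response.
//
// Extracts the first assertion — plain, signed, or encrypted (and optionally signed after
// decryption) — takes the subject NameID, logs the user in, and redirects to the cached
// relay-state URL or to the application root when no relay state was cached.
//
// samlResponse: the SAML response parsed from the IdP's POST (untrusted input).
// relayState:   the opaque relay-state token echoed back by the IdP; used only as a cache
//               key, never as a redirect target.
//
// Throws ArgumentException when the response carries no assertion, an assertion signature
// fails to verify, or the subject carries no (non-empty) NameID.
//
// NOTE(review): the unsigned-assertion branch is tried first and performs no verification,
// so an unsigned assertion is accepted on the strength of whatever the caller verified at
// the response level — confirm a response-level signature check always precedes this call.
// NOTE(review): signature verification below uses "the embedded signing certificate", i.e.
// the certificate carried in the message's own KeyInfo. That proves the signature is
// self-consistent, not that the configured IdP produced it; trust must be anchored in the
// configured IdP certificate (or a check that the embedded certificate matches it) — confirm.
// NOTE(review): no replay protection here; the sibling ProcessSAMLResponse enforces single
// use via AssertionIDCache and this path should do the same.
private void ProcessSuccessSAMLResponse(SAMLResponse samlResponse, string relayState)
{
    Trace.Write("SP", "Processing successful SAML response");

    // Extract the asserted identity. Only the first assertion of the first matching kind
    // (unsigned, then signed, then encrypted) is considered.
    SAMLAssertion samlAssertion;
    if (samlResponse.GetUnsignedAssertions().Count > 0)
    {
        samlAssertion = samlResponse.GetUnsignedAssertions()[0];
    }
    else if (samlResponse.GetSignedAssertions().Count > 0)
    {
        XmlElement samlAssertionXml = samlResponse.GetSignedAssertions()[0];
        VerifyAssertionSignatureOrThrow(samlAssertionXml);
        samlAssertion = new SAMLAssertion(samlAssertionXml);
    }
    else if (samlResponse.GetEncryptedAssertions().Count > 0)
    {
        Trace.Write("SP", "Decrypting assertion");

        // Load the SP decryption key.
        X509Certificate2 x509Certificate = (X509Certificate2)Application[Global.SPX509Certificate];

        // Decrypt the encrypted assertion; the plaintext may itself carry a signature.
        XmlElement samlAssertionXml = samlResponse.GetEncryptedAssertions()[0].DecryptToXml(x509Certificate.PrivateKey, null, null);
        if (SAMLAssertionSignature.IsSigned(samlAssertionXml))
        {
            VerifyAssertionSignatureOrThrow(samlAssertionXml);
        }
        samlAssertion = new SAMLAssertion(samlAssertionXml);
    }
    else
    {
        throw new ArgumentException("No assertions in response");
    }

    // Get the subject name identifier; an absent or empty name must not become a principal.
    string userName = null;
    if (samlAssertion.Subject.NameID != null)
    {
        userName = samlAssertion.Subject.NameID.NameIdentifier;
    }
    if (string.IsNullOrEmpty(userName))
    {
        throw new ArgumentException("The SAML assertion doesn't contain a subject name.");
    }

    // Create a non-persistent (session) login context for the asserted identity.
    Trace.Write("SP", "Automatically logging in user " + userName);
    FormsAuthentication.SetAuthCookie(userName, false);

    // Resolve the relay-state token to the originally requested resource URL, if any. Only
    // URLs this SP cached itself are honoured; an unknown token falls back to the root.
    string redirectURL = "~/";
    RelayState cachedRelayState = RelayStateCache.Remove(relayState);
    if (cachedRelayState != null)
    {
        redirectURL = cachedRelayState.ResourceURL;
    }

    // Redirect to the originally requested resource URL, if any, or the default page.
    Trace.Write("SP", "Redirecting to " + redirectURL);
    Response.Redirect(redirectURL, false);

    Trace.Write("SP", "Processed successful SAML response");
}

// Verifies the XML signature on a SAML assertion element, throwing ArgumentException when it
// does not verify. Shared by the signed and encrypted-then-signed branches above.
private void VerifyAssertionSignatureOrThrow(XmlElement samlAssertionXml)
{
    Trace.Write("SP", "Verifying assertion signature");

    // Verify the assertion signature. The embedded signing certificate is used.
    if (!SAMLAssertionSignature.Verify(samlAssertionXml))
    {
        throw new ArgumentException("The SAML assertion signature failed to verify.");
    }
}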