private SAMLAuthnResponse CreateAuthnResponse(string strIssuer, string strResponseString, string strRelayState) { return(new SAMLAuthnResponse { // Response-String with SAML Assertion SAMLResponse = strResponseString, // RelayState as submitted in the AuthnRequest RelayState = strRelayState, // Target URL for the AuthnResponse SAMLAssertionConsumerServiceURL = SingleSignOnConfiguration.GetAssertionConsumerServiceURLByRequestIssuer(strIssuer) }); }
private XElement CreateResponseElement(string strRequestId, string strIssuerURN) { string strIssueInstantTimeStamp = UserContext.Current.Now.ToUniversalTime().ToString("O"); /* <saml2p:Response Destination="https://feds.eiam.admin.ch/adfs/ls/" * ID="Response_f21ccc44a172149d99dce0b83b059918808bf460" * InResponseTo="id-6250a3ec-0a4a-4305-ab59-6397c0d93da4" * IssueInstant="2015-01-12T17:34:26.875Z" * Version="2.0" * xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"> */ return(new XElement(SAML_PROTOCOL_NAMESPACE + "Response", new XAttribute("Destination", SingleSignOnConfiguration.GetAssertionConsumerServiceURLByRequestIssuer(strIssuerURN)), new XAttribute("ID", string.Format("Response_{0}", Guid.NewGuid())), new XAttribute("InResponseTo", strRequestId), new XAttribute("IssueInstant", strIssueInstantTimeStamp), new XAttribute("Version", "2.0"), new XAttribute(XNamespace.Xmlns + SAML_PROTOCOL_NAMESPACE_PREFIX, SAML_PROTOCOL_NAMESPACE))); }
internal SAMLAuthnResponse CreateResponse(SAMLAuthnRequest request, params SAMLAssertionAttribute[] additionalAttributes) { if (request == null) { throw new ArgumentNullException("request"); } /* Extracting AuthnRequest values */ // Convert request string to xml-format XDocument samlXmlDocument = XDocument.Parse(request.SAMLRequest); XElement elementRequest = samlXmlDocument.Element(SAML_PROTOCOL_NAMESPACE + "AuthnRequest"); if (elementRequest == null) { throw new InvalidOperationException("Missing root element 'AuthnRequest'."); } // Extract element and attribute values string strRequestID = (string)elementRequest.Attribute("ID"); string strVersion = (string)elementRequest.Attribute("Version"); string strDestination = (string)elementRequest.Attribute("Destination"); string strIssuer = (string)elementRequest.Element(SAML_ASSERTION_NAMESPACE + "Issuer"); /* Checking AuthnRequest values */ // Check ID Attribute if (string.IsNullOrWhiteSpace(strRequestID)) { throw new InvalidOperationException("Attribute 'ID' of the <AuthnRequest/> element is not present."); } // Check Request Method if (request.HttpMethod != "POST") { // Only POST requests are accepted string strStatusMessage = string.Format("SAMLAuthnRequest was made via HttpMethod '{0}' when only HttpMethod 'POST' is supported.", request.HttpMethod); return(CreateFailureResponse(request, strRequestID, strIssuer, SAMLTopLevelStatusCode.SAML_TOPLEVEL_STATUSCODE_REQUESTER, strStatusMessage, SAMLSecondLevelStatusCode.SAML_SECONDLEVEL_STATUSCODE_REQUESTUNSUPPORTED)); } // Check Version if (strVersion != SAML_VERSION) { string strStatusMessage = string.Format("Version of SAMLAuthnRequest was '{0}' but only Version '2.0' is supported.", strVersion); return(CreateFailureResponse(request, strRequestID, strIssuer, SAMLTopLevelStatusCode.SAML_TOPLEVEL_STATUSCODE_VERSION_MISMATCH, strStatusMessage, SAMLSecondLevelStatusCode.SAML_SECONDLEVEL_STATUSCODE_REQUESTVERSIONDEPRECATED)); } // Check Destination string strSamlServiceLocationURL = SystemSettings <SingleSignOnSystemSettings> .Current.SamlServiceLocationURL; if (string.IsNullOrWhiteSpace(strSamlServiceLocationURL)) { AdeNetSingleSignOn.Log.Warn("The SamlServiceLocationURL for SingleSignOn on the IdentityProvider is not configured in the systemsettings."); } else if (!string.Equals(strDestination, strSamlServiceLocationURL, StringComparison.InvariantCultureIgnoreCase)) { string strStatusMessage = string.Format("SAMLAuthnRequest Destination-Attribute with value '{0}' does not match the configured url in the systemsettings with value '{1}'.", strDestination, SystemSettings <SingleSignOnSystemSettings> .Current.SamlServiceLocationURL); return(CreateFailureResponse(request, strRequestID, strIssuer, SAMLTopLevelStatusCode.SAML_TOPLEVEL_STATUSCODE_REQUESTER, strStatusMessage, SAMLSecondLevelStatusCode.SAML_SECONDLEVEL_STATUSCODE_REQUESTUNSUPPORTED)); } // Check Issuer if (!SingleSignOnConfiguration.IsRequestIssuerConfigured()) { throw new Exception("SAMLAuthnResponse cannot be transmitted because there is no SamlRequestIssuer configured in the systemsettings."); } ValidateResult resultRequestIssuer = SingleSignOnConfiguration.IsValidRequestIssuer(strIssuer); if (!resultRequestIssuer.Valid) { return(CreateFailureResponse(request, strRequestID, strIssuer, SAMLTopLevelStatusCode.SAML_TOPLEVEL_STATUSCODE_REQUESTER, resultRequestIssuer.Message)); } if (UserContext.Current.IsAnonymous) { // No Single Sign On information found return(CreateFailureResponse(request, strRequestID, strIssuer, SAMLTopLevelStatusCode.SAML_TOPLEVEL_STATUSCODE_RESPONDER, "SingleSignOn Authentication failed. No user information available from prior user authentication.", SAMLSecondLevelStatusCode.SAML_SECONDLEVEL_STATUSCODE_AUTHNFAILED)); } // Validate Request Certificate ValidateResult result = ValidateAuthnRequest(request); if (!result) { return(CreateFailureResponse(request, strRequestID, strIssuer, SAMLTopLevelStatusCode.SAML_TOPLEVEL_STATUSCODE_REQUESTER, result.Message, SAMLSecondLevelStatusCode.SAML_SECONDLEVEL_STATUSCODE_REQUESTDENIED)); } return(CreateSuccessResponse(strRequestID, strIssuer, request.RelayState, additionalAttributes)); }
private SAMLAuthnResponse CreateSuccessResponse(string strRequestId, string strIssuerURN, string strRelayState, params SAMLAssertionAttribute[] additionalAttributes) { string strIssueInstantTimeStamp = UserContext.Current.Now.ToUniversalTime().ToString("O"); string strValidUntilTimeStamp = UserContext.Current.Now.AddMinutes(5).ToUniversalTime().ToString("O"); XNamespace nsXmlSchema = "http://www.w3.org/2001/XMLSchema"; XNamespace nsXmlSchemaInstance = "http://www.w3.org/2001/XMLSchema-instance"; string strAssertionElementName = "Assertion"; // Response - Root-Element XElement elementResponse = CreateResponseElement(strRequestId, strIssuerURN); // Response Issuer // <saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">http://www.partnerweb.ch/AKXYZ/</saml2:Issuer> XElement elementResponseIssuer = new XElement(SAML_ASSERTION_NAMESPACE + "Issuer", SystemSettings <SingleSignOnSystemSettings> .Current.SamlServiceEntityId, new XAttribute(XNamespace.Xmlns + SAML_ASSERTION_NAMESPACE_PREFIX, SAML_ASSERTION_NAMESPACE)); elementResponse.Add(elementResponseIssuer); // Status Element elementResponse.Add(CreateStatusElement(SAMLTopLevelStatusCode.SAML_TOPLEVEL_STATUSCODE_SUCCESS)); // Assertion Element string strAssertionId = string.Format("{0}_{1}", strAssertionElementName, Guid.NewGuid()); XElement elementResponseAssertion = new XElement(SAML_ASSERTION_NAMESPACE + strAssertionElementName, new XAttribute("ID", strAssertionId), new XAttribute("IssueInstant", strIssueInstantTimeStamp), new XAttribute("Version", "2.0"), new XAttribute(XNamespace.Xmlns + SAML_ASSERTION_NAMESPACE_PREFIX, SAML_ASSERTION_NAMESPACE), new XAttribute(XNamespace.Xmlns + "xs", nsXmlSchema), new XElement(SAML_ASSERTION_NAMESPACE + "Issuer", SystemSettings <SingleSignOnSystemSettings> .Current.SamlServiceEntityId) ); // Subject Element XElement elementAssertionSubject = new XElement(SAML_ASSERTION_NAMESPACE + "Subject", new XElement(SAML_ASSERTION_NAMESPACE + "NameID", UserContext.Current.Login, new XAttribute("Format", SAML_ASSERTION_SUBJECT_NAMEID_FORMAT)), new XElement(SAML_ASSERTION_NAMESPACE + "SubjectConfirmation", new XAttribute("Method", SAML_ASSERTION_SUBJECT_CONFIRMATION_METHOD), new XElement(SAML_ASSERTION_NAMESPACE + "SubjectConfirmationData", new XAttribute("InResponseTo", strRequestId), new XAttribute("NotOnOrAfter", strValidUntilTimeStamp), new XAttribute("Recipient", SingleSignOnConfiguration.GetAssertionConsumerServiceURLByRequestIssuer(strIssuerURN))))); elementResponseAssertion.Add(elementAssertionSubject); // Conditions Element XElement elementAssertionConditions = new XElement(SAML_ASSERTION_NAMESPACE + "Conditions", new XAttribute("NotBefore", strIssueInstantTimeStamp), new XAttribute("NotOnOrAfter", strValidUntilTimeStamp), new XElement(SAML_ASSERTION_NAMESPACE + "AudienceRestriction", new XElement(SAML_ASSERTION_NAMESPACE + "Audience", strIssuerURN))); elementResponseAssertion.Add(elementAssertionConditions); // AuthnStatement Element XElement elementAssertionAuthnStatement = new XElement(SAML_ASSERTION_NAMESPACE + "AuthnStatement", new XAttribute("AuthnInstant", strIssueInstantTimeStamp), new XElement(SAML_ASSERTION_NAMESPACE + "AuthnContext", new XElement(SAML_ASSERTION_NAMESPACE + "AuthnContextClassRef", SAML_ASSERTION_AUTHNCONTEXTCLASSREF))); elementResponseAssertion.Add(elementAssertionAuthnStatement); // AttributeStatement Element XElement elementAssertionAttributeStatement = new XElement(SAML_ASSERTION_NAMESPACE + "AttributeStatement", new XElement(SAML_ASSERTION_NAMESPACE + "Attribute", new XAttribute("Name", GIVEN_NAME_ASSERTION_ATTRIBUTE_NAME), new XElement(SAML_ASSERTION_NAMESPACE + "AttributeValue", UserContext.Current.FirstName, new XAttribute(XNamespace.Xmlns + "xsi", nsXmlSchemaInstance), new XAttribute(nsXmlSchemaInstance + "Type", "xs:string") ) ), new XElement(SAML_ASSERTION_NAMESPACE + "Attribute", new XAttribute("Name", SURNAME_ASSERTION_ATTRIBUTE_NAME), new XElement(SAML_ASSERTION_NAMESPACE + "AttributeValue", UserContext.Current.LastName, new XAttribute(XNamespace.Xmlns + "xsi", nsXmlSchemaInstance), new XAttribute(nsXmlSchemaInstance + "Type", "xs:string") ) ), new XElement(SAML_ASSERTION_NAMESPACE + "Attribute", new XAttribute("Name", NAME_ASSERTION_ATTRIBUTE_NAME), new XElement(SAML_ASSERTION_NAMESPACE + "AttributeValue", UserContext.Current.Login, new XAttribute(XNamespace.Xmlns + "xsi", nsXmlSchemaInstance), new XAttribute(nsXmlSchemaInstance + "Type", "xs:string") ) ), new XElement(SAML_ASSERTION_NAMESPACE + "Attribute", new XAttribute("Name", EMAIL_ADDRESS_ASSERTION_ATTRIBUTE_NAME), new XElement(SAML_ASSERTION_NAMESPACE + "AttributeValue", UserContext.Current.EMail, new XAttribute(XNamespace.Xmlns + "xsi", nsXmlSchemaInstance), new XAttribute(nsXmlSchemaInstance + "Type", "xs:string") ) ), new XElement(SAML_ASSERTION_NAMESPACE + "Attribute", new XAttribute("Name", COMPANY_SUBNR_ASSERTION_ATTRIBUTE_NAME), new XElement(SAML_ASSERTION_NAMESPACE + "AttributeValue", UserContext.Current.CompanySubNr, new XAttribute(XNamespace.Xmlns + "xsi", nsXmlSchemaInstance), new XAttribute(nsXmlSchemaInstance + "Type", "xs:string") ) ), new XElement(SAML_ASSERTION_NAMESPACE + "Attribute", new XAttribute("Name", SPCD_ASSERTION_ATTRIBUTE_NAME), new XElement(SAML_ASSERTION_NAMESPACE + "AttributeValue", UserContext.Current.SpCd, new XAttribute(XNamespace.Xmlns + "xsi", nsXmlSchemaInstance), new XAttribute(nsXmlSchemaInstance + "Type", "xs:string") ) ) ); if (additionalAttributes != null) { // Add Attributes to the <AttributeStatement /> element foreach (SAMLAssertionAttribute samlAssertionAttribute in additionalAttributes) { elementAssertionAttributeStatement.Add( new XElement(SAML_ASSERTION_NAMESPACE + "Attribute", new XAttribute("Name", samlAssertionAttribute.Name), new XElement(SAML_ASSERTION_NAMESPACE + "AttributeValue", samlAssertionAttribute.Value, new XAttribute(XNamespace.Xmlns + "xsi", nsXmlSchemaInstance), new XAttribute(nsXmlSchemaInstance + "Type", "xs:string") ) ) ); } } // Add AttributeStatement Element to Assertion Element elementResponseAssertion.Add(elementAssertionAttributeStatement); // Add Assertion Element to the Response Element elementResponse.Add(elementResponseAssertion); // Create Response XDocument samlResponseXml = new XDocument(elementResponse); // Sign Assertion Element string strSignedXmlResponseString = CreateSignedDocumentString(samlResponseXml, strAssertionElementName, SAML_ASSERTION_NAMESPACE_PREFIX, SAML_ASSERTION_NAMESPACE.NamespaceName, "#" + strAssertionId); return(CreateAuthnResponse(strIssuerURN, strSignedXmlResponseString, strRelayState)); }