private static void VerifyAssertion(XmlElement xmlElement)
{
Console.Error.WriteLine("Verifying SAML assertion");
if (SAMLAssertionSignature.IsSigned(xmlElement))
{
bool verified = SAMLAssertionSignature.Verify(xmlElement, x509Certificate);
Console.Error.WriteLine("Verified: " + verified);
}
else
{
Console.Error.WriteLine("The SAML assertion isn't signed");
}
}
static void Main(string[] args)
{
try {
#if DOTNET45
// Register the SHA-256 cryptographic algorithm.
// Only supported in .NET 4.5 and above.
CryptoConfig.AddAlgorithm(typeof(RSAPKCS1SHA256SignatureDescription), "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256");
#endif
// Load the certificate and private key for signature generation.
X509Certificate2 x509Certificate = new X509Certificate2("idp.pfx", "password");
// Create a basic SAML assertion and serialize it to XML.
SAMLAssertion samlAssertion = new SAMLAssertion();
samlAssertion.Issuer = new Issuer("test");
XmlElement samlAssertionElement = samlAssertion.ToXml();
// Sign the SAML assertion using SHA-256 for the digest and signature algorithms.
SAMLAssertionSignature.Generate(samlAssertionElement, x509Certificate.PrivateKey, x509Certificate, null, "http://www.w3.org/2001/04/xmlenc#sha256", "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256");
Console.WriteLine("Signed SAML assertion: {0}", samlAssertionElement.OuterXml);
// Verify the signature.
bool verified = SAMLAssertionSignature.Verify(samlAssertionElement);
Console.WriteLine("Signature verified: {0}", verified);
// The HTTP-redirect doesn't use XML signatures so check it separately.
// Create a basic authn request and serialize it to XML.
AuthnRequest authnRequest = new AuthnRequest();
authnRequest.Issuer = new Issuer("test");
XmlElement authnRequestElement = authnRequest.ToXml();
// Create the HTTP-redirect URL included the SHA-256 signature.
string url = HTTPRedirectBinding.CreateRequestRedirectURL("http://www.test.com", authnRequestElement, null, x509Certificate.PrivateKey, HTTPRedirectBinding.SignatureAlgorithms.RSA_SHA256);
string relayState = null;
bool signed = false;
// Retrieve the authn request from the HTTP-redirect URL and verify the signature.
HTTPRedirectBinding.GetRequestFromRedirectURL(url, out authnRequestElement, out relayState, out signed, x509Certificate.PublicKey.Key);
}
catch (Exception exception) {
// If signature generation/verification fails then most likely the .NET CLR security update
// hasn't been installed and configured correctly or the inbuilt .NET SHA-256 support hasn't been initialized.
Console.WriteLine(exception.ToString());
}
}
private static void SignAndVerify(X509Certificate2 x509Certificate, string digestMethod, string signatureMethod)
{
try
{
Console.WriteLine("Testing signature generation and verification using \"{0}\".", signatureMethod);
// Create a basic SAML assertion and serialize it to XML.
SAMLAssertion samlAssertion = new SAMLAssertion();
samlAssertion.Issuer = new Issuer("test");
XmlElement samlAssertionElement = samlAssertion.ToXml();
// Sign the SAML assertion using the specified digest and signature methods.
SAMLAssertionSignature.Generate(samlAssertionElement, x509Certificate.PrivateKey, x509Certificate, null, digestMethod, signatureMethod);
// Verify the signature.
bool verified = SAMLAssertionSignature.Verify(samlAssertionElement);
if (!verified)
{
throw new Exception("The XML signature failed to verify.");
}
// The HTTP-redirect doesn't use XML signatures so check it separately.
// Create a basic authn request and serialize it to XML.
AuthnRequest authnRequest = new AuthnRequest();
authnRequest.Issuer = new Issuer("test");
XmlElement authnRequestElement = authnRequest.ToXml();
// Create the HTTP-redirect URL included the signature.
string url = HTTPRedirectBinding.CreateRequestRedirectURL("http://www.test.com", authnRequestElement, null, x509Certificate.PrivateKey, signatureMethod);
string relayState = null;
bool signed = false;
// Retrieve the authn request from the HTTP-redirect URL and verify the signature.
HTTPRedirectBinding.GetRequestFromRedirectURL(url, out authnRequestElement, out relayState, out signed, x509Certificate.PublicKey.Key);
Console.WriteLine("Signature generation and verification using \"{0}\" was successful.", signatureMethod);
}
catch (Exception exception)
{
Console.WriteLine("Signature generation and verification using \"{0}\" failed.", signatureMethod);
Console.WriteLine(exception.ToString());
}
}
// Process a successful SAML response.
private void ProcessSuccessSAMLResponse(SAMLResponse samlResponse, string relayState)
{
Trace.Write("SP", "Processing successful SAML response");
// Extract the asserted identity from the SAML response.
// The SAML assertion may be signed or encrypted and signed.
SAMLAssertion samlAssertion = null;
if (samlResponse.GetUnsignedAssertions().Count > 0)
{
samlAssertion = samlResponse.GetUnsignedAssertions()[0];
}
else if (samlResponse.GetSignedAssertions().Count > 0)
{
Trace.Write("SP", "Verifying assertion signature");
XmlElement samlAssertionXml = samlResponse.GetSignedAssertions()[0];
// Verify the assertion signature. The embedded signing certificate is used.
if (!SAMLAssertionSignature.Verify(samlAssertionXml))
{
throw new ArgumentException("The SAML assertion signature failed to verify.");
}
samlAssertion = new SAMLAssertion(samlAssertionXml);
}
else if (samlResponse.GetEncryptedAssertions().Count > 0)
{
Trace.Write("SP", "Decrypting assertion");
// Load the decryption key.
X509Certificate2 x509Certificate = (X509Certificate2)Application[Global.SPX509Certificate];
// Decrypt the encrypted assertion.
XmlElement samlAssertionXml = samlResponse.GetEncryptedAssertions()[0].DecryptToXml(x509Certificate.PrivateKey, null, null);
if (SAMLAssertionSignature.IsSigned(samlAssertionXml))
{
Trace.Write("SP", "Verifying assertion signature");
// Verify the assertion signature. The embedded signing certificate is used.
if (!SAMLAssertionSignature.Verify(samlAssertionXml))
{
throw new ArgumentException("The SAML assertion signature failed to verify.");
}
}
samlAssertion = new SAMLAssertion(samlAssertionXml);
}
else
{
throw new ArgumentException("No assertions in response");
}
// Get the subject name identifier.
string userName = null;
if (samlAssertion.Subject.NameID != null)
{
userName = samlAssertion.Subject.NameID.NameIdentifier;
}
if (string.IsNullOrEmpty(userName))
{
throw new ArgumentException("The SAML assertion doesn't contain a subject name.");
}
// Create a login context for the asserted identity.
Trace.Write("SP", "Automatically logging in user " + userName);
FormsAuthentication.SetAuthCookie(userName, false);
// Get the originally requested resource URL from the relay state, if any.
string redirectURL = "~/";
RelayState cachedRelayState = RelayStateCache.Remove(relayState);
if (cachedRelayState != null)
{
redirectURL = cachedRelayState.ResourceURL;
}
// Redirect to the originally requested resource URL, if any, or the default page.
Trace.Write("SP", "Redirecting to " + redirectURL);
Response.Redirect(redirectURL, false);
Trace.Write("SP", "Processed successful SAML response");
}
private static XmlElement CreateSamlResponse(string assertionConsumerServiceUrl, List <SAMLAttribute> attributes, string requestId = null, bool signAssertion = false, bool signResponse = false, bool encryptAssertion = false)
{
var samlResponse = new SAMLResponse {
Destination = assertionConsumerServiceUrl
};
var issuer = new Issuer(SAMLConfiguration.Current.IdentityProviderConfiguration.Name);
var issuerX509CertificateFilePath = Path.Combine(HttpRuntime.AppDomainAppPath, SAMLConfiguration.Current.IdentityProviderConfiguration.CertificateFile);
var issuerX509Certificate = new X509Certificate2(issuerX509CertificateFilePath, SAMLConfiguration.Current.IdentityProviderConfiguration.CertificatePassword);
var partner = SessionHelper.Get <string>(PartnerSpSessionKey) ?? SAMLConfiguration.Current.ServiceProviderConfiguration.Name;
var partnerConfig = SAMLConfiguration.Current.PartnerServiceProviderConfigurations[partner];
var partnerX509CertificateFilePath = string.Empty;
var partnerX509Certificate = null as X509Certificate2;
if (partnerConfig != null)
{
partnerX509CertificateFilePath = Path.Combine(HttpRuntime.AppDomainAppPath, partnerConfig.CertificateFile);
partnerX509Certificate = new X509Certificate2(partnerX509CertificateFilePath);
signAssertion = partnerConfig.SignAssertion;
signResponse = partnerConfig.SignSAMLResponse;
encryptAssertion = partnerConfig.EncryptAssertion;
}
samlResponse.Issuer = issuer;
samlResponse.Status = new Status(SAMLIdentifiers.PrimaryStatusCodes.Success, null);
samlResponse.IssueInstant = DateTime.Now;
samlResponse.InResponseTo = requestId;
var samlAssertion = new SAMLAssertion {
Issuer = issuer, IssueInstant = samlResponse.IssueInstant
};
var profileId = attributes.Where(a => a.Name == PortalClaimTypes.ProfileId).Select(a => a.Values[0].ToString()).FirstOrDefault();
var subject = new Subject(new NameID(profileId));
var subjectConfirmation = new SubjectConfirmation(SAMLIdentifiers.SubjectConfirmationMethods.Bearer);
var subjectConfirmationData = new SubjectConfirmationData {
Recipient = assertionConsumerServiceUrl
};
subjectConfirmation.SubjectConfirmationData = subjectConfirmationData;
subject.SubjectConfirmations.Add(subjectConfirmation);
samlAssertion.Subject = subject;
var conditions = new Conditions(DateTime.Now, DateTime.Now.AddDays(1));
var audienceRestriction = new AudienceRestriction();
audienceRestriction.Audiences.Add(new Audience(partner));
conditions.ConditionsList.Add(audienceRestriction);
samlAssertion.Conditions = conditions;
var authnStatement = new AuthnStatement {
AuthnContext = new AuthnContext(), AuthnInstant = samlResponse.IssueInstant
};
authnStatement.AuthnContext.AuthnContextClassRef = new AuthnContextClassRef(SAMLIdentifiers.AuthnContextClasses.X509);
samlAssertion.Statements.Add(authnStatement);
attributes.ForEach(a =>
{
var attributeStatement = new AttributeStatement();
attributeStatement.Attributes.Add(a);
samlAssertion.Statements.Add(attributeStatement);
});
var samlAssertionXml = samlAssertion.ToXml();
if (signAssertion)
{
SAMLAssertionSignature.Generate(samlAssertionXml, issuerX509Certificate.PrivateKey, issuerX509Certificate);
}
if (encryptAssertion)
{
var encryptedAssertion = new EncryptedAssertion(samlAssertionXml, partnerX509Certificate);
samlResponse.Assertions.Add(encryptedAssertion.ToXml());
}
else
{
samlResponse.Assertions.Add(samlAssertionXml);
}
var samlResponseXml = samlResponse.ToXml();
if (signResponse)
{
SAMLMessageSignature.Generate(samlResponseXml, issuerX509Certificate.PrivateKey, issuerX509Certificate);
}
return(samlResponseXml);
}
public ActionResult UploadSaml(FormCollection formCollection)
{
var attributes = new List <SAMLAttribute>();
var errorMessages = new List <string>();
var xmlDoc = null as XmlDocument;
SessionHelper.Set(SamlAttributesSessionKey, null);
SessionHelper.Set(SamlErrorMessagesSessionKey, null);
if (Request != null)
{
var file = Request.Files["SamlFile"];
if ((file != null) && (file.ContentLength > 0) && !string.IsNullOrEmpty(file.FileName))
{
try
{
xmlDoc = new XmlDocument();
xmlDoc.Load(file.InputStream);
var samlValidator = new SAMLValidator();
var isValid = samlValidator.Validate(xmlDoc);
if (!isValid)
{
errorMessages.AddRange(samlValidator.Warnings.Select(warning => string.Format("Warning:, {0}", warning.Message)));
errorMessages.AddRange(samlValidator.Errors.Select(error => error.Message));
}
if (SAMLMessageSignature.IsSigned(xmlDoc.DocumentElement))
{
if (!SAMLMessageSignature.Verify(xmlDoc.DocumentElement))
{
errorMessages.Add(string.Format("Failed to verify SAML response signature. [{0}]", xmlDoc.OuterXml));
}
}
var samlResponse = new SAMLResponse(xmlDoc.DocumentElement);
var assertions = samlResponse.GetAssertions();
var encryptedAssertions = samlResponse.GetEncryptedAssertions();
var signedAssertions = samlResponse.GetSignedAssertions();
var x509CertificateFilePath = Path.Combine(HttpRuntime.AppDomainAppPath, SAMLConfiguration.Current.ServiceProviderConfiguration.CertificateFile);
var x509Certificate = new X509Certificate2(x509CertificateFilePath, SAMLConfiguration.Current.ServiceProviderConfiguration.CertificatePassword);
encryptedAssertions.ForEach(a =>
{
var decryptedAssertion = a.DecryptToXml(x509Certificate);
assertions.Add(new SAMLAssertion(decryptedAssertion));
});
signedAssertions.ForEach(a =>
{
if (SAMLAssertionSignature.IsSigned(a))
{
if (!SAMLAssertionSignature.Verify(a))
{
errorMessages.Add(string.Format("Failed to verify SAML assertion signature. [{0}]", a.OuterXml));
}
}
assertions.Add(new SAMLAssertion(a));
});
assertions.ForEach(a =>
{
var nameId = a.GetNameID();
if (!string.IsNullOrEmpty(nameId))
{
attributes.Add("NameId", nameId);
}
a.GetAttributeStatements().ForEach(
s => attributes.AddRange(from object attribute in s.Attributes
select attribute as SAMLAttribute));
});
}
catch (Exception ex)
{
var saml = xmlDoc != null ? xmlDoc.OuterXml : string.Empty;
_logger.Log(ex);
errorMessages.Add(string.Format("{0} [{1}]", ex.Message, saml));
}
}
}
SessionHelper.Set(SamlAttributesSessionKey, attributes.ToArray());
SessionHelper.Set(SamlErrorMessagesSessionKey, errorMessages);
return(Redirect(TestTargetUrl));
}
private static void SignAssertion(XmlElement xmlElement)
{
Console.Error.WriteLine("Signing SAML assertion");
SAMLAssertionSignature.Generate(xmlElement, x509Certificate.PrivateKey, x509Certificate);
}
