private void TransferClient(IDPEndPoint idpEndpoint, Saml20AuthnRequest request, HttpContext context)
{
AuditLogging.AssertionId = request.ID;
AuditLogging.IdpId = idpEndpoint.Id;
//Set the last IDP we attempted to login at.
context.Session[IDPTempSessionKey]= idpEndpoint.Id;
// Determine which endpoint to use from the configuration file or the endpoint metadata.
IDPEndPointElement destination =
DetermineEndpointConfiguration(SAMLBinding.REDIRECT, idpEndpoint.SSOEndpoint, idpEndpoint.metadata.SSOEndpoints());
request.Destination = destination.Url;
if (idpEndpoint.ForceAuthn)
request.ForceAuthn = true;
object isPassiveFlag = context.Session[IDPIsPassive];
if (isPassiveFlag != null && (bool)isPassiveFlag)
{
request.IsPassive = true;
context.Session[IDPIsPassive] = null;
}
if (idpEndpoint.IsPassive)
request.IsPassive = true;
object forceAuthnFlag = context.Session[IDPForceAuthn];
if (forceAuthnFlag != null && (bool)forceAuthnFlag)
{
request.ForceAuthn = true;
context.Session[IDPForceAuthn] = null;
}
if (idpEndpoint.SSOEndpoint != null)
{
if (!string.IsNullOrEmpty(idpEndpoint.SSOEndpoint.ForceProtocolBinding))
{
request.ProtocolBinding = idpEndpoint.SSOEndpoint.ForceProtocolBinding;
}
}
//Save request message id to session
context.Session.Add(ExpectedInResponseToSessionKey, request.ID);
if (destination.Binding == SAMLBinding.REDIRECT)
{
Trace.TraceData(TraceEventType.Information, string.Format(Tracing.SendAuthnRequest, Saml20Constants.ProtocolBindings.HTTP_Redirect, idpEndpoint.Id));
HttpRedirectBindingBuilder builder = new HttpRedirectBindingBuilder();
builder.signingKey = _certificate.PrivateKey;
builder.Request = request.GetXml().OuterXml;
string s = request.Destination + "?" + builder.ToQuery();
AuditLogging.logEntry(Direction.OUT, Operation.AUTHNREQUEST_REDIRECT, "Redirecting user to IdP for authentication", builder.Request);
context.Response.Redirect(s, true);
return;
}
if (destination.Binding == SAMLBinding.POST)
{
Trace.TraceData(TraceEventType.Information, string.Format(Tracing.SendAuthnRequest, Saml20Constants.ProtocolBindings.HTTP_Post, idpEndpoint.Id));
HttpPostBindingBuilder builder = new HttpPostBindingBuilder(destination);
//Honor the ForceProtocolBinding and only set this if it's not already set
if (string.IsNullOrEmpty(request.ProtocolBinding))
request.ProtocolBinding = Saml20Constants.ProtocolBindings.HTTP_Post;
XmlDocument req = request.GetXml();
XmlSignatureUtils.SignDocument(req, request.ID);
builder.Request = req.OuterXml;
AuditLogging.logEntry(Direction.OUT, Operation.AUTHNREQUEST_POST);
builder.GetPage().ProcessRequest(context);
return;
}
if(destination.Binding == SAMLBinding.ARTIFACT)
{
Trace.TraceData(TraceEventType.Information, string.Format(Tracing.SendAuthnRequest, Saml20Constants.ProtocolBindings.HTTP_Artifact, idpEndpoint.Id));
HttpArtifactBindingBuilder builder = new HttpArtifactBindingBuilder(context);
//Honor the ForceProtocolBinding and only set this if it's not already set
if(string.IsNullOrEmpty(request.ProtocolBinding))
request.ProtocolBinding = Saml20Constants.ProtocolBindings.HTTP_Artifact;
AuditLogging.logEntry(Direction.OUT, Operation.AUTHNREQUEST_REDIRECT_ARTIFACT);
builder.RedirectFromLogin(destination, request);
}
HandleError(context, Resources.BindingError);
}
private void HandleSOAP(HttpContext context, Stream inputStream)
{
Trace.TraceMethodCalled(GetType(), "HandleSOAP");
HttpArtifactBindingParser parser = new HttpArtifactBindingParser(inputStream);
HttpArtifactBindingBuilder builder = new HttpArtifactBindingBuilder(context);
if(parser.IsArtifactResolve())
{
Trace.TraceData(TraceEventType.Information, Tracing.ArtifactResolveIn);
IDPEndPoint idp = RetrieveIDPConfiguration(parser.Issuer);
AuditLogging.IdpId = idp.Id;
AuditLogging.AssertionId = parser.ArtifactResolve.ID;
if (!parser.CheckSamlMessageSignature(idp.metadata.Keys))
{
HandleError(context, "Invalid Saml message signature");
AuditLogging.logEntry(Direction.IN, Operation.ARTIFACTRESOLVE, "Could not verify signature", parser.SamlMessage);
};
builder.RespondToArtifactResolve(parser.ArtifactResolve);
}else if(parser.IsArtifactResponse())
{
Trace.TraceData(TraceEventType.Information, Tracing.ArtifactResponseIn);
Status status = parser.ArtifactResponse.Status;
if (status.StatusCode.Value != Saml20Constants.StatusCodes.Success)
{
HandleError(context, status);
AuditLogging.logEntry(Direction.IN, Operation.ARTIFACTRESOLVE, string.Format("Illegal status for ArtifactResponse {0} expected 'Success', msg: {1}", status.StatusCode.Value, parser.SamlMessage));
return;
}
if(parser.ArtifactResponse.Any.LocalName == Response.ELEMENT_NAME)
{
bool isEncrypted;
XmlElement assertion = GetAssertion(parser.ArtifactResponse.Any, out isEncrypted);
if (assertion == null)
HandleError(context, "Missing assertion");
if(isEncrypted)
{
HandleEncryptedAssertion(context, assertion);
}else
{
HandleAssertion(context, assertion);
}
}else
{
AuditLogging.logEntry(Direction.IN, Operation.ARTIFACTRESOLVE, string.Format("Unsupported payload message in ArtifactResponse: {0}, msg: {1}", parser.ArtifactResponse.Any.LocalName, parser.SamlMessage));
HandleError(context,
string.Format("Unsupported payload message in ArtifactResponse: {0}",
parser.ArtifactResponse.Any.LocalName));
}
}else
{
Status s = parser.GetStatus();
if (s != null)
{
HandleError(context, s);
}
else
{
AuditLogging.logEntry(Direction.IN, Operation.ARTIFACTRESOLVE, string.Format("Unsupported SamlMessage element: {0}, msg: {1}", parser.SamlMessageName, parser.SamlMessage));
HandleError(context, string.Format("Unsupported SamlMessage element: {0}", parser.SamlMessageName));
}
}
}
private void TransferClient(IDPEndPoint endpoint, HttpContext context)
{
Trace.TraceMethodCalled(GetType(), "TransferClient()");
Saml20LogoutRequest request = Saml20LogoutRequest.GetDefault();
AuditLogging.AssertionId = request.ID;
AuditLogging.IdpId = endpoint.Id;
// Determine which endpoint to use from the configuration file or the endpoint metadata.
IDPEndPointElement destination =
DetermineEndpointConfiguration(SAMLBinding.REDIRECT, endpoint.SLOEndpoint, endpoint.metadata.SLOEndpoints());
request.Destination = destination.Url;
string nameIdFormat = context.Session[IDPNameIdFormat].ToString();
request.SubjectToLogOut.Format = nameIdFormat;
if (destination.Binding == SAMLBinding.POST)
{
HttpPostBindingBuilder builder = new HttpPostBindingBuilder(destination);
request.Destination = destination.Url;
request.Reason = Saml20Constants.Reasons.User;
request.SubjectToLogOut.Value = context.User.Identity.Name;
request.SessionIndex = context.Session[IDPSessionIdKey].ToString();
XmlDocument requestDocument = request.GetXml();
XmlSignatureUtils.SignDocument(requestDocument, request.ID);
builder.Request = requestDocument.OuterXml;
if(Trace.ShouldTrace(TraceEventType.Information))
Trace.TraceData(TraceEventType.Information, string.Format(Tracing.SendLogoutRequest, "POST", endpoint.Id, requestDocument.OuterXml));
AuditLogging.logEntry(Direction.OUT, Operation.LOGOUTREQUEST, "Binding: POST");
builder.GetPage().ProcessRequest(context);
context.Response.End();
return;
}
if(destination.Binding == SAMLBinding.REDIRECT)
{
HttpRedirectBindingBuilder builder = new HttpRedirectBindingBuilder();
builder.signingKey = FederationConfig.GetConfig().SigningCertificate.GetCertificate().PrivateKey;
request.Destination = destination.Url;
request.Reason = Saml20Constants.Reasons.User;
request.SubjectToLogOut.Value = context.User.Identity.Name;
request.SessionIndex = context.Session[IDPSessionIdKey].ToString();
builder.Request = request.GetXml().OuterXml;
string redirectUrl = destination.Url + "?" + builder.ToQuery();
if (Trace.ShouldTrace(TraceEventType.Information))
Trace.TraceData(TraceEventType.Information, string.Format(Tracing.SendLogoutRequest, "REDIRECT", endpoint.Id, redirectUrl));
AuditLogging.logEntry(Direction.OUT, Operation.LOGOUTREQUEST, "Binding: Redirect");
context.Response.Redirect(redirectUrl, true);
return;
}
if(destination.Binding == SAMLBinding.ARTIFACT)
{
if (Trace.ShouldTrace(TraceEventType.Information))
Trace.TraceData(TraceEventType.Information, string.Format(Tracing.SendLogoutRequest, "ARTIFACT", endpoint.Id, string.Empty));
request.Destination = destination.Url;
request.Reason = Saml20Constants.Reasons.User;
request.SubjectToLogOut.Value = context.User.Identity.Name;
request.SessionIndex = context.Session[IDPSessionIdKey].ToString();
HttpArtifactBindingBuilder builder = new HttpArtifactBindingBuilder(context);
AuditLogging.logEntry(Direction.OUT, Operation.LOGOUTREQUEST, "Method: Artifact");
builder.RedirectFromLogout(destination, request, Guid.NewGuid().ToString("N"));
}
HandleError(context, Resources.BindingError);
}
private void HandleArtifact(HttpContext context)
{
HttpArtifactBindingBuilder builder = new HttpArtifactBindingBuilder(context);
Stream inputStream = builder.ResolveArtifact();
HandleSOAP(context, inputStream);
}
private void HandleSOAP(HttpContext context, Stream inputStream)
{
Trace.TraceMethodCalled(GetType(), "HandleSOAP");
HttpArtifactBindingParser parser = new HttpArtifactBindingParser(inputStream);
HttpArtifactBindingBuilder builder = new HttpArtifactBindingBuilder(context);
SAML20FederationConfig config = SAML20FederationConfig.GetConfig();
IDPEndPoint idp = RetrieveIDPConfiguration(parser.Issuer);
AuditLogging.IdpId = idp.Id;
if (parser.IsArtifactResolve())
{
Trace.TraceData(TraceEventType.Information, Tracing.ArtifactResolveIn);
if (!parser.CheckSamlMessageSignature(idp.metadata.Keys))
{
HandleError(context, "Invalid Saml message signature");
AuditLogging.logEntry(Direction.UNDEFINED, Operation.ARTIFACTRESOLVE, "Signature could not be verified", parser.SamlMessage);
}
AuditLogging.AssertionId = parser.ArtifactResolve.ID;
AuditLogging.logEntry(Direction.IN, Operation.ARTIFACTRESOLVE, "", parser.SamlMessage);
builder.RespondToArtifactResolve(parser.ArtifactResolve);
}
else if (parser.IsArtifactResponse())
{
Trace.TraceData(TraceEventType.Information, Tracing.ArtifactResponseIn);
Status status = parser.ArtifactResponse.Status;
if (status.StatusCode.Value != Saml20Constants.StatusCodes.Success)
{
AuditLogging.logEntry(Direction.UNDEFINED, Operation.ARTIFACTRESOLVE, string.Format("Unexpected status code for artifact response: {0}, expected 'Success', msg: {1}", status.StatusCode.Value, parser.SamlMessage));
HandleError(context, status);
return;
}
if (parser.ArtifactResponse.Any.LocalName == LogoutRequest.ELEMENT_NAME)
{
if(Trace.ShouldTrace(TraceEventType.Information))
Trace.TraceData(TraceEventType.Information, string.Format(Tracing.LogoutRequest, parser.ArtifactResponse.Any.OuterXml));
//Send logoutresponse via artifact
Saml20LogoutResponse response = new Saml20LogoutResponse();
response.Issuer = config.ServiceProvider.ID;
LogoutRequest req = Serialization.DeserializeFromXmlString<LogoutRequest>(parser.ArtifactResponse.Any.OuterXml);
response.StatusCode = Saml20Constants.StatusCodes.Success;
response.InResponseTo = req.ID;
IDPEndPoint endpoint = RetrieveIDPConfiguration(context.Session[IDPLoginSessionKey].ToString());
IDPEndPointElement destination =
DetermineEndpointConfiguration(SAMLBinding.REDIRECT, endpoint.SLOEndpoint, endpoint.metadata.SLOEndpoints());
builder.RedirectFromLogout(destination, response);
}else if(parser.ArtifactResponse.Any.LocalName == LogoutResponse.ELEMENT_NAME)
{
DoLogout(context);
}
else
{
AuditLogging.logEntry(Direction.UNDEFINED, Operation.ARTIFACTRESOLVE, string.Format("Unsupported payload message in ArtifactResponse: {0}, msg: {1}", parser.ArtifactResponse.Any.LocalName, parser.SamlMessage));
HandleError(context,
string.Format("Unsupported payload message in ArtifactResponse: {0}",
parser.ArtifactResponse.Any.LocalName));
}
}
else if(parser.IsLogoutReqest())
{
if (Trace.ShouldTrace(TraceEventType.Information))
Trace.TraceData(TraceEventType.Information, string.Format(Tracing.LogoutRequest, parser.SamlMessage.OuterXml));
LogoutRequest req = parser.LogoutRequest;
//Build the response object
Saml20LogoutResponse response = new Saml20LogoutResponse();
response.Issuer = config.ServiceProvider.ID;
//response.Destination = destination.Url;
response.StatusCode = Saml20Constants.StatusCodes.Success;
response.InResponseTo = req.ID;
XmlDocument doc = response.GetXml();
XmlSignatureUtils.SignDocument(doc, response.ID);
if (doc.FirstChild is XmlDeclaration)
doc.RemoveChild(doc.FirstChild);
builder.SendResponseMessage(doc.OuterXml);
}
else
{
Status s = parser.GetStatus();
if (s != null)
{
HandleError(context, s);
}
else
{
AuditLogging.logEntry(Direction.UNDEFINED, Operation.ARTIFACTRESOLVE, string.Format("Unsupported SamlMessage element: {0}, msg: {1}", parser.SamlMessageName, parser.SamlMessage));
HandleError(context, string.Format("Unsupported SamlMessage element: {0}", parser.SamlMessageName));
}
}
}
