public static LinkIDAuthnResponse parse(ResponseType response) { String userId = null; Dictionary <String, List <LinkIDAttribute> > attributes = new Dictionary <string, List <LinkIDAttribute> >(); foreach (object item in response.Items) { AssertionType assertion = (AssertionType)item; SubjectType subject = assertion.Subject; NameIDType nameId = (NameIDType)subject.Items[0]; userId = nameId.Value; foreach (StatementAbstractType statement in assertion.Items) { if (statement is AttributeStatementType) { AttributeStatementType attributeStatement = (AttributeStatementType)statement; attributes = getAttributes(attributeStatement); } } } LinkIDPaymentResponse paymentResponse = findPaymentResponse(response); LinkIDExternalCodeResponse externalCodeResponse = findExternalCodeResponse(response); return(new LinkIDAuthnResponse(userId, attributes, paymentResponse, externalCodeResponse)); }
private static ICollection <Claim> BuildClaims(AssertionType assertion) { var claims = new List <Claim>(); var nameId = assertion.Subject.Items.FirstOrDefault(i => i is NameIDType) as NameIDType; if (nameId != null) { claims.Add(new Claim(ClaimTypes.NameIdentifier, nameId.Value)); } if (assertion.Items != null) { var attributeStatement = assertion.Items.FirstOrDefault(i => i is AttributeStatementType) as AttributeStatementType; if (attributeStatement != null) { var attributes = attributeStatement.Items.Where(i => i is AttributeType).Cast <AttributeType>(); foreach (var attribute in attributes) { string name = attribute.Name; if (MappingSamlAttributeToClaim.ContainsKey(attribute.Name)) { name = MappingSamlAttributeToClaim[attribute.Name]; } foreach (var attributeValue in attribute.AttributeValue) { claims.Add(new Claim(name, attributeValue.ToString())); } } } } return(claims); }
public static void ValidateAssertionAttributes(AssertionType assertion) { if (string.IsNullOrEmpty(assertion.Version)) { throw new Exception("Assertion element must have Version attribute"); } if (assertion.Version != "2.0") { throw new Exception("Application supports only Saml 2.0"); } if (string.IsNullOrEmpty(assertion.ID)) { throw new Exception("Assertion element must have ID attribute"); } if (assertion.ID.Length < 16) { throw new Exception("Assertion ID length must be atleast 128 bits in length"); } if (assertion.IssueInstant >= DateTime.UtcNow) { throw new Exception("Assertion issue instant must be prior to current instant"); } if (assertion.Issuer.Value != "https://localhost:44351") { throw new Exception("Issuer is not valid"); } }
public CounterBenchmarkSetting(string counterName, AssertionType assertionType, Assertion assertion) { Contract.Requires(!string.IsNullOrEmpty(counterName)); CounterName = new CounterMetricName(counterName); AssertionType = assertionType; Assertion = assertion; }
private static void getAttributeValues(ResponseType response, Dictionary <String, List <LinkIDAttribute> > attributeMap) { if (null == response.Items || response.Items.Length == 0) { throw new RuntimeException("No assertions in response"); } AssertionType assertion = (AssertionType)response.Items[0]; if (null == assertion.Items || assertion.Items.Length == 0) { throw new RuntimeException("No statements in response assertion"); } AttributeStatementType attributeStatement = (AttributeStatementType)assertion.Items[0]; foreach (Object attributeObject in attributeStatement.Items) { AttributeType attributeType = (AttributeType)attributeObject; LinkIDAttribute attribute = Saml2AuthUtil.getAttribute(attributeType); List <LinkIDAttribute> attributes; if (!attributeMap.ContainsKey(attribute.attributeName)) { attributes = new List <LinkIDAttribute>(); } else { attributes = attributeMap[attribute.attributeName]; } attributes.Add(attribute); attributeMap.Remove(attribute.attributeName); attributeMap.Add(attribute.attributeName, attributes); } }
public AssertionData(AssertionType assertion) { // Find the attribute statement within the assertion AttributeStatementType ast = null; foreach (StatementAbstractType sat in assertion.Items) { if (sat.GetType().Equals(typeof(AttributeStatementType))) { ast = (AttributeStatementType)sat; } } if (ast == null) { throw new ApplicationException("Invalid SAML Assertion: Missing Attribute Values"); } SAMLAttributes = new Dictionary <string, string>(); // Do what needs to be done to pull specific attributes out for sending on // For now assuming this is a simple list of string key and string values foreach (AttributeType at in ast.Items) { SAMLAttributes.Add(at.Name, ((XmlNode[])at.AttributeValue[0])[1].Value); } }
public Assertion(string description, string value, AssertionType assertionType, AssertionMethod assertionMethod) { Description = description; Value = value; AssertionType = assertionType; AssertionMethod = assertionMethod; }
internal static void InvokeAssertionGreater <T>(AssertionType assertionType, T lhs, T rhs, string lhsText, string rhsText, string functionName, string fileName, int lineNumber) where T : IComparable <T> { string message = string.Format("{0} must be greater than {1}.\nThe actual values are as follows.\n{0}: {2}\n{1}: {3}", lhsText, rhsText, lhs, rhs); Assert.OnAssertionFailure(assertionType, "Greater", functionName, fileName, lineNumber, message); }
internal static void InvokeAssertionAligned(AssertionType assertionType, ulong value, int alignment, string valueText, string alignmentText, string functionName, string fileName, int lineNumber) { string message = string.Format("{0} must be {1}-bytes aligned.\nThe actual values are as follows.\n{0}: {2}\n{1}: {3}", valueText, alignmentText, value, alignment); Assert.OnAssertionFailure(assertionType, "Aligned", functionName, fileName, lineNumber, message); }
internal static void InvokeAssertionInRange(AssertionType assertionType, int value, int lower, int upper, string valueText, string lowerText, string upperText, string functionName, string fileName, int lineNumber) { string message = string.Format( "{0} must be within the range [{1}, {2})\nThe actual values are as follows.\n{0}: {3}\n{1}: {4}\n{2}: {5}", valueText, lowerText, upperText, value, lower, upper); Assert.OnAssertionFailure(assertionType, "RangeCheck", functionName, fileName, lineNumber, message); }
internal static void InvokeAssertionWithinMinMax(AssertionType assertionType, long value, long min, long max, string valueText, string minText, string maxText, string functionName, string fileName, int lineNumber) { string message = string.Format( "{0} must satisfy the condition min:{1} and max:{2}\nThe actual values are as follows.\n{0}: {3}\n{1}: {4}\n{2}: {5}", valueText, minText, maxText, value, min, max); Assert.OnAssertionFailure(assertionType, "MinMaxCheck", functionName, fileName, lineNumber, message); }
/*[Test] * [Ignore("")] * public void TestSosiGWExchangeViaApi2() * { * var sc = SealCard.Create(MakeAssertion()); * using (var stsClient = new SosiGwCardClient("SosiGW")) * { * var d = stsClient.ExchangeAssertion(sc, "http://sundhed.dk/") as GenericXmlSecurityToken; * var elm = d.TokenXml; * } * }*/ private static Security MakeSecurity(AssertionType assertion) { return(new Security { id = Guid.NewGuid().ToString("D"), Timestamp = new Timestamp { Created = DateTimeEx.UtcNowRound - TimeSpan.FromMinutes(5) }, Assertion = assertion }); }
private AssertionType GetAssertionFromXMLDoc(XmlDocument SAMLXML) { XmlNamespaceManager ns = new XmlNamespaceManager(SAMLXML.NameTable); ns.AddNamespace("saml", "urn:oasis:names:tc:SAML:2.0:assertion"); XmlElement xeAssertion = SAMLXML.DocumentElement.SelectSingleNode("saml:Assertion", ns) as XmlElement; XmlSerializer serializer = new XmlSerializer(typeof(AssertionType)); AssertionType assertion = (AssertionType)serializer.Deserialize(new XmlNodeReader(xeAssertion)); return(assertion); }
/// <summary> /// Add an assertion. /// </summary> /// <param name="callback"></param> /// <returns></returns> public SamlResponseBuilder AddAssertion(Action <AssertionBuilder> callback) { var assertion = new AssertionType { Version = Constants.SamlVersion, ID = $"assertion_{Guid.NewGuid()}", IssueInstant = DateTime.UtcNow }; var builder = new AssertionBuilder(assertion); callback(builder); _response.Items = _response.Items.Add(assertion); return(this); }
public static void ValidateAssertion(AssertionType assertion, ServiceProviderModel serviceProvider) { try { SamlValidationHelper.ValidateAssertionAttributes(assertion); SamlValidationHelper.ValidateSubject(assertion.Subject, serviceProvider); SamlValidationHelper.ValidateConditions(assertion.Conditions, serviceProvider); SamlValidationHelper.ValidateStatements(assertion.Items, serviceProvider); } catch (Exception ex) { throw new Exception("Authentication failed", ex); } }
public (string, string) GetUsernameAndAuthIdFromBase64EncodedString(StringValues base64EncodedResponse) { string decodedResponse = SecurityHelper.DecodeFromBase64(base64EncodedResponse); XmlDocument xmlResponseWithEncryptedAssertion = SamlHelper.GetXmlFromString(decodedResponse); ResponseType responseWithEncryptedAssertion = SamlHelper.ConvertXmlToModel <ResponseType>(xmlResponseWithEncryptedAssertion); SamlValidationHelper.VerifyResponse(responseWithEncryptedAssertion); XmlDocument xmlAssertion = SecurityHelper.DecryptAssertion(xmlResponseWithEncryptedAssertion); AssertionType assertion = SamlHelper.ConvertXmlToModel <AssertionType>(xmlAssertion); SamlValidationHelper.ValidateAssertion(assertion, _serviceProvider.Value); return(SamlHelper.Username, SamlHelper.AuthnRequestID); }
public AssertionData(AssertionType assertion) { // Find the attribute statement within the assertion AttributeStatementType ast = null; foreach (StatementAbstractType sat in assertion.Items) { if (sat.GetType().Equals(typeof(AttributeStatementType))) { ast = (AttributeStatementType)sat; } } if (ast == null) { throw new ApplicationException("Invalid SAML Assertion: Missing Attribute Values"); } SAMLAttributes = new Dictionary <string, string>(); // Do what needs to be done to pull specific attributes out for sending on // For now assuming this is a simple list of string key and string values foreach (AttributeType at in ast.Items) { SAMLAttributes.Add(at.Name, at.AttributeValue.ToString()); //switch (at.Name) //{ // case "UserID": // if (at.AttributeValue.Length > 0) UserID = at.AttributeValue[0].ToString(); // break; // case "UserFirstName": // if (at.AttributeValue.Length > 0) UserFirstName = int.Parse(at.AttributeValue[0].ToString()); // break; // case "UserLastName": // if (at.AttributeValue.Length > 0) UserLastName = at.AttributeValue[0].ToString(); // break; // case "UserDisplayName": // if (at.AttributeValue.Length > 0) UserDisplayName = at.AttributeValue[0].ToString(); // break; // case "UserEmail": // if (at.AttributeValue.Length > 0) UserEmail = at.AttributeValue[0].ToString(); // break; // case "GroupID": // if (at.AttributeValue.Length > 0) GroupID = int.Parse(at.AttributeValue[0].ToString()); // break; //} } }
/// <summary> /// Checks whether the issuer of the SAML is trusted and whether the user is known and authenticated successfully. /// </summary> private bool TokenValid(string samlXML, out string username) { XmlSerializer serializer = new XmlSerializer(typeof(ResponseType)); ResponseType response = (ResponseType)serializer.Deserialize(new StringReader(samlXML)); bool issuerTrusted = trustedSAMLIdProviders.Contains(response.Issuer.Value); bool statusSuccess = response.Status.StatusCode.Value.Equals("urn:oasis:names:tc:SAML:2.0:status:Success"); bool userIsKnown = false; username = null; //Find assertion AssertionType assertion = null; foreach (var item in response.Items) { if (item is AssertionType) { assertion = item as AssertionType; } } //Find the username if (assertion != null) { foreach (var item in assertion.Subject.Items) { if (item is NameIDType) { if (!string.IsNullOrEmpty(((NameIDType)item).Value)) { userIsKnown = federatedUsers.Contains(((NameIDType)item).Value); username = ((NameIDType)item).Value; } } } } if (issuerTrusted && statusSuccess && userIsKnown) { return(true); } else { return(false); } }
public void ProcessRequest(HttpContext context) { switch (context.Request.HttpMethod) { case "POST": // Checking to verify that a SAML Assertion is included if (context.Request.Params["SAMLResponse"] == null) { context.Response.Redirect("ServiceProviderError.aspx"); } // Checking for the intended resource if (context.Request.Params["RelayState"] == null) { context.Response.Redirect("ServiceProviderError.aspx"); } // pull Base 64 encoded XML saml assertion from Request and decode it XmlDocument SAMLXML = new XmlDocument(); String SAMLResponseString = System.Text.Encoding.UTF8.GetString( Convert.FromBase64String(context.Request.Params["SAMLResponse"].ToString())); SAMLXML.LoadXml(SAMLResponseString); // Validate X509 Certificate Signature if (!ValidateX509CertificateSignature(SAMLXML)) { context.Response.Redirect("ServiceProviderError.aspx"); } // Finding AssertionType assertion = GetAssertionFromXMLDoc(SAMLXML); if (assertion.Issuer.Value == ConfigurationManager.AppSettings["CertIssuer"]) { AssertionData SSOData = new AssertionData(assertion); } // At this point any specific work that needs to be done to establish user context with // the SSOData should be executed before redirecting the user browser to the target context.Response.Redirect(context.Request.Params["RelayState"].ToString()); break; } }
private static string GetExceptionMessage(AssertionType assertion, string[] affectedParameterNames) { string format = null; switch (assertion) { case AssertionType.AssertNotNull: format = Properties.Resources.AssertionFailedExceptionNotNull; break; case AssertionType.AssertNotEmpty: format = Properties.Resources.AssertionFailedExceptionNotEmpty; break; case AssertionType.Invalid: default: format = Properties.Resources.AssertionFailedGenericMessage; break; } return(string.Format(format, affectedParameterNames)); }
/// <summary> /// Initializes a new instance of the <see cref="AssertionFailedException"/> class. /// </summary> /// <param name="assertion">Type of the assertion.</param> /// <param name="affectedParameterNames">The affected parameter names.</param> public AssertionFailedException(AssertionType assertion, string[] affectedParameterNames) : this(Properties.Resources.AssertionFailedGenericMessage, assertion, affectedParameterNames) { }
/// <summary> /// Initializes a new instance of the <see cref="AssertionFailedException"/> class. /// </summary> /// <param name="message">The message to display if the assertion has failed.</param> /// <param name="assertion">Type of the assertion.</param> /// <param name="affectedParameterNames">The affected parameter names.</param> public AssertionFailedException(string message, AssertionType assertion, string[] affectedParameterNames) : base(message) { this.Assertion = assertion; this.AffectedParameterNames = affectedParameterNames; }
/// <summary> /// Creates a SAML 2.0 Assertion Segment for a Response /// Simple implmenetation assuming a list of string key and value pairs /// </summary> /// <param name="Issuer"></param> /// <param name="AssertionExpirationMinutes"></param> /// <param name="Audience"></param> /// <param name="Subject"></param> /// <param name="Recipient"></param> /// <param name="Attributes">Dictionary of string key, string value pairs</param> /// <returns>Assertion to sign and include in Response</returns> private static AssertionType CreateSAML20Assertion(string Issuer, int AssertionExpirationMinutes, string Audience, string Subject, string Recipient, Dictionary <string, string> Attributes) { AssertionType NewAssertion = new AssertionType() { Version = "2.0", IssueInstant = DateTime.Now,//DateTime.UtcNow, ID = "_" + System.Guid.NewGuid().ToString() }; // Create Issuer NewAssertion.Issuer = new NameIDType() { Value = Issuer.Trim() }; // Create Assertion Subject SubjectType subject = new SubjectType(); NameIDType subjectNameIdentifier = new NameIDType() { Value = Subject.Trim(), Format = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified" }; SubjectConfirmationType subjectConfirmation = new SubjectConfirmationType() { Method = "urn:oasis:names:tc:SAML:2.0:cm:bearer", SubjectConfirmationData = new SubjectConfirmationDataType() { NotOnOrAfter = DateTime.Now.AddMinutes(AssertionExpirationMinutes), Recipient = Recipient } }; //{ NotOnOrAfter = DateTime.UtcNow.AddMinutes(AssertionExpirationMinutes), Recipient = Recipient } }; subject.Items = new object[] { subjectNameIdentifier, subjectConfirmation }; NewAssertion.Subject = subject; // Create Assertion Conditions ConditionsType conditions = new ConditionsType(); conditions.NotBefore = DateTime.Now; //DateTime.UtcNow; conditions.NotBeforeSpecified = true; conditions.NotOnOrAfter = DateTime.Now.AddMinutes(AssertionExpirationMinutes); //DateTime.UtcNow.AddMinutes(AssertionExpirationMinutes); conditions.NotOnOrAfterSpecified = true; conditions.Items = new ConditionAbstractType[] { new AudienceRestrictionType() { Audience = new string[] { Audience.Trim() } } }; NewAssertion.Conditions = conditions; // Add AuthnStatement and Attributes as Items AuthnStatementType authStatement = new AuthnStatementType() { AuthnInstant = DateTime.Now, SessionIndex = NewAssertion.ID }; //{ AuthnInstant = DateTime.UtcNow, SessionIndex = NewAssertion.ID }; AuthnContextType context = new AuthnContextType(); context.ItemsElementName = new ItemsChoiceType5[] { ItemsChoiceType5.AuthnContextClassRef }; context.Items = new object[] { "urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified" }; authStatement.AuthnContext = context; AttributeStatementType attributeStatement = new AttributeStatementType(); attributeStatement.Items = new AttributeType[Attributes.Count]; int i = 0; foreach (KeyValuePair <string, string> attribute in Attributes) { attributeStatement.Items[i] = new AttributeType() { Name = attribute.Key, AttributeValue = new object[] { attribute.Value }, NameFormat = "urn:oasis:names:tc:SAML:2.0:attrname-format:basic" }; i++; } NewAssertion.Items = new StatementAbstractType[] { authStatement, attributeStatement }; return(NewAssertion); }
/// <summary> /// Creates a Version 1.1 Saml Assertion /// </summary> /// <param name="issuer">Issuer</param> /// <param name="subject">Subject</param> /// <param name="attributes">Attributes</param> /// <returns>returns a Version 1.1 Saml Assertion</returns> private static AssertionType CreateSamlAssertion(string issuer, string recipient, string domain, string subject, Dictionary <string, string> attributes) { // Here we create some SAML assertion with ID and Issuer name. AssertionType assertion = new AssertionType(); assertion.ID = "_" + Guid.NewGuid().ToString(); NameIDType issuerForAssertion = new NameIDType(); issuerForAssertion.Value = issuer.Trim(); assertion.Issuer = issuerForAssertion; assertion.Version = "2.0"; assertion.IssueInstant = System.DateTime.UtcNow; //Not before, not after conditions ConditionsType conditions = new ConditionsType(); conditions.NotBefore = DateTime.UtcNow; conditions.NotBeforeSpecified = true; conditions.NotOnOrAfter = DateTime.UtcNow.AddMinutes(5); conditions.NotOnOrAfterSpecified = true; AudienceRestrictionType audienceRestriction = new AudienceRestrictionType(); audienceRestriction.Audience = new string[] { domain.Trim() }; conditions.Items = new ConditionAbstractType[] { audienceRestriction }; //Name Identifier to be used in Saml Subject NameIDType nameIdentifier = new NameIDType(); nameIdentifier.NameQualifier = domain.Trim(); nameIdentifier.Value = subject.Trim(); SubjectConfirmationType subjectConfirmation = new SubjectConfirmationType(); SubjectConfirmationDataType subjectConfirmationData = new SubjectConfirmationDataType(); subjectConfirmation.Method = "urn:oasis:names:tc:SAML:2.0:cm:bearer"; subjectConfirmation.SubjectConfirmationData = subjectConfirmationData; // // Create some SAML subject. SubjectType samlSubject = new SubjectType(); AttributeStatementType attrStatement = new AttributeStatementType(); AuthnStatementType authStatement = new AuthnStatementType(); authStatement.AuthnInstant = DateTime.UtcNow; AuthnContextType context = new AuthnContextType(); context.ItemsElementName = new ItemsChoiceType5[] { ItemsChoiceType5.AuthnContextClassRef }; context.Items = new object[] { "AuthnContextClassRef" }; authStatement.AuthnContext = context; samlSubject.Items = new object[] { nameIdentifier, subjectConfirmation }; assertion.Subject = samlSubject; IPHostEntry ipEntry = Dns.GetHostEntry(System.Environment.MachineName); SubjectLocalityType subjectLocality = new SubjectLocalityType(); subjectLocality.Address = ipEntry.AddressList[0].ToString(); attrStatement.Items = new AttributeType[attributes.Count]; int i = 0; // Create userName SAML attributes. foreach (KeyValuePair <string, string> attribute in attributes) { AttributeType attr = new AttributeType(); attr.Name = attribute.Key; attr.NameFormat = "urn:oasis:names:tc:SAML:2.0:attrname-format:basic"; attr.AttributeValue = new object[] { attribute.Value }; attrStatement.Items[i] = attr; i++; } assertion.Conditions = conditions; assertion.Items = new StatementAbstractType[] { authStatement, attrStatement }; return(assertion); }
internal static void InvokeAssertionNotNull(AssertionType assertionType, string valueText, string functionName, string fileName, int lineNumber) { Assert.OnAssertionFailure(assertionType, "NotNull", functionName, fileName, lineNumber, $"{valueText} must not be nullptr."); }
private static string GetExceptionMessage(AssertionType assertion, string[] affectedParameterNames) { string format=null; switch (assertion) { case AssertionType.AssertNotNull: format= Properties.Resources.AssertionFailedExceptionNotNull; break; case AssertionType.AssertNotEmpty: format= Properties.Resources.AssertionFailedExceptionNotEmpty; break; case AssertionType.Invalid: default: format= Properties.Resources.AssertionFailedGenericMessage; break; } return string.Format(format, affectedParameterNames); }
public AssertionBehavior(AssertionType type, bool inversion) { Type = type; Inversion = inversion; }
/// <summary> /// GetPostSamlResponse - Returns a Base64 Encoded String with the SamlResponse in it. /// </summary> /// <param name="recipient">Recipient</param> /// <param name="issuer">Issuer</param> /// <param name="domain">Domain</param> /// <param name="subject">Subject</param> /// <param name="storeLocation">Certificate Store Location</param> /// <param name="storeName">Certificate Store Name</param> /// <param name="findType">Certificate Find Type</param> /// <param name="certLocation">Certificate Location</param> /// <param name="findValue">Certificate Find Value</param> /// <param name="certFile">Certificate File (used instead of the above Certificate Parameters)</param> /// <param name="certPassword">Certificate Password (used instead of the above Certificate Parameters)</param> /// <param name="attributes">A list of attributes to pass</param> /// <param name="signatureType">Whether to sign Response or Assertion</param> /// <returns>A base64Encoded string with a SAML response.</returns> public static string GetPostSamlResponse(string recipient, string issuer, string domain, string subject, StoreLocation storeLocation, StoreName storeName, X509FindType findType, string certFile, string certPassword, object findValue, Dictionary <string, string> attributes, SigningHelper.SignatureType signatureType) { ResponseType response = new ResponseType(); // Response Main Area response.ID = "_" + Guid.NewGuid().ToString(); response.Destination = recipient; response.Version = "2.0"; response.IssueInstant = System.DateTime.UtcNow; NameIDType issuerForResponse = new NameIDType(); issuerForResponse.Value = issuer.Trim(); response.Issuer = issuerForResponse; StatusType status = new StatusType(); status.StatusCode = new StatusCodeType(); status.StatusCode.Value = "urn:oasis:names:tc:SAML:2.0:status:Success"; response.Status = status; XmlSerializer responseSerializer = new XmlSerializer(response.GetType()); StringWriter stringWriter = new StringWriter(); XmlWriterSettings settings = new XmlWriterSettings(); settings.OmitXmlDeclaration = true; settings.Indent = true; settings.Encoding = Encoding.UTF8; XmlWriter responseWriter = XmlTextWriter.Create(stringWriter, settings); string samlString = string.Empty; AssertionType assertionType = SamlHelper.CreateSamlAssertion( issuer.Trim(), recipient.Trim(), domain.Trim(), subject.Trim(), attributes); response.Items = new AssertionType[] { assertionType }; responseSerializer.Serialize(responseWriter, response); responseWriter.Close(); samlString = stringWriter.ToString(); samlString = samlString.Replace("SubjectConfirmationData", string.Format("SubjectConfirmationData NotOnOrAfter=\"{0:o}\" Recipient=\"{1}\"", DateTime.UtcNow.AddMinutes(5), recipient)); stringWriter.Close(); XmlDocument doc = new XmlDocument(); doc.LoadXml(samlString); X509Certificate2 cert = null; if (System.IO.File.Exists(certFile)) { cert = new X509Certificate2(certFile, certPassword); } else { X509Store store = new X509Store(storeName, storeLocation); store.Open(OpenFlags.ReadOnly); X509Certificate2Collection coll = store.Certificates.Find(findType, findValue, true); if (coll.Count < 1) { throw new ArgumentException("Unable to locate certificate"); } cert = coll[0]; store.Close(); } XmlElement signature = SigningHelper.SignDoc(doc, cert, "ID", (signatureType == SigningHelper.SignatureType.Response || signatureType == SigningHelper.SignatureType.TestVU475445) ? response.ID : assertionType.ID); doc.DocumentElement.InsertBefore(signature, doc.DocumentElement.ChildNodes[1]); if (SamlHelper.Logger.IsDebugEnabled) { SamlHelper.Logger.DebugFormat( "Saml Assertion before encoding = {0}", doc.OuterXml.ToString()); } string responseStr = doc.OuterXml; // 2018Ma06 Special Post-signature Maniuplation postsignature to inject comment into subject. if (signatureType == SigningHelper.SignatureType.TestVU475445) { string sub = subject.Trim(); int half = sub.Length / 2; string firstHalf = sub.Substring(0, half); string secondHalf = sub.Substring(half); responseStr = responseStr.Replace(sub, firstHalf + "<!--VU475445-->" + secondHalf); int breaker = 1; } byte[] base64EncodedBytes = Encoding.UTF8.GetBytes(responseStr); string returnValue = System.Convert.ToBase64String( base64EncodedBytes); return(returnValue); }
public void AssertElement(AssertionType type, String assertion, HtmlElement element) { startSWATFixtureIfNotInOne(); //_assertion = "|AssertElementExists|expression|" + assertionBox.Text + "|" + _srcElement.tagName + "|"; switch (type) { case AssertionType.ElementExists: _sb.Append("|AssertElementExists|Expression|"); break; case AssertionType.ElementDoesNotExist: _sb.Append("|AssertElementDoesNotExist|Expression|"); break; } //assertion = replaceSpecialCharacters(assertion); _sb.Append(assertion + "|" + element.TagName + "|"); writeCommand(getStringBuilderValueAndReset()); }
private void CreateSAMLResponse() { FormsIdentity id = null; if (HttpContext.Current.User != null) { if (HttpContext.Current.User.Identity.IsAuthenticated) { if (HttpContext.Current.User.Identity is FormsIdentity) { id = (FormsIdentity)HttpContext.Current.User.Identity; } } } DateTime notBefore = (id != null ? id.Ticket.IssueDate.ToUniversalTime() : DateTime.UtcNow); DateTime notOnOrAfter = (id != null ? id.Ticket.Expiration.ToUniversalTime() : DateTime.UtcNow.AddMinutes(30)); IDProvider config = IDProvider.GetConfig(); SAMLResponse.Status = new StatusType(); SAMLResponse.Status.StatusCode = new StatusCodeType(); SAMLResponse.Status.StatusCode.Value = SAMLUtility.StatusCodes.Success; AssertionType assert = new AssertionType(); assert.ID = SAMLUtility.GenerateID(); assert.IssueInstant = DateTime.UtcNow.AddMinutes(10); assert.Issuer = new NameIDType(); assert.Issuer.Value = config.id; SubjectConfirmationType subjectConfirmation = new SubjectConfirmationType(); subjectConfirmation.Method = "urn:oasis:names:tc:SAML:2.0:cm:bearer"; subjectConfirmation.SubjectConfirmationData = new SubjectConfirmationDataType(); subjectConfirmation.SubjectConfirmationData.Recipient = SAMLRequest.Issuer; subjectConfirmation.SubjectConfirmationData.InResponseTo = SAMLRequest.Request.ID; subjectConfirmation.SubjectConfirmationData.NotOnOrAfter = notOnOrAfter; NameIDType nameID = new NameIDType(); nameID.Format = SAMLUtility.NameIdentifierFormats.Transient; nameID.Value = (id != null ? id.Name : UtilBO.FormatNameFormsAuthentication(this.__SessionWEB.__UsuarioWEB.Usuario)); assert.Subject = new SubjectType(); assert.Subject.Items = new object[] { subjectConfirmation, nameID }; assert.Conditions = new ConditionsType(); assert.Conditions.NotBefore = notBefore; assert.Conditions.NotOnOrAfter = notOnOrAfter; assert.Conditions.NotBeforeSpecified = true; assert.Conditions.NotOnOrAfterSpecified = true; AudienceRestrictionType audienceRestriction = new AudienceRestrictionType(); audienceRestriction.Audience = new string[] { SAMLRequest.Issuer }; assert.Conditions.Items = new ConditionAbstractType[] { audienceRestriction }; AuthnStatementType authnStatement = new AuthnStatementType(); authnStatement.AuthnInstant = DateTime.UtcNow; authnStatement.SessionIndex = SAMLUtility.GenerateID(); authnStatement.AuthnContext = new AuthnContextType(); authnStatement.AuthnContext.Items = new object[] { "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport" }; authnStatement.AuthnContext.ItemsElementName = new ItemsChoiceType5[] { ItemsChoiceType5.AuthnContextClassRef }; StatementAbstractType[] statementAbstract = new StatementAbstractType[] { authnStatement }; assert.Items = statementAbstract; SAMLResponse.Items = new object[] { assert }; string xmlResponse = SAMLUtility.SerializeToXmlString(SAMLResponse); XmlDocument doc = new XmlDocument(); doc.LoadXml(xmlResponse); XmlSignatureUtils.SignDocument(doc, assert.ID); SAMLResponse = SAMLUtility.DeserializeFromXmlString <ResponseType>(doc.InnerXml); HttpPostBinding binding = new HttpPostBinding(SAMLResponse, HttpUtility.UrlDecode(Request[HttpBindingConstants.RelayState])); binding.SendResponse(this.Context, HttpUtility.UrlDecode(SAMLRequest.AssertionConsumerServiceURL), SAMLTypeSSO.signon); }
private void okButton_Click(object sender, EventArgs e) { _assertion = assertionBox.Text; _assertionType = assertExistButton.Checked ? AssertionType.ElementExists : AssertionType.ElementDoesNotExist; }
//A state can be a lookbehind start public ENFA_LookbehindStart(ENFA_Controller controller, AssertionType assertionType, ENFA_GroupingStart parent) : base(controller, parent) { _assertionType = assertionType; }
/// <summary> /// Handles the sign in. /// </summary> /// <returns></returns> /// <exception cref="SecurityTokenException">No token validator was found for the given token.</exception> private async Task <HandleRequestResult> HandleSignIn() { if (Request.Method != HttpMethods.Post) { return(HandleRequestResult.Fail("Request method must be an HTTP-Post Method")); } var form = await Request.ReadFormAsync(); var response = form[Saml2Constants.Parameters.SamlResponse]; var relayState = form[Saml2Constants.Parameters.RelayState].ToString()?.DeflateDecompress(); AuthenticationProperties authenticationProperties = Options.StateDataFormat.Unprotect(relayState); try { if (authenticationProperties == null) { if (!Options.AllowUnsolicitedLogins) { return(HandleRequestResult.Fail("Unsolicited logins are not allowed.")); } } if (authenticationProperties.Items.TryGetValue(CorrelationProperty, out string correlationId) && !ValidateCorrelationId(authenticationProperties)) { return(HandleRequestResult.Fail("Correlation failed.", authenticationProperties)); } string base64EncodedSamlResponse = response; ResponseType idpSamlResponseToken = _saml2Service.GetSamlResponseToken(base64EncodedSamlResponse, Saml2Constants.ResponseTypes.AuthnResponse, Options); IRequestCookieCollection cookies = Request.Cookies; string originalSamlRequestId = cookies[cookies.Keys.FirstOrDefault(key => key.StartsWith(Options.AuthenticationScheme))]; _saml2Service.CheckIfReplayAttack(idpSamlResponseToken.InResponseTo, originalSamlRequestId); _saml2Service.CheckStatus(idpSamlResponseToken); string token = _saml2Service.GetAssertion(idpSamlResponseToken, Options); AssertionType assertion = new AssertionType(); XmlSerializer xmlSerializer = new XmlSerializer(typeof(AssertionType)); using (MemoryStream memStm = new MemoryStream(Encoding.UTF8.GetBytes(token))) { assertion = (AssertionType)xmlSerializer.Deserialize(memStm); } if (Options.WantAssertionsSigned) { var doc = new XmlDocument { XmlResolver = null, PreserveWhitespace = true }; doc.LoadXml(token); if (!_saml2Service.ValidateX509CertificateSignature(doc, Options)) { throw new Exception("Assertion signature is not valid"); } } AuthnStatementType session = new AuthnStatementType(); if (assertion.Items.Any(x => x.GetType() == typeof(AuthnStatementType))) { session = (AuthnStatementType)assertion.Items.FirstOrDefault(x => x.GetType() == typeof(AuthnStatementType)); } if (assertion.Subject.Items.Any(x => x.GetType() == typeof(NameIDType))) { Options.NameIDType = (NameIDType)assertion.Subject.Items.FirstOrDefault(x => x.GetType() == typeof(NameIDType)); } if (_configuration == null) { _configuration = await Options.ConfigurationManager.GetConfigurationAsync(Context.RequestAborted); } var tvp = Options.TokenValidationParameters.Clone(); var validator = Options.Saml2SecurityTokenHandler; ClaimsPrincipal principal = null; SecurityToken parsedToken = null; var issuers = new[] { _configuration.Issuer }; tvp.ValidateIssuerSigningKey = Options.WantAssertionsSigned; tvp.ValidateTokenReplay = !Options.IsPassive; tvp.ValidateIssuer = true; tvp.ValidateAudience = true; tvp.ValidIssuers = (tvp.ValidIssuers == null ? issuers : tvp.ValidIssuers.Concat(issuers)); tvp.IssuerSigningKeys = (tvp.IssuerSigningKeys == null ? _configuration.SigningKeys : tvp.IssuerSigningKeys.Concat(_configuration.SigningKeys)); if (!Options.WantAssertionsSigned) // in case they aren't signed { tvp.RequireSignedTokens = false; } if (validator.CanReadToken(token)) { principal = validator.ValidateToken(token, tvp, out parsedToken); } if (principal == null) { throw new SecurityTokenException("No token validator was found for the given token."); } if (Options.UseTokenLifetime && parsedToken != null) { // Override any session persistence to match the token lifetime. var issued = parsedToken.ValidFrom; if (issued != DateTime.MinValue) { authenticationProperties.IssuedUtc = issued.ToUniversalTime(); } var expires = parsedToken.ValidTo; if (expires != DateTime.MinValue) { authenticationProperties.ExpiresUtc = expires.ToUniversalTime(); } authenticationProperties.AllowRefresh = false; } ClaimsIdentity identity = new ClaimsIdentity(principal.Claims, Scheme.Name); session.SessionIndex = !String.IsNullOrEmpty(session.SessionIndex) ? session.SessionIndex : assertion.ID; //get the session index from assertion so you can use it to logout later identity.AddClaim(new Claim(Saml2ClaimTypes.SessionIndex, session.SessionIndex)); identity.AddClaim(new Claim(ClaimTypes.Name, principal.Claims.FirstOrDefault(c => c.Type == ClaimTypes.NameIdentifier).Value)); string redirectUrl = !string.IsNullOrEmpty(authenticationProperties.RedirectUri) ? authenticationProperties.RedirectUri : Options.CallbackPath.ToString(); Context.Response.Redirect(redirectUrl, true); Context.User = new ClaimsPrincipal(identity); await Context.SignInAsync(Options.SignInScheme, Context.User, authenticationProperties); return(HandleRequestResult.Success(new AuthenticationTicket(Context.User, authenticationProperties, Scheme.Name))); } catch (Exception exception) { return(HandleRequestResult.Fail(exception, authenticationProperties)); } }