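// Create an authentication request.
//
// Builds a SAML 2.0 AuthnRequest addressed to the IdP SSO endpoint named by the
// "idpssoURL" app setting. The service provider is identified by its absolute root
// URL, and the assertion is requested to be delivered to the assertion consumer
// service URL built by CreateAssertionConsumerServiceURL(). For every SP-to-IdP
// binding other than HTTP-Redirect the serialized request is signed with the SP
// certificate held in Application[Global.SPX509Certificate].
//
// Returns: the serialized (and, for non-redirect bindings, signed) AuthnRequest element.
// Throws:  InvalidOperationException when signing is required but no SP certificate
//          with a private key is loaded in application state, so a misconfigured
//          deployment fails with a clear message instead of a NullReferenceException.
private XmlElement CreateAuthnRequest()
{
    // Create some URLs to identify the service provider to the identity provider.
    // As we're using the same endpoint for the different bindings, add a query string parameter
    // to identify the binding.
    string issuerURL = CreateAbsoluteURL("~/");
    string assertionConsumerServiceURL = CreateAssertionConsumerServiceURL();

    // Create the authentication request.
    AuthnRequest authnRequest = new AuthnRequest();
    authnRequest.Destination = WebConfigurationManager.AppSettings["idpssoURL"];
    authnRequest.Issuer = new Issuer(issuerURL);
    authnRequest.ForceAuthn = false;
    authnRequest.NameIDPolicy = new NameIDPolicy(null, null, true);
    authnRequest.ProtocolBinding = idpToSPBindingRadioButtonList.SelectedValue;
    authnRequest.AssertionConsumerServiceURL = assertionConsumerServiceURL;

    // Serialize the authentication request to XML for transmission.
    XmlElement authnRequestXml = authnRequest.ToXml();

    // An enveloped XML signature is only applied for the non-redirect bindings: with
    // HTTP-Redirect the signed XML makes the query string too long for most browsers.
    // NOTE(review): a redirect-bound request therefore leaves this method unsigned.
    // The HTTP-Redirect binding has its own detached signature (SigAlg/Signature query
    // parameters); if the IdP requires signed requests, the code that builds the
    // redirect URL must apply it — that code is not visible here, confirm in the sender.
    if (spToIdPBindingRadioButtonList.SelectedValue != SAMLIdentifiers.BindingURIs.HTTPRedirect)
    {
        X509Certificate2 x509Certificate = Application[Global.SPX509Certificate] as X509Certificate2;
        if (x509Certificate == null || !x509Certificate.HasPrivateKey)
        {
            throw new InvalidOperationException(
                "The service provider signing certificate (with private key) is not loaded in application state.");
        }

        // Sign the authentication request.
        SAMLMessageSignature.Generate(authnRequestXml, x509Certificate.PrivateKey, x509Certificate);
    }

    return authnRequestXml;
}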
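// Create an authentication request.
//
// Produces the SAML 2.0 AuthnRequest this service provider sends to the IdP SSO
// endpoint configured in the "idpssoURL" app setting. The issuer is the absolute
// root URL of this site and the assertion consumer service URL comes from
// CreateAssertionConsumerServiceURL(). Unless the SP-to-IdP binding is HTTP-Redirect,
// the XML is signed with the SP certificate stored in Application[Global.SPX509Certificate].
//
// Returns: the serialized AuthnRequest element, signed for non-redirect bindings.
// Throws:  InvalidOperationException if signing is required but application state
//          holds no SP certificate with a private key (previously a NullReferenceException).
private XmlElement CreateAuthnRequest()
{
    // Create some URLs to identify the service provider to the identity provider.
    // As we're using the same endpoint for the different bindings, add a query string parameter
    // to identify the binding.
    string issuerURL = CreateAbsoluteURL("~/");
    string assertionConsumerServiceURL = CreateAssertionConsumerServiceURL();

    // Create the authentication request.
    AuthnRequest authnRequest = new AuthnRequest
    {
        Destination = WebConfigurationManager.AppSettings["idpssoURL"],
        Issuer = new Issuer(issuerURL),
        ForceAuthn = false,
        NameIDPolicy = new NameIDPolicy(null, null, true),
        ProtocolBinding = idpToSPBindingRadioButtonList.SelectedValue,
        AssertionConsumerServiceURL = assertionConsumerServiceURL
    };

    // Serialize the authentication request to XML for transmission.
    XmlElement authnRequestXml = authnRequest.ToXml();

    // Only non-redirect bindings carry an enveloped XML signature; with HTTP-Redirect the
    // signed XML makes the generated query string too long for most browsers.
    // NOTE(review): this leaves redirect-bound requests unsigned here. HTTP-Redirect has
    // a detached signature of its own (SigAlg/Signature query parameters) — if the IdP
    // demands signed requests, the redirect URL builder (not visible here) must add it.
    bool signRequest = spToIdPBindingRadioButtonList.SelectedValue != SAMLIdentifiers.BindingURIs.HTTPRedirect;
    if (signRequest)
    {
        X509Certificate2 spCertificate = Application[Global.SPX509Certificate] as X509Certificate2;
        if (spCertificate == null || !spCertificate.HasPrivateKey)
        {
            throw new InvalidOperationException(
                "The service provider signing certificate (with private key) is not loaded in application state.");
        }

        // Sign the authentication request.
        SAMLMessageSignature.Generate(authnRequestXml, spCertificate.PrivateKey, spCertificate);
    }

    return authnRequestXml;
}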
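// Thumbprint of the SP certificate (LocalMachine\My) used to sign outgoing AuthnRequests.
// A thumbprint is a public identifier, not a secret, so it is acceptable in source; the
// intended design is to obtain the certificate through IStoreSamlCertificates, fed by the
// "SamlTestCertificateThumbprint" app setting, rather than pin it here.
private const string SigningCertificateThumbprint = "1945D599DF7F3B3D6513C87A8CDDF4CE6E0899B6";

// Locate the SP signing certificate in the LocalMachine\My store by thumbprint.
//
// validOnly is false because a self-signed SAML signing certificate does not chain to a
// trusted root and would be filtered out; the thumbprint already pins the exact certificate.
// Throws InvalidOperationException when no certificate matches or the match has no
// private key, since a certificate without its key cannot produce a signature.
private static X509Certificate2 GetSigningCertificate(string thumbprint)
{
    var store = new X509Store(StoreName.My, StoreLocation.LocalMachine);
    try
    {
        store.Open(OpenFlags.ReadOnly);
        var matches = store.Certificates.Find(X509FindType.FindByThumbprint, thumbprint, false);
        if (matches.Count < 1)
        {
            throw new InvalidOperationException(string.Format(
                "Could not find certificate with thumbprint '{0}' in My LocalMachine store.", thumbprint));
        }

        var certificate = matches[0];
        if (!certificate.HasPrivateKey)
        {
            throw new InvalidOperationException(string.Format(
                "Certificate with thumbprint '{0}' has no private key and cannot sign AuthnRequests.", thumbprint));
        }

        return certificate;
    }
    finally
    {
        store.Close();
    }
}

// Build a SAML 2.0 AuthnRequest and send it to the IdP over the requested binding.
//
// idpLocation    - the IdP single sign-on endpoint (also used as the request Destination).
// idpBinding     - HttpPost or HttpRedirect; anything else raises NotSupportedException.
// fromSpEntityId - this service provider's entity ID, sent as the Issuer.
// returnUrl      - optional SP resource to return to after SSO; cached as relay state.
// httpContext    - the current request context whose Response carries the redirect/POST.
//
// The request is signed with the SP certificate found by thumbprint: an enveloped XML
// signature for HTTP-POST, and the binding's detached signature (via the private key
// handed to SendAuthnRequestByHTTPRedirect) for HTTP-Redirect.
//
// Previously this method embedded a base64 blob in source, named it "privateKey", and
// imported it as the redirect signing certificate. That blob appears to be a DER X.509
// certificate (a public artifact), not a private key, so the imported X509Certificate2
// carried no PrivateKey and the redirect request could not actually be signed. Key
// material and certificates must come from the certificate store, never from source.
public void SendAuthnRequest(string idpLocation, Saml2SsoBinding idpBinding, string fromSpEntityId, string returnUrl, HttpContextBase httpContext)
{
    // Create the authentication request. ForceAuthn = true asks the IdP to re-authenticate
    // the user even if an IdP session already exists.
    var authnRequest = new AuthnRequest
    {
        Destination = idpLocation,
        Issuer = new Issuer(fromSpEntityId),
        ForceAuthn = true,
        NameIDPolicy = new NameIDPolicy(null, null, true),
    };

    // Serialize the authentication request to XML for transmission.
    var authnRequestXml = authnRequest.ToXml();

    var signingCertificate = GetSigningCertificate(SigningCertificateThumbprint);

    // The enveloped XML signature is only applied for HTTP-POST: with HTTP-Redirect the
    // signed XML makes the generated query string too long for most browsers, so that
    // binding is signed with the detached query-string signature instead (below).
    if (idpBinding != Saml2SsoBinding.HttpRedirect)
    {
        SAMLMessageSignature.Generate(authnRequestXml, signingCertificate.PrivateKey, signingCertificate);
    }

    // Create and cache the relay state so we remember which SP resource the user wishes to access after SSO.
    // NOTE(review): returnUrl is cached verbatim; whatever redirects to it after SSO must
    // validate that it is a local/allow-listed URL — that code is not visible here.
    // NOTE(review): the DI-based variant of this method sets SAML.HttpContext before
    // caching relay state; confirm whether RelayStateCache needs it in this context.
    string relayState = null;
    if (!string.IsNullOrWhiteSpace(returnUrl))
    {
        relayState = RelayStateCache.Add(new RelayState(returnUrl, null));
    }

    // Send the authentication request to the identity provider over the configured binding.
    switch (idpBinding)
    {
        case Saml2SsoBinding.HttpPost:
            ServiceProvider.SendAuthnRequestByHTTPPost(httpContext.Response, idpLocation, authnRequestXml, relayState);
            httpContext.Response.End();
            break;

        case Saml2SsoBinding.HttpRedirect:
            // The SP signing key produces the detached redirect signature; the IdP verifies
            // it against the signing certificate published in SP metadata.
            ServiceProvider.SendAuthnRequestByHTTPRedirect(httpContext.Response, idpLocation, authnRequestXml, relayState, signingCertificate.PrivateKey);
            break;

        default:
            throw new NotSupportedException(string.Format(
                "The '{0}' binding is currently not supported.", idpBinding));
    }
}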
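// Build a SAML 2.0 AuthnRequest and send it to the IdP over the requested binding.
//
// idpLocation    - the IdP single sign-on endpoint (also the request Destination).
// idpBinding     - HttpPost or HttpRedirect; any other value raises NotSupportedException.
// fromSpEntityId - this service provider's entity ID, sent as the Issuer.
// returnUrl      - optional SP resource to return to after SSO; cached as relay state.
// httpContext    - the current request context whose Response carries the POST/redirect.
//
// Both bindings are signed with the SP *signing* certificate from the certificate store:
// an enveloped XML signature for HTTP-POST, and the binding's detached query-string
// signature (via the private key passed to SendAuthnRequestByHTTPRedirect) for HTTP-Redirect.
//
// Previously the redirect signature was produced with the *encryption* certificate's
// private key. The IdP verifies that signature against the signing certificate published
// in SP metadata, so when the store returns distinct certificates for the two roles the
// redirect signature would not validate; when it returns the same certificate this is a no-op.
//
// Throws InvalidOperationException if the store yields no signing certificate with a private key.
public void SendAuthnRequest(string idpLocation, Saml2SsoBinding idpBinding, string fromSpEntityId, string returnUrl, HttpContextBase httpContext)
{
    // Create the authentication request.
    var authnRequest = new AuthnRequest
    {
        Destination = idpLocation,
        Issuer = new Issuer(fromSpEntityId),
        ForceAuthn = false,
        NameIDPolicy = new NameIDPolicy(null, null, true),
    };

    // Serialize the authentication request to XML for transmission.
    var authnRequestXml = authnRequest.ToXml();

    var signingCertificate = _certificates.GetSigningCertificate();
    if (signingCertificate == null || !signingCertificate.HasPrivateKey)
    {
        throw new InvalidOperationException("No service provider signing certificate with a private key is available.");
    }

    // The enveloped XML signature is only applied for non-redirect bindings: with HTTP-Redirect
    // the signed XML makes the generated query string too long for most browsers, so that
    // binding is signed with the detached query-string signature instead (below).
    if (idpBinding != Saml2SsoBinding.HttpRedirect)
    {
        SAMLMessageSignature.Generate(authnRequestXml, signingCertificate.PrivateKey, signingCertificate);
    }

    // Create and cache the relay state so we remember which SP resource the user wishes to access after SSO.
    // NOTE(review): returnUrl is cached verbatim; the code that redirects to it after SSO
    // must validate that it is a local/allow-listed URL — not visible here.
    SAML.HttpContext = httpContext;
    string relayState = null;
    if (!string.IsNullOrWhiteSpace(returnUrl))
    {
        relayState = RelayStateCache.Add(new RelayState(returnUrl, null));
    }

    // Send the authentication request to the identity provider over the configured binding.
    switch (idpBinding)
    {
        case Saml2SsoBinding.HttpPost:
            ServiceProvider.SendAuthnRequestByHTTPPost(httpContext.Response, idpLocation, authnRequestXml, relayState);
            httpContext.Response.End();
            break;

        case Saml2SsoBinding.HttpRedirect:
            ServiceProvider.SendAuthnRequestByHTTPRedirect(httpContext.Response, idpLocation, authnRequestXml, relayState, signingCertificate.PrivateKey);
            break;

        default:
            throw new NotSupportedException(string.Format(
                "The '{0}' binding is currently not supported.", idpBinding.AsUriString()));
    }
}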
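// Build a SAML 2.0 AuthnRequest and deliver it to the IdP over the requested binding.
//
// idpLocation    - IdP single sign-on endpoint; also used as the request Destination.
// idpBinding     - HttpPost or HttpRedirect; other values raise NotSupportedException.
// fromSpEntityId - this SP's entity ID, sent as the Issuer.
// returnUrl      - optional SP resource to return to after SSO, cached as relay state.
// httpContext    - request context whose Response carries the POST form or redirect.
//
// The SP signing certificate from the store signs both bindings: HTTP-POST gets an
// enveloped XML signature, HTTP-Redirect gets the binding's detached query-string signature
// through the private key handed to SendAuthnRequestByHTTPRedirect.
//
// The redirect path formerly signed with the encryption certificate's private key. Since
// the IdP checks the redirect signature against the SP's *signing* certificate in metadata,
// that only works when the store returns one certificate for both roles; with distinct
// certificates the signature would fail to validate. Using the signing key is correct in both cases.
//
// Throws InvalidOperationException if no signing certificate with a private key is available.
public void SendAuthnRequest(string idpLocation, Saml2SsoBinding idpBinding, string fromSpEntityId, string returnUrl, HttpContextBase httpContext)
{
    // Create the authentication request.
    var authnRequest = new AuthnRequest
    {
        Destination = idpLocation,
        Issuer = new Issuer(fromSpEntityId),
        ForceAuthn = false,
        NameIDPolicy = new NameIDPolicy(null, null, true),
    };

    // Serialize the authentication request to XML for transmission.
    var authnRequestXml = authnRequest.ToXml();

    var signingCertificate = _certificates.GetSigningCertificate();
    if (signingCertificate == null || !signingCertificate.HasPrivateKey)
        throw new InvalidOperationException("No service provider signing certificate with a private key is available.");

    // Enveloped XML signature for the non-redirect bindings only: with HTTP-Redirect the signed
    // XML makes the query string too long for most browsers, so the detached signature is used.
    if (idpBinding != Saml2SsoBinding.HttpRedirect)
        SAMLMessageSignature.Generate(authnRequestXml, signingCertificate.PrivateKey, signingCertificate);

    // Create and cache the relay state so we remember which SP resource the user wishes to access after SSO.
    // NOTE(review): returnUrl is cached as given; the post-SSO redirect (not visible here)
    // must validate it is a local/allow-listed URL.
    SAML.HttpContext = httpContext;
    string relayState = null;
    if (!string.IsNullOrWhiteSpace(returnUrl))
        relayState = RelayStateCache.Add(new RelayState(returnUrl, null));

    // Send the authentication request to the identity provider over the configured binding.
    switch (idpBinding)
    {
        case Saml2SsoBinding.HttpPost:
            ServiceProvider.SendAuthnRequestByHTTPPost(httpContext.Response, idpLocation, authnRequestXml, relayState);
            httpContext.Response.End();
            break;

        case Saml2SsoBinding.HttpRedirect:
            ServiceProvider.SendAuthnRequestByHTTPRedirect(httpContext.Response, idpLocation, authnRequestXml, relayState, signingCertificate.PrivateKey);
            break;

        default:
            throw new NotSupportedException(string.Format(
                "The '{0}' binding is currently not supported.", idpBinding.AsUriString()));
    }
}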
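// Smoke test for SHA-256 XML signatures and HTTP-Redirect signatures.
//
// Usage: program [pfxPath] [pfxPassword]
// Defaults are "idp.pfx" / "password" so the existing test fixture still works unchanged;
// passing them on the command line avoids baking a PFX password into a shipped binary.
//
// Signs a minimal SAML assertion with RSA-SHA256, verifies it, then builds a signed
// HTTP-Redirect URL for a minimal AuthnRequest and verifies that too. A verification
// failure is reported as an exception rather than just printed, so the run is loud about it.
static void Main(string[] args)
{
    try
    {
#if DOTNET45
        // Register the SHA-256 cryptographic algorithm.
        // Only supported in .NET 4.5 and above.
        CryptoConfig.AddAlgorithm(typeof(RSAPKCS1SHA256SignatureDescription), "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256");
#endif

        // Load the certificate and private key for signature generation.
        string pfxPath = args.Length > 0 ? args[0] : "idp.pfx";
        string pfxPassword = args.Length > 1 ? args[1] : "password";
        X509Certificate2 x509Certificate = new X509Certificate2(pfxPath, pfxPassword);

        // Create a basic SAML assertion and serialize it to XML.
        SAMLAssertion samlAssertion = new SAMLAssertion();
        samlAssertion.Issuer = new Issuer("test");
        XmlElement samlAssertionElement = samlAssertion.ToXml();

        // Sign the SAML assertion using SHA-256 for the digest and signature algorithms.
        SAMLAssertionSignature.Generate(samlAssertionElement, x509Certificate.PrivateKey, x509Certificate, null, "http://www.w3.org/2001/04/xmlenc#sha256", "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256");
        Console.WriteLine("Signed SAML assertion: {0}", samlAssertionElement.OuterXml);

        // Verify the signature.
        bool verified = SAMLAssertionSignature.Verify(samlAssertionElement);
        Console.WriteLine("Signature verified: {0}", verified);
        if (!verified)
        {
            throw new InvalidOperationException("The XML signature failed to verify.");
        }

        // The HTTP-redirect doesn't use XML signatures so check it separately.
        // Create a basic authn request and serialize it to XML.
        AuthnRequest authnRequest = new AuthnRequest();
        authnRequest.Issuer = new Issuer("test");
        XmlElement authnRequestElement = authnRequest.ToXml();

        // Create the HTTP-redirect URL including the SHA-256 signature.
        string url = HTTPRedirectBinding.CreateRequestRedirectURL("http://www.test.com", authnRequestElement, null, x509Certificate.PrivateKey, HTTPRedirectBinding.SignatureAlgorithms.RSA_SHA256);

        string relayState = null;
        bool signed = false;

        // Retrieve the authn request from the HTTP-redirect URL and verify the signature.
        HTTPRedirectBinding.GetRequestFromRedirectURL(url, out authnRequestElement, out relayState, out signed, x509Certificate.PublicKey.Key);
        Console.WriteLine("HTTP-redirect signature present and verified: {0}", signed);
        if (!signed)
        {
            // We signed the URL ourselves, so a "not signed" result means the signature was
            // lost or rejected; treat it as a failure of the round trip.
            throw new InvalidOperationException("The HTTP-redirect signature was not found or did not verify.");
        }
    }
    catch (Exception exception)
    {
        // If signature generation/verification fails then most likely the .NET CLR security update
        // hasn't been installed and configured correctly or the inbuilt .NET SHA-256 support hasn't been initialized.
        Console.WriteLine(exception.ToString());
    }
}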
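// Round-trip test of one digest/signature algorithm pair.
//
// x509Certificate - certificate with private key used for signing; its public key verifies.
// digestMethod    - XML-DSig digest algorithm URI passed to SAMLAssertionSignature.Generate.
// signatureMethod - signature algorithm URI used for both the XML signature and the
//                   HTTP-Redirect query-string signature.
//
// Signs and verifies a minimal SAML assertion, then builds a signed HTTP-Redirect URL for a
// minimal AuthnRequest and verifies it. Any failure (exception, unverified XML signature, or
// a redirect URL whose signature is missing/unverified) is reported to the console; nothing
// is thrown to the caller because this is a diagnostic harness that tries several algorithms.
private static void SignAndVerify(X509Certificate2 x509Certificate, string digestMethod, string signatureMethod)
{
    try
    {
        Console.WriteLine("Testing signature generation and verification using \"{0}\".", signatureMethod);

        // Create a basic SAML assertion and serialize it to XML.
        SAMLAssertion samlAssertion = new SAMLAssertion();
        samlAssertion.Issuer = new Issuer("test");
        XmlElement samlAssertionElement = samlAssertion.ToXml();

        // Sign the SAML assertion using the specified digest and signature methods.
        SAMLAssertionSignature.Generate(samlAssertionElement, x509Certificate.PrivateKey, x509Certificate, null, digestMethod, signatureMethod);

        // Verify the signature.
        bool verified = SAMLAssertionSignature.Verify(samlAssertionElement);
        if (!verified)
        {
            throw new InvalidOperationException("The XML signature failed to verify.");
        }

        // The HTTP-redirect doesn't use XML signatures so check it separately.
        // Create a basic authn request and serialize it to XML.
        AuthnRequest authnRequest = new AuthnRequest();
        authnRequest.Issuer = new Issuer("test");
        XmlElement authnRequestElement = authnRequest.ToXml();

        // Create the HTTP-redirect URL including the signature.
        string url = HTTPRedirectBinding.CreateRequestRedirectURL("http://www.test.com", authnRequestElement, null, x509Certificate.PrivateKey, signatureMethod);

        string relayState = null;
        bool signed = false;

        // Retrieve the authn request from the HTTP-redirect URL and verify the signature.
        HTTPRedirectBinding.GetRequestFromRedirectURL(url, out authnRequestElement, out relayState, out signed, x509Certificate.PublicKey.Key);

        // The URL was created with a private key, so the parsed request must report a
        // signature; previously this flag was discarded and an unsigned round trip passed silently.
        if (!signed)
        {
            throw new InvalidOperationException("The HTTP-redirect signature was not found or did not verify.");
        }

        Console.WriteLine("Signature generation and verification using \"{0}\" was successful.", signatureMethod);
    }
    catch (Exception exception)
    {
        Console.WriteLine("Signature generation and verification using \"{0}\" failed.", signatureMethod);
        Console.WriteLine(exception.ToString());
    }
}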
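// Create an (unsigned) authentication request for the configured IdP.
//
// The Destination is taken from Configuration.SingleSignOnServiceURL again. A
// tenant-specific login.microsoftonline.com endpoint had been substituted inline with
// the configured value commented out; that pins one environment's IdP into the build and
// silently bypasses deployment configuration, so the literal is removed.
//
// Returns: the serialized AuthnRequest element. No signature is applied here.
// Throws:  InvalidOperationException if no single sign-on URL is configured, so the
//          request is never sent with an empty Destination.
private XmlElement CreateAuthnRequest()
{
    string singleSignOnServiceUrl = Configuration.SingleSignOnServiceURL;
    if (string.IsNullOrEmpty(singleSignOnServiceUrl))
    {
        throw new InvalidOperationException("No single sign-on service URL is configured for the identity provider.");
    }

    // Create the authentication request.
    AuthnRequest authnRequest = new AuthnRequest();
    authnRequest.Destination = singleSignOnServiceUrl;
    // TODO(review): the issuer is a fixed localhost entity ID; it must match the SP entity ID
    // registered with the IdP, so it should come from configuration like the destination does.
    authnRequest.Issuer = new Issuer("http://localhost/WebDrawer");
    authnRequest.ForceAuthn = false;
    authnRequest.NameIDPolicy = new NameIDPolicy(null, null, true);

    // Serialize the authentication request to XML for transmission.
    XmlElement authnRequestXml = authnRequest.ToXml();

    return authnRequestXml;
}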
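// Create an authentication request.
//
// Builds a SAML 2.0 AuthnRequest for Configuration.SingleSignOnServiceURL, identifying this
// service provider by its absolute root URL. For every SSO binding other than HTTP-Redirect
// the request is signed with the SP certificate held in Application[Global.SPX509Certificate].
//
// Returns: the serialized AuthnRequest element, signed for non-redirect bindings.
// Throws:  InvalidOperationException when signing is required but no SP certificate with a
//          private key is loaded in application state (was a NullReferenceException).
private XmlElement CreateAuthnRequest()
{
    // Create the authentication request.
    AuthnRequest authnRequest = new AuthnRequest();
    authnRequest.Destination = Configuration.SingleSignOnServiceURL;
    authnRequest.Issuer = new Issuer(CreateAbsoluteURL("~/"));
    authnRequest.ForceAuthn = false;
    authnRequest.NameIDPolicy = new NameIDPolicy(null, null, true);

    // Serialize the authentication request to XML for transmission.
    XmlElement authnRequestXml = authnRequest.ToXml();

    // An enveloped XML signature is only applied for non-redirect bindings: with HTTP-Redirect
    // the signed XML makes the generated query string too long for most browsers.
    // NOTE(review): a redirect-bound request therefore leaves here unsigned. HTTP-Redirect has
    // its own detached signature (SigAlg/Signature query parameters); if the IdP requires
    // signed requests, the code that builds the redirect URL (not visible here) must apply it.
    if (Configuration.SingleSignOnServiceBinding != SAMLIdentifiers.Binding.HTTPRedirect)
    {
        X509Certificate2 x509Certificate = Application[Global.SPX509Certificate] as X509Certificate2;
        if (x509Certificate == null || !x509Certificate.HasPrivateKey)
        {
            throw new InvalidOperationException(
                "The service provider signing certificate (with private key) is not loaded in application state.");
        }

        // Sign the authentication request.
        SAMLMessageSignature.Generate(authnRequestXml, x509Certificate.PrivateKey, x509Certificate);
    }

    return authnRequestXml;
}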
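// Create an authentication request.
//
// Produces the SAML 2.0 AuthnRequest for Configuration.SingleSignOnServiceURL with
// Configuration.Issuer as the service provider entity ID. Unless the configured SSO binding
// is HTTP-Redirect, the XML is signed with the SP certificate in Application[Global.SPX509Certificate].
//
// Returns: the serialized AuthnRequest element, signed for non-redirect bindings.
// Throws:  InvalidOperationException if signing is required but application state holds no
//          SP certificate with a private key (previously surfaced as a NullReferenceException).
private XmlElement CreateAuthnRequest()
{
    // Create the authentication request.
    AuthnRequest authnRequest = new AuthnRequest
    {
        Destination = Configuration.SingleSignOnServiceURL,
        Issuer = new Issuer(Configuration.Issuer),
        ForceAuthn = false,
        NameIDPolicy = new NameIDPolicy(null, null, true)
    };

    // Serialize the authentication request to XML for transmission.
    XmlElement authnRequestXml = authnRequest.ToXml();

    // Only non-redirect bindings carry an enveloped XML signature; with HTTP-Redirect the signed
    // XML makes the generated query string too long for most browsers.
    // NOTE(review): redirect-bound requests leave here unsigned. HTTP-Redirect defines a detached
    // signature (SigAlg/Signature query parameters) — if the IdP demands signed requests, the
    // redirect URL builder (not visible here) has to add it.
    bool signRequest = Configuration.SingleSignOnServiceBinding != SAMLIdentifiers.Binding.HTTPRedirect;
    if (signRequest)
    {
        X509Certificate2 spCertificate = Application[Global.SPX509Certificate] as X509Certificate2;
        if (spCertificate == null || !spCertificate.HasPrivateKey)
        {
            throw new InvalidOperationException(
                "The service provider signing certificate (with private key) is not loaded in application state.");
        }

        // Sign the authentication request.
        SAMLMessageSignature.Generate(authnRequestXml, spCertificate.PrivateKey, spCertificate);
    }

    return authnRequestXml;
}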
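// Thumbprint of the SP certificate (LocalMachine\My) whose private key signs outgoing
// AuthnRequests. A thumbprint is a public identifier, not a secret, so it may live in
// source; the intended design is to resolve the certificate through IStoreSamlCertificates,
// fed by the "SamlTestCertificateThumbprint" app setting, rather than pin it here.
private const string SigningCertificateThumbprint = "1945D599DF7F3B3D6513C87A8CDDF4CE6E0899B6";

// Find the SP signing certificate in the LocalMachine\My store by thumbprint.
//
// validOnly is false because a self-signed SAML signing certificate does not chain to a
// trusted root and would otherwise be filtered out; the thumbprint pins the exact certificate.
// Throws InvalidOperationException if nothing matches or the match carries no private key.
private static X509Certificate2 FindSigningCertificate(string thumbprint)
{
    var store = new X509Store(StoreName.My, StoreLocation.LocalMachine);
    try
    {
        store.Open(OpenFlags.ReadOnly);
        var found = store.Certificates.Find(X509FindType.FindByThumbprint, thumbprint, false);
        if (found.Count < 1)
        {
            throw new InvalidOperationException(string.Format(
                "Could not find certificate with thumbprint '{0}' in My LocalMachine store.", thumbprint));
        }

        var certificate = found[0];
        if (!certificate.HasPrivateKey)
        {
            throw new InvalidOperationException(string.Format(
                "Certificate with thumbprint '{0}' has no private key and cannot sign AuthnRequests.", thumbprint));
        }

        return certificate;
    }
    finally
    {
        store.Close();
    }
}

// Build a SAML 2.0 AuthnRequest and send it to the IdP over the requested binding.
//
// idpLocation    - the IdP single sign-on endpoint (also the request Destination).
// idpBinding     - HttpPost or HttpRedirect; anything else raises NotSupportedException.
// fromSpEntityId - this service provider's entity ID, sent as the Issuer.
// returnUrl      - optional SP resource to return to after SSO; cached as relay state.
// httpContext    - request context whose Response carries the POST form or redirect.
//
// The SP signing certificate from the store signs both bindings: an enveloped XML signature
// for HTTP-POST and the detached query-string signature (via the private key handed to
// SendAuthnRequestByHTTPRedirect) for HTTP-Redirect.
//
// The previous version of the redirect path read an encrypted PEM private key from an
// absolute path under a developer's home directory using the literal password
// "WRONG_PASSWORD", paired it with a .cer from the same location, and never disposed the
// StreamReader. Key material, file paths and passwords do not belong in source; the
// certificate store lookup replaces all of that and also needs no BouncyCastle PEM parsing.
public void SendAuthnRequest(string idpLocation, Saml2SsoBinding idpBinding, string fromSpEntityId, string returnUrl, HttpContextBase httpContext)
{
    // Create the authentication request. ForceAuthn = true asks the IdP to re-authenticate
    // the user even when an IdP session already exists.
    var authnRequest = new AuthnRequest
    {
        Destination = idpLocation,
        Issuer = new Issuer(fromSpEntityId),
        ForceAuthn = true,
        NameIDPolicy = new NameIDPolicy(null, null, true),
    };

    // Serialize the authentication request to XML for transmission.
    var authnRequestXml = authnRequest.ToXml();

    var signingCertificate = FindSigningCertificate(SigningCertificateThumbprint);

    // Enveloped XML signature for HTTP-POST only: with HTTP-Redirect the signed XML makes the
    // generated query string too long for most browsers, so the detached signature is used there.
    if (idpBinding != Saml2SsoBinding.HttpRedirect)
    {
        SAMLMessageSignature.Generate(authnRequestXml, signingCertificate.PrivateKey, signingCertificate);
    }

    // Create and cache the relay state so we remember which SP resource the user wishes to access after SSO.
    // NOTE(review): returnUrl is cached as given; the post-SSO redirect (not visible here)
    // must validate that it is a local/allow-listed URL.
    // NOTE(review): the DI-based variant of this method sets SAML.HttpContext before caching
    // relay state; confirm whether RelayStateCache needs it in this context.
    string relayState = null;
    if (!string.IsNullOrWhiteSpace(returnUrl))
    {
        relayState = RelayStateCache.Add(new RelayState(returnUrl, null));
    }

    // Send the authentication request to the identity provider over the configured binding.
    switch (idpBinding)
    {
        case Saml2SsoBinding.HttpPost:
            ServiceProvider.SendAuthnRequestByHTTPPost(httpContext.Response, idpLocation, authnRequestXml, relayState);
            httpContext.Response.End();
            break;

        case Saml2SsoBinding.HttpRedirect:
            // The SP signing key produces the detached redirect signature, which the IdP
            // verifies against the signing certificate published in SP metadata.
            ServiceProvider.SendAuthnRequestByHTTPRedirect(httpContext.Response, idpLocation, authnRequestXml, relayState, signingCertificate.PrivateKey);
            break;

        default:
            throw new NotSupportedException(string.Format(
                "The '{0}' binding is currently not supported.", idpBinding));
    }
}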