static void Main(string[] args)
{
try {
#if DOTNET45
// Register the SHA-256 cryptographic algorithm.
// Only supported in .NET 4.5 and above.
CryptoConfig.AddAlgorithm(typeof(RSAPKCS1SHA256SignatureDescription), "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256");
#endif
// Load the certificate and private key for signature generation.
X509Certificate2 x509Certificate = new X509Certificate2("idp.pfx", "password");
// Create a basic SAML assertion and serialize it to XML.
SAMLAssertion samlAssertion = new SAMLAssertion();
samlAssertion.Issuer = new Issuer("test");
XmlElement samlAssertionElement = samlAssertion.ToXml();
// Sign the SAML assertion using SHA-256 for the digest and signature algorithms.
SAMLAssertionSignature.Generate(samlAssertionElement, x509Certificate.PrivateKey, x509Certificate, null, "http://www.w3.org/2001/04/xmlenc#sha256", "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256");
Console.WriteLine("Signed SAML assertion: {0}", samlAssertionElement.OuterXml);
// Verify the signature.
bool verified = SAMLAssertionSignature.Verify(samlAssertionElement);
Console.WriteLine("Signature verified: {0}", verified);
// The HTTP-redirect doesn't use XML signatures so check it separately.
// Create a basic authn request and serialize it to XML.
AuthnRequest authnRequest = new AuthnRequest();
authnRequest.Issuer = new Issuer("test");
XmlElement authnRequestElement = authnRequest.ToXml();
// Create the HTTP-redirect URL included the SHA-256 signature.
string url = HTTPRedirectBinding.CreateRequestRedirectURL("http://www.test.com", authnRequestElement, null, x509Certificate.PrivateKey, HTTPRedirectBinding.SignatureAlgorithms.RSA_SHA256);
string relayState = null;
bool signed = false;
// Retrieve the authn request from the HTTP-redirect URL and verify the signature.
HTTPRedirectBinding.GetRequestFromRedirectURL(url, out authnRequestElement, out relayState, out signed, x509Certificate.PublicKey.Key);
}
catch (Exception exception) {
// If signature generation/verification fails then most likely the .NET CLR security update
// hasn't been installed and configured correctly or the inbuilt .NET SHA-256 support hasn't been initialized.
Console.WriteLine(exception.ToString());
}
}
private static void SignAndVerify(X509Certificate2 x509Certificate, string digestMethod, string signatureMethod)
{
try
{
Console.WriteLine("Testing signature generation and verification using \"{0}\".", signatureMethod);
// Create a basic SAML assertion and serialize it to XML.
SAMLAssertion samlAssertion = new SAMLAssertion();
samlAssertion.Issuer = new Issuer("test");
XmlElement samlAssertionElement = samlAssertion.ToXml();
// Sign the SAML assertion using the specified digest and signature methods.
SAMLAssertionSignature.Generate(samlAssertionElement, x509Certificate.PrivateKey, x509Certificate, null, digestMethod, signatureMethod);
// Verify the signature.
bool verified = SAMLAssertionSignature.Verify(samlAssertionElement);
if (!verified)
{
throw new Exception("The XML signature failed to verify.");
}
// The HTTP-redirect doesn't use XML signatures so check it separately.
// Create a basic authn request and serialize it to XML.
AuthnRequest authnRequest = new AuthnRequest();
authnRequest.Issuer = new Issuer("test");
XmlElement authnRequestElement = authnRequest.ToXml();
// Create the HTTP-redirect URL included the signature.
string url = HTTPRedirectBinding.CreateRequestRedirectURL("http://www.test.com", authnRequestElement, null, x509Certificate.PrivateKey, signatureMethod);
string relayState = null;
bool signed = false;
// Retrieve the authn request from the HTTP-redirect URL and verify the signature.
HTTPRedirectBinding.GetRequestFromRedirectURL(url, out authnRequestElement, out relayState, out signed, x509Certificate.PublicKey.Key);
Console.WriteLine("Signature generation and verification using \"{0}\" was successful.", signatureMethod);
}
catch (Exception exception)
{
Console.WriteLine("Signature generation and verification using \"{0}\" failed.", signatureMethod);
Console.WriteLine(exception.ToString());
}
}
private static XmlElement CreateSamlResponse(string assertionConsumerServiceUrl, List <SAMLAttribute> attributes, string requestId = null, bool signAssertion = false, bool signResponse = false, bool encryptAssertion = false)
{
var samlResponse = new SAMLResponse {
Destination = assertionConsumerServiceUrl
};
var issuer = new Issuer(SAMLConfiguration.Current.IdentityProviderConfiguration.Name);
var issuerX509CertificateFilePath = Path.Combine(HttpRuntime.AppDomainAppPath, SAMLConfiguration.Current.IdentityProviderConfiguration.CertificateFile);
var issuerX509Certificate = new X509Certificate2(issuerX509CertificateFilePath, SAMLConfiguration.Current.IdentityProviderConfiguration.CertificatePassword);
var partner = SessionHelper.Get <string>(PartnerSpSessionKey) ?? SAMLConfiguration.Current.ServiceProviderConfiguration.Name;
var partnerConfig = SAMLConfiguration.Current.PartnerServiceProviderConfigurations[partner];
var partnerX509CertificateFilePath = string.Empty;
var partnerX509Certificate = null as X509Certificate2;
if (partnerConfig != null)
{
partnerX509CertificateFilePath = Path.Combine(HttpRuntime.AppDomainAppPath, partnerConfig.CertificateFile);
partnerX509Certificate = new X509Certificate2(partnerX509CertificateFilePath);
signAssertion = partnerConfig.SignAssertion;
signResponse = partnerConfig.SignSAMLResponse;
encryptAssertion = partnerConfig.EncryptAssertion;
}
samlResponse.Issuer = issuer;
samlResponse.Status = new Status(SAMLIdentifiers.PrimaryStatusCodes.Success, null);
samlResponse.IssueInstant = DateTime.Now;
samlResponse.InResponseTo = requestId;
var samlAssertion = new SAMLAssertion {
Issuer = issuer, IssueInstant = samlResponse.IssueInstant
};
var profileId = attributes.Where(a => a.Name == PortalClaimTypes.ProfileId).Select(a => a.Values[0].ToString()).FirstOrDefault();
var subject = new Subject(new NameID(profileId));
var subjectConfirmation = new SubjectConfirmation(SAMLIdentifiers.SubjectConfirmationMethods.Bearer);
var subjectConfirmationData = new SubjectConfirmationData {
Recipient = assertionConsumerServiceUrl
};
subjectConfirmation.SubjectConfirmationData = subjectConfirmationData;
subject.SubjectConfirmations.Add(subjectConfirmation);
samlAssertion.Subject = subject;
var conditions = new Conditions(DateTime.Now, DateTime.Now.AddDays(1));
var audienceRestriction = new AudienceRestriction();
audienceRestriction.Audiences.Add(new Audience(partner));
conditions.ConditionsList.Add(audienceRestriction);
samlAssertion.Conditions = conditions;
var authnStatement = new AuthnStatement {
AuthnContext = new AuthnContext(), AuthnInstant = samlResponse.IssueInstant
};
authnStatement.AuthnContext.AuthnContextClassRef = new AuthnContextClassRef(SAMLIdentifiers.AuthnContextClasses.X509);
samlAssertion.Statements.Add(authnStatement);
attributes.ForEach(a =>
{
var attributeStatement = new AttributeStatement();
attributeStatement.Attributes.Add(a);
samlAssertion.Statements.Add(attributeStatement);
});
var samlAssertionXml = samlAssertion.ToXml();
if (signAssertion)
{
SAMLAssertionSignature.Generate(samlAssertionXml, issuerX509Certificate.PrivateKey, issuerX509Certificate);
}
if (encryptAssertion)
{
var encryptedAssertion = new EncryptedAssertion(samlAssertionXml, partnerX509Certificate);
samlResponse.Assertions.Add(encryptedAssertion.ToXml());
}
else
{
samlResponse.Assertions.Add(samlAssertionXml);
}
var samlResponseXml = samlResponse.ToXml();
if (signResponse)
{
SAMLMessageSignature.Generate(samlResponseXml, issuerX509Certificate.PrivateKey, issuerX509Certificate);
}
return(samlResponseXml);
}
private static void SignAssertion(XmlElement xmlElement)
{
Console.Error.WriteLine("Signing SAML assertion");
SAMLAssertionSignature.Generate(xmlElement, x509Certificate.PrivateKey, x509Certificate);
}