private static void VerifyAssertion(XmlElement xmlElement)
{
Console.Error.WriteLine("Verifying SAML assertion");
if (SAMLAssertionSignature.IsSigned(xmlElement))
{
bool verified = SAMLAssertionSignature.Verify(xmlElement, x509Certificate);
Console.Error.WriteLine("Verified: " + verified);
}
else
{
Console.Error.WriteLine("The SAML assertion isn't signed");
}
}
// Process a successful SAML response.
private void ProcessSuccessSAMLResponse(SAMLResponse samlResponse, string relayState)
{
Trace.Write("SP", "Processing successful SAML response");
// Extract the asserted identity from the SAML response.
// The SAML assertion may be signed or encrypted and signed.
SAMLAssertion samlAssertion = null;
if (samlResponse.GetUnsignedAssertions().Count > 0)
{
samlAssertion = samlResponse.GetUnsignedAssertions()[0];
}
else if (samlResponse.GetSignedAssertions().Count > 0)
{
Trace.Write("SP", "Verifying assertion signature");
XmlElement samlAssertionXml = samlResponse.GetSignedAssertions()[0];
// Verify the assertion signature. The embedded signing certificate is used.
if (!SAMLAssertionSignature.Verify(samlAssertionXml))
{
throw new ArgumentException("The SAML assertion signature failed to verify.");
}
samlAssertion = new SAMLAssertion(samlAssertionXml);
}
else if (samlResponse.GetEncryptedAssertions().Count > 0)
{
Trace.Write("SP", "Decrypting assertion");
// Load the decryption key.
X509Certificate2 x509Certificate = (X509Certificate2)Application[Global.SPX509Certificate];
// Decrypt the encrypted assertion.
XmlElement samlAssertionXml = samlResponse.GetEncryptedAssertions()[0].DecryptToXml(x509Certificate.PrivateKey, null, null);
if (SAMLAssertionSignature.IsSigned(samlAssertionXml))
{
Trace.Write("SP", "Verifying assertion signature");
// Verify the assertion signature. The embedded signing certificate is used.
if (!SAMLAssertionSignature.Verify(samlAssertionXml))
{
throw new ArgumentException("The SAML assertion signature failed to verify.");
}
}
samlAssertion = new SAMLAssertion(samlAssertionXml);
}
else
{
throw new ArgumentException("No assertions in response");
}
// Get the subject name identifier.
string userName = null;
if (samlAssertion.Subject.NameID != null)
{
userName = samlAssertion.Subject.NameID.NameIdentifier;
}
if (string.IsNullOrEmpty(userName))
{
throw new ArgumentException("The SAML assertion doesn't contain a subject name.");
}
// Create a login context for the asserted identity.
Trace.Write("SP", "Automatically logging in user " + userName);
FormsAuthentication.SetAuthCookie(userName, false);
// Get the originally requested resource URL from the relay state, if any.
string redirectURL = "~/";
RelayState cachedRelayState = RelayStateCache.Remove(relayState);
if (cachedRelayState != null)
{
redirectURL = cachedRelayState.ResourceURL;
}
// Redirect to the originally requested resource URL, if any, or the default page.
Trace.Write("SP", "Redirecting to " + redirectURL);
Response.Redirect(redirectURL, false);
Trace.Write("SP", "Processed successful SAML response");
}
public ActionResult UploadSaml(FormCollection formCollection)
{
var attributes = new List <SAMLAttribute>();
var errorMessages = new List <string>();
var xmlDoc = null as XmlDocument;
SessionHelper.Set(SamlAttributesSessionKey, null);
SessionHelper.Set(SamlErrorMessagesSessionKey, null);
if (Request != null)
{
var file = Request.Files["SamlFile"];
if ((file != null) && (file.ContentLength > 0) && !string.IsNullOrEmpty(file.FileName))
{
try
{
xmlDoc = new XmlDocument();
xmlDoc.Load(file.InputStream);
var samlValidator = new SAMLValidator();
var isValid = samlValidator.Validate(xmlDoc);
if (!isValid)
{
errorMessages.AddRange(samlValidator.Warnings.Select(warning => string.Format("Warning:, {0}", warning.Message)));
errorMessages.AddRange(samlValidator.Errors.Select(error => error.Message));
}
if (SAMLMessageSignature.IsSigned(xmlDoc.DocumentElement))
{
if (!SAMLMessageSignature.Verify(xmlDoc.DocumentElement))
{
errorMessages.Add(string.Format("Failed to verify SAML response signature. [{0}]", xmlDoc.OuterXml));
}
}
var samlResponse = new SAMLResponse(xmlDoc.DocumentElement);
var assertions = samlResponse.GetAssertions();
var encryptedAssertions = samlResponse.GetEncryptedAssertions();
var signedAssertions = samlResponse.GetSignedAssertions();
var x509CertificateFilePath = Path.Combine(HttpRuntime.AppDomainAppPath, SAMLConfiguration.Current.ServiceProviderConfiguration.CertificateFile);
var x509Certificate = new X509Certificate2(x509CertificateFilePath, SAMLConfiguration.Current.ServiceProviderConfiguration.CertificatePassword);
encryptedAssertions.ForEach(a =>
{
var decryptedAssertion = a.DecryptToXml(x509Certificate);
assertions.Add(new SAMLAssertion(decryptedAssertion));
});
signedAssertions.ForEach(a =>
{
if (SAMLAssertionSignature.IsSigned(a))
{
if (!SAMLAssertionSignature.Verify(a))
{
errorMessages.Add(string.Format("Failed to verify SAML assertion signature. [{0}]", a.OuterXml));
}
}
assertions.Add(new SAMLAssertion(a));
});
assertions.ForEach(a =>
{
var nameId = a.GetNameID();
if (!string.IsNullOrEmpty(nameId))
{
attributes.Add("NameId", nameId);
}
a.GetAttributeStatements().ForEach(
s => attributes.AddRange(from object attribute in s.Attributes
select attribute as SAMLAttribute));
});
}
catch (Exception ex)
{
var saml = xmlDoc != null ? xmlDoc.OuterXml : string.Empty;
_logger.Log(ex);
errorMessages.Add(string.Format("{0} [{1}]", ex.Message, saml));
}
}
}
SessionHelper.Set(SamlAttributesSessionKey, attributes.ToArray());
SessionHelper.Set(SamlErrorMessagesSessionKey, errorMessages);
return(Redirect(TestTargetUrl));
}