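/// <summary>
/// Unbinds a SAML 2.0 message carried in the HTTP Redirect binding (HTTP GET query string).
/// Checks the HTTP method and the presence of the message parameter, captures RelayState, and —
/// when signature validation certificates are available — verifies the detached query-string
/// signature before the message itself is read.
/// </summary>
/// <param name="request">The incoming HTTP request.</param>
/// <param name="saml2RequestResponse">The SAML request/response object to populate.</param>
/// <param name="messageName">Query parameter name that carries the message (SAMLRequest / SAMLResponse).</param>
/// <returns>The populated <paramref name="saml2RequestResponse"/>.</returns>
/// <exception cref="InvalidSaml2BindingException">The request is not an HTTP GET.</exception>
/// <exception cref="Saml2BindingException">A required query parameter is missing, the signature algorithm
/// does not match the expected one, or the Signature parameter is not valid Base64.</exception>
protected override Saml2Request UnbindInternal(HttpRequest request, Saml2Request saml2RequestResponse, string messageName)
{
    UnbindInternal(request, saml2RequestResponse);

    if (!"GET".Equals(request.Method, StringComparison.InvariantCultureIgnoreCase))
    {
        throw new InvalidSaml2BindingException("Not HTTP GET Method.");
    }
    if (!request.Query.AllKeys.Contains(messageName))
    {
        throw new Saml2BindingException("HTTP Query String does not contain " + messageName);
    }

    // AuthnRequests are only verified when the configuration asks for signed AuthnRequests; every other
    // message type is verified whenever validation certificates are present. Evaluated once, used twice.
    var signatureRequired = (!(saml2RequestResponse is Saml2AuthnRequest) || saml2RequestResponse.Config.SignAuthnRequest)
        && saml2RequestResponse.SignatureValidationCertificates != null
        && saml2RequestResponse.SignatureValidationCertificates.Any();

    if (signatureRequired)
    {
        if (!request.Query.AllKeys.Contains(Saml2Constants.Message.Signature))
        {
            throw new Saml2BindingException("HTTP Query String does not contain " + Saml2Constants.Message.Signature);
        }
        if (!request.Query.AllKeys.Contains(Saml2Constants.Message.SigAlg))
        {
            throw new Saml2BindingException("HTTP Query String does not contain " + Saml2Constants.Message.SigAlg);
        }
    }

    if (request.Query.AllKeys.Contains(Saml2Constants.Message.RelayState))
    {
        RelayState = request.Query[Saml2Constants.Message.RelayState];
    }

    if (signatureRequired)
    {
        // SigAlg comes from the wire and is attacker-controlled. It is adopted as-is only when no expected
        // algorithm is known (the shared UnbindInternal defaults it from Config first, so this branch only
        // fires when nothing is configured); otherwise it must match exactly. In both cases it still has to
        // pass Cryptography.SignatureAlgorithm.ValidateAlgorithm below.
        var actualSignatureAlgorithm = request.Query[Saml2Constants.Message.SigAlg];
        if (saml2RequestResponse.SignatureAlgorithm == null)
        {
            saml2RequestResponse.SignatureAlgorithm = actualSignatureAlgorithm;
        }
        else if (!saml2RequestResponse.SignatureAlgorithm.Equals(actualSignatureAlgorithm, StringComparison.InvariantCulture))
        {
            // A mismatch is a binding-level validation failure; surface it as a binding exception rather
            // than a bare System.Exception so callers can distinguish it from internal faults.
            throw new Saml2BindingException($"Signature Algorithm do not match. Expected algorithm {saml2RequestResponse.SignatureAlgorithm} actual algorithm {actualSignatureAlgorithm}");
        }

        if (saml2RequestResponse.XmlCanonicalizationMethod == null)
        {
            saml2RequestResponse.XmlCanonicalizationMethod = saml2RequestResponse.Config.XmlCanonicalizationMethod;
        }

        Cryptography.SignatureAlgorithm.ValidateAlgorithm(saml2RequestResponse.SignatureAlgorithm);
        Cryptography.XmlCanonicalizationMethod.ValidateCanonicalizationMethod(saml2RequestResponse.XmlCanonicalizationMethod);
        SignatureAlgorithm = saml2RequestResponse.SignatureAlgorithm;
        XmlCanonicalizationMethod = saml2RequestResponse.XmlCanonicalizationMethod;

        Signature = request.Query[Saml2Constants.Message.Signature];
        byte[] signatureValue;
        try
        {
            signatureValue = Convert.FromBase64String(Signature);
        }
        catch (FormatException)
        {
            // Malformed Base64 in the Signature parameter is a protocol error from the peer, not an internal fault.
            throw new Saml2BindingException("HTTP Query String " + Saml2Constants.Message.Signature + " is not valid Base64.");
        }

        ValidateQueryStringSignature(saml2RequestResponse, request.QueryString, messageName, signatureValue, saml2RequestResponse.SignatureValidationCertificates);
    }

    // validateXmlSignature is false here: for this binding the signature that was verified above travels in
    // the query string, not inside the XML (contrast the POST unbinding, which passes true).
    return Read(request, saml2RequestResponse, messageName, false);
}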
/// <summary>
/// Binds a SAML 2.0 message for the HTTP POST binding: for an AuthnResponse optionally signs the
/// response/assertion and encrypts it, signs the XML document when configured, and renders the
/// auto-submitting HTML form into <c>PostContent</c>.
/// </summary>
/// <param name="saml2RequestResponse">The message to bind; must have a non-null Config.</param>
/// <param name="messageName">Form field name the message is posted under.</param>
/// <returns>This binding, for chaining.</returns>
protected override Saml2PostBinding BindInternal(Saml2Request saml2RequestResponse, string messageName)
{
    BindInternal(saml2RequestResponse);

    var authnResponse = saml2RequestResponse as Saml2AuthnResponse;
    if (authnResponse != null)
    {
        // SignAuthnResponse is invoked for every sign type except SignResponse.
        if (saml2RequestResponse.Config.AuthnResponseSignType != Saml2AuthnResponseSignTypes.SignResponse)
        {
            authnResponse.SignAuthnResponse(CertificateIncludeOption);
        }
        if (saml2RequestResponse.Config.EncryptionCertificate != null)
        {
            authnResponse.EncryptMessage();
        }
    }

    var config = saml2RequestResponse.Config;
    // The whole document is signed when: AuthnRequests are configured to be signed (or this is not an
    // AuthnRequest), a signing certificate exists, and this is not an AuthnResponse using assertion-only signing.
    var signDocument = (!(saml2RequestResponse is Saml2AuthnRequest) || config.SignAuthnRequest)
        && config.SigningCertificate != null
        && !(authnResponse != null && config.AuthnResponseSignType == Saml2AuthnResponseSignTypes.SignAssertion);

    if (signDocument)
    {
        Cryptography.SignatureAlgorithm.ValidateAlgorithm(config.SignatureAlgorithm);
        Cryptography.XmlCanonicalizationMethod.ValidateCanonicalizationMethod(config.XmlCanonicalizationMethod);
        XmlDocument = XmlDocument.SignDocument(config.SigningCertificate, config.SignatureAlgorithm, config.XmlCanonicalizationMethod, CertificateIncludeOption, saml2RequestResponse.IdAsString);
    }

    PostContent = string.Concat(HtmlPostPage(saml2RequestResponse.Destination, messageName));
    return this;
}
/// <summary>
/// Binds a SAML 2.0 message for the HTTP Redirect binding: rejects AuthnResponse configurations this
/// binding cannot carry (assertion signing, encryption), optionally signs the query string, and builds
/// <c>RedirectLocation</c> from the destination URL plus the encoded query.
/// </summary>
/// <param name="saml2RequestResponse">The message to bind; must have a non-null Config.</param>
/// <param name="messageName">Query parameter name the message is sent under.</param>
/// <returns>This binding, for chaining.</returns>
/// <exception cref="InvalidSaml2BindingException">An AuthnResponse requests a sign type other than
/// SignResponse, or requests encryption.</exception>
protected override Saml2RedirectBinding BindInternal(Saml2Request saml2RequestResponse, string messageName)
{
    base.BindInternal(saml2RequestResponse);

    var config = saml2RequestResponse.Config;
    if (saml2RequestResponse is Saml2AuthnResponse)
    {
        if (config.AuthnResponseSignType != Saml2AuthnResponseSignTypes.SignResponse)
        {
            throw new InvalidSaml2BindingException($"Redirect binding do not support {config.AuthnResponseSignType}, only {nameof(Saml2AuthnResponseSignTypes.SignResponse)} is supported.");
        }
        if (config.EncryptionCertificate != null)
        {
            throw new InvalidSaml2BindingException("Redirect binding do not support authn response encryption, only supported by post binding.");
        }
    }

    // AuthnRequests are signed only when configured; all other messages are signed whenever a signing certificate exists.
    var signQueryString = (!(saml2RequestResponse is Saml2AuthnRequest) || config.SignAuthnRequest) && config.SigningCertificate != null;
    if (signQueryString)
    {
        Cryptography.SignatureAlgorithm.ValidateAlgorithm(config.SignatureAlgorithm);
        SignatureAlgorithm = config.SignatureAlgorithm;
    }

    var queryString = string.Join("&", RequestQueryString(saml2RequestResponse, messageName));
    if (signQueryString)
    {
        // SigneQueryString is expected to append the Signature parameter over the query built above (not visible here).
        queryString = SigneQueryString(queryString, config.SigningCertificate);
    }

    var destination = saml2RequestResponse.Destination.OriginalString;
    var separator = destination.Contains('?') ? "&" : "?";
    RedirectLocation = new Uri(destination + separator + queryString);
    return this;
}
/// <summary>
/// Shared binding preparation: validates the message and its configuration, checks that a configured
/// signing certificate actually carries a usable RSA private key, and serializes the message to
/// <c>XmlDocument</c>. Derived bindings sign and transport-encode the document afterwards.
/// </summary>
/// <param name="saml2RequestResponse">The message to bind.</param>
/// <returns>This binding, for chaining.</returns>
/// <exception cref="ArgumentNullException">The message or its Config is null.</exception>
/// <exception cref="ArgumentException">A signing certificate is configured but exposes no RSA private key.</exception>
protected virtual Saml2Binding<T> BindInternal(Saml2Request saml2RequestResponse)
{
    if (saml2RequestResponse == null)
    {
        throw new ArgumentNullException(nameof(saml2RequestResponse));
    }
    if (saml2RequestResponse.Config == null)
    {
        throw new ArgumentNullException("saml2RequestResponse.Config");
    }

    var signingCertificate = saml2RequestResponse.Config.SigningCertificate;
    if (signingCertificate != null && signingCertificate.GetSamlRSAPrivateKey() == null)
    {
        throw new ArgumentException("No RSA Private Key present in Signing Certificate or missing private key read credentials.");
    }

    XmlDocument = saml2RequestResponse.ToXml();
#if DEBUG
    // Debug builds only: writes the complete serialized message (not yet signed at this point) to the
    // debug listener; for responses this may include assertion data, so treat debug output accordingly.
    Debug.WriteLine("Saml2P: " + XmlDocument.OuterXml);
#endif
    return this;
}
/// <summary>
/// Shared unbinding preparation: validates arguments, falls back to the configured signature validation
/// certificates and signature algorithm when the message does not carry its own, and checks that every
/// validation certificate exposes an RSA public key.
/// </summary>
/// <param name="request">The incoming HTTP request.</param>
/// <param name="saml2RequestResponse">The message object being unbound.</param>
/// <returns>The same <paramref name="saml2RequestResponse"/> instance.</returns>
/// <exception cref="ArgumentNullException">The request, the message, or its Config is null.</exception>
/// <exception cref="ArgumentException">At least one validation certificate has no RSA public key.</exception>
protected Saml2Request UnbindInternal(HttpRequest request, Saml2Request saml2RequestResponse)
{
    if (request == null)
    {
        throw new ArgumentNullException(nameof(request));
    }
    if (saml2RequestResponse == null)
    {
        throw new ArgumentNullException(nameof(saml2RequestResponse));
    }
    var config = saml2RequestResponse.Config;
    if (config == null)
    {
        throw new ArgumentNullException("saml2RequestResponse.Config");
    }

    // Per-message values win; otherwise fall back to the configured certificates / algorithm.
    var certificates = saml2RequestResponse.SignatureValidationCertificates;
    if (certificates == null || !certificates.Any())
    {
        saml2RequestResponse.SignatureValidationCertificates = config.SignatureValidationCertificates;
    }
    if (saml2RequestResponse.SignatureAlgorithm == null)
    {
        saml2RequestResponse.SignatureAlgorithm = config.SignatureAlgorithm;
    }

    // Every certificate that may be used for signature validation must carry an RSA public key.
    var effectiveCertificates = saml2RequestResponse.SignatureValidationCertificates;
    if (effectiveCertificates != null && effectiveCertificates.Any(c => c.GetRSAPublicKey() == null))
    {
        throw new ArgumentException("No RSA Public Key present in at least Signature Validation Certificate.");
    }

    return saml2RequestResponse;
}
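/// <summary>
/// Reads a SAML 2.0 message from an HTTP POST binding form, capturing RelayState when present.
/// </summary>
/// <param name="request">The incoming HTTP request; must be a POST whose form contains <paramref name="messageName"/>.</param>
/// <param name="saml2RequestResponse">Target message object; populated from the decoded form value.</param>
/// <param name="messageName">Form field name carrying the Base64-encoded message.</param>
/// <param name="validateXmlSignature">Passed through to the message's Read; controls XML signature validation.</param>
/// <returns>The populated <paramref name="saml2RequestResponse"/>.</returns>
/// <exception cref="InvalidSaml2BindingException">The request is not an HTTP POST.</exception>
/// <exception cref="Saml2BindingException">The form does not contain <paramref name="messageName"/>.</exception>
protected override Saml2Request Read(HttpRequest request, Saml2Request saml2RequestResponse, string messageName, bool validateXmlSignature)
{
    // Guard the raw form access. Read is also reachable directly (not only via UnbindInternal), and
    // without these checks a missing field surfaces as an ArgumentNullException from the Base64 decode
    // instead of a binding error.
    if (!"POST".Equals(request.Method, StringComparison.InvariantCultureIgnoreCase))
    {
        throw new InvalidSaml2BindingException("Not HTTP POST Method.");
    }
    if (!request.Form.AllKeys.Contains(messageName))
    {
        throw new Saml2BindingException("HTTP Form does not contain " + messageName);
    }

    if (request.Form.AllKeys.Contains(Saml2Constants.Message.RelayState))
    {
        RelayState = request.Form[Saml2Constants.Message.RelayState];
    }

    var encodedMessage = request.Form[messageName];
    saml2RequestResponse.Read(Encoding.UTF8.GetString(Convert.FromBase64String(encodedMessage)), validateXmlSignature);
    XmlDocument = saml2RequestResponse.XmlDocument;
    return saml2RequestResponse;
}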
/// <summary>
/// Binds a SAML 2.0 message for the HTTP POST binding: signs the XML document when configured and
/// renders the auto-submitting HTML form into <c>PostContent</c>.
/// </summary>
/// <param name="saml2RequestResponse">The message to bind; must have a non-null Config.</param>
/// <param name="messageName">Form field name the message is posted under.</param>
/// <returns>This binding, for chaining.</returns>
protected override Saml2PostBinding BindInternal(Saml2Request saml2RequestResponse, string messageName)
{
    BindInternal(saml2RequestResponse);

    var config = saml2RequestResponse.Config;
    // AuthnRequests are signed only when configured; all other messages are signed whenever a signing certificate exists.
    var signDocument = (!(saml2RequestResponse is Saml2AuthnRequest) || config.SignAuthnRequest) && config.SigningCertificate != null;
    if (signDocument)
    {
        Cryptography.SignatureAlgorithm.ValidateAlgorithm(config.SignatureAlgorithm);
        XmlDocument = XmlDocument.SignDocument(config.SigningCertificate, config.SignatureAlgorithm, CertificateIncludeOption, saml2RequestResponse.IdAsString);
    }

    PostContent = string.Concat(HtmlPostPage(saml2RequestResponse.Destination, messageName));
    return this;
}
/// <summary>
/// Lazily yields the URL-encoded <c>name=value</c> pairs of the redirect query string, in the order:
/// the compressed message, RelayState (when set), and SigAlg (when the message is to be signed).
/// </summary>
/// <param name="saml2RequestResponse">The message being bound.</param>
/// <param name="messageName">Query parameter name for the message.</param>
private IEnumerable<string> RequestQueryString(Saml2Request saml2RequestResponse, string messageName)
{
    yield return messageName + "=" + Uri.EscapeDataString(CompressRequest());

    if (!string.IsNullOrWhiteSpace(RelayState))
    {
        yield return Saml2Constants.Message.RelayState + "=" + Uri.EscapeDataString(RelayState);
    }

    // Same signing rule as BindInternal: AuthnRequests only when configured, everything else when a certificate exists.
    var signed = (!(saml2RequestResponse is Saml2AuthnRequest) || saml2RequestResponse.Config.SignAuthnRequest)
        && saml2RequestResponse.Config.SigningCertificate != null;
    if (signed)
    {
        yield return Saml2Constants.Message.SigAlg + "=" + Uri.EscapeDataString(SignatureAlgorithm);
    }
}
/// <summary>
/// Verifies the detached HTTP Redirect binding signature against each candidate certificate in turn.
/// Each certificate is first passed through the configured certificate validator; a validator failure
/// propagates immediately rather than moving on to the next candidate. Returns on the first certificate
/// whose signature check succeeds.
/// </summary>
/// <param name="saml2RequestResponse">The message being unbound (supplies the certificate validator).</param>
/// <param name="queryString">The raw query string as received.</param>
/// <param name="messageName">Query parameter name of the message.</param>
/// <param name="signatureValue">Decoded bytes of the Signature parameter.</param>
/// <param name="signatureValidationCertificates">Candidate certificates to verify against.</param>
/// <exception cref="InvalidSignatureException">No certificate verified the signature.</exception>
private void ValidateQueryStringSignature(Saml2Request saml2RequestResponse, string queryString, string messageName, byte[] signatureValue, IEnumerable<X509Certificate2> signatureValidationCertificates)
{
    foreach (var certificate in signatureValidationCertificates)
    {
        saml2RequestResponse.IdentityConfiguration.CertificateValidator.Validate(certificate);

        // The bytes that were signed are re-derived from the raw query string (RawSaml2QueryString), using
        // the algorithm selected earlier via SignatureAlgorithm.
        var signedQueryString = new RawSaml2QueryString(queryString, messageName).SignedQueryString;
        var signer = new Saml2SignedText(certificate, SignatureAlgorithm);
        if (signer.CheckSignature(Encoding.UTF8.GetBytes(signedQueryString), signatureValue))
        {
            return; // verified by this certificate
        }
    }

    throw new InvalidSignatureException("Signature is invalid.");
}
/// <summary>
/// Unbinds a SAML 2.0 message carried in the HTTP POST binding: runs the shared argument/certificate
/// checks, requires an HTTP POST whose form contains <paramref name="messageName"/>, then reads the
/// message with XML signature validation enabled.
/// </summary>
/// <param name="request">The incoming HTTP request.</param>
/// <param name="saml2RequestResponse">The message object to populate.</param>
/// <param name="messageName">Form field name carrying the message.</param>
/// <returns>The populated <paramref name="saml2RequestResponse"/>.</returns>
/// <exception cref="InvalidSaml2BindingException">The request is not an HTTP POST.</exception>
/// <exception cref="Saml2BindingException">The form does not contain <paramref name="messageName"/>.</exception>
protected override Saml2Request UnbindInternal(HttpRequest request, Saml2Request saml2RequestResponse, string messageName)
{
    UnbindInternal(request, saml2RequestResponse);

    var isPost = "POST".Equals(request.Method, StringComparison.InvariantCultureIgnoreCase);
    if (!isPost)
    {
        throw new InvalidSaml2BindingException("Not HTTP POST Method.");
    }

    var hasMessage = request.Form.AllKeys.Contains(messageName);
    if (!hasMessage)
    {
        throw new Saml2BindingException("HTTP Form does not contain " + messageName);
    }

    // XML signature validation is requested here (contrast the redirect unbinding, which passes false
    // because it verifies a query-string signature instead).
    return Read(request, saml2RequestResponse, messageName, validateXmlSignature: true);
}
/// <summary>
/// Reads a SAML 2.0 message from an HTTP Redirect binding query string.
/// </summary>
/// <param name="request">The incoming HTTP request; must be a GET whose query contains <paramref name="messageName"/>.</param>
/// <param name="saml2RequestResponse">Target message object; populated from the decoded query value.</param>
/// <param name="messageName">Query parameter name carrying the encoded message.</param>
/// <param name="validateXmlSignature">Passed through to the message's Read; controls XML signature validation.</param>
/// <returns>The populated <paramref name="saml2RequestResponse"/>.</returns>
/// <exception cref="InvalidSaml2BindingException">The request is not an HTTP GET.</exception>
/// <exception cref="Saml2BindingException">The query string does not contain <paramref name="messageName"/>.</exception>
protected override Saml2Request Read(HttpRequest request, Saml2Request saml2RequestResponse, string messageName, bool validateXmlSignature)
{
    var isGet = "GET".Equals(request.Method, StringComparison.InvariantCultureIgnoreCase);
    if (!isGet)
    {
        throw new InvalidSaml2BindingException("Not HTTP GET Method.");
    }

    var queryKeys = request.Query.AllKeys;
    if (!queryKeys.Contains(messageName))
    {
        throw new Saml2BindingException("HTTP Query String does not contain " + messageName);
    }

    // DecompressResponse reverses the redirect-binding encoding produced by CompressRequest (details not visible here).
    var xml = DecompressResponse(request.Query[messageName]);
    saml2RequestResponse.Read(xml, validateXmlSignature);
    XmlDocument = saml2RequestResponse.XmlDocument;
    return saml2RequestResponse;
}
/// <summary>
/// Reads a SAML 2.0 message from an HTTP POST binding form, capturing RelayState when present.
/// </summary>
/// <param name="request">The incoming HTTP request; must be a POST whose form contains <paramref name="messageName"/>.</param>
/// <param name="saml2RequestResponse">Target message object; populated from the Base64-decoded form value.</param>
/// <param name="messageName">Form field name carrying the encoded message.</param>
/// <param name="validateXmlSignature">Passed through to the message's Read; controls XML signature validation.</param>
/// <returns>The populated <paramref name="saml2RequestResponse"/>.</returns>
/// <exception cref="InvalidSaml2BindingException">The request is not an HTTP POST.</exception>
/// <exception cref="Saml2BindingException">The form does not contain <paramref name="messageName"/>.</exception>
protected override Saml2Request Read(HttpRequest request, Saml2Request saml2RequestResponse, string messageName, bool validateXmlSignature)
{
    if (!"POST".Equals(request.Method, StringComparison.InvariantCultureIgnoreCase))
    {
        throw new InvalidSaml2BindingException("Not HTTP POST Method.");
    }

    var form = request.Form;
    if (!form.AllKeys.Contains(messageName))
    {
        throw new Saml2BindingException("HTTP Form does not contain " + messageName);
    }
    if (form.AllKeys.Contains(Saml2Constants.Message.RelayState))
    {
        RelayState = form[Saml2Constants.Message.RelayState];
    }

    var xmlBytes = Convert.FromBase64String(form[messageName]);
    saml2RequestResponse.Read(Encoding.UTF8.GetString(xmlBytes), validateXmlSignature);
    XmlDocument = saml2RequestResponse.XmlDocument;
    return saml2RequestResponse;
}
/// <summary>
/// Binds a SAML 2.0 message for the HTTP Redirect binding: optionally signs the query string and builds
/// <c>RedirectLocation</c> from the destination URL plus the encoded query.
/// </summary>
/// <param name="saml2RequestResponse">The message to bind; must have a non-null Config.</param>
/// <param name="messageName">Query parameter name the message is sent under.</param>
/// <returns>This binding, for chaining.</returns>
protected override Saml2RedirectBinding BindInternal(Saml2Request saml2RequestResponse, string messageName)
{
    base.BindInternal(saml2RequestResponse);

    var config = saml2RequestResponse.Config;
    // AuthnRequests are signed only when configured; all other messages are signed whenever a signing certificate exists.
    var signQueryString = (!(saml2RequestResponse is Saml2AuthnRequest) || config.SignAuthnRequest) && config.SigningCertificate != null;
    if (signQueryString)
    {
        Cryptography.SignatureAlgorithm.ValidateAlgorithm(config.SignatureAlgorithm);
        SignatureAlgorithm = config.SignatureAlgorithm;
    }

    var queryString = string.Join("&", RequestQueryString(saml2RequestResponse, messageName));
    if (signQueryString)
    {
        // SigneQueryString is expected to append the Signature parameter over the query built above (not visible here).
        queryString = SigneQueryString(queryString, config.SigningCertificate);
    }

    var destination = saml2RequestResponse.Destination.OriginalString;
    var separator = destination.Contains('?') ? "&" : "?";
    RedirectLocation = new Uri(destination + separator + queryString);
    return this;
}
/// <summary>
/// Reads the message named <paramref name="messageName"/> from <paramref name="request"/> into
/// <paramref name="saml2RequestResponse"/>, undoing the binding-specific transport encoding.
/// </summary>
/// <param name="request">The incoming HTTP request.</param>
/// <param name="saml2RequestResponse">Target message object to populate.</param>
/// <param name="messageName">Parameter/field name carrying the message.</param>
/// <param name="validateXmlSignature">Passed through to the message's Read; controls XML signature validation.</param>
/// <returns>The populated <paramref name="saml2RequestResponse"/>.</returns>
protected abstract Saml2Request Read(HttpRequest request, Saml2Request saml2RequestResponse, string messageName, bool validateXmlSignature);
/// <summary>
/// Binds <paramref name="saml2Request"/> as a SAMLRequest message using this binding.
/// </summary>
/// <param name="saml2Request">The request to bind.</param>
/// <returns>This binding, for chaining.</returns>
public T Bind(Saml2Request saml2Request) => BindInternal(saml2Request, Saml2Constants.Message.SamlRequest);
/// <summary>
/// Binding-specific step that signs (when configured) and transport-encodes
/// <paramref name="saml2RequestResponse"/> under the parameter/field name <paramref name="messageName"/>.
/// </summary>
/// <param name="saml2RequestResponse">The message to bind.</param>
/// <param name="messageName">Parameter/field name the message is sent under.</param>
/// <returns>This binding, for chaining.</returns>
protected abstract T BindInternal(Saml2Request saml2RequestResponse, string messageName);
/// <summary>
/// Unbinds a message from <paramref name="request"/>: runs the shared argument/certificate checks, then
/// reads the message with XML signature validation enabled.
/// </summary>
/// <param name="request">The incoming HTTP request.</param>
/// <param name="saml2RequestResponse">The message object to populate.</param>
/// <param name="messageName">Parameter/field name carrying the message.</param>
/// <returns>The populated <paramref name="saml2RequestResponse"/>.</returns>
protected override Saml2Request UnbindInternal(HttpRequest request, Saml2Request saml2RequestResponse, string messageName)
{
    UnbindInternal(request, saml2RequestResponse);

    // NOTE(review): no HTTP method or message-presence check happens at this level; it relies on the
    // paired Read override to reject requests that do not carry messageName — confirm it does.
    return Read(request, saml2RequestResponse, messageName, validateXmlSignature: true);
}
/// <summary>
/// Reads a SAMLRequest message from <paramref name="request"/> without XML signature validation and
/// without the shared UnbindInternal checks. Use <c>Unbind</c> when the request must be authenticated;
/// this method only decodes it.
/// </summary>
/// <param name="request">The incoming HTTP request.</param>
/// <param name="saml2Request">Target request object to populate.</param>
/// <returns>The populated <paramref name="saml2Request"/>.</returns>
public Saml2Request ReadSamlRequest(HttpRequest request, Saml2Request saml2Request) => Read(request, saml2Request, Saml2Constants.Message.SamlRequest, validateXmlSignature: false);
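/// <summary>
/// Unbinds a SAMLRequest message from <paramref name="request"/> into <paramref name="saml2Request"/>,
/// running the binding's full validation path (argument/certificate checks and signature verification
/// as implemented by the concrete binding).
/// </summary>
/// <param name="request">The incoming HTTP request.</param>
/// <param name="saml2Request">Target request object to populate.</param>
/// <returns>The populated <paramref name="saml2Request"/>.</returns>
public Saml2Request Unbind(HttpRequest request, Saml2Request saml2Request)
{
    // The parameter is already declared as Saml2Request; the former `as Saml2Request` cast was a no-op.
    return UnbindInternal(request, saml2Request, Saml2Constants.Message.SamlRequest);
}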
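/// <summary>
/// Reads a SAML 2.0 message from an HTTP POST binding form.
/// </summary>
/// <param name="request">The incoming HTTP request; must be a POST whose form contains <paramref name="messageName"/>.</param>
/// <param name="saml2RequestResponse">Target message object; populated from the Base64-decoded form value.</param>
/// <param name="messageName">Form field name carrying the encoded message.</param>
/// <param name="validateXmlSignature">Passed through to the message's Read; controls XML signature validation.</param>
/// <returns>The populated <paramref name="saml2RequestResponse"/>.</returns>
/// <exception cref="InvalidSaml2BindingException">The request is not an HTTP POST.</exception>
/// <exception cref="Saml2BindingException">The form does not contain <paramref name="messageName"/>.</exception>
protected override Saml2Request Read(HttpRequest request, Saml2Request saml2RequestResponse, string messageName, bool validateXmlSignature)
{
    // Guard the raw form access. Read is also reachable directly (not only via UnbindInternal), and
    // without these checks a missing field surfaces as an ArgumentNullException from the Base64 decode
    // instead of a binding error.
    if (!"POST".Equals(request.Method, StringComparison.InvariantCultureIgnoreCase))
    {
        throw new InvalidSaml2BindingException("Not HTTP POST Method.");
    }
    if (!request.Form.AllKeys.Contains(messageName))
    {
        throw new Saml2BindingException("HTTP Form does not contain " + messageName);
    }

    var xmlBytes = Convert.FromBase64String(request.Form[messageName]);
    saml2RequestResponse.Read(Encoding.UTF8.GetString(xmlBytes), validateXmlSignature);
    XmlDocument = saml2RequestResponse.XmlDocument;
    return saml2RequestResponse;
}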
/// <summary>
/// Binding-specific unbinding: validates the transport (HTTP method, required parameters/fields and,
/// where the binding carries one, the detached signature) and then reads the message named
/// <paramref name="messageName"/> from <paramref name="request"/> into <paramref name="saml2RequestResponse"/>.
/// </summary>
/// <param name="request">The incoming HTTP request.</param>
/// <param name="saml2RequestResponse">The message object to populate.</param>
/// <param name="messageName">Parameter/field name carrying the message.</param>
/// <returns>The populated <paramref name="saml2RequestResponse"/>.</returns>
protected abstract Saml2Request UnbindInternal(HttpRequest request, Saml2Request saml2RequestResponse, string messageName);