/// <summary> /// Decrypts an assertion we received from "fælles-offentlige brugerstyring". /// </summary> private static void DecryptFOBSAssertion(string file) { string assertionBase64 = File.ReadAllText(file); byte[] assertionBytes = Convert.FromBase64String(assertionBase64); XmlDocument doc = new XmlDocument(); doc.PreserveWhitespace = true; doc.Load(new MemoryStream(assertionBytes)); XmlNodeList encryptedList = doc.GetElementsByTagName(EncryptedAssertion.ELEMENT_NAME, Saml20Constants.ASSERTION); Assert.That(encryptedList.Count == 1); // Do some mock configuration. FederationConfig config = FederationConfig.GetConfig(); config.AllowedAudienceUris.Audiences.Add("https://saml.safewhere.net"); SAML20FederationConfig descr = SAML20FederationConfig.GetConfig(); descr.Endpoints.MetadataLocation = @"Saml20\Protocol\MetadataDocs\FOBS"; // Set it manually. Assert.That(Directory.Exists(descr.Endpoints.MetadataLocation)); X509Certificate2 cert = new X509Certificate2(@"Saml20\Certificates\SafewhereTest_SFS.pfx", "test1234"); Saml20EncryptedAssertion encass = new Saml20EncryptedAssertion((RSA)cert.PrivateKey); encass.LoadXml((XmlElement)encryptedList[0]); encass.Decrypt(); // Retrieve metadata Saml20Assertion assertion = new Saml20Assertion(encass.Assertion.DocumentElement, null, false); IDPEndPoint endp = descr.FindEndPoint(assertion.Issuer); Assert.IsNotNull(endp, "Endpoint not found"); Assert.IsNotNull(endp.metadata, "Metadata not found"); try { assertion.CheckValid(AssertionUtil.GetTrustedSigners(assertion.Issuer)); Assert.Fail("Verification should fail. Token does not include its signing key."); } catch (InvalidOperationException) {} Assert.IsNull(assertion.SigningKey, "Signing key is already present on assertion. Modify test."); IEnumerable <string> validationFailures; Assert.That(assertion.CheckSignature(Saml20SignonHandler.GetTrustedSigners(endp.metadata.GetKeys(KeyTypes.signing), endp, out validationFailures))); Assert.IsNotNull(assertion.SigningKey, "Signing key was not set on assertion instance."); }
/// <summary> /// Loads an assertion and tries to deserialize it using the <code>Assertion</code> class. /// </summary> public static Saml20Assertion DeserializeToken(string assertionFile) { FileStream fs = File.OpenRead(assertionFile); XmlDocument document = new XmlDocument(); document.PreserveWhitespace = true; document.Load(fs); fs.Close(); XmlNodeList nodes = document.DocumentElement.GetElementsByTagName("Issuer", Saml20Constants.ASSERTION); Saml20Assertion assertion = new Saml20Assertion(document.DocumentElement, AssertionUtil.GetTrustedSigners(nodes[0].Value), false); return assertion; }
/// <summary> /// Decrypts an assertion we received from "fælles-offentlige brugerstyring". /// </summary> private static void DecryptFOBSAssertion(string file) { string assertionBase64 = File.ReadAllText(file); byte[] assertionBytes = Convert.FromBase64String(assertionBase64); XmlDocument doc = new XmlDocument(); doc.PreserveWhitespace = true; doc.Load( new MemoryStream(assertionBytes) ); XmlNodeList encryptedList = doc.GetElementsByTagName(EncryptedAssertion.ELEMENT_NAME, Saml20Constants.ASSERTION); Assert.That(encryptedList.Count == 1); // Do some mock configuration. FederationConfig config = FederationConfig.GetConfig(); config.AllowedAudienceUris.Audiences.Add("https://saml.safewhere.net"); SAML20FederationConfig descr = ConfigurationReader.GetConfig<SAML20FederationConfig>(); descr.Endpoints.metadataLocation = @"Saml20\Protocol\MetadataDocs\FOBS"; // Set it manually. Assert.That(Directory.Exists(descr.Endpoints.metadataLocation)); descr.Endpoints.Refresh(); X509Certificate2 cert = new X509Certificate2(@"Saml20\Certificates\SafewhereTest_SFS.pfx", "test1234"); Saml20EncryptedAssertion encass = new Saml20EncryptedAssertion((RSA) cert.PrivateKey); encass.LoadXml((XmlElement) encryptedList[0]); encass.Decrypt(); // Retrieve metadata Saml20Assertion assertion = new Saml20Assertion(encass.Assertion.DocumentElement, null, false); IDPEndPoint endp = descr.FindEndPoint(assertion.Issuer); Assert.IsNotNull(endp, "Endpoint not found"); Assert.IsNotNull(endp.metadata, "Metadata not found"); try { assertion.CheckValid(AssertionUtil.GetTrustedSigners(assertion.Issuer)); Assert.Fail("Verification should fail. Token does not include its signing key."); } catch(InvalidOperationException) {} Assert.IsNull(assertion.SigningKey, "Signing key is already present on assertion. Modify test."); Assert.That(assertion.CheckSignature(Saml20SignonHandler.GetTrustedSigners(endp.metadata.GetKeys(KeyTypes.signing), endp))); Assert.IsNotNull(assertion.SigningKey, "Signing key was not set on assertion instance."); }
public void DecryptPingAssertion() { // Load the assertion XmlDocument doc = new XmlDocument(); doc.Load(File.OpenRead(@"c:\tmp\pingassertion.txt")); XmlElement xe = GetElement(EncryptedAssertion.ELEMENT_NAME, Saml20Constants.ASSERTION, doc); XmlDocument doc2 = new XmlDocument(); doc2.AppendChild(doc2.ImportNode(xe, true)); X509Store store = new X509Store(StoreName.My, StoreLocation.LocalMachine); store.Open(OpenFlags.ReadOnly); X509Certificate2Collection coll = store.Certificates.Find(X509FindType.FindBySubjectDistinguishedName, "CN=SafewhereTest_SFS, O=Safewhere, C=DK", true); Assert.That(coll.Count == 1); X509Certificate2 cert = coll[0]; Saml20EncryptedAssertion encass = new Saml20EncryptedAssertion((RSA)cert.PrivateKey, doc2); encass.Decrypt(); XmlTextWriter writer = new XmlTextWriter(Console.Out); writer.Formatting = Formatting.Indented; writer.Indentation = 3; writer.IndentChar = ' '; encass.Assertion.WriteTo(writer); writer.Flush(); Saml20Assertion assertion = new Saml20Assertion(encass.Assertion.DocumentElement, AssertionUtil.GetTrustedSigners(encass.Assertion.Attributes["Issuer"].Value), false); Assert.That(encass.Assertion != null); Console.WriteLine(); foreach (SamlAttribute attribute in assertion.Attributes) { Console.WriteLine(attribute.Name + " : " + attribute.AttributeValue[0]); } }
public void TestAssertionDecryption_01() { // Load the assertion XmlDocument doc = new XmlDocument(); doc.Load(File.OpenRead(@"Saml20\Assertions\EncryptedAssertion_01")); // Find the transport key. X509Certificate2 cert = new X509Certificate2(@"Saml20\Certificates\sts_dev_certificate.pfx", "test1234"); Saml20EncryptedAssertion encryptedAssertion = new Saml20EncryptedAssertion((RSA)cert.PrivateKey, doc); Assert.IsNull(encryptedAssertion.Assertion); // Check that it does not contain an assertion prior to decryption. encryptedAssertion.Decrypt(); Assert.IsNotNull(encryptedAssertion.Assertion); Saml20Assertion assertion = CreateDKSaml20TokenFromAssertion(encryptedAssertion); }
public void DecryptPingAssertion() { // Load the assertion XmlDocument doc = new XmlDocument(); doc.Load(File.OpenRead(@"c:\tmp\pingassertion.txt")); XmlElement xe = GetElement(EncryptedAssertion.ELEMENT_NAME, Saml20Constants.ASSERTION, doc); XmlDocument doc2 = new XmlDocument(); doc2.AppendChild(doc2.ImportNode(xe, true)); X509Store store = new X509Store(StoreName.My, StoreLocation.LocalMachine); store.Open(OpenFlags.ReadOnly); X509Certificate2Collection coll = store.Certificates.Find(X509FindType.FindBySubjectDistinguishedName, "CN=SafewhereTest_SFS, O=Safewhere, C=DK", true); Assert.That(coll.Count == 1); X509Certificate2 cert = coll[0]; Saml20EncryptedAssertion encass = new Saml20EncryptedAssertion((RSA)cert.PrivateKey, doc2); encass.Decrypt(); XmlTextWriter writer = new XmlTextWriter(Console.Out); writer.Formatting = Formatting.Indented; writer.Indentation = 3; writer.IndentChar = ' '; encass.Assertion.WriteTo(writer); writer.Flush(); Saml20Assertion assertion = new Saml20Assertion(encass.Assertion.DocumentElement, AssertionUtil.GetTrustedSigners(encass.Assertion.Attributes["Issuer"].Value), false); Assert.That(encass.Assertion != null); Console.WriteLine(); foreach (SamlAttribute attribute in assertion.Attributes) Console.WriteLine(attribute.Name + " : " + attribute.AttributeValue[0]); }
public void AddAttribute_01() { Saml20Assertion assertion = LoadAssertion(@"Saml20\Assertions\Saml2Assertion_01"); List<SamlAttribute> attributes = assertion.Attributes; attributes.Add(DKSaml20PostalAddressAttribute.Create("DK-2200 København")); X509Certificate2 cert = AssertionUtil.GetCertificate1(); assertion.Sign(cert); assertion.CheckValid(new AsymmetricAlgorithm[] { cert.PublicKey.Key }); // Verify that the modified assertion can survive complete serialization and deserialization. string assertionString = assertion.GetXml().OuterXml; XmlDocument deserializedAssertionDoc = new XmlDocument(); deserializedAssertionDoc.PreserveWhitespace = true; deserializedAssertionDoc.Load(new StringReader(assertionString)); Saml20Assertion deserializedAssertion = new Saml20Assertion(deserializedAssertionDoc.DocumentElement, null, false); Assert.IsNotNull(deserializedAssertion.GetSignatureKeys(), "Signing keys must be present"); deserializedAssertion.CheckValid(new AsymmetricAlgorithm[] { cert.PublicKey.Key }); }
/// <summary> /// Loads an assertion, deserializes it using the <code>Assertion</code> class and returns the /// resulting <code>Assertion</code> instance. /// </summary> public static Saml20Assertion DeserializeToken(string assertionFile) { FileStream fs = File.OpenRead(assertionFile); XmlDocument document = new XmlDocument(); document.PreserveWhitespace = true; document.Load(fs); fs.Close(); Saml20Assertion assertion = new Saml20Assertion(document.DocumentElement, null, false); List<AsymmetricAlgorithm> result = new List<AsymmetricAlgorithm>(1); foreach (KeyInfoClause clause in assertion.GetSignatureKeys()) { AsymmetricAlgorithm key = XmlSignatureUtils.ExtractKey(clause); result.Add(key); } assertion.CheckValid(result); return assertion; }
[Ignore] // TODO: test data needs fixing public void TestSigning_03() { // Load an unsigned assertion. Saml20Assertion assertion = new Saml20Assertion(AssertionUtil.GetTestAssertion_01().DocumentElement, null, false); // Check that the assertion is not considered valid in any way. try { assertion.CheckValid(AssertionUtil.GetTrustedSigners(assertion.Issuer)); Assert.Fail("Unsigned assertion was passed off as valid."); } catch { //Added to make resharper happy Assert.That(true); } X509Certificate2 cert = new X509Certificate2(@"Saml20\Certificates\sts_dev_certificate.pfx", "test1234"); Assert.That(cert.HasPrivateKey, "Certificate no longer contains a private key. Modify test."); assertion.Sign(cert); // Check that the signature is now valid assertion.CheckValid(new AsymmetricAlgorithm[] {cert.PublicKey.Key}); WriteToFile(@"\signedassertion.xml", assertion.GetXml()); }
/// <summary> /// Performs the attribute query against the specified IdP endpoint and adds the resulting attributes to Saml20Identity.Current. /// </summary> /// <param name="context">The http context.</param> /// <param name="endPoint">The IdP to perform the query against.</param> /// <param name="nameIdFormat">The nameid format.</param> public void PerformQuery(HttpContext context, IDPEndPoint endPoint, string nameIdFormat) { Trace.TraceMethodCalled(GetType(), "PerformQuery()"); HttpSOAPBindingBuilder builder = new HttpSOAPBindingBuilder(context); NameID name = new NameID(); name.Value = Saml20Identity.Current.Name; name.Format = nameIdFormat; _attrQuery.Subject.Items = new object[] { name }; _attrQuery.SamlAttribute = _attributes.ToArray(); XmlDocument query = new XmlDocument(); query.XmlResolver = null; query.LoadXml(Serialization.SerializeToXmlString(_attrQuery)); var signingCertificate = FederationConfig.GetConfig().SigningCertificate.GetCertificate(); var shaHashingAlgorithm = SignatureProviderFactory.ValidateShaHashingAlgorithm(endPoint.ShaHashingAlgorithm); var signatureProvider = SignatureProviderFactory.CreateFromShaHashingAlgorithmName(shaHashingAlgorithm); signatureProvider.SignAssertion(query, ID, signingCertificate); if (query.FirstChild is XmlDeclaration) { query.RemoveChild(query.FirstChild); } Stream s; if (Trace.ShouldTrace(TraceEventType.Information)) { Trace.TraceData(TraceEventType.Information, string.Format(Tracing.SendAttrQuery, endPoint.metadata.GetAttributeQueryEndpointLocation(), query.OuterXml)); } try { s = builder.GetResponse(endPoint.metadata.GetAttributeQueryEndpointLocation(), query.OuterXml, endPoint.AttributeQuery); } catch (Exception e) { Trace.TraceData(TraceEventType.Error, e.ToString()); throw; } HttpSOAPBindingParser parser = new HttpSOAPBindingParser(s); Status status = parser.GetStatus(); if (status.StatusCode.Value != Saml20Constants.StatusCodes.Success) { Trace.TraceData(TraceEventType.Error, string.Format(Tracing.AttrQueryStatusError, Serialization.SerializeToXmlString(status))); throw new Saml20Exception(status.StatusMessage); } bool isEncrypted; XmlElement xmlAssertion = Saml20SignonHandler.GetAssertion(parser.SamlMessage, out isEncrypted); if (isEncrypted) { Saml20EncryptedAssertion ass = new Saml20EncryptedAssertion( (RSA)FederationConfig.GetConfig().SigningCertificate.GetCertificate().PrivateKey); ass.LoadXml(xmlAssertion); ass.Decrypt(); xmlAssertion = ass.Assertion.DocumentElement; } Saml20Assertion assertion = new Saml20Assertion(xmlAssertion, null, AssertionProfile.Core, endPoint.QuirksMode); assertion.Validate(DateTime.UtcNow); if (Trace.ShouldTrace(TraceEventType.Information)) { Trace.TraceData(TraceEventType.Information, string.Format(Tracing.AttrQueryAssertion, xmlAssertion == null ? string.Empty : xmlAssertion.OuterXml)); } IEnumerable <string> validationFailures; if (!assertion.CheckSignature(Saml20SignonHandler.GetTrustedSigners(endPoint.metadata.Keys, endPoint, out validationFailures))) { Trace.TraceData(TraceEventType.Error, Resources.SignatureInvalid); throw new Saml20Exception(Resources.SignatureInvalid); } foreach (SamlAttribute attr in assertion.Attributes) { Saml20Identity.Current.AddAttributeFromQuery(attr.Name, attr); } }
public static Saml20Assertion DeserializeToken(string assertionFile, bool verify) { if (verify) return DeserializeToken(assertionFile); FileStream fs = File.OpenRead(assertionFile); XmlDocument document = new XmlDocument(); document.PreserveWhitespace = true; document.Load(fs); fs.Close(); Saml20Assertion assertion = new Saml20Assertion(document.DocumentElement, null, false); return assertion; }
/// <summary> /// Raised when the SAML 2.0 response parameter has been detected. /// </summary> /// <param name="url">URL of the page.</param> /// <param name="query">The parsed query of the URL.</param> /// <param name="fragment">The parsed fragment of the URL.</param> /// <param name="formParams">Form parameters, including the 'SAMLResponse'.</param> protected override void OnRedirectPageLoaded (Uri url, System.Collections.Generic.IDictionary<string, string> query, System.Collections.Generic.IDictionary<string, string> fragment, IDictionary<string, string> formParams) { string base64SamlAssertion = formParams.ContainsKey ("SAMLResponse") ? formParams ["SAMLResponse"] : string.Empty; byte[] xmlSamlAssertionBytes = Convert.FromBase64String (base64SamlAssertion); string xmlSamlAssertion = System.Text.UTF8Encoding.Default.GetString (xmlSamlAssertionBytes); XmlDocument xDoc = new XmlDocument (); xDoc.PreserveWhitespace = true; xDoc.LoadXml (xmlSamlAssertion); XmlElement responseElement = (XmlElement)xDoc.SelectSingleNode ("//*[local-name()='Response']"); #if DEBUG Console.WriteLine ("{0}", responseElement.OuterXml); #endif XmlElement assertionElement = (XmlElement)xDoc.SelectSingleNode ("//*[local-name()='Assertion']"); if (assertionElement != null) { #if DEBUG Console.WriteLine ("{0}", assertionElement.OuterXml); #endif Saml20Assertion samlAssertion = new Saml20Assertion (assertionElement, null, AssertionProfile.Core, false, false); List<AsymmetricAlgorithm> trustedIssuers = new List<AsymmetricAlgorithm>(1); foreach (KeyDescriptor key in _idpMetadata.Keys) { System.Security.Cryptography.Xml.KeyInfo ki = (System.Security.Cryptography.Xml.KeyInfo) key.KeyInfo; foreach (KeyInfoClause clause in ki) { AsymmetricAlgorithm aa = XmlSignatureUtils.ExtractKey(clause); trustedIssuers.Add(aa); } } try { samlAssertion.CheckValid (trustedIssuers); SamlAccount sa = new SamlAccount (samlAssertion, responseElement); OnSucceeded (sa); } catch (Saml20Exception samlEx) { Console.WriteLine (samlEx); OnError (samlEx.Message); } catch (Exception ex) { Console.WriteLine (ex); OnError (ex.Message); } } else { OnError ("No SAML Assertion Found"); ; } }
/// <summary> /// Performs the attribute query against the specified IdP endpoint and adds the resulting attributes to Saml20Identity.Current. /// </summary> /// <param name="context">The http context.</param> /// <param name="endPoint">The IdP to perform the query against.</param> /// <param name="nameIdFormat">The nameid format.</param> public void PerformQuery(HttpContext context, IDPEndPoint endPoint, string nameIdFormat) { Trace.TraceMethodCalled(GetType(), "PerformQuery()"); HttpSOAPBindingBuilder builder = new HttpSOAPBindingBuilder(context); NameID name = new NameID(); name.Value = Saml20Identity.Current.Name; name.Format = nameIdFormat; _attrQuery.Subject.Items = new object[] { name }; _attrQuery.SamlAttribute = _attributes.ToArray(); XmlDocument query = new XmlDocument(); query.LoadXml(Serialization.SerializeToXmlString(_attrQuery)); XmlSignatureUtils.SignDocument(query, ID); if(query.FirstChild is XmlDeclaration) query.RemoveChild(query.FirstChild); Stream s; if (Trace.ShouldTrace(TraceEventType.Information)) Trace.TraceData(TraceEventType.Information, string.Format(Tracing.SendAttrQuery, endPoint.metadata.GetAttributeQueryEndpointLocation(), query.OuterXml)); try { s = builder.GetResponse(endPoint.metadata.GetAttributeQueryEndpointLocation(), query.OuterXml, endPoint.AttributeQuery); }catch(Exception e) { Trace.TraceData(TraceEventType.Error, e.ToString()); throw; } HttpSOAPBindingParser parser = new HttpSOAPBindingParser(s); Status status = parser.GetStatus(); if (status.StatusCode.Value != Saml20Constants.StatusCodes.Success) { Trace.TraceData(TraceEventType.Error, string.Format(Tracing.AttrQueryStatusError, Serialization.SerializeToXmlString(status))); throw new Saml20Exception(status.StatusMessage); } bool isEncrypted; XmlElement xmlAssertion = Saml20SignonHandler.GetAssertion(parser.SamlMessage, out isEncrypted); if (isEncrypted) { Saml20EncryptedAssertion ass = new Saml20EncryptedAssertion( (RSA) FederationConfig.GetConfig().SigningCertificate.GetCertificate().PrivateKey); ass.LoadXml(xmlAssertion); ass.Decrypt(); xmlAssertion = ass.Assertion.DocumentElement; } Saml20Assertion assertion = new Saml20Assertion(xmlAssertion, null, AssertionProfile.Core, endPoint.QuirksMode); if(Trace.ShouldTrace(TraceEventType.Information)) { Trace.TraceData(TraceEventType.Information, string.Format(Tracing.AttrQueryAssertion, xmlAssertion == null ? string.Empty : xmlAssertion.OuterXml)); } if(!assertion.CheckSignature(Saml20SignonHandler.GetTrustedSigners(endPoint.metadata.Keys, endPoint))){ Trace.TraceData(TraceEventType.Error, Resources.SignatureInvalid); throw new Saml20Exception(Resources.SignatureInvalid); } foreach (SamlAttribute attr in assertion.Attributes) { Saml20Identity.Current.AddAttributeFromQuery(attr.Name, attr); } }
/// <summary> /// Initializes a new instance of the <see cref="Symplified.Auth.SamlAccount"/> class. /// </summary> /// <param name="assertion">Assertion.</param> /// <param name="samlResponse">Saml response.</param> public SamlAccount (Saml20Assertion assertion, XmlElement samlResponse) { this._saml20Assertion = assertion; this.Username = (assertion.Subject != null) ? assertion.Subject.Value : string.Empty; this._samlResponse = samlResponse; }