
Single Sign On (SSO) Web Samples in Ultimate SAML Component

After successfully installing the UltimateSaml for SAML setup package you will see two SAML v1.1 web sample projects, in the folder WebFormsC# for C# and WebFormsVB.NET for VB.NET. By default UltimateSaml is installed in the folder C:\ComponentPro on Vista, 2008 and above, and in C:\Program files\ComponentPro on XP, 2003 and 2000. To run these web sample projects, open the solution file Saml1_IdpInitiated_WebDemo.XXXX.sln for C# or Saml1_IdpInitiated_WebDemoVB.XXXX.sln for VB.NET.

Identity Provider Web Application (Saml1SsoIdentityProviderWebDemo or Saml1SsoIdentityProviderWebDemoVB)

This sample is configured to run at port 16471 (you can easily change the port number in the project property page). The identity provider web application demonstrates some basic operations of an identity provider. First, log in to the system with the user name iuser and the password password, choose a SAML Single Sign On method from the drop-down list, and then click the link to access the Service Provider site, which runs at port 16475.

Once logged in at the identity provider, any access to the service provider is made through the identity provider’s inter-site transfer page (SamlRedirect.aspx), which handles both the Browser/POST and Browser/Artifact profiles for the identity provider.

  • If using the Browser/Artifact profile, the identity provider’s SAML responder page (SamlRequestProcess.aspx) handles SAML protocol requests from service providers. It uses the received artifact to look up the previously generated SAML assertion, creates a SAML protocol response containing this SAML assertion, and returns it to the service provider.

How to configure?

You can easily configure the ID Provider web application by modifying the settings within its web.config file’s <appSettings> section:

  • SamlArtifactUrlFormat: The target URL format of the service provider’s consumer service for the Browser/Artifact SSO method.
  • SamlAssertionConsumerUrl: The target URL of the service provider’s consumer service for the Browser/POST SSO method.

Service Provider Web Application (Saml1SsoServiceProviderWebDemo or Saml1SsoServiceProviderWebDemoVB)

This sample is configured to run at port 16475 (you can easily change the port number in the project property page). The service provider web application demonstrates some basic operations of a service provider.

  • If using the Browser/POST profile, the assertion consumer page (SamlAssertionProcess.aspx) receives the form posted by the identity provider, reconstructs the SAML protocol response, retrieves the SAML assertion from the response, and uses the subject contained within the SAML assertion to perform an automatic login at the service provider. It then redirects to the target service provider page.
  • If using the Browser/Artifact profile, the artifact receiver page (SamlArtifactProcess.aspx) receives the artifact from the identity provider. It then sends the identity provider a SAML protocol request containing the artifact, receives the SAML protocol response, retrieves the SAML assertion from the response, and uses the subject contained within the SAML assertion to perform an automatic login at the service provider. It then redirects to the target service provider page.

You can log in to the local system with the user name suser and the password password.

How to configure?

You can easily configure the Service Provider web application by modifying the settings within its web.config file’s <appSettings> section:

  • SamlRequestHandlerUrl: The IdP’s SAML request handler URL.

Encrypting and Decrypting SAML Response XML

This topic illustrates how to encrypt a SAML Response XML on the Identity Provider website and decrypt it on the Service Provider website.

Encrypting a SAML Response XML:

Instead of adding an unencrypted SAML Assertion to the SAML response with

// Add assertion to the SAML response object.
samlResponse.Assertions.Add(samlAssertion);

we instead need to create an EncryptedAssertion object from the unencrypted Assertion object and add the EncryptedAssertion object to the SAML response object, as shown in the code below:

// Requires: using System.IO; using System.Security.Cryptography.X509Certificates;
// using System.Web; plus the ComponentPro SAML namespace used by the sample.
// Load the certificate for the encryption.
// Please make sure the file is in the root directory.
X509Certificate2 encryptingCert = new X509Certificate2(Path.Combine(HttpRuntime.AppDomainAppPath, "EncryptionX509Certificate.cer"), "password");
// Create an encrypted SAML assertion from the SAML assertion we have created.
// TripleDesCbc is a legacy algorithm; prefer an AES member of SamlKeyAlgorithm if the library provides one.
EncryptedAssertion encryptedSamlAssertion = new EncryptedAssertion(samlAssertion, encryptingCert, new System.Security.Cryptography.Xml.EncryptionMethod(SamlKeyAlgorithm.TripleDesCbc));
// Add encrypted assertion to the SAML response object.
samlResponse.Assertions.Add(encryptedSamlAssertion);

Decrypting the SAML Response XML:

In order to read the encrypted SAML response from the IdP on the Service Provider website, you need to decrypt it and convert it to an Assertion object. The following code demonstrates how to do so:

if (samlResponse.GetEncryptedAssertions().Count > 0)
{
    EncryptedAssertion encryptedAssertion = samlResponse.GetEncryptedAssertions()[0];

    // Load the private key.
    // Consider caching the loaded key in production environment for better performance.
    X509Certificate2 decryptionKey = new X509Certificate2(Path.Combine(HttpRuntime.AppDomainAppPath, "EncryptionKey.pfx"), "password");

    // Decrypt the encrypted assertion.
    // Decryption only recovers the assertion; verify the IdP's signature and the
    // assertion's conditions before using its subject for login.
    samlAssertion = encryptedAssertion.Decrypt(decryptionKey.PrivateKey, null);
}
else
{
    throw new ApplicationException("No encrypted assertions found in the SAML response");
}
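Before a response is handed to Decrypt, a service provider should also check which XML Encryption algorithms the IdP actually used, since the sample above selects TripleDesCbc. The policy check below is an added example, not part of the ComponentPro library or the sample projects: it uses only System.Xml, the class and method names are hypothetical, and it assumes SAML 2.0 EncryptedAssertion elements carrying standard XML Encryption algorithm URIs.

```csharp
using System.Collections.Generic;
using System.Xml;

// Added example with a hypothetical class name; not part of the ComponentPro API.
// Assumes SAML 2.0 EncryptedAssertion elements and standard XML Encryption URIs.
public static class SamlEncryptionPolicy
{
    const string SamlNs = "urn:oasis:names:tc:SAML:2.0:assertion";
    const string XencNs = "http://www.w3.org/2001/04/xmlenc#";
    // Data-encryption allowlist. CBC modes, including the TripleDesCbc chosen in the
    // sample above (...xmlenc#tripledes-cbc), are left out: XML Encryption in CBC mode
    // is subject to known chosen-ciphertext attacks unless the ciphertext is also signed.
    static readonly HashSet<string> AllowedDataAlgorithms = new HashSet<string>
    {
        "http://www.w3.org/2009/xmlenc11#aes128-gcm",
        "http://www.w3.org/2009/xmlenc11#aes256-gcm",
    };
    // Key-transport allowlist; RSA PKCS#1 v1.5 (...xmlenc#rsa-1_5) is left out
    // because of well-known padding-oracle attacks against it.
    static readonly HashSet<string> AllowedKeyTransportAlgorithms = new HashSet<string>
    {
        "http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p",
        "http://www.w3.org/2009/xmlenc11#rsa-oaep",
    };
    // Returns the policy violations found in the response's EncryptedAssertion
    // elements; an empty list means the document may be passed on to Decrypt.
    public static List<string> Check(XmlDocument responseDoc)
    {
        var nsm = new XmlNamespaceManager(responseDoc.NameTable);
        nsm.AddNamespace("saml", SamlNs);
        nsm.AddNamespace("xenc", XencNs);
        var problems = new List<string>();
        XmlNodeList encrypted = responseDoc.SelectNodes("//saml:EncryptedAssertion", nsm);
        if (encrypted.Count == 0)
            problems.Add("No EncryptedAssertion present in the response");
        foreach (XmlNode ea in encrypted)
        {
            XmlNode data = ea.SelectSingleNode("xenc:EncryptedData/xenc:EncryptionMethod/@Algorithm", nsm);
            string dataAlg = data == null ? "(missing)" : data.Value;
            if (!AllowedDataAlgorithms.Contains(dataAlg))
                problems.Add("Data encryption algorithm not allowed: " + dataAlg);
            // The EncryptedKey may sit inside ds:KeyInfo or beside EncryptedData, so search the subtree.
            foreach (XmlNode key in ea.SelectNodes(".//xenc:EncryptedKey/xenc:EncryptionMethod/@Algorithm", nsm))
                if (!AllowedKeyTransportAlgorithms.Contains(key.Value))
                    problems.Add("Key transport algorithm not allowed: " + key.Value);
        }
        return problems;
    }
}
```

Call Check on the XmlDocument the service provider received and reject the response when the returned list is non-empty; this does not replace signature verification of the response or assertion.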

How about decrypting encrypted attributes?

Very simple. All you need to do is load a private key file for decrypting attributes and call the Decrypt method of the EncryptedAttribute class. The following code demonstrates how to do so.

// Load the SAML response from the XML document.
Response samlResponse = new Response(xmlDocument.DocumentElement);

// Access the first assertion object.
Assertion assertion = (Assertion)samlResponse.Assertions[0];

if (assertion.AttributeStatements[0].EncryptedAttributes.Count > 0)
{
    // Load the private key file (privateCertificateFile is the path to the .pfx holding the decryption key).
    X509Certificate2 certificate = new X509Certificate2(privateCertificateFile, "password");

    // Loop through the encrypted attributes list.
    foreach (EncryptedAttribute encryptedAttribute in assertion.AttributeStatements[0].EncryptedAttributes)
    {
        // Get the encrypted key.
        EncryptedKey encryptedKey = encryptedAttribute.GetEncryptedKeyObjects()[0];

        // Decrypt the encrypted attribute.
        ComponentPro.Saml2.Attribute decryptedAttribute = encryptedAttribute.Decrypt(certificate.PrivateKey, encryptedKey, null);

        // ...
    }
}
else
{
    // No encrypted attributes: loop through the plain attributes list.
    foreach (ComponentPro.Saml2.Attribute attribute in assertion.AttributeStatements[0].Attributes)
    {
        // TO DO: Your code here.

        // ...
    }
}


Salesforce Web Applications

After successfully installing the UltimateSaml for SAML v2.0 setup package you will see ten web sample projects, in the folder WebFormsC# for C# and WebFormsVB.NET for VB.NET. By default UltimateSaml is installed in the folder C:\ComponentPro on Vista, 2008 and above, and in C:\Program files\ComponentPro on XP, 2003 and 2000. The Salesforce sample demonstrates Single Sign-on (SSO) with Salesforce using the ComponentPro SAML Library: it acts as the Identity Provider while Salesforce is the Service Provider. To run this web sample project, open the solution file Saml2_Salesforce_WebDemo.XXXX.sln for C# or Saml2_Salesforce_WebDemoVB.XXXX.sln for VB.NET, and then select Saml2Salesforce.IdentifyProviderWebDemo.

Configuring the Salesforce Identity Provider Web Application

You can easily configure the ID Provider web application by modifying the settings within its web.config file’s <appSettings> section:

  • SalesforceUserId: The Salesforce account.
  • SalesforceLoginUrl: The Salesforce login URL. No need to change this value.
  • ServiceProviderUrl: The target URL of the service provider web application. No need to change this value.
  • CertificateIssuer: The certificate issuer name. This value must match the issuer name of the certificate submitted to Salesforce.
  • EntityId: Used to create an audience for a SAML response. No need to change this value.

Configuring Salesforce to work with your Identity Provider

To enable and configure single sign-on in Salesforce, follow these steps:

  1. Login to Salesforce.
  2. Click on the Setup link; you should then be redirected to the Personal Setup page.
  3. Expand Security Controls in the Administration Setup menu, and select Single Sign-On Settings.
  4. Click on the Edit button.
    [Screenshot: Ultimate SAML Salesforce Settings]
  5. Choose SAML 2.0 as the SAML Version.
  6. Upload the Identity Provider Certificate if needed. If you wish to test the Identity Provider sample app, you will need to upload the certificate file named SP_X509Certificate_ForSalesforce.cer.
  7. You should select Assertion contains User’s salesforce.com username for the SAML User ID Type option, and User ID is in the NameIdentifier element of the Subject statement for the SAML User ID Location.
  8. Fill in the Identity Provider Certificate Name.
  9. Click on the Save button.

Testing the Identity Provider Web Application using UltimateSaml Library

This sample is configured to run at port 33181 (you can easily change the port number in the project property page). The ComponentPro identity provider web application, in conjunction with Salesforce, demonstrates IdP-initiated single sign-on. First, log in to the local system with the user name salesforce and the password password:

  1. Click on the Login button.
  2. Click on the link “here”. You should then be presented with the Salesforce Account page.
    [Screenshot: IdpLogin]

You have successfully completed a SAML 2.0 Single Sign-On and are logged in at the Service Provider with your Salesforce user name.

If you need to set up Google SSO, see the topic Setting up Google SSO to work with Ultimate SAML.