
Single Sign On (SSO) Web Samples in Ultimate SAML Component

After installing the UltimateSaml setup package you will find two SAML v1.1 web sample projects: WebFormsC# for C# and WebFormsVB.NET for VB.NET. (By default UltimateSaml is installed in C:\ComponentPro on Vista, Server 2008 and later, and in C:\Program files\ComponentPro on XP, Server 2003 and 2000.) To run the web samples, open the solution file Saml1_IdpInitiated_WebDemo.XXXX.sln for C# or Saml1_IdpInitiated_WebDemoVB.XXXX.sln for VB.NET.

Identity Provider Web Application (Saml1SsoIdentityProviderWebDemo or Saml1SsoIdentityProviderWebDemoVB)

This sample is configured to run at port 16471 (you can change the port number in the project property page). The identity provider web application demonstrates the basic operations of an identity provider. First, log in to the system with the user name iuser and the password password, choose a SAML Single Sign On method from the drop-down list, and then click the link to access the Service Provider site, which runs at port 16475.

Once logged in at the identity provider, every access to the service provider goes through the identity provider’s inter-site transfer page (SamlRedirect.aspx), which handles both the Browser/POST and Browser/Artifact profiles for the identity provider.

  • If the Browser/Artifact profile is used, the identity provider’s SAML responder page (SamlRequestProcess.aspx) handles SAML protocol requests from service providers. It uses the received artifact to look up the previously generated SAML assertion, builds a SAML protocol response containing that assertion, and returns it to the service provider.

How to configure?

You can configure the Identity Provider web application by editing the <appSettings> section of its web.config file:

  • SamlArtifactUrlFormat: The target URL format of the service provider’s consumer service for Browser/Artifact SSO method.
  • SamlAssertionConsumerUrl: The target URL of the service provider’s consumer service for Browser/Post SSO method.

Service Provider Web Application (Saml1SsoServiceProviderWebDemo or Saml1SsoServiceProviderWebDemoVB)

This sample is configured to run at port 16475 (you can easily change the port number in the project property page). The service provider web application demonstrates some basic operation of a service provider.

  • If the Browser/POST profile is used, the assertion consumer page (SamlAssertionProcess.aspx) receives the form the browser posts from the identity provider, reconstructs the SAML protocol response, retrieves the SAML assertion from the response, and uses the subject contained in the assertion to perform an automatic login at the service provider. It then redirects to the target service provider page.
  • If the Browser/Artifact profile is used, the artifact receiver page (SamlArtifactProcess.aspx) receives the artifact from the identity provider. It then sends the identity provider a SAML protocol request containing the artifact, receives the SAML protocol response, retrieves the SAML assertion from the response, and uses the subject contained in the assertion to perform an automatic login at the service provider. It then redirects to the target service provider page.
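The artifact flow described on the identity provider side (the SAML responder page) and on the service provider side (the artifact receiver page) only works safely if the artifact store behaves correctly: an artifact must resolve exactly once, must expire quickly, and must be rejected when it was minted for some other source. The following is an added example, not code from the Ultimate SAML samples or API, written against the .NET base class library alone. It implements the SAML 1.1 TYPE 0x0001 artifact layout (2-byte type code, 20-byte SourceID, 20-byte assertion handle) with a single-use store. The class and method names are invented for this illustration, and deriving SourceID as the SHA-1 of the identity provider’s issuer URL is an assumption.

```csharp
using System;
using System.Collections.Concurrent;
using System.Security.Cryptography;
using System.Text;

// Added example (not ComponentPro code): a SAML 1.1 TYPE 0x0001 artifact store.
// Artifact = Base64( TypeCode(2 bytes) || SourceID(20 bytes) || AssertionHandle(20 bytes) ).
// SourceID is derived here as SHA-1 of the IdP's issuer URL (an assumption for the example).
public sealed class Saml1ArtifactStore
{
    private static readonly byte[] TypeCode = { 0x00, 0x01 };
    private readonly byte[] sourceId;
    private readonly TimeSpan lifetime;
    private readonly ConcurrentDictionary<string, (string Assertion, DateTime Expires)> pending =
        new ConcurrentDictionary<string, (string, DateTime)>();

    public Saml1ArtifactStore(string sourceIdentifier, TimeSpan lifetime)
    {
        using (var sha1 = SHA1.Create())
            sourceId = sha1.ComputeHash(Encoding.UTF8.GetBytes(sourceIdentifier));
        this.lifetime = lifetime;
    }

    // IdP inter-site transfer role: park the assertion and hand the browser an opaque artifact.
    public string Issue(string assertionXml)
    {
        byte[] handle = new byte[20];
        using (var rng = RandomNumberGenerator.Create()) rng.GetBytes(handle);
        string key = Convert.ToBase64String(handle);
        pending[key] = (assertionXml, DateTime.UtcNow.Add(lifetime));

        byte[] artifact = new byte[42];
        Buffer.BlockCopy(TypeCode, 0, artifact, 0, 2);
        Buffer.BlockCopy(sourceId, 0, artifact, 2, 20);
        Buffer.BlockCopy(handle, 0, artifact, 22, 20);
        return Convert.ToBase64String(artifact);
    }

    // IdP responder role: resolve the artifact exactly once, or not at all.
    public bool TryResolve(string artifactBase64, out string assertionXml)
    {
        assertionXml = null;
        byte[] artifact;
        try { artifact = Convert.FromBase64String(artifactBase64); }
        catch (FormatException) { return false; }

        // Wrong length or wrong type code: not one of ours.
        if (artifact.Length != 42 || artifact[0] != 0x00 || artifact[1] != 0x01) return false;

        // SourceID must be this IdP's; compare in constant time so rejection leaks nothing.
        if (!FixedTimeEquals(artifact, 2, sourceId)) return false;

        byte[] handle = new byte[20];
        Buffer.BlockCopy(artifact, 22, handle, 0, 20);
        string key = Convert.ToBase64String(handle);

        // Single use: remove on first lookup so a replayed artifact resolves to nothing.
        if (!pending.TryRemove(key, out var entry)) return false;
        if (DateTime.UtcNow > entry.Expires) return false;

        assertionXml = entry.Assertion;
        return true;
    }

    private static bool FixedTimeEquals(byte[] a, int offset, byte[] b)
    {
        int diff = 0;
        for (int i = 0; i < b.Length; i++) diff |= a[offset + i] ^ b[i];
        return diff == 0;
    }
}
```

Typical use: the transfer page calls Issue once per login and puts the returned string in the artifact URL; the responder page calls TryResolve on the artifact it receives from the service provider and returns the assertion only when it returns true. A second TryResolve with the same artifact returns false, which is the property that stops an attacker who captured the artifact URL from obtaining the assertion after the legitimate service provider has.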

You can log in to the local system with the user name suser and the password password.

How to configure?

You can easily configure the Service Provider web application by modifying the settings within its web.config file’s <appSettings> section:

  • SamlRequestHandlerUrl: the URL of the IdP’s SAML request handler.

Verifying SAML XML Signatures with Saml1Demo

To check the XML signature on a SAML protocol response that your application produced or received, run the Saml1Demo sample and click the Verifying Signature tab; it reports whether the signature is valid. The utility looks like this:

[Screenshot: SAML Verify tab of Saml1Demo]

  • Certificate File: a CER file containing the certificate used to verify the signature. Specify it when the certificate is loaded from a file or a certificate store; leave it empty if the certificate is embedded in the XML signature’s KeyInfo. Note that a signature which verifies against its own embedded certificate proves only that the sender held that certificate’s private key. Before trusting the response, confirm that the embedded certificate is the identity provider’s, for example by comparing its thumbprint with the one you have on file.
  • SAML Protocol XML file: the file containing the SAML protocol response as XML.
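The Verifying Signature tab answers one question: does the signature verify. An assertion consumer page has to answer several more before it logs a user in: is the signature the identity provider’s, does it cover the element whose contents are about to be trusted, and do the response and assertion carry the right destination, audience and validity window. The following is an added example, not code from the Ultimate SAML component, showing those checks on a SAML 2.0 response using System.Security.Cryptography.Xml alone: exactly one enveloped signature on the Response, a Reference to the Response’s own ID (the check that defeats XML Signature Wrapping), verification against a pinned IdP certificate rather than the sender-controlled KeyInfo, and then Destination, status, NotBefore/NotOnOrAfter, AudienceRestriction and Recipient checks. The class and method names, and the choice to pass the IdP certificate and the SP’s consumer URL and entity ID as parameters, are assumptions for this example.

```csharp
using System;
using System.Globalization;
using System.Security.Cryptography.X509Certificates;
using System.Security.Cryptography.Xml;
using System.Xml;

// Added example, not ComponentPro code: the checks an assertion consumer page should make on a
// SAML 2.0 <samlp:Response> received over HTTP-POST (after base64-decoding the SAMLResponse field).
public static class SamlResponseVerifier
{
    private const string Samlp = "urn:oasis:names:tc:SAML:2.0:protocol";
    private const string Saml = "urn:oasis:names:tc:SAML:2.0:assertion";
    private const string Success = "urn:oasis:names:tc:SAML:2.0:status:Success";

    public sealed class Result
    {
        public bool Ok;
        public string Reason;   // why verification failed; null on success
        public string Subject;  // the NameID; only set on success
    }

    // trustedIdpCert is the IdP signing certificate from the SP's own configuration (assumed);
    // expectedDestination is this SP's assertion consumer URL and expectedAudience its entity ID.
    public static Result Verify(string responseXml, X509Certificate2 trustedIdpCert,
                                string expectedDestination, string expectedAudience, TimeSpan clockSkew)
    {
        // PreserveWhitespace keeps canonicalization stable; a null resolver blocks DTD/XXE fetches.
        var doc = new XmlDocument { PreserveWhitespace = true, XmlResolver = null };
        doc.LoadXml(responseXml);
        var ns = new XmlNamespaceManager(doc.NameTable);
        ns.AddNamespace("samlp", Samlp);
        ns.AddNamespace("saml", Saml);
        ns.AddNamespace("ds", SignedXml.XmlDsigNamespaceUrl);

        XmlElement root = doc.DocumentElement;
        if (root.LocalName != "Response" || root.NamespaceURI != Samlp)
            return Fail("root element is not samlp:Response");

        // 1. Exactly one signature, and it must be a direct child of the element we are about to trust.
        XmlNodeList sigs = root.SelectNodes("ds:Signature", ns);
        if (sigs.Count != 1) return Fail("expected exactly one enveloped signature on the Response");
        var signedXml = new SignedXml(doc);
        signedXml.LoadXml((XmlElement)sigs[0]);

        // 2. Its single Reference must point at the Response's own ID. A valid signature over some
        //    other element (XML Signature Wrapping) must not pass.
        if (signedXml.SignedInfo.References.Count != 1) return Fail("expected exactly one Reference");
        string id = root.GetAttribute("ID");
        var reference = (Reference)signedXml.SignedInfo.References[0];
        if (string.IsNullOrEmpty(id) || reference.Uri != "#" + id)
            return Fail("signature does not cover the Response element");

        // 3. Verify with the pinned IdP certificate, never with the one in KeyInfo: the sender
        //    chooses KeyInfo, so a response signed with any key would otherwise verify.
        if (!signedXml.CheckSignature(trustedIdpCert, true))
            return Fail("signature does not verify under the trusted IdP certificate");

        // 4. Only now inspect the content, which is authenticated from here on.
        if (root.GetAttribute("Destination") != expectedDestination) return Fail("Destination mismatch");
        if (root.SelectSingleNode("samlp:Status/samlp:StatusCode/@Value", ns)?.Value != Success)
            return Fail("status is not Success");

        XmlNodeList assertions = root.SelectNodes("saml:Assertion", ns);
        if (assertions.Count != 1) return Fail("expected exactly one plaintext Assertion");
        var assertion = (XmlElement)assertions[0];

        DateTime now = DateTime.UtcNow;
        XmlNode notBefore = assertion.SelectSingleNode("saml:Conditions/@NotBefore", ns);
        XmlNode notOnOrAfter = assertion.SelectSingleNode("saml:Conditions/@NotOnOrAfter", ns);
        if (notOnOrAfter == null) return Fail("no NotOnOrAfter: the assertion would be replayable forever");
        if (notBefore != null && now + clockSkew < ParseUtc(notBefore.Value)) return Fail("assertion not yet valid");
        if (now - clockSkew >= ParseUtc(notOnOrAfter.Value)) return Fail("assertion has expired");

        // Every AudienceRestriction present must name this SP (SAML requires each to be satisfied);
        // requiring at least one is this example's policy.
        XmlNodeList restrictions = assertion.SelectNodes("saml:Conditions/saml:AudienceRestriction", ns);
        if (restrictions.Count == 0) return Fail("assertion carries no AudienceRestriction");
        foreach (XmlNode restriction in restrictions)
        {
            bool named = false;
            foreach (XmlNode a in restriction.SelectNodes("saml:Audience", ns))
                if (a.InnerText.Trim() == expectedAudience) named = true;
            if (!named) return Fail("assertion is not addressed to this SP");
        }

        XmlNode recipient = assertion.SelectSingleNode(
            "saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData/@Recipient", ns);
        if (recipient != null && recipient.Value != expectedDestination) return Fail("Recipient mismatch");

        XmlNode nameId = assertion.SelectSingleNode("saml:Subject/saml:NameID", ns);
        if (nameId == null) return Fail("assertion has no NameID");
        return new Result { Ok = true, Subject = nameId.InnerText };
    }

    private static DateTime ParseUtc(string s) =>
        DateTime.Parse(s, CultureInfo.InvariantCulture,
                       DateTimeStyles.AdjustToUniversal | DateTimeStyles.AssumeUniversal);

    private static Result Fail(string why) => new Result { Ok = false, Reason = why };
}
```

Two things are deliberately left to the caller. In IdP-initiated SSO there is no InResponseTo to match, so the only defence against replay within the validity window is a cache of assertion IDs already accepted; keep one for at least NotOnOrAfter plus the clock skew. Encrypted assertions are out of scope here: decrypt first, then run the same checks on the resulting plaintext Assertion.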

Adding custom attributes to SAML Assertion

In many cases you need to carry custom attributes in the SAML assertion you issue. The Attributes property of the AttributeStatement class gives access to the attribute list, so you can pass your own data to the receiving party (the service provider, in the IdP-initiated samples). The following code adds the Email, First Name and Last Name of a user. The receiving side can only trust these values if the response or assertion that carries them is signed, so keep the Sign call shown in the full sample further down.

C#:

AttributeStatement attributeStatement = new AttributeStatement();
attributeStatement.Attributes.Add(new ComponentPro.Saml2.Attribute("email", SamlAttributeNameFormat.Basic, null, "john@test.com"));
attributeStatement.Attributes.Add(new ComponentPro.Saml2.Attribute("FirstName", SamlAttributeNameFormat.Basic, null, "John"));
attributeStatement.Attributes.Add(new ComponentPro.Saml2.Attribute("LastName", SamlAttributeNameFormat.Basic, null, "Smith"));

// Insert a custom token key to the SAML response.
attributeStatement.Attributes.Add(new ComponentPro.Saml2.Attribute("CustomTokenForVerification", SamlAttributeNameFormat.Basic, null, "YourEncryptedTokenHere"));

samlAssertion.Statements.Add(attributeStatement);

VB.NET:

Dim attributeStatement As New AttributeStatement()
attributeStatement.Attributes.Add(New ComponentPro.Saml2.Attribute("email", SamlAttributeNameFormat.Basic, Nothing, "john@test.com"))
attributeStatement.Attributes.Add(New ComponentPro.Saml2.Attribute("FirstName", SamlAttributeNameFormat.Basic, Nothing, "John"))
attributeStatement.Attributes.Add(New ComponentPro.Saml2.Attribute("LastName", SamlAttributeNameFormat.Basic, Nothing, "Smith"))

' Insert a custom token key to the SAML response.
attributeStatement.Attributes.Add(New ComponentPro.Saml2.Attribute("CustomTokenForVerification", SamlAttributeNameFormat.Basic, Nothing, "YourEncryptedTokenHere"))

samlAssertion.Statements.Add(attributeStatement)

You can add this code to the Service.aspx.cs file in the Saml2IdpInitiated.IdentityProvider folder. After adding the custom attributes the code should look like the following:

C#:

//#define ENCRYPTEDSAML

using System;
using System.Web.Configuration;
using System.Security.Cryptography.X509Certificates;
using System.IO;
using System.Web;
using ComponentPro.Saml2;

namespace SamlIdPInitiated.IdentityProvider
{
    public partial class Service : System.Web.UI.Page
    {
        // Get consumer service URL from the application settings.
        private static readonly string ConsumerServiceUrl = WebConfigurationManager.AppSettings["ConsumerServiceUrl"];

        protected override void OnLoad(EventArgs e)
        {
            base.OnLoad(e);

            try
            {
                // Extract the SP target URL; it is relayed to the SP as RelayState.
                string targetUrl = Request.QueryString["spUrl"];

                // Presence check only. The value comes straight from the query string, so the
                // service provider must validate the RelayState it receives (for example against
                // an allowlist of its own URLs) before redirecting to it, or the redirect is open.
                if (string.IsNullOrEmpty(targetUrl))
                {
                    return;
                }

                // Create a SAML response object.
                ComponentPro.Saml2.Response samlResponse = new ComponentPro.Saml2.Response();
                // Assign the consumer service url.
                samlResponse.Destination = ConsumerServiceUrl;
                Issuer issuer = new Issuer(GetAbsoluteUrl("~/"));
                samlResponse.Issuer = issuer;
                samlResponse.Status = new Status(SamlPrimaryStatusCode.Success, null);

                Assertion samlAssertion = new Assertion();
                samlAssertion.Issuer = issuer;

                // Use the local user's local identity.
                Subject subject = new Subject(new NameId(User.Identity.Name));
                SubjectConfirmation subjectConfirmation = new SubjectConfirmation(SamlSubjectConfirmationMethod.Bearer);
                SubjectConfirmationData subjectConfirmationData = new SubjectConfirmationData();
                subjectConfirmationData.Recipient = ConsumerServiceUrl;
                subjectConfirmation.SubjectConfirmationData = subjectConfirmationData;
                subject.SubjectConfirmations.Add(subjectConfirmation);
                samlAssertion.Subject = subject;

                // Create a new authentication statement.
                AuthnStatement authnStatement = new AuthnStatement();
                authnStatement.AuthnContext = new AuthnContext();
                authnStatement.AuthnContext.AuthnContextClassRef = new AuthnContextClassRef(SamlAuthenticationContext.Password);
                samlAssertion.Statements.Add(authnStatement);

                // Note: this sample sets no <Conditions> (NotBefore/NotOnOrAfter, AudienceRestriction)
                // on the assertion. A production IdP should set them so that the SP can reject
                // expired or misdirected assertions instead of accepting them indefinitely.

                // If you need to add custom attributes, uncomment the following code
                // #region Custom Attributes
                // AttributeStatement attributeStatement = new AttributeStatement();
                // attributeStatement.Attributes.Add(new ComponentPro.Saml2.Attribute("email", SamlAttributeNameFormat.Basic, null, "john@test.com"));
                // attributeStatement.Attributes.Add(new ComponentPro.Saml2.Attribute("FirstName", SamlAttributeNameFormat.Basic, null, "John"));
                // attributeStatement.Attributes.Add(new ComponentPro.Saml2.Attribute("LastName", SamlAttributeNameFormat.Basic, null, "Smith"));
                //
                // // Insert a custom token key to the SAML response.
                // attributeStatement.Attributes.Add(new ComponentPro.Saml2.Attribute("CustomTokenForVerification", SamlAttributeNameFormat.Basic, null, "YourEncryptedTokenHere"));
                //
                // samlAssertion.Statements.Add(attributeStatement);
                // #endregion

                // Define ENCRYPTEDSAML preprocessor flag if you wish to encrypt the SAML response.
#if ENCRYPTEDSAML
                // Load the certificate for the encryption.
                // Please make sure the file is in the root directory. A .cer file holds only the
                // public key, which is all encryption needs; the password argument is only used
                // when the file is a PFX/PKCS#12 container.
                X509Certificate2 encryptingCert = new X509Certificate2(Path.Combine(HttpRuntime.AppDomainAppPath, "EncryptionX509Certificate.cer"), "password");

                // Create an encrypted SAML assertion from the SAML assertion we have created.
                // TripleDesCbc is the legacy algorithm this sample uses; prefer an AES key algorithm
                // wherever the service provider supports it.
                EncryptedAssertion encryptedSamlAssertion = new EncryptedAssertion(samlAssertion, encryptingCert, new System.Security.Cryptography.Xml.EncryptionMethod(SamlKeyAlgorithm.TripleDesCbc));

                // Add encrypted assertion to the SAML response object.
                samlResponse.Assertions.Add(encryptedSamlAssertion);
#else
                // Add assertion to the SAML response object.
                samlResponse.Assertions.Add(samlAssertion);
#endif

                // Get the previously loaded certificate.
                X509Certificate2 x509Certificate = (X509Certificate2)Application[Global.CertKeyName];

                // Sign the SAML response with the certificate.
                samlResponse.Sign(x509Certificate);

                // Send the SAML response to the service provider.
                samlResponse.SendHttpPost(Response.OutputStream, ConsumerServiceUrl, targetUrl);
            }

            catch (Exception exception)
            {
                Trace.Write("IdentityProvider", "An Error occurred", exception);
            }
        }

        private string GetAbsoluteUrl(string relativeUrl)
        {
            Uri u = new Uri(Request.Url, ResolveUrl(relativeUrl));
            return u.ToString();
        }
    }
}
