I have a SAML assertion that I wish to authenticate in .Net using WSSecurityTokenSerializer.
I've got the key-chain and SAML XML, despite a few issues.
First I get the SAML assertion from the HTTPS POST:

    // spec says "SAMLResponse="
    string rawSamlData = Request["SAMLResponse"];
    // read the base64 encoded bytes
    byte[] samlData = Convert.FromBase64String(rawSamlData);
    // read back into a UTF string
    string samlAssertion = Encoding.UTF8.GetString(samlData);
    // get the SAML data in an XML reader
    var assertionPostStream = new StringReader(samlAssertion);
    var reader = XmlReader.Create(assertionPostStream);
Then I get the keys provided by my IdP:

    // get the key data
    byte[] certificateData = System.IO.File.ReadAllBytes("myKeys.p7b");
    // decode the keys
    var cms = new SignedCms(SubjectIdentifierType.IssuerAndSerialNumber);
    cms.Decode(certificateData);
    // we have a keychain of X509Certificate2s, we need a collection of tokens
    var certificatesAsTokens =
        from X509Certificate2 cert in cms.Certificates
        select new X509SecurityToken(cert) as SecurityToken;
    // get a token resolver
    var tokens = new ReadOnlyCollection<SecurityToken>(
        certificatesAsTokens.ToList());
    var resolver = SecurityTokenResolver.CreateDefaultSecurityTokenResolver(
        tokens, true);
Finally I get an error thrown here:

    // use the WS Security stuff to parse the reader
    var securityToken = WSSecurityTokenSerializer.DefaultInstance
        .ReadToken(reader, resolver) as SamlSecurityToken;
When calling that ReadToken I get the following error:

    Cannot read the token from the 'Response' element with the 'urn:oasis:names:tc:SAML:2.0:protocol' namespace for BinarySecretSecurityToken, with a '' ValueType. If this element is expected to be valid, ensure that security is configured to consume tokens with the name, namespace and value type specified.
My SAML XML starts with:

    <Response xmlns="urn:oasis:names:tc:SAML:2.0:protocol" ...

So clearly I have a Response element in the urn:oasis:names:tc:SAML:2.0:protocol namespace.

Any idea what's wrong/missing here?
It looks like you are receiving a SAML2 response. Although there is support for SAML2 in .NET 4.5, there is unfortunately only support for the assertions - not the protocol itself (including the Response message).
To process the SAML2 response in .NET you have to:

1. Validate the signature on the entire response message.
2. Extract the assertion part of the message.
3. Read the token with Saml2SecurityTokenHandler.ReadToken().
4. Validate the token with Saml2SecurityTokenHandler.DetectReplayedToken().
5. Validate the token with Saml2SecurityTokenHandler.ValidateConditions().
6. Use Saml2SecurityTokenHandler.CreateClaims() to create a claims identity.

Unfortunately most of those methods are protected, but you can subclass Saml2SecurityTokenHandler and get access to them.
A complete working example can be found in the Saml2Response class in the Kentor.AuthServices project.
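The steps above, put together in one subclass. This is an added example written for this page; it is not code from the question, the answer, or Kentor.AuthServices. It assumes a single pinned IdP certificate `idpCert` (for instance one of the certificates from the question's `myKeys.p7b`), an audience URI `https://sp.example.com/` and the issuer label `idp`, all of which are illustrative. It also assumes a single, unencrypted Assertion that is itself signed by that certificate, because the handler resolves the issuer name through the IssuerNameRegistry from the assertion's own signing token; a Response that carries only a Response-level signature needs the extra handling the answer points to Kentor.AuthServices for.

```csharp
using System;
using System.Collections.ObjectModel;
using System.IdentityModel.Selectors;
using System.IdentityModel.Tokens;
using System.Security.Claims;
using System.Security.Cryptography.X509Certificates;
using System.Security.Cryptography.Xml;
using System.Xml;

// Example code: exposes the protected Saml2SecurityTokenHandler steps in the order the answer lists them.
public class Saml2ResponseTokenHandler : Saml2SecurityTokenHandler
{
    private const string SamlpNs = "urn:oasis:names:tc:SAML:2.0:protocol";
    private const string SamlNs = "urn:oasis:names:tc:SAML:2.0:assertion";
    private const string DsNs = "http://www.w3.org/2000/09/xmldsig#";

    public Saml2ResponseTokenHandler(X509Certificate2 idpCert, Uri expectedAudience)
    {
        var config = new SecurityTokenHandlerConfiguration();
        // Only the pinned IdP certificate may have signed the assertion.
        config.IssuerTokenResolver = SecurityTokenResolver.CreateDefaultSecurityTokenResolver(
            new ReadOnlyCollection<SecurityToken>(new SecurityToken[] { new X509SecurityToken(idpCert) }), false);
        // Map that certificate to an issuer name; CreateClaims() rejects an issuer the registry does not know.
        // "idp" is an assumed label.
        var registry = new ConfigurationBasedIssuerNameRegistry();
        registry.AddTrustedIssuer(idpCert.Thumbprint, "idp");
        config.IssuerNameRegistry = registry;
        // Reject assertions not addressed to this service provider (assumed audience URI).
        config.AudienceRestriction.AllowedAudienceUris.Add(expectedAudience);
        // DetectReplayedToken() does nothing unless this is on; the default in-memory replay cache is used.
        config.DetectReplayedTokens = true;
        Configuration = config;
    }

    // responseXml is the base64-decoded SAMLResponse from the POST.
    public ClaimsIdentity Process(string responseXml, X509Certificate2 idpCert)
    {
        // XmlResolver = null: never fetch DTDs or external entities from attacker-supplied XML.
        var doc = new XmlDocument { PreserveWhitespace = true, XmlResolver = null };
        doc.LoadXml(responseXml);
        var ns = new XmlNamespaceManager(doc.NameTable);
        ns.AddNamespace("samlp", SamlpNs);
        ns.AddNamespace("saml", SamlNs);
        ns.AddNamespace("ds", DsNs);

        XmlElement response = doc.DocumentElement;
        if (response == null || response.LocalName != "Response" || response.NamespaceURI != SamlpNs)
            throw new SecurityTokenException("Root element is not a samlp:Response.");

        // 1. Signature over the whole Response.
        if (!ResponseSignatureIsValid(doc, response, ns, idpCert))
            throw new SecurityTokenException("Response signature is missing or invalid.");

        // 2. Extract the assertion (one unencrypted assertion is assumed here).
        var assertion = response.SelectSingleNode("saml:Assertion", ns) as XmlElement;
        if (assertion == null)
            throw new SecurityTokenException("No saml:Assertion in the Response.");

        // 3-6. The protected handler steps.
        var token = (Saml2SecurityToken)ReadToken(new XmlNodeReader(assertion));
        DetectReplayedToken(token);
        ValidateConditions(token.Assertion.Conditions, enforceAudienceRestriction: true);
        return CreateClaims(token);
    }

    private static bool ResponseSignatureIsValid(XmlDocument doc, XmlElement response,
                                                 XmlNamespaceManager ns, X509Certificate2 idpCert)
    {
        // The ds:Signature must be a direct child of the Response...
        var sig = response.SelectSingleNode("ds:Signature", ns) as XmlElement;
        if (sig == null) return false;

        var signedXml = new SignedXml(doc);
        signedXml.LoadXml(sig);

        // ...and its Reference must point at the Response's own ID. A signature that verifies but
        // covers some other element says nothing about the Response it is attached to.
        string id = response.GetAttribute("ID");
        if (string.IsNullOrEmpty(id)) return false;
        bool coversResponse = false;
        foreach (Reference r in signedXml.SignedInfo.References)
            if (r.Uri == "#" + id) coversResponse = true;
        if (!coversResponse) return false;

        // verifySignatureOnly = true: trust comes from pinning idpCert, not from chain building.
        return signedXml.CheckSignature(idpCert, true);
    }
}
```

With the question's decoded `samlAssertion` string and an `X509Certificate2 idpCert` taken from the P7B, the call is `new Saml2ResponseTokenHandler(idpCert, new Uri("https://sp.example.com/")).Process(samlAssertion, idpCert)`; any failed step surfaces as a SecurityTokenException rather than a half-validated identity. The Reference-URI check in `ResponseSignatureIsValid` is deliberate: XML signature verification alone only says that some element with that ID was signed, so the code insists that the signed element is the Response it is about to trust.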