Problems reading/authenticating a SAML assertion in .Net using WSSecurityTokenSerializer
Question
I have a SAML assertion that I wish to authenticate in .Net using WSSecurityTokenSerializer.
I've got the key-chain and SAML XML, despite a few issues.
First I get the SAML assertion from the HTTPS POST:
using System;
using System.IO;
using System.Text;
using System.Xml;

// spec says "SAMLResponse="
string rawSamlData = Request["SAMLResponse"];
// read the base64 encoded bytes
byte[] samlData = Convert.FromBase64String(rawSamlData);
// read back into a UTF-8 string
string samlAssertion = Encoding.UTF8.GetString(samlData);
// get the SAML data in an XML reader
var assertionPostStream = new StringReader(samlAssertion);
var reader = XmlReader.Create(assertionPostStream);
Then I get the keys provided by my IdP:
using System.Collections.ObjectModel;
using System.IdentityModel.Selectors;
using System.IdentityModel.Tokens;
using System.Linq;
using System.Security.Cryptography.Pkcs;
using System.Security.Cryptography.X509Certificates;

// get the key data
byte[] certificateData = System.IO.File.ReadAllBytes("myKeys.p7b");
// decode the keys (PKCS#7 bundle)
var cms = new SignedCms(SubjectIdentifierType.IssuerAndSerialNumber);
cms.Decode(certificateData);
// we have a keychain of X509Certificate2s, we need a collection of tokens
var certificatesAsTokens =
    from X509Certificate2 cert in cms.Certificates
    select new X509SecurityToken(cert) as SecurityToken;
// get a token resolver
var tokens = new ReadOnlyCollection<SecurityToken>(
    certificatesAsTokens.ToList());
var resolver = SecurityTokenResolver.CreateDefaultSecurityTokenResolver(
    tokens, true);
Finally I get an error thrown here:
using System.ServiceModel.Security;

// use the WS-Security serializer to parse the reader
var securityToken = WSSecurityTokenSerializer.DefaultInstance
    .ReadToken(reader, resolver) as SamlSecurityToken;
When calling that ReadToken I get the following error:
Cannot read the token from the 'Response' element with the 'urn:oasis:names:tc:SAML:2.0:protocol' namespace for BinarySecretSecurityToken, with a '' ValueType. If this element is expected to be valid, ensure that security is configured to consume tokens with the name, namespace and value type specified.
My SAML XML starts with:
<Response xmlns="urn:oasis:names:tc:SAML:2.0:protocol" ...
So clearly I have a Response element in the urn:oasis:names:tc:SAML:2.0:protocol namespace.
Any idea what's wrong/missing here?
Answer
It looks like you are receiving a SAML2 response. Although there is support for SAML2 in .NET 4.5, there is unfortunately only support for the assertions - not the protocol itself (including the Response message).
To process the SAML2 response in .NET you have to:
- Validate the signature on the entire response message.
- Extract the assertion part of the message.
- Read the token with Saml2SecurityTokenHandler.ReadToken().
- Validate the token with Saml2SecurityTokenHandler.DetectReplayedToken().
- Validate the token with Saml2SecurityTokenHandler.ValidateConditions().
- Use Saml2SecurityTokenHandler.CreateClaims() to create a claims identity.
Unfortunately most of those methods are protected, but you can subclass Saml2SecurityTokenHandler and get access to them.
A complete working example can be found in the Saml2Response class (https://github.com/KentorIT/authservices/blob/master/Kentor.AuthServices/SAML2P/Saml2Response.cs) in the Kentor.AuthServices project.
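The six steps above, carried through in one method, as an added example that is not code from the question or from the Kentor.AuthServices project. It assumes .NET Framework 4.5 with System.IdentityModel and System.Security referenced, a hypothetical subclass name (ExposedSaml2Handler), and that the caller has already populated the handler's Configuration (issuer token resolver and issuer name registry for the IdP, allowed audience URIs, replay cache), since ReadToken and CreateClaims rely on it.

```csharp
// Added example, not from the question or Kentor.AuthServices. Assumes .NET 4.5 and a handler whose
// Configuration (issuer token resolver/name registry, audience URIs, replay cache) the caller already set up.
using System.IdentityModel.Tokens;
using System.Security.Claims;
using System.Security.Cryptography.X509Certificates;
using System.Security.Cryptography.Xml;
using System.Xml;
// Hypothetical subclass that re-exposes the protected steps the answer lists.
public class ExposedSaml2Handler : Saml2SecurityTokenHandler
{
    public new void DetectReplayedToken(SecurityToken t) { base.DetectReplayedToken(t); }
    public new void ValidateConditions(Saml2Conditions c, bool audience) { base.ValidateConditions(c, audience); }
    public new ClaimsIdentity CreateClaims(Saml2SecurityToken t) { return base.CreateClaims(t); }
}

public static class Saml2ResponseProcessor
{
    const string SamlP = "urn:oasis:names:tc:SAML:2.0:protocol";
    const string Saml = "urn:oasis:names:tc:SAML:2.0:assertion";
    // responseXml: the base64-decoded SAMLResponse; idpCert: the IdP's (pinned) signing certificate.
    public static ClaimsIdentity Process(string responseXml, X509Certificate2 idpCert, ExposedSaml2Handler handler)
    {
        var doc = new XmlDocument { PreserveWhitespace = true };
        doc.LoadXml(responseXml);
        XmlElement response = doc.DocumentElement;
        if (response.LocalName != "Response" || response.NamespaceURI != SamlP)
            throw new SecurityTokenException("Root element is not samlp:Response");
        var ns = new XmlNamespaceManager(doc.NameTable);
        ns.AddNamespace("ds", SignedXml.XmlDsigNamespaceUrl);
        ns.AddNamespace("saml", Saml);
        // Step 1: verify the signature on the whole Response (a direct ds:Signature child) with the IdP key.
        var sig = response.SelectSingleNode("ds:Signature", ns) as XmlElement;
        if (sig == null) throw new SecurityTokenException("Response is not signed");
        var signedXml = new SignedXml(response);
        signedXml.LoadXml(sig);
        // The single Reference must point at this Response's own ID, otherwise the signature covers something else.
        if (signedXml.SignedInfo.References.Count != 1 ||
            ((Reference)signedXml.SignedInfo.References[0]).Uri != "#" + response.GetAttribute("ID"))
            throw new SecurityTokenException("Signature does not reference the Response element");
        // verifySignatureOnly = true: the certificate is pinned by the caller, so no chain build here.
        if (!signedXml.CheckSignature(idpCert, true)) throw new SecurityTokenException("Response signature is invalid");
        var assertion = response.SelectSingleNode("saml:Assertion", ns) as XmlElement; // step 2
        if (assertion == null) throw new SecurityTokenException("No saml:Assertion in Response");
        var reader = new XmlNodeReader(assertion);
        reader.MoveToContent();
        var token = (Saml2SecurityToken)handler.ReadToken(reader);   // step 3
        handler.DetectReplayedToken(token);                           // step 4
        handler.ValidateConditions(token.Assertion.Conditions, true); // step 5
        return handler.CreateClaims(token);                           // step 6
    }
}
```

The Reference check matters because SignedXml only proves that whatever the Reference URI points at is signed; without comparing it to the Response's own ID, a signature over some other element would still pass CheckSignature.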