
saml2's Introduction

SAML2

Fork of the SAML2 library on CodePlex. This library removes the dependencies on ASP.NET.

This project now consists of three libraries

  1. SAML2.Core: This contains all the core logic from the original SAML2 library on CodePlex and remains similar in style and structure. Configuration has been changed so that it is no longer married to System.Configuration. File watchers on metadata were problematic and have been removed, on the belief that this additional functionality can be provided outside the core library.
  2. SAML2.AspNet: This contains all the ASP.NET bits from the original library, including the configuration. This has not been tested, but theoretically SAML2.AspNet + SAML2.Core should be equivalent to the original single library on CodePlex (minus the file watchers).
  3. Owin.Security.Saml: This contains an OWIN middleware implementation of a SAMLP Service Provider. This library is the main driver for this effort.

Project Status

The project is currently usable for a Service Provider using redirect binding against a Shibboleth server and is likely usable for other SAMLP IdPs using Redirect binding. The included SelfHostOwinSPExample project provides a usable example against a live server at https://www.testshib.org. Other bindings can likely be added quickly (PRs welcome!).

There remains some cleanup to be done on the Owin side (e.g. configuration) and a number of general warts in the core library (e.g. logging) that were brought over from the original.

Configuring Owin

        appBuilder.UseSamlAuthentication(new Owin.Security.Saml.SamlAuthenticationOptions
        {
            Configuration = config,                     // Saml2 Core configuration
            RedirectAfterLogin = "/my application URI", // Temporary, will auto-detect later. PRs welcome
        });

Configuring the Saml2 Core Library

        var myconfig = new Saml2Configuration
        {
            ServiceProvider = new ServiceProvider
            {
                // FileEmbeddedResource is a helper from the example project's startup; "pass" is the PFX password
                SigningCertificate = new X509Certificate2(FileEmbeddedResource("cert.pfx"), "pass", X509KeyStorageFlags.MachineKeySet),
                Server = "https://localhost:44333/myapp",
                Id = "https://localhost:44333/myapp"       // EntityId used in SAMLP to identify this SP
            },
            // Audience restriction: assertions whose Audience is not in this list are rejected
            AllowedAudienceUris = new List<Uri>(new[] { new Uri("https://localhost:44333/myapp") })
        };
        // The following URLs are based on the defaults used by the middleware above
        myconfig.ServiceProvider.Endpoints.AddRange(new[] {
            new ServiceProviderEndpoint(EndpointType.SignOn, "/myapp/saml2/login", "/core"),
            new ServiceProviderEndpoint(EndpointType.Logout, "/myapp/saml2/logout", "/core"),
            new ServiceProviderEndpoint(EndpointType.Metadata, "/myapp/saml2/metadata")
        });
        myconfig.IdentityProviders.AddByMetadata("IdPMetadataFile.xml");
        // Skips verification of the assertion signature; intended for local testing only
        myconfig.IdentityProviders.First().OmitAssertionSignatureCheck = true;
        myconfig.LoggingFactoryType = "SAML2.Logging.DebugLoggerFactory";
        return myconfig;


saml2's Issues

Mapping for multiple IdPs

Hi! I have a scenario where I have multiple IdPs, and I've put their metadata files in a single folder which I add using saml2Config.IdentityProviders.AddByMetadataDirectory.
Is it possible to map attributes of a request (e.g. host name) to the appropriate IdP? If so, what's the recommended method?

AddMetadataByUrl ??

It would be nice to have an AddMetadataByUrl method in SAML2.Config.IdentityProviders because the identity provider we use only lets us use their metadata for 1 day. So at this moment I should create a daemon that downloads the metadata every day, puts it in the correct directory and hopes it goes well.

Is this easy to implement?

Thanks for the help and for this great library.

Metadata namespace not added

It seems like the metadata your package provides does not really follow the standard.

SimpleSamlPHP metadata

Metadata of Owin.Security.Saml

The SimpleSaml implementation seems to use xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" as namespaces. Most elements are prepended with <md: like <md:EntityDescriptor ......> , is this something we could fix in the source? No idea where to start.

Our third party identity provider states that our metadata (from your package) is not correct.

Sign-On / Sign-Off Binding Locations with ? Fail When Sending Request

In src/Owin.Security.Saml/SamlMessage.cs, the following code produces a bad uri if request.Destination contains a ?:

var redirectLocation = request.Destination + "?" + redirectBuilder.ToQuery();

In trying to use Google Apps new IdP (which passes the IdP as a query parameter), the request fails since the SAMLRequest parameter is not appended with & but instead with an additional ?.
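The defect above, with a corrected helper beside it, as an added example (not code from the Owin.Security.Saml project). The method names are assumptions, and the query string stands in for what `redirectBuilder.ToQuery()` produces:

```csharp
using System;

static class RedirectLocation
{
    // Mirrors the line quoted from SamlMessage.cs: the query is always joined with "?",
    // so a destination that already carries a query string ends up with two "?" characters.
    public static string BuildRedirectLocationBuggy(string destination, string query)
    {
        return destination + "?" + query;
    }

    // Corrected: pick the separator from the destination's current shape.
    // A destination ending in "?" or "&" needs no separator at all.
    public static string BuildRedirectLocation(string destination, string query)
    {
        if (string.IsNullOrEmpty(query)) return destination;
        if (destination.EndsWith("?") || destination.EndsWith("&")) return destination + query;
        var separator = destination.Contains("?") ? "&" : "?";
        return destination + separator + query;
    }

    public static void Main()
    {
        // Constructed sample: an IdP SSO endpoint that already carries a query parameter
        // (as in the Google Apps case above) and an already URL-encoded SAMLRequest placeholder.
        const string destination = "https://idp.example.com/sso?idpid=EXAMPLE";
        const string query = "SAMLRequest=PLACEHOLDER_DEFLATED_BASE64&RelayState=abc";

        Console.WriteLine(BuildRedirectLocationBuggy(destination, query));
        Console.WriteLine(BuildRedirectLocation(destination, query));
    }
}
```

With the buggy form the IdP receives `idpid=EXAMPLE?SAMLRequest=...` as a single parameter value, so the request is never seen as a SAMLRequest.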

Config with Azure AD

I downloaded AAD metadata from: https://nexus.microsoftonline-p.com/federationmetadata/saml20/federationmetadata.xml but following attempt at OWIN config fails with 'Metadata signature could not be verified':
    var metadata = new XmlDocument() { PreserveWhitespace = true };
    metadata.Load(@"C:\Workspaces\Projects\OwinSAML2\OwinSAML2\metadata.xml");
    var samlConfig = new SAML2.Config.Saml2Configuration()
    {
        ServiceProvider = new SAML2.Config.ServiceProvider()
        {
            Id = "https://owinwsfedsample.com",
            Server = "https://localhost:44381/",
        },
        IdentityProviders = new IdentityProviders(new IdentityProvider[]
        {
            new IdentityProvider()
            {
                Metadata = new Saml20MetadataDocument(metadata), OmitAssertionSignatureCheck = true
            }
        }),
        AllowedAudienceUris = new List<Uri> { new Uri("https://owinwsfedsample.com") }
    };

Unable to decode SAML2 response string

When testing SAML2 responses, this is what I do to decode the response string:
1- URL decode
2- Base64 decode
3- Inflate the string

With this method, I'm able to see SAML2 responses. Many online SAML2 debugging tools provide this as well.

However, this library only URL decodes and then Base64 decodes, and does not inflate the string - hence cannot understand the response (the relevant code is in Utility.cs, GetDecodedSamlResponse method)

Am I missing something - is this not part of the standard?
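For reference, the two SAML 2.0 bindings encode messages differently: HTTP-Redirect carries a DEFLATE-compressed, base64-encoded, URL-encoded message, while HTTP-POST carries plain base64 with no compression. The decoder below is an added example, not the library's `GetDecodedSamlResponse`; the type and method names are assumptions, and the sample message is constructed:

```csharp
using System;
using System.IO;
using System.IO.Compression;
using System.Text;

// Which SAML binding delivered the message decides whether an inflate step is needed.
enum SamlBinding { HttpRedirect, HttpPost }

static class SamlMessageDecoder
{
    public static string Decode(string encoded, SamlBinding binding)
    {
        // HTTP-POST: the form field is base64 of the XML, nothing else.
        if (binding == SamlBinding.HttpPost)
            return Encoding.UTF8.GetString(Convert.FromBase64String(encoded));

        // HTTP-Redirect: URL-decode, base64-decode, then inflate.
        // Uri.UnescapeDataString keeps '+' intact, which base64 relies on.
        var bytes = Convert.FromBase64String(Uri.UnescapeDataString(encoded));
        // Raw DEFLATE (RFC 1951, no zlib header), as the Redirect binding specifies.
        using (var input = new MemoryStream(bytes))
        using (var inflate = new DeflateStream(input, CompressionMode.Decompress))
        using (var output = new MemoryStream())
        {
            inflate.CopyTo(output);
            return Encoding.UTF8.GetString(output.ToArray());
        }
    }

    // Inverse of the Redirect path, used only to build the constructed sample below.
    public static string EncodeForRedirect(string xml)
    {
        using (var output = new MemoryStream())
        {
            using (var deflate = new DeflateStream(output, CompressionMode.Compress, leaveOpen: true))
            {
                var bytes = Encoding.UTF8.GetBytes(xml);
                deflate.Write(bytes, 0, bytes.Length);
            }
            return Uri.EscapeDataString(Convert.ToBase64String(output.ToArray()));
        }
    }

    public static void Main()
    {
        // Constructed sample, not a real IdP message.
        const string xml = "<samlp:Response xmlns:samlp=\"urn:oasis:names:tc:SAML:2.0:protocol\" ID=\"_constructed\"/>";
        Console.WriteLine(Decode(EncodeForRedirect(xml), SamlBinding.HttpRedirect));
        Console.WriteLine(Decode(Convert.ToBase64String(Encoding.UTF8.GetBytes(xml)), SamlBinding.HttpPost));
    }
}
```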

How to add ACS URL to SAML request?

    var config = new Saml2Configuration
    {
        ServiceProvider = new ServiceProvider
        {
            SigningCertificate = new X509Certificate2(X509Certificate.CreateFromCertFile(certPath)),
            Server = Settings.Default.SPName,
            Id = Settings.Default.SPName
        },
        AllowedAudienceUris = new List<Uri>(new[] { new Uri(Settings.Default.SPName) })
    };

    //  The following URLs are based on the defaults used by the middleware above
    config.ServiceProvider.Endpoints.AddRange(new[] {
        new ServiceProviderEndpoint(EndpointType.SignOn, "/login", "/login"),
        new ServiceProviderEndpoint(EndpointType.Logout, "/logout", "/logout"),
        new ServiceProviderEndpoint(EndpointType.Metadata, "/metadata")
    });

    config.IdentityProviders.AddByMetadata(metaDataFilePath);
    config.IdentityProviders.First().OmitAssertionSignatureCheck = true;
    config.LoggingFactoryType = "SAML2.Logging.DebugLoggerFactory";

    app.UseSamlAuthentication(new SamlAuthenticationOptions
    {
        AuthenticationType = provider.AuthProviderKey,
        RedirectAfterLogin = provider.CallBackUrl,
        AuthenticationMode = AuthenticationMode.Passive,
        Configuration = config
    });

Act as Identity Provider?

Good day,
is there a way to use the libs for an Identity Provider implementation?

Thanks in advance

Saml2 AttributeValues better be in multiple claims instead of a comma separated string

SAML2/src/Owin.Security.Saml/SamlAttributeExtensions.cs is the related file. It will be better if we can have multiple claims instead of a comma separated string in terms of reading the claims value. I believe that comma is actually a valid character in the SAML2 attribute specs. In the event that the original attribute value contains a comma, it will render the claim value to have an incorrect value.

It has been kind of suggested in StackOverflow to add multiple claims in case of have multiple attribute values: http://stackoverflow.com/questions/24849031/storing-a-list-of-string-in-claim-system-security-claims
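The two mappings the issue contrasts, as an added example (not the library's SamlAttributeExtensions): one claim holding a comma-joined string versus one claim per AttributeValue. Method names are assumptions and the attribute element is constructed:

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Security.Claims;
using System.Xml.Linq;

static class AttributeClaimMapping
{
    static readonly XNamespace Saml = "urn:oasis:names:tc:SAML:2.0:assertion";

    // Lossy: once joined, a value that itself contains a comma can no longer be
    // told apart from two separate values.
    public static Claim ToSingleJoinedClaim(XElement attribute)
    {
        var values = attribute.Elements(Saml + "AttributeValue").Select(v => v.Value);
        return new Claim((string)attribute.Attribute("Name"), string.Join(",", values));
    }

    // Lossless: one Claim per AttributeValue, all sharing the attribute Name as claim type.
    // Consumers then enumerate claims of that type instead of splitting a string.
    public static IEnumerable<Claim> ToClaims(XElement attribute)
    {
        var type = (string)attribute.Attribute("Name");
        return attribute.Elements(Saml + "AttributeValue").Select(v => new Claim(type, v.Value));
    }

    public static void Main()
    {
        // Constructed sample attribute; the second value deliberately contains a comma.
        var attribute = XElement.Parse(
            "<saml:Attribute xmlns:saml=\"urn:oasis:names:tc:SAML:2.0:assertion\" Name=\"groups\">" +
            "<saml:AttributeValue>admins</saml:AttributeValue>" +
            "<saml:AttributeValue>Doe, Jane</saml:AttributeValue>" +
            "</saml:Attribute>");

        var joined = ToSingleJoinedClaim(attribute);
        Console.WriteLine($"{joined.Type}: {joined.Value}");
        foreach (var claim in ToClaims(attribute))
            Console.WriteLine($"{claim.Type}: {claim.Value}");
    }
}
```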

Logout

Guys,

would be nice to have an example on how can I trigger the logout.
Starting from the example, and calling

HttpContext.GetOwinContext().Authentication.SignOut( new AuthenticationProperties { RedirectUri = callbackUrl }, "SAML2");

I am not able to get redirect to a logout page.
Any clue?

Decryption Method throws FIPS compliant error

I am using the SAML2.Core library for decrypting incoming SAML assertions. It was working fine in my local environment, and when I pushed the code to the server decryption failed. After looking into the logs we are getting the following error:

System.InvalidOperationException: This implementation is not part of the Windows Platform FIPS validated cryptographic algorithms.
Generated: Mon, 22 Oct 2018 07:41:40 GMT

System.InvalidOperationException: This implementation is not part of the Windows Platform FIPS validated cryptographic algorithms.
at System.Security.Cryptography.RijndaelManaged..ctor()
at SAML2.Saml20EncryptedAssertion.GetKeyInstance(String algorithm)
at SAML2.Saml20EncryptedAssertion.ToSymmetricKey(XmlElement encryptedKeyElement, String keyAlgorithm)
at SAML2.Saml20EncryptedAssertion.Decrypt()
at WebHost.Utilities.FederationHelper.DecryptAssertion(String responseCipher) in C:\WorkArea\PPSSource\QA\Source\PPSWeb\IdentityServer3\Source\WebHost\Utilities\FederationHelper.cs:line 263
at WebHost.Utilities.FederationHelper.DecodeAssertion(String rawAssertion) in C:\WorkArea\PPSSource\QA\Source\PPSWeb\IdentityServer3\Source\WebHost\Utilities\FederationHelper.cs:line 38

When I went through the source code, in the Saml20Encryptedassertion.cs class the GetKeyInstance() method was using the RijndaelManaged class, which is not FIPS compliant. Then after some research I replaced RijndaelManaged with AesCryptoServiceProvider() and it works fine.

I have put this here since I didn't find much on the internet about this. Hope someone will benefit from it.

Can you guys put this into next release?

Thanks

does it support .net core?

Need to have SAML as service provider to validate the SAML 2 token using .NET Core.

Supported?

Thanks

Does Owin.Security.Saml support SAML logout?

Does Owin.Security.Saml support SAML logout? I see that only AuthnRequest gets created for SignIn and SignOut. And redirectUri is set for 'SignIn' irrespective of whether it is SignIn or SignOut.

Not able to complete authentication with Salesforce

Hi,
I am not able to get back the details from the Salesforce API. Once logged in successfully, I still get redirected to the login page infinitely.

The following are the configurations done in Salesforce

Enabled the SAML SSO
Created the service provider and set the localhost urls for those
Downloaded the self-signed certificate from Salesforce and added that to the project source so that it will be used to sign the requests
Downloaded the metadata from salesforce and then set that in the metadata folder so that it will be used.
After login, the following method always returns null

AuthenticationTicket ticket = await AuthenticateAsync();

so there is an infinite loop of redirections

I have also verified the steps as given in the following link http://www.jitendrazaa.com/blog/salesforce/step-by-step-guide-to-setup-federated-authentication-saml-based-sso-in-salesforce/

Can you please help me

Object reference is null

I'm getting the null ref error on
file - startup.cs
method - FileEmbeddedResource
line - stream.CopyTo(memoryStream);

any help?
