-1

我被分配了一项任务,我(iDP)需要连接到服务提供商。

到目前为止,我有代码:

public ActionResult SSO(string SAMLRequest)
{
    var model = new ApiSsoModel();

    try
    {
        if (SAMLRequest == null)
            throw new ArgumentNullException("The parameter \"SAMLRequest\" is null.");

        byte[] decoded2 = Convert.FromBase64String(SAMLRequest);
        string decoded3 = string.Empty;

        using (MemoryStream stream2 = new MemoryStream(decoded2))
        {
            using (MemoryStream stream3 = new MemoryStream())
            {
                using (StreamReader reader3 = new StreamReader(stream3))
                {
                    stream2.Position = 0L;
                    new DeflateStream(stream2, CompressionMode.Decompress).CopyTo(stream3);
                    stream3.Position = 0L;
                    decoded3 = reader3.ReadToEnd();
                    reader3.Close();
                }

                stream3.Close();
            }

            stream2.Close();
        }

        string assertion = System.IO.File.ReadAllText(Server.MapPath("~/assertion.xml"));

        CspParameters cspParams = new CspParameters();
        cspParams.KeyContainerName = "XML_DSIG_RSA_KEY";

        RSACryptoServiceProvider rsaKey = new RSACryptoServiceProvider(cspParams);

        XmlDocument assertionDoc = new XmlDocument();
        assertionDoc.LoadXml(assertion);

        XmlDocument response = new XmlDocument();
        response.LoadXml(decoded3);

        SignedXml signedXml = new SignedXml(assertionDoc);

        Reference reference = new Reference();

        signedXml.SignedInfo.CanonicalizationMethod = SignedXml.XmlDsigExcC14NTransformUrl;
        signedXml.SignedInfo.SignatureMethod = SignedXml.XmlDsigRSASHA1Url;

        reference.Uri = "#_79723ebe12aed3704c4d8de6ea16cf90c0d7451da0";

        reference.AddTransform(new XmlDsigEnvelopedSignatureTransform());
        reference.AddTransform(new XmlDsigExcC14NTransform());
        reference.DigestMethod = SignedXml.XmlDsigSHA1Url;
        reference.DigestValue = Encoding.ASCII.GetBytes("3jdMJaumbeC3UJ16d8VQJWjKQKU=");

        signedXml.AddReference(reference);

        signedXml.SigningKey = rsaKey;

        HMACSHA256 key = new HMACSHA256();

        signedXml.ComputeSignature(key);

        XmlElement xmlDigitalSignature = signedXml.GetXml();

        assertionDoc.GetElementsByTagName("ds:SignatureValue")[0].InnerText = xmlDigitalSignature.InnerText;

        model.Base64EncodedAssertion = Convert.ToBase64String(Encoding.ASCII.GetBytes(assertionDoc.InnerXml));

        model.Message += "Success";
    }
    catch (Exception ex)
    {
        model.Message = ex.Message;
    }

    return View(model);

}

我正在加载 SSO 2.0 文档文件中提供的断言文件

<?xml version="1.0" encoding="UTF-8"?>
<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="9f84acebb80533147969eac6a0aead9603c807b5b" Version="2.0" IssueInstant="2015-07-08T09:44:20Z" Destination="https://testdata.redpoints.co.uk/saml/consume" InResponseTo="_e4098d80-0783-0133-f409-7cd1c3f7b75b">
  <saml:Issuer>https://openidp.feide.no</saml:Issuer>
  <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
    <ds:SignedInfo>
      <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
      <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
      <ds:Reference URI="#_b9f84acebb80533147969eac6a0aead9603c807b5b">
        <ds:Transforms>
          <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
          <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
        </ds:Transforms>
        <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
        <ds:DigestValue>3jdMJaumbeC3UJ16d8VQJWjKQKU=</ds:DigestValue>
      </ds:Reference>
    </ds:SignedInfo>
    <ds:SignatureValue>dewQ7U/QjQtaeUHHk/wgzyCLXi0B6mnmMNCUJgj+taxa/c+HsrKVx97iMbMaoFWRd9Ps9SjNr5P40yC2I5j3Dx9pheBAgKX6RRAl0C7CJM36XZAqWwA1CBlDCqx1H3vTeSeotuOovzKVhnpQj9AL38GmFYqHnNS1e5pCfugI72o=</ds:SignatureValue>
    <ds:KeyInfo>
      <ds:X509Data>
        <ds:X509Certificate>MIICizCCAfQCCQCY8tKaMc0BMjANBgkqhkiG9w0BAQUFADCBiTELMAkGA1UEBhMCTk8xEjAQBgNVBAgTCVRyb25kaGVpbTEQMA4GA1UEChMHVU5JTkVUVDEOMAwGA1UECxMFRmVpZGUxGTAXBgNVBAMTEG9wZW5pZHAuZmVpZGUubm8xKTAnBgkqhkiG9w0BCQEWGmFuZHJlYXMuc29sYmVyZ0B1bmluZXR0Lm5vMB4XDTA4MDUwODA5MjI0OFoXDTM1MDkyMzA5MjI0OFowgYkxCzAJBgNVBAYTAk5PMRIwEAYDVQQIEwlUcm9uZGhlaW0xEDAOBgNVBAoTB1VOSU5FVFQxDjAMBgNVBAsTBUZlaWRlMRkwFwYDVQQDExBvcGVuaWRwLmZlaWRlLm5vMSkwJwYJKoZIhvcNAQkBFhphbmRyZWFzLnNvbGJlcmdAdW5pbmV0dC5ubzCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAt8jLoqI1VTlxAZ2axiDIThWcAOXdu8KkVUWaN/SooO9O0QQ7KRUjSGKN9JK65AFRDXQkWPAu4HlnO4noYlFSLnYyDxI66LCr71x4lgFJjqLeAvB/GqBqFfIZ3YK/NrhnUqFwZu63nLrZjcUZxNaPjOOSRSDaXpv1kb5k3jOiSGECAwEAATANBgkqhkiG9w0BAQUFAAOBgQBQYj4cAafWaYfjBU2zi1ElwStIaJ5nyp/s/8B8SAPK2T79McMyccP3wSW13LHkmM1jwKe3ACFXBvqGQN0IbcH49hu0FKhYFM/GPDJcIHFBsiyMBXChpye9vBaTNEBCtU3KjjyG0hRT2mAQ9h+bkPmOvlEo/aH0xR68Z9hw4PF13w==</ds:X509Certificate>
      </ds:X509Data>
    </ds:KeyInfo>
  </ds:Signature>
  <samlp:Status>
    <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success" />
  </samlp:Status>
  <saml:Assertion xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" ID="_79723ebe12aed3704c4d8de6ea16cf90c0d7451da0" Version="2.0" IssueInstant="2015-07-08T09:44:20Z">
    <saml:Issuer>https://openidp.feide.no</saml:Issuer>
    <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
      <ds:SignedInfo>
        <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
        <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
        <ds:Reference URI="#_79723ebe12aed3704c4d8de6ea16cf90c0d7451da0">
          <ds:Transforms>
            <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
            <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
          </ds:Transforms>
          <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
          <ds:DigestValue>sDFB4zP6PHBacygh64DRtaeowZ8=</ds:DigestValue>
        </ds:Reference>
      </ds:SignedInfo>
      <ds:SignatureValue>GY1M5iO5yht1JLOAOmFBUdZPtxKZeek5jG77w7Ct6A+H1qbUAbX7u8PmniGdOXkllxPWqB+L4Gtd39WbCEoWiQ9QvY/pVz2xe6xzI9gVsnJBP0alalyCZglnxNpQ2x+692OcpVXnbau4LJoFv2+0zktXPhQEI3CfAyixOpASu1w=</ds:SignatureValue>
      <ds:KeyInfo>
        <ds:X509Data>
          <ds:X509Certificate>MIICizCCAfQCCQCY8tKaMc0BMjANBgkqhkiG9w0BAQUFADCBiTELMAkGA1UEBhMCTk8xEjAQBgNVBAgTCVRyb25kaGVpbTEQMA4GA1UEChMHVU5JTkVUVDEOMAwGA1UECxMFRmVpZGUxGTAXBgNVBAMTEG9wZW5pZHAuZmVpZGUubm8xKTAnBgkqhkiG9w0BCQEWGmFuZHJlYXMuc29sYmVyZ0B1bmluZXR0Lm5vMB4XDTA4MDUwODA5MjI0OFoXDTM1MDkyMzA5MjI0OFowgYkxCzAJBgNVBAYTAk5PMRIwEAYDVQQIEwlUcm9uZGhlaW0xEDAOBgNVBAoTB1VOSU5FVFQxDjAMBgNVBAsTBUZlaWRlMRkwFwYDVQQDExBvcGVuaWRwLmZlaWRlLm5vMSkwJwYJKoZIhvcNAQkBFhphbmRyZWFzLnNvbGJlcmdAdW5pbmV0dC5ubzCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAt8jLoqI1VTlxAZ2axiDIThWcAOXdu8KkVUWaN/SooO9O0QQ7KRUjSGKN9JK65AFRDXQkWPAu4HlnO4noYlFSLnYyDxI66LCr71x4lgFJjqLeAvB/GqBqFfIZ3YK/NrhnUqFwZu63nLrZjcUZxNaPjOOSRSDaXpv1kb5k3jOiSGECAwEAATANBgkqhkiG9w0BAQUFAAOBgQBQYj4cAafWaYfjBU2zi1ElwStIaJ5nyp/s/8B8SAPK2T79McMyccP3wSW13LHkmM1jwKe3ACFXBvqGQN0IbcH49hu0FKhYFM/GPDJcIHFBsiyMBXChpye9vBaTNEBCtU3KjjyG0hRT2mAQ9h+bkPmOvlEo/aH0xR68Z9hw4PF13w==</ds:X509Certificate>
        </ds:X509Data>
      </ds:KeyInfo>
    </ds:Signature>
    <saml:Subject>
      <saml:NameID SPNameQualifier="https://testdata.redpoints.co.uk/saml/metadata" Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient">_36355e0a362adec0f5753911aff3b14f9b21d9c2b8</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData NotOnOrAfter="2017-11-08T09:49:20Z" Recipient="https://testdata.redpoints.co.uk/saml/consume" InResponseTo="_e4098d80-0783-0133-f409-7cd1c3f7b75b" />
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions NotBefore="2015-07-08T09:43:50Z" NotOnOrAfter="2017-11-08T09:49:20Z">
      <saml:AudienceRestriction>
        <saml:Audience>https://testdata.redpoints.co.uk/saml/metadata</saml:Audience>
      </saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AuthnStatement AuthnInstant="2015-07-08T09:15:58Z" SessionNotOnOrAfter="2017-11-08T17:44:20Z" SessionIndex="_066bce0e07565d6a61ae7e94fe95d8bcdd79a3cfd0">
      <saml:AuthnContext>
        <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</saml:AuthnContextClassRef>
      </saml:AuthnContext>
    </saml:AuthnStatement>
    <saml:AttributeStatement>
      <saml:Attribute Name="uid" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
        <saml:AttributeValue xsi:type="xs:string">102112</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>

我尝试了许多不同的方法来完成这项工作,下载了多个 .net 库,这些库旨在帮助为 iDP 设置 SSO,但没有运气。

4

2 回答 2

1

我的回复可能对你没有帮助,但至少它给了你一些想法。

SAML 中有 2 个流程:

  1. Sp-Initiated [Service Provider Initiated]:服务提供者通过向 Idp 发送 SSO SAML 请求来启动流程。Idp 服务器处理请求并确保用户已通过身份验证并被授权使用此服务,然后 Idp 将 SSO SAML 响应发送到服务提供商 (SP),其中包含断言(有关已验证用户的数据)。 在此处输入图像描述

  2. Idp-Initiated [Identity Provider Initiated]:Idp 对用户进行身份验证和授权,并向服务提供者发送 SSO SAML 请求(仅 Sp-Initiated 的第二部分)。

    idp 发起的

当您等待 SAML 请求时。这意味着您的流程是由 SP 发起的。首先,您需要生成元数据并将其发送到红点。此元数据至少应包括您的 entityId 和 SSO 端点以及用于签名/加密的 X.509 证书。您可以使用onlogin 网站生成元数据

如果你已经这样做了。我建议您使用https://www.componentspace.com/库。它快速、高效且维护良好。不幸的是,它是付费的,但有一个试用期,因此您可以对其进行测试。

查看此链接上的库文档

如果你使用这个库,你需要做的就是添加 saml.config 文件如下

<?xml version="1.0"?>
<SAMLConfiguration xmlns="urn:componentspace:SAML:2.0:configuration">
  <IdentityProvider Name="YourEntityId"
                    Description="Description"
                    LocalCertificateFile="Your certificate private key *.pfx"
                    LocalCertificatePassword="Your certificate password"/>

  <PartnerServiceProviders>
    <PartnerServiceProvider Name="https://testdata.redpoints.co.uk/saml/metadata"
                            Description="Red Point Service Provider"
                            <!-- those options should be based on redpoint metadata WantAuthnRequestSigned="true"
                            SignSAMLResponse="false"
                            SignAssertion="true"
                            EncryptAssertion="false"-->
                            AssertionConsumerServiceUrl="https://testdata.redpoints.co.uk/saml/consume"
                            PartnerCertificateFile="Path to redpoint certificate file .cer"/>

  </PartnerServiceProviders>



</SAMLConfiguration>

并将以下内容添加到您的操作方法中:

 SAMLConfigurationFile.Load();
 string partnerSP = null;
                SSOOptions options = null;
                SAMLIdentityProvider.ReceiveSSO(Request, out partnerSP, out options);
       string userName = "robert@test.com";
 IDictionary<string, string> attributes = new Dictionary<string, string>();
  attributes.Add("NameID", "robert@test.com"); // as an example for possible attribute

    SAMLIdentityProvider.SendSSO(Response, userName, attributes);

我建议您还安装浏览器扩展程序来检测 SAML 请求/响应。这将帮助您查看要发送的输出。

希望我的回复能给你一点帮助。

于 2017-11-12T14:42:01.397 回答
0

围绕 SAML 有许多 SAML 堆栈:SAML 连接/工具包

我绝对建议你不要自己动手。您将解决此问题只是为了遇到下一个问题。

大多数堆栈的问题在于它们是客户端。你想要服务器端。

同意组件空间的建议——它可以做双方。

或者这个-目前处于测试阶段。

或者看看 OpenSAML 源代码——它是 Java,但原理是一样的。

于 2017-11-13T19:11:53.030 回答