2
Answers

How can validate SAML Assertion in .net

shrikant kesharwani

shrikant kesharwani

9y
11.1k
1
Hi All,

I am getting the valid SAML response from the vendor and I just want to validate SAML Assertion.

Below is the SAML response and I have mask few things with xxxxxxxxxxxxxxxxxxxxxx due to vendor concern.

<samlp:Response IssueInstant="" ID="gzRaMPjm98mgG0_s0ylFgO85wao" Version="2.0" xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
<saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">http://xxxxxxxxxx.com/</saml:Issuer>
<samlp:Status>
<samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
</samlp:Status>
<saml:Assertion Version="2.0" IssueInstant="6273" ID="wZT13pIVg8n60RZgGm_fWAhYNSP" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
<saml:Issuer>http://xxxxxx.com/</saml:Issuer>
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:SignedInfo>
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
<ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
<ds:Reference URI="#wZT13pIVg8n60RZgGm_fWAhYNSP">
<ds:Transforms>
<ds:Transform Algorithm="http://www..w3.org/2000/09/xmldsig#enveloped-signature"/>
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
<ds:DigestValue>xxxxxxxxxxxxxxxxxxxxxxx</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
</ds:SignatureValue>
<ds:KeyInfo>
<ds:X509Data>
<ds:X509Certificate>
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
</ds:X509Certificate>
</ds:X509Data>
<ds:KeyValue>
<ds:RSAKeyValue>
<ds:Modulus>
xxxxxxxx
</ds:Modulus>
<ds:Exponent>xxx</ds:Exponent>
</ds:RSAKeyValue>
</ds:KeyValue>
</ds:KeyInfo>
</ds:Signature>
<saml:Subject>
<saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">staff</saml:NameID>
<saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
<saml:SubjectConfirmationData NotOnOrAfter=" " Recipient="https://xxxxxxxxx.com"/>
</saml:SubjectConfirmation>
</saml:Subject>
<saml:Conditions NotOnOrAfter="" NotBefore="">
<saml:AudienceRestriction>
<saml:Audience>http://xxxxxxxxxxxxxxxx.com</saml:Audience>
</saml:AudienceRestriction>
</saml:Conditions>
<saml:AuthnStatement AuthnInstant=" " SessionIndex="wZT13pIVg8n60RZgGm_fWAhYNSP">
<saml:AuthnContext>
<saml:AuthnContextClassRef></saml:AuthnContextClassRef>
</saml:AuthnContext>
</saml:AuthnStatement>
<saml:AttributeStatement xmlns:xs="http://www.w3.org/2001/XMLSchema">
<saml:Attribute NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" Name="role">
<saml:AttributeValue xsi:type="xs:string" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">http://xxxx.com/</saml:AttributeValue>
</saml:Attribute>
</saml:AttributeStatement>
</saml:Assertion>
</samlp:Response>

I have tried the below code in the .NET 3.5 web application and I am always getting the invalid signature message from the code. Please have a look in the code and suggest me.

Thanks in Advance.

XmlDocument doc = new XmlDocument();

doc.Load(Server.MapPath("SAML.xml"));

SignedXml signer = new CustomIdSignedXml(doc);

signer.AddReference(new Reference("#_d4559638-3abf-4433-9fad-b10f8a950351"));
// _d4559638-3abf-4433-9fad-b10f8a950351 is used as reference to DigestMethod & DigestValue.

signer.SigningKey = new RSACryptoServiceProvider();

signer.ComputeSignature();

string s = signer.GetXml().OuterXml;

SignedXml verifier = new CustomIdSignedXml(doc);

verifier.LoadXml(signer.GetXml());

if (verifier.CheckSignature(signer.SigningKey))
     Response.Write("Signature verified");
else
     Response.Write("Invalid signature");




Answers (2)