I suggest using the ComponentSpace.SAML2.Bindings.HTTPRedirectBinding class rather than ReceiveAuthnRequestByHTTPRedirect. This way you can split the processing into three operations.

1. Receive the authn request over HTTP-Redirect. The signature isn't verified in this step.
2. Identify the SP from the issuer field in the authn request.
3. Verify the HTTP-Redirect signature.

The outline of the code is as follows.

// Receive the SAML authn request over HTTP-Redirect.
HTTPRedirectBinding.ReceiveRequest(httpRequest, out authnRequestElement, out relayState, out signatureAlgorithm, out signature);

// Get the issuer field from the authn request. This identifies the SP.
string issuerName = Issuer.GetIssuerName(authnRequestElement);

// Lookup the X.509 certificate for the SP - details not shown.

// Verify the HTTP-Redirect signature. Throws a SAMLSignatureException if verification fails.
HTTPRedirectBinding.VerifyRequestSignature(httpRequest, signatureAlgorithm, signature, x509Certificate.PublicKey.Key);
Similar code can be used for logout messages.

Is it possible for signature to be null or empty after the HTTPRedirectBinding.ReceiveRequest call? If it's possible and signature is null, will the authn request be treated as verified, so we don't need to run the rest of the code? That is:

if (!string.IsNullOrEmpty(signature))
{
    string issuerName = Issuer.GetIssuerName(authnRequestElement);
    // Lookup the X.509 certificate for the SP - details not shown.
    // Verify the HTTP-Redirect signature. Throws a SAMLSignatureException if verification fails.
    HTTPRedirectBinding.VerifyRequestSignature(httpRequest, signatureAlgorithm, signature, x509Certificate.PublicKey.Key);
}

Thanks
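The following is an added worked example of the three-step receive / identify / verify flow from the answer above, extended to the unsigned-request case raised in the follow-up question. It is not ComponentSpace's code and is not part of either post. The only library calls used are the ones quoted in the answer (HTTPRedirectBinding.ReceiveRequest, Issuer.GetIssuerName, HTTPRedirectBinding.VerifyRequestSignature); the ComponentSpace namespace names, the ServiceProviderConfig type, the in-memory registry, the RequireSignedRequests flag and the SigAlg allow-list are assumptions for illustration. It also assumes that ReceiveRequest leaves signature null or empty when the Signature query parameter is absent, which the answer above does not state; the code treats that case as "not verified" rather than "verified", since an absent signature proves nothing about who sent the request.

```csharp
// Added example, not ComponentSpace's code. Namespaces below are assumed;
// adjust them to the ComponentSpace SAML v2.0 for .NET version you use.
using System;
using System.Collections.Generic;
using System.Security.Cryptography.X509Certificates;
using System.Web;
using System.Xml;
using ComponentSpace.SAML2.Assertions;   // Issuer (assumed namespace)
using ComponentSpace.SAML2.Bindings;     // HTTPRedirectBinding

// Per-SP configuration held by the IdP (hypothetical type; your store will differ).
public sealed class ServiceProviderConfig
{
    public string EntityId { get; set; }
    public X509Certificate2 SigningCertificate { get; set; }
    // Policy: does this SP have to sign its authn/logout requests?
    public bool RequireSignedRequests { get; set; }
}

public static class RedirectBindingReceiver
{
    // Constructed in-memory registry standing in for "details not shown".
    private static readonly Dictionary<string, ServiceProviderConfig> Registry =
        new Dictionary<string, ServiceProviderConfig>(StringComparer.Ordinal);

    // Signature algorithms this IdP is willing to accept (policy choice; the
    // URIs are the standard XML-DSig identifiers carried in the SigAlg parameter).
    private static readonly HashSet<string> AllowedSigAlgs = new HashSet<string>(StringComparer.Ordinal)
    {
        "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256",
        "http://www.w3.org/2001/04/xmldsig-more#rsa-sha384",
        "http://www.w3.org/2001/04/xmldsig-more#rsa-sha512",
    };

    public static void Register(ServiceProviderConfig sp) => Registry[sp.EntityId] = sp;

    // Receives a SAML request (authn or logout) over HTTP-Redirect, identifies the
    // SP from its Issuer, then verifies the query-string signature with that SP's
    // certificate. Returns the request element only when the message is acceptable
    // under the SP's policy; otherwise throws.
    public static XmlElement ReceiveAndVerify(HttpRequest httpRequest, out string relayState)
    {
        XmlElement requestElement;
        string signatureAlgorithm;
        string signature;

        // Step 1: decode the message. Nothing is authenticated yet.
        HTTPRedirectBinding.ReceiveRequest(httpRequest, out requestElement,
            out relayState, out signatureAlgorithm, out signature);

        // Step 2: the Issuer element names the SP. Use it only to pick the
        // verification key; do not act on anything else in the message yet.
        string issuerName = Issuer.GetIssuerName(requestElement);
        ServiceProviderConfig sp;
        if (string.IsNullOrEmpty(issuerName) || !Registry.TryGetValue(issuerName, out sp))
        {
            throw new InvalidOperationException("Request from unknown issuer: " + issuerName);
        }

        // Step 3a: an absent signature is not a verified signature.
        // Assumption: ReceiveRequest yields null/empty here when the Signature
        // query parameter is missing (the original answer does not say).
        if (string.IsNullOrEmpty(signature))
        {
            if (sp.RequireSignedRequests)
            {
                throw new InvalidOperationException(
                    "Unsigned request from " + issuerName + " but signed requests are required.");
            }
            // Explicitly accepted as unauthenticated: the caller must not treat
            // this request as having come from the named SP.
            return requestElement;
        }

        // Step 3b: the SP sent a signature, so it must verify. Reject algorithms
        // outside the allow-list before touching the cryptography.
        if (!AllowedSigAlgs.Contains(signatureAlgorithm ?? string.Empty))
        {
            throw new InvalidOperationException("Rejected SigAlg: " + signatureAlgorithm);
        }
        if (sp.SigningCertificate == null)
        {
            throw new InvalidOperationException("No signing certificate configured for " + issuerName);
        }

        // Throws a SAMLSignatureException if verification fails (per the answer above).
        HTTPRedirectBinding.VerifyRequestSignature(httpRequest, signatureAlgorithm,
            signature, sp.SigningCertificate.PublicKey.Key);

        return requestElement;
    }
}
```

The point of the two return paths is that "no signature" and "verified signature" are different outcomes: the first is only acceptable when the SP's policy says unsigned requests are fine, and even then the caller should treat the request as unauthenticated. Wrapping the verify call in a bare if (!string.IsNullOrEmpty(signature)) check, as in the question above, silently merges those two outcomes for every SP.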