How to create SAML and encrypt /sign it to send to another proces


Ray Wileman
New Member
Group: Forum Members
Posts: 2, Visits: 16
Hello,
I am using C# and would like to create SAML using a certificate to encrypt and sign it. Are there examples of this?
I was planning to use a self signed cert since it is all internal.

Do you have documentation on this?
ComponentSpace Development
Group: Administrators
Posts: 3.2K, Visits: 11K
Hi Ray
Is this part of SSO? If so, we recommend using the high-level API. When you call SAMLIdentityProvider.InitiateSSO or SAMLIdentityProvider.SendSSO, a SAML response containing a SAML assertion is constructed and sent to the service provider.
If the configuration specifies that the SAML assertion should be signed and/or encrypted, this will occur automatically.

Regards
ComponentSpace Development
ComponentSpace Development
Group: Administrators
Posts: 3.2K, Visits: 11K
The following code demonstrates how to sign and encrypt a SAML assertion using the low-level API.
However, wherever possible, it's always recommended to use the high-level API.


using System.Security.Cryptography.X509Certificates;
using System.Xml;
using ComponentSpace.SAML2.Assertions;

// Load the signing and encryption certificates.
// The identity provider signs with its private key.
// The identity provider encrypts with the service provider's public key.
X509Certificate2 idpCertificate = new X509Certificate2("idp.pfx", "password",
    X509KeyStorageFlags.MachineKeySet);
X509Certificate2 spCertificate = new X509Certificate2("sp.cer");

// Construct a SAML assertion - details not shown.
SAMLAssertion samlAssertion = new SAMLAssertion();
samlAssertion.Issuer = new Issuer("test");

// Serialize to XML.
XmlElement xmlElement = samlAssertion.ToXml();

// Sign the SAML assertion.
SAMLAssertionSignature.Generate(xmlElement, idpCertificate.PrivateKey, idpCertificate);

// Encrypt the SAML assertion.
EncryptedAssertion encryptedAssertion = new EncryptedAssertion(xmlElement, spCertificate);



Regards
ComponentSpace Development
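As an added example that is not ComponentSpace's code or part of this thread: the checks a service provider should apply before trusting an assertion signed the way the snippet above signs it, written against the .NET SignedXml class rather than the ComponentSpace API. It assumes the assertion has already been decrypted to an XmlElement and that the expected IdP certificate is configured out of band (the hypothetical `expectedIdpCert` parameter).

```csharp
using System;
using System.Security.Cryptography.X509Certificates;
using System.Security.Cryptography.Xml;
using System.Xml;

// Added example, not ComponentSpace library code: service-provider side checks
// on a signed <saml:Assertion>. The IdP certificate is assumed to be configured
// in advance (hypothetical: loaded from the SP's trusted partner configuration).
public static class AssertionSignatureCheck
{
    const string SamlNs = "urn:oasis:names:tc:SAML:2.0:assertion";
    const string DsNs = "http://www.w3.org/2000/09/xmldsig#";

    // Returns true only if the assertion carries exactly one enveloped signature,
    // placed directly under the assertion, referencing the assertion's own ID,
    // and made with the pre-configured IdP certificate.
    public static bool VerifyAssertion(XmlElement assertion, X509Certificate2 expectedIdpCert)
    {
        if (assertion.LocalName != "Assertion" || assertion.NamespaceURI != SamlNs)
            return false;

        // Any second ds:Signature inside the assertion is rejected outright.
        XmlNodeList signatures = assertion.GetElementsByTagName("Signature", DsNs);
        if (signatures.Count != 1 || signatures[0].ParentNode != assertion)
            return false;

        var signedXml = new SignedXml(assertion);
        signedXml.LoadXml((XmlElement)signatures[0]);

        // The single reference must point at this assertion's ID, not at another element.
        string assertionId = assertion.GetAttribute("ID");
        if (string.IsNullOrEmpty(assertionId) || signedXml.SignedInfo.References.Count != 1)
            return false;
        var reference = (Reference)signedXml.SignedInfo.References[0];
        if (reference.Uri != "#" + assertionId)
            return false;

        // Verify with the configured certificate only; any KeyInfo carried in the
        // message is ignored, so a key supplied by the sender is never trusted.
        return signedXml.CheckSignature(expectedIdpCert, true);
    }
}
```

Load the incoming XML into an XmlDocument with PreserveWhitespace = true and XmlResolver = null so canonicalization matches the signer's and no external entities are resolved.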
Ray Wileman
New Member
Group: Forum Members
Posts: 2, Visits: 16
Great information, as always!
After I have all of the information, how do I post the SAML to another page?
ComponentSpace Development
Group: Administrators
Posts: 3.2K, Visits: 11K
You need to serialize the SAMLResponse object to XML and then call one of the APIs to post the message to the service provider's assertion consumer service.


using ComponentSpace.SAML2.Profiles.SSOBrowser;

// Serialize to XML.
XmlElement samlResponseElement = samlResponse.ToXml();

// Send the SAML response using the HTTP-Post binding.
// The Response is the HttpResponse or HttpResponseBase object in the current page's context.
// The assertion consumer service URL is the SP's endpoint to receive the SAML response.
// The relay state is optional information and may be set to null.
IdentityProvider.SendSAMLResponseByHTTPPost(Response, assertionConsumerUrl, samlResponseElement,
    relayState);

Please note that the recommended approach is to use the SAML high-level API.
Instead of the code above, you would simply call either SAMLIdentityProvider.InitiateSSO or SAMLIdentityProvider.SendSSO.
This requires less code and is more flexible, as it's driven by SAML configuration (e.g. the saml.config file).

Regards
ComponentSpace Development
matthancock00
New Member
Group: Forum Members
Posts: 2, Visits: 18
ComponentSpace - 6/27/2016
The following code demonstrates how to sign and encrypt a SAML assertion using the low-level API.
However, wherever possible, it's always recommended to use the high-level API.


// Load the signing and encryption certificates.
// The identity provider signs with its private key.
// The identity provider encrypts with the service provider's public key.
X509Certificate2 idpCertificate = new X509Certificate2("idp.pfx", "password",
    X509KeyStorageFlags.MachineKeySet);
X509Certificate2 spCertificate = new X509Certificate2("sp.cer");

// Construct a SAML assertion - details not shown.
SAMLAssertion samlAssertion = new SAMLAssertion();
samlAssertion.Issuer = new Issuer("test");

// Serialize to XML.
XmlElement xmlElement = samlAssertion.ToXml();

// Sign the SAML assertion.
SAMLAssertionSignature.Generate(xmlElement, idpCertificate.PrivateKey, idpCertificate);

// Encrypt the SAML assertion.
EncryptedAssertion encryptedAssertion = new EncryptedAssertion(xmlElement, spCertificate);


Hello, I haven't developed in C# in a few years, so forgive me for catching on slowly here. I have downloaded your library and used the example above. My one goal right now is just to create the SAML XML response. I noticed the assertion details are skipped in the code example, so I get an error for "Failed to generate the XML signature." Do you have an example of how I would create the signature and the rest of the assertion in the code?

Thanks!
ComponentSpace Development
Group: Administrators
Posts: 3.2K, Visits: 11K
It's much better to use the high-level API if possible.
The following code constructs, signs and sends a SAML response containing a SAML assertion.
The details are controlled through configuration (e.g. the saml.config file).

SAMLIdentityProvider.InitiateSSO(Response, userName, attributes, targetUrl, partnerSP);

The ExampleIdentityProvider project under Examples\SSO\HighLevelAPI demonstrates calling this API.
If there's a reason you want to use the low-level API, please provide some more details of your requirements so we can make sure it can't be done more easily using the high-level API.

Regards
ComponentSpace Development
matthancock00
New Member
Group: Forum Members
Posts: 2, Visits: 18
Thanks for the quick reply. We are an insurance company and are using ColdFusion for our customer payment portal. Our vendor for credit card payments is a .NET shop and uses your library for SAML. We have tried crafting the SAML XML response through CF using Java's OpenSAML, but our vendor keeps saying there's an error in our XML, and they can't identify the exact issue, as the XML looks to be correct on our end. I have programmed .NET in the past, so the vendor suggested we use your library to craft the SAML XML response. My one goal at the moment is to simply create a .NET assembly that we can call through ColdFusion that will create the SAML XML string. Our vendor seems to think that because your library is used on their end to process the XML, us creating the XML through that same library may do the trick.

Thanks!
ComponentSpace Development
Group: Administrators
Posts: 3.2K, Visits: 11K
I suggest asking your vendor to contact us at [email protected].
We can help with identifying any issues with the SAML response you're generating.
I suggest they include a SAML log file attachment so we can take a look at what's happening.
https://www.componentspace.com/Forums/17/Enabing-SAML-Trace
Once we know what the issue is, we can revisit whether it makes sense to create a .NET assembly to call through ColdFusion.

Regards
ComponentSpace Development
Divya
New Member
Group: Forum Members
Posts: 5, Visits: 13
ComponentSpace - 6/27/2016
The following code demonstrates how to sign and encrypt a SAML assertion using the low-level API.
However, wherever possible, it's always recommended to use the high-level API.


// Load the signing and encryption certificates.
// The identity provider signs with its private key.
// The identity provider encrypts with the service provider's public key.
X509Certificate2 idpCertificate = new X509Certificate2("idp.pfx", "password",
    X509KeyStorageFlags.MachineKeySet);
X509Certificate2 spCertificate = new X509Certificate2("sp.cer");

// Construct a SAML assertion - details not shown.
SAMLAssertion samlAssertion = new SAMLAssertion();
samlAssertion.Issuer = new Issuer("test");

// Serialize to XML.
XmlElement xmlElement = samlAssertion.ToXml();

// Sign the SAML assertion.
SAMLAssertionSignature.Generate(xmlElement, idpCertificate.PrivateKey, idpCertificate);

// Encrypt the SAML assertion.
EncryptedAssertion encryptedAssertion = new EncryptedAssertion(xmlElement, spCertificate);


Can you please post the code for the high-level API to achieve the same?