This is an unsigned SAML Response XML. Every value that must change on each submit has been replaced by {time1} or {guid1}.
Those values are updated before the XML is signed; otherwise the response will not pass SAML validation.
If you get an "Assertion was replayed" error, it is because the time is not correct or the AssertionID has already been used.



After the SAML XML is built and signed there is one more thing to change:
the RSA SAML relying party only accepts the Signature placed before the Issuer, but .NET signs the XML and inserts the Signature as the last child, so we need some additional code to make it work:

// Sign the document with a reference to the element whose "ID" attribute equals guid1
// (SignXmlHelper.SignXml is the project's own helper; it is not shown here).
SignXmlHelper.SignXml(xmlDoc, cert, "ID", guid1);
//var item = xmlDoc.GetElementsByTagName("Signature").Item(0);

// SignedXml appended the Signature as the last child of the root. Move it up so it
// follows the first child; InsertAfter detaches the node from its old position first.
XmlElement xmlElement = xmlDoc.DocumentElement;
var signatureNode = xmlElement.LastChild;
xmlElement.InsertAfter(signatureNode, xmlElement.FirstChild);

// Serialized response, ready to be Base64-encoded and posted.
var outstr = xmlDoc.OuterXml;
Last note:
 when you post the SAML, in SAML 1 the target URL field is TargetUrl, but in SAML 2 it changed to RelayState.
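The whole flow of this post (fill the per-submit placeholders with fresh values, sign the Response, move the Signature after the Issuer, Base64-encode for the POST) in one piece, as an added example that is not code from the original post. The Response template is constructed, the entity id https://idp.example and the NameID are placeholders, and "idp-signing.pfx" with its password is a hypothetical signing certificate. It signs with explicit SHA-256 methods rather than relying on the framework defaults, and it locates the Issuer by name instead of assuming it is the first child:

```csharp
using System;
using System.Security.Cryptography.X509Certificates;
using System.Security.Cryptography.Xml;
using System.Text;
using System.Xml;

// Added example, not code from the original post. Assumptions: the template below is
// constructed; "idp-signing.pfx" and its password are hypothetical; the entity id
// https://idp.example and the NameID are placeholders.
public static class SamlResponseBuilder
{
    private const string SamlNs = "urn:oasis:names:tc:SAML:2.0:assertion";
    private const string SamlpNs = "urn:oasis:names:tc:SAML:2.0:protocol";

    // Constructed template: every value that must differ per submit is a placeholder.
    private const string Template =
        "<samlp:Response xmlns:samlp=\"" + SamlpNs + "\" xmlns:saml=\"" + SamlNs + "\"" +
        " ID=\"{guid1}\" Version=\"2.0\" IssueInstant=\"{time1}\">" +
        "<saml:Issuer>https://idp.example</saml:Issuer>" +
        "<samlp:Status><samlp:StatusCode Value=\"urn:oasis:names:tc:SAML:2.0:status:Success\"/></samlp:Status>" +
        "<saml:Assertion ID=\"{guid2}\" Version=\"2.0\" IssueInstant=\"{time1}\">" +
        "<saml:Issuer>https://idp.example</saml:Issuer>" +
        "<saml:Subject><saml:NameID>user@example.com</saml:NameID></saml:Subject>" +
        "</saml:Assertion>" +
        "</samlp:Response>";

    // xs:ID is an NCName and may not start with a digit, so prefix the GUID.
    public static string NewId() => "_" + Guid.NewGuid().ToString("N");

    // IssueInstant is a UTC xs:dateTime; a stale value is one cause of "Assertion was replayed".
    public static string Now() => DateTime.UtcNow.ToString("yyyy-MM-dd'T'HH:mm:ss'Z'");

    // Step 1: fill the placeholders with fresh values before signing.
    public static XmlDocument Build()
    {
        string xml = Template.Replace("{guid1}", NewId()).Replace("{guid2}", NewId()).Replace("{time1}", Now());
        var doc = new XmlDocument { PreserveWhitespace = true };
        doc.LoadXml(xml);
        return doc;
    }

    // SignedXml resolves "#id" through GetIdElement. Restricting it to the document
    // element keeps the reference bound to the Response actually being signed.
    private sealed class ResponseSignedXml : SignedXml
    {
        public ResponseSignedXml(XmlDocument doc) : base(doc) { }
        public override XmlElement GetIdElement(XmlDocument document, string idValue)
            => document.DocumentElement.GetAttribute("ID") == idValue ? document.DocumentElement : null;
    }

    // Step 2: sign the Response and place the Signature right after Issuer (schema order)
    // instead of leaving it as the last child, where SignedXml callers usually append it.
    public static void Sign(XmlDocument doc, X509Certificate2 cert)
    {
        XmlElement root = doc.DocumentElement;
        var signed = new ResponseSignedXml(doc) { SigningKey = cert.GetRSAPrivateKey() };
        signed.SignedInfo.CanonicalizationMethod = SignedXml.XmlDsigExcC14NTransformUrl;
        signed.SignedInfo.SignatureMethod = SignedXml.XmlDsigRSASHA256Url; // not the old SHA-1 default

        var reference = new Reference("#" + root.GetAttribute("ID"));
        reference.DigestMethod = SignedXml.XmlDsigSHA256Url;
        reference.AddTransform(new XmlDsigEnvelopedSignatureTransform());
        reference.AddTransform(new XmlDsigExcC14NTransform());
        signed.AddReference(reference);

        var keyInfo = new KeyInfo();
        keyInfo.AddClause(new KeyInfoX509Data(cert));
        signed.KeyInfo = keyInfo;

        signed.ComputeSignature();
        XmlNode signature = doc.ImportNode(signed.GetXml(), true);

        var nsm = new XmlNamespaceManager(doc.NameTable);
        nsm.AddNamespace("saml", SamlNs);
        XmlNode issuer = root.SelectSingleNode("saml:Issuer", nsm);
        root.InsertAfter(signature, issuer);
    }

    // Step 3: the value that goes into the SAMLResponse form field.
    public static string ToPostValue(XmlDocument doc) =>
        Convert.ToBase64String(Encoding.UTF8.GetBytes(doc.OuterXml));

    public static void Main()
    {
        var cert = new X509Certificate2("idp-signing.pfx", "pfx-password"); // hypothetical
        XmlDocument doc = Build();
        Sign(doc, cert);
        Console.WriteLine(ToPostValue(doc));
    }
}
```

Because `ResponseSignedXml.GetIdElement` only ever returns the document element, a typo in the reference URI fails loudly at `ComputeSignature` instead of silently signing some other element that happens to carry the same ID.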

 
Categories: Asp.net | C# | Security

A SAML Response is an Assertion XML with a digital signature,
so once you have the SAML XML and your X.509 certificate
you can use the following code to sign it.

Here is an example:
http://msdn.microsoft.com/en-us/library/ms229745%28v=vs.110%29.aspx

using System;
using System.Security.Cryptography;
using System.Security.Cryptography.Xml;
using System.Xml;

public class SignXML
{

    public static void Main(String[] args)
    {
        try
        {
            // Create a new CspParameters object to specify 
            // a key container.
            CspParameters cspParams = new CspParameters();
            cspParams.KeyContainerName = "XML_DSIG_RSA_KEY";

            // Create a new RSA signing key and save it in the container. 
            RSACryptoServiceProvider rsaKey = new RSACryptoServiceProvider(cspParams);

            // Create a new XML document.
            XmlDocument xmlDoc = new XmlDocument();

            // Load an XML file into the XmlDocument object.
            xmlDoc.PreserveWhitespace = true;
            xmlDoc.Load("test.xml");

            // Sign the XML document. 
            SignXml(xmlDoc, rsaKey);

            Console.WriteLine("XML file signed.");

            // Save the document.
            xmlDoc.Save("test.xml");



        }
        catch (Exception e)
        {
            Console.WriteLine(e.Message);
        }
    }


    // Sign an XML file.  
    // This document cannot be verified unless the verifying  
    // code has the key with which it was signed. 
    public static void SignXml(XmlDocument xmlDoc, RSA Key)
    {
        // Check arguments. 
        if (xmlDoc == null)
            throw new ArgumentNullException("xmlDoc");
        if (Key == null)
            throw new ArgumentNullException("Key");

        // Create a SignedXml object.
        SignedXml signedXml = new SignedXml(xmlDoc);

        // Add the key to the SignedXml document (the parameter is named Key above;
        // the original sample referred to rsaKey here, which does not compile).
        // Note: .NET Framework versions before 4.7.1 default SignedInfo.SignatureMethod
        // to RSA-SHA1; set SignatureMethod and the reference's DigestMethod explicitly
        // if you need SHA-256.
        signedXml.SigningKey = Key;

        // Create a reference to be signed.
        Reference reference = new Reference();
        reference.Uri = "";

        // Add an enveloped transformation to the reference.
        XmlDsigEnvelopedSignatureTransform env = new XmlDsigEnvelopedSignatureTransform();
        reference.AddTransform(env);

        // Add the reference to the SignedXml object.
        signedXml.AddReference(reference);

        // Compute the signature.
        signedXml.ComputeSignature();

        // Get the XML representation of the signature and save 
        // it to an XmlElement object.
        XmlElement xmlDigitalSignature = signedXml.GetXml();

        // Append the element to the XML document.
        xmlDoc.DocumentElement.AppendChild(xmlDoc.ImportNode(xmlDigitalSignature, true));

    }
}


http://www.codeproject.com/Articles/56640/Performing-a-SAML-Post-with-C
using System;
using System.Security.Cryptography.X509Certificates;
using System.Security.Cryptography.Xml;
using System.Xml;

// SignedXml resolves a "#value" reference through GetIdElement, which by default only
// knows a few attribute names. The linked article therefore derives a small subclass
// that looks the element up by a caller-supplied attribute name (SAML uses "ID");
// it is reproduced here so that SignDoc compiles on its own.
public class SamlSignedXml : SignedXml
{
    private readonly string _referenceAttributeId;

    public SamlSignedXml(XmlDocument document, string referenceAttributeId) : base(document)
    {
        _referenceAttributeId = referenceAttributeId;
    }

    public override XmlElement GetIdElement(XmlDocument document, string idValue)
    {
        // Matches any element in the document carrying the attribute. That is fine when
        // signing your own document; a verifier should resolve only the element it expects.
        return (XmlElement)document.SelectSingleNode(
            string.Format("//*[@{0}='{1}']", _referenceAttributeId, idValue));
    }
}

public static XmlElement SignDoc(XmlDocument doc, X509Certificate2 cert2, 
              string referenceId, string referenceValue) {
    SamlSignedXml sig = new SamlSignedXml(doc, referenceId);
    // Add the key to the SignedXml xmlDocument. 
    sig.SigningKey = cert2.PrivateKey;

    // Create a reference to the element whose referenceId attribute equals referenceValue. 
    Reference reference = new Reference();
    reference.Uri = "#" + referenceValue;

    // Add an enveloped transformation and C14N to the reference. 
    XmlDsigEnvelopedSignatureTransform env = new
        XmlDsigEnvelopedSignatureTransform();
    XmlDsigC14NTransform env2 = new XmlDsigC14NTransform();

    reference.AddTransform(env);
    reference.AddTransform(env2);

    // Add the reference to the SignedXml object. 
    sig.AddReference(reference);

    // Add an X509Data KeyInfo
    // (optional; helps the recipient find the key to validate with). 
    KeyInfo keyInfo = new KeyInfo();
    KeyInfoX509Data keyData = new KeyInfoX509Data(cert2);

    keyInfo.AddClause(keyData);
    
    sig.KeyInfo = keyInfo;

    // Compute the signature. 
    sig.ComputeSignature();

    // Get the XML representation of the signature
    // and save it to an XmlElement object. 
    XmlElement xmlDigitalSignature = sig.GetXml();

    return xmlDigitalSignature;
}

Signed XML sample:
http://www.aleksey.com/xmlsec/api/xmlsec-examples-sign-x509.html



 
Categories: Asp.net | C# | Security

If the SAMLResponse is not encrypted, it is very easy to decode it and view its signature and data.

To create the SAMLResponse before submitting it to the relying party, the identity provider does:
   string samlResponse = System.Convert.ToBase64String(Encoding.UTF8.GetBytes(requestParameters["assertion"]));
After it receives the SAMLResponse, the service provider does:
   var samlResponse =
       @"PHNhbWxwOlJlc3BvbnNlI...ZXNwb25zZT4=";
   XmlDocument SAMLXML = new XmlDocument();
   SAMLXML.LoadXml(System.Text.Encoding.UTF8.GetString(Convert.FromBase64String(samlResponse)));
So for more security, the assertion should also be encrypted using the public key offered by the service provider, as in the diagram below.
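The service-provider side of the exchange above, as an added example that is not code from the original post: it decodes the POSTed value the way the snippet does, but with DTD processing and external entity resolution switched off, then performs the checks that stand behind the "Assertion was replayed" error from the first post (signature over the Response verified against the IdP certificate the SP already trusts, IssueInstant inside a freshness window, ID never accepted before). It assumes the Response element itself is signed, as in this blog's own flow, that the IdP certificate is at "idp-signing.cer" (hypothetical path), and that `samlResponse` is the Base64 string from the form field:

```csharp
using System;
using System.Collections.Generic;
using System.Globalization;
using System.IO;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;
using System.Security.Cryptography.Xml;
using System.Text;
using System.Xml;

// Added example, not code from the original post. Assumptions: the IdP certificate is
// at "idp-signing.cer" (hypothetical path); samlResponse is the Base64 value read from
// the POSTed SAMLResponse field; the Response element itself carries the signature.
public static class SamlResponseValidator
{
    private const string DsNs = "http://www.w3.org/2000/09/xmldsig#";

    // IDs already accepted. A real SP keeps this in a shared store whose expiry is at
    // least as long as the freshness window passed to Validate.
    private static readonly HashSet<string> SeenIds = new HashSet<string>();

    // Only the document element may satisfy the "#id" reference, so an extra element
    // carrying the same ID elsewhere in the document is never resolved.
    private sealed class RootOnlySignedXml : SignedXml
    {
        public RootOnlySignedXml(XmlDocument doc) : base(doc) { }
        public override XmlElement GetIdElement(XmlDocument document, string idValue)
            => document.DocumentElement.GetAttribute("ID") == idValue ? document.DocumentElement : null;
    }

    // Base64-decode and parse with DTDs prohibited and no external resolver.
    public static XmlDocument Decode(string samlResponse)
    {
        string xml = Encoding.UTF8.GetString(Convert.FromBase64String(samlResponse));
        var settings = new XmlReaderSettings { DtdProcessing = DtdProcessing.Prohibit, XmlResolver = null };
        var doc = new XmlDocument { PreserveWhitespace = true, XmlResolver = null };
        using (var reader = XmlReader.Create(new StringReader(xml), settings))
        {
            doc.Load(reader);
        }
        return doc;
    }

    // Throws when any check fails; returns the accepted Response ID otherwise.
    public static string Validate(XmlDocument doc, X509Certificate2 idpCert, TimeSpan maxAge)
    {
        XmlElement root = doc.DocumentElement;
        string id = root.GetAttribute("ID");

        // Exactly one Signature, and it must sit directly under the Response.
        XmlNodeList signatures = doc.GetElementsByTagName("Signature", DsNs);
        if (signatures.Count != 1 || signatures[0].ParentNode != root)
            throw new CryptographicException("expected exactly one Signature under the Response");

        var signed = new RootOnlySignedXml(doc);
        signed.LoadXml((XmlElement)signatures[0]);

        // The single reference must point at this Response's own ID.
        if (signed.SignedInfo.References.Count != 1 ||
            ((Reference)signed.SignedInfo.References[0]).Uri != "#" + id)
            throw new CryptographicException("signature does not cover the Response");

        // Check against the certificate we already trust, never the one inside KeyInfo.
        if (!signed.CheckSignature(idpCert, true))
            throw new CryptographicException("signature verification failed");

        // Replay defences: IssueInstant must be recent and the ID must not have been seen.
        DateTime issued = DateTime.Parse(root.GetAttribute("IssueInstant"), CultureInfo.InvariantCulture,
                                         DateTimeStyles.AdjustToUniversal | DateTimeStyles.AssumeUniversal);
        TimeSpan age = DateTime.UtcNow - issued;
        if (age > maxAge || age < TimeSpan.FromMinutes(-1))   // one minute of clock skew allowed
            throw new CryptographicException("IssueInstant outside the accepted window");
        lock (SeenIds)
        {
            if (!SeenIds.Add(id))
                throw new CryptographicException("Assertion was replayed");
        }
        return id;
    }

    public static void Main()
    {
        var idpCert = new X509Certificate2("idp-signing.cer"); // hypothetical path
        string samlResponse = Console.In.ReadToEnd().Trim();     // the POSTed field value
        XmlDocument doc = Decode(samlResponse);
        Console.WriteLine("accepted " + Validate(doc, idpCert, TimeSpan.FromMinutes(5)));
    }
}
```

The order matters: the signature is checked before IssueInstant and the ID are trusted, so the replay store only ever records IDs from responses the IdP really issued. Encrypting the assertion, as the post goes on to recommend, is a separate layer on top of these checks, not a replacement for them.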


The diagram comes from:
http://devproconnections.com/development/generate-saml-tokens-using-windows-identity-foundation
http://devproconnections.com/development/generating-saml-tokens-wif-part-2


Some examples with source code:
https://github.com/covermymeds/saml-http-post-reference/


 
Categories: Asp.net | Security

I am working on SAML authentication for our mobile app
and collected some resources to build my test SAML identity provider:

http://www.componentpro.com/download/?name=UltimateSaml
http://www.componentpro.com/doc/saml/Introduction_to_Single_Sign-On_Applications.html

http://www.componentspace.com/Downloads.aspx

To create the private key and public key
we can use the Visual Studio command-line tool makecert.exe, but the easiest way is the GUI tool from:
http://blog.pluralsight.com/selfcert-create-a-self-signed-certificate-interactively-gui-or-programmatically-in-net

First save the RSA key to a .pfx file using the SelfCert tool.

Then you can import it and export it to a .cer file.
You need to run the "mmc" command and add the Certificates snap-in to view the certificates.

Or you can use OpenSSL (install it first):

C:\Users\wsun>openssl pkcs12 -nokeys -clcerts -in ix.pfx -out ix.cer
Enter Import Password:
MAC verified OK
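The same key pair and certificate can be produced programmatically instead of with the GUI tool or makecert.exe. The following is an added example, not code from the original post or from the linked tools: it uses the CertificateRequest API (available in .NET Core 2.0+ and .NET Framework 4.7.2+) to create a 2048-bit RSA self-signed signing certificate and writes the .pfx (private key, password protected) and the .cer (public certificate only, what the OpenSSL command above extracts). The subject name, output paths and password are placeholders:

```csharp
using System;
using System.IO;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

// Added example, not code from the original post. Subject name, file names and the
// password are placeholders; pick your own.
public static class TestCertFactory
{
    public static void Create(string pfxPath, string cerPath, string pfxPassword)
    {
        using (RSA rsa = RSA.Create(2048))
        {
            var request = new CertificateRequest(
                "CN=test-idp-signing", rsa, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);

            // Mark the certificate as a signing certificate only.
            request.CertificateExtensions.Add(
                new X509KeyUsageExtension(X509KeyUsageFlags.DigitalSignature, critical: true));

            DateTimeOffset now = DateTimeOffset.UtcNow;
            using (X509Certificate2 cert = request.CreateSelfSigned(now.AddMinutes(-5), now.AddYears(1)))
            {
                // .pfx: certificate plus private key, for the identity provider that signs.
                File.WriteAllBytes(pfxPath, cert.Export(X509ContentType.Pfx, pfxPassword));
                // .cer: certificate only, for the service provider that verifies.
                File.WriteAllBytes(cerPath, cert.Export(X509ContentType.Cert));
            }
        }
    }

    public static void Main()
    {
        Create("ix.pfx", "ix.cer", "choose-a-password"); // placeholders
        Console.WriteLine("wrote ix.pfx and ix.cer");
    }
}
```

Only the .cer file should leave the identity provider; the .pfx holds the private key and stays with the signer.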


 
Categories: C# | Security | Visual studio 10/up