If the SAMLResponse is not encrypted, it is very easy to decode it (it is only Base64) and view its signature and data.

To create the SAMLResponse before posting it to the service provider, the identity provider does:

    // Base64-encode the raw assertion XML; this is encoding, not encryption
    string samlResponse = System.Convert.ToBase64String(Encoding.UTF8.GetBytes(requestParameters["assertion"]));
After it receives the SAMLResponse, the service provider does:

    using System;
    using System.Text;
    using System.Xml;

    // Value taken from the SAMLResponse form field (elided here)
    var samlResponse = @"PHNhbWxwOlJlc3BvbnNlI...ZXNwb25zZT4=";
    // Base64-decode and parse the XML; the assertion, subject and signature are all readable at this point
    XmlDocument SAMLXML = new XmlDocument();
    SAMLXML.LoadXml(Encoding.UTF8.GetString(Convert.FromBase64String(samlResponse)));
So for more security, the assertion should also be encrypted using the public key offered by the service provider, as in the diagram below.
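As an added example (not code from this post, and written in Python rather than the post's C#), the check below decodes a SAMLResponse form value the way the service provider above does and reports whether the assertion, subject NameID and signature are visible in the clear or whether an EncryptedAssertion is used instead. Both sample responses are constructed here, with placeholder signature and cipher values.

```python
import base64
import xml.etree.ElementTree as ET

# Standard SAML 2.0 and XML-DSig namespaces
NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed sample: a signed but unencrypted Response, as the IdP in the post sends it.
# The SignatureValue is a placeholder, not a real signature.
PLAINTEXT_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0">
  <saml:Assertion ID="_a1" Version="2.0">
    <saml:Issuer>https://idp.example.test</saml:Issuer>
    <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:SignatureValue>PLACEHOLDER</ds:SignatureValue></ds:Signature>
    <saml:Subject><saml:NameID>alice@example.test</saml:NameID></saml:Subject>
  </saml:Assertion>
</samlp:Response>"""

# Constructed sample: the same flow with the assertion encrypted to the SP's public key.
# The CipherValue is a placeholder, not real ciphertext.
ENCRYPTED_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r2" Version="2.0">
  <saml:EncryptedAssertion>
    <xenc:EncryptedData xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"><xenc:CipherData><xenc:CipherValue>PLACEHOLDER</xenc:CipherValue></xenc:CipherData></xenc:EncryptedData>
  </saml:EncryptedAssertion>
</samlp:Response>"""


def encode(xml_text: str) -> str:
    """Base64-encode the XML exactly as the IdP code in the post does."""
    return base64.b64encode(xml_text.encode("utf-8")).decode("ascii")


def inspect_saml_response(b64: str) -> dict:
    """Decode a SAMLResponse form value and report what is readable without any key."""
    root = ET.fromstring(base64.b64decode(b64))
    plain = root.findall("saml:Assertion", NS)
    encrypted = root.findall("saml:EncryptedAssertion", NS)
    name_ids = root.findall(".//saml:Subject/saml:NameID", NS)
    return {
        "plaintext_assertions": len(plain),
        "encrypted_assertions": len(encrypted),
        "signed": root.find(".//ds:Signature", NS) is not None,
        "visible_name_ids": [n.text for n in name_ids],
    }
```

For the plaintext sample the subject's NameID is returned in the clear; for the encrypted sample only the EncryptedAssertion wrapper is visible and the service provider must decrypt it with its private key before the assertion can be parsed.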


The diagram comes from:
http://devproconnections.com/development/generate-saml-tokens-using-windows-identity-foundation
http://devproconnections.com/development/generating-saml-tokens-wif-part-2


Some examples with source code:
https://github.com/covermymeds/saml-http-post-reference/

