Reputation: 19397
See this (stripped-down) SAML 2.0 response:
<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
                xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">lkasjdflkasj</saml:Issuer>
  <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
    <!--<snip>-->
  </Signature>
  <samlp:Status xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
    <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
  </samlp:Status>
  <saml:Assertion>
    <saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">lkasjdflkasj</saml:Issuer>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient">jsmith</saml:NameID>
      <!--<snip>-->
    </saml:Subject>
    <!--<snip, but there was NOT a Signature node inside the assertion>-->
  </saml:Assertion>
</samlp:Response>
In the code below, the XML reader is set to send just the <Assertion> piece of the SAML 2.0 response:
var handlers = FederatedAuthentication.FederationConfiguration.IdentityConfiguration.SecurityTokenHandlers;
var token = handlers.ReadToken( myXmlReader );
var identities = handlers.ValidateToken( token );
If the <Signature> node is part of the assertion, then ValidateToken() will verify it using config settings, e.g. issuerNameRegistry (example in this question).
But if the signature is at a higher level (i.e. the whole xml is signed, not just the assertion), then we'll get an exception like:
ID4152: The Saml2SecurityToken cannot be validated because the IssuerToken property is not set. Unsigned SAML2:Assertions cannot be validated.
Am I understanding correctly that if the <Signature> exists only on the overall XML response, I cannot call ValidateToken and must instead revert to more general-purpose features such as SignedXml.CheckSignature?
Upvotes: 2
Views: 1565
Reputation: 878
Create a subclass of Saml2SecurityTokenHandler and override the TryResolveIssuerToken method. If you validate the signature in an earlier step, this method can give a thumbs-up to a signature certificate that it otherwise would have no idea about.
I now have this approach working in production code.
Upvotes: 0
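As an added illustration of the override described in this answer (example code, not the answerer's production code or WIF's own), the hypothetical handler below verifies the response-level signature with SignedXml first and then vouches for that certificate from TryResolveIssuerToken, so ValidateToken() proceeds and the configured issuerNameRegistry still decides whether the certificate is trusted. It assumes the real <samlp:Response> carries the usual ID attribute and that the signature's KeyInfo includes the signing certificate.

```csharp
using System;
using System.IdentityModel.Selectors;
using System.IdentityModel.Tokens;
using System.Security.Cryptography.X509Certificates;
using System.Security.Cryptography.Xml;
using System.Xml;

// Hypothetical handler (not WIF's own code): the response-level <Signature> is verified
// first; its certificate then becomes the assertion's IssuerToken, so ValidateToken()
// gets past ID4152 and still runs the issuerNameRegistry check on that certificate.
public class ResponseSignedSaml2TokenHandler : Saml2SecurityTokenHandler
{
    private readonly X509Certificate2 _responseSigner;

    public ResponseSignedSaml2TokenHandler(X509Certificate2 responseSigner)
    {
        if (responseSigner == null) throw new ArgumentNullException("responseSigner");
        _responseSigner = responseSigner;
    }

    // ReadToken() calls this; the out token becomes Saml2SecurityToken.IssuerToken.
    protected override bool TryResolveIssuerToken(Saml2Assertion assertion,
        SecurityTokenResolver issuerResolver, out SecurityToken token)
    {
        if (assertion.SigningCredentials != null)   // assertion signed itself: normal path
            return base.TryResolveIssuerToken(assertion, issuerResolver, out token);
        token = new X509SecurityToken(_responseSigner);  // unsigned: vouch for the response signer
        return true;
    }

    // Verifies the enveloped signature over the whole <samlp:Response> and returns the
    // signing certificate, or null. Trust in the certificate is decided by the registry.
    public static X509Certificate2 VerifyResponseSignature(XmlDocument response)
    {
        var sigNodes = response.GetElementsByTagName("Signature", SignedXml.XmlDsigNamespaceUrl);
        if (sigNodes.Count != 1) return null;       // this scenario: one response-level signature
        var signedXml = new SignedXml(response);
        signedXml.LoadXml((XmlElement)sigNodes[0]);
        // Wrapping guard: the single <Reference> must cover the root element's own ID,
        // otherwise the assertion read afterwards may lie outside the signed scope.
        if (signedXml.SignedInfo.References.Count != 1) return null;
        var reference = (Reference)signedXml.SignedInfo.References[0];
        if (reference.Uri != "#" + response.DocumentElement.GetAttribute("ID")) return null;
        X509Certificate2 cert = null;
        foreach (KeyInfoClause clause in signedXml.KeyInfo)
        {
            var x509 = clause as KeyInfoX509Data;
            if (x509 != null && x509.Certificates.Count > 0) cert = (X509Certificate2)x509.Certificates[0];
        }
        return cert != null && signedXml.CheckSignature(cert, true) ? cert : null;
    }
}
```

Create one instance per response (it carries that response's verified certificate), assign it the handler collection's Configuration so the configured issuerNameRegistry applies, then call ReadToken/ValidateToken on the <Assertion> reader as in the question.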
Reputation: 1311
OK, indeed you are parsing real SAML2 messages. WIF does not support that. WIF probably considers this an unsigned Assertion.
I would have to dig in with Reflector and/or the reference source. Anyway, you would have to do the parsing and verification yourself. And I personally do not use SignedXml. Maybe it is possible. It has other side effects. Welcome to the mine field.
The famous reference article: https://www.usenix.org/system/files/conference/usenixsecurity12/sec12-final91.pdf
Upvotes: 2