how to include variable inside ExtensionContent in C# - c#

I have this piece of code for XML generation and want to be able to fetch and use a variable from inside ExtensionContent, for example to replace this value OTcwNjljYzUwY2JlZTI4NWRkNDM2NmVhMDM3MGJhM2NjNDZlZTJjMjYxZDkwYzUyM2RiZjYyODNkNmQ4ZTM3OA== with a variable added in the code:
ExtensionContent = @"<sig:UBLDocumentSignatures xmlns:sig=""urn:oasis:names:specification:ubl:schema:xsd:CommonSignatureComponents-2"" xmlns:sac=""urn:oasis:names:specification:ubl:schema:xsd:SignatureAggregateComponents-2"" xmlns:sbc=""urn:oasis:names:specification:ubl:schema:xsd:SignatureBasicComponents-2"">
<sac:SignatureInformation>
<sbc:ReferencedSignatureID>urn:oasis:names:specification:ubl:signature:Invoice</sbc:ReferencedSignatureID>
<ds:Signature xmlns:ds=""http://www.w3.org/2000/09/xmldsig#"" Id=""signature"">
<ds:SignedInfo>
<ds:CanonicalizationMethod Algorithm=""http://www.w3.org/2006/12/xml-c14n11""/>
<ds:SignatureMethod Algorithm=""http://www.w3.org/2001/04/xmldsig-more#rsa-sha256""/>
<ds:Reference Id=""invoiceSignedData"" URI="""">
<ds:Transforms>
<ds:Transform Algorithm=""http://www.w3.org/TR/1999/REC-xpath-19991116"">
<ds:XPath>not(//ancestor-or-self::ext:UBLExtensions)</ds:XPath>
</ds:Transform>
<ds:Transform Algorithm=""http://www.w3.org/TR/1999/REC-xpath-19991116"">
<ds:XPath>not(//ancestor-or-self::cac:Signature)</ds:XPath>
</ds:Transform>
<ds:Transform Algorithm=""http://www.w3.org/TR/1999/REC-xpath-19991116"">
<ds:XPath>not(//ancestor-or-self::cac:AdditionalDocumentReference[cbc:ID='QR'])</ds:XPath>
</ds:Transform>
<ds:Transform Algorithm=""http://www.w3.org/2006/12/xml-c14n11""/>
</ds:Transforms>
<ds:DigestMethod Algorithm=""http://www.w3.org/2001/04/xmlenc#sha256""/>
<ds:DigestValue>lYQcYGXl6hCf+ZZPNdr1wajasZBRGKXlNepHUG+S4HA=</ds:DigestValue>
</ds:Reference>
<ds:Reference Type=""http://www.w3.org/2000/09/xmldsig#SignatureProperties"" URI=""#xadesSignedProperties"">
<ds:DigestMethod Algorithm=""http://www.w3.org/2001/04/xmlenc#sha256""/>
<ds:DigestValue>OTcwNjljYzUwY2JlZTI4NWRkNDM2NmVhMDM3MGJhM2NjNDZlZTJjMjYxZDkwYzUyM2RiZjYyODNkNmQ4ZTM3OA==</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue></ds:SignatureValue>
<ds:KeyInfo>
<ds:X509Data>
<ds:X509Certificate>...</ds:X509Certificate>
</ds:X509Data>
</ds:KeyInfo>
<ds:Object>
<xades:QualifyingProperties xmlns:xades=""http://uri.etsi.org/01903/v1.3.2#"" Target=""signature"">
<xades:SignedProperties Id=""xadesSignedProperties"">
<xades:SignedSignatureProperties>
<xades:SigningTime>2022-03-31T12:13:18Z</xades:SigningTime>
<xades:SigningCertificate>
<xades:Cert>
<xades:CertDigest>
<ds:DigestMethod Algorithm=""http://www.w3.org/2001/04/xmlenc#sha256""/>
<ds:DigestValue>ZGNjZTk3MGIzYjg0M2FlODczNGIyMDQ3ZjczOTM2NjgyNjljYmQ4NGYyZThkOTlmY2ZjYTU0ODFhZWE3MjE4NA==</ds:DigestValue>
</xades:CertDigest>
<xades:IssuerSerial>
<ds:X509IssuerName>CN=eInvoicing</ds:X509IssuerName>
<ds:X509SerialNumber>1641728828389</ds:X509SerialNumber>
</xades:IssuerSerial>
</xades:Cert>
</xades:SigningCertificate>
</xades:SignedSignatureProperties>
</xades:SignedProperties>
</xades:QualifyingProperties>
</ds:Object>
</ds:Signature>
</sac:SignatureInformation>
</sig:UBLDocumentSignatures>".ToXmlElement()
}
},

There is a tool called xsd.exe in the .NET Framework Tools.
It allows you to create one or more C# classes that match your XML. Then you can use the XML Serializer to deserialize your XML to .NET objects, update your property, then serialize the objects back to XML and save.
This is an article from Microsoft that contains more information about xsd.exe:
https://learn.microsoft.com/en-us/dotnet/standard/serialization/xml-schema-def-tool-gen
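An added example (not part of the answer or the asker's project) that takes a different route from xsd.exe: load the fragment into an XmlDocument and set the DigestValue node directly, so the variable never has to be spliced into the XML string. The class and method names and the shortened template are constructed for this example; the namespace URIs, element names and the Reference Type come from the question's XML. Selecting by namespace URI rather than by prefix means the same lookup also works for a document that declares xmldsig as its default namespace instead of `ds:`.

```csharp
using System;
using System.Xml;

// Added example: sets the SignatureProperties DigestValue through the DOM instead of
// splicing a variable into the XML string. Class/method names and the shortened
// template are constructed; namespace URIs, element names and the Reference Type
// attribute are taken from the question's XML.
static class SignatureTemplate
{
    const string DsNs = "http://www.w3.org/2000/09/xmldsig#";
    const string SigPropsType = "http://www.w3.org/2000/09/xmldsig#SignatureProperties";

    // Constructed, shortened form of the question's UBLDocumentSignatures fragment.
    const string Template =
        "<sig:UBLDocumentSignatures xmlns:sig=\"urn:oasis:names:specification:ubl:schema:xsd:CommonSignatureComponents-2\">" +
        "<ds:Signature xmlns:ds=\"http://www.w3.org/2000/09/xmldsig#\" Id=\"signature\">" +
        "<ds:SignedInfo>" +
        "<ds:Reference Id=\"invoiceSignedData\" URI=\"\">" +
        "<ds:DigestValue>lYQcYGXl6hCf+ZZPNdr1wajasZBRGKXlNepHUG+S4HA=</ds:DigestValue>" +
        "</ds:Reference>" +
        "<ds:Reference Type=\"http://www.w3.org/2000/09/xmldsig#SignatureProperties\" URI=\"#xadesSignedProperties\">" +
        "<ds:DigestValue>OTcwNjljYzUwY2JlZTI4NWRkNDM2NmVhMDM3MGJhM2NjNDZlZTJjMjYxZDkwYzUyM2RiZjYyODNkNmQ4ZTM3OA==</ds:DigestValue>" +
        "</ds:Reference>" +
        "</ds:SignedInfo>" +
        "</ds:Signature>" +
        "</sig:UBLDocumentSignatures>";

    // Replaces the DigestValue of the SignatureProperties reference with the supplied
    // value and returns the updated root element (the asker's property holds an XmlElement).
    // Matching by namespace URI, not prefix, also covers documents that use xmldsig as
    // their default namespace (<KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">).
    public static XmlElement WithSignedPropertiesDigest(string digestBase64)
    {
        // Reject anything that is not Base64 before it goes anywhere near the document.
        Convert.FromBase64String(digestBase64);

        var doc = new XmlDocument { PreserveWhitespace = true };
        doc.LoadXml(Template);

        var ns = new XmlNamespaceManager(doc.NameTable);
        ns.AddNamespace("ds", DsNs);

        XmlNode node = doc.SelectSingleNode(
            "//ds:Reference[@Type='" + SigPropsType + "']/ds:DigestValue", ns);
        if (node == null)
            throw new InvalidOperationException("SignatureProperties DigestValue not found");

        // InnerText escapes the text, so no manual XML escaping or string building is needed.
        node.InnerText = digestBase64;
        return doc.DocumentElement;
    }

    static void Main()
    {
        // Constructed sample digest, used only to show the replacement.
        XmlElement element = WithSignedPropertiesDigest("AAECAwQFBgcICQoLDA0ODw==");
        Console.WriteLine(element.OuterXml);
    }
}
```

The same pattern applies to the other DigestValue, the SigningTime and the X509 fields in the full fragment; only the XPath changes.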

Related

Endpoint when using AD FS SAML token with SharePoint 2019

I have fetched a SAML Token from AD FS for the Relying Party Trust I have set up with my local SharePoint server.
The important part of the response from ADFS is given below.
Using this, I have been able to retrieve an access token from SharePoint by posting a URL-encoded form to http://mylocalsharepoint/_trust/default.aspx and grabbing the set-cookie, essentially emulating the action of the Login UI.
My question is, is there a better endpoint other than http://mylocalsharepoint/_trust/default.aspx (this is what the Login GUI page uses)? This is returning an entire web page, but all I really need is the access token (fedAuth cookie); plus it requires a URL-encoded form, and it would be great to be able to just use the XML SOAP message, or at least XML.
I have found /_vti_bin/authentication.asmx but that seems to only support username and password mode.
I would really appreciate anyone pointing me in the right direction. Thanks very much.
<trust:RequestSecurityTokenResponse>
<trust:Lifetime>
<wsu:Created xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">2022-10-19T16:56:36.105Z</wsu:Created>
<wsu:Expires xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">2022-10-19T17:56:36.105Z</wsu:Expires>
</trust:Lifetime>
<wsp:AppliesTo xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy">
<wsa:EndpointReference xmlns:wsa="http://www.w3.org/2005/08/addressing">
<wsa:Address>urn:sharepoint:spsites</wsa:Address>
</wsa:EndpointReference>
</wsp:AppliesTo>
<trust:RequestedSecurityToken>
<saml:Assertion MajorVersion="1" MinorVersion="1" AssertionID="_3519cbe0-66fb-4bc3-9a40-91ea06cb0ad7" Issuer="http://ms-adfs.intranet/adfs/services/trust" IssueInstant="2022-10-19T16:56:36.230Z" xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion">
<saml:Conditions NotBefore="2022-10-19T16:56:36.105Z" NotOnOrAfter="2022-10-19T17:56:36.105Z">
<saml:AudienceRestrictionCondition>
<saml:Audience>urn:sharepoint:spsites</saml:Audience>
</saml:AudienceRestrictionCondition>
</saml:Conditions>
<saml:AttributeStatement>
<saml:Subject>
<saml:SubjectConfirmation>
<saml:ConfirmationMethod>urn:oasis:names:tc:SAML:1.0:cm:bearer</saml:ConfirmationMethod>
</saml:SubjectConfirmation>
</saml:Subject>
<saml:Attribute AttributeName="emailaddress" AttributeNamespace="http://schemas.xmlsoap.org/ws/2005/05/identity/claims">
<saml:AttributeValue>billbates@microsotofu.com</saml:AttributeValue>
</saml:Attribute>
</saml:AttributeStatement>
<saml:AuthenticationStatement AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:X509-PKI" AuthenticationInstant="2022-10-19T16:56:35.639Z">
<saml:Subject>
<saml:SubjectConfirmation>
<saml:ConfirmationMethod>urn:oasis:names:tc:SAML:1.0:cm:bearer</saml:ConfirmationMethod>
</saml:SubjectConfirmation>
</saml:Subject>
</saml:AuthenticationStatement>
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:SignedInfo>
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
<ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
<ds:Reference URI="#_3519cbe0-66fb-4bc3-9a40-91ea06cb0ad7">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
<ds:DigestValue>gTz6J3z40UUkqOf1DV3gAe4yel5AD0GVPCJ7xI6ac44=</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>ftyI5grqS01/g9zpfUuPn24xXMvJ...</ds:SignatureValue>
<KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
<X509Data>
<X509Certificate>MIICxDCCAaygAwIBAgIQEqN9pL4STbx...</X509Certificate>
</X509Data>
</KeyInfo>
</ds:Signature>
</saml:Assertion>
</trust:RequestedSecurityToken>
<trust:TokenType>urn:oasis:names:tc:SAML:1.0:assertion</trust:TokenType>
<trust:RequestType>http://docs.oasis-open.org/ws-sx/ws-trust/200512/Issue</trust:RequestType>
<trust:KeyType>http://docs.oasis-open.org/ws-sx/ws-trust/200512/Bearer</trust:KeyType>
</trust:RequestSecurityTokenResponse>
You need to develop a C# customization as a Farm Solution that adds a custom endpoint on your SharePoint side, such as an ASHX handler prepared to receive the XML contract given above, and redirect to this new custom endpoint. The C# code needs at minimum three things:
1. Guarantee security using a CORS approach;
2. Deserialize the XML received from the custom authentication provider;
3. And the last one: develop custom authorization on the SharePoint side.
About item 3, this Microsoft Learn topic is recommended: Create a claims provider in SharePoint

Whitespace is determining the validity of my digital signature

I have an XML digital signature, serialized with line breaks and indentation, as per the defaults in XmlSerializer. It fails the .NET SignedXml.CheckSignature() test. If I strip out the line breaks and indentation, it passes. Is this the expected behaviour? Can the signature be considered robust and cross-platform if the default serialization, or a cosmetic change to the signature, breaks its validity? Should I be considering the binary PKCS formats for robustness? The signature, as serialized with line breaks, is below.
<?xml version="1.0"?>
<ds:Signature Id="SignatureID" xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:SignedInfo>
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315" />
<ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
<ds:Reference URI="http://localhost/simondocs/images/succes.png">
<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
<ds:DigestValue>Dv7mVn07JAKmm77J0PzqJ1N00SI=</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue Id="SignatureID">FHQiNBNrNVm/0yCNrvlifVpw9I10fyEQkXrAGslIOzBRtnPRBUDS3tE9RtvWbVxObQLhkn4Im5wcZoOtvl/K8fiAe45Pwvj3Q7trql+BCq3jDogYi83mlSaoW1ScU5Vmdl/jv6qfros0R7jelEqNiEkIF1n8dCZJBdzY/pY2vhkzM2MeiPxfHRYgMT3tgMUkhBGiU6EjGtitSWT840L/dz3HIRSXr4PCx7qAV108S8ICkXJPTp4Qs+32Tk1T7ha45BN7A+rHtyupd2xrCu7JCEHDn3k0XJL0/ARprqvZVpzqt2c/GLCjrX3fAJy7Yxs/3fOusA7jNm7qVHxFKHJAYA==</ds:SignatureValue>
<ds:KeyInfo>
<ds:X509Data>
<ds:X509Certificate>...</ds:X509Certificate>
</ds:X509Data>
<ds:KeyValue>
<ds:RSAKeyValue>
<ds:Modulus>yCiv+oCtJV9j6UU/juRoYfCXCkoS0snmfR03gh9uKKaJ8r3EicGLFxpNHlx+/UTSSSNyenpXI31SEkZ7o2ZgjogLhXdZnUVp5arXblYz5Y8Wq0iMT49nFL4WVNsm66d+KvjEOpkDzkW/CMS84JQ1MGMgEPsoLdJjR4rXaM6kgd9Y/cpw7/gnVkJ18dyunX5jvXYwZYWtZ4W6mpnJ8/l4jiKfGLVhwbg0IkUBtadB1QAxzghsR6OPuoGAk2ZD/rdKxtkmXiN5tRqHpRKfCh3cBhhhaiDW7/i+Hq+magS5qDGh8hUUJReQ+7ei5a7SZeew/gvgW47yXc/RLNYqNNbfIw==</ds:Modulus>
<ds:Exponent>AQAB</ds:Exponent>
</ds:RSAKeyValue>
</ds:KeyValue>
</ds:KeyInfo>
</ds:Signature>
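An added example, not from the question above, that makes the whitespace point concrete: the signature covers the canonical form of SignedInfo, and inclusive C14N (the method declared in the signature above) keeps whitespace-only text nodes, so indentation added after signing, or a different PreserveWhitespace setting when the document is loaded, changes the bytes being verified. The class name and the shortened SignedInfo are constructed; the algorithm URIs, Reference URI and digest are copied from the question's signature.

```csharp
using System;
using System.IO;
using System.Security.Cryptography;
using System.Security.Cryptography.Xml; // NuGet package of the same name on .NET Core / .NET 5+
using System.Xml;

// Added example: shows that inclusive C14N keeps whitespace-only text nodes, so a
// SignedInfo that is pretty-printed after signing canonicalizes to different bytes
// than the compact form the signature was computed over.
static class C14nWhitespaceDemo
{
    // Constructed SignedInfo, indented the way XmlSerializer writes it by default.
    // Algorithm URIs, Reference URI and digest value mirror the question's signature.
    const string PrettySignedInfo =
        "<ds:SignedInfo xmlns:ds=\"http://www.w3.org/2000/09/xmldsig#\">\n" +
        "  <ds:CanonicalizationMethod Algorithm=\"http://www.w3.org/TR/2001/REC-xml-c14n-20010315\" />\n" +
        "  <ds:SignatureMethod Algorithm=\"http://www.w3.org/2000/09/xmldsig#rsa-sha1\" />\n" +
        "  <ds:Reference URI=\"http://localhost/simondocs/images/succes.png\">\n" +
        "    <ds:DigestMethod Algorithm=\"http://www.w3.org/2000/09/xmldsig#sha1\" />\n" +
        "    <ds:DigestValue>Dv7mVn07JAKmm77J0PzqJ1N00SI=</ds:DigestValue>\n" +
        "  </ds:Reference>\n" +
        "</ds:SignedInfo>";

    // Loads the XML with or without whitespace-only text nodes, applies inclusive C14N
    // and returns the canonical bytes, i.e. what a signature over SignedInfo actually covers.
    public static byte[] Canonicalize(string xml, bool preserveWhitespace)
    {
        var doc = new XmlDocument { PreserveWhitespace = preserveWhitespace };
        doc.LoadXml(xml);

        var c14n = new XmlDsigC14NTransform();
        c14n.LoadInput(doc);
        using (var output = (Stream)c14n.GetOutput())
        using (var buffer = new MemoryStream())
        {
            output.CopyTo(buffer);
            return buffer.ToArray();
        }
    }

    public static string Sha256Base64(byte[] data)
    {
        using (var sha256 = SHA256.Create())
            return Convert.ToBase64String(sha256.ComputeHash(data));
    }

    static void Main()
    {
        byte[] kept = Canonicalize(PrettySignedInfo, preserveWhitespace: true);
        byte[] dropped = Canonicalize(PrettySignedInfo, preserveWhitespace: false);

        Console.WriteLine("digest, indentation kept:    " + Sha256Base64(kept));
        Console.WriteLine("digest, indentation dropped: " + Sha256Base64(dropped));
        // The two canonical forms differ, so only the one matching the signer's
        // in-memory SignedInfo can verify. Pretty-printing is not a cosmetic change here.
        Console.WriteLine("canonical forms identical:   " + (Sha256Base64(kept) == Sha256Base64(dropped)));
    }
}
```

SignedXml verifies against whatever canonical form results from how the XmlDocument was loaded, so load it with the PreserveWhitespace setting the signer used (Microsoft's SignedXml samples set PreserveWhitespace = true before Load, and serialize the signed document without re-indenting it).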

ADFS SAML prefix ds missing in <KeyInfo>

I wanted to integrate the Token Certificate with the SAML object coming through ADFS. I can parse (using C#) every item except the certificate value, due to the KeyInfo format. I think "KeyInfo" is missing the 'ds' prefix. I don't know where I am making a mistake.
<samlp:Response ID=\"_00ca83c9-aad0-4210-9174-87ec874c5103\" Version=\"2.0\" xmlns:samlp=\"urn:oasis:names:tc:SAML:2.0:protocol\">
<Issuer xmlns=\"urn:oasis:names:tc:SAML:2.0:assertion\">*******</Issuer><samlp:Status><samlp:StatusCode Value=\"urn:oasis:names:tc:SAML:2.0:status:Success\" /></samlp:Status>
<Assertion ID=\"_bac09d77-c98e-48f6-bf62-8bbbbd1756d9\" IssueInstant=\"2015-08-19T23:07:32.659Z\" Version=\"2.0\" xmlns=\"urn:oasis:names:tc:SAML:2.0:assertion\"><Issuer>http://ADFS.*******.com.au/adfs/services/tru</Issuer>
<ds:Signature xmlns:ds=\"http://www.w3.org/2000/09/xmldsig#\">
<ds:SignedInfo></ds:SignedInfo>
<ds:SignatureValue>some value</ds:SignatureValue>
<KeyInfo xmlns=\"http://www.w3.org/2000/09/xmldsig#\"><ds:X509Data><ds:X509Certificate>some value</ds:X509Certificate></ds:X509Data></KeyInfo>
</ds:Signature>
<Attribute Name=\"LastName\"><AttributeValue>FFFF</AttributeValue></Attribute>
<Attribute Name=\"Username\"><AttributeValue>fdfdgf</AttributeValue></Attribute>
<Attribute Name=\"VAL6\"><AttributeValue>AAAAA</AttributeValue></Attribute>
<AuthnStatement AuthnInstant=\"2015-08-19T23:07:32.549Z\"><AuthnContext>
<AuthnContextClassRef>urn:federation:authentication:windows</AuthnContextClassRef></AuthnContext></AuthnStatement>
</Assertion>
</samlp:Response>
Try this
<?xml version="1.0" encoding="utf-8" ?>
<samlp:Response ID="_00ca83c9-aad0-4210-9174-87ec874c5103" Version="2.0" xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
<Issuer xmlns="urn:oasis:names:tc:SAML:2.0:assertion">*******</Issuer>
<samlp:Status>
<samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success" />
</samlp:Status>
<Assertion ID="_bac09d77-c98e-48f6-bf62-8bbbbd1756d9" IssueInstant="2015-08-19T23:07:32.659Z" Version="2.0" xmlns="urn:oasis:names:tc:SAML:2.0:assertion">
<Issuer>http://ADFS.*******.com.au/adfs/services/tru</Issuer>
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:SignedInfo>
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/>
<ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#dsa-sha1"/>
<ds:Reference URI="http://www.w3.org/TR/2000/REC-xhtml1-20000126/">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/>
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
<ds:DigestValue>j6lwx3rvEPO0vKtMup4NbeVu8nk=</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue></ds:SignatureValue>
<KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
<ds:X509Data>
<ds:X509Certificate>MIICXTCCA..</ds:X509Certificate>
</ds:X509Data>
</KeyInfo>
</ds:Signature>
<Attribute Name="LastName">
<AttributeValue>FFFF</AttributeValue>
</Attribute>
<Attribute Name="Username">
<AttributeValue>fdfdgf</AttributeValue>
</Attribute>
<Attribute Name="VAL6">
<AttributeValue>AAAAA</AttributeValue>
</Attribute>
<AuthnStatement AuthnInstant="2015-08-19T23:07:32.549Z">
<AuthnContext>
<AuthnContextClassRef>urn:federation:authentication:windows</AuthnContextClassRef>
</AuthnContext>
</AuthnStatement>
</Assertion>
</samlp:Response>

Can't figure out why SAMLMessageSignature.Verify is returning false

I have set up Shibboleth as an IdP, using its default credentials (the certificates bundled with the installer). I think it is using the idp-signing.crt certificate to sign SAML responses. Using the LowLevelAPI ShibbolethSP example project, I have been able to log in through the Shibboleth IdP, as long as I comment out the "Verify the response's signature" code. I made sure I added SHA-256 XML signature support in Global.asax.cs, Application_Start. The message signature verification always returns false, even when I copy the idp-signing.crt file into the example directory and load that as an X509Certificate2 object, passing that in:
bool retVal = SAMLMessageSignature.Verify(samlResponseXml, x509Certificate); // is false
It even returns false when I pass no second param in, using the key info included with the signature to perform the verification:
bool retVal = SAMLMessageSignature.Verify(samlResponseXml); // is false
I can't figure out why this verification is failing. Here is a SAML response that is posted back from Shibboleth (formatted by FOXE but otherwise unchanged):
<?xml version="1.0" encoding="UTF-8"?>
<saml2p:Response Destination="http://localhost:65231/SAML/AssertionConsumerService.aspx" ID="_b69dae7dd40119cff94ece076e338e82" InResponseTo="_031b0667-d6e5-4845-add1-f82748afe0e6" IssueInstant="2015-02-06T14:07:47.193Z" Version="2.0" xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol">
<saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">http://localhost:3380/idp/shibboleth</saml2:Issuer>
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:SignedInfo>
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
<ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
<ds:Reference URI="#_b69dae7dd40119cff94ece076e338e82">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
<ds:DigestValue>kL7hYIdYRk+x27VboYeYmIzOSfokmY8iPfucnFzI5Nk=</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>
V/bRv+kjvXcTOQs3d2TjyB4d0fjW5xSl5/8RJzCf1K988DsUWVqZEswxo4iqPVsjQgkelppbcnPa
9UTjLJLIQLg6ztXrfaXYE6iHZcYw58upBcnTXgNGuKazvLm6j2wxBtm5RNe8I4vO0YtDvV3GNf6X
qVICZlhp7VC0bNiCMr7zVXcw0E4ZfCSJt3Tph9MGKK6KrSXzVSpsyagtvBnmDx2CpI+O0hW92ekk
CjjkPcvY0lfl3rYdN/xpUqsJgc6HfhnBeU+y+RgEyb0eLuN/aZBOfiWMSAtMkJhcaoESwBtlaFg/
m46jdarT6ZDGfU9J4JnOzkAHlr8nMlEKcEzD8g==
</ds:SignatureValue>
<ds:KeyInfo>
<ds:X509Data>
<ds:X509Certificate>MIIDIDCCAgigAwIBAgIVANgMuf9G9xkZYBghdEkxjLMPwHJhMA0GCSqGSIb3DQEBCwUAMBgxFjAU...</ds:X509Certificate>
</ds:X509Data>
</ds:KeyInfo>
</ds:Signature>
<saml2p:Status>
<saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
</saml2p:Status>
<saml2:Assertion ID="_9d0be4db6f36fbd7026dc1efd7dfc224" IssueInstant="2015-02-06T14:07:47.193Z" Version="2.0" xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
<saml2:Issuer>http://localhost:3380/idp/shibboleth</saml2:Issuer>
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:SignedInfo>
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
<ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
<ds:Reference URI="#_9d0be4db6f36fbd7026dc1efd7dfc224">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
<ds:DigestValue>hR6KDOh+st3yunebqeUz4aqHMin/5rc6gHrkIwgypLc=</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>
V9BB0UEBqsBGsiUHbVH8mw8sG52pLI6ec/lGMCqeNGqTUYF8HwOPpjkViJ/Pz91HRFIgRoPlVqHy
dRGMAJFpYvakOh/vB1+GP3T0Jh20gF8I7JfzOfMwuF8A5ryEdoxB6JQp0AR6mEXi88RPFfWrAmB1
G/mTt6Q94uW0lrqfiyphp49K6HNhRvyIOCOLWtthBdnMQPLlCh6NAMaJAh+2dzx2CjeT4P58H9FP
ANJQxB+JR3J2cum5XVn+Rrrx6fiL640I514G0dDu2bi4InXMGH/mKXVCLQX4w/1g0fGv/icrdY9H
734JhawjfY/+NfO4Fj3+E6Yx3+k8ytku0qUZkw==
</ds:SignatureValue>
<ds:KeyInfo>
<ds:X509Data>
<ds:X509Certificate>MIIDIDCCAgigAwIBAgIVANgMuf9G9xkZYBghdEkxjLMPwHJhMA0GCSqGSIb3DQEBCwUAMBgxFjAU...</ds:X509Certificate>
</ds:X509Data>
</ds:KeyInfo>
</ds:Signature>
<saml2:Subject>
<saml2:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient" NameQualifier="http://localhost:3380/idp/shibboleth" SPNameQualifier="http://localhost:65231/SAML/metadata.xml">AAdzZWNyZXQxpeMWTEyWX1tgYmk7ixdbi775mfBFBHikiub8dsf7HLwD2Xo5yPhD2HL21GF3Hle9oYEQCMFJ3R2dxZ8y22FknvLoGmDZ++VdymaQB0WpEaMzy3Ox9g8X6ALYMdZWedk78uCbpSvjpqdCM4Lhi13VdAQqvAs=</saml2:NameID>
<saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
<saml2:SubjectConfirmationData Address="127.0.0.1" InResponseTo="_031b0667-d6e5-4845-add1-f82748afe0e6" NotOnOrAfter="2015-02-06T14:12:47.236Z" Recipient="http://localhost:65231/SAML/AssertionConsumerService.aspx"/>
</saml2:SubjectConfirmation>
</saml2:Subject>
<saml2:Conditions NotBefore="2015-02-06T14:07:47.193Z" NotOnOrAfter="2015-02-06T14:12:47.193Z">
<saml2:AudienceRestriction>
<saml2:Audience>http://localhost:65231/SAML/metadata.xml</saml2:Audience>
</saml2:AudienceRestriction>
</saml2:Conditions>
<saml2:AuthnStatement AuthnInstant="2015-02-06T14:07:47.057Z" SessionIndex="_267b5fd351054d45e5961e83427483fe">
<saml2:SubjectLocality Address="127.0.0.1"/>
<saml2:AuthnContext>
<saml2:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</saml2:AuthnContextClassRef>
</saml2:AuthnContext>
</saml2:AuthnStatement>
<saml2:AttributeStatement>
<saml2:Attribute FriendlyName="username" Name="urn:ecolint.ch:attribute-def:username" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
<saml2:AttributeValue>Jeremy.Morton</saml2:AttributeValue>
</saml2:Attribute>
</saml2:AttributeStatement>
</saml2:Assertion>
</saml2p:Response>
Can anyone tell me why the Verify method might always be returning false?
Assertions from Testshib are encrypted.
I use the low-level API from ComponentSpace. We are an SP for many clients and support numerous IdPs.
The SAMLResponse class has three methods I use when testing the assertions from an IdP.
First I try .GetAssertions().
If that doesn't return the assertions, I try .GetSignedAssertion(certificate).
If that doesn't return the assertion, I try .GetEncryptedAssertions().
The last is always where I get the assertions for Testshib.
Then, if you are using X509Certificate2, when you load your pfx file you have to create that object with X509KeyStorageFlags.Exportable. If not, the private key will always be null.
I do something like this:
var key = pfxCertificate.PrivateKey;
if (key == null)
{
    throw new NullReferenceException("pfx private key is null");
}
foreach (var encryptedAssertion in encryptedAssertions)
{
    assertions.Add(encryptedAssertion.Decrypt(key, null));
}
if (assertions.Count > 0)
{
    samlAssertion = assertions[0];
}
Finally, if you alter your SP metadata certificate you MUST upload it again to Testshib on their registration tab. The encrypted assertions use your certificate to encrypt, so you use your private key to decrypt. If this doesn't match what was uploaded to Testshib, it will never decrypt. Make sure the file name of your SP metadata is unique in the world, something like CrazyLikelyUniqueInTheWorld2939596.xml. Otherwise, someone else will overwrite your SP test metadata on Testshib if you name it something like spmetadata.xml.

Sign SOAP Request using X509 from WCF Client

I have a requirement where I have to call a third-party web service using a WCF client. The third-party service I have to call is a secure web service and uses HTTPS, for example https://kavyen.com/md. The service provider has provided me with both server and client certificates.
I have to create a WCF client which signs the SOAP request but doesn't encrypt it; in other words, I need to have signing information in the SOAP header but don't want the entire body to be encrypted.
Below is a sample of the SOAP envelope which I have to send from the WCF client.
<?xml version="1.0" encoding="UTF-8"?>
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
<soapenv:Header>
<wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" soapenv:mustUnderstand="1">
<wsse:BinarySecurityToken xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" wsu:Id="CertId-639F96823FC161A915140921867132422">...</wsse:BinarySecurityToken>
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#" Id="Signature-8">
<ds:SignedInfo>
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
<ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
<ds:Reference URI="#Id-762175305">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
<ds:DigestValue>WAtX3NtBp52Y5beBeL28QtPq6LE=</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>
OibCc5mrk6noqbukfcxy8Tt/d8+/JlOm9Nmx3nrD1i00HWjqi3v55sbnUowCPGA+fztRcIXhuWYF
GlQyrRxxPLhnvM6vfk9zEZYbS/34dudp9H8gswPh+wsWa0/nowgSoo+eK5I0AbYNqCIHD3EUAfzG
/Br+gMqtRuZyZbhtKbg=
</ds:SignatureValue>
<ds:KeyInfo Id="KeyId-639F96823FC161A915140921867132623">
<wsse:SecurityTokenReference xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="STRId-639F96823FC161A915140921867132624">
<wsse:Reference URI="#CertId-639F96823FC161A915140921867132422" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"/>
</wsse:SecurityTokenReference>
</ds:KeyInfo>
</ds:Signature>
</wsse:Security>
</soapenv:Header>
<soapenv:Body xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="Id-762175305">
<TestMessage>This is a test.</TestMessage>
</soapenv:Body>
</soapenv:Envelope>
The service provider
Use this binding:
<customBinding>
  <binding name="NewBinding0">
    <textMessageEncoding messageVersion="Soap11" />
    <security authenticationMode="MutualCertificate" includeTimestamp="false"
              messageSecurityVersion="WSSecurity10WSTrustFebruary2005WSSecureConversationFebruary2005WSSecurityPolicy11BasicSecurityProfile10">
      <secureConversationBootstrap />
    </security>
    <httpTransport />
  </binding>
</customBinding>
Also decorate your contracts with this attribute:
[System.ServiceModel.ServiceContractAttribute(ConfigurationName=..., ProtectionLevel=System.Net.Security.ProtectionLevel.Sign)]
The contract is in reference.cs.