How to create SAML and encrypt/sign it to send to another process

Hello,
I am using C# and would like to create SAML using a certificate to encrypt and sign it. Are there examples of this?
I was planning to use a self signed cert since it is all internal.

Do you have documentation on this?

Hi Ray
Is this part of SSO? If so, we recommend using the high-level API. When you call SAMLIdentityProvider.InitiateSSO or SAMLIdentityProvider.SendSSO, a SAML response containing a SAML assertion is constructed and sent to the service provider.
If the configuration specifies that the SAML assertion should be signed and/or encrypted, this will occur automatically.

The following code demonstrates how to sign and encrypt a SAML assertion using the low-level API.
However, wherever possible, it’s always recommended to use the high-level API.


// Load the signing and encryption certificates.
// The identity provider signs with its private key.
// The identity provider encrypts with the service provider's public key.
X509Certificate2 idpCertificate = new X509Certificate2("idp.pfx", "password",
X509KeyStorageFlags.MachineKeySet);
X509Certificate2 spCertificate = new X509Certificate2("sp.cer");

// Construct a SAML assertion - details not shown.
SAMLAssertion samlAssertion = new SAMLAssertion();
samlAssertion.Issuer = new Issuer(“test”);

// Serialize to XML.
XmlElement xmlElement = samlAssertion.ToXml();

// Sign the SAML assertion.
SAMLAssertionSignature.Generate(xmlElement, idpCertificate.PrivateKey, idpCertificate);

// Encrypt the SAML assertion.
EncryptedAssertion encryptedAssertion = new EncryptedAssertion(xmlElement, spCertificate);
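
As an added example (not ComponentSpace's code, and not part of the original post), the same signing step written against the standard .NET System.Security.Cryptography.Xml API, so you can see what an enveloped SAML signature contains and how the service-provider side check rejects a modified assertion. The class and method names, the minimal assertion XML and the NameID value are constructed for this illustration; the idp.pfx file and password are assumed to exist as in the post above.

```csharp
using System;
using System.Security.Cryptography.X509Certificates;
using System.Security.Cryptography.Xml;
using System.Xml;

static class AssertionSigningDemo
{
    const string SamlNs = "urn:oasis:names:tc:SAML:2.0:assertion";
    // Constructed minimal assertion for this illustration; a real one also carries Conditions, AuthnStatement etc.
    const string AssertionXml =
        "<saml:Assertion xmlns:saml=\"" + SamlNs + "\" ID=\"_demo1\" Version=\"2.0\" IssueInstant=\"2016-06-27T00:00:00Z\">" +
        "<saml:Issuer>test</saml:Issuer><saml:Subject><saml:NameID>ray</saml:NameID></saml:Subject></saml:Assertion>";
    // IdP side: enveloped XML signature over the Assertion, made with the IdP private key.
    public static XmlDocument Sign(string assertionXml, X509Certificate2 idpCert)
    {
        var doc = new XmlDocument { PreserveWhitespace = true };
        doc.LoadXml(assertionXml);
        var signedXml = new SignedXml(doc) { SigningKey = idpCert.GetRSAPrivateKey() };
        // Reference the Assertion by its ID; the enveloped transform keeps ds:Signature itself out of the digest.
        var reference = new Reference("#" + doc.DocumentElement.GetAttribute("ID"));
        reference.AddTransform(new XmlDsigEnvelopedSignatureTransform());
        reference.AddTransform(new XmlDsigExcC14NTransform());
        signedXml.AddReference(reference);
        signedXml.KeyInfo = new KeyInfo();
        signedXml.KeyInfo.AddClause(new KeyInfoX509Data(idpCert)); // embed the signing cert so the SP can match it
        signedXml.ComputeSignature();
        // SAML 2.0 places ds:Signature immediately after the Issuer element.
        doc.DocumentElement.InsertAfter(doc.ImportNode(signedXml.GetXml(), true), doc.DocumentElement.FirstChild);
        return doc;
    }
    // SP side: verify against the partner IdP certificate held in configuration, not just whatever KeyInfo embeds.
    public static bool Verify(XmlDocument signedDoc, X509Certificate2 trustedIdpCert)
    {
        var sig = signedDoc.GetElementsByTagName("Signature", SignedXml.XmlDsigNamespaceUrl)[0] as XmlElement;
        if (sig == null) return false;
        var signedXml = new SignedXml(signedDoc);
        signedXml.LoadXml(sig);
        return signedXml.CheckSignature(trustedIdpCert.GetRSAPublicKey());
    }
    public static void Main()
    {
        // Same certificate file and password as the post above (assumed to exist next to the executable).
        var idpCert = new X509Certificate2("idp.pfx", "password", X509KeyStorageFlags.MachineKeySet);
        XmlDocument signed = Sign(AssertionXml, idpCert);
        Console.WriteLine("valid: " + Verify(signed, idpCert));
        signed.GetElementsByTagName("NameID", SamlNs)[0].InnerText = "someone-else"; // any edit breaks the digest
        Console.WriteLine("valid after tampering: " + Verify(signed, idpCert));
    }
}
```

Running Main signs the assertion, verifies it with the IdP certificate, then shows that verification fails once the subject has been altered.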

Great information!!! As always…
After I have all of the information, how do I post the SAML to another page?

You need to serialize the SAMLResponse object to XML and then call one of the APIs to post the message to the service provider's assertion consumer service.


using System.Xml;
using ComponentSpace.SAML2.Profiles.SSOBrowser;

// Serialize to XML.
// samlResponse is the SAMLResponse object constructed earlier (construction not shown).
XmlElement samlResponseElement = samlResponse.ToXml();

// Send the SAML response using the HTTP-Post binding.
// The Response is the HttpResponse or HttpResponseBase object in the current page's context.
// The assertion consumer service URL is the SP's endpoint to receive the SAML response.
// The relay state is optional information and may be set to null.
IdentityProvider.SendSAMLResponseByHTTPPost(Response, assertionConsumerUrl, samlResponseElement,
relayState);

Please note that the recommended approach is to use the SAML high-level API.
Instead of the code above, you would simply call either SAMLIdentityProvider.InitiateSSO or SAMLIdentityProvider.SendSSO.
This requires less code and is more flexible as it's driven by SAML configuration (e.g. the saml.config file).

[quote]
ComponentSpace - 6/27/2016
The following code demonstrates how to sign and encrypt a SAML assertion using the low-level API.
However, wherever possible, it's always recommended to use the high-level API.


// Load the signing and encryption certificates.
// The identity provider signs with its private key.
// The identity provider encrypts with the service provider's public key.
X509Certificate2 idpCertificate = new X509Certificate2("idp.pfx", "password",
X509KeyStorageFlags.MachineKeySet);
X509Certificate2 spCertificate = new X509Certificate2("sp.cer");

// Construct a SAML assertion - details not shown.
SAMLAssertion samlAssertion = new SAMLAssertion();
samlAssertion.Issuer = new Issuer("test");

// Serialize to XML.
XmlElement xmlElement = samlAssertion.ToXml();

// Sign the SAML assertion.
SAMLAssertionSignature.Generate(xmlElement, idpCertificate.PrivateKey, idpCertificate);

// Encrypt the SAML assertion.
EncryptedAssertion encryptedAssertion = new EncryptedAssertion(xmlElement, spCertificate);

[/quote]

Hello, I haven't developed in C# in a few years, so forgive me for catching on slow here. I have downloaded your library and used the example above. My one goal right now is just to create the SAML XML response. I noticed the assertion details are skipped in the code example, so I get an error for "Failed to generate the XML signature." Do you have an example of how I would create the signature and the rest of the assertion in the code?

Thanks!

It’s much better to use the high-level API if possible.
The following code constructs, signs and sends a SAML response containing a SAML assertion.
The details are controlled through configuration (e.g. the saml.config file).

SAMLIdentityProvider.InitiateSSO(Response, userName, attributes, targetUrl, partnerSP);


The ExampleIdentityProvider project under Examples\SSO\HighLevelAPI demonstrates calling this API.
If there’s a reason you want to use the low level API please provide some more details of your requirements to make sure it can’t be done more easily using the high level API.

Thanks for the quick reply. We are an insurance company and are using ColdFusion for our customer payment portal. Our vendor for credit card payments is a .NET shop and uses your library for SAML. We have tried crafting the SAML XML response through CF using Java's OpenSAML, but our vendor keeps saying there's an error in our XML, and they can't identify the exact issue, as the XML looks to be correct on our end. I have programmed .NET in the past, so the vendor suggested we use your library to craft the SAML XML response. My one goal at the moment is to simply create a .NET assembly that we can call through ColdFusion that will create the SAML XML string. Our vendor seems to think that because your library is used on their end to process the XML, us creating the XML through that same library may do the trick.

Thanks!

I suggest asking your vendor to contact us at support@componentspace.com.
We can help with identifying any issues with the SAML response you’re generating.
I suggest they include a SAML log file attachment so we can take a look at what’s happening.
https://www.componentspace.com/Forums/17/Enabing-SAML-Trace
Once we know what the issue is we can re-visit whether it makes sense to create a .NET assembly to call through ColdFusion.

[quote]
ComponentSpace - 6/27/2016
The following code demonstrates how to sign and encrypt a SAML assertion using the low-level API.
However, wherever possible, it's always recommended to use the high-level API.


// Load the signing and encryption certificates.
// The identity provider signs with its private key.
// The identity provider encrypts with the service provider's public key.
X509Certificate2 idpCertificate = new X509Certificate2("idp.pfx", "password",
X509KeyStorageFlags.MachineKeySet);
X509Certificate2 spCertificate = new X509Certificate2("sp.cer");

// Construct a SAML assertion - details not shown.
SAMLAssertion samlAssertion = new SAMLAssertion();
samlAssertion.Issuer = new Issuer("test");

// Serialize to XML.
XmlElement xmlElement = samlAssertion.ToXml();

// Sign the SAML assertion.
SAMLAssertionSignature.Generate(xmlElement, idpCertificate.PrivateKey, idpCertificate);

// Encrypt the SAML assertion.
EncryptedAssertion encryptedAssertion = new EncryptedAssertion(xmlElement, spCertificate);

[/quote]

Can you please post the code for high-level API to achieve same.

The SAML high-level API is driven by SAML configuration. You don’t specify this in the actual API for SSO.
You call SAMLIdentityProvider.InitiateSSO for IdP-initiated SSO or SAMLIdentityProvider.SendSSO for SP-initiated SSO.
The details about whether the SAML assertion should be signed and/or encrypted are specified through the SAML configuration.
For example, here’s a partial configuration that specifies the SAML assertion should be signed and encrypted.


<PartnerServiceProvider
Name="https://ExampleServiceProvider"
SignAssertion="true"
EncryptAssertion="true"

When SAMLIdentityProvider.InitiateSSO or SAMLIdentityProvider.SendSSO executes to send a SAML response to this partner service provider, these flags are checked and in this case the SAML assertion would be signed and encrypted.