Need help generating SAML Assertion

I need to complete the following steps using your API.
We have a portal that authenticates our users. I need to pass their credentials to our partner (signed and encrypted) along with redirecting the user to their site.
Here are the basic steps the partner requires (step 1 is taken care of outside of your API):
1. User logs in to their asserting company's Intranet (portal)
   • User token is generated upon successful authentication
   • Application links presented are based on user's entitlements

*NEED TO KNOW HOW TO USE YOUR API TO DO THE BELOW STEPS.
2. User clicks on link to vendor site
   • SAML2 assertion response is generated
     o The Subject NameID is set
     o Additional optional attributes can be sent per application requirements
     o Attributes include: firstname, lastname, emailaddress, applicationname, errorURL
   • SAML2 assertion is signed by the asserting company's certificate
   • SAML2 assertion is base64 encoded

3. Asserting company sends SAML assertion to vendor in a form post
   • Standard hidden form variables are below:
     o SAMLResponse
     o errorURL (optional)

The SAMLIdentityProvider.InitiateSSO and SAMLIdentityProvider.SendSSO APIs create, sign and send a SAML assertion.
You call SAMLIdentityProvider.InitiateSSO for IdP-initiated SSO and SAMLIdentityProvider.SendSSO for SP-initiated SSO.
The SAML NameID is specified as the userName parameter.
The SAML attributes are specified as the attributes parameter.
The ExampleIdentityProvider project under the Examples\SSO\HighLevelAPI\WebForms folder demonstrates calling these API calls.
The Examples Guide provides a walk-through of the ExampleIdentityProvider.

[quote]
ComponentSpace - 1/28/2019
The SAMLIdentityProvider.InitiateSSO and SAMLIdentityProvider.SendSSO APIs create, sign and send a SAML assertion.
You call SAMLIdentityProvider.InitiateSSO for IdP-initiated SSO and SAMLIdentityProvider.SendSSO for SP-initiated SSO.
The SAML NameID is specified as the userName parameter.
The SAML attributes are specified as the attributes parameter.
The ExampleIdentityProvider project under the Examples\SSO\HighLevelAPI\WebForms folder demonstrates calling these API calls.
The Examples Guide provides a walk-through of the ExampleIdentityProvider.
[/quote]

So I don't see where the API allows me to place the signed and encrypted XML into the SAMLResponse parameter of the HTTP request. Is there a way to do that?

It does all this for you automatically.
It will send the encoded SAML response in an HTTP Post to the SP.

[quote]
ComponentSpace - 1/28/2019
It does all this for you automatically.
It will send the encoded SAML response in an HTTP Post to the SP.
[/quote]

How do I see the XML that's generated? I need to store it in a file (before it's encrypted).
Where do I pass the "Issuer" value to the SAMLIdentityProvider.InitiateSSO so that it will be included in the XML (or is that just an additional attribute)?
How do I pass the certificate/key info to the method for encryption? I will need to pass different certificates based on specific criteria of the request.

thanks,
Josh
This is what my sample assertion should look like pre-encryption:


You can enable SAML trace. The generated log file will include the SAML assertion before and after encryption.
https://www.componentspace.com/Forums/17/Enabing-SAML-Trace
If you wish to do this programmatically, we have an ISAMLObserver interface under the ComponentSpace.SAML2.Notifications namespace.
This includes an OnSAMLAssertionCreated callback method which provides access to the unencrypted SAML assertion and an OnSAMLResponseCreated callback method which provides access to the SAML response including the encrypted SAML assertion.
You should create a class that extends the AbstractSAMLObserver class and override the OnSAMLAssertionCreated and OnSAMLResponseCreated methods.
You register your class by calling the SAMLObservable.Subscribe method.
For example:
SAMLObservable.Subscribe(new MySAMLObserver());

The Issuer field in the SAML response is set automatically to the Name in your saml.config.

The SAML assertion is encrypted using the PartnerCertificateFile in your saml.config.

Thank you, this was helpful.
Did you reference or offer a link on how to pass / give the certificate to the API that should be used to encrypt the xml?


We don’t support passing the certificate through the API.
Instead, the certificate is specified through the SAML configuration as the PartnerCertificateFile.
Normally a given partner SP only has one encryption certificate and this doesn’t change frequently.

[quote]
ComponentSpace - 1/29/2019
We don't support passing the certificate through the API.
Instead, the certificate is specified through the SAML configuration as the PartnerCertificateFile.
Normally a given partner SP only has one encryption certificate and this doesn't change frequently.
[/quote]

So when I call the API and the XML is generated, it has to be signed and encrypted. How does your API know where to retrieve the certificate for the specific SP value that is provided to the API? (I assume that's what happens? It uses the certificate associated with that specific partnerSP name?) Where is that "association" to the certificate file maintained and administered?

The signing and encryption is controlled through the SAML configuration.
For the <PartnerServiceProvider> you set SignAssertion="true" for the assertion to be signed and EncryptAssertion="true" for it to be encrypted.
If SignAssertion is true, the LocalCertificateFile is used to generate the signature.
If EncryptAssertion is true, the PartnerCertificateFile is used to encrypt the assertion.
When you call SAMLIdentityProvider.InitiateSSO, the partnerSP parameter specifies the SP. This parameter must match a Name in your SAML configuration.
There is a SAMLIdentityProvider.InitiateSSO overload that doesn't take a partnerSP name but this only applies if there's a single <PartnerServiceProvider> in your SAML configuration.

[quote]
ComponentSpace - 1/29/2019
The signing and encryption is controlled through the SAML configuration.
For the <PartnerServiceProvider> you set SignAssertion="true" for the assertion to be signed and EncryptAssertion="true" for it to be encrypted.
If SignAssertion is true, the LocalCertificateFile is used to generate the signature.
If EncryptAssertion is true, the PartnerCertificateFile is used to encrypt the assertion.
When you call SAMLIdentityProvider.InitiateSSO, the partnerSP parameter specifies the SP. This parameter must match a Name in your SAML configuration.
There is a SAMLIdentityProvider.InitiateSSO overload that doesn't take a partnerSP name but this only applies if there's a single <PartnerServiceProvider> in your SAML configuration.
[/quote]

Okay, I think I can work with that. Can I simply add a SAML.config file to my project and the API will look for it, or does it have to be referenced in some way? I see it in the example project, so I know its overall structure and think I can replicate one in my project manually, but want to make sure the API will pick up the file (is there a specific location it needs to be found in)?
I have added a SAML.config file to my project. It has the following content:

<?xml version="1.0"?>
<SAMLConfiguration xmlns="urn:componentspace:SAML:2.0:configuration">
  <ServiceProvider Name="https://www.crump.com"
    Description="SIAA SSO"
    AssertionConsumerServiceUrl="~/SAML/AssertionConsumerService.aspx"
    LocalCertificateFile="Certificates\sp.pfx"
    LocalCertificatePassword="password"/>

  <PartnerIdentityProviders>
    <PartnerIdentityProvider Name="https://www.siaa4u.com"
      Description="SIAA SSO"
      SignAuthnRequest="true"
      SingleSignOnServiceUrl="https://localhost:44390/SAML/SSOService.aspx"
      PartnerCertificateFile="Certificates\idp.cer"/>
  </PartnerIdentityProviders>
</SAMLConfiguration>

However, when I call the SAMLIdentityProvider.InitiateSSO() function I get the error "A local identity provider is not configured". Shouldn't it be looking at the <ServiceProvider> tag info? Is there something I have to do to tell it where to find the SAML.config file?

thanks,
Josh

The saml.config file should be in your application's root folder (i.e. in the same place as the top-level web.config).
The configuration you have includes a <ServiceProvider> and <PartnerIdentityProvider>.
This means your application is the service provider and the partner site is the identity provider.
If you're the service provider you call the methods on the SAMLServiceProvider class.
If you're the identity provider your SAML configuration would include an <IdentityProvider> and <PartnerServiceProvider> rather than a <ServiceProvider> and <PartnerIdentityProvider>.
You would then call methods on the SAMLIdentityProvider class.
My understanding is that your application is the identity provider so you should take a look at the saml.config for the ExampleIdentityProvider project.
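An added example (not from this thread and not one of ComponentSpace's shipped sample files) of what a saml.config for the identity-provider role looks like, built from the element names given in the reply above and the SignAssertion, EncryptAssertion, LocalCertificateFile and PartnerCertificateFile settings discussed earlier in the thread. The Name values, file names and password are placeholders; the xmlns value is the one ComponentSpace saml.config files use.

```xml
<?xml version="1.0"?>
<!-- Added example: saml.config for an application acting as the SAML identity provider.
     Element names follow the reply above; Name values, paths and the password are placeholders. -->
<SAMLConfiguration xmlns="urn:componentspace:SAML:2.0:configuration">

  <!-- The local identity provider. Its Name is used as the Issuer of the SAML response.
       LocalCertificateFile is a .pfx holding the private key that signs the assertion. -->
  <IdentityProvider Name="https://idp.example.com"
                    Description="Example Identity Provider"
                    LocalCertificateFile="Certificates\idp.pfx"
                    LocalCertificatePassword="PLACEHOLDER-PASSWORD"/>

  <!-- One entry per partner service provider. The Name must match the partnerSP value
       passed to SAMLIdentityProvider.InitiateSSO. PartnerCertificateFile is the SP's
       public certificate (.cer) and is what encrypts the assertion when EncryptAssertion is true. -->
  <PartnerServiceProviders>
    <PartnerServiceProvider Name="https://vendor.example.com"
                            Description="Example Partner SP"
                            AssertionConsumerServiceUrl="https://vendor.example.com/SAML/AssertionConsumerService"
                            SignAssertion="true"
                            EncryptAssertion="true"
                            PartnerCertificateFile="Certificates\vendor-sp.cer"/>
  </PartnerServiceProviders>

</SAMLConfiguration>
```

With this file in the application root beside web.config, a call to SAMLIdentityProvider.InitiateSSO with partnerSP set to "https://vendor.example.com" signs the assertion with idp.pfx and encrypts it with vendor-sp.cer before posting the SAMLResponse to the configured AssertionConsumerServiceUrl.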

[quote]
ComponentSpace - 1/30/2019
The saml.config file should be in your application's root folder (i.e. in the same place as the top-level web.config).
The configuration you have includes a <ServiceProvider> and <PartnerIdentityProvider>.
This means your application is the service provider and the partner site is the identity provider.
If you're the service provider you call the methods on the SAMLServiceProvider class.
If you're the identity provider your SAML configuration would include an <IdentityProvider> and <PartnerServiceProvider> rather than a <ServiceProvider> and <PartnerIdentityProvider>.
You would then call methods on the SAMLIdentityProvider class.
My understanding is that your application is the identity provider so you should take a look at the saml.config for the ExampleIdentityProvider project.
[/quote]

Okay. So I created a private key and public key. Here is a sample (not the exact one I'll be using). How do I get them from this to what your program expects (a .pfx file)?
This is a private ssl key that our net team provided me.

-----BEGIN ENCRYPTED PRIVATE KEY-----
[encrypted key material omitted]
-----END ENCRYPTED PRIVATE KEY-----

You should use openssl to perform the conversion.
openssl pkcs12 -export -out certificate.pfx -inkey privateKey.key -in certificate.crt
https://www.ssl.com/how-to/create-a-pfx-p12-certificate-file-using-openssl/