PingFederate Identity Provider integration with .NET 4 Service Provider

We have integrated our CMS website (Umbraco) with an external PingFederate identity provider over IdP-initiated SSO.
PingFederate will post the SAML 2 response over HTTP POST. I would like to know whether this SAML component will support the integration without any trouble, so we can try it and purchase.

regards

We have many customers who have successfully integrated with PingFederate. I would recommend downloading an evaluation version of our product and prototype the integration you are after to ensure it meets your needs. If you have any questions then feel free to contact us through the forum or our support email.

Thanks for your reply; I am going to try it out with the trial version now.

Also, in our implementation the SAML token is signed and the IdP provided the .crt file to us.

In the sample Service Provider code (Higher Level API) I do not find certificate validation code. Does that mean it's handled behind the scenes using values from saml.config?

But in the Lower Level API I see the code to validate the certificate, and in the global.asax.cs file I see the ValidateRemoteServerCertificate method hard-coded to return true. How should this be modified in our case?

Please answer.

regards


The high level API automatically verifies XML signatures as long as you configure it to do that. For example, if WantSAMLResponseSigned is set to true in the <PartnerIdentityProvider> section of saml.config then XML signature verification occurs.
Please note that XML signature verification is different from X.509 certificate validation.
Certificate validation refers to ensuring the certificate can be trusted, hasn't expired, hasn't been revoked etc.
This is independent of XML signature verification using the certificate.
For example, you can use an expired self-signed certificate to verify an XML signature. Of course, you wouldn't want to use a certificate like this in production.
Our API handles XML signature verification. We leave it up to the application to validate X.509 certificates as required. This is something you might do on a scheduled basis or as per your requirements.
In some of our low-level API examples we support the HTTP artifact binding profile. As part of the HTTP artifact profile, an artifact resolve message is sent to the artifact resolution service, typically using SOAP over HTTPS. In a test environment with self-signed certificates, certificate validation is overridden so all certificates are trusted.

Thanks for your response.
I am a little bit confused about XML signature validation and X.509 certificate validation.
I believe the .crt file the IdP vendor provided to us is for XML signature validation.

Please see the SAML token in the request sent by the IdP for testing. Please review and let me know what you think.
Thanks a lot.

regards
Bobby.KC
TMP Worldwide


<samlp:Response Version="2.0"
    ID="zj0mXpdPeUy2j8BDRLYOGSLl2IZ"
    IssueInstant="2014-10-08T12:26:06.520Z"
    xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
  <saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">https://.com/dev</saml:Issuer>
  <samlp:Status>
    <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success" />
  </samlp:Status>
  <saml:Assertion ID="zhLw5bHTmWQsjBFxhgUTGn.DD57"
      IssueInstant="2014-10-08T12:26:07.091Z"
      Version="2.0"
      xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
    <saml:Issuer>https://www.bankofamerica.com/dev</saml:Issuer>
    <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
      <ds:SignedInfo>
        <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
        <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
        <ds:Reference URI="#zhLw5bHTmWQsjBFxhgUTGn.DD57">
          <ds:Transforms>
            <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
            <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
          </ds:Transforms>
          <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
          <ds:DigestValue>BnZH4+5ISEr9BTk1mKKBMgkSGVQ=</ds:DigestValue>
        </ds:Reference>
      </ds:SignedInfo>
      <ds:SignatureValue>
V8GqHDu49Ve9MC3AUqIY32Ll6/GbIFV4YaNJFJZr2q831dxn2IWO/BHjxuhJs4pHe92vyoVA6hmx
4DQpkMIdifffRyhlyoMhaX2iaCOXvl2Ren3+yhasdfGJeDWu/FEVmy6FiO7qtnupadz5
O4KKdlxUTKk22ENh7PWlG7ycM444DEwj9rEXRLND9QJw4ffXEtHZh2cbWk7oZk5e+u4zNv5A816u
BU/hGy/v0JMoqTNgDsWQrMshtlXDhNuQDWBPUqgMvJ5JVqqlUfJGwk9daJ8rYUgRaVEHfkbV2i6I
5KUtDbgiatCNHG71P1veJLSToXUbygedzktzDw==
      </ds:SignatureValue>
      <ds:KeyInfo>
        <ds:X509Data>
          <ds:X509Certificate>…</ds:X509Certificate>
        </ds:X509Data>
      </ds:KeyInfo>
    </ds:Signature>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">24831482</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData Recipient="https://aaa/sso.aspx"
            NotOnOrAfter="2014-10-08T12:31:07.092Z" />
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions NotBefore="2014-10-08T12:21:07.092Z"
        NotOnOrAfter="2014-10-08T12:31:07.092Z">
      <saml:AudienceRestriction>
        <saml:Audience>ICTMPADMIN</saml:Audience>
      </saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AuthnStatement SessionIndex="zhLw5bHTmWQsjBFxhgUTGn.DD57"
        AuthnInstant="2014-10-08T12:26:07.091Z">
      <saml:AuthnContext>
        <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified</saml:AuthnContextClassRef>
      </saml:AuthnContext>
    </saml:AuthnStatement>
    <saml:AttributeStatement>
      <saml:Attribute Name="Email"
          NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
        <saml:AttributeValue xsi:type="xs:string"
            xmlns:xs="http://www.w3.org/2001/XMLSchema"
            xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">aaa@abc.com</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute Name="bofaJobCode"
          NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
        <saml:AttributeValue xsi:type="xs:string"
            xmlns:xs="http://www.w3.org/2001/XMLSchema"
            xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">TF002</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute Name="bofaBand"
          NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
        <saml:AttributeValue xsi:type="xs:string"
            xmlns:xs="http://www.w3.org/2001/XMLSchema"
            xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">H4</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute Name="displayName"
          NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
        <saml:AttributeValue xsi:type="xs:string"
            xmlns:xs="http://www.w3.org/2001/XMLSchema"
            xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">Hopkinson, Scott</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>


That’s correct. The IdP has signed the SAML assertion. The certificate file they’ve supplied to you should be used to verify the XML signature.
The high-level API ExampleServiceProvider demonstrates how to specify the IdP's certificate file and that the SAML assertion is signed. The SAML configuration in the saml.config file includes <PartnerIdentityProvider> entries. For example:

<PartnerIdentityProvider Name="urn:componentspace:ExampleIdentityProvider"
    SignAuthnRequest="false"
    WantSAMLResponseSigned="true"
    WantAssertionSigned="false"
    WantAssertionEncrypted="false"
    SingleSignOnServiceUrl="http://localhost/ExampleIdentityProvider/SAML/SSOService.aspx"
    SingleLogoutServiceUrl="http://localhost/ExampleIdentityProvider/SAML/SLOService.aspx"
    CertificateFile="idp.cer"/>

This example expects the SAML response to be signed instead of the SAML assertion.
In your case you would set WantSAMLResponseSigned to false and WantAssertionSigned to true. You would also specify the CertificateFile supplied by the IdP.

Thanks for your prompt reply. I will try it out tomorrow and get back to you if have any issues.
Thanks again.
regards
BObby.


Hi,
I was trying to run the ExampleServiceProvider example with the earlier provided SAML file and I am getting an error:

“The SAML assertion is outside the valid time period.”

Below is the test code I am using. Does this mean the SAML token I have is outdated and only works on a direct post? Please let me know.

<form action="http://localhost:51830/SAML/AssertionConsumerService.aspx" method="post">


We check the not-before and not-on-or-after values included in the SAML assertion. If the assertion is outside its validity time window then it's rejected.
If the SAML assertion is in a file and you're replaying it then it's most likely that it's expired.
You should regenerate rather than replay SAML assertions.
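The three checks the vendor separates in this thread, XML signature verification, X.509 certificate validation and the assertion's time window, as an added example written directly against the .NET Framework classes (this is not ComponentSpace's code or its API); the class name, the certificate file name and the clock-skew value are assumptions:

```csharp
using System;
using System.Security.Cryptography.X509Certificates;
using System.Security.Cryptography.Xml;
using System.Xml;

// Added example, not ComponentSpace code; "fedidp.cer" and the file paths are hypothetical.
public static class AssertionChecks
{
    static XmlNamespaceManager Ns(XmlDocument doc)
    {
        var ns = new XmlNamespaceManager(doc.NameTable);
        ns.AddNamespace("saml", "urn:oasis:names:tc:SAML:2.0:assertion");
        ns.AddNamespace("ds", "http://www.w3.org/2000/09/xmldsig#");
        return ns;
    }

    // 1. XML signature verification (the WantAssertionSigned="true" case): the enveloped
    //    <ds:Signature> on <saml:Assertion> must verify with the key from the IdP's .cer file.
    public static bool VerifyAssertionSignature(XmlDocument doc, X509Certificate2 idpCert)
    {
        var ns = Ns(doc);
        var assertion = doc.SelectSingleNode("//saml:Assertion", ns) as XmlElement;
        var sig = assertion == null ? null : assertion.SelectSingleNode("ds:Signature", ns) as XmlElement;
        if (sig == null) return false;
        var signedXml = new SignedXml(assertion);
        signedXml.LoadXml(sig);
        // Verify against the configured certificate only, never the key embedded in <ds:KeyInfo>.
        return signedXml.CheckSignature(idpCert, true);
    }

    // 2. X.509 certificate validation: chain to a trusted root, not expired, not revoked.
    //    Independent of step 1: an expired self-signed certificate can still pass step 1.
    public static bool ValidateCertificate(X509Certificate2 cert)
    {
        var chain = new X509Chain();
        chain.ChainPolicy.RevocationMode = X509RevocationMode.Online;
        return chain.Build(cert);
    }

    // 3. Validity window from <saml:Conditions>; a replayed test file fails here once it expires.
    public static bool WithinValidityWindow(XmlDocument doc, DateTime nowUtc, TimeSpan skew)
    {
        var cond = doc.SelectSingleNode("//saml:Assertion/saml:Conditions", Ns(doc)) as XmlElement;
        if (cond == null) return false;
        var notBefore = XmlConvert.ToDateTime(cond.GetAttribute("NotBefore"), XmlDateTimeSerializationMode.Utc);
        var notOnOrAfter = XmlConvert.ToDateTime(cond.GetAttribute("NotOnOrAfter"), XmlDateTimeSerializationMode.Utc);
        return nowUtc + skew >= notBefore && nowUtc - skew < notOnOrAfter;
    }
}
```

Load the response with `new XmlDocument { PreserveWhitespace = true }` before calling these, otherwise canonicalization sees different bytes from the ones that were signed. Pass `new X509Certificate2("fedidp.cer")`, `DateTime.UtcNow` and a small skew such as `TimeSpan.FromMinutes(3)`.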

Thanks again for your answer.
I have the below assertion dates in my test token.

<saml:Conditions NotOnOrAfter="2014-10-15T12:31:07.092Z" NotBefore="2014-10-08T12:21:07.092Z">
Seems it's valid till 15th Oct. I asked the client to provide a new token and will test at the same time and let you know.
regards

The SAML assertion would be valid between those dates. Please note that a long validity period is ok for testing but not in a production environment.
If you’re still having issues please enable SAML trace and send the generated log file to support@componentspace.com mentioning this topic.

http://www.componentspace.com/Forums/17/Enabing-SAML-Trace

Hi, morning.
After I tried my example I am getting "The SAML assertion signature failed to verify".
Below is my saml.config, and I keep my fedidp.cer in the root folder. Do I need the "ServiceProvider" section, as in my case it's IdP-initiated SSO?
Note: I am following the WebForms high-level API ExampleServiceProvider.

<?xml version="1.0"?>

<ServiceProvider Name="urn:componentspace:ExampleServiceProvider"
    AssertionConsumerServiceUrl="~/SAML/AssertionConsumerService.aspx"
    CertificateFile="sp.pfx"
    CertificatePassword="password"/>

<PartnerIdentityProvider Name="https://www.bankofamerica.com/dev"
    SignAuthnRequest="false"
    WantSAMLResponseSigned="false"
    WantAssertionSigned="true"
    WantAssertionEncrypted="false"
    SingleSignOnServiceUrl="http://localhost/ExampleIdentityProvider/SAML/SSOService.aspx"
    SingleLogoutServiceUrl="http://localhost/ExampleIdentityProvider/SAML/SLOService.aspx"
    CertificateFile="fedidp.cer"/>


Thanks



The fedidp.cer specified in the <PartnerIdentityProvider> section is used when attempting to verify the XML signature.
If the signature verification is failing it’s either because the wrong certificate is being used or the XML was altered after signing.
I suggest enabling SAML trace and sending the log file as an email attachment to support@componentspace.com. Please mention this topic.
We can then take a look at the signed XML and do some checks.

Thanks for the reply.
We have tested the direct IdP-initiated HTTP POST and are getting the below error:
The audience restriction ICTMPADMIN doesn't match the expected audience restriction urn:componentspace:ExampleServiceProvider.

Emailing the log file to support@componentspace.com.

Thanks for the log. I’ve replied to your email.