ReceiveAuthnRequestByHTTPRedirect for multiple Service Providers

Hi, I am using the low level API because we need lot of customized functionality. I am implementing an Identity Provider that will be used by many Service Providers on the same endpoints. I wonder how to call ReceiveAuthnRequestByHTTPRedirect with a public key when every SP that sends authentication requests to the IdP has its own certificate? To retrieve the right X509Certificate I need to know the SP (by the issuer name for example) but I don’t have the issuer name until after the call to ReceiveAuthnRequestByHTTPRedirect. The examples use a single certificate set at application start, which obviously doesn’t work for what I need. The same question for ReceiveLogoutMessageByHTTPRedirect.
Thank you.

I suggest using the ComponentSpace.SAML2.Bindings.HTTPRedirectBinding class rather than ReceiveAuthnRequestByHTTPRedirect.
This way you can split the processing into three operations.
1. Receive the authn request over HTTP-Redirect. The signature isn’t verified in this step.
2. Identify the SP from the issuer field in the authn request.
3. Verify the HTTP-Redirect signature.
The outline of the code is as follows.

// Receive the SAML authn request over HTTP-Redirect.
HTTPRedirectBinding.ReceiveRequest(httpRequest, out authnRequestElement, out relayState, out signatureAlgorithm, out signature);

// Get the issuer field from the authn request. This identifies the SP.
string issuerName = Issuer.GetIssuerName(authnRequestElement);

// Lookup the X.509 certificate for the SP - details not shown.

// Verify the HTTP-Redirect signature. Throws a SAMLSignatureException if verification fails.
HTTPRedirectBinding.VerifyRequestSignature(httpRequest, signatureAlgorithm, signature, x509Certificate.PublicKey.Key);

Similar code can be used for logout messages.

[quote]
ComponentSpace - 7/24/2018
I suggest using the ComponentSpace.SAML2.Bindings.HTTPRedirectBinding class rather than ReceiveAuthnRequestByHTTPRedirect.
This way you can split the processing into three operations.
1. Receive the authn request over HTTP-Redirect. The signature isn't verified in this step.
2. Identify the SP from the issuer field in the authn request.
3. Verify the HTTP-Redirect signature.
The outline of the code is as follows.

// Receive the SAML authn request over HTTP-Redirect.
HTTPRedirectBinding.ReceiveRequest(httpRequest, out authnRequestElement, out relayState, out signatureAlgorithm, out signature);

// Get the issuer field from the authn request. This identifies the SP.
string issuerName = Issuer.GetIssuerName(authnRequestElement);

// Lookup the X.509 certificate for the SP - details not shown.

// Verify the HTTP-Redirect signature. Throws a SAMLSignatureException if verification fails.
HTTPRedirectBinding.VerifyRequestSignature(httpRequest, signatureAlgorithm, signature, x509Certificate.PublicKey.Key);

Similar code can be used for logout messages.
[/quote]

Thank you, this is what I did except I called ReceiveAuthnRequestByHTTPRedirect with null as the certificate parameter but I was not sure this is the right approach. One more thing, I think I saw somewhere in the examples a comment that requests are not signed for HTTPRedirect because the resulting string may be too long for a GET in some browsers? If so, what is the point of verifying the signature in this case? Or is signing optional?

ReceiveAuthnRequestByHTTPRedirect with the null certificate parameter is equivalent.
SAML messages aren’t signed using XML signatures when using the HTTP-Redirect binding as the resulting query string parameter could be too long for some browsers.
Therefore, the HTTP-Redirect binding defines its own signature scheme.
So, a SAML authn request sent over HTTP-Post may include an XML signature.
A SAML authn request sent over HTTP-Redirect won’t have an XML signature but instead may be signed using the HTTP-Redirect signature scheme.
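To make the difference concrete, here is an added example (not ComponentSpace code) of what the HTTP-Redirect signature scheme actually signs: the message is DEFLATE-compressed and base64-encoded, then the URL-encoded SAMLRequest, RelayState and SigAlg query parameters are concatenated in that fixed order and signed with the SP's private key; no XML signature is involved. The AuthnRequest XML, the SP entityID, the RelayState value and the generated RSA key are all constructed for the demo.

```csharp
using System;
using System.IO;
using System.IO.Compression;
using System.Security.Cryptography;
using System.Text;

// Added example: the HTTP-Redirect binding signature scheme, independent of any SAML library.
public static class RedirectBindingDemo
{
    public const string RsaSha256 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256";

    // The binding requires raw DEFLATE (no zlib header) followed by base64.
    public static string DeflateAndBase64(string samlMessageXml)
    {
        using (var output = new MemoryStream())
        {
            using (var deflate = new DeflateStream(output, CompressionMode.Compress, leaveOpen: true))
            {
                byte[] bytes = Encoding.UTF8.GetBytes(samlMessageXml);
                deflate.Write(bytes, 0, bytes.Length);
            }
            return Convert.ToBase64String(output.ToArray());
        }
    }

    // The signed string is the URL-encoded parameters in this order; RelayState is
    // omitted entirely (not left empty) when there is none.
    public static string BuildSignedString(string samlRequestParam, string relayState, string sigAlg)
    {
        var sb = new StringBuilder();
        sb.Append("SAMLRequest=").Append(Uri.EscapeDataString(samlRequestParam));
        if (!string.IsNullOrEmpty(relayState))
        {
            sb.Append("&RelayState=").Append(Uri.EscapeDataString(relayState));
        }
        sb.Append("&SigAlg=").Append(Uri.EscapeDataString(sigAlg));
        return sb.ToString();
    }

    public static string Sign(RSA privateKey, string signedString)
    {
        byte[] sig = privateKey.SignData(Encoding.UTF8.GetBytes(signedString),
            HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
        return Convert.ToBase64String(sig);
    }

    public static bool Verify(RSA publicKey, string signedString, string signatureBase64)
    {
        byte[] sig = Convert.FromBase64String(signatureBase64);
        return publicKey.VerifyData(Encoding.UTF8.GetBytes(signedString), sig,
            HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
    }

    public static void Main()
    {
        // Constructed sample request; a real one carries the full AuthnRequest content.
        string authnRequest =
            "<samlp:AuthnRequest xmlns:samlp=\"urn:oasis:names:tc:SAML:2.0:protocol\" " +
            "ID=\"_demo1\" Version=\"2.0\" IssueInstant=\"2018-07-24T00:00:00Z\">" +
            "<saml:Issuer xmlns:saml=\"urn:oasis:names:tc:SAML:2.0:assertion\">" +
            "https://sp.example/metadata</saml:Issuer></samlp:AuthnRequest>";

        using (RSA spKey = RSA.Create(2048)) // stands in for the SP certificate's key pair
        {
            string samlRequestParam = DeflateAndBase64(authnRequest);
            string toSign = BuildSignedString(samlRequestParam, "state123", RsaSha256);
            string signature = Sign(spKey, toSign);

            // The redirect URL the SP issues: the Signature parameter is appended last.
            string url = "https://idp.example/SAML/SSOService?" + toSign +
                         "&Signature=" + Uri.EscapeDataString(signature);
            Console.WriteLine(url);

            // The IdP rebuilds the signed string from the received parameters and verifies it.
            Console.WriteLine("valid: " + Verify(spKey, toSign, signature));

            // Changing any covered parameter (here RelayState) invalidates the signature.
            string tampered = BuildSignedString(samlRequestParam, "state999", RsaSha256);
            Console.WriteLine("tampered valid: " + Verify(spKey, tampered, signature));
        }
    }
}
```

Two points follow from the scheme. The receiver must reconstruct the signed string from the encoded parameter values exactly as they arrived in the query string rather than decoding and re-encoding them, since a different percent-encoding yields a different byte string. And because SigAlg is itself a parameter supplied by the sender, the receiver should only accept algorithms it has explicitly allowed before using it to select the verification routine; a library call such as VerifyRequestSignature is expected to do both.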

[quote]
ComponentSpace - 7/24/2018
ReceiveAuthnRequestByHTTPRedirect with the null certificate parameter is equivalent.
SAML messages aren't signed using XML signatures when using the HTTP-Redirect binding as the resulting query string parameter could be too long for some browsers.
Therefore, the HTTP-Redirect binding defines its own signature scheme.
So, a SAML authn request sent over HTTP-Post may include an XML signature.
A SAML authn request sent over HTTP-Redirect won't have an XML signature but instead may be signed using the HTTP-Redirect signature scheme.
[/quote]

Thank you, it's clear now.

You’re welcome.

[quote]
ComponentSpace - 7/24/2018
I suggest using the ComponentSpace.SAML2.Bindings.HTTPRedirectBinding class rather than ReceiveAuthnRequestByHTTPRedirect.
This way you can split the processing into three operations.
1. Receive the authn request over HTTP-Redirect. The signature isn't verified in this step.
2. Identify the SP from the issuer field in the authn request.
3. Verify the HTTP-Redirect signature.
The outline of the code is as follows.

// Receive the SAML authn request over HTTP-Redirect.
HTTPRedirectBinding.ReceiveRequest(httpRequest, out authnRequestElement, out relayState, out signatureAlgorithm, out signature);

// Get the issuer field from the authn request. This identifies the SP.
string issuerName = Issuer.GetIssuerName(authnRequestElement);

// Lookup the X.509 certificate for the SP - details not shown.

// Verify the HTTP-Redirect signature. Throws a SAMLSignatureException if verification fails.
HTTPRedirectBinding.VerifyRequestSignature(httpRequest, signatureAlgorithm, signature, x509Certificate.PublicKey.Key);

Similar code can be used for logout messages.
[/quote]

Is it possible for the signature to be null or empty after the HTTPRedirectBinding.ReceiveRequest call?
If it's possible and the signature is null, will the authnRequest be treated as verified so we don't need to run the rest of the code? That is,

if (!string.IsNullOrEmpty(signature))
{
    string issuerName = Issuer.GetIssuerName(authnRequestElement);
    // Lookup the X.509 certificate for the SP - details not shown.
    // Verify the HTTP-Redirect signature. Throws a SAMLSignatureException if verification fails.
    HTTPRedirectBinding.VerifyRequestSignature(httpRequest, signatureAlgorithm, signature, x509Certificate.PublicKey.Key);
}

Thanks

HTTPRedirectBinding.ReceiveRequest returns null for the signature if the SAML request is not signed.
If you require the SAML request to be signed then you should treat this as an error.
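Putting the three-step outline from earlier in the thread together with this unsigned-request rule, here is an added example rather than ComponentSpace's own code. The HTTPRedirectBinding.ReceiveRequest, Issuer.GetIssuerName and HTTPRedirectBinding.VerifyRequestSignature calls are the ones named in this thread; the IdpSsoHandler class, the issuer-to-certificate dictionary, the requireSignedRequests switch and the using directives for the ComponentSpace namespaces are assumptions.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Cryptography.X509Certificates;
using System.Web;
using System.Xml;
using ComponentSpace.SAML2;           // namespaces assumed; adjust to the library version in use
using ComponentSpace.SAML2.Bindings;

// Added example: per-SP signature verification for an IdP serving many SPs on one endpoint.
public class IdpSsoHandler
{
    // Hypothetical registry: issuer name (SP entityID) -> that SP's signing certificate,
    // populated from each SP's metadata at application start.
    private readonly IDictionary<string, X509Certificate2> spCertificates;
    private readonly bool requireSignedRequests;

    public IdpSsoHandler(IDictionary<string, X509Certificate2> spCertificates, bool requireSignedRequests)
    {
        this.spCertificates = spCertificates;
        this.requireSignedRequests = requireSignedRequests;
    }

    // Returns the authn request element once it is acceptable, and throws otherwise.
    public XmlElement ReceiveAuthnRequest(HttpRequest httpRequest, out string relayState, out string issuerName)
    {
        XmlElement authnRequestElement;
        string signatureAlgorithm;
        string signature;

        // Step 1: decode the request. No signature verification happens here, so nothing
        // in authnRequestElement can be trusted yet.
        HTTPRedirectBinding.ReceiveRequest(httpRequest, out authnRequestElement, out relayState,
            out signatureAlgorithm, out signature);

        // Step 2: identify the SP from the issuer and select its certificate. Using an
        // unverified issuer here is safe: it only chooses which registered key the
        // signature must verify against in step 3.
        issuerName = Issuer.GetIssuerName(authnRequestElement);
        X509Certificate2 spCertificate;
        if (string.IsNullOrEmpty(issuerName) || !spCertificates.TryGetValue(issuerName, out spCertificate))
        {
            throw new InvalidOperationException("Unknown or missing issuer: " + issuerName);
        }

        // ReceiveRequest returns null for the signature when the request is not signed.
        // An unsigned request is not "verified"; it is simply unsigned, so decide explicitly.
        if (string.IsNullOrEmpty(signature))
        {
            if (requireSignedRequests)
            {
                throw new InvalidOperationException("Unsigned authn request from " + issuerName);
            }
            return authnRequestElement;
        }

        // Step 3: verify the HTTP-Redirect signature with the certificate of the SP named
        // in the request. Throws a SAMLSignatureException if verification fails.
        HTTPRedirectBinding.VerifyRequestSignature(httpRequest, signatureAlgorithm, signature,
            spCertificate.PublicKey.Key);
        return authnRequestElement;
    }
}
```

The same structure applies to logout messages received over HTTP-Redirect: decode, look up the sender by issuer, then verify against that sender's certificate. Whether requireSignedRequests should be true is a per-deployment policy; if it is false, the unsigned branch should be logged so that unexpectedly unsigned requests from an SP that normally signs are visible.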

[quote]
ComponentSpace - 10/30/2018
HTTPRedirectBinding.ReceiveRequest returns null for the signature if the SAML request is not signed.
If you require the SAML request to be signed then you should treat this as an error.
[/quote]

That makes sense. Thanks!

You’re welcome.