Using IDP initiated SSO, I am unable to extract the assertion from the SAMLResponse shown below. Stepping through my code, after ServiceProvider.ReceiveSAMLResponseByHTTPPost, samlResponse.Assertions shows 1 assertion. But samlRespose.GetAssertions()[0] returns null. What am I missing?
<samlp:Response ID=“_3c1f8444-b47f-45ea-bd3a-6c2de40678b5”
Version=“2.0”
IssueInstant=“2015-12-14T23:02:38.407Z”
Destination=“<a href=“https://sesso.qa.summitmg.com/AssertionConsumerService.aspx””>https://sesso.qa.summitmg.com/AssertionConsumerService.aspx"
Consent=“urn:oasis:names:tc:SAML:2.0:consent:unspecified”
xmlns:samlp=“urn:oasis:names:tc:SAML:2.0:protocol”
>
http://QFRWFLT2.eur.gad.schneider-electric.com/adfs/services/trust
samlp:Status
<samlp:StatusCode Value=“urn:oasis:names:tc:SAML:2.0:status:Success” />
</samlp:Status>
<Assertion ID=“_83a67afc-13ef-47ab-bed8-e4014dfb0ccf”
IssueInstant=“2015-12-14T23:02:38.407Z”
Version=“2.0”
xmlns=“urn:oasis:names:tc:SAML:2.0:assertion”
>
http://QFRWFLT2.eur.gad.schneider-electric.com/adfs/services/trust
<ds:Signature xmlns:ds=“”>http://www.w3.org/2000/09/xmldsig#“>
ds:SignedInfo
<ds:CanonicalizationMethod Algorithm=”<a href=“http://www.w3.org/2001/10/xml-exc-c14n#”“>http://www.w3.org/2001/10/xml-exc-c14n#” />
<ds:SignatureMethod Algorithm=“<a href=“http://www.w3.org/2000/09/xmldsig#rsa-sha1"”>http://www.w3.org/2000/09/xmldsig#rsa-sha1” />
<ds:Reference URI=“#_83a67afc-13ef-47ab-bed8-e4014dfb0ccf”>
ds:Transforms
<ds:Transform Algorithm=“<a href=“http://www.w3.org/2000/09/xmldsig#enveloped-signature””>http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
<ds:Transform Algorithm=“<a href=“http://www.w3.org/2001/10/xml-exc-c14n#””>http://www.w3.org/2001/10/xml-exc-c14n#“ />
</ds:Transforms>
<ds:DigestMethod Algorithm=”<a href=“http://www.w3.org/2000/09/xmldsig#sha1"”>http://www.w3.org/2000/09/xmldsig#sha1" />
ds:DigestValueQylxEzMIpHvDZlGs1Ow4dDZob6w=</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
ds:SignatureValue…</ds:SignatureValue>
<KeyInfo xmlns=“”>http://www.w3.org/2000/09/xmldsig#“>
ds:X509Data
ds:X509Certificate…</ds:X509Certificate>
</ds:X509Data>
</ds:Signature>
SESA311960
<SubjectConfirmationData NotOnOrAfter=“2015-12-16T23:07:38.407Z”
Recipient=”<a href=“https://sesso.qa.summitmg.com/AssertionConsumerService.aspx”“>https://sesso.qa.summitmg.com/AssertionConsumerService.aspx”
/>
<Conditions NotBefore=“2015-12-14T23:02:38.298Z”
NotOnOrAfter=“2015-12-16T00:02:38.298Z”
>
https://serecognition.qa.summitmg.com/SSOLogin.aspx
<Attribute Name=“”>http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress">
roberto.ramirez@schneider-electric.com
<AuthnStatement AuthnInstant=“2015-12-14T23:02:38.251Z”
SessionIndex=“_83a67afc-13ef-47ab-bed8-e4014dfb0ccf”
>
urn:federation:authentication:windows
</samlp:Response>
We make a distinction between signed and unsigned SAML assertions. The GetAssertions method returns the unsigned SAML assertions. The GetSignedAssertions method returns the signed SAML assertions. The SAML response above includes a signed assertion so you will need to call GetSignedAssertions. The following code shows how to process a signed SAML assertion.
// Get the signed assertion.
XmlElement samlAssertionElement = samlResponse.GetSignedAssertions()[0];
// Verify the XML signature – loading the X.509 certificate is not shown.
if (!SAMLAssertionSignature.Verify(samlAssertionElement, x509Certificate)) {
// Handle signature verification
}
// Construct the SAML assertion from the XML
SAMLAssertion samlAssertion = new SAMLAssertion(samlAssertionElement);
The ServiceProvider.ReceiveSAMLResponseByHTTPPost API is part of our low-level API. We also have a high-level SAML API which makes receiving and processing SAML responses much easier. The corresponding API is SAMLServiceProvider.ReceiveSSO. You’ll find this demonstrated in the projects under the HighLevelAPI project folder.