解析并验证 WS Trust XML 令牌
Parse and verify a WS Trust XML Token
我有一个用 c#/.NET 编写的 Web 服务,它将未经身份验证的用户重定向到 WS 联合身份提供程序,然后使用具有该用户角色的 SAML 令牌重定向回我的 Web 服务。这是根据被动 WS 联合规范 - http://docs.oasis-open.org/wsfed/federation/v1.2/os/ws-federation-1.2-spec-os.html#_Toc223175008
得到这个后,我收到一个请求,其中将 wresult 设置为令牌。在我的代码中,我有一个 string
wresult 是 xml 文档的字符串。我所知道的是我所在的领域,身份提供者的指纹,wctx(如果已发送)。
安全令牌是此处描述的标准 WS-Trust 令牌:
http://specs.xmlsoap.org/ws/2005/02/trust/WS-Trust.pdf
我想要获得的是 SecurityToken,最终是该用户的 IPrincipal,仅来自 string,即 XML document/security 令牌。
字符串的一个例子是(混淆了一些东西)。
<?xml version="1.0"?>
<t:RequestSecurityTokenResponse xmlns:t="http://schemas.xmlsoap.org/ws/2005/02/trust">
<t:Lifetime>
<wsu:Created xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">2018-09-14T13:40:25.164Z</wsu:Created>
<wsu:Expires xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">2018-09-14T14:40:25.164Z</wsu:Expires>
</t:Lifetime>
<wsp:AppliesTo xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy">
<wsa:EndpointReference xmlns:wsa="http://www.w3.org/2005/08/addressing">
<wsa:Address>https://localhost:44366/</wsa:Address>
</wsa:EndpointReference>
</wsp:AppliesTo>
<t:RequestedSecurityToken>
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion" MajorVersion="1" MinorVersion="1" AssertionID="_e1580903-02ac-453d-a157-ae27c8614cc9" Issuer="http://adfs.ORGANISATION.com/adfs/services/trust" IssueInstant="2018-09-14T13:40:25.164Z">
<saml:Conditions NotBefore="2018-09-14T13:40:25.164Z" NotOnOrAfter="2018-09-14T14:40:25.164Z">
<saml:AudienceRestrictionCondition>
<saml:Audience>https://localhost:44366/</saml:Audience>
</saml:AudienceRestrictionCondition>
</saml:Conditions>
<saml:AttributeStatement>
<saml:Subject>
<saml:SubjectConfirmation>
<saml:ConfirmationMethod>urn:oasis:names:tc:SAML:1.0:cm:bearer</saml:ConfirmationMethod>
</saml:SubjectConfirmation>
</saml:Subject>
<saml:Attribute AttributeName="emailaddress" AttributeNamespace="http://schemas.xmlsoap.org/ws/2005/05/identity/claims">
<saml:AttributeValue>person@stuff.com</saml:AttributeValue>
</saml:Attribute>
<saml:Attribute AttributeName="givenname" AttributeNamespace="http://schemas.xmlsoap.org/ws/2005/05/identity/claims">
<saml:AttributeValue>Jeff</saml:AttributeValue>
</saml:Attribute>
<saml:Attribute AttributeName="surname" AttributeNamespace="http://schemas.xmlsoap.org/ws/2005/05/identity/claims">
<saml:AttributeValue>Mandelson</saml:AttributeValue>
</saml:Attribute>
<saml:Attribute AttributeName="windowsaccountname" AttributeNamespace="http://schemas.microsoft.com/ws/2008/06/identity/claims">
<saml:AttributeValue>jeff.mandelson</saml:AttributeValue>
</saml:Attribute>
<saml:Attribute AttributeName="role" AttributeNamespace="http://schemas.microsoft.com/ws/2008/06/identity/claims">
<saml:AttributeValue>Stuff\Domain Users</saml:AttributeValue>
<saml:AttributeValue>Stuff\DevTeam</saml:AttributeValue>
<saml:AttributeValue>Stuff\RDS-MSSQLDEV-RW</saml:AttributeValue>
</saml:Attribute>
<saml:Attribute AttributeName="upn" AttributeNamespace="http://schemas.xmlsoap.org/ws/2005/05/identity/claims">
<saml:AttributeValue>stuff@local.com</saml:AttributeValue>
</saml:Attribute>
<saml:Attribute AttributeName="name" AttributeNamespace="http://schemas.xmlsoap.org/ws/2005/05/identity/claims">
<saml:AttributeValue>Jeff Mandelson</saml:AttributeValue>
</saml:Attribute>
</saml:AttributeStatement>
<saml:AuthenticationStatement AuthenticationMethod="urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport" AuthenticationInstant="2018-09-14T11:59:16.147Z">
<saml:Subject>
<saml:SubjectConfirmation>
<saml:ConfirmationMethod>urn:oasis:names:tc:SAML:1.0:cm:bearer</saml:ConfirmationMethod>
</saml:SubjectConfirmation>
</saml:Subject>
</saml:AuthenticationStatement>
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:SignedInfo>
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
<ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
<ds:Reference URI="#_e1580903-02ac-453d-a157-ae27c8614cc9">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
<ds:DigestValue>a_digest_value_removed</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>signature</ds:SignatureValue>
<KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
<X509Data>
<X509Certificate>certificate</X509Certificate>
</X509Data>
</KeyInfo>
</ds:Signature>
</saml:Assertion>
</t:RequestedSecurityToken>
<t:TokenType>urn:oasis:names:tc:SAML:1.0:assertion</t:TokenType>
<t:RequestType>http://schemas.xmlsoap.org/ws/2005/02/trust/Issue</t:RequestType>
<t:KeyType>http://schemas.xmlsoap.org/ws/2005/05/identity/NoProofKey</t:KeyType>
</t:RequestSecurityTokenResponse>
我试过使用内置方法,例如
WSFederationAuthenticationModule,但是,这似乎有问题,除非您使用 System.Web.Request。内置 .NET/C# 函数会更好!
解决方案是将令牌视为常规 XMLDsig 签名 XML - 断言节点已签名并且签名的引用指向它。代码相当简单,但有趣的是 SignedXml class 必须被继承才能拥有遵循 AssertionID 属性的签名验证器(默认约定是签名节点的 id属性仅被调用 ID 并且默认验证器不会找到具有不同调用的 id 属性的节点。
public class SamlSignedXml : SignedXml
{
public SamlSignedXml(XmlElement e) : base(e) { }
public override XmlElement GetIdElement(XmlDocument document, string idValue)
{
XmlNamespaceManager mgr = new XmlNamespaceManager(document.NameTable);
mgr.AddNamespace("trust", "http://docs.oasis-open.org/ws-sx/ws-trust/200512");
mgr.AddNamespace("wsu", "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd");
mgr.AddNamespace("saml", "urn:oasis:names:tc:SAML:1.0:assertion");
XmlElement assertionNode =
(XmlElement)document.SelectSingleNode("//trust:RequestSecurityTokenResponseCollection/trust:RequestSecurityTokenResponse/"+
"trust:RequestedSecurityToken/saml:Assertion", mgr);
if (assertionNode.Attributes["AssertionID"] != null &&
string.Equals(assertionNode.Attributes["AssertionID"].Value, idValue, StringComparison.InvariantCultureIgnoreCase)
)
return assertionNode;
return null;
}
}
请注意,XPath 假定令牌在根中具有 RequestSecurityTokenResponseCollection,请确保您的令牌遵循此约定(在单个令牌的情况下,集合节点可能会丢失并且令牌的根可能是只是 RequestSecurityTokenResponse,相应地更新代码)。
然后是验证码
// token is the string representation of the SAML1 token
// expectedCertThumb is the expected certificate's thumbprint
protected bool ValidateToken( string token, string expectedCertThumb, out string userName )
{
userName = string.Empty;
if (string.IsNullOrEmpty(token)) return false;
var xd = new XmlDocument();
xd.PreserveWhitespace = true;
xd.LoadXml(token);
XmlNamespaceManager mgr = new XmlNamespaceManager(xd.NameTable);
mgr.AddNamespace("trust", "http://docs.oasis-open.org/ws-sx/ws-trust/200512");
mgr.AddNamespace("wsu", "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd");
mgr.AddNamespace("saml", "urn:oasis:names:tc:SAML:1.0:assertion");
// assertion
XmlElement assertionNode = (XmlElement)xd.SelectSingleNode("//trust:RequestSecurityTokenResponseCollection/trust:RequestSecurityTokenResponse/trust:RequestedSecurityToken/saml:Assertion", mgr);
// signature
XmlElement signatureNode = (XmlElement)xd.GetElementsByTagName("Signature")[0];
var signedXml = new SamlSignedXml( assertionNode );
signedXml.LoadXml(signatureNode);
X509Certificate2 certificate = null;
foreach (KeyInfoClause clause in signedXml.KeyInfo)
{
if (clause is KeyInfoX509Data)
{
if (((KeyInfoX509Data)clause).Certificates.Count > 0)
{
certificate =
(X509Certificate2)((KeyInfoX509Data)clause).Certificates[0];
}
}
}
// cert node missing
if (certificate == null) return false;
// check the signature and return the result.
var signatureValidationResult = signedXml.CheckSignature(certificate, true);
if (signatureValidationResult == false) return false;
// validate cert thumb
if ( !string.IsNullOrEmpty( expectedCertThumb ) )
{
if ( !string.Equals( expectedCertThumb, certificate.Thumbprint ) )
return false;
}
// retrieve username
// expires =
var expNode = xd.SelectSingleNode("//trust:RequestSecurityTokenResponseCollection/trust:RequestSecurityTokenResponse/trust:Lifetime/wsu:Expires", mgr );
DateTime expireDate;
if (!DateTime.TryParse(expNode.InnerText, out expireDate)) return false; // wrong date
if (DateTime.UtcNow > expireDate) return false; // token too old
// claims
var claimNodes =
xd.SelectNodes("//trust:RequestSecurityTokenResponseCollection/trust:RequestSecurityTokenResponse/trust:RequestedSecurityToken/"+
"saml:Assertion/saml:AttributeStatement/saml:Attribute", mgr );
foreach ( XmlNode claimNode in claimNodes )
{
if ( claimNode.Attributes["AttributeName"] != null &&
claimNode.Attributes["AttributeNamespace"] != null &&
string.Equals( claimNode.Attributes["AttributeName"].Value, "name", StringComparison.InvariantCultureIgnoreCase ) &&
string.Equals( claimNode.Attributes["AttributeNamespace"].Value, "http://schemas.xmlsoap.org/ws/2005/05/identity/claims", StringComparison.InvariantCultureIgnoreCase ) &&
claimNode.ChildNodes.Count == 1
)
{
userName = claimNode.ChildNodes[0].InnerText;
return true;
}
}
return false;
}
通过一些小的调整,您应该能够做您想做的事。
顺便说一句。大部分答案是从我的博客文章中复制的
https://www.wiktorzychla.com/2018/09/parsing-saml-11-ws-federation-tokens.html
记录了我们在我们的一个应用程序中内部使用的方法。我打算
做这个条目一段时间,你的问题只是我需要的一个触发器。
另一种方法是使用 IdentityModel SamlTokenVerifier 和解析器:
public static bool AuthenticateXmlToken(String wresult)
{
String pstrXML = wresult;
// write it down
File.WriteAllText("C:\Users\USER\Downloads\asdf4.xml", wresult);
// extract the SAML Assertion
XmlReader reader = XmlReader.Create(new StringReader(pstrXML));
reader.ReadToFollowing("Assertion", "urn:oasis:names:tc:SAML:1.0:assertion");
// saml requirements
SamlSecurityTokenRequirement pRequirements = new SamlSecurityTokenRequirement();
pRequirements.CertificateValidator = new CertificateValidator();
SecurityTokenHandlerConfiguration pConfig = new SecurityTokenHandlerConfiguration();
pConfig.AudienceRestriction = new AudienceRestriction(AudienceUriMode.Never);
pConfig.IssuerNameRegistry = new IssuerNames();
//pRequirements.ValidateAudienceRestriction()
SamlSecurityTokenHandler pHandler = new SamlSecurityTokenHandler(pRequirements);
pHandler.Configuration = pConfig;
SecurityTokenHandlerCollection tokenHandlerCollection = SecurityTokenHandlerCollection.CreateDefaultSecurityTokenHandlerCollection();
SamlSecurityToken token = (SamlSecurityToken)pHandler.ReadToken(reader.ReadSubtree());
ReadOnlyCollection<ClaimsIdentity> pClaims = pHandler.ValidateToken(token);
return pClaims.Count > 0;
}
public class IssuerNames : IssuerNameRegistry
{
public override string GetIssuerName(SecurityToken securityToken)
{
return "Issuer";
throw new NotImplementedException();
}
}
public class CertificateValidator : X509CertificateValidator
{
public override void Validate(X509Certificate2 certificate)
{
if (certificate == null)
{
throw new Exception("certificate is null");
}
if (certificate.Thumbprint.ToLower() != "mythumprint")
{
throw new Exception("X509 certficate is signed with the wrong public key!");
}
}
}
我有一个用 c#/.NET 编写的 Web 服务,它将未经身份验证的用户重定向到 WS 联合身份提供程序,然后使用具有该用户角色的 SAML 令牌重定向回我的 Web 服务。这是根据被动 WS 联合规范 - http://docs.oasis-open.org/wsfed/federation/v1.2/os/ws-federation-1.2-spec-os.html#_Toc223175008
得到这个后,我收到一个请求,其中将 wresult 设置为令牌。在我的代码中,我有一个 string wresult 是 xml 文档的字符串。我所知道的是我所在的领域,身份提供者的指纹,wctx(如果已发送)。
安全令牌是此处描述的标准 WS-Trust 令牌: http://specs.xmlsoap.org/ws/2005/02/trust/WS-Trust.pdf
我想要获得的是 SecurityToken,最终是该用户的 IPrincipal,仅来自 string,即 XML document/security 令牌。
字符串的一个例子是(混淆了一些东西)。
<?xml version="1.0"?>
<t:RequestSecurityTokenResponse xmlns:t="http://schemas.xmlsoap.org/ws/2005/02/trust">
<t:Lifetime>
<wsu:Created xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">2018-09-14T13:40:25.164Z</wsu:Created>
<wsu:Expires xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">2018-09-14T14:40:25.164Z</wsu:Expires>
</t:Lifetime>
<wsp:AppliesTo xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy">
<wsa:EndpointReference xmlns:wsa="http://www.w3.org/2005/08/addressing">
<wsa:Address>https://localhost:44366/</wsa:Address>
</wsa:EndpointReference>
</wsp:AppliesTo>
<t:RequestedSecurityToken>
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion" MajorVersion="1" MinorVersion="1" AssertionID="_e1580903-02ac-453d-a157-ae27c8614cc9" Issuer="http://adfs.ORGANISATION.com/adfs/services/trust" IssueInstant="2018-09-14T13:40:25.164Z">
<saml:Conditions NotBefore="2018-09-14T13:40:25.164Z" NotOnOrAfter="2018-09-14T14:40:25.164Z">
<saml:AudienceRestrictionCondition>
<saml:Audience>https://localhost:44366/</saml:Audience>
</saml:AudienceRestrictionCondition>
</saml:Conditions>
<saml:AttributeStatement>
<saml:Subject>
<saml:SubjectConfirmation>
<saml:ConfirmationMethod>urn:oasis:names:tc:SAML:1.0:cm:bearer</saml:ConfirmationMethod>
</saml:SubjectConfirmation>
</saml:Subject>
<saml:Attribute AttributeName="emailaddress" AttributeNamespace="http://schemas.xmlsoap.org/ws/2005/05/identity/claims">
<saml:AttributeValue>person@stuff.com</saml:AttributeValue>
</saml:Attribute>
<saml:Attribute AttributeName="givenname" AttributeNamespace="http://schemas.xmlsoap.org/ws/2005/05/identity/claims">
<saml:AttributeValue>Jeff</saml:AttributeValue>
</saml:Attribute>
<saml:Attribute AttributeName="surname" AttributeNamespace="http://schemas.xmlsoap.org/ws/2005/05/identity/claims">
<saml:AttributeValue>Mandelson</saml:AttributeValue>
</saml:Attribute>
<saml:Attribute AttributeName="windowsaccountname" AttributeNamespace="http://schemas.microsoft.com/ws/2008/06/identity/claims">
<saml:AttributeValue>jeff.mandelson</saml:AttributeValue>
</saml:Attribute>
<saml:Attribute AttributeName="role" AttributeNamespace="http://schemas.microsoft.com/ws/2008/06/identity/claims">
<saml:AttributeValue>Stuff\Domain Users</saml:AttributeValue>
<saml:AttributeValue>Stuff\DevTeam</saml:AttributeValue>
<saml:AttributeValue>Stuff\RDS-MSSQLDEV-RW</saml:AttributeValue>
</saml:Attribute>
<saml:Attribute AttributeName="upn" AttributeNamespace="http://schemas.xmlsoap.org/ws/2005/05/identity/claims">
<saml:AttributeValue>stuff@local.com</saml:AttributeValue>
</saml:Attribute>
<saml:Attribute AttributeName="name" AttributeNamespace="http://schemas.xmlsoap.org/ws/2005/05/identity/claims">
<saml:AttributeValue>Jeff Mandelson</saml:AttributeValue>
</saml:Attribute>
</saml:AttributeStatement>
<saml:AuthenticationStatement AuthenticationMethod="urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport" AuthenticationInstant="2018-09-14T11:59:16.147Z">
<saml:Subject>
<saml:SubjectConfirmation>
<saml:ConfirmationMethod>urn:oasis:names:tc:SAML:1.0:cm:bearer</saml:ConfirmationMethod>
</saml:SubjectConfirmation>
</saml:Subject>
</saml:AuthenticationStatement>
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:SignedInfo>
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
<ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
<ds:Reference URI="#_e1580903-02ac-453d-a157-ae27c8614cc9">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
<ds:DigestValue>a_digest_value_removed</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>signature</ds:SignatureValue>
<KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
<X509Data>
<X509Certificate>certificate</X509Certificate>
</X509Data>
</KeyInfo>
</ds:Signature>
</saml:Assertion>
</t:RequestedSecurityToken>
<t:TokenType>urn:oasis:names:tc:SAML:1.0:assertion</t:TokenType>
<t:RequestType>http://schemas.xmlsoap.org/ws/2005/02/trust/Issue</t:RequestType>
<t:KeyType>http://schemas.xmlsoap.org/ws/2005/05/identity/NoProofKey</t:KeyType>
</t:RequestSecurityTokenResponse>
我试过使用内置方法,例如 WSFederationAuthenticationModule,但是,这似乎有问题,除非您使用 System.Web.Request。内置 .NET/C# 函数会更好!
解决方案是将令牌视为常规 XMLDsig 签名 XML - 断言节点已签名并且签名的引用指向它。代码相当简单,但有趣的是 SignedXml class 必须被继承才能拥有遵循 AssertionID 属性的签名验证器(默认约定是签名节点的 id属性仅被调用 ID 并且默认验证器不会找到具有不同调用的 id 属性的节点。
public class SamlSignedXml : SignedXml
{
public SamlSignedXml(XmlElement e) : base(e) { }
public override XmlElement GetIdElement(XmlDocument document, string idValue)
{
XmlNamespaceManager mgr = new XmlNamespaceManager(document.NameTable);
mgr.AddNamespace("trust", "http://docs.oasis-open.org/ws-sx/ws-trust/200512");
mgr.AddNamespace("wsu", "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd");
mgr.AddNamespace("saml", "urn:oasis:names:tc:SAML:1.0:assertion");
XmlElement assertionNode =
(XmlElement)document.SelectSingleNode("//trust:RequestSecurityTokenResponseCollection/trust:RequestSecurityTokenResponse/"+
"trust:RequestedSecurityToken/saml:Assertion", mgr);
if (assertionNode.Attributes["AssertionID"] != null &&
string.Equals(assertionNode.Attributes["AssertionID"].Value, idValue, StringComparison.InvariantCultureIgnoreCase)
)
return assertionNode;
return null;
}
}
请注意,XPath 假定令牌在根中具有 RequestSecurityTokenResponseCollection,请确保您的令牌遵循此约定(在单个令牌的情况下,集合节点可能会丢失并且令牌的根可能是只是 RequestSecurityTokenResponse,相应地更新代码)。
然后是验证码
// token is the string representation of the SAML1 token
// expectedCertThumb is the expected certificate's thumbprint
protected bool ValidateToken( string token, string expectedCertThumb, out string userName )
{
userName = string.Empty;
if (string.IsNullOrEmpty(token)) return false;
var xd = new XmlDocument();
xd.PreserveWhitespace = true;
xd.LoadXml(token);
XmlNamespaceManager mgr = new XmlNamespaceManager(xd.NameTable);
mgr.AddNamespace("trust", "http://docs.oasis-open.org/ws-sx/ws-trust/200512");
mgr.AddNamespace("wsu", "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd");
mgr.AddNamespace("saml", "urn:oasis:names:tc:SAML:1.0:assertion");
// assertion
XmlElement assertionNode = (XmlElement)xd.SelectSingleNode("//trust:RequestSecurityTokenResponseCollection/trust:RequestSecurityTokenResponse/trust:RequestedSecurityToken/saml:Assertion", mgr);
// signature
XmlElement signatureNode = (XmlElement)xd.GetElementsByTagName("Signature")[0];
var signedXml = new SamlSignedXml( assertionNode );
signedXml.LoadXml(signatureNode);
X509Certificate2 certificate = null;
foreach (KeyInfoClause clause in signedXml.KeyInfo)
{
if (clause is KeyInfoX509Data)
{
if (((KeyInfoX509Data)clause).Certificates.Count > 0)
{
certificate =
(X509Certificate2)((KeyInfoX509Data)clause).Certificates[0];
}
}
}
// cert node missing
if (certificate == null) return false;
// check the signature and return the result.
var signatureValidationResult = signedXml.CheckSignature(certificate, true);
if (signatureValidationResult == false) return false;
// validate cert thumb
if ( !string.IsNullOrEmpty( expectedCertThumb ) )
{
if ( !string.Equals( expectedCertThumb, certificate.Thumbprint ) )
return false;
}
// retrieve username
// expires =
var expNode = xd.SelectSingleNode("//trust:RequestSecurityTokenResponseCollection/trust:RequestSecurityTokenResponse/trust:Lifetime/wsu:Expires", mgr );
DateTime expireDate;
if (!DateTime.TryParse(expNode.InnerText, out expireDate)) return false; // wrong date
if (DateTime.UtcNow > expireDate) return false; // token too old
// claims
var claimNodes =
xd.SelectNodes("//trust:RequestSecurityTokenResponseCollection/trust:RequestSecurityTokenResponse/trust:RequestedSecurityToken/"+
"saml:Assertion/saml:AttributeStatement/saml:Attribute", mgr );
foreach ( XmlNode claimNode in claimNodes )
{
if ( claimNode.Attributes["AttributeName"] != null &&
claimNode.Attributes["AttributeNamespace"] != null &&
string.Equals( claimNode.Attributes["AttributeName"].Value, "name", StringComparison.InvariantCultureIgnoreCase ) &&
string.Equals( claimNode.Attributes["AttributeNamespace"].Value, "http://schemas.xmlsoap.org/ws/2005/05/identity/claims", StringComparison.InvariantCultureIgnoreCase ) &&
claimNode.ChildNodes.Count == 1
)
{
userName = claimNode.ChildNodes[0].InnerText;
return true;
}
}
return false;
}
通过一些小的调整,您应该能够做您想做的事。
顺便说一句。大部分答案是从我的博客文章中复制的
https://www.wiktorzychla.com/2018/09/parsing-saml-11-ws-federation-tokens.html
记录了我们在我们的一个应用程序中内部使用的方法。我打算 做这个条目一段时间,你的问题只是我需要的一个触发器。
另一种方法是使用 IdentityModel SamlTokenVerifier 和解析器:
public static bool AuthenticateXmlToken(String wresult)
{
String pstrXML = wresult;
// write it down
File.WriteAllText("C:\Users\USER\Downloads\asdf4.xml", wresult);
// extract the SAML Assertion
XmlReader reader = XmlReader.Create(new StringReader(pstrXML));
reader.ReadToFollowing("Assertion", "urn:oasis:names:tc:SAML:1.0:assertion");
// saml requirements
SamlSecurityTokenRequirement pRequirements = new SamlSecurityTokenRequirement();
pRequirements.CertificateValidator = new CertificateValidator();
SecurityTokenHandlerConfiguration pConfig = new SecurityTokenHandlerConfiguration();
pConfig.AudienceRestriction = new AudienceRestriction(AudienceUriMode.Never);
pConfig.IssuerNameRegistry = new IssuerNames();
//pRequirements.ValidateAudienceRestriction()
SamlSecurityTokenHandler pHandler = new SamlSecurityTokenHandler(pRequirements);
pHandler.Configuration = pConfig;
SecurityTokenHandlerCollection tokenHandlerCollection = SecurityTokenHandlerCollection.CreateDefaultSecurityTokenHandlerCollection();
SamlSecurityToken token = (SamlSecurityToken)pHandler.ReadToken(reader.ReadSubtree());
ReadOnlyCollection<ClaimsIdentity> pClaims = pHandler.ValidateToken(token);
return pClaims.Count > 0;
}
public class IssuerNames : IssuerNameRegistry
{
public override string GetIssuerName(SecurityToken securityToken)
{
return "Issuer";
throw new NotImplementedException();
}
}
public class CertificateValidator : X509CertificateValidator
{
public override void Validate(X509Certificate2 certificate)
{
if (certificate == null)
{
throw new Exception("certificate is null");
}
if (certificate.Thumbprint.ToLower() != "mythumprint")
{
throw new Exception("X509 certficate is signed with the wrong public key!");
}
}
}