I have a certificate and private key as strings. I need to generate the SAML in the correct schema, and sign the generated SAML using the private key and certificate provided.

The following is the AuthnRequest format/Schema

XML
<?xml version="1.0" encoding="UTF-8"?>
<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
                    AssertionConsumerServiceURL="http://devenv.test.com/Shibboleth.sso/SAML2/POST"
                    Destination="https://wso2is.dev.xzo/samlsso"
                    ForceAuthn="false"
                    ID="pfxc589a912-5c3c-2f24-200f-276a919dfff2"
                    IsPassive="false"
                    IssueInstant="2016-04-14T06:42:46.877Z"
                    ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
                    Version="2.0">
  <samlp:Issuer xmlns:samlp="urn:oasis:names:tc:SAML:2.0:assertion">devenv.test.com</samlp:Issuer>
  <saml2p:NameIDPolicy xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol" AllowCreate="true" Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent" SPNameQualifier="Issuer"/>
  <saml2p:RequestedAuthnContext xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol" Comparison="exact">
    <saml:AuthnContextClassRef xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef>
  </saml2p:RequestedAuthnContext>
</samlp:AuthnRequest>


And the expected signed format is as follows:

XML
<?xml version="1.0" encoding="UTF-8"?>
<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
                    AssertionConsumerServiceURL="http://devenv.test.com/Shibboleth.sso/SAML2/POST"
                    Destination="https://wso2is.dev.xzo/samlsso"
                    ForceAuthn="false"
                    ID="pfx4a940756-10ab-2ad4-815e-2ae4884f8d7f"
                    IsPassive="false"
                    IssueInstant="2016-04-14T06:42:46.877Z"
                    ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
                    Version="2.0">
  <samlp:Issuer xmlns:samlp="urn:oasis:names:tc:SAML:2.0:assertion">test@devenv.test.com</samlp:Issuer>
  <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
    <ds:SignedInfo>
      <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
      <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
      <ds:Reference URI="#pfx4a940756-10ab-2ad4-815e-2ae4884f8d7f">
        <ds:Transforms>
          <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
          <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
        </ds:Transforms>
        <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
        <ds:DigestValue>I1IjEQzBzYzCCB+IjzOpyD44T4E=</ds:DigestValue>
      </ds:Reference>
    </ds:SignedInfo>
    <ds:SignatureValue>h0YCK+bVPptUEWr04DDTOv/XlZq2b7MQtCBzLaS439M0QwjYDvPJafQvNIB5S6klqONnhESCnpLJk3GrkH71jNgx2+yf5Q5on/9gAXbZ6gIvTfpgDe/bz44KdS+pVyb8+4eMECXzhanB0LEsvhmIwL/L10/H3KDPI+rC8BBxfK4=</ds:SignatureValue>
    <ds:KeyInfo>
      <ds:X509Data>
        <ds:X509Certificate>...</ds:X509Certificate>
      </ds:X509Data>
    </ds:KeyInfo>
  </ds:Signature>
  <saml2p:NameIDPolicy xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol" AllowCreate="true" Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent" SPNameQualifier="Issuer"/>
  <saml2p:RequestedAuthnContext xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol" Comparison="exact">
    <saml:AuthnContextClassRef xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef>
  </saml2p:RequestedAuthnContext>
</samlp:AuthnRequest>


What I have tried:

I have tried to generate the SAML AuthnRequest and Sign it using SignedXml.

C#
using System;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;
using System.Security.Cryptography.Xml;
using System.Xml;

public string SignXmlFile(string xmlAuthnRequest, RSA Key, string pfxRef, string certificate)
{
    // Whitespace must be preserved, otherwise the digest is computed over a
    // different serialization than the one that is sent.
    XmlDocument doc = new XmlDocument();
    doc.PreserveWhitespace = true;
    doc.LoadXml(xmlAuthnRequest);

    SignedXml signedXml = new SignedXml(doc);
    signedXml.SignedInfo.CanonicalizationMethod = SignedXml.XmlDsigExcC14NTransformUrl;
    // Add the private key to the SignedXml document.
    signedXml.SigningKey = Key;

    // Load the certificate from its base64 (PEM body) string.
    X509Certificate2 cert = new X509Certificate2(CertificateStringToByteArray(certificate));

    KeyInfo keyInfo = new KeyInfo();
    keyInfo.AddClause(new KeyInfoX509Data(cert));
    signedXml.KeyInfo = keyInfo;

    // Create a reference to the AuthnRequest element; pfxRef must equal its ID attribute,
    // since SignedXml resolves "#id" against the Id/id/ID attributes of the document.
    Reference reference = new Reference();
    reference.Uri = "#" + pfxRef;

    // Enveloped-signature transform followed by exclusive C14N, as in the expected output.
    reference.AddTransform(new XmlDsigEnvelopedSignatureTransform());
    reference.AddTransform(new XmlDsigExcC14NTransform());

    // Add the reference to the SignedXml object.
    signedXml.AddReference(reference);

    // Compute the signature and self-check it against the certificate's public key.
    signedXml.ComputeSignature();
    if (!signedXml.CheckSignature(cert, true))
        throw new CryptographicException("Signature does not verify with the supplied certificate.");

    // Get the XML representation of the signature and import it into the document.
    XmlElement xmlDigitalSignature = signedXml.GetXml();
    XmlNode signatureNode = doc.ImportNode(xmlDigitalSignature, true);

    // SAML places ds:Signature directly after Issuer, not at the end of the element.
    XmlNodeList issuers = doc.GetElementsByTagName("Issuer", "urn:oasis:names:tc:SAML:2.0:assertion");
    if (issuers.Count > 0)
        doc.DocumentElement.InsertAfter(signatureNode, issuers[0]);
    else
        doc.DocumentElement.PrependChild(signatureNode);

    return doc.OuterXml;
}

// Strips PEM armour and whitespace, then decodes the base64 certificate body.
private static byte[] CertificateStringToByteArray(string certificate)
{
    string body = certificate
        .Replace("-----BEGIN CERTIFICATE-----", "")
        .Replace("-----END CERTIFICATE-----", "")
        .Replace("\r", "").Replace("\n", "").Replace(" ", "");
    return Convert.FromBase64String(body);
}


Here I could send only an RSA object, not the private key. And the signed SAML which I get is not showing as valid.
Any idea on using the string private key and certificate to sign the SAML and validate it in C# .NET?
Posted
Updated 24-Apr-16 21:05pm
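The question covers the signing side; the counterpart a relying party needs is to check a received AuthnRequest without trusting anything inside the message. The following is an added example, not code from the question or the answer: it verifies the enveloped signature under a certificate obtained out of band (the trustedCert parameter, an assumption of this example), ignores the embedded KeyInfo, and insists that the single Reference point at the ID of the root AuthnRequest itself so that a signed fragment moved elsewhere in the document cannot pass as the request. The class name AuthnRequestVerifier is hypothetical.

```csharp
using System;
using System.Security.Cryptography.X509Certificates;
using System.Security.Cryptography.Xml;
using System.Xml;

public static class AuthnRequestVerifier
{
    const string DsNs = "http://www.w3.org/2000/09/xmldsig#";
    const string SamlpNs = "urn:oasis:names:tc:SAML:2.0:protocol";

    // Returns true only if the root AuthnRequest element is what was signed and the
    // signature verifies under trustedCert (pinned out of band, not taken from KeyInfo).
    public static bool IsValidlySigned(string signedXml, X509Certificate2 trustedCert)
    {
        XmlDocument doc = new XmlDocument();
        doc.PreserveWhitespace = true;   // same serialization the signer digested
        doc.XmlResolver = null;          // no DTD or external entity fetching
        doc.LoadXml(signedXml);

        XmlElement root = doc.DocumentElement;
        if (root.LocalName != "AuthnRequest" || root.NamespaceURI != SamlpNs)
            return false;

        string rootId = root.GetAttribute("ID");
        if (string.IsNullOrEmpty(rootId))
            return false;

        // Exactly one ds:Signature, and it must be a direct child of the root.
        XmlNodeList sigs = doc.GetElementsByTagName("Signature", DsNs);
        if (sigs.Count != 1 || sigs[0].ParentNode != root)
            return false;

        SignedXml sx = new SignedXml(doc);
        sx.LoadXml((XmlElement)sigs[0]);

        // The one Reference must resolve to the root element's own ID; a reference to
        // any other element means the root request is not actually covered by the signature.
        if (sx.SignedInfo.References.Count != 1)
            return false;
        Reference r = (Reference)sx.SignedInfo.References[0];
        if (r.Uri != "#" + rootId)
            return false;

        // verifySignatureOnly = true: the certificate is already trusted by pinning,
        // so no chain build is attempted here; the embedded KeyInfo is never consulted.
        return sx.CheckSignature(trustedCert, true);
    }
}
```

Usage is `AuthnRequestVerifier.IsValidlySigned(receivedXml, pinnedCert)` where pinnedCert is the requester's certificate loaded from configuration. SignedXml resolves `#id` against `Id`, `id` and `ID` attributes, so the `ID` attribute used by SAML is found without extra work, and .NET rejects documents in which that ID occurs more than once.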

1 solution

Hello Anuj,

Have a look at this[^] nice article.

Regards,
Prasad P. Khandekar
This content, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)