I have a certificate and a private key as strings. I need to generate the SAML in the correct schema and sign the generated SAML using the private key and certificate provided.
The following is the AuthnRequest format/schema:
<?xml version="1.0" encoding="UTF-8"?>
<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" AssertionConsumerServiceURL="http://devenv.test.com/Shibboleth.sso/SAML2/POST"
Destination="https://wso2is.dev.xzo/samlsso"
ForceAuthn="false"
ID="pfxc589a912-5c3c-2f24-200f-276a919dfff2"
IsPassive="false"
IssueInstant="2016-04-14T06:42:46.877Z" ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
Version="2.0">
<samlp:Issuer xmlns:samlp="urn:oasis:names:tc:SAML:2.0:assertion">devenv.test.com</samlp:Issuer>
<saml2p:NameIDPolicy xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol" AllowCreate="true" Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent" SPNameQualifier="Issuer"/>
<saml2p:RequestedAuthnContext xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol" Comparison="exact">
<saml:AuthnContextClassRef xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef>
</saml2p:RequestedAuthnContext>
</samlp:AuthnRequest>
And the expected signed format is as follows:
<?xml version="1.0" encoding="UTF-8"?>
<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
AssertionConsumerServiceURL="http://devenv.test.com/Shibboleth.sso/SAML2/POST"
Destination="https://wso2is.dev.xzo/samlsso"
ForceAuthn="false"
ID="pfx4a940756-10ab-2ad4-815e-2ae4884f8d7f"
IsPassive="false"
IssueInstant="2016-04-14T06:42:46.877Z"
ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
Version="2.0">
<samlp:Issuer xmlns:samlp="urn:oasis:names:tc:SAML:2.0:assertion">test@devenv.test.com</samlp:Issuer>
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:SignedInfo>
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
<ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
<ds:Reference URI="#pfx4a940756-10ab-2ad4-815e-2ae4884f8d7f">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
<ds:DigestValue>I1IjEQzBzYzCCB+IjzOpyD44T4E=</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>h0YCK+bVPptUEWr04DDTOv/XlZq2b7MQtCBzLaS439M0QwjYDvPJafQvNIB5S6klqONnhESCnpLJk3GrkH71jNgx2+yf5Q5on/9gAXbZ6gIvTfpgDe/bz44KdS+pVyb8+4eMECXzhanB0LEsvhmIwL/L10/H3KDPI+rC8BBxfK4=</ds:SignatureValue>
<ds:KeyInfo>
<ds:X509Data>
<ds:X509Certificate>...</ds:X509Certificate>
</ds:X509Data>
</ds:KeyInfo>
</ds:Signature>
<saml2p:NameIDPolicy xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol" AllowCreate="true" Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent" SPNameQualifier="Issuer"/>
<saml2p:RequestedAuthnContext xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol" Comparison="exact">
<saml:AuthnContextClassRef xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef>
</saml2p:RequestedAuthnContext>
</samlp:AuthnRequest>
What I have tried:
I have tried to generate the SAML AuthnRequest and sign it using SignedXml.
using System;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;
using System.Security.Cryptography.Xml;
using System.Xml;

public string SignXmlFile(string xmlAuthnRequest, RSA Key, string pfxRef, string certificate)
{
    // PreserveWhitespace so the bytes that get canonicalized are the bytes that get emitted.
    XmlDocument doc = new XmlDocument { PreserveWhitespace = true };
    doc.LoadXml(xmlAuthnRequest);
    SignedXml signedXml = new SignedXml(doc);
    signedXml.SignedInfo.CanonicalizationMethod = SignedXml.XmlDsigExcC14NTransformUrl;
    signedXml.SigningKey = Key;
    // Assumption: 'certificate' is the Base64 DER body of the certificate (PEM without header/footer).
    X509Certificate2 cert = new X509Certificate2(Convert.FromBase64String(certificate));
    KeyInfo keyInfo = new KeyInfo();
    KeyInfoX509Data keyInfoData = new KeyInfoX509Data(cert);
    keyInfo.AddClause(keyInfoData);
    signedXml.KeyInfo = keyInfo;
    // The Reference URI must be "#" + the value of the AuthnRequest's ID attribute.
    Reference reference = new Reference();
    reference.Uri = "#" + pfxRef;
    XmlDsigEnvelopedSignatureTransform env = new XmlDsigEnvelopedSignatureTransform();
    XmlDsigExcC14NTransform c14n = new XmlDsigExcC14NTransform();
    reference.AddTransform(env);
    reference.AddTransform(c14n);
    signedXml.AddReference(reference);
    signedXml.ComputeSignature();
    bool checkSignature = signedXml.CheckSignature(cert, true);
    XmlElement xmlDigitalSignature = signedXml.GetXml();
    // SAML 2.0 element order is Issuer, Signature, ...: insert after Issuer instead of appending at the end.
    XmlNode issuer = doc.DocumentElement.SelectSingleNode("*[local-name()='Issuer']");
    doc.DocumentElement.InsertAfter(doc.ImportNode(xmlDigitalSignature, true), issuer);
    return doc.OuterXml;
}
Here I could send only an RSA object, not the private key. And the signed SAML which I get is not showing as valid.
Any idea on using the string private key and certificate to sign the SAML and validate it in C# .NET?
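An added example (not code from the question) of the full path asked about: loading the PEM private key and certificate strings into an RSA key and X509Certificate2, signing the AuthnRequest with the ds:Signature placed after Issuer, and verifying the result against the certificate. It assumes .NET 5 or later (RSA.ImportFromPem, X509Certificate2.CreateFromPem) with the System.Security.Cryptography.Xml package, and PEM-encoded inputs; the class and method names are mine.

```csharp
using System;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;
using System.Security.Cryptography.Xml;
using System.Xml;

public static class SamlRequestSigner
{
    // Sign an AuthnRequest using a PEM private key and PEM certificate held as strings.
    public static string Sign(string authnRequestXml, string privateKeyPem, string certificatePem)
    {
        // PreserveWhitespace keeps the canonicalized bytes identical to the emitted bytes.
        var doc = new XmlDocument { PreserveWhitespace = true };
        doc.LoadXml(authnRequestXml);
        string requestId = doc.DocumentElement.GetAttribute("ID");
        if (string.IsNullOrEmpty(requestId))
            throw new InvalidOperationException("AuthnRequest has no ID attribute to reference.");

        RSA key = RSA.Create();
        key.ImportFromPem(privateKeyPem);            // PKCS#8 or PKCS#1 "BEGIN ... PRIVATE KEY" block
        var cert = X509Certificate2.CreateFromPem(certificatePem);

        var signedXml = new SignedXml(doc) { SigningKey = key };
        signedXml.SignedInfo.CanonicalizationMethod = SignedXml.XmlDsigExcC14NTransformUrl;
        signedXml.SignedInfo.SignatureMethod = SignedXml.XmlDsigRSASHA256Url; // rsa-sha1 (as in the sample) is deprecated
        var reference = new Reference("#" + requestId) { DigestMethod = SignedXml.XmlDsigSHA256Url };
        reference.AddTransform(new XmlDsigEnvelopedSignatureTransform());
        reference.AddTransform(new XmlDsigExcC14NTransform());
        signedXml.AddReference(reference);
        var keyInfo = new KeyInfo();
        keyInfo.AddClause(new KeyInfoX509Data(cert));
        signedXml.KeyInfo = keyInfo;
        signedXml.ComputeSignature();

        // Schema order is Issuer, Signature, ...: place the signature directly after Issuer.
        XmlNode issuer = doc.DocumentElement.SelectSingleNode("*[local-name()='Issuer']");
        doc.DocumentElement.InsertAfter(doc.ImportNode(signedXml.GetXml(), true), issuer);
        return doc.OuterXml;
    }

    // Verify against a certificate the caller already trusts; do not trust the embedded KeyInfo by itself.
    public static bool Verify(string signedXmlText, X509Certificate2 trustedCert)
    {
        var doc = new XmlDocument { PreserveWhitespace = true };
        doc.LoadXml(signedXmlText);
        var nodes = doc.GetElementsByTagName("Signature", SignedXml.XmlDsigNamespaceUrl);
        if (nodes.Count != 1) return false;          // exactly one enveloped signature expected
        var verifier = new SignedXml(doc);
        verifier.LoadXml((XmlElement)nodes[0]);
        return verifier.CheckSignature(trustedCert, verifySignatureOnly: true);
    }
}
```

Verify also checks that the Reference resolves to the AuthnRequest's own ID, so a relying party should still confirm that the signed element is the root request and not a nested element.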