Thinktecture - Unable to process SAML encrypted security token in Web API

In the .NET Web API, how can I configure the Thinktecture Saml2SecurityTokenHandler to use the X509 certificate to process the encrypted SAML2 security token (decrypt it before verification)?

The token was encrypted using Identity Server, configuring the RP to use the certificate for encryption.

The following is the working configuration (without encrypted token processing) taken from the Thinktecture samples:

```csharp
#region IdentityServer SAML
authentication.AddSaml2(
    issuerThumbprint: Constants.IdSrv.SigningCertThumbprint,
    issuerName: Constants.IdSrv.IssuerUri,
    audienceUri: Constants.Realm,
    certificateValidator: X509CertificateValidator.None,
    options: AuthenticationOptions.ForAuthorizationHeader(Constants.IdSrv.SamlScheme),
    scheme: AuthenticationScheme.SchemeOnly(Constants.IdSrv.SamlScheme));
#endregion
```
2 answers

To enable encrypted tokens using the Web API, I found this useful: http://www.alexthissen.nl/blogs/main/archive/2011/07/18/using-active-profile-for.aspx

Towards the end, you will see the code setting the ServiceTokenResolver property in the Configuration property of the SecurityTokenHandlerCollection, using the X509 certificate from the LocalMachine store. The Configuration property is a SecurityTokenHandlerConfiguration, which is one of the parameters of an overload of the AddSaml2 extension method in AuthenticationConfigurationExtensionsCore.cs in the Thinktecture.IdentityModel source. I ended up with the code below.

```csharp
// Trust only the IdentityServer signing certificate, identified by thumbprint.
var registry = new ConfigurationBasedIssuerNameRegistry();
registry.AddTrustedIssuer(Constants.IdSrv.SigningCertThumbprint, Constants.IdSrv.IssuerUri);

var handlerConfig = new SecurityTokenHandlerConfiguration();
handlerConfig.AudienceRestriction.AllowedAudienceUris.Add(new Uri(Constants.Realm));
handlerConfig.IssuerNameRegistry = registry;
handlerConfig.CertificateValidator = GetX509CertificateValidatorSetting();

// Load the RP's decryption certificate (with its private key) from the machine store.
X509Store store = new X509Store(StoreName.My, StoreLocation.LocalMachine);
store.Open(OpenFlags.ReadOnly);
X509Certificate2Collection certificates = store.Certificates;
X509Certificate2Collection matchingCertificates = certificates.Find(
    X509FindType.FindBySubjectDistinguishedName, "CN=RPTokenCertificate", false);
store.Close();
if (matchingCertificates.Count == 0)
    throw new InvalidOperationException("Decryption certificate CN=RPTokenCertificate not found in LocalMachine\\My.");
// Take the certificate from the filtered set, not from the unfiltered store contents.
X509Certificate2 certificate = matchingCertificates[0];

// The ServiceTokenResolver is where the SAML2 handler looks for the key that unwraps the EncryptedAssertion.
List<SecurityToken> serviceTokens = new List<SecurityToken>();
serviceTokens.Add(new X509SecurityToken(certificate));
SecurityTokenResolver serviceResolver = SecurityTokenResolver.CreateDefaultSecurityTokenResolver(
    serviceTokens.AsReadOnly(), false);
handlerConfig.ServiceTokenResolver = serviceResolver;

authentication.AddSaml2(handlerConfig,
    AuthenticationOptions.ForAuthorizationHeader(SamlScheme),
    AuthenticationScheme.SchemeOnly(SamlScheme));
```

Hope this helps.


Got this answer from someone:

```csharp
using System;
using System.IdentityModel.Selectors;
using System.IdentityModel.Tokens;
using System.IO;
using System.Linq;
using System.Security.Claims;
using System.Security.Cryptography.X509Certificates;
using System.Xml;

// pathToSigningCert was referenced but never declared in the posted snippet; it is taken as a parameter here.
public ClaimsIdentity DecryptToken(string token, string pathToSigningCert)
{
    XmlReader rdr = XmlReader.Create(new StringReader(token));

    SecurityTokenHandlerConfiguration config = new SecurityTokenHandlerConfiguration();
    config.AudienceRestriction.AllowedAudienceUris.Add(new Uri("urn:yourRP"));
    config.CertificateValidationMode = System.ServiceModel.Security.X509CertificateValidationMode.None;
    config.RevocationMode = X509RevocationMode.NoCheck;

    // Trust only the STS signing certificate, identified by its thumbprint.
    ConfigurationBasedIssuerNameRegistry inr = new ConfigurationBasedIssuerNameRegistry();
    X509Certificate2 cert = new X509Certificate2(pathToSigningCert);
    inr.AddTrustedIssuer(cert.Thumbprint, "STS Name");
    config.IssuerNameRegistry = inr;
    config.CertificateValidator = X509CertificateValidator.None;

    SecurityTokenHandlerCollection handlers =
        SecurityTokenHandlerCollection.CreateDefaultSecurityTokenHandlerCollection(config);

    if (!handlers.CanReadToken(rdr))
        return null;

    var tmpToken = handlers.ReadToken(rdr);
    var claimsIds = handlers.ValidateToken(tmpToken);
    return claimsIds.FirstOrDefault();
}
```

not sure if this helps.

What did you use as the name of the issuer? the name of the website that you configured in IIS? or the value you entered in the "Site ID" field on the "General Settings" page in the "IdentityServer Administration" section?

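Both answers build a SecurityTokenHandlerConfiguration by hand; the first adds the ServiceTokenResolver that the SAML2 handler needs to unwrap an EncryptedAssertion, the second shows the read-then-validate call sequence. The example below is added here and is not code from the thread or from Thinktecture; it combines both pieces into one WIF-only helper. The thumbprints, issuer name and audience are placeholders, the certificate is located by thumbprint rather than subject name, the store handle is closed, the lookup fails closed when the certificate is missing or has no private key, and it uses X509CertificateValidator.ChainTrust instead of the thread's None. The resulting configuration can be passed to the AddSaml2(handlerConfig, ...) overload from the first answer.

```csharp
using System;
using System.Collections.Generic;
using System.IdentityModel.Selectors;
using System.IdentityModel.Tokens;
using System.IO;
using System.Security.Claims;
using System.Security.Cryptography.X509Certificates;
using System.Xml;

// Added example, not from the thread. All four constants are placeholders for your RP's real values.
public static class EncryptedSamlValidation
{
    const string DecryptionCertThumbprint = "0000000000000000000000000000000000000000"; // placeholder
    const string IssuerThumbprint         = "1111111111111111111111111111111111111111"; // placeholder
    const string IssuerName               = "https://idsrv.example/trust";            // placeholder
    const string Audience                 = "urn:example:rp";                         // placeholder

    public static SecurityTokenHandlerConfiguration CreateConfiguration()
    {
        var config = new SecurityTokenHandlerConfiguration();
        config.AudienceRestriction.AllowedAudienceUris.Add(new Uri(Audience));

        // Only tokens signed by the pinned issuer thumbprint map to a known issuer name.
        var registry = new ConfigurationBasedIssuerNameRegistry();
        registry.AddTrustedIssuer(IssuerThumbprint, IssuerName);
        config.IssuerNameRegistry = registry;

        // Chain validation stays on; drop to None only for a self-signed issuer that is pinned above.
        config.CertificateValidator = X509CertificateValidator.ChainTrust;

        // The decryption key: the SAML2 handler resolves the EncryptedKey recipient through this resolver.
        X509Certificate2 decryptionCert = FindCertificateByThumbprint(DecryptionCertThumbprint);
        var serviceTokens = new List<SecurityToken> { new X509SecurityToken(decryptionCert) };
        config.ServiceTokenResolver = SecurityTokenResolver.CreateDefaultSecurityTokenResolver(
            serviceTokens.AsReadOnly(), canMatchLocalId: false);

        return config;
    }

    static X509Certificate2 FindCertificateByThumbprint(string thumbprint)
    {
        var store = new X509Store(StoreName.My, StoreLocation.LocalMachine);
        store.Open(OpenFlags.ReadOnly);
        try
        {
            X509Certificate2Collection found = store.Certificates.Find(
                X509FindType.FindByThumbprint, thumbprint, validOnly: false);
            if (found.Count != 1)
                throw new InvalidOperationException(
                    "Expected exactly one certificate with thumbprint " + thumbprint + ", found " + found.Count);
            X509Certificate2 cert = found[0];
            if (!cert.HasPrivateKey)
                throw new InvalidOperationException(
                    "Certificate " + thumbprint + " has no private key; it cannot decrypt tokens.");
            return cert;
        }
        finally
        {
            store.Close();
        }
    }

    public static ClaimsIdentity ValidateToken(string tokenXml)
    {
        SecurityTokenHandlerCollection handlers =
            SecurityTokenHandlerCollection.CreateDefaultSecurityTokenHandlerCollection(CreateConfiguration());

        // Token XML comes from the network: forbid DTDs and external resolution before parsing it.
        var settings = new XmlReaderSettings { DtdProcessing = DtdProcessing.Prohibit, XmlResolver = null };
        using (XmlReader reader = XmlReader.Create(new StringReader(tokenXml), settings))
        {
            if (!handlers.CanReadToken(reader))
                throw new SecurityTokenException("No handler in the collection can read this token.");

            // ReadToken unwraps the EncryptedAssertion using the ServiceTokenResolver;
            // ValidateToken then checks signature, issuer, audience and lifetime.
            SecurityToken token = handlers.ReadToken(reader);
            var identities = handlers.ValidateToken(token);
            if (identities.Count == 0)
                throw new SecurityTokenException("Token validated but produced no identity.");
            return identities[0];
        }
    }
}
```

ValidateToken throws rather than returning null on any failure, so a caller cannot mistake an unreadable or unvalidated token for an anonymous identity. If the resolver holds the wrong certificate, the failure surfaces in ReadToken as an inability to unwrap the encrypted key, which is the symptom the question describes.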

Source: https://habr.com/ru/post/1496769/
