I need to create a SAML token with custom data.
There is a good-looking example on MSDN but it's not compiling....
Has anybody got something to read about it, or a working sample?
Or is it just adding new claims to the Assertion collection? Do I need to describe them in federation metadata? What other issues should I handle? Would be glad to see any help.
Custom SAML attributes must be included in the new SAML token. The SAML token is created manually instead of using the SAMLTokenFactory to populate the SAML token from a JAAS subject automatically. There is no existing SAML token in the subject.
SAML is the older format and is based on XML. It's used commonly in protocols like SAML-P, WS-Trust and WS-Federation (although not strictly required). JWT (JSON Web Token) tokens are based on JSON and used in new authentication and authorization protocols like OpenID Connect and OAuth 2.0.
A SAML assertion is an XML security token issued by an identity provider and consumed by a service provider. The service provider relies on its content to identify the assertion's subject for security-related purposes. The SAML assertion is posted to the OAuth token endpoint.
I remember there's some custom SAML token generation code in one of the ACS samples. That would be a good place to start. You can download it here, look for the OAuth2CertificateSample, SelfSignedSaml2TokenGenerator.cs. The code looks like this:
using System;
using System.Globalization;
using System.IdentityModel.Tokens;
using System.Security.Cryptography.X509Certificates;

/// <summary>
/// Creates a SAML assertion signed with the given certificate.
/// </summary>
public static Saml2SecurityToken GetSamlAssertionSignedWithCertificate(String nameIdentifierClaim, byte[] certificateWithPrivateKeyRawBytes, string password)
{
    // The ACS namespace endpoint that will consume the token; used as the audience below.
    string acsUrl = string.Format(CultureInfo.InvariantCulture, "https://{0}.{1}", SamplesConfiguration.ServiceNamespace, SamplesConfiguration.AcsHostUrl);

    // Note: the Saml2Assertion constructor argument is the Issuer, not the subject.
    // This sample reuses the name identifier as the issuer because the token is self-signed.
    Saml2Assertion assertion = new Saml2Assertion(new Saml2NameIdentifier(nameIdentifierClaim));

    Saml2Conditions conditions = new Saml2Conditions();
    conditions.NotBefore = DateTime.UtcNow;
    // Sample code: the token never expires. A real issuer should set a lifetime of a few minutes.
    conditions.NotOnOrAfter = DateTime.MaxValue;
    conditions.AudienceRestrictions.Add(new Saml2AudienceRestriction(new Uri(acsUrl, UriKind.RelativeOrAbsolute)));
    assertion.Conditions = conditions;

    // Bearer subject confirmation: whoever presents the token is treated as the subject.
    Saml2Subject subject = new Saml2Subject();
    subject.SubjectConfirmations.Add(new Saml2SubjectConfirmation(Saml2Constants.ConfirmationMethods.Bearer));
    subject.NameId = new Saml2NameIdentifier(nameIdentifierClaim);
    assertion.Subject = subject;

    // Sign with the client certificate's private key. Exportable is not required for signing.
    X509SigningCredentials clientSigningCredentials = new X509SigningCredentials(
        new X509Certificate2(certificateWithPrivateKeyRawBytes, password, X509KeyStorageFlags.MachineKeySet | X509KeyStorageFlags.Exportable));
    assertion.SigningCredentials = clientSigningCredentials;

    return new Saml2SecurityToken(assertion);
}
Also, the authentication process doesn't require issued claims to be described in federation metadata. The claims published in federation metadata are only hints for the token consumer as to what they should expect to find in the issued token.
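The ACS sample above builds and signs the assertion but does not show the part the question asks about: putting custom data into it. The following is an added example, not code from the ACS samples or from the answer, that uses the same System.IdentityModel (WIF 4.5) types to add custom attributes as a SAML 2.0 AttributeStatement, gives the token a short lifetime instead of DateTime.MaxValue, and serializes it to the XML a relying party receives. The issuer URI, audience URI, certificate path and password, attribute names and values are all assumptions chosen for illustration.

```csharp
using System;
using System.Collections.Generic;
using System.IdentityModel.Tokens;
using System.Security.Cryptography.X509Certificates;
using System.Text;
using System.Xml;

public static class CustomSamlTokenIssuer
{
    // Assumed values for illustration only; replace with your own issuer, relying party and key.
    private const string IssuerId = "https://idp.example.test";        // assumption
    private const string AudienceUri = "https://rp.example.test/";      // assumption
    private const string CertificatePath = @"C:\keys\idp-signing.pfx";  // assumption
    private const string CertificatePassword = "pfx-password";          // assumption

    /// <summary>
    /// Builds a signed SAML 2.0 bearer assertion that carries custom attributes.
    /// </summary>
    public static Saml2SecurityToken CreateToken(
        string nameId,
        IDictionary<string, IEnumerable<string>> customAttributes,
        X509Certificate2 signingCert,
        TimeSpan lifetime)
    {
        // The constructor argument is the Issuer of the assertion.
        var assertion = new Saml2Assertion(new Saml2NameIdentifier(IssuerId));
        DateTime now = DateTime.UtcNow;

        // Subject: who the assertion is about. Bearer confirmation, bound to the recipient
        // and to the same expiry as the assertion so a captured token cannot be replayed later.
        var subject = new Saml2Subject(new Saml2NameIdentifier(nameId));
        var confirmation = new Saml2SubjectConfirmation(Saml2Constants.ConfirmationMethods.Bearer)
        {
            SubjectConfirmationData = new Saml2SubjectConfirmationData
            {
                Recipient = new Uri(AudienceUri),
                NotOnOrAfter = now.Add(lifetime),
            },
        };
        subject.SubjectConfirmations.Add(confirmation);
        assertion.Subject = subject;

        // Conditions: short validity window (2 minutes of clock skew allowed) and a single audience.
        var conditions = new Saml2Conditions
        {
            NotBefore = now.AddMinutes(-2),
            NotOnOrAfter = now.Add(lifetime),
        };
        conditions.AudienceRestrictions.Add(new Saml2AudienceRestriction(new Uri(AudienceUri)));
        assertion.Conditions = conditions;

        // Custom data lives in an AttributeStatement; each Saml2Attribute may carry several values.
        // The consumer will surface these as claims with the attribute name as the claim type.
        var attributeStatement = new Saml2AttributeStatement();
        foreach (var kv in customAttributes)
        {
            var attribute = new Saml2Attribute(kv.Key, kv.Value)
            {
                NameFormat = new Uri("urn:oasis:names:tc:SAML:2.0:attrname-format:uri"),
            };
            attributeStatement.Attributes.Add(attribute);
        }
        assertion.Statements.Add(attributeStatement);

        // Enveloped XML signature over the assertion using the issuer's private key.
        assertion.SigningCredentials = new X509SigningCredentials(signingCert);
        return new Saml2SecurityToken(assertion);
    }

    /// <summary>
    /// Serializes the token to the signed XML that a relying party or token endpoint receives.
    /// </summary>
    public static string Serialize(Saml2SecurityToken token)
    {
        var handler = new Saml2SecurityTokenHandler();
        var sb = new StringBuilder();
        using (var writer = XmlWriter.Create(sb, new XmlWriterSettings { OmitXmlDeclaration = true }))
        {
            handler.WriteToken(writer, token);
        }
        return sb.ToString();
    }

    public static void Main()
    {
        var cert = new X509Certificate2(CertificatePath, CertificatePassword);
        // Constructed sample attributes; the claim type URIs are assumptions.
        var attrs = new Dictionary<string, IEnumerable<string>>
        {
            { "http://schemas.example.test/claims/department", new[] { "finance" } },
            { "http://schemas.example.test/claims/role", new[] { "approver", "auditor" } },
        };
        Saml2SecurityToken token = CreateToken("alice@example.test", attrs, cert, TimeSpan.FromMinutes(5));
        Console.WriteLine(Serialize(token));
    }
}
```

Nothing in this example is declared in federation metadata; the relying party only needs to trust the signing certificate and accept the audience URI. The consumer's token handler turns each Saml2Attribute into a claim whose type is the attribute name, so the custom claim types you choose here are the ones to check for on the receiving side.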