
Security Assertion Markup Language (SAML2.0)

22 Jun 2009, CPOL, 3 min read
SAML2.0

Introduction

SAML is an XML-based framework used by business entities or partners to share authentication, attribute, and entitlement information about an entity. An entity can be an end user who has business dealings with these partners, or it can be a business partner or an application.

Background

To get a technical overview of SAML, go through this link.

Overview

SAML can be used in the following three scenarios:

  1. Single Sign On (SSO): SAML is designed in particular to solve the multi-domain problem. For example, a user has an account with example1.com and example2.com, where these two are business partners. With a single sign on facility, the user has to log in just once and is then able to access resources from both Web sites. Sharing authentication information is fairly simple because SAML provides an independent grammar and protocol for passing it from one server domain to the other.
  2. Federated Identity: Maintaining identity information for each of the services a user subscribes to is a tedious process. SAML solves this problem by providing a grammar to establish an identity known as a federated identity. This is a shared name identifier used to refer to an end user or an entity who is using the services offered by various partners.
  3. Web Service Security: SAML also provides a facility to secure Web services. This is done by carrying a SAML assertion in the SOAP header to transmit information that cannot be expressed with other security token formats.

Read about SAML Protocols and Assertions here.

Using the Code

Before you start any programming on SAML, all you need is a set of protocol and assertion classes which you can use for any of the scenarios discussed above. I have been using SAML 2.0 for generating federated identity.

To generate the assertion and protocol classes, all you need is the schema definitions. You can get the SAML 2.0 schemas from this link. I am uploading the .NET class library project which contains the Protocols and Assertions classes (Core), and also all the schema files and documents. Please go through the SAML documents for the usage.

Use Xsd.exe provided in Visual Studio to generate the code. An example is given below:

C#
// Generate the C# classes from the SAML schema with Xsd.exe (Visual Studio command prompt):
// xsd SAMLSchema.xsd /language:CS

Note that you need to provide all dependent schemas in order to generate the full set of SAML protocol and assertion classes. These classes are serializable to XML.

Binding the SAML assertions and protocols: One important point about SAML assertions and protocol messages is that they must be carried over the wire exactly as they are, embedded unchanged in a transport protocol. A SAML binding defines how SAML assertions and protocol messages are embedded in standard communication protocols such as SOAP or HTTP. For more information, go through this link.

Test Case Scenario

The entity that provides the federated identity for the user and makes the assertions is called the asserting party, also known as the SAML authority. The entity that consumes these assertions is called the relying party. Here example1.com wants to generate a federated identity for the user (with the consent of the user) with example2.com. So example1.com generates a SAML authentication request and sends it to example2.com to create an external identity. Example2.com generates a SAML authentication response and sends it back to example1.com. This response contains an assertion from which the NameIdentifier can be retrieved. I am using HTTP handlers on both sides to handle this scenario, and HTTP POST to send the request and receive the response on the wire.

The SAML authentication request inside a soap envelope is as follows:

XML
<env:Envelope xmlns:env="http://schemas.xmlsoap.org/soap/envelope/">
  <env:Body>
    <samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
        xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
        xmlns:xsd="http://www.w3.org/2001/XMLSchema"
        ID="RlFme3cd9ThZVDg6a8Yqjg" Version="2.0" IssueInstant="2007-04-04T22:50:32.0860086Z"
        Destination="http://www.Example2.com" ForceAuthn="false" IsPassive="false"
        AssertionConsumerServiceURL="http://www.Example1.com">
      <saml:Issuer>http://www.Example1.com</saml:Issuer>
      <samlp:NameIDPolicy Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
          AllowCreate="true" />
      <saml:Conditions NotBefore="2007-04-04T22:40:32.0860086Z"
          NotOnOrAfter="2007-04-04T23:00:32.0860086Z" />
      <samlp:RequestedAuthnContext Comparison="minimum">
        <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:X509</saml:AuthnContextClassRef>
      </samlp:RequestedAuthnContext>
      <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
        <SignedInfo>
          <CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
          <SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
          <Reference URI="#RlFme3cd9ThZVDg6a8Yqjg">
            <Transforms>
              <Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
              <Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
            </Transforms>
            <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
            <DigestValue>7rLUhKYbusvESNYjbimJLUrvkXM=</DigestValue>
          </Reference>
        </SignedInfo>
        <SignatureValue>FDG7OPfFDA/MpF3jWTQfhKvsGaopt0W/pXf0t81ehZDvJ8VYtgvSaSOtD1Mhxt8x/7O8VE4GHBaA4q/VKbRKYj9F2lEUGi13Gt3iHOXHLYF6Sa5wa1Rrav2RNd05VUlGunghhxrUNScID+Ks5hVPgWU8bCj7O5EGg84PNlbAZoA=</SignatureValue>
      </Signature>
    </samlp:AuthnRequest>
  </env:Body>
</env:Envelope>

SAML Authentication response in soap envelope is as follows:

XML
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
  <soapenv:Body>
    <samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
        xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
        xmlns:xsd="http://www.w3.org/2001/XMLSchema"
        ID="_od8zwzNH4shfrUGeewHng" InResponseTo="RlFme3cd9ThZVDg6a8Yqjg" Version="2.0"
        IssueInstant="2007-04-04T22:51:52.4172846Z" Destination="http://www.Example1.com">
      <saml:Issuer>http://www.Example2.com</saml:Issuer>
      <samlp:Status>
        <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success" />
        <samlp:StatusMessage>Valid User</samlp:StatusMessage>
      </samlp:Status>
      <saml:Assertion Version="2.0" ID="1DNDh3_IC7KkVwbffd07Jw"
          IssueInstant="2007-04-04T22:51:52.4172846Z">
        <saml:Issuer>http://www.Example2.com</saml:Issuer>
        <saml:Subject>
          <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">e9da6e5a-81dd-4c31-a7d9-6b4107b5f443</saml:NameID>
          <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer" />
        </saml:Subject>
        <saml:Conditions NotBefore="2007-04-04T22:49:52.4172846Z"
            NotOnOrAfter="2007-04-04T23:01:52.4172846Z">
          <saml:AudienceRestriction>
            <saml:Audience>http://www.Example1.com</saml:Audience>
          </saml:AudienceRestriction>
        </saml:Conditions>
        <saml:AuthnStatement AuthnInstant="2007-04-04T22:51:52.4485176Z"
            SessionIndex="18ABA929-A685-4935-8D4D-40D3FA26FE3F">
          <saml:AuthnContext>
            <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:X509</saml:AuthnContextClassRef>
          </saml:AuthnContext>
        </saml:AuthnStatement>
        <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
          <SignedInfo>
            <CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
            <SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
            <Reference URI="#1DNDh3_IC7KkVwbffd07Jw">
              <Transforms>
                <Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
                <Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
              </Transforms>
              <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
              <DigestValue>WnPo9ySpwd5iCyaXpRuBwr8Qjx0=</DigestValue>
            </Reference>
          </SignedInfo>
          <SignatureValue>PYTA7kIWP3stDIiRY+d5dWUAehwbbThYg+U9woqE61ZNFr/kJzJZTh3m+0MOM3fAnU9ILYsNcSNhEueXOTSek9yA3nIuYHyowb75hVHI0oR1Kp9DHvWsoLE4U36d6FANNOIAi3BQUe84vLevfT0gpwnz8nXvttUgO7RnamGRBOI=</SignatureValue>
        </Signature>
      </saml:Assertion>
    </samlp:Response>
  </soapenv:Body>
</soapenv:Envelope>
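As an added example (not code from this article or its project; the logic is language-independent and is written here in Python), here are the checks a relying party such as example1.com should run on the response above before trusting the NameID: status, InResponseTo, Destination, Issuer, Audience, validity window, and that the enveloped signature references the very assertion it sits in. The sample is a constructed copy of the article's response trimmed to the parts inspected; actual signature verification still has to be done with an XML-DSig library and example2.com's certificate, which this code does not do.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone
NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
# Constructed sample: the article's response, trimmed to the parts inspected below.
SAMPLE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
  ID="_od8zwzNH4shfrUGeewHng" InResponseTo="RlFme3cd9ThZVDg6a8Yqjg" Version="2.0"
  Destination="http://www.Example1.com">
  <saml:Issuer>http://www.Example2.com</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion Version="2.0" ID="1DNDh3_IC7KkVwbffd07Jw">
    <saml:Issuer>http://www.Example2.com</saml:Issuer>
    <saml:Subject><saml:NameID>e9da6e5a-81dd-4c31-a7d9-6b4107b5f443</saml:NameID></saml:Subject>
    <saml:Conditions NotBefore="2007-04-04T22:49:52Z" NotOnOrAfter="2007-04-04T23:01:52Z">
      <saml:AudienceRestriction><saml:Audience>http://www.Example1.com</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
    <ds:Signature><ds:SignedInfo><ds:Reference URI="#1DNDh3_IC7KkVwbffd07Jw"/></ds:SignedInfo></ds:Signature>
  </saml:Assertion>
</samlp:Response>"""

def instant(s):
    """Parse a SAML UTC timestamp without fractional seconds (the sample uses none)."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def check_response(xml, request_id, sp_url, idp_url, now, skew=timedelta(minutes=3)):
    """Return the names of the relying-party checks that fail; [] means accept."""
    r, problems = ET.fromstring(xml), []
    if r.find("samlp:Status/samlp:StatusCode", NS).get("Value") != SUCCESS:
        problems.append("status")
    if r.get("InResponseTo") != request_id:      # unsolicited or replayed response
        problems.append("in_response_to")
    if r.get("Destination") != sp_url:           # response meant for another SP
        problems.append("destination")
    a = r.find("saml:Assertion", NS)
    if a is None:
        return problems + ["no_assertion"]
    if a.findtext("saml:Issuer", namespaces=NS) != idp_url:
        problems.append("issuer")
    c = a.find("saml:Conditions", NS)
    if not (instant(c.get("NotBefore")) - skew <= now < instant(c.get("NotOnOrAfter")) + skew):
        problems.append("validity_window")
    if sp_url not in [e.text for e in c.findall("saml:AudienceRestriction/saml:Audience", NS)]:
        problems.append("audience")
    ref = a.find("ds:Signature/ds:SignedInfo/ds:Reference", NS)
    if ref is None or ref.get("URI") != "#" + a.get("ID"):  # signature must cover this assertion
        problems.append("signature_reference")
    return problems
```

Only when the returned list is empty (and the XML-DSig check passes) should the NameID be read out and mapped to the local account.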

I hope this helps everyone interested in SAML to get a good understanding of the language.

Points of Interest

Just want to say that if you want to share user or entity information independently across different domains, then SAML is the best choice of all the identity management models available.

If you have any questions or comments, please email me.

History

  • 5th May, 2007: Initial post
  • 22nd June, 2009: Updated article and added project zip file 

License

This article, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)


Written By
Software Developer (Senior), Rovi Corporation
United States
Working on web services, web services security, SAML 2.0, WSE, WCF and ASP.NET AJAX applications.

Comments and Discussions

Re: is this article damaged? (adamspe, 15-Jun-09 9:42)
Thanks for the response. Well, I have a Java-based web service that is secured by SAML Sender Vouches and I need to write a C# client that can interoperate with it. I can easily write Java clients to it and as a result have a lot of example SAML XML, but I'm not exactly certain where to start when it comes to securing the messages using a C# client. I've written basic C# web service clients using proxy objects to Java services without issue before (basic authentication "secured" services) but have no starting point to deal with the security details (adding assertions, encrypting parts, signing other parts, etc.). I cannot seem to find any decent books or examples on this topic and this was the first hit that looked potentially promising.

In the case of Java (specifically Metro) it deals with all of the encryption/signing etc. (certificates being part of configuration which is completely separate from your client code). You supply the framework with a callback so you can supply the assertions for the server to validate. But how a client is secured is completely separate from any application logic. That is, you could change the security mechanism required on the server without really touching any client code; just change the callback handler required to supply the security info and nothing else changes. For the most part 99% of the ugly details are hidden behind smoke and mirrors supplied by IDEs.

Based on your article it sounds as if perhaps it's a bit more involved with C#, but again I can hardly find a starting point.

Any info you can supply would be greatly appreciated, code example preferable, but I understand if that's not something you have.

I was simply concerned since the article seemed incomplete that perhaps the code examples were there originally but damaged or something? Particularly since there's a section of the page that appears to be formatted to contain example code but contains nothing but a few comments.

Thanks.