WCF SAML: how to add X509Certificate and X509IssuerSerial to the same X509Data node?
I need to call an external web service that uses SAML to authenticate a user. I have referenced this sample code to create a SAML request.
Here is the expected SAML request segment (note the X509Data node):
<dsig:Signature xmlns:dsig="http://www.w3.org/2000/09/xmldsig#">
  <dsig:SignedInfo>
    <dsig:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
    <dsig:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
    <dsig:Reference URI="#SAML-9KTXIL9ap20ntAzPdjYdEg22">
      <dsig:Transforms>
        <dsig:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
        <dsig:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
      </dsig:Transforms>
      <dsig:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
      <dsig:DigestValue>{removed}</dsig:DigestValue>
    </dsig:Reference>
  </dsig:SignedInfo>
  <dsig:SignatureValue>{removed}</dsig:SignatureValue>
  <dsig:KeyInfo xmlns:dsig="http://www.w3.org/2000/09/xmldsig#">
    <dsig:X509Data>
      <dsig:X509Certificate>{removed}</dsig:X509Certificate>
      <dsig:X509IssuerSerial>
        <dsig:X509IssuerName>{removed}</dsig:X509IssuerName>
        <dsig:X509SerialNumber>{removed}</dsig:X509SerialNumber>
      </dsig:X509IssuerSerial>
      <dsig:X509SubjectName>{removed}</dsig:X509SubjectName>
      <dsig:X509SKI>{removed}</dsig:X509SKI>
    </dsig:X509Data>
  </dsig:KeyInfo>
</dsig:Signature>
Below is the SAML request segment:
<Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
  <SignedInfo>
    <CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
    <SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
    <Reference URI="#SAML-9KTXIL9ap20ntAzPdjYdEg22">
      <Transforms>
        <Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
        <Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
      </Transforms>
      <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
      <DigestValue>{removed}</DigestValue>
    </Reference>
  </SignedInfo>
  <SignatureValue>{removed}</SignatureValue>
  <KeyInfo>
    <X509Data>
      <X509Certificate>{removed}</X509Certificate>
    </X509Data>
    <o:SecurityTokenReference>
      <X509Data>
        <X509IssuerSerial>
          <X509IssuerName>{removed}</X509IssuerName>
          <X509SerialNumber>{removed}</X509SerialNumber>
        </X509IssuerSerial>
      </X509Data>
    </o:SecurityTokenReference>
  </KeyInfo>
</Signature>
Here is the key code that creates the SAML claim above:
using System;
using System.Collections.Generic;
using System.IdentityModel.Tokens;
using System.Security.Cryptography.X509Certificates;

public static SamlAssertion CreateX509Assertion(X509Certificate2 cert)
{
    // Bearer confirmation: whoever presents the assertion is treated as the subject.
    List<string> confirmationMethods = new List<string>(1);
    confirmationMethods.Add("urn:oasis:names:tc:SAML:1.0:cm:bearer");
    SamlSubject samlSubject = new SamlSubject("urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified", null, "admin", confirmationMethods, null, null);
    // Authentication instant in UTC, consistent with the issue instant below.
    SamlAuthenticationStatement samlAuthenticationStatement = new SamlAuthenticationStatement(samlSubject, "urn:oasis:names:tc:SAML:1.0:am:password", DateTime.UtcNow, null, null, null);
    List<SamlStatement> samlSubjectStatements = new List<SamlStatement>();
    samlSubjectStatements.Add(samlAuthenticationStatement);
    DateTime issueInstant = DateTime.UtcNow;
    // Assertion is valid for five minutes from the issue instant.
    SamlAssertion samlAssertion = new SamlAssertion("SAML-9KTXIL9ap20ntAzPdjYdEg22", "www.site.com",
        issueInstant,
        new SamlConditions(issueInstant, issueInstant + new TimeSpan(0, 5, 0)),
        null,
        samlSubjectStatements
    );
    SecurityKeyIdentifier ski = new SecurityKeyIdentifier();
    // Here is the problem!!!
    // Two clauses in one SecurityKeyIdentifier: the serializer writes each as its own
    // X509Data (the raw certificate directly, the issuer/serial inside a SecurityTokenReference).
    X509RawDataKeyIdentifierClause secClause = new X509RawDataKeyIdentifierClause(cert);
    X509IssuerSerialKeyIdentifierClause x509Clause = new X509IssuerSerialKeyIdentifierClause(cert);
    ski.Add(secClause);
    ski.Add(x509Clause);
    // The certificate's private key signs the assertion; ski becomes the ds:KeyInfo.
    X509AsymmetricSecurityKey signingKey = new X509AsymmetricSecurityKey(cert);
    samlAssertion.SigningCredentials = new SigningCredentials(signingKey, SecurityAlgorithms.RsaSha1Signature, SecurityAlgorithms.Sha1Digest, ski);
    return samlAssertion;
}
You can see that using the above code will split the X509Data in the KeyInfo node. I need to put them in the same node. Is there a way to do this?
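One way to get the single X509Data the service expects, as an added example that is not the asker's code and not a documented WCF feature: let WCF serialise and sign the assertion exactly as above, then merge the X509Data elements in the resulting XML. This is safe for the signature because ds:KeyInfo is not part of ds:SignedInfo, and the enveloped-signature transform removes the entire ds:Signature element from the digested input, so nothing under KeyInfo is covered by the signature value; the example re-verifies the signature afterwards to prove it. It assumes the posted code's CreateX509Assertion, that the assertion is written with WSSecurityTokenSerializer.DefaultInstance as the key-info serializer (the o:SecurityTokenReference wrapper in the posted output suggests this), and that the signing certificate carries its private key. The SamlSignedXml subclass is needed because SAML 1.1 identifies the assertion with AssertionID, which SignedXml does not resolve by default.

```csharp
using System;
using System.IdentityModel.Tokens;
using System.Security.Cryptography.X509Certificates;
using System.Security.Cryptography.Xml;
using System.ServiceModel.Security;
using System.Text;
using System.Xml;

public static class SamlKeyInfoMerger
{
    const string DsigNs = "http://www.w3.org/2000/09/xmldsig#";

    // Serialise (and thereby sign) the assertion with the stock WCF serializers.
    // Assumption: this is the same writer path that produced the posted output.
    public static XmlDocument SerializeSigned(SamlAssertion assertion)
    {
        var sb = new StringBuilder();
        var settings = new XmlWriterSettings { OmitXmlDeclaration = true, Indent = false };
        using (XmlWriter xw = XmlWriter.Create(sb, settings))
        using (XmlDictionaryWriter dw = XmlDictionaryWriter.CreateDictionaryWriter(xw))
        {
            new SamlSerializer().WriteAssertion(dw, assertion, WSSecurityTokenSerializer.DefaultInstance);
        }
        // PreserveWhitespace: the DOM must not alter any byte inside the signed element.
        var doc = new XmlDocument { PreserveWhitespace = true };
        doc.LoadXml(sb.ToString());
        return doc;
    }

    // Move the children of every additional ds:X509Data under ds:KeyInfo into the
    // first one, then drop the wrapper (o:SecurityTokenReference) left empty behind.
    // Returns the number of X509Data elements folded into the first one.
    public static int MergeX509Data(XmlDocument doc)
    {
        var ns = new XmlNamespaceManager(doc.NameTable);
        ns.AddNamespace("ds", DsigNs);
        int merged = 0;
        foreach (XmlElement keyInfo in doc.SelectNodes("//ds:Signature/ds:KeyInfo", ns))
        {
            XmlNodeList datas = keyInfo.SelectNodes(".//ds:X509Data", ns);
            if (datas.Count < 2) continue;
            var target = (XmlElement)datas[0];
            for (int i = 1; i < datas.Count; i++)
            {
                var extra = (XmlElement)datas[i];
                while (extra.FirstChild != null)
                    target.AppendChild(extra.FirstChild);   // AppendChild moves a same-document node
                XmlNode wrapper = extra.ParentNode;
                wrapper.RemoveChild(extra);
                // Remove the wrapper only if it is not KeyInfo itself and holds no elements now.
                if (wrapper != keyInfo && wrapper.SelectSingleNode("*") == null)
                    wrapper.ParentNode.RemoveChild(wrapper);
                merged++;
            }
        }
        return merged;
    }

    // SAML 1.1 uses AssertionID, not Id/ID, so teach SignedXml how to resolve "#SAML-...".
    sealed class SamlSignedXml : SignedXml
    {
        public SamlSignedXml(XmlDocument doc) : base(doc) { }

        public override XmlElement GetIdElement(XmlDocument document, string idValue)
        {
            XmlElement found = base.GetIdElement(document, idValue);
            if (found != null) return found;
            foreach (XmlElement el in document.SelectNodes("//*[@AssertionID]"))
                if (el.GetAttribute("AssertionID") == idValue) return el;
            return null;
        }
    }

    // Prove the merge did not disturb the signed bytes. verifySignatureOnly = true checks
    // the signature against the key we already trust instead of building a chain for
    // whatever certificate happens to sit in KeyInfo (a relying party must do the same).
    public static bool SignatureStillValid(XmlDocument doc, X509Certificate2 signer)
    {
        var sig = new SamlSignedXml(doc);
        sig.LoadXml((XmlElement)doc.GetElementsByTagName("Signature", DsigNs)[0]);
        return sig.CheckSignature(signer, true);
    }

    // Usage (assumes CreateX509Assertion from the question and a cert with a private key):
    //   XmlDocument doc = SamlKeyInfoMerger.SerializeSigned(CreateX509Assertion(cert));
    //   SamlKeyInfoMerger.MergeX509Data(doc);
    //   if (!SamlKeyInfoMerger.SignatureStillValid(doc, cert))
    //       throw new InvalidOperationException("signature broken by KeyInfo rewrite");
    //   string samlXml = doc.OuterXml;   // single X509Data with X509Certificate + X509IssuerSerial
}
```

Two caveats. The expected sample also lists X509SubjectName and X509SKI, which neither WCF clause emits; if the service really requires them (many only need the certificate or the issuer/serial), append them in the same pass from cert.SubjectName and the certificate's SubjectKeyIdentifier extension. And the assertion is signed with RSA-SHA1 over a SHA-1 digest because that is what the service's sample shows; SHA-1 is deprecated for signatures, so if the service accepts SecurityAlgorithms.RsaSha256Signature and Sha256Digest, prefer those.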