Security Assertion Markup Language well known as SAML is an XML standard for exchanging authentication and authorization data between security domains, that is, between an identity provider and a service provider. SAML is a product of the OASIS Security Services Technical Committee.
By implementing of web service security in interoperable application, you will be almost always required to deal with SAML token. Depending on what your are going to do, there are several helpful scenarios. Most important scenarios are:
- Create the new (signed) token
- Obtain the token from STS (Security Token Service) and do verification
- Persist the (unchanged) token (HDD or memory)
- Send the (unchanged) token to some provider (i.e.: WCF service)
Following example shows how to load the token from the file and how to do verification.
private static
void Main(string[] args)
{
XmlReader reader = XmlReader.Create("samltoken.xml");
List<SecurityToken> tokens = new
List<SecurityToken>();
tokens.Add(new
X509SecurityToken("certificate.crt"));
SecurityTokenResolver outOfBandTokenResolver = SecurityTokenResolver.CreateDefaultSecurityTokenResolver(new
ReadOnlyCollection<SecurityToken>(tokens), true);
SecurityToken securityToken = WSSecurityTokenSerializer.DefaultInstance.ReadToken(reader, outOfBandTokenResolver);
SamlSecurityToken deserializedSaml = securityToken as
SamlSecurityToken;
}
|
This example first loads the SAML security token from the file. The token is any valid SAML token which can be created as shown in this post. In the second step the certificate with the public key of issuer is loaded.
Then the SAML token has to be loaded in the list of security tokens, which is then deserialized. Note that deserialization process automatically proves the validity of digital signature of the token.
The procedure of verification of the signature is not very intuitive, but it costs just few lines of code. Unfortunately in many cases you will have to deal with SAML token as subset of some XmlDocument. To illustrate this, image you have to load the token from some stream in XmlDocument. In this case it is very important to know that loading and writing of XML by using readers, writes and XmlDocument itself, mostly changes the stream containing the xml data. For example the loading of XML document does not preserve whitespaces.
However, if the document is signed, the loading procedure must not change anything. Otherwise the verification will fail. When you read or write the XML document with signed content, be sure that whitespaces are preserved as shown in following example:
private static
void Main(string[] args)
{
XmlDocument xDoc1 = new
XmlDocument();
xDoc1.PreserveWhitespace = true;
// Note that this token is added in resources as binary data.
xDoc1.Load(new
MemoryStream(Resources.SbbTokenWithNULLUri));
// Adding Loading from file
xDoc1.Load("samltoken.xml");
. . .
XmlDocument xDoc2 = new
XmlDocument();
xDoc2.PreserveWhitespace = true;
xDoc2.Load(@"samltoken.xml");
}
|
Posted
Feb 22 2007, 07:42 PM
by
Damir Dobric