Question

我正在阅读Okta对申请的回应如下。请让我知道是否有nuget包或开源类来读取属性。

        var xml = HttpContext.Request.Form["SAMLResponse"];
        byte[] byteData = Convert.FromBase64String(xml);
        string samlXmlString = Encoding.UTF8.GetString(byteData);
        var stream = new StringReader(samlXmlString);
        var xmlReader = XmlReader.Create(stream);
        XmlDocument doc = new XmlDocument();
        doc.LoadXml(samlXmlString);
        var emailElement = doc.GetElementsByTagName("saml2:NameID");
        var attributes = doc.GetElementsByTagName("saml2:Attribute"); 
        var attributesValues = doc.GetElementsByTagName("saml2:AttributeValue");
        var username = emailElement[0].InnerText;
        var role = attributesValues[0].InnerText;

Answer 1

可以从以下代码中读取SAML响应属性。

var responseDecoded = System.Text.Encoding.UTF8.GetString(Convert.FromBase64String(HttpUtility.HtmlDecode(HttpContext.Current.Request.Form["SAMLResponse"])));

        // Pick out the token
        using (StringReader sr = new StringReader(responseDecoded))
        {
            using (XmlReader reader = XmlReader.Create(sr))
            {
                reader.ReadToFollowing("Assertion", "urn:oasis:names:tc:SAML:2.0:assertion");

                // Deserialize the token so that data can be taken from it and plugged into the RSTR
                SecurityTokenHandlerCollection coll = SecurityTokenHandlerCollection.CreateDefaultSecurityTokenHandlerCollection();
                token = (Saml2SecurityToken)coll.ReadToken(reader.ReadSubtree());
            }
        }

        if (token != null)
        {
            UserName = token.Assertion.Subject.NameId.Value;
            Issuer = token.Assertion.Issuer.Value;

            var saml2Statement = token.Assertion.Statements.FirstOrDefault(x => x.GetType() == new Saml2AttributeStatement().GetType());
            if (saml2Statement != null)
            {
                var attributes = ((Saml2AttributeStatement)saml2Statement).Attributes;
                if (attributes != null)
                {
                    if (attributes.FirstOrDefault(x => x.Name.ToString().ToLower().Equals("firstname")) != null)
                        FirstName = attributes.FirstOrDefault(x => x.Name.ToString().ToLower().Equals("firstname")).Values.FirstOrDefault();

                    if (attributes.FirstOrDefault(x => x.Name.ToString().ToLower().Equals("lastname")) != null)
                        LastName = attributes.FirstOrDefault(x => x.Name.ToString().ToLower().Equals("lastname")).Values.FirstOrDefault();
                }
            }
        }

Answer 2

不要直接解析SAML响应。您检查XML Signature SAML响应是 critical 。否则，未经授权的用户很容易使用SAML登录您的系统。

我无法找到一个好的NuGet或Open Source包来解析.NET中的SAML。因此，我建议使用ComponentSpace中的SAML v2.0 SSO component。配置ComponentSpace包之后，解析SAML响应就像这样简单：

bool isInResponseTo = false;
string partnerIdP = null;
string userName = null;
IDictionary<string, string> attributes = null;
string targetUrl = null;

try
{
    SAMLServiceProvider.ReceiveSSO(Request, out isInResponseTo, out partnerIdP, out userName, out attributes, out targetUrl);
}
catch (ComponentSpace.SAML2.Exceptions.SAMLException exception)
{
    throw exception;
}

在上面的示例代码中，SAML响应中的属性将位于attributes IDictionary中。

如果您已将SAML v2.0 SSO组件安装到系统的默认位置，则可在C:\Program Files (x86)\ComponentSpace SAML v2.0 for .NET\Examples\SSO\HighLevelAPI\MVC\MvcExampleServiceProvider\Controllers

中找到更多示例

从nuget包或opensource类中读取Okta SAML响应属性

2 个答案: