In a previous blog post, I talked about the SecurityTokenHandlers collection, a class from the .NET security framework that provides a single entry point for handling different types of security tokens.
In this post, I explain the need for a validating Saml2SecurityTokenHandler.
The code for my overloaded property is something like this:
// Requires: using System.IdentityModel.Services; using System.IdentityModel.Tokens;
private SecurityTokenHandlerCollection securityTokenHandlers;

private SecurityTokenHandlerCollection SecurityTokenHandlers
{
    get
    {
        if (securityTokenHandlers == null)
        {
            // Start from the handlers configured for the application, then swap the
            // default SAML 2.0 handler for the validating one.
            securityTokenHandlers = new SecurityTokenHandlerCollection(
                FederatedAuthentication.FederationConfiguration.IdentityConfiguration.SecurityTokenHandlers);

            for (int i = 0; i < securityTokenHandlers.Count; i++)
            {
                if (securityTokenHandlers[i] is Saml2SecurityTokenHandler)
                {
                    // Reuse the configuration of the handler being replaced (index i, not 0).
                    securityTokenHandlers[i] = new ValidatingSaml2SecurityTokenHandler
                    {
                        Configuration = securityTokenHandlers[i].Configuration
                    };
                }
            }
        }

        return securityTokenHandlers;
    }
}
The property SecurityTokenHandlers above modifies the predefined collection of handlers and inserts my own ValidatingSaml2SecurityTokenHandler. This is required because the ADFS server issues a token that contains a property InResponseTo. The default handler would throw an exception if this property is present in the SAML token, hence the need to implement my own handler with validation. The validating handler makes sure the SAML token we received is indeed the token we requested (i.e. it matches our request ID).
The class ValidatingSaml2SecurityTokenHandler is a specialized class of Saml2SecurityTokenHandler, which implements the ValidateConfirmationData method. This method is called by the .NET security framework if the SAML2 token contains a field SubjectId, which contains an InResponseTo value. This extra check is done to prevent DoS attacks. When a SAML2 issue request is made, the request contains an ID that only the client knows. When a token is issued, it contains the same ID in the InResponseTo field. This way, the client can check that the token was indeed issued in response to the request ID that the client initially sent. This logic is not implemented by default in the .NET security API, and thus we implement it ourselves.
// Requires: using System.IdentityModel.Tokens; using System.Web;
public class ValidatingSaml2SecurityTokenHandler : Saml2SecurityTokenHandler
{
    // Called by the framework while validating the token's subject confirmation data.
    // This override replaces the base implementation entirely (it does not call
    // base.ValidateConfirmationData), so only the check below is applied here.
    protected override void ValidateConfirmationData(Saml2SubjectConfirmationData confirmationData)
    {
        Saml2Id saml2Id = confirmationData.InResponseTo;
        if (saml2Id == null)
        {
            // No InResponseTo present: nothing to correlate against.
            return;
        }

        // The request ID we sent earlier is stored in a cookie named after the ID itself.
        string key = saml2Id.Value;
        HttpCookie cookie = HttpContext.Current.Request.Cookies[key];
        if (cookie == null)
        {
            // Not a response to a request this client made: reject the token.
            throw new SecurityTokenValidationException("Original request id not found");
        }
    }
}
The method above expects a cookie that contains the request ID that was initially sent. If no such cookie is present, we consider the response to be invalid and reject the token.
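The other half of the correlation, as an added example that is not part of the original post: a helper (hypothetical name RequestIdCookie) that creates the request ID and stores it in a short-lived HttpOnly cookie before the request is sent, and consumes that cookie once when the handler above validates InResponseTo. It assumes ASP.NET's System.Web HttpRequest/HttpResponse and the cookie-named-after-the-ID convention used above.

```csharp
using System;
using System.IdentityModel.Tokens;
using System.Web;

// Hypothetical helper (not from the original post): issues the request ID that is
// sent to the identity provider and keeps it in a cookie so the validating handler
// can match the InResponseTo value of the returned token against it.
public static class RequestIdCookie
{
    // A request ID is only useful for a short window; constructed value.
    private static readonly TimeSpan Lifetime = TimeSpan.FromMinutes(5);

    // Creates a fresh request ID and records it in a cookie named after the ID,
    // which is the convention the validating handler above relies on.
    public static Saml2Id Issue(HttpResponse response)
    {
        var id = new Saml2Id();                  // generates a unique "_..." identifier
        response.Cookies.Add(new HttpCookie(id.Value, "1")
        {
            HttpOnly = true,                     // not readable from script
            Secure = true,                       // only sent over HTTPS
            Expires = DateTime.UtcNow.Add(Lifetime)
        });
        return id;
    }

    // Returns true if the cookie for inResponseTo exists, and expires it so the
    // same request ID is not accepted a second time. Call this from
    // ValidateConfirmationData instead of the bare Cookies[key] lookup.
    public static bool TryConsume(HttpRequest request, HttpResponse response, Saml2Id inResponseTo)
    {
        HttpCookie cookie = request.Cookies[inResponseTo.Value];
        if (cookie == null)
        {
            return false;
        }

        // Overwrite with an already-expired cookie so the browser drops it.
        response.Cookies.Add(new HttpCookie(inResponseTo.Value)
        {
            Expires = DateTime.UtcNow.AddDays(-1)
        });
        return true;
    }
}
```

In the handler, `if (!RequestIdCookie.TryConsume(HttpContext.Current.Request, HttpContext.Current.Response, saml2Id)) throw new SecurityTokenValidationException("Original request id not found");` replaces the cookie lookup and makes each request ID single-use.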