Skip to main content

A Validating Saml2SecurityTokenHandler

In a previous blog post, I talked about a SecurityTokenHandlers collection of different security tokens. This is a class from the .NET security framework and it allows a unified entry to different types of tokens.

In this post, I explain the need for a validating Saml2SecurityTokenHandler.

The code for my overloaded property is something like this:

private SecurityTokenHandlerCollection securityTokenHandlers;
private SecurityTokenHandlerCollection SecurityTokenHandlers
{
    get
    {
        if (securityTokenHandlers == null)
        {
            securityTokenHandlers = new SecurityTokenHandlerCollection(
                FederatedAuthentication.FederationConfiguration.IdentityConfiguration.SecurityTokenHandlers);
            for (int i = 0; i < securityTokenHandlers.Count; i++)
            {
                if (securityTokenHandlers[i] is Saml2SecurityTokenHandler)
                {
                    securityTokenHandlers[i] = new ValidatingSaml2SecurityTokenHandler
                    {
                        Configuration = securityTokenHandlers[0].Configuration
                    };
                }
            }
        }

        return securityTokenHandlers;
    }
}

The property SecurityTokenHandlers above modifies the predefined collection of handlers and inserts my own ValidatingSaml2SecurityTokenHandler. This is required because the ADFS server issues a token that contains a property InResponseTo. The default handler would throw an exception if this property is present in the SAML token, hence the need to implement my own handler with validation. The validating handler makes sure the SAML token we received, is indeed the token we requested (i.e. it matches our request ID).

The class ValidatingSaml2SecurityTokenHandler is a specialized class of Saml2SecurityTokenHandler, which implements the ValidateConfirmationData method. This method is called by the .NET security framework, if the SAML2 token contains a field SubjectId, which contains an InResponseTo value. This extra check is done to prevent DOS attacks. When a SAML2 issue request is made, the request contains an ID that only the client knows. When a token is issued, it contains the same ID in the InResponseTo field. This way, the client can check that the token was indeed issued in response to the request ID that the client initially sent. This logic is not implemented by default in .NET security API, and thus we implement it ourselves.

public class ValidatingSaml2SecurityTokenHandler : Saml2SecurityTokenHandler
{
    protected override void ValidateConfirmationData(Saml2SubjectConfirmationData confirmationData)
    {
        Saml2Id saml2Id = confirmationData.InResponseTo;
        if (saml2Id == null)
        {
            return;
        }

        string key = saml2Id.Value;
        HttpCookie cookie = HttpContext.Current.Request.Cookies[key];

        if (cookie == null)
        {
            throw new Exception("Original request id not found");
        }
    }
}

The method above expects a cookie that contains the request ID that was initially sent. If no such cookie is present, we consider the response to be invalid and reject the token.




Comments

Popular posts from this blog

Running sp_updatestats on AWS RDS database

Part of the maintenance tasks that I perform on a MSSQL Content Manager database is to run stored procedure sp_updatestats . exec sp_updatestats However, that is not supported on an AWS RDS instance. The error message below indicates that only the sa  account can perform this: Msg 15247 , Level 16 , State 1 , Procedure sp_updatestats, Line 15 [Batch Start Line 0 ] User does not have permission to perform this action. Instead there are several posts that suggest using UPDATE STATISTICS instead: https://dba.stackexchange.com/questions/145982/sp-updatestats-vs-update-statistics I stumbled upon the following post from 2008 (!!!), https://social.msdn.microsoft.com/Forums/sqlserver/en-US/186e3db0-fe37-4c31-b017-8e7c24d19697/spupdatestats-fails-to-run-with-permission-error-under-dbopriveleged-user , which describes a way to wrap the call to sp_updatestats and execute it under a different user: create procedure dbo.sp_updstats with execute as 'dbo' as

Scaling Policies

This post is part of a bigger topic Autoscaling Publishers in AWS . In a previous post we talked about the Auto Scaling Groups , but we didn't go into details on the Scaling Policies. This is the purpose of this blog post. As defined earlier, the Scaling Policies define the rules according to which the group size is increased or decreased. These rules are based on instance metrics (e.g. CPU), CloudWatch custom metrics, or even CloudWatch alarms and their states and values. We defined a Scaling Policy with Steps, called 'increase_group_size', which is triggered first by the CloudWatch Alarm 'Publish_Alarm' defined earlier. Also depending on the size of the monitored CloudWatch custom metric 'Waiting for Publish', the Scaling Policy with Steps can add a difference number of instances to the group. The scaling policy sets the number of instances in group to 1 if there are between 1000 and 2000 items Waiting for Publish in the queue. It also sets the

Toolkit - Dynamic Content Queries

This post if part of a series about the  File System Toolkit  - a custom content delivery API for SDL Tridion. This post presents the Dynamic Content Query capability. The requirements for the Toolkit API are that it should be able to provide CustomMeta queries, pagination, and sorting -- all on the file system, without the use third party tools (database, search engines, indexers, etc). Therefore I had to implement a simple database engine and indexer -- which is described in more detail in post Writing My Own Database Engine . The querying logic does not make use of cache. This means the query logic is executed every time. When models are requested, the models are however retrieved using the ModelFactory and those are cached. Query Class This is the main class for dynamic content queries. It is the entry point into the execution logic of a query. The class takes as parameter a Criterion (presented below) which triggers the execution of query in all sub-criteria of a Criterio