  • Jacob Polden 67 posts 178 karma points
    Jan 31, 2014 @ 15:33
    Jacob Polden
    0

    SAML and Umbraco

    Hi guys!


    We have just started work on an Umbraco 6 project that requires us to use the SAML protocol to interface with a security provider. After having a brief Googling session there doesn't seem to be any kind of recent work with Umbraco using a SAML based membership provider. If anyone reading this knows of any projects or good examples of SAML and Umbraco implementation - if you could post your info that would be super!

    The only real Umbraco and SAML thing I have found so far:

    http://digitaliser.dk/group/404609

    Cheers

    Jacob

  • Jacob Polden 67 posts 178 karma points
    Jan 31, 2014 @ 15:33
    Jacob Polden
    0

    Didn't mean to post twice! (sorry!)

  • Matt Taylor 873 posts 2086 karma points
    Apr 23, 2014 @ 12:08
    Matt Taylor
    0

    Hi Jacob,

    Did you find any resources?

    Matt

  • Søren Mastrup 122 posts 564 karma points c-trib
    Aug 03, 2015 @ 10:50
    Søren Mastrup
    0

    Did anyone find a solution to this?

  • Matt Taylor 873 posts 2086 karma points
    Aug 04, 2015 @ 08:03
    Matt Taylor
    0

    Not me as my project didn't go ahead.

  • Jacob Polden 67 posts 178 karma points
    Aug 04, 2015 @ 08:12
    Jacob Polden
    0

    We did get SAML working with Umbraco. Basically involved us writing our own membership provider. Any specifics you want to ask about?

  • Søren Mastrup 122 posts 564 karma points c-trib
    Aug 04, 2015 @ 08:17
    Søren Mastrup
    0

    I am currently getting this exception: "System.ServiceModel.FaultException: ID3082: The request scope is not valid or is unsupported."

    I can't figure out how to solve this exception. The code I use is pasted in below.

    @inherits Umbraco.Web.Mvc.UmbracoTemplatePage
    @using System
    @using System.Text
    @using System.Net
    @using System.Net.Http
    @using System.Net.Http.Headers
    @using System.Web
    @using System.ServiceModel
    @using System.ServiceModel.Channels
    @using System.Security.Cryptography.X509Certificates
    @using System.IdentityModel
    @using System.IdentityModel.Tokens
    @using System.ServiceModel.Security
    @using System.IdentityModel.Protocols.WSFederation
    @using System.IdentityModel.Protocols.WSTrust
    @using Thinktecture.IdentityModel
    @using Thinktecture.IdentityModel.Http
    @using Thinktecture.IdentityModel.Extensions
    @using Thinktecture.IdentityModel.Constants
    @using Thinktecture.IdentityModel.Metadata
    @using Thinktecture.IdentityModel.Tokens
    @using Thinktecture.IdentityModel.WSTrust
    
    @{
        Layout = null;
    
        const string adfs = "adfs.address.dk"; 
        const string serviceIdentifier = "http://my.site.dk";
        const string serviceAccountUsername = "USERNAME";
        const string serviceAccountPassword = "PASSWORD";
    
        // Ask the ADFS WS-Trust 1.3 username endpoint for a bearer token scoped to serviceIdentifier
        var tokenXml = GetSecurityToken(
            string.Format("https://{0}/adfs/services/trust/13/usernamemixed", adfs),
            serviceIdentifier,
            serviceAccountUsername,
            serviceAccountPassword);
    
        // Raw DEFLATE + Base64 + URL-encode the token before sending it as a bearer credential
        var authorizationHeaderPayload = DeflatedSamlEncode(tokenXml);
        // Writes the raw token XML into the page output (test page only)
        @tokenXml
    
        using (var client = new HttpClient()){
            client.DefaultRequestHeaders.Authorization = new AuthenticationHeaderValue("Bearer",authorizationHeaderPayload);
            var result = client.GetAsync("https://address.to.service.dk/").Result;
            result.EnsureSuccessStatusCode();
            // work with result from service
        }
    }
    
    @functions{
        public static string GetSecurityToken(string wsTrustEndpoint, string identifier, string serviceAccountUsername, string serviceAccountPassword){
            WSTrustChannelFactory factory = new WSTrustChannelFactory(new UserNameWSTrustBinding(SecurityMode.TransportWithMessageCredential), wsTrustEndpoint);
            factory.TrustVersion = TrustVersion.WSTrust13;
    
            // Certificate validation of the STS is switched off in this test; the ADFS TLS certificate is not checked
            factory.Credentials.ServiceCertificate.Authentication.CertificateValidationMode = X509CertificateValidationMode.None;
            factory.Credentials.ServiceCertificate.Authentication.RevocationMode = X509RevocationMode.NoCheck;
    
            factory.Credentials.UserName.UserName = serviceAccountUsername;
            factory.Credentials.UserName.Password = serviceAccountPassword;
    
            // AppliesTo is the relying-party identifier the token is scoped to
            var rst = new RequestSecurityToken {
                RequestType = WSTrust13Constants.RequestTypes.Issue,
                AppliesTo = new EndpointReference(identifier),
                KeyType = WSTrust13Constants.KeyTypes.Bearer,
            };
    
            var channel = factory.CreateChannel();
            GenericXmlSecurityToken token = (GenericXmlSecurityToken)channel.Issue(rst);
            return token.TokenXml.OuterXml;
        }
    
        public static string DeflatedSamlEncode(string token){
            // Raw DEFLATE, then Base64, then URL-encode (HttpUtility needs System.Web)
            var bytes = Encoding.UTF8.GetBytes(token);
            var deflatedBytes = new DeflateCookieTransform().Encode(bytes);
            var base64String = Convert.ToBase64String(deflatedBytes);
            var urlEncodedString = HttpUtility.UrlEncode(base64String);
            return urlEncodedString;
        }
    }
    
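The same WS-Trust bearer-token request as the test page above, written as a stand-alone example for this thread rather than taken from the original post or from Umbraco: it keeps the STS certificate validation that the test page switched off, and it adds a decode step so the deflate/Base64/URL encoding can be checked on a constructed token before the real service is wired up. The host name, relying-party identifier and credentials are placeholders, and the class and method names are this example's own.

```csharp
// Added example (not from the forum thread or Umbraco). Requests a bearer SAML token
// from an ADFS WS-Trust 1.3 username endpoint with certificate validation enabled and
// round-trips the deflate/Base64/URL encoding used to ship the token to a service.
using System;
using System.IdentityModel.Protocols.WSTrust;
using System.IdentityModel.Tokens;
using System.IO;
using System.IO.Compression;
using System.Security.Cryptography.X509Certificates;
using System.ServiceModel;
using System.ServiceModel.Security;
using System.Text;
using System.Web;

public static class SamlBearerTokenClient
{
    public static string GetSecurityToken(string wsTrustEndpoint, string appliesTo,
                                          string username, string password)
    {
        var binding = new UserNameWSTrustBinding(SecurityMode.TransportWithMessageCredential);
        var factory = new WSTrustChannelFactory(binding, new EndpointAddress(wsTrustEndpoint))
        {
            TrustVersion = TrustVersion.WSTrust13
        };

        // The thread's test page used CertificateValidationMode.None / RevocationMode.NoCheck,
        // so the service-account password would be sent to whatever answers at the endpoint.
        // ChainTrust + Online checks the ADFS TLS certificate against trusted roots and revocation.
        var auth = factory.Credentials.ServiceCertificate.Authentication;
        auth.CertificateValidationMode = X509CertificateValidationMode.ChainTrust;
        auth.RevocationMode = X509RevocationMode.Online;

        factory.Credentials.UserName.UserName = username;
        factory.Credentials.UserName.Password = password;

        // AppliesTo must match a relying-party identifier configured on ADFS; a value ADFS
        // does not know is a common cause of the "ID3082: The request scope is not valid" fault.
        var rst = new RequestSecurityToken
        {
            RequestType = RequestTypes.Issue,
            AppliesTo = new EndpointReference(appliesTo),
            KeyType = KeyTypes.Bearer
        };

        try
        {
            var channel = factory.CreateChannel();
            var token = (GenericXmlSecurityToken)channel.Issue(rst);
            return token.TokenXml.OuterXml;
        }
        finally
        {
            // Abort rather than Close so a faulted channel cannot mask the original exception.
            factory.Abort();
        }
    }

    // Raw DEFLATE -> Base64 -> URL-encode, the same steps as the posted DeflatedSamlEncode
    // (which used DeflateCookieTransform; DeflateStream yields the same raw DEFLATE stream).
    public static string DeflatedSamlEncode(string tokenXml)
    {
        using (var output = new MemoryStream())
        {
            using (var deflate = new DeflateStream(output, CompressionMode.Compress, leaveOpen: true))
            {
                var bytes = Encoding.UTF8.GetBytes(tokenXml);
                deflate.Write(bytes, 0, bytes.Length);
            }
            return HttpUtility.UrlEncode(Convert.ToBase64String(output.ToArray()));
        }
    }

    // Reverse of DeflatedSamlEncode: URL-decode -> Base64-decode -> inflate -> UTF-8 string.
    public static string DeflatedSamlDecode(string payload)
    {
        var compressed = Convert.FromBase64String(HttpUtility.UrlDecode(payload));
        using (var input = new MemoryStream(compressed))
        using (var inflate = new DeflateStream(input, CompressionMode.Decompress))
        using (var reader = new StreamReader(inflate, Encoding.UTF8))
        {
            return reader.ReadToEnd();
        }
    }

    // True when encode/decode round-trips; run on a constructed token first so encoding
    // mistakes are separated from STS or relying-party configuration problems.
    public static bool RoundTrips(string tokenXml)
    {
        return DeflatedSamlDecode(DeflatedSamlEncode(tokenXml)) == tokenXml;
    }

    public static void Main()
    {
        // Constructed sample assertion, not a real token.
        const string sampleToken =
            "<saml:Assertion xmlns:saml=\"urn:oasis:names:tc:SAML:2.0:assertion\" ID=\"_constructed\"/>";
        Console.WriteLine("encoding round-trips: " + RoundTrips(sampleToken));

        // Real call against a placeholder ADFS host and relying-party identifier:
        // var xml = GetSecurityToken("https://adfs.example.invalid/adfs/services/trust/13/usernamemixed",
        //                            "https://rp.example.invalid/", "svc-user", "secret");
    }
}
```

The round-trip helper is worth running on its own before anything touches ADFS: if `RoundTrips` returns true but the downstream service still rejects the header, the problem is on the STS or relying-party side (as it turned out to be in this thread), not in the encoding.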
  • Jacob Polden 67 posts 178 karma points
    Aug 04, 2015 @ 10:20
    Jacob Polden
    0

    Is there any particular reason you are doing this logic in the view? This looks like it should be further up in the request pipeline.

  • Søren Mastrup 122 posts 564 karma points c-trib
    Aug 04, 2015 @ 11:10
    Søren Mastrup
    0

    No, not really. It's just a quick and dirty test!

    Got it to work though! There was an issue on the identity provider server.

  • Jacob Polden 67 posts 178 karma points
    Aug 04, 2015 @ 13:55
    Jacob Polden
    0

    Yeah that's something we experienced with our client. A lot of the issues came from the configuration setup of the providing server.

  • Francisco Lino U. Ano 4 posts 74 karma points
    May 30, 2016 @ 10:52
    Francisco Lino U. Ano
    0

    Hi guys,

    Is the code coming from this link: http://digitaliser.dk/group/404609 still applicable to Umbraco 7.3 or later?

    thanks!
