saml and umbraco

Press Ctrl / CMD + C to copy this to your clipboard.

Copied to clipboard

Flag this post as spam?

This post will be reported to the moderators as potential spam to be looked at

Jacob Polden 67 posts 178 karma points

Jan 31, 2014 @ 15:33

0

SAML and Umbraco

Hi guys!

We have just start work on an Umbraco 6 project that requires us to use SAML protocol to interface with a security provider. After having a brief Googling session there doesn't seem to be any kind of recent work with Umbraco using a SAML based membership provider. If anyone reading this knows of any projects or good examples of SAML and Umbraco implementation - if you could post your info that would be super!

The only real Umbraco and SAML thing I have found so far:

http://digitaliser.dk/group/404609

Cheers

Jacob

Copy Link
Jacob Polden 67 posts 178 karma points

Jan 31, 2014 @ 15:33

0

Didn't mean to post twice! (sorry!)

Copy Link
Matt Taylor 873 posts 2086 karma points

Apr 23, 2014 @ 12:08

0

Hi Jacob,

Did you find any resources?

Matt

Copy Link
Søren Mastrup 122 posts 564 karma points c-trib

Aug 03, 2015 @ 10:50

0

Did any find a solution to this?

Copy Link
Matt Taylor 873 posts 2086 karma points

Aug 04, 2015 @ 08:03

0

Not me as my project didn't go ahead.

Copy Link
Jacob Polden 67 posts 178 karma points

Aug 04, 2015 @ 08:12

0

We did get SAML working with Umbraco. Basically involved us writing our own membership provider. Any specifics you want to ask about?

Copy Link

Søren Mastrup 122 posts 564 karma points c-trib

Aug 04, 2015 @ 08:17

I am currently getting this exception: "System.ServiceModel.FaultException: ID3082: The request scope is not valid or is unsupported."

I can't figure out how to solve this exception - The code I use is pasted in below.

@inherits Umbraco.Web.Mvc.UmbracoTemplatePage
@using System
@using System.Text
@using System.Net
@using System.Net.Http
@using System.Net.Http.Headers
@using System.ServiceModel
@using System.ServiceModel.Channels
@using System.Security.Cryptography.X509Certificates
@using System.IdentityModel
@using System.IdentityModel.Tokens
@using System.ServiceModel.Security
@using System.IdentityModel.Protocols.WSFederation
@using System.IdentityModel.Protocols.WSTrust
@using Thinktecture.IdentityModel
@using Thinktecture.IdentityModel.Http
@using Thinktecture.IdentityModel.Extensions
@using Thinktecture.IdentityModel.Constants
@using Thinktecture.IdentityModel.Metadata
@using Thinktecture.IdentityModel.Tokens
@using Thinktecture.IdentityModel.WSTrust

@{
    Layout = null;

    const string adfs = "adfs.address.dk"; 
    const string serviceIdentifier = "http://my.site.dk";
    const string serviceAccountUsername = "USERNAME";
    const string serviceAccountPassword = "PASSWORD";

    var tokenXml = GetSecurityToken(
        string.Format("https://{0}/adfs/services/trust/13/usernamemixed", adfs),
        serviceIdentifier,
        serviceAccountUsername,
        serviceAccountPassword);

    var authorizationHeaderPayload = DeflatedSamlEncode(tokenXml);
    @tokenXml

    using (var client = new HttpClient()){
        client.DefaultRequestHeaders.Authorization = new AuthenticationHeaderValue("Bearer",authorizationHeaderPayload);
        var result = client.GetAsync("https://address.to.service.dk/").Result;
        result.EnsureSuccessStatusCode();
        // work with result from service
    }
}

@functions{
    public static string GetSecurityToken(string wsTrustEndpoint, string identifier, string serviceAccountUsername, string serviceAccountPassword){
        WSTrustChannelFactory factory = new WSTrustChannelFactory(new UserNameWSTrustBinding(SecurityMode.TransportWithMessageCredential), wsTrustEndpoint);
        factory.TrustVersion = TrustVersion.WSTrust13;

        factory.Credentials.ServiceCertificate.Authentication.CertificateValidationMode = X509CertificateValidationMode.None;
        factory.Credentials.ServiceCertificate.Authentication.RevocationMode = X509RevocationMode.NoCheck;

        factory.Credentials.UserName.UserName = serviceAccountUsername;
        factory.Credentials.UserName.Password = serviceAccountPassword;

        var rst = new RequestSecurityToken {
            RequestType = WSTrust13Constants.RequestTypes.Issue,
            AppliesTo = new EndpointReference(identifier),
            KeyType = WSTrust13Constants.KeyTypes.Bearer,
        };

        var channel = factory.CreateChannel();
        GenericXmlSecurityToken token = (GenericXmlSecurityToken)channel.Issue(rst);
        return token.TokenXml.OuterXml;
    }

    public static string DeflatedSamlEncode(string token){
        var bytes = Encoding.UTF8.GetBytes(token);
        var deflatedBytes = new DeflateCookieTransform().Encode(bytes);
        var base64String = Convert.ToBase64String(deflatedBytes);
        var urlEncodedString = HttpUtility.UrlEncode(base64String);
        return urlEncodedString;
        return bytes.ToString();
    }
}

Copy Link

Jacob Polden 67 posts 178 karma points

Aug 04, 2015 @ 10:20

0

Is there any particular reason you are doing this logic in the view? This looks like it should be further up in the request pipeline.

Copy Link
Søren Mastrup 122 posts 564 karma points c-trib

Aug 04, 2015 @ 11:10

0

No not really - It's just a quick and dirty test!

Got it to work though! There was an issue on the identity provider server.

Copy Link
Jacob Polden 67 posts 178 karma points

Aug 04, 2015 @ 13:55

0

Yeah that's something we experienced with our client. A lot of the issues came from the configuration setup of the providing server.

Copy Link
Francisco Lino U. Ano 4 posts 74 karma points

May 30, 2016 @ 10:52

0

Hi guys,

is the code coming from this link: http://digitaliser.dk/group/404609 still applicable to umbraco 7.3 or later?

thanks!

Copy Link
is working on a reply...

This forum is in read-only mode while we transition to the new forum.

You can continue this topic on the new forum by tapping the "Continue discussion" link below.

Please Sign in or register to post replies

Flag this post as spam?

SAML and Umbraco