How to convert SAML XML token string to either SecurityToken or ClaimsPrincipal instance?

c# .net rest saml wif
Tyler picture Tyler · Apr 1, 2010 · Viewed 16.5k times · Source

My context:

  • .Net RESTful web service
  • Client (mixed platforms, technologies, lib capabilities) has obtained a SAML token
  • Trying to accept the token for authentication/authorization in the REST service
    • in HTTP Authorization / X-Authorization header
    • as query parameter
  • Will also support SWT later, but need to get SAML tokens going

Details:

I have a SAML token in a string:

<saml:Assertion xmlns:saml="..." ...> ..etc... </>

In an HttpModule, I want to convert this into a ClaimsPrincipal so that my service can do the usual Thread.CurrentPrincipal as IClaimsPrincipal stuff.

I found a couple enticing pages/blogs/etc... that looked helpful:

I'm stuck literally trying to turn the SAML token into the ClaimsPrincipal (via SecurityToken intermediate step or direct... happy either way). The sample code from Cibrax's idea uses the following for the crucial verification and deserialization step: 

SecurityTokenSerializer securityTokenSerializer 
    = new SecurityTokenSerializerAdapter(
        FederatedAuthentication.SecurityTokenHandlers, 
        MessageSecurityVersion.Default.SecurityVersion, 
        false, new SamlSerializer(), null, null);

SecurityToken theToken 
    = WSFederationAuthenticationModule.GetSecurityToken(
        theSamlTokenInStringForm, securityTokenSerializer);

The wall I've hit is that the RTM version of WIF does not expose this overload of GetSecurityToken... it only exposes: 

WSFederationAuthenticationModule fam = new WSFederationAuthenticationModule();
SecurityToken theToken = fam.GetSecurityToken(HttpRequest theRequest);
SecurityToken theToken = fam.GetSecurityToken(SignInResponseMessage message);

Thanks for helping me to get unstuck!

Tyler

Answer

Robert Muehsig picture Robert Muehsig · Sep 16, 2013

Just found this helpful. http://www.tecsupra.com/blog/system-identitymodel-manually-parsing-the-saml-token/

Basic idea: You need the XML of the "Audience"-node and then you can use the SecurityTokenHandlerCollection and use "ValidateToken"

From the post:

       string samlTokenXml = signInResponseXml
            .DocumentElement  // <trust:RequestSecurityTokenResponseCollection>
            .ChildNodes[0] // <trust:RequestSecurityTokenResponse>
            .ChildNodes[2] // <trust:RequestedSecurityToken>
            .InnerXml; // <Assertion>

        var xmlTextReader = new XmlTextReader(new StringReader(samlTokenXml));

        SecurityTokenHandlerCollection handlers = 
       FederatedAuthentication.FederationConfiguration.IdentityConfiguration.SecurityTokenHandlers;

        // read the token
        SecurityToken securityToken = handlers.ReadToken(xmlTextReader);

Related questions

Deciding between HttpClient and WebClient

Our web app is running in .Net Framework 4.0. The UI calls controller methods through ajax calls. We need to consume REST service from our vendor. I am evaluating the best way to call REST service in .Net 4.0. The REST service …

Read More
Download file with WebClient or HttpClient?

I am trying to download file from a URL and I have to choose between WebClient and HttpClient. I have referenced this article and several other articles on the internet. Everywhere, it is suggested to go for HttpClient due to …

Read More
How can I return a custom HTTP status code from a WCF REST method?

If something goes wrong in a WCF REST call, such as the requested resource is not found, how can I play with the HTTP response code (setting it to something like HTTP 404, for example) in my OperationContract method?

Read More