ASP.NET Web API ADFS SAML Token
I am trying to achieve the same as in this link.
In my case I have a relying party trust registered in ADFS (ADFS 3.0).
An external application (mobile) authenticates against ADFS and gets an encoded SAML token (base64 encoded).
I have a Web API on on-premise IIS. My WebConfig.cs is as follows:
```csharp
using System;
using System.IdentityModel.Selectors;
using System.Web.Http;
// Namespace assumed for AuthenticationConfiguration, AuthenticationHandler and AddSaml2
// (Thinktecture.IdentityModel); adjust to the package version actually referenced.
using Thinktecture.IdentityModel.Tokens.Http;

public static class WebApiConfig
{
    public static void Register(HttpConfiguration config)
    {
        // Authentication configuration for the identity controller
        var authentication = CreateAuthenticationConfiguration();
        config.MessageHandlers.Add(new AuthenticationHandler(authentication));

        // Web API routes
        config.MapHttpAttributeRoutes();
        config.Routes.MapHttpRoute(
            name: "DefaultApi",
            routeTemplate: "api/{controller}/{id}",
            defaults: new { id = RouteParameter.Optional }
        );
    }

    private static AuthenticationConfiguration CreateAuthenticationConfiguration()
    {
        try
        {
            var authentication = new AuthenticationConfiguration
            {
                ClaimsAuthenticationManager = new ClaimsTransformer(),
                RequireSsl = false,
                EnableSessionToken = true
            };

            #region IdentityServer
            // Accept a SAML 2.0 bearer token sent as "Authorization: saml <token>"
            authentication.AddSaml2(
                issuerThumbprint: "c4f598c334683n2952b93efa8570b3550e71633",
                issuerName: "https://adfsserver.sample.com/adfs/ls",
                audienceUri: "https://<web api local server address>/", // https://localhost/
                certificateValidator: X509CertificateValidator.None,
                options: AuthenticationOptions.ForAuthorizationHeader("saml"),
                scheme: AuthenticationScheme.SchemeOnly("saml"));
            #endregion

            return authentication;
        }
        catch (Exception)
        {
            throw; // rethrow without resetting the stack trace
        }
    }
}
```
I have these questions:
1. Is the issuer URI correct?
2. Which thumbprint is expected here? In ADFS I have 3 certificates (decrypt, signing, service communication) with different thumbprints.
3. Are the option and scheme correct here ("saml")?
In the ADFS RP I have registered 2 endpoints:
- the endpoint the external application authenticates against
- my local Web API address (http:///)
I am testing with a console application, pasting the token in manually and calling the Web API. The code looks like this:
```csharp
using System;
using System.Net.Http;
using System.Net.Http.Headers;

class Program
{
    static Uri _baseAddress = new Uri("https://<web api server name>/");

    static void Main(string[] args)
    {
        string token = "<paste raw xml token>";
        CallService(token);
    }

    private static void CallService(string saml)
    {
        var client = new HttpClient { BaseAddress = _baseAddress };
        // Send the token in the Authorization header under the "saml" scheme
        client.DefaultRequestHeaders.Authorization = new AuthenticationHeaderValue("saml", saml);

        var response = client.GetAsync("api/values").Result;
        response.EnsureSuccessStatusCode(); // throws on 401

        var content = response.Content.ReadAsStringAsync();
        content.Wait();
        Console.WriteLine(content.Result);
        Console.ReadLine();
    }
}
```
This code fails with Unauthorized (401 error).
I have tried various permutations and combinations but am not able to get it working. I am not sure if I need to change something on the ADFS side, because:
I am using 1 relying party trust with 2 endpoints: 1 the external application uses, and 1 where the Web API is hosted.
I am not able to debug ClaimsTransformer to see the actual error; the breakpoint is not hit.
I am getting the token in encoded format. I manually decode the token and use it in the test application. A token sample after decoding is given below.
```xml
<samlp:Response ID="_3798017a9-3d9f-4f5e-8b8f-2654543a3652" Version="2.0"
    IssueInstant="2017-08-23T13:40:56.343Z" Destination="https://sample.demo.com:8443/api/saml"
    Consent="urn:oasis:names:tc:SAML:2.0:consent:unspecified"
    xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
  <Issuer xmlns="urn:oasis:names:tc:SAML:2.0:assertion">http://adfsserver.sample.com/adfs/services/trust</Issuer>
  <samlp:Status>
    <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success" />
  </samlp:Status>
  <Assertion ID="_324fdea4-b44b-40f9-908c-ddbfcbef9eaa" IssueInstant="2017-08-23T13:40:56.343Z" Version="2.0"
      xmlns="urn:oasis:names:tc:SAML:2.0:assertion">
    <Issuer>http://adfsserver.sample.com/adfs/services/trust</Issuer>
    <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
      <ds:SignedInfo>
        <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
        <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256" />
        <ds:Reference URI="#_324fdea4-b44b-40f9-908c-ddbfcbef9eaa">
          <ds:Transforms>
            <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
            <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
          </ds:Transforms>
          <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256" />
          <ds:DigestValue>eaegiestv0mkto01ynhb6vd+ips0pc6uwxji33czrgy=</ds:DigestValue>
        </ds:Reference>
      </ds:SignedInfo>
      <ds:SignatureValue>hawcxrbfwt/nfgr0nvtq3njefba8/isy7pjgq/0wvq7mmdktzqml968djt+cvuj+9heaiccifnoh0y3lcm3vdykmtvpsrfptlo33uehdcogeexhyfbbo1eqjkqf43sw+xwh/1rrjoodbkv8a3wa==</ds:SignatureValue>
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
        <ds:X509Data>
          <ds:X509Certificate>miic5dccacygawibagiqhejghckwdyvnx1mbmkhkszanbgkqhkig9w0baqsfadaumswwkgydvqqdeynbreztifnpz25pbmcglsbhzgzzlmrlbw9vbw5py29tlmnvbtaefw0xnza4mjiwnpirpcaf1n5v5wyto7he5teidfpxqclifl7iq19v5cnalgq6pxgesuhldiwbxwibpic2uxrc6dsgx6xey3z7vmaziaxzodmsbdt3lew/zd3xwvcgecfpkgcey5kwcq38agplmy1huibq7ea/ab16dkz6ago9ci/u4mfgrhevo+funrkf7pre7a3/s/wys1opssqvxtf22fpk2zicin6eweg6zmw5uvsjoc5nmnu/ymvdcsqgnjn/pt</ds:X509Certificate>
        </ds:X509Data>
      </KeyInfo>
    </ds:Signature>
    <Subject>
      <NameID>girija@sampledemo.com</NameID>
      <SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <SubjectConfirmationData NotOnOrAfter="2017-08-23T13:45:56.343Z"
            Recipient="https://sample.demo.com:8443/client-api/api/saml" />
      </SubjectConfirmation>
    </Subject>
    <Conditions NotBefore="2017-08-23T13:40:56.327Z" NotOnOrAfter="2017-08-23T14:40:56.327Z">
      <AudienceRestriction>
        <Audience>https://sample.demo.com:8443/client-api/api/saml</Audience>
      </AudienceRestriction>
    </Conditions>
    <AttributeStatement>
      <Attribute Name="http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname">
        <AttributeValue>girija</AttributeValue>
      </Attribute>
    </AttributeStatement>
    <AuthnStatement AuthnInstant="2017-08-23T10:55:09.624Z" SessionIndex="_324fdea4-b44b-40f9-908c-ddbfcbef9eaa">
      <AuthnContext>
        <AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</AuthnContextClassRef>
      </AuthnContext>
    </AuthnStatement>
  </Assertion>
</samlp:Response>
```
The encoded token looks similar (only one part was shown, not the full token).
I ideally want to pass the encoded token to the Web API and, at the Web API, decode it, authenticate and return values.
I know it is a long post, but I wanted to share what I can.
Thanks for the help. Looking forward to pointers and/or solutions.
- shankar
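An added diagnostic, not from the question or from Thinktecture, that reads the values the AddSaml2 settings are checked against out of a decoded ADFS response: the assertion Issuer (what issuerName must equal), the Audience (what audienceUri must equal), the Conditions validity window, and the SHA-1 thumbprint of the certificate carried in KeyInfo, which is the token-signing certificate that issuerThumbprint must match. The sample response is constructed with the Issuer and Audience of the decoded token above and a labelled placeholder in place of the certificate; run it on the real decoded XML with the configured values to see which of them differ.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

# Constructed sample in the shape of the decoded ADFS response in the question. The
# certificate is a labelled placeholder (not real DER), so its thumbprint is only a demo value.
PLACEHOLDER_CERT = b"constructed-placeholder-not-a-certificate"
PLACEHOLDER_THUMBPRINT = hashlib.sha1(PLACEHOLDER_CERT).hexdigest().upper()
SAMPLE_RESPONSE = f"""<samlp:Response xmlns:samlp="{NS['samlp']}" Version="2.0">
 <Assertion xmlns="{NS['saml']}" ID="_1" Version="2.0">
  <Issuer>http://adfsserver.sample.com/adfs/services/trust</Issuer>
  <ds:Signature xmlns:ds="{NS['ds']}"><KeyInfo xmlns="{NS['ds']}"><ds:X509Data>
   <ds:X509Certificate>{base64.b64encode(PLACEHOLDER_CERT).decode()}</ds:X509Certificate>
  </ds:X509Data></KeyInfo></ds:Signature>
  <Conditions NotBefore="2017-08-23T13:40:56.327Z" NotOnOrAfter="2017-08-23T14:40:56.327Z">
   <AudienceRestriction><Audience>https://sample.demo.com:8443/client-api/api/saml</Audience>
   </AudienceRestriction></Conditions>
 </Assertion>
</samlp:Response>"""


def parse_saml_time(value):
    """ADFS writes UTC timestamps with milliseconds and a trailing Z."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)


def inspect_assertion(response_xml, issuer_name, audience_uri, now):
    """Compare the assertion's Issuer, Audience and validity window with the values the
    API is configured with, and compute the SHA-1 thumbprint of the embedded signing cert."""
    assertion = ET.fromstring(response_xml).find("saml:Assertion", NS)
    issuer = assertion.findtext("saml:Issuer", namespaces=NS)
    conditions = assertion.find("saml:Conditions", NS)
    audience = conditions.findtext("saml:AudienceRestriction/saml:Audience", namespaces=NS)
    cert_b64 = assertion.findtext(
        "ds:Signature/ds:KeyInfo/ds:X509Data/ds:X509Certificate", namespaces=NS)
    # ADFS/Windows show a certificate thumbprint as SHA-1 over its DER bytes, upper-case hex.
    thumbprint = hashlib.sha1(base64.b64decode(cert_b64)).hexdigest().upper()
    now = parse_saml_time(now)
    return {
        "issuer": issuer, "issuer_ok": issuer == issuer_name,
        "audience": audience, "audience_ok": audience == audience_uri,
        "in_window": parse_saml_time(conditions.get("NotBefore")) <= now
                     < parse_saml_time(conditions.get("NotOnOrAfter")),
        "signing_thumbprint": thumbprint,
    }
```

A result with issuer_ok or audience_ok False means the token would be rejected before ClaimsTransformer ever runs, which matches a 401 with no breakpoint hit.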