AuthBridge.Protocols.Saml.SamlHandler.ProcessSignInResponse C# (CSharp) Method

ProcessSignInResponse() public method

public ProcessSignInResponse ( string realm, string originalUrl, System.Web.HttpContextBase httpContext ) : ClaimsIdentity
realm string
originalUrl string
httpContext System.Web.HttpContextBase
return System.Security.Claims.ClaimsIdentity
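        /// <summary>
        /// Handles the SAML sign-in response posted back by the identity provider and
        /// turns it into a <see cref="ClaimsIdentity"/>.
        /// </summary>
        /// <remarks>
        /// The checks run in this order: signature, status, audience, validity window.
        /// Each failure is reported through <c>ThrowAndLog</c>, which presumably throws
        /// (its definition is not shown here; confirm).
        /// NOTE(review): no replay check (assertion ID / InResponseTo) is visible in this
        /// method; confirm whether one of the helpers or the caller provides it.
        /// </remarks>
        /// <param name="realm">Not read by this implementation.</param>
        /// <param name="originalUrl">Not read by this implementation.</param>
        /// <param name="httpContext">Current request; the base64 <c>SAMLResponse</c> form field is read from it.</param>
        /// <returns>
        /// An identity holding a single <see cref="ClaimTypes.NameIdentifier"/> claim with the
        /// subject name id, and the response issuer as its authentication type.
        /// </returns>
        public override ClaimsIdentity ProcessSignInResponse(string realm, string originalUrl, HttpContextBase httpContext)
        {
            Logger.Info("ProcessSignInResponse");

            // The form field is attacker-controlled; reject a missing value explicitly
            // instead of failing inside the base64 decoder.
            var encodedResponse = httpContext.Request.Form["SAMLResponse"];
            if (string.IsNullOrEmpty(encodedResponse))
            {
                ThrowAndLog("The request did not contain a SAMLResponse form field.");
            }

            var response = Encoding.UTF8.GetString(Convert.FromBase64String(encodedResponse));

            // Do not write the raw response to the log: it carries the assertion
            // (subject identifiers, attributes) and, until it expires, is itself a
            // usable credential for anyone who can read the log.
            Logger.InfoFormat("SAMLResponse received ({0} characters)", response.Length);

            // The XML is untrusted until the signature check passes. A null resolver stops
            // the parser from fetching external entities or DTD subsets (older .NET
            // Framework versions default to a URL resolver). Inline DTDs are still parsed
            // by LoadXml; consider rejecting them outright.
            var doc = new XmlDocument { XmlResolver = null };
            doc.LoadXml(response);

            if (!VerifySignatures(doc))
            {
                ThrowAndLog("The thumbprint doesn't match the white list values.");
            }
            Logger.Info("Verified signature successfully");

            if (!VerifyStatus(doc))
            {
                ThrowAndLog("The SAML response status was not 'status:Success'");
            }
            Logger.Info("Verified status successfully");

            // NOTE(review): ExtractInformation receives the whole document. Confirm that it
            // reads only from the element VerifySignatures validated, otherwise an unsigned
            // sibling assertion could supply these values (signature wrapping).
            var information = ExtractInformation(doc);
            Logger.InfoFormat("Extracted information: SubjectNameId: {0}, Issuer: {1}, NotBefore: {2}, NotOnOrAfter: {3}", information.SubjectNameId, information.Issuer, information.NotBefore, information.NotOnOrAfter);

            if (!VerifyAudience(information))
            {
                ThrowAndLog("Audience does not match the white list values.");
            }
            Logger.Info("Verified audience successfully");

            if (!VerifyAllowedDateTimeRange(information))
            {
                ThrowAndLog("This SAML response is not valid any longer.");
            }
            Logger.Info("Verified allowed date time range successfully");

            Logger.InfoFormat("information.Issuer: {0}, information.SubjectNameId: {1}", information.Issuer, information.SubjectNameId);
            //You must add a claims policy for the protocol identifier!
            // The issuer taken from the response becomes the identity's authentication type.
            var issuerIdentifier = information.Issuer;
            var claims = new List<Claim>
            {
                new Claim(ClaimTypes.NameIdentifier, information.SubjectNameId)
            };
            return new ClaimsIdentity(claims, issuerIdentifier);
        }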