SOLIDSoftworks
diff --git a/‎src/AspNetCore.IdpSample/Startup.cs‎
Lines changed: 2 additions & 0 deletions b/‎src/AspNetCore.IdpSample/Startup.cs‎
Lines changed: 2 additions & 0 deletions
diff --git a/‎src/Solid.Identity.Protocols.Saml2p/Authentication/Saml2pAuthenticationHandler.cs‎
Lines changed: 2 additions & 0 deletions b/‎src/Solid.Identity.Protocols.Saml2p/Authentication/Saml2pAuthenticationHandler.cs‎
Lines changed: 2 additions & 0 deletions
diff --git a/‎src/Solid.Identity.Protocols.Saml2p/Cache/Saml2pCache.cs‎
Lines changed: 27 additions & 0 deletions b/‎src/Solid.Identity.Protocols.Saml2p/Cache/Saml2pCache.cs‎
Lines changed: 27 additions & 0 deletions
diff --git a/‎src/Solid.Identity.Protocols.Saml2p/Exceptions/SamlResponseException.cs‎
Lines changed: 33 additions & 0 deletions b/‎src/Solid.Identity.Protocols.Saml2p/Exceptions/SamlResponseException.cs‎
Lines changed: 33 additions & 0 deletions
diff --git a/‎src/Solid.Identity.Protocols.Saml2p/Extensions/EnumExtensions.cs‎
Lines changed: 61 additions & 4 deletions b/‎src/Solid.Identity.Protocols.Saml2p/Extensions/EnumExtensions.cs‎
Lines changed: 61 additions & 4 deletions
diff --git a/‎src/Solid.Identity.Protocols.Saml2p/Factories/AuthnRequestFactory.cs‎
Lines changed: 2 additions & 1 deletion b/‎src/Solid.Identity.Protocols.Saml2p/Factories/AuthnRequestFactory.cs‎
Lines changed: 2 additions & 1 deletion
diff --git a/‎src/Solid.Identity.Protocols.Saml2p/Factories/SamlResponseFactory.cs‎
Lines changed: 17 additions & 34 deletions b/‎src/Solid.Identity.Protocols.Saml2p/Factories/SamlResponseFactory.cs‎
Lines changed: 17 additions & 34 deletions
diff --git a/‎src/Solid.Identity.Protocols.Saml2p/Middleware/Idp/AcceptSsoEndpointMiddleware.cs‎
Lines changed: 60 additions & 10 deletions b/‎src/Solid.Identity.Protocols.Saml2p/Middleware/Idp/AcceptSsoEndpointMiddleware.cs‎
Lines changed: 60 additions & 10 deletions
@@ -53,6 +53,8 @@ public void ConfigureServices(IServiceCollection services)
 
                         sp.SupportedBindings.Clear();
                         sp.SupportedBindings.Add(BindingType.Post);
+
+                        sp.Enabled = false;
                     });
                 })
             ;
 
@@ -43,6 +43,8 @@ protected override async Task<HandleRequestResult> HandleRemoteAuthenticateAsync
             try
             {
                 var result = await Context.FinishSsoAsync();
+                if(!result.IsSuccessful)
+
                 var properties = new AuthenticationProperties
                 {
                     IssuedUtc = result.SecurityToken.ValidFrom,
 
@@ -1,4 +1,5 @@
 using Microsoft.Extensions.Caching.Distributed;
+using Solid.Identity.Protocols.Saml2p.Models;
 using Solid.Identity.Protocols.Saml2p.Models.Protocol;
 using System;
 using System.Collections.Generic;
@@ -24,12 +25,38 @@ public Task CacheRequestAsync(string key, AuthnRequest request)
             return _inner.SetAsync(key, json);
         }
 
+        public Task CacheStatusAsync(string key, SamlResponseStatus status)
+            => CacheStatusAsync(key, status, null);
+
+        public Task CacheStatusAsync(string key, SamlResponseStatus status, SamlResponseStatus? subStatus)
+            => CacheStatusAsync(key, (Status: status, SubStatus: subStatus));
+
+        private Task CacheStatusAsync(string key, (SamlResponseStatus Status, SamlResponseStatus? SubStatus) status)
+        {
+            var json = JsonSerializer.SerializeToUtf8Bytes(status);
+            return _inner.SetAsync($"{key}_status", json);
+        }
+
         public async Task<AuthnRequest> FetchRequestAsync(string key)
         {
             var json = await _inner.GetAsync(key);
             if (json == null) return null;
 
             return JsonSerializer.Deserialize<AuthnRequest>(json);
         }
+
+        public async Task<(SamlResponseStatus Status, SamlResponseStatus? SubStatus)?> FetchStatusAsync(string key)
+        {
+            var json = await _inner.GetAsync($"{key}_status");
+            if (json == null) return null;
+
+            return JsonSerializer.Deserialize<(SamlResponseStatus Status, SamlResponseStatus? SubStatus)>(json);
+        }
+
+        public async Task RemoveAsync(string key)
+        {
+            await _inner.RemoveAsync(key);
+            await _inner.RemoveAsync($"{key}_status");
+        }
     }
 }
@@ -0,0 +1,33 @@
+using System;
+using System.Collections.Generic;
+using System.Runtime.Serialization;
+using System.Text;
+
+namespace Solid.Identity.Protocols.Saml2p.Exceptions
+{
+    /// <summary>
+    /// A exception that can be thrown during SP authentication.
+    /// </summary>
+    public class SamlResponseException : Exception
+    {
+        /// <summary>
+        /// Creates a new exception.
+        /// </summary>
+        /// <param name="partnerId">The id of the partner to send the response.</param>
+        /// <param name="status">The status of the response.</param>
+        /// <param name="subStatus">The substatus of the response.</param>
+        public SamlResponseException(string partnerId, Uri status, Uri subStatus) 
+            : base(GenerateMessage(partnerId, status, subStatus))
+        {
+        }
+
+        private static string GenerateMessage(string partnerId, Uri status, Uri subStatus)
+        {
+            var builder = new StringBuilder();
+            builder.AppendLine($"SSO using parnter '{partnerId}' failed.");
+            builder.AppendLine($"  SAMLResponse status:    {status}");
+            builder.AppendLine($"  SAMLResponse substatus: {subStatus}");
+            return builder.ToString();
+        }
+    }
+}
@@ -6,7 +6,7 @@ namespace Solid.Identity.Protocols.Saml2p.Models
 {
     internal static class EnumExtensions
     {
-        public static string ToBindingTypeString(this BindingType bindingType)
+        public static string ToProtocolBindingString(this BindingType bindingType)
         {
             switch(bindingType)
             {
@@ -17,9 +17,66 @@ public static string ToBindingTypeString(this BindingType bindingType)
             throw new ArgumentException($"Unsupported binding type: {bindingType}");
         }
 
-        //public static string ToStatusString(this SamlResponseStatus status)
-        //{
+        public static Uri ToStatusUri(this SamlResponseStatus status)
+        {
+            switch (status)
+            {
+                case SamlResponseStatus.Success: return Saml2pConstants.Statuses.Success;
+                case SamlResponseStatus.Requester: return Saml2pConstants.Statuses.Requester;
+                case SamlResponseStatus.Responder: return Saml2pConstants.Statuses.Responder;
+                case SamlResponseStatus.AuthnFailed: return Saml2pConstants.Statuses.AuthnFailed;
+                case SamlResponseStatus.VersionMismatch: return Saml2pConstants.Statuses.VersionMismatch;
+                case SamlResponseStatus.InvalidAttrNameOrValue: return Saml2pConstants.Statuses.InvalidAttrNameOrValue;
+                case SamlResponseStatus.InvalidNameIDPolicy: return Saml2pConstants.Statuses.InvalidNameIDPolicy;
+                case SamlResponseStatus.NoAuthnContext: return Saml2pConstants.Statuses.NoAuthnContext;
+                case SamlResponseStatus.NoAvailableIDP: return Saml2pConstants.Statuses.NoAvailableIDP;
+                case SamlResponseStatus.NoPassive: return Saml2pConstants.Statuses.NoPassive;
+                case SamlResponseStatus.NoSupportedIDP: return Saml2pConstants.Statuses.NoSupportedIDP;
+                case SamlResponseStatus.PartialLogout: return Saml2pConstants.Statuses.PartialLogout;
+                case SamlResponseStatus.ProxyCountExceeded: return Saml2pConstants.Statuses.ProxyCountExceeded;
+                case SamlResponseStatus.RequestDenied: return Saml2pConstants.Statuses.RequestDenied;
+                case SamlResponseStatus.RequestUnsupported: return Saml2pConstants.Statuses.RequestUnsupported;
+                case SamlResponseStatus.RequestVersionDeprecated: return Saml2pConstants.Statuses.RequestVersionDeprecated;
+                case SamlResponseStatus.RequestVersionTooHigh: return Saml2pConstants.Statuses.RequestVersionTooHigh;
+                case SamlResponseStatus.RequestVersionTooLow: return Saml2pConstants.Statuses.RequestVersionTooLow;
+                case SamlResponseStatus.ResourceNotRecognized: return Saml2pConstants.Statuses.ResourceNotRecognized;
+                case SamlResponseStatus.TooManyResponses: return Saml2pConstants.Statuses.TooManyResponses;
+                case SamlResponseStatus.UnknownAttrProfile: return Saml2pConstants.Statuses.UnknownAttrProfile;
+                case SamlResponseStatus.UnknownPrincipal: return Saml2pConstants.Statuses.UnknownPrincipal;
+                case SamlResponseStatus.UnsupportedBinding: return Saml2pConstants.Statuses.UnsupportedBinding;
+            }
+            throw new ArgumentException($"Unknown status: {status}");
+        }
 
-        //}
+        public static string ToStatusString(this SamlResponseStatus status)
+        {
+            switch (status)
+            {
+                case SamlResponseStatus.Success: return Saml2pConstants.Statuses.SuccessString;
+                case SamlResponseStatus.Requester: return Saml2pConstants.Statuses.RequesterString;
+                case SamlResponseStatus.Responder: return Saml2pConstants.Statuses.ResponderString;
+                case SamlResponseStatus.AuthnFailed: return Saml2pConstants.Statuses.AuthnFailedString;
+                case SamlResponseStatus.VersionMismatch: return Saml2pConstants.Statuses.VersionMismatchString;
+                case SamlResponseStatus.InvalidAttrNameOrValue: return Saml2pConstants.Statuses.InvalidAttrNameOrValueString;
+                case SamlResponseStatus.InvalidNameIDPolicy: return Saml2pConstants.Statuses.InvalidNameIDPolicyString;
+                case SamlResponseStatus.NoAuthnContext: return Saml2pConstants.Statuses.NoAuthnContextString;
+                case SamlResponseStatus.NoAvailableIDP: return Saml2pConstants.Statuses.NoAvailableIDPString;
+                case SamlResponseStatus.NoPassive: return Saml2pConstants.Statuses.NoPassiveString;
+                case SamlResponseStatus.NoSupportedIDP: return Saml2pConstants.Statuses.NoSupportedIDPString;
+                case SamlResponseStatus.PartialLogout: return Saml2pConstants.Statuses.PartialLogoutString;
+                case SamlResponseStatus.ProxyCountExceeded: return Saml2pConstants.Statuses.ProxyCountExceededString;
+                case SamlResponseStatus.RequestDenied: return Saml2pConstants.Statuses.RequestDeniedString;
+                case SamlResponseStatus.RequestUnsupported: return Saml2pConstants.Statuses.RequestUnsupportedString;
+                case SamlResponseStatus.RequestVersionDeprecated: return Saml2pConstants.Statuses.RequestVersionDeprecatedString;
+                case SamlResponseStatus.RequestVersionTooHigh: return Saml2pConstants.Statuses.RequestVersionTooHighString;
+                case SamlResponseStatus.RequestVersionTooLow: return Saml2pConstants.Statuses.RequestVersionTooLowString;
+                case SamlResponseStatus.ResourceNotRecognized: return Saml2pConstants.Statuses.ResourceNotRecognizedString;
+                case SamlResponseStatus.TooManyResponses: return Saml2pConstants.Statuses.TooManyResponsesString;
+                case SamlResponseStatus.UnknownAttrProfile: return Saml2pConstants.Statuses.UnknownAttrProfileString;
+                case SamlResponseStatus.UnknownPrincipal: return Saml2pConstants.Statuses.UnknownPrincipalString;
+                case SamlResponseStatus.UnsupportedBinding: return Saml2pConstants.Statuses.UnsupportedBindingString;
+            }
+            throw new ArgumentException($"Unknown status: {status}");
+        }
     }
 }
@@ -43,7 +43,8 @@ public async Task<AuthnRequest> CreateAuthnRequestAsync(HttpContext context, ISa
             var request = new AuthnRequest
             {
                 Id = $"_{Guid.NewGuid()}",
-                ProviderName = idp.Id,
+                // TODO: have some sort of providername default
+                ProviderName = idp.ExpectedIssuer ?? _options.DefaultIssuer,
                 AssertionConsumerServiceUrl = GetAcsUrl(context.Request),
                 IssueInstant = _systemClock.UtcNow.UtcDateTime,
                 Issuer = idp.ExpectedIssuer ?? _options.DefaultIssuer,
 
@@ -22,11 +22,14 @@ public SamlResponseFactory(IOptions<Saml2pOptions> options)
         public SamlResponse Create(ISaml2pServiceProvider partner, string authnRequestId = null, string relayState = null, SamlResponseStatus status = SamlResponseStatus.Success, SamlResponseStatus? subStatus = null, Saml2SecurityToken token = null)
         {
             var destination = new Uri(partner.BaseUrl, partner.AssertionConsumerServiceEndpoint);
-            if (authnRequestId != null)
-                token.SetRecipient(destination, authnRequestId);
-            else
-                token.SetRecipient(destination);
-            token.SetNotOnOrAfter();
+            if (token != null)
+            {
+                if (authnRequestId != null)
+                    token.SetRecipient(destination, authnRequestId);
+                else
+                    token.SetRecipient(destination);
+                token.SetNotOnOrAfter();
+            }
 
             var response = new SamlResponse
             {
@@ -53,40 +56,20 @@ private Status Convert(SamlResponseStatus status, SamlResponseStatus? subStatus)
                 }
             };
 
+            var sub = Convert(subStatus);
+            if (sub != null)
+                converted.StatusCode.SubCode = new StatusCode
+                {
+                    Value = sub
+                };
+
             return converted;
         }
 
         private Uri Convert(SamlResponseStatus? status)
-        { 
-            switch(status)
-            {
-                case SamlResponseStatus.Success: return Saml2pConstants.Statuses.Success;
-                case SamlResponseStatus.AuthnFailed: return Saml2pConstants.Statuses.AuthnFailed;
-            }
+        {
+            if (status.HasValue) return status.Value.ToStatusUri();
             return null;
-            //"urn:oasis:names:tc:SAML:2.0:status:Success"
-            //"urn:oasis:names:tc:SAML:2.0:status:Requester"
-            //"urn:oasis:names:tc:SAML:2.0:status:Responder"
-            //"urn:oasis:names:tc:SAML:2.0:status:VersionMismatch"
-            //"urn:oasis:names:tc:SAML:2.0:status:AuthnFailed"
-            //"urn:oasis:names:tc:SAML:2.0:status:InvalidAttrNameOrValue"
-            //"urn:oasis:names:tc:SAML:2.0:status:InvalidNameIDPolicy"
-            //"urn:oasis:names:tc:SAML:2.0:status:NoAuthnContext"
-            //"urn:oasis:names:tc:SAML:2.0:status:NoAvailableIDP"
-            //"urn:oasis:names:tc:SAML:2.0:status:NoPassive"
-            //"urn:oasis:names:tc:SAML:2.0:status:NoSupportedIDP"
-            //"urn:oasis:names:tc:SAML:2.0:status:PartialLogout"
-            //"urn:oasis:names:tc:SAML:2.0:status:ProxyCountExceeded"
-            //"urn:oasis:names:tc:SAML:2.0:status:RequestDenied"
-            //"urn:oasis:names:tc:SAML:2.0:status:RequestUnsupported"
-            //"urn:oasis:names:tc:SAML:2.0:status:RequestVersionDeprecated"
-            //"urn:oasis:names:tc:SAML:2.0:status:RequestVersionTooHigh"
-            //"urn:oasis:names:tc:SAML:2.0:status:RequestVersionTooLow"
-            //"urn:oasis:names:tc:SAML:2.0:status:ResourceNotRecognized"
-            //"urn:oasis:names:tc:SAML:2.0:status:TooManyResponses"
-            //"urn:oasis:names:tc:SAML:2.0:status:UnknownAttrProfile"
-            //"urn:oasis:names:tc:SAML:2.0:status:UnknownPrincipal"
-            //"urn:oasis:names:tc:SAML:2.0:status:UnsupportedBinding"
         }
     }
 }
@@ -15,6 +15,8 @@
 using Solid.Identity.Protocols.Saml2p.Models.Context;
 using Solid.Identity.Protocols.Saml2p.Providers;
 using Solid.Identity.Protocols.Saml2p.Services;
+using Solid.Identity.Protocols.Saml2p.Models;
+using Microsoft.IdentityModel.Tokens.Saml2;
 
 namespace Solid.Identity.Protocols.Saml2p.Middleware.Idp
 {
@@ -41,33 +43,81 @@ public override async Task InvokeAsync(HttpContext context)
 
             Logger.LogInformation("Accepting SAML2P authentication (IDP flow).");
             Trace($"Received SAMLRequest using {binding} binding.", request);
-            var partnerId = request.Issuer;
-            var partner = await Partners.GetServiceProviderAsync(partnerId);
+            var partner = await Partners.GetServiceProviderAsync(request.Issuer);
 
             if (partner == null)
-                throw new SecurityException($"Partner '{partnerId}' not found.");
+                throw new SecurityException($"Partner '{request.Issuer}' not found.");
 
-            if (!partner.Enabled)
-                throw new SecurityException($"Partner '{partnerId}' is disabled.");
+            //if (!partner.Enabled)
+            //    throw new SecurityException($"Partner '{partnerId}' is disabled.");
 
-            if (!partner.CanInitiateSso)
-                throw new SecurityException($"Partner '{partnerId}' is not allowed to initiate SSO.");
+            //if (!partner.CanInitiateSso)
+            //    throw new SecurityException($"Partner '{partnerId}' is not allowed to initiate SSO.");
 
             await Cache.CacheRequestAsync(request.Id, request);
             var ssoContext = new AcceptSsoContext
             {
-                PartnerId = partner.Id,
+                PartnerId = request.Issuer,
                 Partner = partner,
                 Request = request,
                 ReturnUrl = GenerateReturnUrl(context, request.Id)
             };
 
             await Events.InvokeAsync(Options, partner, e => e.OnAcceptSso(context.RequestServices, ssoContext));
-
-            if(ssoContext.AuthenticationScheme != null)
+            
+            if (!IsValid(ssoContext, out var status, out var subStatus) && status.HasValue)
+            {
+                await Cache.CacheStatusAsync(request.Id, status.Value, subStatus);
+                context.Response.Redirect(ssoContext.ReturnUrl);
+            }
+            else if (ssoContext.AuthenticationScheme != null)
                 await ChallengeAsync(context, request, ssoContext.ReturnUrl, ssoContext.AuthenticationScheme);
             else
                 await ChallengeAsync(context, request, ssoContext.ReturnUrl);
         }
+
+        // TODO: extract this to a validator class and test it
+        private bool IsValid(AcceptSsoContext context, out SamlResponseStatus? status, out SamlResponseStatus? subStatus)
+        {
+            if(context.Request.Version != Saml2Constants.Version)
+            {
+                status = SamlResponseStatus.VersionMismatch;
+                subStatus = null;
+                return false;
+            }
+
+            if (!string.IsNullOrEmpty(context.Request.ProtocolBinding) && 
+                Options.SupportedBindings.Select(b => b.ToProtocolBindingString()).Any(b => b == context.Request.ProtocolBinding))
+            {
+                status = SamlResponseStatus.Requester;
+                subStatus = SamlResponseStatus.UnsupportedBinding;
+                return false;
+            }
+
+            if (context.Partner == null)
+            {
+                status = SamlResponseStatus.Requester;
+                subStatus = SamlResponseStatus.RequestDenied;
+                return false;
+            }
+
+            if (!context.Partner.Enabled || !context.Partner.CanInitiateSso)
+            {
+                status = SamlResponseStatus.Requester;
+                subStatus = SamlResponseStatus.RequestDenied;
+                return false;
+            }
+
+            if (!context.Partner.SupportedBindings.Any())
+            {
+                status = SamlResponseStatus.Responder;
+                subStatus = SamlResponseStatus.UnsupportedBinding;
+                return false;
+            }
+
+            status = null;
+            subStatus = null;
+            return true;
+        }
     }
 }
Original file line number	Diff line number	Diff line change
`@@ -53,6 +53,8 @@ public void ConfigureServices(IServiceCollection services)`
`53`	`53`
`54`	`54`	`sp.SupportedBindings.Clear();`
`55`	`55`	`sp.SupportedBindings.Add(BindingType.Post);`
	`56`	`+`
	`57`	`+ sp.Enabled = false;`
`56`	`58`	`});`
`57`	`59`	`})`
`58`	`60`	`;`
Original file line number	Diff line number	Diff line change
`@@ -43,6 +43,8 @@ protected override async Task<HandleRequestResult> HandleRemoteAuthenticateAsync`
`43`	`43`	`try`
`44`	`44`	`{`
`45`	`45`	`var result = await Context.FinishSsoAsync();`
	`46`	`+ if(!result.IsSuccessful)`
	`47`	`+`
`46`	`48`	`var properties = new AuthenticationProperties`
`47`	`49`	`{`
`48`	`50`	`IssuedUtc = result.SecurityToken.ValidFrom,`