
I am currently using ADFS login and I get a response from the ADFS server, but I can't extract any information from the SAML response. What can I do to get the information, and is the response itself correct?

  <samlp:Response Consent="urn:oasis:names:tc:SAML:2.0:consent:unspecified"
    Destination="https://demo.apps.com/adfsauthlogin/login"
    ID="_cbb5174b-36b4-4e75-9d8a-7f2d47ccb9bc" IssueInstant="2018-01-08T06:09:16.122Z" Version="2.0"
    xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
    <Issuer xmlns="urn:oasis:names:tc:SAML:2.0:assertion">http://adfs.Sample.com/adfs/services/trust</Issuer>
    <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
    <EncryptedAssertion xmlns="urn:oasis:names:tc:SAML:2.0:assertion">
        <xenc:EncryptedData Type="http://www.w3.org/2001/04/xmlenc#Element"
            xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"><xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes256-cbc"/>
            <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
                <e:EncryptedKey xmlns:e="http://www.w3.org/2001/04/xmlenc#">
                    <e:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p"><DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/></e:EncryptionMethod>
                    <KeyInfo>
                        <ds:X509Data xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
                            <ds:X509IssuerSerial>
                                <ds:X509IssuerName>CN=ADFS Encryption - demo.apps.com</ds:X509IssuerName>
                                <ds:X509SerialNumber>33157209971584938906555805034885884694</ds:X509SerialNumber>
                            </ds:X509IssuerSerial>
                        </ds:X509Data>
                    </KeyInfo>
                    <e:CipherData>
                        <e:CipherValue> ==- Value -== </e:CipherValue>
                    </e:CipherData>
                </e:EncryptedKey>
            </KeyInfo>
            <xenc:CipherData>
                <xenc:CipherValue> ==- Value -== </xenc:CipherValue>
            </xenc:CipherData>
        </xenc:EncryptedData>
    </EncryptedAssertion>
</samlp:Response>
  • You have a response from AD FS and it is successful based on the status code; otherwise it would say urn:oasis:names:tc:SAML:2.0:status:Responder. The token is encrypted, which is why you cannot see the claims in clear text. You need to decrypt it to view the claims. Based on the KeyInfo, you should use the "CN=ADFS Encryption - demo.apps.com" certificate to decrypt. Alternatively, you can configure AD FS not to encrypt assertions for this app, which means you will get the claims in clear text. Without details of the stack you use to develop the app and the relevant code extracts, it is not possible to comment further. – maweeras Jan 08 '18 at 15:52



I was facing the same issue today and I found the solution to my problem in this thread: How to Decrypt EncryptedAssertion using System.Cryptography

I did a little tweaking to make it work for the ADFS SAMLResponse. Here is my solution:

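/// <summary>
/// Decrypts, in place, every EncryptedAssertion / EncryptedData element of the SAML response held in
/// <paramref name="xmlDocument"/>, using the private key of <paramref name="cert"/> to unwrap the
/// EncryptedKey. Only decryption happens here: the signature, Issuer, Audience and validity window of the
/// resulting Assertion are not checked by this method and must be validated afterwards.
/// </summary>
/// <param name="xmlDocument">The parsed samlp:Response; it is modified in place.</param>
/// <param name="cert">Certificate whose RSA private key decrypts the EncryptedKey.</param>
/// <exception cref="ArgumentNullException">Either argument is null.</exception>
/// <exception cref="CryptographicException">
/// An EncryptedAssertion has no EncryptedData child, an EncryptedData has no EncryptionMethod,
/// or no symmetric key could be derived for an EncryptedData element.
/// </exception>
private void DecryptSamlAssertion(XmlDocument xmlDocument, X509Certificate2 cert)
    {
        if (xmlDocument == null)
            throw new ArgumentNullException(nameof(xmlDocument));
        if (cert == null)
            throw new ArgumentNullException(nameof(cert));

        const string SamlAssertionNs = "urn:oasis:names:tc:SAML:2.0:assertion";
        EncryptedXmlWithPreconfiguredAsymmetricKey encXml = new EncryptedXmlWithPreconfiguredAsymmetricKey(xmlDocument, cert);

        // Look elements up by local name + namespace URI. The prefixes ("xenc:", "e:", or none) are chosen by the
        // IdP and may differ between deployments, whereas the namespace URIs are fixed by the SAML / XML-Encryption specs.
        XmlNodeList encryptedAssertions = xmlDocument.GetElementsByTagName("EncryptedAssertion", SamlAssertionNs);
        while (encryptedAssertions.Count > 0)
        {
            XmlNode encryptedAssertion = encryptedAssertions[0];

            // Pick the EncryptedData child explicitly instead of FirstChild, so a whitespace text node
            // (present when PreserveWhitespace is on) is never promoted into the Response.
            XmlElement encryptedDataChild = null;
            foreach (XmlNode child in encryptedAssertion.ChildNodes)
            {
                if (child.NodeType == XmlNodeType.Element
                    && child.LocalName == "EncryptedData"
                    && child.NamespaceURI == EncryptedXml.XmlEncNamespaceUrl)
                {
                    encryptedDataChild = (XmlElement)child;
                    break;
                }
            }
            if (encryptedDataChild == null)
                throw new CryptographicException("EncryptedAssertion does not contain an EncryptedData element.");

            // Unwrap: the EncryptedData takes the place of the EncryptedAssertion wrapper. The live node list
            // shrinks as wrappers are removed, which is what terminates the loop.
            encryptedAssertion.ParentNode.ReplaceChild(encryptedDataChild, encryptedAssertion);
        }

        // Decrypt every EncryptedData left in the document; the decrypted content may itself contain further
        // EncryptedData (e.g. EncryptedAttribute / EncryptedID), which is why the lookup is repeated each round.
        while (true)
        {
            XmlNodeList pending = xmlDocument.GetElementsByTagName("EncryptedData", EncryptedXml.XmlEncNamespaceUrl);
            if (pending.Count == 0)
                break;

            XmlElement encryptedDataElement = (XmlElement)pending[0];
            EncryptedData encryptedData = new EncryptedData();
            encryptedData.LoadXml(encryptedDataElement);
            if (encryptedData.EncryptionMethod == null)
                throw new CryptographicException("EncryptedData has no EncryptionMethod; the symmetric cipher cannot be determined.");

            string symmetricAlgorithmUri = encryptedData.EncryptionMethod.KeyAlgorithm;
            // 'using' tolerates a null resource, so the explicit check below is reached before any member access.
            using (SymmetricAlgorithm symmKey = encXml.GetDecryptionKey(encryptedData, symmetricAlgorithmUri))
            {
                if (symmKey == null)
                    throw new CryptographicException("No decryption key could be derived for an EncryptedData element.");

                symmKey.IV = encXml.GetDecryptionIV(encryptedData, symmetricAlgorithmUri);
                symmKey.Padding = encXml.Padding;
                symmKey.Mode = encXml.Mode;

                byte[] decryptedData = encXml.DecryptData(encryptedData, symmKey);
                encXml.ReplaceData(encryptedDataElement, decryptedData);
            }
        }
    }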

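/// <summary>
/// An <see cref="EncryptedXml"/> that unwraps the EncryptedKey with one pre-selected certificate instead of
/// resolving the asymmetric key from the KeyInfo in the document. The X509IssuerSerial / KeyName hints that the
/// IdP places in the KeyInfo are deliberately ignored; only the EncryptedKey clause is used.
/// </summary>
public class EncryptedXmlWithPreconfiguredAsymmetricKey : EncryptedXml
{
    // Kept public (not renamed) so existing callers that read it keep compiling; treat it as read-only.
    public readonly X509Certificate2 _encryptionCert;

    /// <summary>
    /// Creates a decryptor over <paramref name="xmlDoc"/> that uses the private key of
    /// <paramref name="encryptionCert"/> to unwrap symmetric keys.
    /// </summary>
    /// <param name="xmlDoc">Document the EncryptedData elements live in (passed to the base class).</param>
    /// <param name="encryptionCert">Certificate holding the RSA private key; must not be null.</param>
    /// <exception cref="ArgumentNullException"><paramref name="encryptionCert"/> is null.</exception>
    public EncryptedXmlWithPreconfiguredAsymmetricKey(XmlDocument xmlDoc, X509Certificate2 encryptionCert) : base(xmlDoc)
    {
        if (encryptionCert == null)
            throw new ArgumentNullException(nameof(encryptionCert));
        _encryptionCert = encryptionCert;
    }

    /// <summary>
    /// Unwraps the symmetric content key carried in the first KeyInfoEncryptedKey clause of
    /// <paramref name="encryptedData"/> with the configured certificate.
    /// </summary>
    /// <param name="encryptedData">The EncryptedData whose KeyInfo carries the EncryptedKey.</param>
    /// <param name="symmetricAlgorithmUri">
    /// XML-Encryption algorithm URI of the content cipher; when null it is taken from the EncryptionMethod of
    /// <paramref name="encryptedData"/>.
    /// </param>
    /// <returns>
    /// A <see cref="SymmetricAlgorithm"/> with <c>Key</c> set (the IV is not set here), or null when KeyInfo is
    /// null or carries no EncryptedKey clause.
    /// </returns>
    /// <exception cref="ArgumentNullException"><paramref name="encryptedData"/> is null.</exception>
    /// <exception cref="CryptographicException">
    /// No algorithm URI is available, the EncryptedKey has no CipherValue, the key transport is not RSA-OAEP,
    /// the certificate has no RSA private key, or the symmetric algorithm URI is unknown to CryptoConfig.
    /// </exception>
    public override SymmetricAlgorithm GetDecryptionKey(EncryptedData encryptedData, string symmetricAlgorithmUri)
    {
        if (encryptedData == null)
            throw new ArgumentNullException(nameof(encryptedData));

        if (encryptedData.KeyInfo == null)
            return null;

        // Only the EncryptedKey clause is of interest; KeyName / RetrievalMethod clauses are ignored because
        // the certificate is fixed up front.
        EncryptedKey ek = null;
        foreach (KeyInfoClause clause in encryptedData.KeyInfo)
        {
            KeyInfoEncryptedKey kiEncKey = clause as KeyInfoEncryptedKey;
            if (kiEncKey != null)
            {
                ek = kiEncKey.EncryptedKey;
                break;
            }
        }
        if (ek == null)
            return null;

        // If the caller did not supply the content-cipher URI, read it from the EncryptionMethod.
        if (symmetricAlgorithmUri == null)
        {
            if (encryptedData.EncryptionMethod == null)
                throw new CryptographicException("Cryptography_Xml_MissingAlgorithm");
            symmetricAlgorithmUri = encryptedData.EncryptionMethod.KeyAlgorithm;
        }

        byte[] wrappedKey = ek.CipherData == null ? null : ek.CipherData.CipherValue;
        if (wrappedKey == null)
            throw new CryptographicException("Cryptography_Xml_MissingDecryptionKey");

        // The key is always unwrapped with RSA-OAEP (as before). When the document states a different key
        // transport algorithm, reject it up front with a clear message instead of failing inside DecryptKey.
        if (ek.EncryptionMethod != null && ek.EncryptionMethod.KeyAlgorithm != EncryptedXml.XmlEncRSAOAEPUrl)
            throw new CryptographicException("Unsupported key transport algorithm: " + ek.EncryptionMethod.KeyAlgorithm);

        // GetRSAPrivateKey replaces the obsolete PrivateKey cast; the returned instance is ours to dispose.
        using (RSA rsaKey = _encryptionCert.GetRSAPrivateKey())
        {
            if (rsaKey == null)
                throw new CryptographicException("The configured certificate has no RSA private key.");

            byte[] symkey = DecryptKey(wrappedKey, rsaKey, true);

            SymmetricAlgorithm symAlg = CryptoConfig.CreateFromName(symmetricAlgorithmUri) as SymmetricAlgorithm;
            if (symAlg == null)
                throw new CryptographicException("Unknown symmetric algorithm: " + symmetricAlgorithmUri);
            symAlg.Key = symkey;
            return symAlg;
        }
    }
}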