Sorry if this forum is devoted to a different kind of security, and SAML questions aren't welcome here. Please point me in the right direction if so.
We need to POST a SAML20 request to a business partner. Our user wants to use one of their resources. We are the Identity Provider. Our user has not yet visited their site. She is still on our website. We are sending her over to them.
We are not trying to set up any complicated federation scenario. Just trying to post a signed SAML assertion to the business partner's URL.
I have created a SamlAssertion with subject, issuer, some attributes, and have also got our x509 certificate and have created an X509Certificate2 object, in order to set the SamlAssertion's SigningCredentials property:
Dim cert As X509Certificate2 = GetCertificate() ' function returns the certificate
Dim signingKey As X509AsymmetricSecurityKey = New X509AsymmetricSecurityKey(cert)
mySamlAssertion.SigningCredentials = New SigningCredentials(signingKey, SecurityAlgorithms.RsaSha1Signature, _
    SecurityAlgorithms.Sha1Digest, New SecurityKeyIdentifier(New X509ThumbprintKeyIdentifierClause(cert)))
But when I serialize the assertion using its WriteXml method:
Dim mySamlAssertSerializer As SamlSerializer = New SamlSerializer()
Dim mySecureTokenSerializer As WSSecurityTokenSerializer = New WSSecurityTokenSerializer()
mySamlAssertion.WriteXml(myXmlDictionaryWriter, mySamlAssertSerializer, mySecureTokenSerializer)
the output is the XML for a well-formed assertion but it has not been signed. I've wrapped the WriteXml call in a try / catch block but there aren't any exceptions being raised.
How does the SamlAssertion get signed? What step(s) am I missing?
Thanks
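A check worth running on the serialized output before posting it anywhere, added here as an example and not part of the original post: it reports whether the assertion XML carries a ds:Signature at all, and if so whether that enveloped signature verifies against the signing certificate. It assumes the serialized assertion is available as a string and the same X509Certificate2 is at hand; the SamlSignedXml class and CheckAssertionSignature function are names chosen for this example.

```vb
' Added example, not code from the original post.
' Assumes the serialized assertion XML (as a String) and the signing
' X509Certificate2 are available to the caller.
Imports System.Security.Cryptography.X509Certificates
Imports System.Security.Cryptography.Xml
Imports System.Xml

' SignedXml resolves Reference URIs ("#id") only against attributes named
' Id, id or ID. SAML 1.1 assertions use AssertionID and SAML 2.0 uses ID,
' so the lookup is extended to those attribute names as well.
Public Class SamlSignedXml
    Inherits SignedXml

    Public Sub New(doc As XmlDocument)
        MyBase.New(doc)
    End Sub

    Public Overrides Function GetIdElement(document As XmlDocument, idValue As String) As XmlElement
        Dim found As XmlElement = MyBase.GetIdElement(document, idValue)
        If found IsNot Nothing Then Return found
        For Each attrName As String In New String() {"AssertionID", "ID"}
            Dim node As XmlNode = document.SelectSingleNode("//*[@" & attrName & "='" & idValue & "']")
            If TypeOf node Is XmlElement Then Return DirectCast(node, XmlElement)
        Next
        Return Nothing
    End Function
End Class

Public Module AssertionSignatureCheck
    ' Returns Nothing when the XML contains no ds:Signature element,
    ' True when a signature is present and verifies against cert,
    ' False when a signature is present but does not verify.
    Public Function CheckAssertionSignature(assertionXml As String, cert As X509Certificate2) As Nullable(Of Boolean)
        Dim doc As New XmlDocument()
        doc.PreserveWhitespace = True   ' re-indenting the XML would change the digest
        doc.LoadXml(assertionXml)

        Dim ns As New XmlNamespaceManager(doc.NameTable)
        ns.AddNamespace("ds", SignedXml.XmlDsigNamespaceUrl)
        Dim sigNode As XmlNode = doc.SelectSingleNode("//ds:Signature", ns)
        If sigNode Is Nothing Then Return Nothing   ' serializer wrote no signature at all

        Dim signed As New SamlSignedXml(doc)
        signed.LoadXml(DirectCast(sigNode, XmlElement))
        ' verifySignatureOnly:=True checks the XML signature itself;
        ' certificate chain and trust are a separate decision.
        Return signed.CheckSignature(cert, True)
    End Function
End Module
```

A Nothing result reproduces the symptom described in the post (well-formed XML, no signature), while False points at a signature that was written but no longer verifies, for example because the XML was reformatted after signing.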