Throw on saml response from wrong idp.

- Added new exception class Saml2ResponseFailedValidationException.

Kentor.AuthServices.Tests/Kentor.AuthServices.Tests.csproj

@@ -113,6 +113,7 @@
     <Compile Include="Mvc\AuthServicesControllerTests.cs" />
     <Compile Include="ClaimsAuthenticationManagerStub.cs" />
     <Compile Include="ExceptionTestHelpers.cs" />
+    <Compile Include="Saml2ResponseFailedValidationExceptionTests.cs" />
     <Compile Include="WebSSO\MetadataCommandTests.cs" />
     <Compile Include="ExtendedMetadataSerializerTests.cs" />
     <Compile Include="Metadata\MetadataServer.cs" />

Kentor.AuthServices.Tests/Saml2P/Saml2ResponseTests.cs

@@ -907,7 +907,7 @@ public void Saml2Response_Validate_FalseOnReplayedInResponseTo()
         }
 
         [TestMethod]
-        public void Saml2Response_Validate_FalseOnReplyFromWrongIdp()
+        public void Saml2Response_Validate_ThrowsOnResponseFromWrongIdp()
         {
             // A valid response is received, but it is not from the idp that we
             // did send the AuthnRequest to.
@@ -918,9 +918,10 @@ public void Saml2Response_Validate_FalseOnReplyFromWrongIdp()
             var responseXML =
             @"<?xml version=""1.0"" encoding=""UTF-8""?>
             <saml2p:Response xmlns:saml2p=""urn:oasis:names:tc:SAML:2.0:protocol""
+            xmlns:saml2=""urn:oasis:names:tc:SAML:2.0:assertion""
             ID = ""Saml2Response_Validate_TrueOnCorrectInResponseTo"" Version=""2.0"" IssueInstant=""2013-01-01T00:00:00Z""
             InResponseTo = """ + request.Id + @""">
-                <saml2p:Issuer>https://idp.anotheridp.com</saml2p:Issuer>
+                <saml2:Issuer>https://idp.anotheridp.com</saml2:Issuer>
                 <saml2p:Status>
                     <saml2p:StatusCode Value=""urn:oasis:names:tc:SAML:2.0:status:Requester"" />
                 </saml2p:Status>
@@ -930,7 +931,10 @@ public void Saml2Response_Validate_FalseOnReplyFromWrongIdp()
 
             var response = Saml2Response.Read(responseXML);
 
-            response.Validate(Options.FromConfiguration).Should().BeFalse();
+            Action a = () => response.Validate(Options.FromConfiguration);
+
+            a.ShouldThrow<Saml2ResponseFailedValidationException>().And
+                .Message.Should().Be("Expected response from idp \"https://idp.example.com\" but received response from idp \"https://idp.anotheridp.com\".");
         }
 
         [TestMethod]

Kentor.AuthServices.Tests/Saml2ResponseFailedValidationExceptionTests.cs

@@ -0,0 +1,31 @@
+using System;
+using Microsoft.VisualStudio.TestTools.UnitTesting;
+using FluentAssertions;
+
+namespace Kentor.AuthServices.Tests
+{
+    [TestClass]
+    public class Saml2ResponseFailedValidationExceptionTests
+    {
+        [TestMethod]
+        public void Saml2ResponseFailedValidationExecption_DefaultCtor()
+        {
+            ExceptionTestHelpers.TestDefaultCtor<Saml2ResponseFailedValidationException>();
+        }
+
+        [TestMethod]
+        public void Saml2ResponseFailedValidationExecption_SerializationCtor()
+        {
+            ExceptionTestHelpers.TestSerializationCtor<Saml2ResponseFailedValidationException>();
+        }
+
+        [TestMethod]
+        public void Saml2ResponseFailedValidationExecption_StringCtor()
+        {
+            var msg = "Message!";
+            var subject = new Saml2ResponseFailedValidationException(msg);
+
+            subject.Message.Should().Be(msg);
+        }
+    }
+}

Kentor.AuthServices/Kentor.AuthServices.csproj

@@ -54,6 +54,7 @@
       <Link>VersionInfo.cs</Link>
     </Compile>
     <Compile Include="Metadata\KeyInfoSerializer.cs" />
+    <Compile Include="Saml2ResponseFailedValidationException.cs" />
     <Compile Include="WebSso\AcsCommand.cs" />
     <Compile Include="Metadata\AttributeConsumingService.cs" />
     <Compile Include="Configuration\RequestedAttributeElement.cs" />

Kentor.AuthServices/SAML2P/Saml2Response.cs

@@ -303,7 +303,10 @@ private bool ValidateInResponseTo(IOptions options)
                 RequestState = storedRequestState;
                 if (RequestState.Idp.Id != Issuer.Id)
                 {
-                    return false;
+                    var msg = string.Format(CultureInfo.InvariantCulture,
+                        "Expected response from idp \"{0}\" but received response from idp \"{1}\".",
+                        RequestState.Idp.Id, issuer.Id);
+                    throw new Saml2ResponseFailedValidationException(msg);
                 }
                 return true;
             }

Kentor.AuthServices/Saml2ResponseFailedValidationException.cs

@@ -0,0 +1,47 @@
+using System;
+using System.Collections.Generic;
+using System.Linq;
+using System.Runtime.Serialization;
+using System.Text;
+using System.Threading.Tasks;
+
+namespace Kentor.AuthServices
+{
+    /// <summary>
+    /// A SAML2 Response failed validation.
+    /// </summary>
+    [Serializable]
+    public class Saml2ResponseFailedValidationException : AuthServicesException
+    {
+        /// <summary>
+        /// Ctor
+        /// </summary>
+        public Saml2ResponseFailedValidationException()
+        { }
+
+        /// <summary>
+        /// Ctor
+        /// </summary>
+        /// <param name="message">Message of the exception.</param>
+        public Saml2ResponseFailedValidationException(string message) : base(message)
+        { }
+
+        /// <summary>
+        /// Ctor
+        /// </summary>
+        /// <param name="message">Message of the exception.</param>
+        /// <param name="innerException">Inner exception.</param>
+        public Saml2ResponseFailedValidationException(string message, Exception innerException)
+            : base(message, innerException)
+        { }
+
+        /// <summary>
+        /// Serialization Ctor
+        /// </summary>
+        /// <param name="info">Serialization info</param>
+        /// <param name="context">Serialization context</param>
+        protected Saml2ResponseFailedValidationException(SerializationInfo info, StreamingContext context)
+            : base(info, context)
+        { }
+    }
+}