Summary: We need a SAML 1.1 “Consumer” application written for ASP (Classic) in VBScript. This application will process a standard SAML 1.1 Assertion element. This is essentially a port of our existing C# implementation. (Note: this request is for only a subset/portion of the SAML 1.1 standard. See the included C# sample for details.)
## Deliverables
The application must:
- Be written in ASP (Classic) compatible VBScript
- Duplicate the functionality of the included C# code sample
- Make use of only well-known protocols and document formats (e.g., XML, UTF-8, HTTP and URL encoding, etc.)
- Be ***stateless***
- Run under IIS as a virtual directory / virtual application:
  - IIS 5
  - IIS 6
  - IIS 7
- Run on Windows:
  - Windows 98 (latest service pack)
  - Windows Server 2003 (latest service pack)
- Be completely self-contained, i.e., it must:
  - Function entirely as a server-side application
  - Not rely on or make use of any browser-based technologies other than the standard HTTP protocol
  - Be capable of running independently of other co-located web applications
  - References to external libraries may be appropriate, as long as each library is either
    - Present on all Windows OS machines, OR
    - Can be acquired and installed on any Windows OS machine
- Receive a standard, well-formed, cryptographically signed SAML 1.1 Assertion envelope as an HTTP POST
- Verify that the Assertion envelope is well-formed and complete (as per the SAML 1.1 spec, hyperlinked below)
- Validate the following Conditions element attributes to ensure the Assertion falls within the specified time range
  - NotBefore
  - NotOnOrAfter
- Verify that the Responder correctly cryptographically signed the assertion payload (“saml:Assertion” node). In doing this, the component must:
  - Use a crypto library that is compatible with the .Net Framework’s X509Certificates library ([login to view URL])
  - Provide a way to load the appropriate public key (as an XML text file, or some other universal format) for validation
  - (Validating the root chain of the signing certificate is ***not*** required)
- Extract, and display in the browser window, the following ***required*** Assertion details:
  - The NameID or NameIdentifier value - as a string
  - The following Conditions attributes
    - NotBefore - as a DateTime or equivalent value
    - NotOnOrAfter - as a DateTime or equivalent value
  - Whether or not the Assertion envelope is correctly signed (as a Boolean value)
  - One of the following:
    - The text of the entire Assertion envelope, OR
    - A message explaining the likely reason that the Assertion text could not be displayed
  - (Other functionality as appropriate - optional)
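
The NotBefore / NotOnOrAfter requirement above, as an added example in Classic ASP VBScript (not the C# sample or any code from this posting): the check fails closed when Conditions or either attribute is missing or malformed. The function names, the MSXML 3.0 ProgID, the root-level `saml:Assertion` input and the caller-supplied UTC clock value `nowUtc` are assumptions, and the result is only meaningful for an Assertion whose signature has already been verified.

```vbscript
Option Explicit

' Parse a UTC xsd:dateTime (e.g. 2024-01-01T12:00:00Z, optional fractional
' seconds) into a Date. Returns Null for anything else so callers fail closed.
Function ParseUtcDateTime(s)
    Dim re, m, d
    ParseUtcDateTime = Null
    If IsNull(s) Then Exit Function          ' getAttribute gives Null if absent
    Set re = New RegExp
    re.Pattern = "^(\d{4})-(\d{2})-(\d{2})T(\d{2}):(\d{2}):(\d{2})(\.\d+)?Z$"
    If Not re.Test(s) Then Exit Function     ' local times and offsets rejected
    Set m = re.Execute(s)(0).SubMatches
    If CInt(m(3)) > 23 Or CInt(m(4)) > 59 Or CInt(m(5)) > 59 Then Exit Function
    d = DateSerial(CInt(m(0)), CInt(m(1)), CInt(m(2)))
    ' DateSerial silently rolls over values such as month 13 or year 0050.
    If Year(d) <> CInt(m(0)) Or Month(d) <> CInt(m(1)) Or Day(d) <> CInt(m(2)) Then Exit Function
    ParseUtcDateTime = d + TimeSerial(CInt(m(3)), CInt(m(4)), CInt(m(5)))
End Function

' True only when the Assertion has exactly one saml:Conditions element, both
' attributes parse, and NotBefore <= nowUtc < NotOnOrAfter. nowUtc must be a
' UTC Date supplied by the caller (VBScript's Now() is server-local time).
' On failure, reason holds the message to display.
Function ConditionsWindowIsValid(assertionXml, nowUtc, ByRef reason)
    Dim doc, cond, nb, noa
    ConditionsWindowIsValid = False
    Set doc = CreateObject("MSXML2.DOMDocument.3.0")   ' assumed MSXML version
    doc.async = False
    doc.resolveExternals = False             ' never fetch external DTDs/entities
    doc.validateOnParse = False
    reason = "Assertion is not well-formed XML"
    If Not doc.loadXML(assertionXml) Then Exit Function
    doc.setProperty "SelectionLanguage", "XPath"
    doc.setProperty "SelectionNamespaces", "xmlns:saml='urn:oasis:names:tc:SAML:1.0:assertion'"
    Set cond = doc.selectNodes("/saml:Assertion/saml:Conditions")
    reason = "Expected exactly one saml:Conditions element"
    If cond.length <> 1 Then Exit Function
    nb = ParseUtcDateTime(cond.item(0).getAttribute("NotBefore"))
    noa = ParseUtcDateTime(cond.item(0).getAttribute("NotOnOrAfter"))
    reason = "NotBefore or NotOnOrAfter is missing or not a UTC dateTime"
    If IsNull(nb) Or IsNull(noa) Then Exit Function
    reason = "Assertion is not yet valid"
    If nowUtc < nb Then Exit Function
    reason = "Assertion has expired"
    If nowUtc >= noa Then Exit Function
    reason = ""
    ConditionsWindowIsValid = True
End Function
```
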
It is the developer’s responsibility to:
- Research and recommend any external or 3rd-party libraries (e.g., ASP X509 cryptographic libraries), and either
  - Provide those libraries, and a redistributable license to us, OR
  - Include enough information for us to acquire a redistributable license for the libraries ourselves
- Ensure compatibility with the SAML 1.1 standard
- Ensure compatibility with the X509 cryptographic standard
- Provide a ***working prototype or example*** of the solution, complete with:
  - All source code and miscellaneous development files
  - Functional documentation
  - Implementation / API documentation (i.e., “developer’s docs”)
  - Setup and troubleshooting documentation (i.e., “Ops docs”)

Note that an example of our current SAML Assertion envelope will be provided to the winner of this bid once we have a standard non-disclosure agreement in place.
The core SAML 1.1 standard:
<[login to view URL]>
An overview of the SAML 1.1 standard:
<[login to view URL]>