public async Task<SignInResponseMessage> GenerateResponseAsync(SignInValidationResult validationResult)
{
Logger.Info("Creating WS-Federation signin response");
// create subject
var outgoingSubject = await CreateSubjectAsync(validationResult);
// create token for user
var token = CreateSecurityToken(validationResult, outgoingSubject);
// return response
var rstr = new RequestSecurityTokenResponse
{
AppliesTo = new EndpointReference(validationResult.RelyingParty.Realm),
Context = validationResult.SignInRequestMessage.Context,
ReplyTo = validationResult.ReplyUrl,
RequestedSecurityToken = new RequestedSecurityToken(token)
};
var serializer = new WSFederationSerializer(
new WSTrust13RequestSerializer(),
new WSTrust13ResponseSerializer());
var mgr = SecurityTokenHandlerCollectionManager.CreateEmptySecurityTokenHandlerCollectionManager();
mgr[SecurityTokenHandlerCollectionManager.Usage.Default] = CreateSupportedSecurityTokenHandler();
var responseMessage = new SignInResponseMessage(
new Uri(validationResult.ReplyUrl),
rstr,
serializer,
new WSTrustSerializationContext(mgr));
return responseMessage;
}
internal bool Logoff(string userName, string password, SecurityToken sessionToken)
{
using (WSTrustChannelFactory factory = GetTrustChannelFactory())
{
//// Set up credentials
if (factory.Credentials == null)
{
throw new Exception("Credentails are null");
}
factory.Credentials.UserName.UserName = userName;
factory.Credentials.UserName.Password = password;
factory.Credentials.SupportInteractive = false;
// Create a "request for token" SOAP message.
// We want the security server to Issue us with a token
RequestSecurityToken rst = new RequestSecurityToken(RequestTypes.Cancel);
// the token we want to cancel
rst.CancelTarget = new SecurityTokenElement(sessionToken);
// Create the communicaiton channel
IWSTrustChannelContract channel = factory.CreateChannel();
// Cancel token
// ReSharper disable once UnusedVariable
RequestSecurityTokenResponse response = channel.Cancel(rst);
return(response.RequestedTokenCancelled);
}
}
private SecurityToken GetActAsToken()
{
// Retrieve the token that was saved during initial user login
BootstrapContext bootstrapContext = ClaimsPrincipal.Current.Identities.First().BootstrapContext as BootstrapContext;
// Use the Thinktecture-implementation of the UserNameWSBinding to setup the channel factory to ADFS
var binding = new UserNameWSTrustBinding(SecurityMode.TransportWithMessageCredential);
var factory = new WSTrustChannelFactory(binding, new EndpointAddress("https://[ADFS]/adfs/services/trust/13/usernamemixed"));
// For demo purposes, we're authenticating to ADFS using a user name and password representing the web application
// If the web server is domain-joined, you can use Windows Authentication instead
factory.Credentials.UserName.UserName = "******";
factory.Credentials.UserName.Password = "******";
factory.TrustVersion = TrustVersion.WSTrust13;
// Setup the request details to ask for a token for the backend service, acting as the logged in user
var request = new RequestSecurityToken();
request.RequestType = Thinktecture.IdentityModel.Constants.WSTrust13Constants.RequestTypes.Issue;
request.AppliesTo = new EndpointReference("https://[BackendService]/Service.svc");
request.ActAs = new SecurityTokenElement(bootstrapContext.SecurityToken);
// Create the channel
var channel = factory.CreateChannel();
RequestSecurityTokenResponse response = null;
SecurityToken delegatedToken = channel.Issue(request, out response);
// Return the acquired token
return(delegatedToken);
}
protected virtual void OnLoggedIn(RequestSecurityTokenResponse requestSecurityTokenResponse)
{
if (requestSecurityTokenResponse == null)
{
Mvx.TaggedTrace(MvxTraceLevel.Error, "DefaultIdentityProviderCollectionViewModel", "Got an empty response from IdentityProvider");
if (LoginError != null)
{
LoginError(this, new LoginErrorEventArgs {
Message = "Got an empty response from IdentityProvider, try logging in again."
});
}
return;
}
var tokenStore = Mvx.Resolve <ISimpleWebTokenStore>();
var tokenFactory = Mvx.Resolve <ISimpleWebToken>();
var token = tokenFactory.CreateTokenFromRaw(requestSecurityTokenResponse.SecurityToken);
tokenStore.SimpleWebToken = token;
if (!CanGoBack)
{
ShowProgressAfterLogin = true;
}
RaisePropertyChanged(() => IsLoggedIn);
RaisePropertyChanged(() => LoggedInProvider);
if (tokenStore.IsValid() && CanGoBack)
{
NavigateBackCommand.Execute(null);
}
}
private void SignInWebBrowserControl_Navigating(object sender, NavigatingEventArgs e)
{
if (e.Uri == new Uri("https://break_here"))
{
e.Cancel = true;
var acsReply = this.BrowserSigninControl.SaveToString();
Regex tagRegex = CreateRegexForHtmlTag("BinarySecurityToken");
var acsBinaryToken = tagRegex.Match(acsReply).Groups[1].Value;
var acsTokenBytes = Convert.FromBase64String(acsBinaryToken);
var acsToken = System.Text.Encoding.UTF8.GetString(acsTokenBytes, 0, acsTokenBytes.Length);
tagRegex = CreateRegexForHtmlTag("Expires");
var expires = DateTime.Parse(tagRegex.Match(acsReply).Groups[1].Value);
tagRegex = CreateRegexForHtmlTag("TokenType");
var tokenType = tagRegex.Match(acsReply).Groups[1].Value;
if (null != RequestSecurityTokenResponseCompleted)
{
var rstr = new RequestSecurityTokenResponse();
rstr.TokenString = acsToken;
rstr.Expiration = expires;
rstr.TokenType = tokenType;
RequestSecurityTokenResponseCompleted(this, new RequestSecurityTokenResponseCompletedEventArgs(rstr, null));
}
}
lock (_setBrowserVisibleLock)
{
_setBrowserVisible = false;
ShowProgressBar(null);
}
}
public static PeerHashToken CreateHashTokenFrom(Message message)
{
PeerHashToken invalid = PeerHashToken.Invalid;
RequestSecurityTokenResponse response = RequestSecurityTokenResponse.CreateFrom(message.GetReaderAtBodyContents(), MessageSecurityVersion.Default, new PeerSecurityTokenSerializer());
if (string.Compare(response.TokenType, "http://schemas.microsoft.com/net/2006/05/peer/peerhashtoken", StringComparison.OrdinalIgnoreCase) == 0)
{
XmlElement requestSecurityTokenResponseXml = response.RequestSecurityTokenResponseXml;
if (requestSecurityTokenResponseXml == null)
{
return(invalid);
}
foreach (XmlElement element2 in requestSecurityTokenResponseXml.ChildNodes)
{
if (PeerRequestSecurityToken.CompareWithNS(element2.LocalName, element2.NamespaceURI, "Status", "http://schemas.xmlsoap.org/ws/2005/02/trust"))
{
if (element2.ChildNodes.Count == 1)
{
XmlElement element = element2.ChildNodes[0] as XmlElement;
if (PeerRequestSecurityToken.CompareWithNS(element.LocalName, element.NamespaceURI, "Code", "http://schemas.xmlsoap.org/ws/2005/02/trust") && (string.Compare(XmlHelper.ReadTextElementAsTrimmedString(element), "http://schemas.xmlsoap.org/ws/2005/02/trust/status/valid", StringComparison.OrdinalIgnoreCase) != 0))
{
return(invalid);
}
}
}
else if (PeerRequestSecurityToken.CompareWithNS(element2.LocalName, element2.NamespaceURI, "RequestedSecurityToken", "http://schemas.xmlsoap.org/ws/2005/02/trust"))
{
return(PeerHashToken.CreateFrom(element2));
}
}
}
return(invalid);
}
public XmlElement RenewTicket(X509Certificate2 sessionCert, XmlElement previousTicket)
{
//make the request
var request = new RequestSecurityTokenRequest()
{
RequestSecurityToken = new RequestSecurityTokenType()
{
Context = "urn:uuid:" + Guid.NewGuid().ToString(),
TokenType = "http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1",
RequestType = RequestTypeEnum.httpdocsoasisopenorgwssxwstrust200512Renew,
RenewTarget = new RenewTargetType()
{
SecurityTokenReference = new SecurityTokenReferenceType()
{
Embedded = new EmbeddedType()
{
Any = previousTicket
}
}
}
}
};
RequestSecurityTokenResponse step1 = base.Channel.RequestSecurityToken(request);
return(Complete(sessionCert, step1));
}
public CreateCoordinationContextResponse(Message message, Microsoft.Transactions.Wsat.Protocol.ProtocolVersion protocolVersion) : this(protocolVersion)
{
if (message.IsEmpty)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new InvalidMessageException(Microsoft.Transactions.SR.GetString("InvalidMessageBody")));
}
XmlDictionaryReader readerAtBodyContents = message.GetReaderAtBodyContents();
using (readerAtBodyContents)
{
this.ReadFrom(readerAtBodyContents);
try
{
message.ReadFromBodyContentsToEnd(readerAtBodyContents);
}
catch (XmlException exception)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new InvalidMessageException(Microsoft.Transactions.SR.GetString("InvalidMessageBody"), exception));
}
}
try
{
this.IssuedToken = CoordinationServiceSecurity.GetIssuedToken(message, this.CoordinationContext.Identifier, protocolVersion);
}
catch (XmlException exception2)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new InvalidMessageException(exception2.Message, exception2));
}
}
public void LogIn(string url, Action <RequestSecurityTokenResponse> onLoggedIn, Action assumeCancelled, string identityProviderName = null)
{
var appContext = Mvx.Resolve <IMvxAndroidGlobals>().ApplicationContext;
CookieSyncManager.CreateInstance(appContext);
var manager = CookieManager.Instance;
if (manager != null)
{
manager.SetAcceptCookie(true);
}
_onLoggedIn = onLoggedIn;
_assumeCancelled = assumeCancelled;
_messageHub = Mvx.Resolve <IMvxMessenger>();
_subscriptionToken = _messageHub.Subscribe <RequestTokenMessage>(message =>
{
_response = message.TokenResponse;
});
var intent = new Intent(appContext, typeof(AccessControlWebAuthActivity));
intent.PutExtra("cheesebaron.mvxplugins.azureaccesscontrol.droid.Url", url);
StartActivityForResult(LoginIdentityRequestCode, intent);
}
public static void CreateIssuedToken(Guid transactionId, string coordinationContextId, ProtocolVersion protocolVersion, out RequestSecurityTokenResponse issuedToken, out string sctId)
{
sctId = CoordinationContext.CreateNativeIdentifier(Guid.NewGuid());
byte[] key = DeriveIssuedTokenKey(transactionId, sctId);
DateTime utcNow = DateTime.UtcNow;
SecurityContextSecurityToken token = new SecurityContextSecurityToken(new UniqueId(sctId), key, utcNow, utcNow + TimeSpan.FromDays(36500.0));
BinarySecretSecurityToken token2 = new BinarySecretSecurityToken(key);
SecurityStandardsManager standardsManager = CreateStandardsManager(protocolVersion);
RequestSecurityTokenResponse response = new RequestSecurityTokenResponse(standardsManager) {
TokenType = standardsManager.SecureConversationDriver.TokenTypeUri,
RequestedUnattachedReference = SecurityContextSecurityTokenParameters.CreateKeyIdentifierClause(token, SecurityTokenReferenceStyle.External),
RequestedAttachedReference = SecurityContextSecurityTokenParameters.CreateKeyIdentifierClause(token, SecurityTokenReferenceStyle.Internal),
RequestedSecurityToken = token,
RequestedProofToken = token2
};
DataContractSerializer serializer = IdentifierElementSerializer(protocolVersion);
ProtocolVersionHelper.AssertProtocolVersion(protocolVersion, typeof(CoordinationServiceSecurity), "CreateIssuedToken");
switch (protocolVersion)
{
case ProtocolVersion.Version10:
response.SetAppliesTo<IdentifierElement10>(new IdentifierElement10(coordinationContextId), serializer);
break;
case ProtocolVersion.Version11:
response.SetAppliesTo<IdentifierElement11>(new IdentifierElement11(coordinationContextId), serializer);
break;
}
response.MakeReadOnly();
if (DebugTrace.Verbose)
{
DebugTrace.Trace(TraceLevel.Verbose, "Created issued token with id {0} for transaction {1}", sctId, transactionId);
}
issuedToken = response;
}
public void LogIn(
string url, Action<RequestSecurityTokenResponse> onLoggedIn, Action assumeCancelled,
string identityProviderName = null)
{
var root = Application.Current.RootVisual as Frame;
_messageHub = Mvx.Resolve<IMvxMessenger>();
_subscriptionToken = _messageHub.Subscribe<RequestTokenMessage>(message =>
{
_response = message.TokenResponse;
if (_response != null)
{
onLoggedIn(_response);
}
else
{
assumeCancelled();
}
if (root == null) return;
if (root.CanGoBack)
root.GoBack();
});
if (root != null)
{
root.Navigate(
new Uri(
string.Format(
"/Cheesebaron.MvxPlugins.AzureAccessControl.WindowsPhone;component/Views/AccessControlWebAuthView.xaml?url={0}&name={1}",
WebUtility.UrlEncode(url), WebUtility.UrlEncode(identityProviderName)),
UriKind.Relative));
}
}
private void SignInWebBrowserControl_ScriptNotify(object sender, NotifyEventArgs e)
{
RequestSecurityTokenResponse rstr = null;
Exception exception = null;
try
{
ShowProgressBar("Signing In");
rstr = RequestSecurityTokenResponse.FromJSON(e.Value);
if (null == rstr)
{
DisplayErrorMessage("Failed reading RSTR");
exception = new InvalidOperationException("Failed to get a valid RequestSecurityTokenResponse");
}
if (null != _rstrStore)
{
_rstrStore.RequestSecurityTokenResponse = rstr;
}
}
catch (Exception ex)
{
DisplayErrorMessageFromException(ex);
exception = ex;
}
if (null != RequestSecurityTokenResponseCompleted)
{
RequestSecurityTokenResponseCompleted(this, new RequestSecurityTokenResponseCompletedEventArgs(rstr, exception));
}
}
public SignInResponseMessage Generate(SignInRequestMessage request, WindowsPrincipal windowsPrincipal)
{
Logger.Info("Creating WS-Federation signin response");
// create subject
var outgoingSubject = SubjectGenerator.Create(windowsPrincipal, _options);
// create token for user
var token = CreateSecurityToken(outgoingSubject);
// return response
var rstr = new RequestSecurityTokenResponse
{
AppliesTo = new EndpointReference(_options.IdpRealm),
Context = request.Context,
ReplyTo = _options.IdpReplyUrl,
RequestedSecurityToken = new RequestedSecurityToken(token)
};
var serializer = new WSFederationSerializer(
new WSTrust13RequestSerializer(),
new WSTrust13ResponseSerializer());
var mgr = SecurityTokenHandlerCollectionManager.CreateEmptySecurityTokenHandlerCollectionManager();
mgr[SecurityTokenHandlerCollectionManager.Usage.Default] = CreateSupportedSecurityTokenHandler();
var responseMessage = new SignInResponseMessage(
new Uri(_options.IdpReplyUrl),
rstr,
serializer,
new WSTrustSerializationContext(mgr));
return(responseMessage);
}
private static string GetWindowsTokenHelper(string windowsAuthSiteEndPoint)
{
var identityProviderEndpoint = new EndpointAddress(new Uri(windowsAuthSiteEndPoint + "/wstrust/issue/windowstransport"));
var identityProviderBinding = new WS2007HttpBinding(SecurityMode.Transport);
identityProviderBinding.Security.Message.EstablishSecurityContext = false;
identityProviderBinding.Security.Message.ClientCredentialType = MessageCredentialType.None;
identityProviderBinding.Security.Transport.ClientCredentialType = HttpClientCredentialType.Windows;
var trustChannelFactory = new WSTrustChannelFactory(identityProviderBinding, identityProviderEndpoint)
{
TrustVersion = TrustVersion.WSTrust13,
};
trustChannelFactory.Credentials.ServiceCertificate.SslCertificateAuthentication = new X509ServiceCertificateAuthentication()
{
CertificateValidationMode = X509CertificateValidationMode.None
};
var channel = trustChannelFactory.CreateChannel();
var rst = new RequestSecurityToken(RequestTypes.Issue)
{
AppliesTo = new EndpointReference("http://azureservices/AdminSite"),
KeyType = KeyTypes.Bearer,
};
RequestSecurityTokenResponse rstr = null;
SecurityToken token = null;
token = channel.Issue(rst, out rstr);
var tokenString = (token as GenericXmlSecurityToken).TokenXml.InnerText;
var jwtString = Encoding.UTF8.GetString(Convert.FromBase64String(tokenString));
return(jwtString);
}
internal static SecurityToken ComputeProofKey(RequestSecurityToken rst, RequestSecurityTokenResponse rstr)
{
if (rstr.Entropy == null)
{
throw new NotSupportedException("RSTR entropy is null");
}
if (rst.Entropy == null)
{
throw new NotSupportedException("RST entropy is null");
}
int?keySizeInBits = rst.KeySizeInBits;
int num = keySizeInBits.HasValue ? keySizeInBits.GetValueOrDefault() : 0x400;
if (rstr.KeySizeInBits.HasValue)
{
num = rstr.KeySizeInBits.Value;
}
return(new BinarySecretSecurityToken(
KeyGenerator.ComputeCombinedKey(
rst.Entropy.GetKeyBytes(),
rstr.Entropy.GetKeyBytes(),
num)));
}
/// <summary>
/// Turns a RST/ProofKey pair into a GenericXmlSecurityToken.
/// </summary>
/// <param name="rstr">The RSTR.</param>
/// <param name="proofKey">The ProofKey.</param>
/// <returns>A GenericXmlSecurityToken</returns>
public static GenericXmlSecurityToken ToGenericXmlSecurityToken(this RequestSecurityTokenResponse rstr, SecurityToken proofKey)
{
DateTime?created = null;
DateTime?expires = null;
if (rstr.Lifetime != null)
{
created = rstr.Lifetime.Created;
expires = rstr.Lifetime.Expires;
if (!created.HasValue)
{
created = new DateTime?(DateTime.UtcNow);
}
if (!expires.HasValue)
{
expires = new DateTime?(DateTime.UtcNow.AddHours(10.0));
}
}
else
{
created = new DateTime?(DateTime.UtcNow);
expires = new DateTime?(DateTime.UtcNow.AddHours(10.0));
}
return(new GenericXmlSecurityToken(
ExtractTokenXml(rstr),
proofKey,
created.Value,
expires.Value,
rstr.RequestedAttachedReference,
rstr.RequestedUnattachedReference,
new ReadOnlyCollection <IAuthorizationPolicy>(new List <IAuthorizationPolicy>())));
}
private XmlElement Complete(X509Certificate2 sessionCert, RequestSecurityTokenResponse response)
{
//we expect SignChallenge, which we need to return as SignChallengeResponse using the body cert/key.
if (response.RequestSecurityTokenResponse1.SignChallenge == null)
{
throw new InvalidOperationException("eHealth WS-Trust service didn't return sign challenge response");
}
response.RequestSecurityTokenResponse1.SignChallengeResponse = response.RequestSecurityTokenResponse1.SignChallenge;
response.RequestSecurityTokenResponse1.SignChallenge = null;
//create a secondary channel to send the challenge
ChannelFactory <IWsTrustPortFixed> channelFactory = new ChannelFactory <IWsTrustPortFixed>(base.Endpoint.Binding, base.Endpoint.Address);
channelFactory.Credentials.ClientCertificate.Certificate = sessionCert;
IWsTrustPortFixed secondary = channelFactory.CreateChannel();
//send the (signed) Challenge, get the reponse as message to not break the internal signature
Message responseMsg = secondary.Challenge(response);
if (responseMsg.IsFault)
{
throw new FaultException(MessageFault.CreateFault(responseMsg, 10240), responseMsg.Headers.Action);
}
var responseBody = new XmlDocument();
responseBody.PreserveWhitespace = true;
responseBody.Load(responseMsg.GetReaderAtBodyContents());
//better to check if correcty wrapped, but for now we do not care.
return((XmlElement)responseBody.GetElementsByTagName("Assertion", "urn:oasis:names:tc:SAML:1.0:assertion")[0]);
}
public virtual void ApplyTo(RequestSecurityTokenResponse response)
{
if (TokenType != null)
{
response.TokenType = TokenType;
}
if (TokenElement != null)
{
response.RequestedSecurityToken = new RequestedSecurityToken(TokenElement)
{
SecurityToken = Token
};
}
else if (Token != null)
{
response.RequestedSecurityToken = new RequestedSecurityToken(Token);
}
if (AttachedReference != null)
{
response.AttachedReference = AttachedReference;
}
if (UnattachedReference != null)
{
response.UnattachedReference = UnattachedReference;
}
if (IssuedAt != null && Expires != null)
{
response.Lifetime = new Lifetime(IssuedAt, Expires);
}
}
private static string GetTokenFromAdfs20()
{
var binding = new WS2007HttpBinding(SecurityMode.TransportWithMessageCredential);
binding.Security.Message.ClientCredentialType = MessageCredentialType.UserName;
binding.Security.Message.NegotiateServiceCredential = true;
binding.Security.Message.EstablishSecurityContext = false;
var address = new EndpointAddress(
new Uri(@"https://yourserver.com/adfs/services/trust/13/usernamemixed"));
WSTrustChannelFactory factory = new WSTrustChannelFactory(binding, address);
factory.TrustVersion = TrustVersion.WSTrust13;
factory.Credentials.UserName.UserName = "******";
factory.Credentials.UserName.Password = "******";
WSTrustChannel channel = (WSTrustChannel)factory.CreateChannel();
var request = new RequestSecurityToken(System.IdentityModel.Protocols.WSTrust.RequestTypes.Issue)
{
AppliesTo = new EndpointReference("https://relyingparty"),
KeyType = KeyTypes.Bearer
};
RequestSecurityTokenResponse response = null;
var token = channel.Issue(request, out response) as GenericXmlSecurityToken;
return(token.TokenXml.OuterXml);
}
private bool ShouldStartLoad(UIWebView webView, NSUrlRequest request, UIWebViewNavigationType navigationType)
{
if (Url != null && request.Url.Equals(Url))
{
return(true);
}
Url = request.Url;
if (Url.Scheme.Equals("acs"))
{
var b = new StringBuilder(Uri.UnescapeDataString(request.Url.ToString()));
b.Replace("acs://settoken?token=", string.Empty);
var token = RequestSecurityTokenResponse.FromJSON(b.ToString());
_messageHub.Publish(new RequestTokenMessage(this)
{
TokenResponse = token
});
DismissViewController(true, null);
}
NSUrlConnection.FromRequest(request, new LoginConnectionDelegate(this));
return(false);
}
private SecurityToken GetTokenFromSts(out RequestSecurityTokenResponse rstr)
{
int num = 3;
SecurityToken result;
while (true)
{
try
{
if (this.username == null && this.password == null)
{
result = this.GetLoggedInUserToken(out rstr);
break;
}
result = this.GetImpersonatedUserToken(out rstr);
break;
}
catch (TimeoutException)
{
if (--num == 0)
{
throw;
}
}
catch (ServerTooBusyException)
{
if (--num == 0)
{
throw;
}
}
}
return(result);
}
private static Tuple <string, byte[]> GetToken()
{
var binding = new WS2007HttpBinding(SecurityMode.Message);
binding.Security.Message.ClientCredentialType = MessageCredentialType.UserName;
binding.Security.Message.NegotiateServiceCredential = true;
binding.Security.Message.EstablishSecurityContext = false;
var address = new EndpointAddress(new Uri(@"http://localhost:6000/MySTS"),
new DnsEndpointIdentity("MySTS"));
WSTrustChannelFactory factory = new WSTrustChannelFactory(binding, address);
factory.TrustVersion = TrustVersion.WSTrust13;
factory.Credentials.ServiceCertificate.Authentication.CertificateValidationMode =
X509CertificateValidationMode.None;
factory.Credentials.ServiceCertificate.Authentication.RevocationMode = X509RevocationMode.NoCheck;
factory.Credentials.UserName.UserName = "******";
factory.Credentials.UserName.Password = "******"; // got to be same as user name in our example
WSTrustChannel channel = (WSTrustChannel)factory.CreateChannel();
var request = new RequestSecurityToken(System.IdentityModel.Protocols.WSTrust.RequestTypes.Issue)
{
AppliesTo = new EndpointReference("http://my-server.com")
};
RequestSecurityTokenResponse response = null;
var token = channel.Issue(request, out response) as GenericXmlSecurityToken;
var proofKey = response.RequestedProofToken.ProtectedKey.GetKeyBytes();
return(new Tuple <string, byte[]>(token.TokenXml.OuterXml, proofKey));
}
public string GetToken(string idpEndpoint, string rstsRealm)
{
var binding = new WindowsWSTrustBinding(SecurityMode.TransportWithMessageCredential);
var factory = new System.ServiceModel.Security.WSTrustChannelFactory(binding, new EndpointAddress(new Uri(idpEndpoint)));
factory.TrustVersion = TrustVersion.WSTrust13;
factory.Credentials.SupportInteractive = false;
var rst = new System.IdentityModel.Protocols.WSTrust.RequestSecurityToken
{
RequestType = RequestTypes.Issue,
AppliesTo = new System.IdentityModel.Protocols.WSTrust.EndpointReference(rstsRealm),
KeyType = KeyTypes.Bearer,
TokenType = "urn:oasis:names:tc:SAML:1.0:assertion" // "urn:oasis:names:tc:SAML:2.0:assertion"
};
var channel = factory.CreateChannel();
RequestSecurityTokenResponse response = null;
try {
var securityToken = channel.Issue(rst, out response);
return(Serialize(response));
}catch
{
var x = response;
}
return(null);
}
/// <summary>
/// Reads the 'wresult' and returns the embeded security token.
/// </summary>
/// <returns>the 'SecurityToken'.</returns>
public virtual string GetToken()
{
if (Wresult == null)
{
IdentityModelEventSource.Logger.WriteWarning(string.Format(CultureInfo.InvariantCulture, LogMessages.IDX10000, "wresult"));
return(null);
}
using (StringReader sr = new StringReader(Wresult))
{
XmlReader xmlReader = XmlReader.Create(sr);
xmlReader.MoveToContent();
WSTrustResponseSerializer serializer = new WSTrust13ResponseSerializer();
if (serializer.CanRead(xmlReader))
{
RequestSecurityTokenResponse response = serializer.ReadXml(xmlReader, new WSTrustSerializationContext());
return(response.RequestedSecurityToken.SecurityTokenXml.OuterXml);
}
serializer = new WSTrustFeb2005ResponseSerializer();
if (serializer.CanRead(xmlReader))
{
RequestSecurityTokenResponse response = serializer.ReadXml(xmlReader, new WSTrustSerializationContext());
return(response.RequestedSecurityToken.SecurityTokenXml.OuterXml);
}
}
return(null);
}
private TransactionContext CreateTransactionContext()
{
Microsoft.Transactions.Bridge.EnlistmentOptions enlistmentOptions = this.enlistment.EnlistmentOptions;
string remoteTransactionId = this.enlistment.RemoteTransactionId;
Guid localTransactionId = this.enlistment.LocalTransactionId;
CoordinationContext context = new CoordinationContext(this.state.ProtocolVersion)
{
Expires = (enlistmentOptions.Expires == TimeSpan.MaxValue) ? uint.MaxValue : ((uint)((int)enlistmentOptions.Expires.TotalMilliseconds)),
Identifier = remoteTransactionId,
LocalTransactionId = localTransactionId,
IsolationLevel = enlistmentOptions.IsoLevel,
IsolationFlags = enlistmentOptions.IsolationFlags,
Description = enlistmentOptions.Description
};
string contextId = CoordinationContext.IsNativeIdentifier(remoteTransactionId, localTransactionId) ? null : remoteTransactionId;
string sctId = null;
RequestSecurityTokenResponse issuedToken = null;
if (this.state.Config.PortConfiguration.SupportingTokensEnabled)
{
CoordinationServiceSecurity.CreateIssuedToken(localTransactionId, remoteTransactionId, this.state.ProtocolVersion, out issuedToken, out sctId);
}
AddressHeader refParam = new WsatRegistrationHeader(localTransactionId, contextId, sctId);
context.RegistrationService = this.state.RegistrationCoordinatorListener.CreateEndpointReference(refParam);
return(new TransactionContext(context, issuedToken));
}
public GenericXmlSecurityToken DeserializeTokenFromRstr(RequestSecurityTokenResponse rstr)
{
SecurityToken proofKey = null;
DateTime? created = null;
DateTime? expires = null;
if (rstr.Lifetime != null)
{
created = rstr.Lifetime.Created;
expires = rstr.Lifetime.Expires;
}
if (!created.HasValue)
{
throw new Exception("Created unspecified");
}
if (!expires.HasValue)
{
throw new Exception("Expires unspecified");
}
GenericXmlSecurityToken securityToken = new GenericXmlSecurityToken(
rstr.RequestedSecurityToken.SecurityTokenXml,
proofKey,
created.Value,
expires.Value,
rstr.RequestedAttachedReference,
rstr.RequestedUnattachedReference,
new ReadOnlyCollection <IAuthorizationPolicy>(new List <IAuthorizationPolicy>())
);
return(securityToken);
}
/// <summary>
/// Call the STS to get an appropriate token for a request and build a response.
/// </summary>
/// <param name="requestMessage"></param>
/// <returns>The <see cref="SignInResponseMessage"/></returns>
private SignInResponseMessage ProcessSignInRequest(SignInRequestMessage requestMessage)
{
// Ensure that the requestMessage has the required wtrealm parameter
if (String.IsNullOrEmpty(requestMessage.Realm))
{
throw new InvalidOperationException("Missing realm");
}
SecurityTokenServiceConfiguration stsconfig = new SecurityTokenServiceConfiguration("PassiveFlowSTS");
// Create our STS backend
SecurityTokenService sts = new CustomSecurityTokenService(stsconfig);
// Create the WS-Federation serializer to process the request and create the response
WSFederationSerializer federationSerializer = new WSFederationSerializer();
// Create RST from the request
RequestSecurityToken request = federationSerializer.CreateRequest(requestMessage, new WSTrustSerializationContext());
// Get RSTR from our STS backend
RequestSecurityTokenResponse response = sts.Issue((ClaimsPrincipal)Thread.CurrentPrincipal, request);
// Create Response message from the RSTR
return(new SignInResponseMessage(new Uri(response.ReplyTo),
federationSerializer.GetResponseAsString(response, new WSTrustSerializationContext())));
}
public async Task <SignInResponseMessage> GenerateResponseAsync(SignInValidationResult validationResult)
{
Logger.Info("Creating WS-Federation signin response");
// create subject
var outgoingSubject = await CreateSubjectAsync(validationResult);
// create token for user
var token = CreateSecurityToken(validationResult, outgoingSubject);
// return response
var rstr = new RequestSecurityTokenResponse
{
AppliesTo = new EndpointReference(validationResult.RelyingParty.Realm),
Context = validationResult.SignInRequestMessage.Context,
ReplyTo = validationResult.ReplyUrl,
RequestedSecurityToken = new RequestedSecurityToken(token)
};
var serializer = new WSFederationSerializer(
new WSTrust13RequestSerializer(),
new WSTrust13ResponseSerializer());
var responseMessage = new SignInResponseMessage(
new Uri(validationResult.ReplyUrl),
rstr,
serializer,
new WSTrustSerializationContext());
return(responseMessage);
}
/// <summary>
/// Reads the 'wresult' and returns the embeded security token.
/// </summary>
/// <returns>the 'SecurityToken'.</returns>
public virtual string GetToken()
{
if (Wresult == null)
{
return(null);
}
using (StringReader sr = new StringReader(Wresult))
{
XmlReader xmlReader = XmlReader.Create(sr);
xmlReader.MoveToContent();
WSTrustResponseSerializer serializer = new WSTrust13ResponseSerializer();
if (serializer.CanRead(xmlReader))
{
RequestSecurityTokenResponse response = serializer.ReadXml(xmlReader, new WSTrustSerializationContext());
return(response.RequestedSecurityToken.SecurityTokenXml.OuterXml);
}
serializer = new WSTrustFeb2005ResponseSerializer();
if (serializer.CanRead(xmlReader))
{
RequestSecurityTokenResponse response = serializer.ReadXml(xmlReader, new WSTrustSerializationContext());
return(response.RequestedSecurityToken.SecurityTokenXml.OuterXml);
}
}
return(null);
}
private async void SignInWebBrowserControlScriptNotify(object sender, NotifyEventArgs e)
{
BrowserSignInControl.ScriptNotify -= SignInWebBrowserControlScriptNotify;
GdProgress.Visibility = Visibility.Visible;
try
{
var rswt = await RequestSecurityTokenResponse.FromJSONAsync(e.Value);
_messageHub.Publish(rswt == null
? new RequestTokenMessage(this)
{
TokenResponse = null
}
: new RequestTokenMessage(this)
{
TokenResponse = rswt
});
}
catch (Exception)
{
_timeoutTimer.Stop();
_messageHub.Publish(new RequestTokenMessage(this)
{
TokenResponse = null
});
}
}
protected override void OnActivityResult(int requestCode, Result resultCode, Intent data)
{
// We've got a result from the webactivity
if (WEB_AUTH_ACTIVITY == requestCode && Result.Ok == resultCode)
{
var requestSecurityTokenResponse = data.GetStringExtra("monodroid.watoolkit.library.login.RequestSecurityTokenResponse");
// Lets try parse it!
var token = RequestSecurityTokenResponse.FromJSON(requestSecurityTokenResponse);
RequestSecurityTokenResponseStore.Instance.RequestSecurityTokenResponse = token;
if (Parent == null)
{
SetResult(Result.Ok);
}
else
{
Parent.SetResult(Result.Ok);
}
Finish();
}
// Something bad happened (or we pressed back!) and we did not get the Token :-/
else if (WEB_AUTH_ACTIVITY == requestCode && Result.Canceled == resultCode)
{
ShowAlertDialog("An error occured!", "Could not retrieve security token, please try again");
}
}
public CreateCoordinationContext(Message message, Microsoft.Transactions.Wsat.Protocol.ProtocolVersion protocolVersion) : this(protocolVersion)
{
if (message.IsEmpty)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new InvalidMessageException(Microsoft.Transactions.SR.GetString("InvalidMessageBody")));
}
XmlDictionaryReader readerAtBodyContents = message.GetReaderAtBodyContents();
using (readerAtBodyContents)
{
this.ReadFrom(readerAtBodyContents);
try
{
message.ReadFromBodyContentsToEnd(readerAtBodyContents);
}
catch (XmlException exception)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new InvalidMessageException(Microsoft.Transactions.SR.GetString("InvalidMessageBody"), exception));
}
}
if (this.CurrentContext != null)
{
try
{
this.IssuedToken = CoordinationServiceSecurity.GetIssuedToken(message, this.CurrentContext.Identifier, protocolVersion);
}
catch (XmlException exception2)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new InvalidMessageException(exception2.Message, exception2));
}
}
}
public static void AddIssuedToken(Message message, RequestSecurityTokenResponse rstr)
{
TransactionFlowProperty.Ensure(message).IssuedTokens.Add(rstr);
if (DebugTrace.Verbose)
{
DebugTrace.Trace(TraceLevel.Verbose, "Added issued token to message");
}
}
public CreateCoordinationContextResponse(Microsoft.Transactions.Wsat.Protocol.ProtocolVersion protocolVersion)
{
this.CoordinationContext = null;
this.IssuedToken = null;
this.protocolVersion = protocolVersion;
this.coordinationStrings = CoordinationStrings.Version(protocolVersion);
this.coordinationXmlDictionaryStrings = CoordinationXmlDictionaryStrings.Version(protocolVersion);
}
public WsatTransactionInfo(WsatProxy wsatProxy,
CoordinationContext context,
RequestSecurityTokenResponse issuedToken)
{
this.wsatProxy = wsatProxy;
this.context = context;
this.issuedToken = issuedToken;
}
public WsatTransactionInfo(WsatProxy wsatProxy,
CoordinationContext context,
RequestSecurityTokenResponse issuedToken)
{
this.wsatProxy = wsatProxy;
this.context = context;
this.issuedToken = issuedToken;
}
public static void AddIssuedToken(Message message, RequestSecurityTokenResponse rstr)
{
TransactionFlowProperty.Ensure(message).IssuedTokens.Add(rstr);
if (DebugTrace.Verbose)
{
DebugTrace.Trace(TraceLevel.Verbose, "Added issued token to message");
}
}
public CoordinatorEnlistment(ProtocolState state, TransactionContextManager contextManager, CoordinationContext context, RequestSecurityTokenResponse rstr) : base(state)
{
base.ourContextManager = contextManager;
this.superiorContext = context;
this.superiorRstr = rstr;
this.ConfigureEnlistment(context);
base.stateMachine = new CoordinatorStateMachine(this);
base.stateMachine.ChangeState(state.States.CoordinatorInitializing);
}
/// <summary>
/// Requests a token desribed by an RST.
/// </summary>
/// <param name="stsAddress">The STS address.</param>
/// <param name="binding">The binding.</param>
/// <param name="credentials">The credentials.</param>
/// <param name="rst">The RST.</param>
/// <param name="rstr">The RSTR.</param>
/// <returns>A SecurityToken</returns>
public static SecurityToken Issue(EndpointAddress stsAddress, Binding binding, ClientCredentials credentials, RequestSecurityToken rst, out RequestSecurityTokenResponse rstr)
{
var channel = CreateWSTrustChannel(
stsAddress,
binding,
credentials);
var token = channel.Issue(rst, out rstr);
return token;
}
public Register(Microsoft.Transactions.Wsat.Protocol.ProtocolVersion protocolVersion)
{
this.Protocol = ControlProtocol.None;
this.ParticipantProtocolService = null;
this.Loopback = Guid.Empty;
this.SupportingToken = null;
this.protocolVersion = protocolVersion;
this.coordinationStrings = CoordinationStrings.Version(protocolVersion);
this.coordinationXmlDictionaryStrings = CoordinationXmlDictionaryStrings.Version(protocolVersion);
}
public IssuedTokensHeader(RequestSecurityTokenResponse tokenIssuance, SecurityStandardsManager standardsManager)
: base()
{
if (tokenIssuance == null)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("tokenIssuance");
}
Collection<RequestSecurityTokenResponse> coll = new Collection<RequestSecurityTokenResponse>();
coll.Add(tokenIssuance);
Initialize(coll, standardsManager);
}
public void MarshalAsCoordinationContext(Transaction transaction, out CoordinationContext context, out RequestSecurityTokenResponse issuedToken)
{
uint num;
IsolationFlags flags;
string str2;
WsatExtendedInformation information;
string str3;
Guid distributedIdentifier = transaction.TransactionInformation.DistributedIdentifier;
string contextId = null;
context = new CoordinationContext(this.protocolVersion);
OleTxTransactionFormatter.GetTransactionAttributes(transaction, out num, out flags, out str2);
context.IsolationFlags = flags;
context.Description = str2;
if (TransactionCache<Transaction, WsatExtendedInformation>.Find(transaction, out information))
{
context.Expires = information.Timeout;
if (!string.IsNullOrEmpty(information.Identifier))
{
context.Identifier = information.Identifier;
contextId = information.Identifier;
}
}
else
{
context.Expires = num;
if (context.Expires == 0)
{
context.Expires = (uint) TimeoutHelper.ToMilliseconds(this.wsatConfig.MaxTimeout);
}
}
if (context.Identifier == null)
{
context.Identifier = CoordinationContext.CreateNativeIdentifier(distributedIdentifier);
contextId = null;
}
if (!this.wsatConfig.IssuedTokensEnabled)
{
str3 = null;
issuedToken = null;
}
else
{
CoordinationServiceSecurity.CreateIssuedToken(distributedIdentifier, context.Identifier, this.protocolVersion, out issuedToken, out str3);
}
AddressHeader refParam = new WsatRegistrationHeader(distributedIdentifier, contextId, str3);
context.RegistrationService = this.wsatConfig.CreateRegistrationService(refParam, this.protocolVersion);
context.IsolationLevel = transaction.IsolationLevel;
context.LocalTransactionId = distributedIdentifier;
if (this.wsatConfig.OleTxUpgradeEnabled)
{
context.PropagationToken = TransactionInterop.GetTransmitterPropagationToken(transaction);
}
}
public static void AddSupportingToken(Message message, RequestSecurityTokenResponse rstr)
{
GenericXmlSecurityToken token = rstr.GetIssuedToken(null, null, SecurityKeyEntropyMode.ServerEntropy, null, null, null);
SecurityMessageProperty property = new SecurityMessageProperty();
SupportingTokenSpecification item = new SupportingTokenSpecification(token, new List<IAuthorizationPolicy>().AsReadOnly(), SecurityTokenAttachmentMode.Endorsing, SecurityContextSecurityTokenParameters);
property.OutgoingSupportingTokens.Add(item);
message.Properties.Security = property;
if (DebugTrace.Verbose)
{
DebugTrace.Trace(TraceLevel.Verbose, "Attached supporting token {0} to register message", rstr.Context);
}
}
public CreateCoordinationContext(Microsoft.Transactions.Wsat.Protocol.ProtocolVersion protocolVersion)
{
this.expiration = 0;
this.expiresPresent = false;
this.CurrentContext = null;
this.IssuedToken = null;
this.IsolationLevel = System.Transactions.IsolationLevel.Serializable;
this.protocolVersion = protocolVersion;
this.coordinationXmlDictionaryStrings = CoordinationXmlDictionaryStrings.Version(protocolVersion);
this.atomicTransactionXmlDictionaryStrings = AtomicTransactionXmlDictionaryStrings.Version(protocolVersion);
this.atomicTransactionStrings = AtomicTransactionStrings.Version(protocolVersion);
this.coordinationStrings = CoordinationStrings.Version(protocolVersion);
}
public void LogIn(string url, Action<RequestSecurityTokenResponse> onLoggedIn, Action assumeCancelled, string identityProviderName = null)
{
_onLoggedIn = onLoggedIn;
_assumeCancelled = assumeCancelled;
_messageHub = Mvx.Resolve<IMvxMessenger>();
_subscriptionToken = _messageHub.Subscribe<RequestTokenMessage>(message =>
{
_response = message.TokenResponse;
});
var intent = new Intent(Mvx.Resolve<IMvxAndroidGlobals>()
.ApplicationContext, typeof(AccessControlWebAuthActivity));
intent.PutExtra("cheesebaron.mvxplugins.azureaccesscontrol.droid.Url", url);
StartActivityForResult(LoginIdentityRequestCode, intent);
}
public IssuedTokensHeader(RequestSecurityTokenResponse tokenIssuance, MessageSecurityVersion version, SecurityTokenSerializer tokenSerializer)
: this(tokenIssuance, new SecurityStandardsManager(version, tokenSerializer))
{
}
/// <summary>
/// Checks the authentication.
/// </summary>
/// <param name="claimsPrincipal">The claims principal.</param>
public void CheckAuthentication( IClaimsPrincipal claimsPrincipal )
{
var bootStrapToken = ( from ident in claimsPrincipal.Identities
where ident.BootstrapToken != null && ident.BootstrapToken is SamlSecurityToken
select ident.BootstrapToken ).FirstOrDefault ();
var responseSerializer = new WSTrust13ResponseSerializer ();
var requestSecurityTokenResponse = new RequestSecurityTokenResponse
{
AppliesTo = new EndpointAddress ( "https://localhost/Rem.Web" ),
Context = "passive",
Lifetime = new Lifetime ( bootStrapToken.ValidFrom, bootStrapToken.ValidTo ),
RequestedSecurityToken = new RequestedSecurityToken ( bootStrapToken ),
TokenType = Saml2SecurityTokenHandler.TokenProfile11ValueType,
RequestType = WSTrust13Constants.RequestTypes.Issue,
KeyType = WSTrust13Constants.KeyTypes.Bearer
};
string content;
using ( var swriter = new StringWriter () )
{
using ( var xmlWriter = XmlWriter.Create ( swriter ) )
{
responseSerializer.WriteXml (
requestSecurityTokenResponse,
xmlWriter,
new WSTrustSerializationContext () );
xmlWriter.Flush ();
swriter.Flush ();
var xmlString = swriter.ToString ().Replace ( "<?xml version=\"1.0\" encoding=\"utf-16\"?>", "" );
content = string.Format (
"wa=wsignin1.0&wresult={0}&wctx=rm%3D0%26id%3Dpassive%26ru%3D%252fRem.Web%252f",
HttpContext.Current.Server.UrlEncode ( xmlString ) );
}
}
var currentHttpRequest = HttpContext.Current.Request;
var cookieContainer = new CookieContainer ();
//foreach (string cookieName in currentHttpRequest.Cookies)
//{
// var httpcookie = currentHttpRequest.Cookies[cookieName];
// var cookie = new Cookie(cookieName, httpcookie.Value, httpcookie.Path, httpcookie.Domain ?? "localhost");
// cookieContainer.Add(cookie);
//}
var appSettingsConfiguration = new AppSettingsConfiguration ();
var remWebApplicationAddress = appSettingsConfiguration.GetProperty ( "RemWebApplicationAddress" );
var request = ( HttpWebRequest )WebRequest.CreateDefault ( new Uri ( remWebApplicationAddress ) );
request.Method = currentHttpRequest.HttpMethod;
request.CookieContainer = cookieContainer;
request.ContentType = currentHttpRequest.ContentType;
request.Accept = string.Empty;
foreach ( var acceptType in currentHttpRequest.AcceptTypes )
{
request.Accept += acceptType;
if ( acceptType != currentHttpRequest.AcceptTypes.Last () )
{
request.Accept += ", ";
}
}
request.ContentLength = content.Length;
request.Referer = currentHttpRequest.UrlReferrer.AbsoluteUri.Replace ( "Rem.Mvc", "Rem.Web" );
request.AllowAutoRedirect = false;
using ( var streamWriter = new StreamWriter ( request.GetRequestStream () ) )
{
streamWriter.Write ( content );
}
try
{
var response = ( HttpWebResponse )request.GetResponse ();
while ( response.StatusCode == HttpStatusCode.Found )
{
response.Close ();
var location = response.Headers["Location"];
if ( !location.StartsWith ( "http" ) )
{
location = string.Format ( "{0}://{1}", request.RequestUri.Scheme, request.RequestUri.Host ) + location;
}
request = GetNewRequest ( location, cookieContainer );
response = ( HttpWebResponse )request.GetResponse ();
}
if ( response.StatusCode != HttpStatusCode.OK )
{
throw new Exception ( "Failed authentication." );
}
var cookieStringBuilder = new StringBuilder ();
foreach ( Cookie cookie in cookieContainer.GetCookies ( new Uri ( "https://localhost" ) ) )
{
if ( cookie.Name.StartsWith ( "FedAuth" ) )
{
HttpContext.Current.Response.Cookies.Add ( new HttpCookie ( "Server" + cookie.Name, cookie.Value ) );
cookieStringBuilder.Append ( cookie.Value );
}
if ( cookie.Name == "ASP.NET_SessionId" )
{
HttpContext.Current.Response.Cookies.Add ( new HttpCookie ( cookie.Name, cookie.Value ) );
}
}
}
catch ( Exception e )
{
throw;
}
}
private string SerializeResponse(RequestSecurityTokenResponse response)
{
var serializer = new WSTrust13ResponseSerializer();
var context = new WSTrustSerializationContext(FederatedAuthentication.ServiceConfiguration.SecurityTokenHandlerCollectionManager);
var sb = new StringBuilder(128);
using (var writer = XmlWriter.Create(new StringWriter(sb)))
{
serializer.WriteXml(response, writer, context);
return sb.ToString();
}
}
protected virtual void OnLoggedIn(RequestSecurityTokenResponse requestSecurityTokenResponse)
{
if (requestSecurityTokenResponse == null)
{
Mvx.TaggedTrace(MvxTraceLevel.Error, "DefaultIdentityProviderCollectionViewModel", "Got an empty response from IdentityProvider");
return;
}
var simpleWebToken = Mvx.Resolve<ISimpleWebToken>().CreateTokenFromRaw(requestSecurityTokenResponse.SecurityToken);
_simpleWebTokenStore.SimpleWebToken = simpleWebToken;
RaisePropertyChanged("IsLoggedIn");
RaisePropertyChanged("LoggedInProvider");
if (IsLoggedIn)
NavigateBackCommand.Execute(null);
}
/// <summary>
///
/// </summary>
/// <param name="response"></param>
/// <param name="context"></param>
/// <returns></returns>
public String GetResponseAsString(RequestSecurityTokenResponse response, WSTrustSerializationContext context)
{
if (null == response)
throw new ArgumentNullException("response");
if (null == context)
throw new ArgumentNullException("context");
StringBuilder sb = new StringBuilder();
using (StringWriter stringWriter = new StringWriter(sb, CultureInfo.InvariantCulture))
{
using (XmlTextWriter xmlWriter = new XmlTextWriter(stringWriter))
{
responseSerializer.WriteXml(response, xmlWriter, context);
}
}
return sb.ToString();
}
private static SecurityToken ConvertToSimpleWebToken(SecurityToken token, RequestSecurityTokenResponse response)
{
ClaimsIdentityCollection claims = FederatedAuthentication.ServiceConfiguration.SecurityTokenHandlers.ValidateToken(token);
var values = new Dictionary<String, String>();
foreach (var claim in claims[0].Claims)
values[claim.ClaimType] = claim.Value;
values[WrapConstants.SimpleWebTokenParameters.Issuer] = "issuer";
values[WrapConstants.SimpleWebTokenParameters.Audience] = response.AppliesTo.Uri.ToString();
var config = SimpleWebTokenConfigurationSection.Instance;
return new SimpleWebToken(values, token.ValidTo, new Sha256SigningCredentials(config.GetKey()));
}
//=======================================================================================
public WsatTransactionInfo CreateTransactionInfo(CoordinationContext context,
RequestSecurityTokenResponse issuedToken)
{
return new WsatTransactionInfo(this.wsatProxy, context, issuedToken);
}
//=======================================================================================
// The demand is not added now (in 4.5), to avoid a breaking change. To be considered in the next version.
/*
// We demand full trust because we use CoordinationContext and CoordinationServiceSecurity from a non-APTCA assembly.
// The CoordinationContext constructor can call Environment.FailFast and it's recommended to not let partially trusted callers to bring down the process.
// WSATs are not supported in partial trust, so customers should not be broken by this demand.
[PermissionSet(SecurityAction.Demand, Unrestricted = true)]
*/
public void MarshalAsCoordinationContext(Transaction transaction,
out CoordinationContext context,
out RequestSecurityTokenResponse issuedToken)
{
Guid transactionId = transaction.TransactionInformation.DistributedIdentifier;
string nonNativeContextId = null;
context = new CoordinationContext(this.protocolVersion);
// Get timeout, description and isolation flags
uint timeout;
IsolationFlags isoFlags;
string description;
OleTxTransactionFormatter.GetTransactionAttributes(transaction,
out timeout,
out isoFlags,
out description);
context.IsolationFlags = isoFlags;
context.Description = description;
// If we can, use cached extended information
// Note - it may be worth using outgoing contexts more than once.
// We'll let performance profiling decide that question
WsatExtendedInformation info;
if (WsatExtendedInformationCache.Find(transaction, out info))
{
context.Expires = info.Timeout;
// The extended info cache only contains an identifier when it's non-native
if (!string.IsNullOrEmpty(info.Identifier))
{
context.Identifier = info.Identifier;
nonNativeContextId = info.Identifier;
}
}
else
{
context.Expires = timeout;
if (context.Expires == 0)
{
// If the timeout is zero, there are two possibilities:
// 1) This is a root transaction with an infinite timeout.
// 2) This is a subordinate transaction whose timeout was not flowed.
// We have no mechanism for distinguishing between the two cases.
//
// We could always return zero here, instead of using the local max timeout.
// The problem is that the 2004/08 WS-C spec does not specify the meaning
// of a zero expires field. While we accept zero to mean "as large as possible"
// it would be risky to expect others to do the same. So we only propagate
// zero in the expires field if the local max timeout has been disabled.
//
// This is MB 34596: how can we flow the real timeout?
context.Expires = (uint)TimeoutHelper.ToMilliseconds(this.wsatConfig.MaxTimeout);
}
}
if (context.Identifier == null)
{
context.Identifier = CoordinationContext.CreateNativeIdentifier(transactionId);
nonNativeContextId = null;
}
string tokenId;
if (!this.wsatConfig.IssuedTokensEnabled)
{
tokenId = null;
issuedToken = null;
}
else
{
CoordinationServiceSecurity.CreateIssuedToken(transactionId,
context.Identifier,
this.protocolVersion,
out issuedToken,
out tokenId);
}
AddressHeader refParam = new WsatRegistrationHeader(transactionId, nonNativeContextId, tokenId);
context.RegistrationService = wsatConfig.CreateRegistrationService(refParam, this.protocolVersion);
context.IsolationLevel = transaction.IsolationLevel;
context.LocalTransactionId = transactionId;
if (this.wsatConfig.OleTxUpgradeEnabled)
{
context.PropagationToken = TransactionInterop.GetTransmitterPropagationToken(transaction);
}
}
public TransactionContext(Microsoft.Transactions.Wsat.Messaging.CoordinationContext context, RequestSecurityTokenResponse issuedToken)
{
this.context = context;
this.issuedToken = issuedToken;
}
/// <summary>
/// Get Claims Principal from incoming response.
/// </summary>
/// <param name="rstr"></param>
/// <returns></returns>
private static IClaimsPrincipal GetClaimsIdentity(RequestSecurityTokenResponse rstr)
{
var rstrXml = rstr.RequestedSecurityToken.SecurityTokenXml;
if (rstrXml.OwnerDocument != null)
{
var xnm = new XmlNamespaceManager(rstrXml.OwnerDocument.NameTable);
xnm.AddNamespace(Microsoft.IdentityModel.Tokens.Saml2.Saml2Constants.Prefix, Microsoft.IdentityModel.Tokens.Saml2.Saml2Constants.Namespace);
}
XNamespace ast = "urn:oasis:names:tc:SAML:2.0:assertion";
var xElement = ToXElement(rstrXml);
var xElement1 = xElement.Element(ast + "Assertion");
if (xElement1 != null)
{
var attributeStatement1 = xElement1.Element(ast + "AttributeStatement");
if (attributeStatement1 != null)
{
var attributes1 = attributeStatement1.Elements(ast + "Attribute");
IClaimsIdentity claimsIdentity1 = new ClaimsIdentity();
foreach (var element in attributes1)
{
var claimType = element.Attribute("NameFormat") + "/" + element.Attribute("Name");
var value = element.Value;
var xAttribute = element.Attribute("Name");
if (xAttribute != null && xAttribute.Value == "urn:FirstName")
claimsIdentity1.Claims.Add(new Claim(ClaimTypes.Name, element.Value));
claimsIdentity1.Claims.Add(new Claim(claimType, value));
}
var claimsIdentitycol = new ClaimsIdentityCollection(new[] { claimsIdentity1 });
return ClaimsPrincipal.CreateFromIdentities(claimsIdentitycol);
}
}
return null;
}
protected virtual void OnLoggedIn(RequestSecurityTokenResponse requestSecurityTokenResponse)
{
if (requestSecurityTokenResponse == null)
{
Mvx.TaggedTrace(MvxTraceLevel.Error, "DefaultIdentityProviderCollectionViewModel", "Got an empty response from IdentityProvider");
return;
}
RaisePropertyChanged("IsLoggedIn");
RaisePropertyChanged("LoggedInProvider");
if (IsLoggedIn)
NavigateBackCommand.Execute(null);
}
internal static SecurityToken ComputeProofKey(RequestSecurityToken rst, RequestSecurityTokenResponse rstr)
{
if (rstr.Entropy == null)
{
throw new NotSupportedException("RSTR entropy is null");
}
if (rst.Entropy == null)
{
throw new NotSupportedException("RST entropy is null");
}
int? keySizeInBits = rst.KeySizeInBits;
int num = keySizeInBits.HasValue ? keySizeInBits.GetValueOrDefault() : 0x400;
if (rstr.KeySizeInBits.HasValue)
{
num = rstr.KeySizeInBits.Value;
}
return new BinarySecretSecurityToken(
KeyGenerator.ComputeCombinedKey(
rst.Entropy.GetKeyBytes(),
rstr.Entropy.GetKeyBytes(),
num));
}
private static XmlElement ExtractTokenXml(RequestSecurityTokenResponse rstr)
{
if (rstr.RequestedSecurityToken.SecurityToken != null)
{
var xmlString = rstr.RequestedSecurityToken.SecurityToken.ToTokenXmlString();
return XElement.Parse(xmlString).ToXmlElement();
}
if (rstr.RequestedSecurityToken.SecurityTokenXml != null)
{
return rstr.RequestedSecurityToken.SecurityTokenXml;
}
return null;
}
protected virtual void OnLoggedIn(RequestSecurityTokenResponse requestSecurityTokenResponse)
{
if (requestSecurityTokenResponse == null)
{
Mvx.TaggedTrace(MvxTraceLevel.Error, "DefaultIdentityProviderCollectionViewModel", "Got an empty response from IdentityProvider");
if (LoginError != null)
LoginError(this, new LoginErrorEventArgs { Message = "Got an empty response from IdentityProvider, try logging in again."});
return;
}
var tokenStore = Mvx.Resolve<ISimpleWebTokenStore>();
var tokenFactory = Mvx.Resolve<ISimpleWebToken>();
var token = tokenFactory.CreateTokenFromRaw(requestSecurityTokenResponse.SecurityToken);
tokenStore.SimpleWebToken = token;
if (!CanGoBack || _forceShowProgressAfterLogin)
ShowProgressAfterLogin = true;
RaisePropertyChanged(() => IsLoggedIn);
RaisePropertyChanged(() => LoggedInProvider);
_messenger.Publish(new LoggedInMessage(this));
}
public ActionResult IssueResponse()
{
if (Request.Form.HasKeys())
{
if (Request.Form["SAMLResponse"] != null)
{
var samlResponse = Request.Form["SAMLResponse"];
var responseDecoded = Encoding.UTF8.GetString(Convert.FromBase64String(HttpUtility.HtmlDecode(samlResponse)));
Microsoft.IdentityModel.Tokens.Saml2.Saml2SecurityToken token;
using (var sr = new StringReader(responseDecoded))
{
using (var reader = XmlReader.Create(sr))
{
reader.ReadToFollowing("Assertion", "urn:oasis:names:tc:SAML:2.0:assertion");
var coll = Microsoft.IdentityModel.Tokens.SecurityTokenHandlerCollection.CreateDefaultSecurityTokenHandlerCollection();
token = (Microsoft.IdentityModel.Tokens.Saml2.Saml2SecurityToken)coll.ReadToken(reader.ReadSubtree());
}
}
var realm = token.Assertion.Conditions.AudienceRestrictions[0].Audiences[0].ToString();
var issuer = token.Assertion.Issuer.Value;
var rstr = new RequestSecurityTokenResponse
{
TokenType = Constants.TokenKeys.TokenType,
RequestType = Constants.TokenKeys.RequestType,
KeyType = Constants.TokenKeys.KeyType,
Lifetime = new Lifetime(token.Assertion.IssueInstant, token.Assertion.Conditions.NotOnOrAfter),
AppliesTo = new System.ServiceModel.EndpointAddress(new Uri(realm)),
RequestedSecurityToken = new RequestedSecurityToken(GetElement(responseDecoded))
};
var principal = GetClaimsIdentity(rstr);
if (principal != null)
{
var claimsPrinciple = ClaimsPrincipal.CreateFromPrincipal(principal);
var requestMessage = new SignInRequestMessage(new Uri("http://foo"), realm);
var ipc = new SamlTokenServiceConfiguration(issuer);
SecurityTokenService identityProvider = new SamlTokenService(ipc);
var responseMessage = Microsoft.IdentityModel.Web.FederatedPassiveSecurityTokenServiceOperations.ProcessSignInRequest(requestMessage, claimsPrinciple, identityProvider);
Microsoft.IdentityModel.Web.FederatedPassiveSecurityTokenServiceOperations.ProcessSignInResponse(responseMessage, System.Web.HttpContext.Current.Response);
}
}
}
return View("Error");
}
