//public ActionResult Login(string returnUrl)
//{
// var binding = new Saml2RedirectBinding();
// binding.SetRelayStateQuery(new Dictionary<string, string> { { relayStateReturnUrl, returnUrl } });
// return binding.Bind(new Saml2AuthnRequest
// {
// //ForceAuthn = true,
// //NameIdPolicy = new NameIdPolicy { AllowCreate = true, Format = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent" },
// RequestedAuthnContext = new RequestedAuthnContext
// {
// Comparison = AuthnContextComparisonTypes.Exact,
// AuthnContextClassRef = new string[] { AuthnContextClassTypes.PasswordProtectedTransport.OriginalString },
// },
// Issuer = new EndpointReference("http://udv.itfoxtec.com/webapptest"),
// Destination = new EndpointAddress("https://udv.itfoxtec.com/adfs/ls/"),
// AssertionConsumerServiceUrl = new EndpointAddress("https://udv.itfoxtec.com/webapptest/Auth/AssertionConsumerService")
// }).ToActionResult();
//}
//public ActionResult Login(string returnUrl)
//{
// var binding = new Saml2RedirectBinding();
// binding.SetRelayStateQuery(new Dictionary<string, string> { { relayStateReturnUrl, returnUrl } });
// return binding.Bind(new Saml2AuthnRequest
// {
// //ForceAuthn = true,
// //NameIdPolicy = new NameIdPolicy { AllowCreate = true, Format = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent" },
// RequestedAuthnContext = new RequestedAuthnContext
// {
// Comparison = AuthnContextComparisonTypes.Exact,
// AuthnContextClassRef = new string[] { AuthnContextClassTypes.PasswordProtectedTransport.OriginalString },
// },
// Issuer = new EndpointReference("http://udv.itfoxtec.com/webapptest"),
// Destination = new EndpointAddress("https://sso.connect.pingidentity.com/sso/idp/SSO.saml2?idpid=77812690-a6a2-42f7-968c-98d4b07a880f"),
// AssertionConsumerServiceUrl = new EndpointAddress("https://sso.connect.pingidentity.com/sso/idp/SSO.saml2?idpid=77812690-a6a2-42f7-968c-98d4b07a880f")
// }).ToActionResult();
//}
//public ActionResult AssertionConsumerService()
//{
// var binding = new Saml2PostBinding();
// var saml2AuthnResponse = new Saml2AuthnResponse();
// binding.Unbind(Request, saml2AuthnResponse, CertificateUtil.Load("~/App_Data/signing-adfs.test_Certificate.crt"));
// saml2AuthnResponse.CreateSession();
// var returnUrl = binding.GetRelayStateQuery()[relayStateReturnUrl];
// return Redirect(string.IsNullOrWhiteSpace(returnUrl) ? Url.Content("~/") : returnUrl);
//}
public ActionResult Login()
{
var binding = new Saml2PostBinding();
var saml2AuthnResponse = new Saml2AuthnResponse();
//binding.Unbind(Request, saml2AuthnResponse, CertificateUtil.Load("~/App_Data/signing-adfs.test_Certificate.crt"));
binding.Unbind(Request, saml2AuthnResponse, CertificateUtil.Load("~/App_Data/idp-signing.crt"));
//saml2AuthnResponse.CreateSession();
Saml2StatusCodes testcode = saml2AuthnResponse.Status;
string UserName = "";
foreach (Claim claim in saml2AuthnResponse.ClaimsIdentity.Claims)
{
//string test = claim.Value;
//test = claim.ValueType;
//test = claim.Type;
// ClaimsIdentity test1 = claim.Subject;
// Claim test2 = claim.Subject.FindFirst("Email");
if (claim.Type == "Email")
{
UserName = claim.Value;
}
}
bool testAuth = User.Identity.IsAuthenticated;
FormsAuthentication.SetAuthCookie(UserName, true);
//if (ModelState.IsValid && WebSecurity.Login(model.UserName, model.Password, persistCookie: model.RememberMe))
//{
// return RedirectToLocal(returnUrl);
//}
//// If we got this far, something failed, redisplay form
//ModelState.AddModelError("", "The user name or password provided is incorrect.");
//return View(model);
//var returnUrl = binding.GetRelayStateQuery()[relayStateReturnUrl];
//return Redirect(string.IsNullOrWhiteSpace(returnUrl) ? Url.Content("~/") : returnUrl);
return(Redirect("~/Home/Index"));
}
/// <summary>
/// Create a Claims Principal and a Federated Authentication Session for the authenticated user.
/// </summary>
/// <param name="lifetime">The period from the current time during which the token is valid. Default use the security token valid to time.</param>
/// <param name="isReferenceMode">In reference mode, a simple artifact is produced during serialization and the token material is stored in the token cache that is associated with the token handler. The token cache is an instance of a class that derives from SessionSecurityTokenCache. For Web Farm scenarios, the token cache must operate across all nodes in the farm.</param>
/// <param name="isPersistent">If the IsPersistent property is true, the cookie is written as a persistent cookie. Persistent cookies remain valid after the browser is closed until they expire.</param>
/// <param name="claimsAuthenticationManager">Possible to add a custom ClaimsAuthenticationManager for handling claims transformation.</param>
public static ClaimsPrincipal CreateSession(this Saml2AuthnResponse saml2AuthnResponse, TimeSpan?lifetime = null, bool isReferenceMode = false, bool isPersistent = false, ClaimsAuthenticationManager claimsAuthenticationManager = null)
{
if (Thread.CurrentPrincipal.Identity.IsAuthenticated)
{
throw new InvalidOperationException("There already exist an Authenticated user.");
}
if (saml2AuthnResponse.Status != Saml2StatusCodes.Success)
{
throw new InvalidOperationException($"The SAML2 Response Status is not Success, the Response Status is: {saml2AuthnResponse.Status}.");
}
var principal = new ClaimsPrincipal(saml2AuthnResponse.ClaimsIdentity);
if (principal.Identity == null || !principal.Identity.IsAuthenticated)
{
throw new InvalidOperationException("No Claims Identity created from SAML2 Response.");
}
var transformedPrincipal = claimsAuthenticationManager != null?claimsAuthenticationManager.Authenticate(null, principal) : principal;
var sessionSecurityToken = lifetime.HasValue ?
new SessionSecurityToken(transformedPrincipal, lifetime.Value) :
new SessionSecurityToken(transformedPrincipal, null, saml2AuthnResponse.Saml2SecurityToken.ValidFrom, saml2AuthnResponse.Saml2SecurityToken.ValidTo);
sessionSecurityToken.IsReferenceMode = isReferenceMode;
sessionSecurityToken.IsPersistent = isPersistent;
FederatedAuthentication.SessionAuthenticationModule.AuthenticateSessionSecurityToken(sessionSecurityToken, true);
return(transformedPrincipal);
}
public ActionResult AssertionConsumerService()
{
var binding = new Saml2PostBinding();
var saml2AuthnResponse = new Saml2AuthnResponse();
binding.Unbind(Request, saml2AuthnResponse, CertificateUtil.Load("~/App_Data/signing-adfs.test_Certificate.crt"));
saml2AuthnResponse.CreateSession();
var returnUrl = binding.GetRelayStateQuery()[relayStateReturnUrl];
return Redirect(string.IsNullOrWhiteSpace(returnUrl) ? Url.Content("~/") : returnUrl);
}
public async Task <IActionResult> AssertionConsumerService()
{
var binding = new Saml2PostBinding();
var saml2AuthnResponse = new Saml2AuthnResponse(config);
binding.Unbind(Request.ToGenericHttpRequest(), saml2AuthnResponse);
await saml2AuthnResponse.CreateSession(HttpContext, claimsTransform : (claimsPrincipal) => ClaimsTransform.Transform(claimsPrincipal));
var returnUrl = binding.GetRelayStateQuery()[relayStateReturnUrl];
return(Redirect(string.IsNullOrWhiteSpace(returnUrl) ? Url.Content("~/") : returnUrl));
}
public ActionResult AssertionConsumerService()
{
var binding = new Saml2PostBinding();
var saml2AuthnResponse = new Saml2AuthnResponse();
binding.Unbind(Request, saml2AuthnResponse, CertificateUtil.Load("~/App_Data/signing-adfs.test_Certificate.crt"));
saml2AuthnResponse.CreateSession();
var returnUrl = binding.GetRelayStateQuery()[relayStateReturnUrl];
return(Redirect(string.IsNullOrWhiteSpace(returnUrl) ? Url.Content("~/") : returnUrl));
}
public ActionResult AssertionConsumerService()
{
var binding = new Saml2PostBinding();
var saml2AuthnResponse = new Saml2AuthnResponse(config);
binding.Unbind(Request.ToGenericHttpRequest(), saml2AuthnResponse);
saml2AuthnResponse.CreateSession(claimsAuthenticationManager: new DefaultClaimsAuthenticationManager());
var returnUrl = binding.GetRelayStateQuery()[relayStateReturnUrl];
return(Redirect(string.IsNullOrWhiteSpace(returnUrl) ? Url.Content("~/") : returnUrl));
}
private SAAuthenticationResponse DecodeAuthnResponse(Saml2AuthnResponse saml2AuthnResponse)
{
if (saml2AuthnResponse.Status != Saml2StatusCodes.Success)
{
throw new InvalidOperationException(
string.Format("The SAML2 Response Status is not Success, the Response Status is: {0}.",
saml2AuthnResponse.Status));
}
var incomingPrincipal = new ClaimsPrincipal(saml2AuthnResponse.ClaimsIdentity);
if (incomingPrincipal.Identity == null || !incomingPrincipal.Identity.IsAuthenticated)
{
throw new InvalidOperationException("No Claims Identity created from SAML2 Response.");
}
ClaimsPrincipal claimsPrincipal =
FederatedAuthentication.FederationConfiguration.IdentityConfiguration.ClaimsAuthenticationManager
.Authenticate(null, incomingPrincipal);
return(new SAAuthenticationResponse(claimsPrincipal.Claims));
}
public ActionResult ExternalLoginCallback(string returnUrl)
{
//AuthenticationResult result = OAuthWebSecurity.VerifyAuthentication(Url.Action("ExternalLoginCallback", new { ReturnUrl = returnUrl }));
//if (!result.IsSuccessful)
//{
// return RedirectToAction("ExternalLoginFailure");
//}
//if (OAuthWebSecurity.Login(result.Provider, result.ProviderUserId, createPersistentCookie: false))
//{
// return RedirectToLocal(returnUrl);
//}
//if (User.Identity.IsAuthenticated)
//{
// // If the current user is logged in add the new account
// OAuthWebSecurity.CreateOrUpdateAccount(result.Provider, result.ProviderUserId, User.Identity.Name);
// return RedirectToLocal(returnUrl);
//}
//else
//{
// // User is new, ask for their desired membership name
// string loginData = OAuthWebSecurity.SerializeProviderUserId(result.Provider, result.ProviderUserId);
// ViewBag.ProviderDisplayName = OAuthWebSecurity.GetOAuthClientData(result.Provider).DisplayName;
// ViewBag.ReturnUrl = returnUrl;
// return View("ExternalLoginConfirmation", new RegisterExternalLoginModel { UserName = result.UserName, ExternalLoginData = loginData });
//}
var binding = new Saml2PostBinding();
var saml2AuthnResponse = new Saml2AuthnResponse();
var saml2Response = binding.Unbind(Request, saml2AuthnResponse, CertificateUtil.Load("~/App_Data/idp-signing.crt"));
saml2AuthnResponse.CreateSession();
bool testAuth = User.Identity.IsAuthenticated;
return(RedirectToLocal(returnUrl));
}
public void Resolve(IdpSsoService artifactResolutionService, Saml2AuthnResponse authnResponse)
{
var xmlDoc = this.ToXml();
var soapEnvelope = new SOAPEnvelope();
soapEnvelope.Body = xmlDoc;
xmlDoc = soapEnvelope.ToSoapXml();
WebClient client = new WebClient();
client.Encoding = Encoding.UTF8;
client.Headers.Add(HttpRequestHeader.ContentType, "text/xml; charset=\"utf-8\"");
client.Headers.Add(HttpRequestHeader.Accept, "text/xml");
var result = client.UploadString(artifactResolutionService.Location, xmlDoc.OuterXml);
soapEnvelope.FromSoapXml(result);
var ares = new SamlArtifactResponse(authnResponse)
{
SignatureValidationCertificate = SignatureValidationCertificate
};
ares.Read(soapEnvelope.Body.OuterXml, SignatureValidationCertificate != null);
}
public SamlArtifactResponse(Saml2AuthnResponse response)
{
AuthnResponse = response;
}
public async Task <ActionResult> AssertionConsumerService()
{
var binding = new Saml2PostBinding();
var saml2AuthnResponse = new Saml2AuthnResponse();
binding.Unbind(Request, saml2AuthnResponse, CertificateUtil.Load(Constants.ConfigSettings.SAX509Certificate));
SAAuthenticationResponse claims;
try
{
claims = DecodeAuthnResponse(saml2AuthnResponse);
}
catch (Exception e)
{
AppGlobal.Log.WriteLog(String.Format("Secure Access - Decoding AuthnResponse failed due to {0}.",
e.InnerException));
ViewBag.MessageHtml = AppGlobal.Language.GetText(this, "SSOLogInFailed",
"Log in failed for DfE Secure Access. If you believe you should have access to the Post 16 Provider Portal please contact the DfE Support Team on <a href='tel:08448115028'>0844 8115 028</a> or <a href='mailto:[email protected]'>[email protected]</a>.");
ViewBag.ButtonText = AppGlobal.Language.GetText(this, "BackToSecureAccessButton",
"Back to Secure Access");
ViewBag.ButtonUrl = Constants.ConfigSettings.SAHomePage;
return(View("Info"));
}
if (Thread.CurrentPrincipal.Identity.IsAuthenticated)
{
AuthenticationManager.SignOut();
SessionManager.End();
}
UserResponse userResult = await GetUserAsync(claims);
if (!String.IsNullOrEmpty(userResult.Message))
{
ViewBag.MessageHtml = userResult.Message;
ViewBag.MessageHtml = userResult.Message;
ViewBag.ButtonText = AppGlobal.Language.GetText(this, "BackToSecureAccessButton",
"Back to Secure Access");
ViewBag.ButtonUrl = Constants.ConfigSettings.SAHomePage;
return(View("Info"));
}
ProviderResponse providerResult = await GetValidatedProviderAsync(claims, userResult.User.Id);
if (!String.IsNullOrEmpty(providerResult.Message))
{
ViewBag.MessageHtml = providerResult.Message;
ViewBag.ButtonText = AppGlobal.Language.GetText(this, "BackToSecureAccessButton",
"Back to Secure Access");
ViewBag.ButtonUrl = Constants.ConfigSettings.SAHomePage;
return(View("Info"));
}
// Associate user with the provider
if (!userResult.User.Providers2.Any() ||
userResult.User.Providers2.All(x => x.ProviderId != providerResult.Provider.ProviderId))
{
userResult.User.Providers2.Clear();
userResult.User.Providers2.Add(providerResult.Provider);
}
userResult.User.LastLoginDateTimeUtc = DateTime.UtcNow;
await db.SaveChangesAsync();
// Actually log them in
ApplicationUser user = await UserManager.FindByIdAsync(userResult.User.Id);
await SignInManager.SignInAsync(user, true, false);
// If we are doing a SAML2 log out we need to store this information for later use.
// Set some extra properties so we can log out later
//CacheManagement.CacheHandler.Add("SAML2Claims:" + aspNetUser.Id, new List<Claim>
//{
// new Claim(Saml2ClaimTypes.NameId, claims.NameId),
// new Claim(Saml2ClaimTypes.NameIdFormat, claims.NameIdFormat),
// new Claim(Saml2ClaimTypes.SessionIndex, claims.SessionIndex),
//});
SessionManager.Start();
// Bounce them via the following page so that their session is instantiated correctly
string returnUrl = binding.GetRelayStateQuery()[RelayStateReturnUrl];
return(RedirectToAction("LogInComplete", new { returnUrl }));
}
