private void ReadMetadataIdpDescriptor(ExtendedEntityDescriptor metadata)
{
var idpDescriptor = metadata.RoleDescriptors
.OfType <IdentityProviderSingleSignOnDescriptor>().Single();
// Prefer an endpoint with a redirect binding, then check for POST which
// is the other supported by AuthServices.
var ssoService = idpDescriptor.SingleSignOnServices
.FirstOrDefault(s => s.Binding == Saml2Binding.HttpRedirectUri) ??
idpDescriptor.SingleSignOnServices
.First(s => s.Binding == Saml2Binding.HttpPostUri);
binding = Saml2Binding.UriToSaml2BindingType(ssoService.Binding);
singleSignOnServiceUrl = ssoService.Location;
var key = idpDescriptor.Keys
.Where(k => k.Use == KeyType.Unspecified || k.Use == KeyType.Signing)
.SingleOrDefault();
if (key != null)
{
signingKey = ((AsymmetricSecurityKey)key.KeyInfo.CreateKey())
.GetAsymmetricAlgorithm(SignedXml.XmlDsigRSASHA1Url, false);
}
}
private void ReadMetadataIdpDescriptor(ExtendedEntityDescriptor metadata)
{
var idpDescriptor = metadata.RoleDescriptors
.OfType <IdentityProviderSingleSignOnDescriptor>().Single();
// Prefer an endpoint with a redirect binding, then check for POST which
// is the other supported by AuthServices.
var ssoService = idpDescriptor.SingleSignOnServices
.FirstOrDefault(s => s.Binding == Saml2Binding.HttpRedirectUri) ??
idpDescriptor.SingleSignOnServices
.FirstOrDefault(s => s.Binding == Saml2Binding.HttpPostUri);
if (ssoService != null)
{
binding = Saml2Binding.UriToSaml2BindingType(ssoService.Binding);
singleSignOnServiceUrl = ssoService.Location;
}
foreach (var ars in idpDescriptor.ArtifactResolutionServices)
{
artifactResolutionServiceUrls[ars.Value.Index] = ars.Value.Location;
}
foreach (var ars in artifactResolutionServiceUrls.Keys
.Where(k => !idpDescriptor.ArtifactResolutionServices.Keys.Contains(k)))
{
artifactResolutionServiceUrls.Remove(ars);
}
var keys = idpDescriptor.Keys.Where(k => k.Use == KeyType.Unspecified || k.Use == KeyType.Signing);
signingKeys.SetLoadedItems(keys.Select(k => ((AsymmetricSecurityKey)k.KeyInfo.CreateKey())
.GetAsymmetricAlgorithm(SignedXml.XmlDsigRSASHA1Url, false)).ToList());
}
internal IdentityProvider(IdentityProviderElement config, ISPOptions spOptions)
{
singleSignOnServiceUrl = config.DestinationUrl;
EntityId = new EntityId(config.EntityId);
binding = config.Binding;
AllowUnsolicitedAuthnResponse = config.AllowUnsolicitedAuthnResponse;
metadataUrl = config.MetadataUrl;
ShowNameIdPolicy = config.ShowNameIdPolicy;
// If configured to load metadata, this will immediately do the load.
VerifyCertificate = config.VerifyCertificate;
LoadMetadata = config.LoadMetadata;
this.spOptions = spOptions;
// Certificates from metadata already present, add eventual other certificates
// from web.config.
var certificate = config.SigningCertificate.LoadCertificate();
if (certificate != null)
{
signingKeys = new ConfiguredAndLoadedCollection<AsymmetricAlgorithm>();
signingKeys.AddConfiguredItem(certificate.PublicKey.Key);
}
// Validate if values are only from config. If metadata is loaded, validation
// is done on metadata load.
if (!LoadMetadata)
{
Validate();
}
}
internal IdentityProvider(IdentityProviderElement config, ISPOptions spOptions)
{
singleSignOnServiceUrl = config.DestinationUrl;
EntityId = new EntityId(config.EntityId);
binding = config.Binding;
AllowUnsolicitedAuthnResponse = config.AllowUnsolicitedAuthnResponse;
metadataUrl = config.MetadataUrl;
LoadMetadata = config.LoadMetadata;
this.spOptions = spOptions;
var certificate = config.SigningCertificate.LoadCertificate();
if (certificate != null)
{
signingKey = certificate.PublicKey.Key;
}
try
{
if (LoadMetadata)
{
DoLoadMetadata();
}
Validate();
}
catch (WebException)
{
// If we had a web exception, the metadata failed. It will
// be automatically retried.
}
}
internal IdentityProvider(IdentityProviderElement config, ISPOptions spOptions)
{
singleSignOnServiceUrl = config.DestinationUrl;
EntityId = new EntityId(config.EntityId);
binding = config.Binding;
AllowUnsolicitedAuthnResponse = config.AllowUnsolicitedAuthnResponse;
metadataLocation = string.IsNullOrEmpty(config.MetadataLocation)
? null : config.MetadataLocation;
WantAuthnRequestsSigned = config.WantAuthnRequestsSigned;
var certificate = config.SigningCertificate.LoadCertificate();
if (certificate != null)
{
signingKeys.AddConfiguredKey(
new X509RawDataKeyIdentifierClause(certificate));
}
// If configured to load metadata, this will immediately do the load.
LoadMetadata = config.LoadMetadata;
this.spOptions = spOptions;
// Validate if values are only from config. If metadata is loaded, validation
// is done on metadata load.
if (!LoadMetadata)
{
Validate();
}
}
internal IdentityProvider(IdentityProviderElement config, SPOptions spOptions)
{
singleSignOnServiceUrl = config.SignOnUrl;
SingleLogoutServiceUrl = config.LogoutUrl;
EntityId = new EntityId(config.EntityId);
binding = config.Binding;
AllowUnsolicitedAuthnResponse = config.AllowUnsolicitedAuthnResponse;
metadataLocation = string.IsNullOrEmpty(config.MetadataLocation)
? null : config.MetadataLocation;
WantAuthnRequestsSigned = config.WantAuthnRequestsSigned;
DisableOutboundLogoutRequests = config.DisableOutboundLogoutRequests;
var certificate = config.SigningCertificate.LoadCertificate();
if (certificate != null)
{
signingKeys.AddConfiguredKey(
new X509RawDataKeyIdentifierClause(certificate));
}
foreach (var ars in config.ArtifactResolutionServices)
{
ArtifactResolutionServiceUrls[ars.Index] = ars.Location;
}
// If configured to load metadata, this will immediately do the load.
this.spOptions = spOptions;
LoadMetadata = config.LoadMetadata;
// Validate if values are only from config. If metadata is loaded, validation
// is done on metadata load.
if (!LoadMetadata)
{
Validate();
}
}
internal IdentityProvider(IdentityProviderElement config, ISPOptions spOptions)
{
singleSignOnServiceUrl = config.DestinationUrl;
EntityId = new EntityId(config.EntityId);
binding = config.Binding;
AllowUnsolicitedAuthnResponse = config.AllowUnsolicitedAuthnResponse;
metadataUrl = config.MetadataUrl;
var certificate = config.SigningCertificate.LoadCertificate();
if (certificate != null)
{
signingKeys.AddConfiguredItem(certificate.PublicKey.Key);
}
// If configured to load metadata, this will immediately do the load.
LoadMetadata = config.LoadMetadata;
this.spOptions = spOptions;
// Validate if values are only from config. If metadata is loaded, validation
// is done on metadata load.
if (!LoadMetadata)
{
Validate();
}
}
/// <summary>
/// Gets the Uri for a Saml2BindingType.
/// </summary>
/// <param name="type">Saml2BindingType</param>
/// <returns>Uri constant for the speicified Binding Type</returns>
/// <exception cref="ArgumentException">If the type is not mapped.</exception>
public static Uri Saml2BindingTypeToUri(Saml2BindingType type)
{
if (bindingUriMap.TryGetValue(type, out Uri uri))
{
return(uri);
}
var msg = string.Format(CultureInfo.InvariantCulture, "Unknown Saml2 Binding Type \"{0}\".", type);
throw new ArgumentException(msg);
}
/// <summary>
/// Get a cached binding instance that supports the requested type.
/// </summary>
/// <param name="binding">Type of binding to get</param>
/// <returns>A derived class instance that supports the requested binding.</returns>
public static Saml2Binding Get(Saml2BindingType binding)
{
try
{
return bindings[binding];
}
catch(KeyNotFoundException ex)
{
throw new ArgumentException(string.Format(CultureInfo.InvariantCulture,
"{0} is not a valid value for the Saml2BindingType enum. Have you forgotten to configure a binding for your identity provider?",
binding), ex);
}
}
/// <summary>
/// Get a cached binding instance that supports the requested type.
/// </summary>
/// <param name="binding">Type of binding to get</param>
/// <returns>A derived class instance that supports the requested binding.</returns>
public static Saml2Binding Get(Saml2BindingType binding)
{
try
{
return(bindings[binding]);
}
catch (KeyNotFoundException ex)
{
throw new ArgumentException(string.Format(CultureInfo.InvariantCulture,
"{0} is not a valid value for the Saml2BindingType enum. Have you forgotten to configure a binding for your identity provider?",
binding), ex);
}
}
private void ReadMetadataIdpDescriptor(ExtendedEntityDescriptor metadata)
{
var idpDescriptor = metadata.RoleDescriptors
.OfType <IdentityProviderSingleSignOnDescriptor>().Single();
WantAuthnRequestsSigned = idpDescriptor.WantAuthenticationRequestsSigned;
// Prefer an endpoint with a redirect binding, then check for POST which
// is the other supported by AuthServices.
var ssoService = idpDescriptor.SingleSignOnServices
.FirstOrDefault(s => s.Binding == Saml2Binding.HttpRedirectUri) ??
idpDescriptor.SingleSignOnServices
.FirstOrDefault(s => s.Binding == Saml2Binding.HttpPostUri);
if (ssoService != null)
{
binding = Saml2Binding.UriToSaml2BindingType(ssoService.Binding);
singleSignOnServiceUrl = ssoService.Location;
}
var sloService = idpDescriptor.SingleLogoutServices
.Where(slo => slo.Binding == Saml2Binding.HttpRedirectUri ||
slo.Binding == Saml2Binding.HttpPostUri)
.FirstOrDefault();
if (sloService != null)
{
SingleLogoutServiceUrl = sloService.Location;
SingleLogoutServiceBinding = Saml2Binding.UriToSaml2BindingType(sloService.Binding);
singleLogoutServiceResponseUrl = sloService.ResponseLocation;
}
foreach (var ars in idpDescriptor.ArtifactResolutionServices)
{
artifactResolutionServiceUrls[ars.Value.Index] = ars.Value.Location;
}
foreach (var ars in artifactResolutionServiceUrls.Keys
.Where(k => !idpDescriptor.ArtifactResolutionServices.Keys.Contains(k)))
{
artifactResolutionServiceUrls.Remove(ars);
}
var keys = idpDescriptor.Keys.Where(k => k.Use == KeyType.Unspecified || k.Use == KeyType.Signing);
signingKeys.SetLoadedItems(keys.Select(k => k.KeyInfo.First(c => c.CanCreateKey)).ToList());
}
private void ReadMetadataIdpDescriptor(EntityDescriptor metadata)
{
var idpDescriptor = metadata.RoleDescriptors
.OfType <IdpSsoDescriptor>().Single();
WantAuthnRequestsSigned = idpDescriptor.WantAuthnRequestsSigned ?? false;
var ssoService = GetPreferredEndpoint(idpDescriptor.SingleSignOnServices);
if (ssoService != null)
{
binding = Saml2Binding.UriToSaml2BindingType(ssoService.Binding);
singleSignOnServiceUrl = ssoService.Location;
}
var sloService = GetPreferredEndpoint(idpDescriptor.SingleLogoutServices);
if (sloService != null)
{
SingleLogoutServiceUrl = sloService.Location;
SingleLogoutServiceBinding = Saml2Binding.UriToSaml2BindingType(sloService.Binding);
singleLogoutServiceResponseUrl = sloService.ResponseLocation;
}
foreach (var kv in idpDescriptor.ArtifactResolutionServices)
{
var ars = kv.Value;
artifactResolutionServiceUrls[ars.Index] = ars.Location;
}
var arsKeys = idpDescriptor.ArtifactResolutionServices.ToLookup(x => x.Value.Index);
foreach (var ars in artifactResolutionServiceUrls.Keys
.Where(k => !arsKeys.Contains(k)))
{
artifactResolutionServiceUrls.Remove(ars);
}
var keys = idpDescriptor.Keys.Where(k => k.Use == KeyType.Unspecified || k.Use == KeyType.Signing);
signingKeys.SetLoadedItems(keys.Select(k => k.KeyInfo
.MakeSecurityKeyIdentifier().First(c => c.CanCreateKey)).ToList());
}
/// <summary>
/// Get a cached binding instance that supports the requested type.
/// </summary>
/// <param name="binding">Type of binding to get</param>
/// <returns>A derived class instance that supports the requested binding.</returns>
public static Saml2Binding Get(Saml2BindingType binding)
{
return(bindings[binding]);
}
public AssertionModel()
{
ResponseBinding = Saml2BindingType.HttpPost;
}
private void ReadMetadataIdpDescriptor(ExtendedEntityDescriptor metadata)
{
var idpDescriptor = metadata.RoleDescriptors
.OfType<IdentityProviderSingleSignOnDescriptor>().Single();
WantAuthnRequestsSigned = idpDescriptor.WantAuthenticationRequestsSigned;
// Prefer an endpoint with a redirect binding, then check for POST which
// is the other supported by AuthServices.
var ssoService = idpDescriptor.SingleSignOnServices
.FirstOrDefault(s => s.Binding == Saml2Binding.HttpRedirectUri) ??
idpDescriptor.SingleSignOnServices
.FirstOrDefault(s => s.Binding == Saml2Binding.HttpPostUri);
if (ssoService != null)
{
binding = Saml2Binding.UriToSaml2BindingType(ssoService.Binding);
singleSignOnServiceUrl = ssoService.Location;
}
var sloService = idpDescriptor.SingleLogoutServices
.Where(slo => slo.Binding == Saml2Binding.HttpRedirectUri
|| slo.Binding == Saml2Binding.HttpPostUri)
.FirstOrDefault();
if (sloService != null)
{
SingleLogoutServiceUrl = sloService.Location;
SingleLogoutServiceBinding = Saml2Binding.UriToSaml2BindingType(sloService.Binding);
singleLogoutServiceResponseUrl = sloService.ResponseLocation;
}
foreach (var ars in idpDescriptor.ArtifactResolutionServices)
{
artifactResolutionServiceUrls[ars.Value.Index] = ars.Value.Location;
}
foreach (var ars in artifactResolutionServiceUrls.Keys
.Where(k => !idpDescriptor.ArtifactResolutionServices.Keys.Contains(k)))
{
artifactResolutionServiceUrls.Remove(ars);
}
var keys = idpDescriptor.Keys.Where(k => k.Use == KeyType.Unspecified || k.Use == KeyType.Signing);
signingKeys.SetLoadedItems(keys.Select(k => k.KeyInfo.First(c => c.CanCreateKey)).ToList());
}
private void ReadMetadataIdpDescriptor(ExtendedEntityDescriptor metadata)
{
var idpDescriptor = metadata.RoleDescriptors
.OfType<IdentityProviderSingleSignOnDescriptor>().Single();
// Prefer an endpoint with a redirect binding, then check for POST which
// is the other supported by AuthServices.
var ssoService = idpDescriptor.SingleSignOnServices
.FirstOrDefault(s => s.Binding == Saml2Binding.HttpRedirectUri) ??
idpDescriptor.SingleSignOnServices
.First(s => s.Binding == Saml2Binding.HttpPostUri);
binding = Saml2Binding.UriToSaml2BindingType(ssoService.Binding);
singleSignOnServiceUrl = ssoService.Location;
var key = idpDescriptor.Keys
.Where(k => k.Use == KeyType.Unspecified || k.Use == KeyType.Signing)
.SingleOrDefault();
if (key != null)
{
signingKey = ((AsymmetricSecurityKey)key.KeyInfo.CreateKey())
.GetAsymmetricAlgorithm(SignedXml.XmlDsigRSASHA1Url, false);
}
}
/// <summary>
/// Get a cached binding instance that supports the requested type.
/// </summary>
/// <param name="binding">Type of binding to get</param>
/// <returns>A derived class instance that supports the requested binding.</returns>
public static Saml2Binding Get(Saml2BindingType binding)
{
return bindings[binding];
}
private void ReadMetadataIdpDescriptor(ExtendedEntityDescriptor metadata)
{
var idpDescriptor = metadata.RoleDescriptors
.OfType<IdentityProviderSingleSignOnDescriptor>().Single();
// Prefer an endpoint with a redirect binding, then check for POST which
// is the other supported by AuthServices.
var ssoService = idpDescriptor.SingleSignOnServices
.FirstOrDefault(s => s.Binding == Saml2Binding.HttpRedirectUri) ??
idpDescriptor.SingleSignOnServices
.FirstOrDefault(s => s.Binding == Saml2Binding.HttpPostUri);
if (ssoService != null)
{
binding = Saml2Binding.UriToSaml2BindingType(ssoService.Binding);
singleSignOnServiceUrl = ssoService.Location;
}
foreach(var ars in idpDescriptor.ArtifactResolutionServices)
{
artifactResolutionServiceUrls[ars.Value.Index] = ars.Value.Location;
}
foreach (var ars in artifactResolutionServiceUrls.Keys
.Where(k => !idpDescriptor.ArtifactResolutionServices.Keys.Contains(k)))
{
artifactResolutionServiceUrls.Remove(ars);
}
var keys = idpDescriptor.Keys.Where(k => k.Use == KeyType.Unspecified || k.Use == KeyType.Signing);
signingKeys.SetLoadedItems(keys.Select(k => ((AsymmetricSecurityKey)k.KeyInfo.CreateKey())
.GetAsymmetricAlgorithm(SignedXml.XmlDsigRSASHA1Url, false)).ToList());
}
/// <summary>
/// Gets the Uri for a Saml2BindingType.
/// </summary>
/// <param name="type">Saml2BindingType</param>
/// <returns>Uri constant for the speicified Binding Type</returns>
/// <exception cref="ArgumentException">If the type is not mapped.</exception>
public static Uri Saml2BindingTypeToUri(Saml2BindingType type)
{
Uri uri;
if (bindingUriMap.TryGetValue(type, out uri))
{
return uri;
}
var msg = string.Format(CultureInfo.InvariantCulture, "Unknown Saml2 Binding Type \"{0}\".", type);
throw new ArgumentException(msg);
}
private void ReadMetadataIdpDescriptor(ExtendedEntityDescriptor metadata)
{
var idpDescriptor = metadata.RoleDescriptors
.OfType<IdentityProviderSingleSignOnDescriptor>().Single();
WantAuthnRequestsSigned = idpDescriptor.WantAuthenticationRequestsSigned;
var ssoService = GetPreferredEndpoint(idpDescriptor.SingleSignOnServices);
if (ssoService != null)
{
binding = Saml2Binding.UriToSaml2BindingType(ssoService.Binding);
singleSignOnServiceUrl = ssoService.Location;
}
var sloService = GetPreferredEndpoint(idpDescriptor.SingleLogoutServices);
if (sloService != null)
{
SingleLogoutServiceUrl = sloService.Location;
SingleLogoutServiceBinding = Saml2Binding.UriToSaml2BindingType(sloService.Binding);
singleLogoutServiceResponseUrl = sloService.ResponseLocation;
}
foreach (var ars in idpDescriptor.ArtifactResolutionServices)
{
artifactResolutionServiceUrls[ars.Value.Index] = ars.Value.Location;
}
foreach (var ars in artifactResolutionServiceUrls.Keys
.Where(k => !idpDescriptor.ArtifactResolutionServices.Keys.Contains(k)))
{
artifactResolutionServiceUrls.Remove(ars);
}
var keys = idpDescriptor.Keys.Where(k => k.Use == KeyType.Unspecified || k.Use == KeyType.Signing);
signingKeys.SetLoadedItems(keys.Select(k => k.KeyInfo.First(c => c.CanCreateKey)).ToList());
}
