/// <summary>
/// Logs the current configuration for troubleshooting purposes.
/// </summary>
private void LogCurrentConfiguration()
{
var sb = new StringBuilder();
sb.AppendLine("Current plugin configuration");
foreach (SettingsProperty settingsProperty in Settings.Default.Properties)
{
sb.AppendLine($"{settingsProperty.Name} : '{Settings.Default[settingsProperty.Name]}'");
}
sb.AppendLine("Plugin Metadata:");
foreach (var am in this.Metadata.AuthenticationMethods)
{
sb.AppendLine($"AuthenticationMethod: '{am}'");
}
foreach (var ic in this.Metadata.IdentityClaims)
{
sb.AppendLine($"IdentityClaim: '{ic}'");
}
try
{
var options = Kentor.AuthServices.Configuration.Options.FromConfiguration;
sb.AppendLine($"AssertionConsumerService: '{options.SPOptions.ReturnUrl.OriginalString}'");
sb.AppendLine($"ServiceProvider.EntityId: '{Kentor.AuthServices.Configuration.Options.FromConfiguration.SPOptions.EntityId.Id}'");
sb.AppendLine($"IdentityProvider.EntityId: '{SamlService.GetIdentityProvider(Kentor.AuthServices.Configuration.Options.FromConfiguration).EntityId.Id}'");
}
catch (Exception ex)
{
sb.AppendLine($"Error while reading configuration file. Please enter Serviceprovider en IdentityProvider settings. Details: {ex.Message}");
}
this.log.Info(sb);
}
/// <summary>
/// Origina la petición de autenticacion a cl@ve
/// </summary>
protected override Task ApplyResponseChallengeAsync()
{
if (Response.StatusCode == 401)
{
// Only react to 401 if there is an authentication challenge for the authentication
// type of this handler.
var challenge = Helper.LookupChallenge(Options.AuthenticationType, Options.AuthenticationMode);
if (challenge != null)
{
var state = challenge.Properties;
if (string.IsNullOrEmpty(state.RedirectUri))
{
state.RedirectUri = Request.Uri.ToString();
}
var stateString = Options.StateDataFormat.Protect(state);
SamlService claveSrv = new SamlService();
var commandResult = claveSrv.GetSamlCommandResult(stateString);
commandResult.Apply(Context);
}
}
return(Task.FromResult <object>(null));
}
/// <summary>
/// Validates the SAML response and set the necessary claims.
/// </summary>
/// <param name="context">The context.</param>
/// <param name="proofData">The post back data.</param>
/// <param name="request">The request.</param>
/// <param name="claims">The claims.</param>
/// <returns>A form if the the validation fails or claims if the validation succeeds.</returns>
public IAdapterPresentation TryEndAuthentication(IAuthenticationContext context, IProofData proofData, HttpListenerRequest request, out Claim[] claims)
{
this.log.Debug("Enter TryEndAuthentication");
this.log.DebugFormat("context.ActivityId='{0}'; context.ContextId='{1}'; conext.Lcid={2}", context.ActivityId, context.ContextId, context.Lcid);
foreach (var d in context.Data)
{
this.log.DebugFormat("conext.Data: '{0}'='{1}'", d.Key, d.Value);
}
foreach (var p in proofData.Properties)
{
this.log.DebugFormat("proofData.Properties: '{0}'='{1}'", p.Key, p.Value);
}
claims = null;
try
{
var response = SecondFactorAuthResponse.Deserialize(proofData, context);
var authnRequestId = $"_{ context.ContextId}";
this.log.InfoFormat("Received response for request with id '{0}'", authnRequestId);
var samlResponse = new Saml2Response(response.SamlResponse, new Saml2Id(authnRequestId));
if (samlResponse.Status != Saml2StatusCode.Success)
{
return(new AuthFailedForm(samlResponse.StatusMessage));
}
claims = SamlService.VerifyResponseAndGetAuthenticationClaim(samlResponse);
foreach (var claim in claims)
{
this.log.DebugFormat(
"claim.Issuer='{0}'; claim.OriginalIssuer='{1}; claim.Type='{2}'; claim.Value='{3}'",
claim.Issuer,
claim.OriginalIssuer,
claim.Type,
claim.Value);
foreach (var p in claim.Properties)
{
this.log.DebugFormat("claim.Properties: '{0}'='{1}'", p.Key, p.Value);
}
}
this.log.InfoFormat("Successfully processed response for request with id '{0}'", authnRequestId);
return(null);
}
catch (Exception ex)
{
this.log.ErrorFormat("Error while processing the saml response. Details: {0}", ex);
return(new AuthFailedForm());
}
}
public ActionResult LoginSSO(string issuer)
{
var identity = SamlIdentityService.Get(issuer);
if (identity == null)
{
return new ContentResult {
Content = string.Concat(@"SSO failed. \n Issuer ", issuer, " is invalid.")
}
}
;
return(Redirect(string.Concat(identity.IssuerURL, SamlParam(identity.IssuerURL),
Url.Encode(SamlService.GenerateRequest(identity, SamlService.GenerateId(), SamlService.IssueInstant())))));
}
public void ValidateSubject()
{
var claim = new Claim("nameid", "homeorganization.nl:useridentifier");
var request = SamlService.CreateAuthnRequest(claim, Guid.NewGuid().ToString(), new Uri("https://mytest.nl"));
using (var service = new CryptographicService())
{
service.SignSamlRequest(request);
}
var requestXml = request.ToXElement();
var ns = XNamespace.Get("urn:oasis:names:tc:SAML:2.0:assertion");
var element = requestXml.Element(ns + "Subject");
Assert.IsNotNull(element);
Assert.AreEqual(claim.Value, ((XElement)element.FirstNode).Value);
}
protected override async Task <AuthenticationTicket> AuthenticateCoreAsync()
{
string rp = Request.Query["reqPath"];
AuthenticationProperties authProp = Options.StateDataFormat.Unprotect(rp);
SamlService claveSvc = new SamlService();
var commandResult = claveSvc.GetSamlResponseCommandResult(await Context.ToHttpRequestData());
if (commandResult.Principal != null)
{
var identity = commandResult.Principal.Identities
.Select(i => new ClaimsIdentity(i, null, Options.SignInAsAuthenticationType, i.NameClaimType, i.RoleClaimType)).FirstOrDefault();
return(new AuthenticationTicket(identity, authProp));
}
else
{
return(new AuthenticationTicket(null, authProp));
}
}
public ActionResult Consume(string issuer)
{
var response = new XmlResponse(Request.Form[SamlResponse]);
var identity = SamlIdentityService.Get(issuer);
if (identity == null)
{
return new ContentResult {
Content = string.Concat(@"SSO failed. \n Issuer ", issuer, " is invalid.")
}
}
;
if (SamlService.ResponseIsValid(response, identity))
{
var userId = response.GetSubject();
if (userId == null)
{
return(Redirect(identity.IssuerLogoutUrl));
}
var token = SamlService.SetSsoToken(userId);
if (token == null)
{
return new ContentResult {
Content = string.Concat(@"SSO failed. \n User ", userId, " is invalid.")
}
}
;
return(Redirect(string.Concat(identity.AuthenticatedRedirectUrl, "?SSOtoken=", token, "&SamlIssuer=", identity.Issuer)));
}
return(new ContentResult {
Content = @"SSO failed. \n Certificate is invalid."
});
}
/// <summary>
/// Begins the authentication.
/// </summary>
/// <param name="identityClaim">The identity claim.</param>
/// <param name="httpListenerRequest">The HTTP listener request.</param>
/// <param name="context">The context.</param>
/// <returns>A presentation form.</returns>
public IAdapterPresentation BeginAuthentication(Claim identityClaim, HttpListenerRequest httpListenerRequest, IAuthenticationContext context)
{
try
{
this.InitializeLogger();
this.log.Debug("Enter BeginAuthentication");
this.log.DebugFormat("context.ActivityId='{0}'; context.ContextId='{1}'; conext.Lcid={2}", context.ActivityId, context.ContextId, context.Lcid);
string authnRequestId = $"_{context.ContextId}";
var authRequest = SamlService.CreateAuthnRequest(identityClaim, authnRequestId, httpListenerRequest.Url);
using (var cryptographicService = new CryptographicService())
{
this.log.DebugFormat("Signing AuthnRequest with id {0}", authnRequestId);
var signedXml = cryptographicService.SignSamlRequest(authRequest);
return(new AuthForm(Settings.Default.SecondFactorEndpoint, signedXml));
}
}
catch (Exception ex)
{
this.log.ErrorFormat("Error while initiating authentication:{0}", ex);
return(new AuthFailedForm());
}
}
