public void DefaultValues ()
{
SamlAttributeStatement s =
new SamlAttributeStatement ();
Assert.IsNull (s.SamlSubject, "#1");
Assert.AreEqual (0, s.Attributes.Count, "#2");
}
public virtual SamlStatement LoadStatement(XmlDictionaryReader reader, SecurityTokenSerializer keyInfoSerializer, SecurityTokenResolver outOfBandTokenResolver)
{
if (reader == null)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("reader");
}
if (reader.IsStartElement(DictionaryManager.SamlDictionary.AuthenticationStatement, DictionaryManager.SamlDictionary.Namespace))
{
SamlAuthenticationStatement authStatement = new SamlAuthenticationStatement();
authStatement.ReadXml(reader, this, keyInfoSerializer, outOfBandTokenResolver);
return(authStatement);
}
else if (reader.IsStartElement(DictionaryManager.SamlDictionary.AttributeStatement, DictionaryManager.SamlDictionary.Namespace))
{
SamlAttributeStatement attrStatement = new SamlAttributeStatement();
attrStatement.ReadXml(reader, this, keyInfoSerializer, outOfBandTokenResolver);
return(attrStatement);
}
else if (reader.IsStartElement(DictionaryManager.SamlDictionary.AuthorizationDecisionStatement, DictionaryManager.SamlDictionary.Namespace))
{
SamlAuthorizationDecisionStatement authDecisionStatement = new SamlAuthorizationDecisionStatement();
authDecisionStatement.ReadXml(reader, this, keyInfoSerializer, outOfBandTokenResolver);
return(authDecisionStatement);
}
else
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new XmlException(SR.GetString(SR.SAMLUnableToLoadUnknownElement, reader.LocalName)));
}
}
public virtual SamlStatement LoadStatement(XmlDictionaryReader reader, SecurityTokenSerializer keyInfoSerializer, SecurityTokenResolver outOfBandTokenResolver)
{
if (reader == null)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("reader");
}
if (reader.IsStartElement(this.DictionaryManager.SamlDictionary.AuthenticationStatement, this.DictionaryManager.SamlDictionary.Namespace))
{
SamlAuthenticationStatement statement = new SamlAuthenticationStatement();
statement.ReadXml(reader, this, keyInfoSerializer, outOfBandTokenResolver);
return(statement);
}
if (reader.IsStartElement(this.DictionaryManager.SamlDictionary.AttributeStatement, this.DictionaryManager.SamlDictionary.Namespace))
{
SamlAttributeStatement statement2 = new SamlAttributeStatement();
statement2.ReadXml(reader, this, keyInfoSerializer, outOfBandTokenResolver);
return(statement2);
}
if (!reader.IsStartElement(this.DictionaryManager.SamlDictionary.AuthorizationDecisionStatement, this.DictionaryManager.SamlDictionary.Namespace))
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new XmlException(System.IdentityModel.SR.GetString("SAMLUnableToLoadUnknownElement", new object[] { reader.LocalName })));
}
SamlAuthorizationDecisionStatement statement3 = new SamlAuthorizationDecisionStatement();
statement3.ReadXml(reader, this, keyInfoSerializer, outOfBandTokenResolver);
return(statement3);
}
/// <summary>
/// Creates a SAML Token with the input parameters
/// </summary>
/// <param name="stsName">Name of the STS issuing the SAML Token</param>
/// <param name="proofToken">Associated Proof Token</param>
/// <param name="issuerToken">Associated Issuer Token</param>
/// <param name="proofKeyEncryptionToken">Token to encrypt the proof key with</param>
/// <param name="samlConditions">The Saml Conditions to be used in the construction of the SAML Token</param>
/// <param name="samlAttributes">The Saml Attributes to be used in the construction of the SAML Token</param>
/// <returns>A SAML Token</returns>
public static SamlSecurityToken CreateSamlToken(string stsName,
BinarySecretSecurityToken proofToken,
SecurityToken issuerToken,
SecurityToken proofKeyEncryptionToken,
SamlConditions samlConditions,
IEnumerable<SamlAttribute> samlAttributes)
{
// Create a security token reference to the issuer certificate
SecurityKeyIdentifierClause skic = issuerToken.CreateKeyIdentifierClause<X509ThumbprintKeyIdentifierClause>();
SecurityKeyIdentifier issuerKeyIdentifier = new SecurityKeyIdentifier(skic);
// Create an encrypted key clause containing the encrypted proof key
byte[] wrappedKey = proofKeyEncryptionToken.SecurityKeys[0].EncryptKey(SecurityAlgorithms.RsaOaepKeyWrap, proofToken.GetKeyBytes());
SecurityKeyIdentifierClause encryptingTokenClause = proofKeyEncryptionToken.CreateKeyIdentifierClause<X509ThumbprintKeyIdentifierClause>();
EncryptedKeyIdentifierClause encryptedKeyClause = new EncryptedKeyIdentifierClause(wrappedKey, SecurityAlgorithms.RsaOaepKeyWrap, new SecurityKeyIdentifier(encryptingTokenClause) );
SecurityKeyIdentifier proofKeyIdentifier = new SecurityKeyIdentifier(encryptedKeyClause);
// Create a comfirmationMethod for HolderOfKey
List<string> confirmationMethods = new List<string>(1);
confirmationMethods.Add(SamlConstants.HolderOfKey);
// Create a SamlSubject with proof key and confirmation method from above
SamlSubject samlSubject = new SamlSubject(null,
null,
null,
confirmationMethods,
null,
proofKeyIdentifier);
// Create a SamlAttributeStatement from the passed in SamlAttribute collection and the SamlSubject from above
SamlAttributeStatement samlAttributeStatement = new SamlAttributeStatement(samlSubject, samlAttributes);
// Put the SamlAttributeStatement into a list of SamlStatements
List<SamlStatement> samlSubjectStatements = new List<SamlStatement>();
samlSubjectStatements.Add(samlAttributeStatement);
// Create a SigningCredentials instance from the key associated with the issuerToken.
SigningCredentials signingCredentials = new SigningCredentials(issuerToken.SecurityKeys[0],
SecurityAlgorithms.RsaSha1Signature,
SecurityAlgorithms.Sha1Digest,
issuerKeyIdentifier);
// Create a SamlAssertion from the list of SamlStatements created above and the passed in
// SamlConditions.
SamlAssertion samlAssertion = new SamlAssertion("_" + Guid.NewGuid().ToString(),
stsName,
DateTime.UtcNow,
samlConditions,
new SamlAdvice(),
samlSubjectStatements
);
// Set the SigningCredentials for the SamlAssertion
samlAssertion.SigningCredentials = signingCredentials;
// Create a SamlSecurityToken from the SamlAssertion and return it
return new SamlSecurityToken(samlAssertion);
}
public void WriteXml1 ()
{
SamlAttribute attr = new SamlAttribute (Claim.CreateNameClaim ("myname"));
SamlSubject subject = new SamlSubject (
SamlConstants.UserNameNamespace,
"urn:myqualifier",
"myname");
SamlAttributeStatement s = new SamlAttributeStatement (
subject, new SamlAttribute [] {attr});
StringWriter sw = new StringWriter ();
using (XmlDictionaryWriter dw = CreateWriter (sw)) {
s.WriteXml (dw, new SamlSerializer (), null);
}
Assert.AreEqual (String.Format ("<?xml version=\"1.0\" encoding=\"utf-16\"?><saml:AttributeStatement xmlns:saml=\"urn:oasis:names:tc:SAML:1.0:assertion\"><saml:Subject><saml:NameIdentifier Format=\"urn:oasis:names:tc:SAML:1.1:nameid-format:WindowsDomainQualifiedName\" NameQualifier=\"urn:myqualifier\">myname</saml:NameIdentifier></saml:Subject><saml:Attribute AttributeName=\"name\" AttributeNamespace=\"{0}\"><saml:AttributeValue>myname</saml:AttributeValue></saml:Attribute></saml:AttributeStatement>", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims"), sw.ToString ());
}
SamlSecurityToken GetSamlToken ()
{
SamlAssertion a = new SamlAssertion ();
SamlSubject subject = new SamlSubject (
SamlConstants.UserNameNamespace,
"urn:myqualifier",
"myname");
SamlAttribute attr = new SamlAttribute (Claim.CreateNameClaim ("myname"));
SamlAttributeStatement statement =
new SamlAttributeStatement (subject, new SamlAttribute [] {attr});
a.Statements.Add (statement);
a.Issuer = "my_hero";
X509Certificate2 cert = new X509Certificate2 ("Test/Resources/test.pfx", "mono");
X509AsymmetricSecurityKey key =
new X509AsymmetricSecurityKey (cert);
a.SigningCredentials =
new SigningCredentials (key,
SecurityAlgorithms.HmacSha1Signature,
SecurityAlgorithms.Sha256Digest);
XmlDocument doc = new XmlDocument ();
XmlWriter w = doc.CreateNavigator ().AppendChild ();
using (XmlDictionaryWriter dw = XmlDictionaryWriter.CreateDictionaryWriter (w)) {
a.WriteXml (dw, new SamlSerializer (), new MySecurityTokenSerializer ());
}
Console.Error.WriteLine (doc.OuterXml);
return new SamlSecurityToken (a);
}
/// <summary>
/// Creates a SAML assertion based on input parameters
/// </summary>
/// <param name="claims">A ClaimSet containing the claims to be placed into the SAML assertion</param>
/// <param name="signatureKey">The SecurityKey that will be used to sign the SAML assertion</param>
/// <param name="signatureKeyIdentifier">A key identifier for the signature key</param>
/// <param name="proofKeyIdentifier">A key identifier for the proof key</param>
/// <param name="algoSuite">The algorithm suite to use when performing cryptographic operations</param>
/// <returns>A SAML assertion containing the passed in claims and proof key, signed by the provided signature key</returns>
private static SamlAssertion CreateAssertion(ClaimSet claims, SecurityKey signatureKey, SecurityKeyIdentifier signatureKeyIdentifier, SecurityKeyIdentifier proofKeyIdentifier, SecurityAlgorithmSuite algoSuite)
{
List<string> confirmationMethods = new List<string>(1);
// Create a confirmationMethod for HolderOfKey
confirmationMethods.Add(SamlConstants.HolderOfKey);
// Create a SamlSubject with proof key and confirmation method from above
SamlSubject samlSubject = new SamlSubject(null,
null,
"Self",
confirmationMethods,
null,
proofKeyIdentifier);
IList<SamlAttribute> samlAttributes = new List<SamlAttribute>();
foreach (Claim c in claims)
{
if ( typeof(string) == c.Resource.GetType())
samlAttributes.Add(new SamlAttribute(c));
}
// Create a SamlAttributeStatement from the passed in SamlAttribute collection and the
// SamlSubject from above
SamlAttributeStatement samlAttributeStatement = new SamlAttributeStatement(samlSubject, samlAttributes);
// Put the SamlAttributeStatement into a list of SamlStatements
List<SamlStatement> samlSubjectStatements = new List<SamlStatement>();
samlSubjectStatements.Add(samlAttributeStatement);
// Create a SigningCredentials instance from the signature key
SigningCredentials signingCredentials = new SigningCredentials(signatureKey,
algoSuite.DefaultAsymmetricSignatureAlgorithm,
algoSuite.DefaultDigestAlgorithm,
signatureKeyIdentifier);
// Create a SamlAssertion from the list of SamlStatements created above
DateTime issueInstant = DateTime.UtcNow;
// Create the Saml condition with allowed audience Uris
SamlConditions conditions = new SamlConditions(issueInstant, issueInstant + new TimeSpan(10, 0, 0));
conditions.Conditions.Add(new SamlAudienceRestrictionCondition(new Uri[] { new Uri("http://localhost:8000/servicemodelsamples/service/calc/symm"),
new Uri("http://localhost:8000/servicemodelsamples/service/calc/asymm") }));
SamlAssertion samlAssertion = new SamlAssertion("_" + Guid.NewGuid().ToString(),
"Self",
issueInstant,
conditions,
new SamlAdvice(),
samlSubjectStatements
);
// Set the SigningCredentials for the SamlAssertion
samlAssertion.SigningCredentials = signingCredentials;
// Return the SamlAssertion
return samlAssertion;
}
/// <summary>
/// Serialize a SamlAttributeStatement.
/// </summary>
/// <param name="writer">XmlWriter to serialize the given statement.</param>
/// <param name="statement">SamlAttributeStatement to write to the XmlWriter.</param>
/// <exception cref="ArgumentNullException">The input parameter 'writer' or 'statement' is null.</exception>
protected virtual void WriteAttributeStatement(XmlWriter writer, SamlAttributeStatement statement)
{
if (writer == null)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("writer");
}
if (statement == null)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("statement");
}
writer.WriteStartElement(SamlConstants.Prefix, SamlConstants.ElementNames.AttributeStatement, SamlConstants.Namespace);
WriteSubject(writer, statement.SamlSubject);
for (int i = 0; i < statement.Attributes.Count; i++)
{
WriteAttribute(writer, statement.Attributes[i]);
}
writer.WriteEndElement();
}
/// <summary>
/// Read saml:AttributeStatement from the given XmlReader.
/// </summary>
/// <param name="reader">XmlReader positioned at a saml:AttributeStatement element.</param>
/// <returns>SamlAttributeStatement</returns>
/// <exception cref="ArgumentNullException">Input parameter 'reader' is null.</exception>
/// <exception cref="XmlException">XmlReader is not positioned at a saml:AttributeStatement element or
/// the AttributeStatement contains unrecognized elements.</exception>
protected virtual SamlAttributeStatement ReadAttributeStatement(XmlReader reader)
{
if (reader == null)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("reader");
}
if (!reader.IsStartElement(SamlConstants.ElementNames.AttributeStatement, SamlConstants.Namespace))
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new XmlException(SR.GetString(SR.ID4082, SamlConstants.ElementNames.AttributeStatement, SamlConstants.Namespace, reader.LocalName, reader.NamespaceURI)));
}
reader.ReadStartElement();
SamlAttributeStatement attributeStatement = new SamlAttributeStatement();
if (reader.IsStartElement(SamlConstants.ElementNames.Subject, SamlConstants.Namespace))
{
attributeStatement.SamlSubject = ReadSubject(reader);
}
else
{
// SAML Subject is a required Attribute Statement clause.
throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new XmlException(SR.GetString(SR.ID4092)));
}
while (reader.IsStartElement())
{
if (reader.IsStartElement(SamlConstants.ElementNames.Attribute, SamlConstants.Namespace))
{
// SAML Attribute is a extensibility point. So ask the SAML serializer
// to load this part.
attributeStatement.Attributes.Add(ReadAttribute(reader));
}
else
{
break;
}
}
if (attributeStatement.Attributes.Count == 0)
{
// Each Attribute statement should have at least one attribute.
throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new XmlException(SR.GetString(SR.ID4093)));
}
reader.MoveToContent();
reader.ReadEndElement();
return attributeStatement;
}
/// <summary>
/// Override this virtual to provide custom processing of SamlAttributeStatements.
/// </summary>
/// <param name="samlStatement">The SamlAttributeStatement to process.</param>
/// <param name="subject">The identity that should be modified to reflect the statement.</param>
/// <param name="issuer">The subject that identifies the issuer.</param>
/// <exception cref="ArgumentNullException">The input parameter 'samlStatement' or 'subject' is null.</exception>
protected virtual void ProcessAttributeStatement(SamlAttributeStatement samlStatement, ClaimsIdentity subject, string issuer)
{
if (samlStatement == null)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("samlStatement");
}
if (subject == null)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("subject");
}
// We will be adding the nameid claim only once for multiple attribute and/or authn statements.
// As of now, we put the nameId claim both inside the saml subject and the saml attribute statement as assertion.
// When generating claims, we will only pick up the saml subject of a saml statement, not the attribute statement value.
ProcessSamlSubject(samlStatement.SamlSubject, subject, issuer);
foreach (SamlAttribute attr in samlStatement.Attributes)
{
string claimType = null;
if (string.IsNullOrEmpty(attr.Namespace))
{
claimType = attr.Name;
}
else if (StringComparer.Ordinal.Equals(attr.Name, SamlConstants.ElementNames.NameIdentifier))
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new NotSupportedException(SR.GetString(SR.ID4094)));
}
else
{
// check if Namespace end with slash don't add it
// If no slash or last char is not a slash, add it.
int lastSlashIndex = attr.Namespace.LastIndexOf('/');
if ((lastSlashIndex == -1) || (!(lastSlashIndex == attr.Namespace.Length - 1)))
{
claimType = attr.Namespace + "/" + attr.Name;
}
else
{
claimType = attr.Namespace + attr.Name;
}
}
if (claimType == ClaimTypes.Actor)
{
if (subject.Actor != null)
{
throw DiagnosticUtility.ThrowHelperInvalidOperation(SR.GetString(SR.ID4034));
}
SetDelegateFromAttribute(attr, subject, issuer);
}
else
{
for (int k = 0; k < attr.AttributeValues.Count; ++k)
{
// Check if we already have a nameId claim.
if (StringComparer.Ordinal.Equals(ClaimTypes.NameIdentifier, claimType) && GetClaim(subject, ClaimTypes.NameIdentifier) != null)
{
continue;
}
string originalIssuer = issuer;
SamlAttribute SamlAttribute = attr as SamlAttribute;
if ((SamlAttribute != null) && (SamlAttribute.OriginalIssuer != null))
{
originalIssuer = SamlAttribute.OriginalIssuer;
}
string claimValueType = ClaimValueTypes.String;
if (SamlAttribute != null)
{
claimValueType = SamlAttribute.AttributeValueXsiType;
}
subject.AddClaim(new Claim(claimType, attr.AttributeValues[k], claimValueType, issuer, originalIssuer));
}
}
}
}
public virtual SamlStatement LoadStatement(XmlDictionaryReader reader, SecurityTokenSerializer keyInfoSerializer, SecurityTokenResolver outOfBandTokenResolver)
{
if (reader == null)
throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("reader");
if (reader.IsStartElement(DictionaryManager.SamlDictionary.AuthenticationStatement, DictionaryManager.SamlDictionary.Namespace))
{
SamlAuthenticationStatement authStatement = new SamlAuthenticationStatement();
authStatement.ReadXml(reader, this, keyInfoSerializer, outOfBandTokenResolver);
return authStatement;
}
else if (reader.IsStartElement(DictionaryManager.SamlDictionary.AttributeStatement, DictionaryManager.SamlDictionary.Namespace))
{
SamlAttributeStatement attrStatement = new SamlAttributeStatement();
attrStatement.ReadXml(reader, this, keyInfoSerializer, outOfBandTokenResolver);
return attrStatement;
}
else if (reader.IsStartElement(DictionaryManager.SamlDictionary.AuthorizationDecisionStatement, DictionaryManager.SamlDictionary.Namespace))
{
SamlAuthorizationDecisionStatement authDecisionStatement = new SamlAuthorizationDecisionStatement();
authDecisionStatement.ReadXml(reader, this, keyInfoSerializer, outOfBandTokenResolver);
return authDecisionStatement;
}
else
throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new XmlException(SR.GetString(SR.SAMLUnableToLoadUnknownElement, reader.LocalName)));
}
public virtual SamlStatement LoadStatement(XmlDictionaryReader reader, SecurityTokenSerializer keyInfoSerializer, SecurityTokenResolver outOfBandTokenResolver)
{
if (reader == null)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("reader");
}
if (reader.IsStartElement(this.DictionaryManager.SamlDictionary.AuthenticationStatement, this.DictionaryManager.SamlDictionary.Namespace))
{
SamlAuthenticationStatement statement = new SamlAuthenticationStatement();
statement.ReadXml(reader, this, keyInfoSerializer, outOfBandTokenResolver);
return statement;
}
if (reader.IsStartElement(this.DictionaryManager.SamlDictionary.AttributeStatement, this.DictionaryManager.SamlDictionary.Namespace))
{
SamlAttributeStatement statement2 = new SamlAttributeStatement();
statement2.ReadXml(reader, this, keyInfoSerializer, outOfBandTokenResolver);
return statement2;
}
if (!reader.IsStartElement(this.DictionaryManager.SamlDictionary.AuthorizationDecisionStatement, this.DictionaryManager.SamlDictionary.Namespace))
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new XmlException(System.IdentityModel.SR.GetString("SAMLUnableToLoadUnknownElement", new object[] { reader.LocalName })));
}
SamlAuthorizationDecisionStatement statement3 = new SamlAuthorizationDecisionStatement();
statement3.ReadXml(reader, this, keyInfoSerializer, outOfBandTokenResolver);
return statement3;
}
public void WriteXmlValid ()
{
SamlAssertion a = new SamlAssertion ();
SamlSubject subject = new SamlSubject (
SamlConstants.UserNameNamespace,
"urn:myqualifier",
"myname");
SamlAttribute attr = new SamlAttribute (Claim.CreateNameClaim ("myname"));
SamlAttributeStatement statement =
new SamlAttributeStatement (subject, new SamlAttribute [] {attr});
a.Advice = new SamlAdvice (new string [] {"urn:testadvice1"});
DateTime notBefore = DateTime.SpecifyKind (new DateTime (2000, 1, 1), DateTimeKind.Utc);
DateTime notOnAfter = DateTime.SpecifyKind (new DateTime (2006, 1, 1), DateTimeKind.Utc);
a.Conditions = new SamlConditions (notBefore, notOnAfter);
a.Statements.Add (statement);
a.Issuer = "my_hero";
StringWriter sw = new StringWriter ();
string id = a.AssertionId;
DateTime instant = a.IssueInstant;
using (XmlDictionaryWriter dw = CreateWriter (sw)) {
a.WriteXml (dw, new SamlSerializer (), null);
}
string expected = String.Format ("<?xml version=\"1.0\" encoding=\"utf-16\"?><saml:Assertion MajorVersion=\"1\" MinorVersion=\"1\" AssertionID=\"{0}\" Issuer=\"my_hero\" IssueInstant=\"{1}\" xmlns:saml=\"urn:oasis:names:tc:SAML:1.0:assertion\"><saml:Conditions NotBefore=\"{3}\" NotOnOrAfter=\"{4}\" /><saml:Advice><saml:AssertionIDReference>urn:testadvice1</saml:AssertionIDReference></saml:Advice><saml:AttributeStatement><saml:Subject><saml:NameIdentifier Format=\"urn:oasis:names:tc:SAML:1.1:nameid-format:WindowsDomainQualifiedName\" NameQualifier=\"urn:myqualifier\">myname</saml:NameIdentifier></saml:Subject><saml:Attribute AttributeName=\"name\" AttributeNamespace=\"{2}\"><saml:AttributeValue>myname</saml:AttributeValue></saml:Attribute></saml:AttributeStatement></saml:Assertion>",
id,
instant.ToString ("yyyy-MM-ddTHH:mm:ss.fff'Z'", CultureInfo.InvariantCulture),
"http://schemas.xmlsoap.org/ws/2005/05/identity/claims",
notBefore.ToString ("yyyy-MM-ddTHH:mm:ss.fff'Z'", CultureInfo.InvariantCulture),
notOnAfter.ToString ("yyyy-MM-ddTHH:mm:ss.fff'Z'", CultureInfo.InvariantCulture));
Assert.AreEqual (expected, sw.ToString ());
}
