/// <summary>
/// Creates a new <see cref = " RelyingParty" />.
/// </summary>
/// <param name = "name">Name of this new <see cref = " RelyingParty" />.</param>
/// <param name = "realm">Realm of the relying party.</param>
/// <param name = "reply">ReplyTo address for the relying party. May be null.</param>
/// <param name = "tokenType">The type of token that the relying party consumes.</param>
/// <param name = "requireEncryption">Whether to require asymmetric token encryption.</param>
/// <returns>The new <see cref = " RelyingParty" /> created.</returns>
public static RelyingParty CreateRelyingParty(
this ManagementService svc, string name, string realm, string reply, RelyingPartyTokenType tokenType, bool requireEncryption)
{
svc.DeleteRelyingPartyByRealmIfExists(realm);
var relyingParty = new RelyingParty
{
AsymmetricTokenEncryptionRequired = requireEncryption, Name = name, TokenType = tokenType.ToString(), TokenLifetime = 3600,
};
svc.AddToRelyingParties(relyingParty);
//
// Create the Realm address
//
var realmAddress = new RelyingPartyAddress {
Address = realm, EndpointType = RelyingPartyAddressType.Realm.ToString(),
};
svc.AddRelatedObject(relyingParty, "RelyingPartyAddresses", realmAddress);
if (!string.IsNullOrEmpty(reply))
{
//
// Create the ReplyTo address
//
var replyAddress = new RelyingPartyAddress {
Address = reply, EndpointType = RelyingPartyAddressType.Reply.ToString(),
};
svc.AddRelatedObject(relyingParty, "RelyingPartyAddresses", replyAddress);
}
return(relyingParty);
}
public void ExecuteCmdletBase(PSCmdlet callingCmdlet)
{
ManagementService client = CreateManagementServiceClient();
var relyingParties = client.RelyingParties;
if (relyingParties != null)
{
foreach (var relyingParty in relyingParties)
{
string name = relyingParty.Name;
if (name == RelyingParty)
{
RelyingPartyAddress address = new RelyingPartyAddress();
address.Address = RelyingPartyRelayAddress;
address.EndpointType = "Reply";
client.AddRelatedObject(relyingParty, "RelyingPartyAddresses", address);
client.SaveChanges(SaveChangesOptions.Batch);
}
}
}
else
{
throw new Exception("Failed to get the Relying Parties list from the ACS Management Service.");
}
}
/// <summary>
/// Configures the ACS service namespace with the proper objects for this sample.
/// </summary>
/// <remarks>
/// Existing objects that are needed for this sample will be deleted and recreated.
/// </remarks>
static void Main(string[] args)
{
const string rpName = "ASPNET Simple MVC Sample";
const string rpRealm = "http://localhost:63000/";
const string rpErrorUrl = "http://localhost:63000/Error";
const string ruleGroupName = "Default rule group for ASPNET Simple MVC Sample";
const string googleIdpName = "Google";
const string yahooIdpName = "Yahoo!";
ManagementService svc = ManagementServiceHelper.CreateManagementServiceClient();
svc.DeleteRelyingPartyByRealmIfExists(rpRealm);
svc.DeleteRuleGroupByNameIfExists(ruleGroupName);
svc.DeleteIdentityProviderIfExists(googleIdpName);
svc.DeleteIdentityProviderIfExists(yahooIdpName);
svc.SaveChangesBatch();
IdentityProvider live = svc.GetIdentityProviderByName("uri:WindowsLiveID");
IdentityProvider google = svc.CreateOpenIdIdentityProvider(googleIdpName, "https://www.google.com/accounts/o8/ud");
IdentityProvider yahoo = svc.CreateOpenIdIdentityProvider(yahooIdpName, "https://open.login.yahooapis.com/openid/op/auth");
IdentityProvider[] associatedProviders = new[] { live, google, yahoo };
//
// Create the relying party. In this case, the Realm and the ReplyTo are the same address.
//
RelyingParty relyingParty = svc.CreateRelyingParty(rpName, rpRealm, rpRealm, RelyingPartyTokenType.SAML_2_0, false);
svc.AssociateIdentityProvidersWithRelyingParties(associatedProviders, new[] { relyingParty });
//
// Configure the error URL.
//
RelyingPartyAddress errorUrl = new RelyingPartyAddress()
{
Address = rpErrorUrl,
EndpointType = RelyingPartyAddressType.Error.ToString()
};
svc.AddRelatedObject(relyingParty, "RelyingPartyAddresses", errorUrl);
RuleGroup ruleGroup = svc.CreateRuleGroup(ruleGroupName);
svc.AssignRuleGroupToRelyingParty(ruleGroup, relyingParty);
//
// Create simple rules to pass through all claims from each issuer.
//
foreach (IdentityProvider identityProvider in associatedProviders)
{
string ruleDescription = String.Format(CultureInfo.InvariantCulture, "Pass through all claims from '{0}'", identityProvider.Issuer.Name);
svc.CreateRule(identityProvider.Issuer, null, null, null, null, ruleGroup, ruleDescription);
}
svc.SaveChangesBatch();
Console.WriteLine("Sample successfully configured. Press ENTER to continue ...");
Console.ReadLine();
}
/// <summary>
/// Deletes a RelyingParty having the given name, if it exists.
/// </summary>
public static void DeleteRelyingPartyByRealmIfExists(this ManagementService svc, string realm)
{
// Retrieve Relying Party and then delete it if it exists.
RelyingPartyAddress rpAddress = svc.RelyingPartyAddresses.Expand("RelyingParty").Where(addr => addr.Address == realm && addr.EndpointType == RelyingPartyAddressType.Realm.ToString()).FirstOrDefault();
if (rpAddress != null)
{
svc.DeleteObject(rpAddress.RelyingParty);
}
}
static void DisplayRelyingPartyAddress(RelyingPartyAddress relyingPartyAddress)
{
if (relyingPartyAddress != null)
{
Console.WriteLine("\tRelying Party Address (Id = {0})\n", relyingPartyAddress.Id);
Console.WriteLine("\t\tId = {0}\n", relyingPartyAddress.Id);
Console.WriteLine("\t\tAddress = {0}\n", relyingPartyAddress.Address);
Console.WriteLine("\t\tEndpointType = {0}\n", relyingPartyAddress.EndpointType);
}
}
public void AddRelyingPartyWithKey(string relyingPartyName, string realmAddress, string replyAddress, byte[] symmetricKey,
TokenType tokenType, int tokenLifetime,
byte[] signingCert, string signingCertPassword, DateTime?signingStartDate, DateTime?signingEndDate,
byte[] encryptionCert, string ruleGroupName, string[] allowedIdentityProviders)
{
try
{
var client = this.CreateManagementServiceClient();
var defaultStartDate = DateTime.UtcNow;
var defaultEndDate = defaultStartDate.AddYears(1);
var asymmetricTokenEncryptionRequired = encryptionCert != null;
RelyingParty relyingParty;
CreateRelyingParty(client, relyingPartyName, ruleGroupName, realmAddress, string.Empty, tokenType, tokenLifetime,
asymmetricTokenEncryptionRequired, out relyingParty);
// Create the Reply for Relying Party
var reply = new RelyingPartyAddress
{
Address = replyAddress,
EndpointType = RelyingPartyAddressEndpointType.Reply.ToString(),
RelyingParty = relyingParty
};
client.AddRelatedObject(relyingParty, "RelyingPartyAddresses", reply);
client.SaveChanges();
if (signingCert != null)
{
AddSigningKeyToRelyingParty(client, relyingPartyName, signingCert, signingCertPassword, signingStartDate.Value, signingEndDate.Value, relyingParty);
}
if (symmetricKey != null)
{
AddSigningKeyToRelyingParty(client, relyingPartyName, symmetricKey, defaultStartDate, defaultEndDate, relyingParty);
}
if (asymmetricTokenEncryptionRequired)
{
AddEncryptionKeyToRelyingParty(client, relyingPartyName, encryptionCert, defaultStartDate, defaultEndDate, relyingParty);
}
client.SaveChanges();
AddIdentityProviderToRelyingParty(client, allowedIdentityProviders, relyingParty);
}
catch (Exception ex)
{
throw TryGetExceptionDetails(ex);
}
}
public static RelyingParty AddRelyingParty(this ManagementService svc, Uri realm,
string relyingPartyName, DateTime startDate, DateTime endDate,
byte[] tokenSigningKey, int tokenLifetime)
{
Contract.Requires(svc != null);
Contract.Requires(realm != null);
Contract.Requires(realm.IsAbsoluteUri);
Contract.Requires(realm.AbsolutePath == "/");
Contract.Requires(!string.IsNullOrWhiteSpace(relyingPartyName));
Contract.Requires(startDate != default(DateTime));
Contract.Requires(endDate > startDate);
Contract.Requires(tokenSigningKey != null);
Contract.Requires(tokenLifetime >= 1);
var relyingParty = new RelyingParty()
{
Name = relyingPartyName,
AsymmetricTokenEncryptionRequired = false,
TokenType = "SWT",
TokenLifetime = tokenLifetime
};
svc.AddToRelyingParties(relyingParty);
var relyingPartyAddress = new RelyingPartyAddress()
{
Address = realm.AbsoluteUri,
EndpointType = "Realm"
};
svc.AddRelatedObject(relyingParty, "RelyingPartyAddresses", relyingPartyAddress);
var relyingPartyKey = new RelyingPartyKey()
{
StartDate = startDate,
EndDate = endDate,
Type = "Symmetric",
Usage = "Signing",
IsPrimary = true,
Value = tokenSigningKey
};
svc.AddRelatedObject(relyingParty, "RelyingPartyKeys", relyingPartyKey);
svc.SaveChanges(SaveChangesOptions.Batch);
return(relyingParty);
}
static void UpdateSampleRelyingParty(string relyingPartyName)
{
ManagementService svc = ManagementServiceHelper.CreateManagementServiceClient();
// Retrieve Relying Party and then delete it
RelyingParty relyingParty = svc.RelyingParties.Expand("RelyingPartyAddresses").Where(m => m.Name == relyingPartyName).FirstOrDefault();
if (relyingParty != null)
{
// update DisplayName
relyingParty.DisplayName = "TestRelyingPartyNewDisplayName";
//update Realm
RelyingPartyAddress realm = relyingParty.RelyingPartyAddresses.Where(m => m.EndpointType == "Realm").FirstOrDefault();
if (realm != null)
{
realm.Address = "http://TestRelyingParty/NewRealm";
svc.UpdateObject(realm);
}
svc.UpdateObject(relyingParty);
svc.SaveChangesBatch();
}
}
public static AccessControlList GetAccessControlList(Uri relyingPartyUri, AccessControlSettings settings)
{
string localPath = relyingPartyUri.LocalPath;
relyingPartyUri =
new UriBuilder(relyingPartyUri)
{
Scheme = "http", Port = -1, Path = localPath.Substring(0, localPath.EndsWith("/") ? localPath.Length - 1 : localPath.Length)
}.Uri;
string relyingPartyAddress = relyingPartyUri.AbsoluteUri;
ManagementService serviceClient = ManagementServiceHelper.CreateManagementServiceClient(settings);
RelyingPartyAddress longestPrefixRpAddress = GetLongestPrefixRelyingPartyAddress(serviceClient, relyingPartyAddress);
if (longestPrefixRpAddress != null)
{
RelyingParty relyingParty = GetRelyingPartyByAddress(serviceClient, longestPrefixRpAddress);
if (relyingParty != null)
{
return(new AccessControlList(relyingPartyUri, relyingParty, serviceClient));
}
}
throw new InvalidOperationException();
}
private static void CreateRelyingParty(ManagementService client, string relyingPartyName, string ruleGroupName, string realmAddress, string replyAddress, TokenType tokenType, int tokenLifetime, bool asymmetricTokenEncryptionRequired, out RelyingParty relyingParty)
{
// Create Relying Party
relyingParty = new RelyingParty
{
Name = relyingPartyName,
DisplayName = relyingPartyName,
Description = relyingPartyName,
TokenType = tokenType.ToString(),
TokenLifetime = tokenLifetime,
AsymmetricTokenEncryptionRequired = asymmetricTokenEncryptionRequired
};
client.AddObject("RelyingParties", relyingParty);
client.SaveChanges();
if (!string.IsNullOrWhiteSpace(ruleGroupName))
{
RuleGroup ruleGroup = client.RuleGroups.Where(rg => rg.Name.Equals(ruleGroupName, StringComparison.OrdinalIgnoreCase)).FirstOrDefault();
if (ruleGroup == null)
{
ruleGroup = new RuleGroup
{
Name = ruleGroupName
};
client.AddToRuleGroups(ruleGroup);
client.SaveChanges();
}
var relyingPartyRuleGroup = new RelyingPartyRuleGroup
{
RuleGroupId = ruleGroup.Id,
RelyingParty = relyingParty
};
client.AddRelatedObject(relyingParty, "RelyingPartyRuleGroups", relyingPartyRuleGroup);
}
// Create the Realm for Relying Party
var realm = new RelyingPartyAddress
{
Address = realmAddress,
EndpointType = RelyingPartyAddressEndpointType.Realm.ToString(),
RelyingParty = relyingParty
};
client.AddRelatedObject(relyingParty, "RelyingPartyAddresses", realm);
if (!string.IsNullOrEmpty(replyAddress))
{
var reply = new RelyingPartyAddress
{
Address = replyAddress,
EndpointType = RelyingPartyAddressEndpointType.Reply.ToString(),
RelyingParty = relyingParty
};
client.AddRelatedObject(relyingParty, "RelyingPartyAddresses", reply);
}
client.SaveChanges(SaveChangesOptions.Batch);
}
static RelyingParty GetRelyingPartyByAddress(ManagementService serviceClient, RelyingPartyAddress longestPrefixRpAddress)
{
return((from rp in serviceClient.RelyingParties.Expand("RelyingPartyAddresses,RelyingPartyIdentityProviders,RelyingPartyRuleGroups")
where rp.Id == longestPrefixRpAddress.RelyingPartyId
select rp).FirstOrDefault());
}
public static RelyingPartyAddress CreateRelyingPartyAddress(long ID, long relyingPartyId, bool systemReserved)
{
RelyingPartyAddress relyingPartyAddress = new RelyingPartyAddress();
relyingPartyAddress.Id = ID;
relyingPartyAddress.RelyingPartyId = relyingPartyId;
relyingPartyAddress.SystemReserved = systemReserved;
return relyingPartyAddress;
}
public void AddToRelyingPartyAddresses(RelyingPartyAddress relyingPartyAddress)
{
base.AddObject("RelyingPartyAddresses", relyingPartyAddress);
}
public void SaveChanges()
{
foreach (var segmentRuleGroup in this.ruleGroups)
{
if (segmentRuleGroup.RuleGroup == null)
{
segmentRuleGroup.RuleGroup = this.serviceClient.CreateRuleGroup(segmentRuleGroup.Uri.AbsoluteUri);
this.serviceClient.SaveChanges();
}
}
var ruleGroup = this.ruleGroups.Last().RuleGroup;
foreach (var accessControlRule in this.localRules)
{
if (accessControlRule.Deleted)
{
if (accessControlRule.Rule != null)
{
this.serviceClient.DeleteObject(accessControlRule.Rule);
}
}
else if (accessControlRule.Rule != null)
{
if (accessControlRule.PrepareChanges())
{
this.serviceClient.UpdateObject(accessControlRule.Rule);
}
}
else
{
this.serviceClient.CreateRule(
this.serviceClient.GetIssuerByName(accessControlRule.Condition.IssuerName),
accessControlRule.Condition.ClaimType,
accessControlRule.Condition.ClaimValue,
accessControlRule.Right.ClaimType,
accessControlRule.Right.ClaimValue,
ruleGroup,
accessControlRule.Description);
}
}
this.serviceClient.SaveChanges();
if (this.newRelyingPartyRequired)
{
var rpaddress = this.relyingPartyUri.AbsoluteUri;
var rp = this.serviceClient.GetRelyingPartyByName(rpaddress, true);
if (rp == null)
{
rp = new RelyingParty();
rp.DisplayName = rp.Name = rpaddress;
rp.Description = String.Empty;
rp.TokenLifetime = this.relyingParty.TokenLifetime;
rp.TokenType = this.relyingParty.TokenType;
rp.AsymmetricTokenEncryptionRequired = this.relyingParty.AsymmetricTokenEncryptionRequired;
this.serviceClient.AddToRelyingParties(rp);
}
if (rp.RelyingPartyAddresses.Count == 0)
{
var rpa = new RelyingPartyAddress {
Address = rpaddress, EndpointType = "Realm"
};
this.serviceClient.AddRelatedObject(rp, "RelyingPartyAddresses", rpa);
}
this.serviceClient.SaveChanges();
foreach (var segmentRuleGroup in this.ruleGroups)
{
var relyingPartyRuleGroup = new RelyingPartyRuleGroup();
relyingPartyRuleGroup.RelyingPartyId = rp.Id;
relyingPartyRuleGroup.RuleGroupId = segmentRuleGroup.RuleGroup.Id;
this.serviceClient.AddToRelyingPartyRuleGroups(relyingPartyRuleGroup);
}
this.serviceClient.SaveChanges();
}
else
{
foreach (var segmentRuleGroup in this.ruleGroups)
{
var grpid = segmentRuleGroup.RuleGroup.Id;
if (!this.relyingParty.RelyingPartyRuleGroups.Any(i => i.RuleGroupId == grpid))
{
var relyingPartyRuleGroup = new RelyingPartyRuleGroup();
relyingPartyRuleGroup.RelyingPartyId = this.relyingParty.Id;
relyingPartyRuleGroup.RuleGroupId = segmentRuleGroup.RuleGroup.Id;
this.serviceClient.AddToRelyingPartyRuleGroups(relyingPartyRuleGroup);
}
}
this.serviceClient.SaveChanges();
}
}
