public void Saml2AuthenticationRequest_ToXElement_RootNode()
{
var x = new Saml2AuthenticationRequest().ToXElement();
x.Should().NotBeNull().And.Subject.Name.Should().Be(
Saml2Namespaces.Saml2P + "AuthnRequest");
}
public void Saml2AuthenticationRequest_Read_ShouldReturnNullOnNullXml()
{
string xmlData = null;
var subject = Saml2AuthenticationRequest.Read(xmlData, null);
subject.Should().BeNull();
}
public void Saml2AuthenticationRequest_ForceAuthentication_OmittedIfFalse()
{
var subject = new Saml2AuthenticationRequest()
{
ForceAuthentication = false
}.ToXElement();
subject.Should().NotBeNull().And.Subject.Attribute("ForceAuthn").Should().BeNull();
}
public void Saml2AuthenticationRequest_ToXElement_AddsAttributeConsumingServiceIndex()
{
var subject = new Saml2AuthenticationRequest()
{
AttributeConsumingServiceIndex = 17
}.ToXElement();
subject.Attribute("AttributeConsumingServiceIndex").Value.Should().Be("17");
}
public void SignInCommand_Run_Calls_Notifications()
{
var options = StubFactory.CreateOptions();
var idp = options.IdentityProviders.Default;
var relayData = new Dictionary <string, string>();
options.SPOptions.DiscoveryServiceUrl = null;
var request = new HttpRequestData("GET",
new Uri("http://sp.example.com"));
var selectedIdpCalled = false;
options.Notifications.SelectIdentityProvider =
(ei, r) =>
{
ei.Should().BeSameAs(idp.EntityId);
r.Should().BeSameAs(relayData);
selectedIdpCalled = true;
return(null);
};
Saml2AuthenticationRequest saml2AuthenticationRequest = null;
options.Notifications.AuthenticationRequestCreated = (a, i, r) =>
{
a.Should().NotBeNull();
i.Should().BeSameAs(idp);
r.Should().BeSameAs(relayData);
saml2AuthenticationRequest = a;
};
CommandResult notifiedCommandResult = null;
options.Notifications.SignInCommandResultCreated = (cr, r) =>
{
notifiedCommandResult = cr;
r.Should().BeSameAs(relayData);
};
bool authenticationRequestXmlCreatedCalled = false;
options.Notifications.AuthenticationRequestXmlCreated = (ar, xd, bt) =>
{
authenticationRequestXmlCreatedCalled = true;
ar.Should().BeSameAs(saml2AuthenticationRequest);
bt.Should().Be(Saml2BindingType.HttpRedirect);
};
SignInCommand.Run(idp.EntityId, null, request, options, relayData)
.Should().BeSameAs(notifiedCommandResult);
saml2AuthenticationRequest.Should().NotBeNull("the AuthenticationRequestCreated notification should have been called");
selectedIdpCalled.Should().BeTrue("the SelectIdentityProvider notification should have been called.");
authenticationRequestXmlCreatedCalled.Should().BeTrue("the AuthenticationedRequestXmlCreated should have been called.");
}
public async Task <ActionResult> Index(HomePageModel model)
{
if (ModelState.IsValid)
{
var LDAPEndpoint = ConfigurationManager.AppSettings["LDAP.Endpoint"];
if (String.IsNullOrEmpty(LDAPEndpoint))
{
throw new ConfigurationErrorsException("ConfigurationManager.AppSettings[\"LDAP.Endpoint\"] should not be null.");
}
var client = new HttpClient();
var result = await client.PostAsJsonAsync(LDAPEndpoint, new { Username = model.Username, Password = model.Password });
if (!result.IsSuccessStatusCode)
{
if (result.StatusCode == HttpStatusCode.Unauthorized)
{
ModelState.AddModelError("LDAP.Endpoint", "Username or Password not valid.");
}
else
{
ModelState.AddModelError("LDAP.Endpoint", "An error has ocurred. Please contact administrator.");
}
return(View(model));
}
var assertionModel = AssertionModel.Create(nameId: model.Username);
var requestData = Request.ToHttpRequestData(true);
if (requestData.QueryString["SAMLRequest"].Any())
{
var extractedMessage = Saml2Binding.Get(Saml2BindingType.HttpRedirect)
.Unbind(requestData, null);
var request = new Saml2AuthenticationRequest(
extractedMessage.Data,
extractedMessage.RelayState);
assertionModel.InResponseTo = request.Id.Value;
assertionModel.AssertionConsumerServiceUrl = request.AssertionConsumerServiceUrl.ToString();
assertionModel.RelayState = extractedMessage.RelayState;
assertionModel.Audience = request.Issuer.Id;
assertionModel.AuthnRequestXml = extractedMessage.Data.PrettyPrint();
var response = assertionModel.ToSaml2Response();
return(Saml2Binding.Get(assertionModel.ResponseBinding)
.Bind(response).ToActionResult());
}
}
return(View(model));
}
public void Saml2AuthenticationRequest_ToXElement_ShouldHandleNullAcsUri()
{
var subject = new Saml2AuthenticationRequest()
{
AssertionConsumerServiceUrl = null
}.ToXElement();
subject.Should().NotBeNull().And.Subject.Attribute("AssertionConsumerServiceURL")
.Should().BeNull();
}
public void Saml2AuthenticationRequest_ToXElement_OmitsRequestedAuthnContext_OnNullClassRef()
{
var subject = new Saml2AuthenticationRequest()
{
AssertionConsumerServiceUrl = new Uri("http://destination.example.com"),
RequestedAuthnContext = new Saml2RequestedAuthnContext(null, AuthnContextComparisonType.Exact)
}.ToXElement();
subject.Element(Saml2Namespaces.Saml2P + "RequestedAuthnContext").Should().BeNull();
}
public void Saml2AuthenticationRequest_ForceAuthentication()
{
var subject = new Saml2AuthenticationRequest()
{
ForceAuthentication = true
}.ToXElement();
subject.Should().NotBeNull().And.Subject.Attribute("ForceAuthn")
.Should().NotBeNull().And.Subject.Value.Should().Be("true");
}
public void Saml2AuthenticationRequest_ToXElement_AddsRequestBaseFields()
{
// Just checking for the id field and assuming that means that the
// base fields are added. The details of the fields are tested
// by Saml2RequestBaseTests.
var x = new Saml2AuthenticationRequest().ToXElement();
x.Should().NotBeNull().And.Subject.Attribute("ID").Should().NotBeNull();
}
public void Saml2AuthenticationRequest_ToXElement_AddsRequestBaseFields()
{
// Just checking for the id field and assuming that means that the
// base fields are added. The details of the fields are tested
// by Saml2RequestBaseTests.
var x = new Saml2AuthenticationRequest().ToXElement();
x.Should().NotBeNull().And.Subject.Attribute("ID").Should().NotBeNull();
}
public void Saml2AuthenticationRequest_IsPassive()
{
var subject = new Saml2AuthenticationRequest()
{
IsPassive = true
}.ToXElement();
subject.Should().NotBeNull().And.Subject.Attribute("IsPassive")
.Should().NotBeNull().And.Subject.Value.Should().Be("true");
}
private void Saml2AuthenticationRequest_ToXElement_AddsProtocolBinding(AuthServices.WebSso.Saml2BindingType protocolBinding, string expectedProtocolBinding)
{
var subject = new Saml2AuthenticationRequest()
{
AssertionConsumerServiceUrl = new Uri("http://destination.example.com"),
Binding = protocolBinding
}.ToXElement();
subject.Attribute("ProtocolBinding").Value.Should().Equals(expectedProtocolBinding);
}
public void Saml2AuthenticationRequest_AssertionConsumerServiceUrl()
{
string url = "http://some.example.com/Saml2AuthenticationModule/acs";
var x = new Saml2AuthenticationRequest()
{
AssertionConsumerServiceUrl = new Uri(url)
}.ToXElement();
x.Should().NotBeNull().And.Subject.Attribute("AssertionConsumerServiceURL")
.Should().NotBeNull().And.Subject.Value.Should().Be(url);
}
public void Saml2AuthenticationRequest_AssertionConsumerServiceUrl()
{
string url = "http://some.example.com/Saml2AuthenticationModule/acs";
var subject = new Saml2AuthenticationRequest()
{
AssertionConsumerServiceUrl = new Uri(url)
}.ToXElement();
subject.Should().NotBeNull().And.Subject.Attribute("AssertionConsumerServiceURL")
.Should().NotBeNull().And.Subject.Value.Should().Be(url);
}
public void Saml2AuthenticationRequest_ToXElement_ShouldCorrectSerializeAcsUri()
{
var url = "http://some.example.com/Saml2AuthenticationModule/acs?RelayState=https%3A%2F%2Fmy.relaystate.nl";
var subject = new Saml2AuthenticationRequest()
{
AssertionConsumerServiceUrl = new Uri(url)
}.ToXElement();
subject.Should().NotBeNull().And.Subject.Attribute("AssertionConsumerServiceURL")
.Should().NotBeNull().And.Subject.Value.Should().Be(url);
}
public void Saml2AuthenticationRequest_ToXElement_NameFormatTransientForbidsAllowCreate()
{
var subject = new Saml2AuthenticationRequest()
{
AssertionConsumerServiceUrl = new Uri("http://destination.example.com"),
NameIdPolicy = new Saml2NameIdPolicy(true, NameIdFormat.Transient)
};
subject.Invoking(s => s.ToXElement())
.ShouldThrow <InvalidOperationException>()
.And.Message.Should().Be("When NameIdPolicy/Format is set to Transient, it is not permitted to specify AllowCreate. Change Format or leave AllowCreate as null.");
}
public void Saml2AuthenticationRequest_Extensions()
{
var request = new Saml2AuthenticationRequest();
request.ExtensionContents.Add(new XElement(XNamespace.Get("test") + "aditional"));
var subject = request.ToXElement();
subject.Should().NotBeNull().And.Subject
.Element(Saml2Namespaces.Saml2P + "Extensions").Should().NotBeNull().And.Subject
.Elements().Should().HaveCount(1).And.Subject
.First().Name.LocalName.Should().Be("aditional");
}
public void Saml2AuthenticationRequest_ToXml_PreservesCustomChanges()
{
var subject = new Saml2AuthenticationRequest();
subject.XmlCreated += (s, e) =>
{
e.Add(new XAttribute("CustomAttribute", "CustomValue"));
};
var xml = subject.ToXml();
xml.Should().Contain("CustomAttribute=\"CustomValue\"");
}
public ActionResult Index()
{
var model = AssertionModel.CreateFromConfiguration();
var request = Saml2AuthenticationRequest.Read(Saml2Binding.Get(Saml2BindingType.HttpRedirect).Unbind(Request));
if (request != null)
{
model.InResponseTo = request.Id;
model.AssertionConsumerServiceUrl = request.AssertionConsumerServiceUrl.ToString();
}
return(View(model));
}
public void Saml2AuthenticationRequest_ToXElement_Scoping_NullContents_EmptyScoping()
{
var subject = new Saml2AuthenticationRequest()
{
AssertionConsumerServiceUrl = new Uri("http://destination.example.com"),
Scoping = new Saml2Scoping()
}.ToXElement().Element(Saml2Namespaces.Saml2P + "Scoping");
var expected = new XElement(Saml2Namespaces.Saml2P + "root",
new XAttribute(XNamespace.Xmlns + "saml2p", Saml2Namespaces.Saml2P),
new XElement(Saml2Namespaces.Saml2P + "Scoping"))
.Elements().Single();
subject.Should().BeEquivalentTo(expected);
}
public void Saml2AuthenticationRequest_ToXElement_AddsElementSaml2NameIdPolicy()
{
var subject = new Saml2AuthenticationRequest()
{
AssertionConsumerServiceUrl = new Uri("http://destination.example.com"),
NameIdPolicy = new Saml2NameIdPolicy {
AllowCreate = false, Format = NameIdFormat.EmailAddress
}
}.ToXElement();
XNamespace ns = "urn:oasis:names:tc:SAML:2.0:protocol";
subject.Attribute("AttributeConsumingServiceIndex").Should().BeNull();
subject.Should().NotBeNull().And.Subject.Element(ns + "NameIDPolicy").Should().NotBeNull();
}
public ActionResult Index(Guid?idpId)
{
var model = new HomePageModel
{
AssertionModel = AssertionModel.CreateFromConfiguration(),
};
if (idpId.HasValue)
{
var fileData = GetCachedConfiguration(idpId.Value);
if (fileData != null)
{
if (!string.IsNullOrEmpty(fileData.DefaultAssertionConsumerServiceUrl))
{
// Override default StubIdp Acs with Acs from IdpConfiguration
model.AssertionModel.AssertionConsumerServiceUrl = fileData.DefaultAssertionConsumerServiceUrl;
}
if (!string.IsNullOrEmpty(fileData.DefaultAssertionConsumerServiceUrl))
{
model.AssertionModel.Audience = fileData.DefaultAudience;
}
model.CustomDescription = fileData.IdpDescription;
model.AssertionModel.NameId = null;
model.HideDetails = fileData.HideDetails;
}
}
var requestData = Request.ToHttpRequestData(false);
if (requestData.QueryString["SAMLRequest"].Any())
{
var extractedMessage = Saml2Binding.Get(Saml2BindingType.HttpRedirect)
.Unbind(requestData, null);
var request = new Saml2AuthenticationRequest(
extractedMessage.Data,
extractedMessage.RelayState);
model.AssertionModel.InResponseTo = request.Id.Value;
model.AssertionModel.AssertionConsumerServiceUrl = request.AssertionConsumerServiceUrl.ToString();
model.AssertionModel.RelayState = extractedMessage.RelayState;
model.AssertionModel.Audience = request.Issuer.Id;
model.AssertionModel.AuthnRequestXml = extractedMessage.Data.PrettyPrint();
}
return(View(model));
}
public void Saml2AuthenticationRequest_ToXElement_AddsElementSaml2NameIdPolicy_ForNameIdFormat()
{
var subject = new Saml2AuthenticationRequest()
{
AssertionConsumerServiceUrl = new Uri("http://destination.example.com"),
NameIdPolicy = new Saml2NameIdPolicy(null, NameIdFormat.EmailAddress)
}.ToXElement();
var expected = new XElement(Saml2Namespaces.Saml2P + "root",
new XAttribute(XNamespace.Xmlns + "saml2p", Saml2Namespaces.Saml2P),
new XElement(Saml2Namespaces.Saml2P + "NameIDPolicy",
new XAttribute("Format", "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress")))
.Elements().Single();
subject.Element(Saml2Namespaces.Saml2P + "NameIDPolicy")
.Should().BeEquivalentTo(expected);
}
public void Saml2AuthenticationRequest_ToXElement_AddsElementSaml2NameIdPolicy_ForAllowCreate()
{
var subject = new Saml2AuthenticationRequest()
{
AssertionConsumerServiceUrl = new Uri("http://destination.example.com"),
NameIdPolicy = new Saml2NameIdPolicy(false, NameIdFormat.NotConfigured)
}.ToXElement();
var expected = new XElement(Saml2Namespaces.Saml2P + "root",
new XAttribute(XNamespace.Xmlns + "saml2p", Saml2Namespaces.Saml2P),
new XElement(Saml2Namespaces.Saml2P + "NameIDPolicy",
new XAttribute("AllowCreate", false)))
.Elements().Single();
subject.Attribute("AttributeConsumingServiceIndex").Should().BeNull();
subject.Element(Saml2Namespaces.Saml2P + "NameIDPolicy")
.Should().BeEquivalentTo(expected);
}
public void IdentityProvider_CreateAuthenticateRequest_BasicInfo()
{
var options = Options.FromConfiguration;
var idp = options.IdentityProviders.Default;
var urls = StubFactory.CreateAuthServicesUrls();
var subject = idp.CreateAuthenticateRequest(null, urls);
var expected = new Saml2AuthenticationRequest()
{
AssertionConsumerServiceUrl = urls.AssertionConsumerServiceUrl,
DestinationUrl = idp.SingleSignOnServiceUrl,
Issuer = options.SPOptions.EntityId,
AttributeConsumingServiceIndex = 0,
};
subject.ShouldBeEquivalentTo(expected, opt => opt.Excluding(au => au.Id));
}
public ActionResult Index()
{
var model = AssertionModel.CreateFromConfiguration();
var requestData = Request.ToHttpRequestData();
if (requestData.QueryString["SAMLRequest"].Any())
{
var decodedXmlData = Saml2Binding.Get(Saml2BindingType.HttpRedirect)
.Unbind(requestData);
var request = Saml2AuthenticationRequest.Read(decodedXmlData);
model.InResponseTo = request.Id;
model.AssertionConsumerServiceUrl = request.AssertionConsumerServiceUrl.ToString();
model.AuthnRequestXml = decodedXmlData;
}
return(View(model));
}
public void Saml2AuthenticationRequest_Read_NoACS()
{
var xmlData = @"<?xml version=""1.0"" encoding=""UTF-8""?>
<samlp:AuthnRequest
xmlns:samlp=""urn:oasis:names:tc:SAML:2.0:protocol""
xmlns:saml=""urn:oasis:names:tc:SAML:2.0:assertion""
ID=""Saml2AuthenticationRequest_Read_NoACS""
Version=""2.0""
Destination=""http://destination.example.com""
IssueInstant=""2004-12-05T09:21:59Z"">
<saml:Issuer>https://sp.example.com/SAML2</saml:Issuer>
/>
</samlp:AuthnRequest>
";
var subject = Saml2AuthenticationRequest.Read(xmlData, null);
subject.Id.Should().Be(new Saml2Id("Saml2AuthenticationRequest_Read_NoACS"));
subject.AssertionConsumerServiceUrl.Should().Be(null);
}
public void Saml2AuthenticationRequest_Read_NoFormat()
{
var xmlData = @"<?xml version=""1.0"" encoding=""UTF-8""?>
<saml2p:AuthnRequest xmlns:saml2p=""urn:oasis:names:tc:SAML:2.0:protocol""
xmlns:saml2 =""urn:oasis:names:tc:SAML:2.0:assertion""
ID=""ide3c2f1c88255463ab4eb1b158fa6f616""
Version=""2.0""
IssueInstant=""2016-01-25T13:01:09Z""
Destination=""http://destination.example.com""
AssertionConsumerServiceURL=""https://sp.example.com/SAML2/Acs""
>
<saml2:Issuer>https://sp.example.com/SAML2</saml2:Issuer>
<saml2p:NameIDPolicy AllowCreate = ""false""/>
</saml2p:AuthnRequest>";
var subject = Saml2AuthenticationRequest.Read(xmlData, null);
subject.NameIdPolicy.AllowCreate.Should().Be(false);
subject.NameIdPolicy.Format.Should().Be(NameIdFormat.NotConfigured);
}
private void Saml2AuthenticationRequest_ToXElement_AddsRequestedAuthnContextUtil(AuthnContextComparisonType comparisonType, string expectedComparisonType)
{
var classRef = "http://www.kentor.se";
var subject = new Saml2AuthenticationRequest()
{
AssertionConsumerServiceUrl = new Uri("http://destination.example.com"),
RequestedAuthnContext = new Saml2RequestedAuthnContext(new Uri(classRef), comparisonType)
}.ToXElement();
var expected = new XElement(Saml2Namespaces.Saml2P + "root",
new XAttribute(XNamespace.Xmlns + "saml2p", Saml2Namespaces.Saml2P),
new XAttribute(XNamespace.Xmlns + "saml2", Saml2Namespaces.Saml2),
new XElement(Saml2Namespaces.Saml2P + "RequestedAuthnContext",
new XAttribute("Comparison", expectedComparisonType),
new XElement(Saml2Namespaces.Saml2 + "AuthnContextClassRef", classRef)))
.Elements().Single();
var actual = subject.Element(Saml2Namespaces.Saml2P + "RequestedAuthnContext");
actual.Should().BeEquivalentTo(expected);
}
public void Saml2AuthenticationRequest_Read_ShouldThrowOnInvalidMessageName()
{
var xmlData = @"<?xml version=""1.0"" encoding=""UTF-8""?>
<samlp:NotAuthnRequest
xmlns:samlp=""urn:oasis:names:tc:SAML:2.0:protocol""
xmlns:saml=""urn:oasis:names:tc:SAML:2.0:assertion""
ID=""Saml2AuthenticationRequest_Read_ShouldThrowOnInvalidMessageName""
Version=""2.0""
Destination=""http://destination.example.com""
AssertionConsumerServiceURL=""https://sp.example.com/SAML2/Acs""
IssueInstant=""2004-12-05T09:21:59Z""
InResponseTo=""111222333"">
<saml:Issuer>https://sp.example.com/SAML2</saml:Issuer>
/>
</samlp:NotAuthnRequest>
";
Action a = () => Saml2AuthenticationRequest.Read(xmlData, null);
a.ShouldThrow <XmlException>().WithMessage("Expected a SAML2 authentication request document");
}
public void Saml2AuthenticationRequest_ToXElement_Scoping_ZeroProxyCount_AttributeAdded()
{
var subject = new Saml2AuthenticationRequest()
{
AssertionConsumerServiceUrl = new Uri("http://destination.example.com"),
Scoping = new Saml2Scoping()
{
ProxyCount = 0
}
};
var actual = subject.ToXElement().Element(Saml2Namespaces.Saml2P + "Scoping");
var expected = new XElement(Saml2Namespaces.Saml2P + "root",
new XAttribute(XNamespace.Xmlns + "saml2p", Saml2Namespaces.Saml2P),
new XElement(Saml2Namespaces.Saml2P + "Scoping",
new XAttribute("ProxyCount", "0")))
.Elements().Single();
actual.Should().BeEquivalentTo(expected);
}
public ActionResult Index(Guid?idpId)
{
var requestData = Request.ToHttpRequestData();
if (requestData.QueryString["SAMLRequest"].Any())
{
var decodedXmlData = Saml2Binding.Get(Saml2BindingType.HttpRedirect)
.Unbind(requestData);
var request = Saml2AuthenticationRequest.Read(decodedXmlData);
var model = new AssertionModel();
model.InResponseTo = request.Id;
model.AssertionConsumerServiceUrl = request.AssertionConsumerServiceUrl.ToString();
model.AuthnRequestXml = decodedXmlData;
model.NameId = ((ClaimsIdentity)User.Identity).Name;
var manager = SessionManager.Instance;
var response = model.ToSaml2Response();
manager.AddSession(model.NameId, new Session()
{
Id = Guid.Parse(request.Id.Substring(2)),
Ip = Request.UserHostAddress,
UserAgent = Request.UserAgent,
LogoutUrl = request.Issuer.Id,
Issuer = response.Issuer.Id
});
var commandResult = Saml2Binding.Get(Saml2BindingType.HttpPost)
.Bind(response);
return(commandResult.ToActionResult());
}
throw new InvalidOperationException();
}
/// <summary>
/// Create an authenticate request aimed for this idp.
/// </summary>
/// <param name="returnUrl">The return url where the browser should be sent after
/// successful authentication.</param>
/// <param name="authServicesUrls">Urls for AuthServices, used to populate fields
/// in the created AuthnRequest</param>
/// <param name="relayData">Aux data that should be preserved across the authentication</param>
/// <returns>AuthnRequest</returns>
public Saml2AuthenticationRequest CreateAuthenticateRequest(
Uri returnUrl,
AuthServicesUrls authServicesUrls,
object relayData)
{
if (authServicesUrls == null)
{
throw new ArgumentNullException("authServicesUrls");
}
var authnRequest = new Saml2AuthenticationRequest()
{
DestinationUrl = SingleSignOnServiceUrl,
AssertionConsumerServiceUrl = authServicesUrls.AssertionConsumerServiceUrl,
Issuer = spOptions.EntityId,
// For now we only support one attribute consuming service.
AttributeConsumingServiceIndex = spOptions.AttributeConsumingServices.Any() ? 0 : (int?)null
};
var responseData = new StoredRequestState(EntityId, returnUrl, relayData);
PendingAuthnRequests.Add(new Saml2Id(authnRequest.Id), responseData);
return authnRequest;
}
public Saml2AuthenticationRequest CreateAuthenticateRequest(
Uri returnUrl,
AuthServicesUrls authServicesUrls,
object relayData)
{
if (authServicesUrls == null)
{
throw new ArgumentNullException(nameof(authServicesUrls));
}
var authnRequest = new Saml2AuthenticationRequest()
{
DestinationUrl = SingleSignOnServiceUrl,
AssertionConsumerServiceUrl = authServicesUrls.AssertionConsumerServiceUrl,
Issuer = spOptions.EntityId,
// For now we only support one attribute consuming service.
AttributeConsumingServiceIndex = spOptions.AttributeConsumingServices.Any() ? 0 : (int?)null,
};
if(spOptions.AuthenticateRequestSigningBehavior == SigningBehavior.Always)
{
if(spOptions.SigningServiceCertificate == null)
{
throw new ConfigurationErrorsException(
string.Format(
CultureInfo.InvariantCulture,
"Idp \"{0}\" is configured for signed AuthenticateRequests, but ServiceCertificates configuration contains no certificate with usage \"Signing\" or \"Both\".",
EntityId.Id));
}
authnRequest.SigningCertificate = spOptions.SigningServiceCertificate;
}
var responseData = new StoredRequestState(EntityId, returnUrl, authnRequest.Id, relayData);
PendingAuthnRequests.Add(authnRequest.RelayState, responseData);
return authnRequest;
}
public Saml2AuthenticationRequest CreateAuthenticateRequest(
AuthServicesUrls authServicesUrls)
{
if (authServicesUrls == null)
{
throw new ArgumentNullException(nameof(authServicesUrls));
}
var authnRequest = new Saml2AuthenticationRequest()
{
DestinationUrl = SingleSignOnServiceUrl,
AssertionConsumerServiceUrl = authServicesUrls.AssertionConsumerServiceUrl,
Issuer = spOptions.EntityId,
// For now we only support one attribute consuming service.
AttributeConsumingServiceIndex = spOptions.AttributeConsumingServices.Any() ? 0 : (int?)null,
NameIdPolicy = spOptions.NameIdPolicy,
RequestedAuthnContext = spOptions.RequestedAuthnContext
};
if (spOptions.AuthenticateRequestSigningBehavior == SigningBehavior.Always
|| (spOptions.AuthenticateRequestSigningBehavior == SigningBehavior.IfIdpWantAuthnRequestsSigned
&& WantAuthnRequestsSigned))
{
if (spOptions.SigningServiceCertificate == null)
{
throw new ConfigurationErrorsException(
string.Format(
CultureInfo.InvariantCulture,
"Idp \"{0}\" is configured for signed AuthenticateRequests, but ServiceCertificates configuration contains no certificate with usage \"Signing\" or \"Both\". To resolve this issue you can a) add a service certificate with usage \"Signing\" or \"Both\" (default if not specified is \"Both\") or b) Set the AuthenticateRequestSigningBehavior configuration property to \"Never\".",
EntityId.Id));
}
authnRequest.SigningCertificate = spOptions.SigningServiceCertificate;
}
return authnRequest;
}