public Saml2HandlerTestContext()
{
var options = new Saml2Options();
options.SPOptions.EntityId = new EntityId("http://sp.example.com/saml2");
var idp = new IdentityProvider(
new EntityId("https://idp.example.com"),
options.SPOptions)
{
SingleSignOnServiceUrl = new Uri("https://idp.example.com/sso"),
Binding = Saml2BindingType.HttpRedirect
};
idp.SigningKeys.AddConfiguredKey(SignedXmlHelper.TestCert);
options.IdentityProviders.Add(idp);
Options = new DummyOptionsMonitor(options);
Subject = new Saml2Handler(
Options, LoggerFactory, UrlEncoder, Clock, new StubDataProtector());
Subject.InitializeAsync(AuthenticationScheme, HttpContext)
.Wait();
}
public ExtendedSaml2SecurityTokenHandlerTests(Saml2TestFixture fixture, ITestOutputHelper output)
{
_fixture = fixture;
_output = output;
_options = new Saml2Options();
_handler = new ExtendedSaml2SecurityTokenHandler(new ExtendedSaml2Serializer(), _options);
}
public void Saml2Options_Ctor_Defaults()
{
var subject = new Saml2Options();
subject.CallbackPath.Value.Should()
.Match("*CallbackPath*ModulePath*");
}
public void PostConfigureSaml2Options_PostConfigure_ProvidesDefaultCookieManager()
{
var options = new Saml2Options();
var subject = new PostConfigureSaml2Options( null,
TestHelpers.GetAuthenticationOptions() );
subject.PostConfigure( null, options );
options.CookieManager.Should().NotBeNull();
}
public void PostConfigureSaml2Options_PostConfigure_NullLoggerFactoryGivesNullLogger()
{
var options = new Saml2Options();
options.SPOptions.Logger.Should().BeNull("Precondition");
var subject = new PostConfigureSaml2Options(null);
subject.PostConfigure(null, options);
options.SPOptions.Logger.Should().BeOfType <NullLoggerAdapter>();
}
public void PostConfigureSaml2Options_PostConfigure_EnsureSignInSchemePreservesSetScheme()
{
var options = new Saml2Options();
options.SignInScheme = "specificSignInScheme";
var subject = new PostConfigureSaml2Options(null,
TestHelpers.GetAuthenticationOptions());
subject.PostConfigure(null, options);
options.SignInScheme.Should().Be("specificSignInScheme");
}
public void PostConfigureSaml2Options_PostConfigure_CustomCookieManagerIsUsed()
{
var options = new Saml2Options();
var cookieManager = Substitute.For<ICookieManager>();
options.CookieManager = cookieManager;
var subject = new PostConfigureSaml2Options( null,
TestHelpers.GetAuthenticationOptions() );
subject.PostConfigure( null, options );
options.CookieManager.Should().BeSameAs( cookieManager );
}
public void PostConfigureSaml2Options_PostConfigure_EnsureSignInSchemeAssignsDefaultSignInScheme()
{
var options = new Saml2Options();
options.SignInScheme.Should().BeNull("Precondition");
var subject = new PostConfigureSaml2Options(null,
TestHelpers.GetAuthenticationOptions());
subject.PostConfigure(null, options);
options.SignInScheme.Should().Be(TestHelpers.defaultSignInScheme);
}
public void PostConfigureSaml2Options_PostConfigure_EnsureSignInSchemeFallbackDefaultScheme()
{
var options = new Saml2Options();
options.SignInScheme.Should().BeNull("Precondition");
var authOptions = TestHelpers.GetAuthenticationOptions();
authOptions.Value.DefaultSignInScheme = null;
authOptions.Value.DefaultScheme = "defaultScheme";
var subject = new PostConfigureSaml2Options(null,authOptions);
subject.PostConfigure(null, options);
options.SignInScheme.Should().Be("defaultScheme");
}
public void PostConfigureSaml2Options_PostConfigure_Logger()
{
var options = new Saml2Options();
options.SPOptions.Logger.Should().BeNull("Precondition");
var loggerFactory = Substitute.For<ILoggerFactory>();
var logger = new MockLogger();
loggerFactory.CreateLogger<Saml2Handler>().Returns(logger);
var subject = new PostConfigureSaml2Options(
loggerFactory, TestHelpers.GetAuthenticationOptions());
subject.PostConfigure(null, options);
logger.ReceivedLogLevel.Should().Be(LogLevel.Debug);
logger.ReceivedMessage.Should().Match("*enabled*");
}
public void Saml2AuthExtensions_AddSaml2_RegistersSaml2Scheme_DefaultScheme()
{
IServiceCollection serviceCollection = new ServiceCollection();
var builder = new AuthenticationBuilder(serviceCollection);
var configureOptionsCalled = false;
builder.AddSaml2(options =>
{
configureOptionsCalled = true;
}).Should().BeSameAs(builder);
serviceCollection.Should().Contain(
sc => sc.ImplementationType == typeof(Saml2Handler));
serviceCollection.Should().Contain(
sc => sc.ImplementationType == typeof(PostConfigureSaml2Options));
var authOptions = new AuthenticationOptions();
serviceCollection.Single(sd => sd.ServiceType == typeof(IConfigureOptions <AuthenticationOptions>))
.ImplementationInstance.As <IConfigureOptions <AuthenticationOptions> >()
.Configure(authOptions);
var saml2Scheme = authOptions.Schemes.Single();
saml2Scheme.Name.Should().Be(Saml2Defaults.Scheme);
saml2Scheme.DisplayName.Should().Be(Saml2Defaults.DisplayName);
saml2Scheme.HandlerType.Should().Be(typeof(Saml2Handler));
var saml2Options = new Saml2Options();
serviceCollection.Single(sd => sd.ServiceType == typeof(IConfigureOptions <Saml2Options>))
.ImplementationInstance.As <ConfigureNamedOptions <Saml2Options> >()
.Configure(Saml2Defaults.Scheme, saml2Options);
configureOptionsCalled.Should().BeTrue();
}
public SessionCookieBuilder(Saml2Options options)
{
_options = options;
}
public static async Task <bool> CouldHandleAsync(this Saml2Options options, string scheme, HttpContext context)
{
// Determine this is a valid request for our handler
if (!context.Request.Path.StartsWithSegments(options.SPOptions.ModulePath, StringComparison.Ordinal))
{
return(false);
}
var idp = options.IdentityProviders.IsEmpty ? null : options.IdentityProviders.Default;
if (idp == null)
{
return(false);
}
if (context.Request.Query["scheme"].FirstOrDefault() == scheme)
{
return(true);
}
// Determine if the Authority matches the Referrer (short-cut)
var referrer = context.Request.Headers["Referer"].FirstOrDefault();
if (!string.IsNullOrWhiteSpace(referrer) &&
Uri.TryCreate(referrer, UriKind.Absolute, out var referrerUri) &&
(referrerUri.IsBaseOf(idp.SingleSignOnServiceUrl) ||
idp.SingleSignOnServiceUrl.IsBaseOf(referrerUri) ||
referrerUri.IsBaseOf(idp.SingleLogoutServiceUrl) ||
idp.SingleLogoutServiceUrl.IsBaseOf(referrerUri) ||
referrerUri.IsBaseOf(idp.SingleLogoutServiceResponseUrl) ||
idp.SingleLogoutServiceResponseUrl.IsBaseOf(referrerUri)))
{
return(true);
}
// We need to pull out and parse the response or request SAML envelope
XmlElement assertion = null;
try
{
if (string.Equals(context.Request.Method, "POST", StringComparison.OrdinalIgnoreCase) &&
context.Request.HasFormContentType)
{
string encodedMessage;
if (context.Request.Form.TryGetValue("SAMLResponse", out var response))
{
encodedMessage = response.FirstOrDefault();
}
else
{
encodedMessage = context.Request.Form["SAMLRequest"];
}
if (string.IsNullOrWhiteSpace(encodedMessage))
{
return(false);
}
assertion = XmlHelpers.XmlDocumentFromString(
Encoding.UTF8.GetString(Convert.FromBase64String(encodedMessage)))?.DocumentElement;
}
else if (string.Equals(context.Request.Method, "GET", StringComparison.OrdinalIgnoreCase))
{
var encodedPayload = context.Request.Query["SAMLRequest"].FirstOrDefault() ??
context.Request.Query["SAMLResponse"].FirstOrDefault();
try
{
var payload = Convert.FromBase64String(encodedPayload);
using var compressed = new MemoryStream(payload);
using var decompressedStream = new DeflateStream(compressed, CompressionMode.Decompress, true);
using var deCompressed = new MemoryStream();
await decompressedStream.CopyToAsync(deCompressed);
assertion = XmlHelpers.XmlDocumentFromString(
Encoding.UTF8.GetString(deCompressed.GetBuffer(), 0, (int)deCompressed.Length))?.DocumentElement;
}
catch (FormatException ex)
{
throw new FormatException($"\'{encodedPayload}\' is not a valid Base64 encoded string: {ex.Message}", ex);
}
}
}
catch
{
return(false);
}
if (assertion == null)
{
return(false);
}
// Double check the entity Ids
var entityId = assertion["Issuer", Saml2Namespaces.Saml2Name]?.InnerText.Trim();
return(string.Equals(entityId, idp.EntityId.Id, StringComparison.InvariantCultureIgnoreCase));
}
public static string ToXmlMetadata(this Saml2Options options)
{
IndexedEndpointType[] AssertionConsumerService = options.ServiceProvider.AssertionConsumerServices;
EndpointType[] SingleLogoutServices = options.ServiceProvider.SingleLogoutServices;
SamlCore.AspNetCore.Authentication.Saml2.Metadata.KeyDescriptorType[] KeyDescriptor = null;
if (options.hasCertificate)
{
KeyDescriptor = new SamlCore.AspNetCore.Authentication.Saml2.Metadata.KeyDescriptorType[]
{
new SamlCore.AspNetCore.Authentication.Saml2.Metadata.KeyDescriptorType()
{
useSpecified = true,
use = KeyTypes.signing,
KeyInfo = new SamlCore.AspNetCore.Authentication.Saml2.Metadata.KeyInfoType()
{
ItemsElementName = new [] { SamlCore.AspNetCore.Authentication.Saml2.Metadata.ItemsChoiceType2.X509Data },
Items = new SamlCore.AspNetCore.Authentication.Saml2.Metadata.X509DataType[]
{
new SamlCore.AspNetCore.Authentication.Saml2.Metadata.X509DataType()
{
Items = new object[] { options.ServiceProvider.X509Certificate2.GetRawCertData() },
ItemsElementName = new [] { SamlCore.AspNetCore.Authentication.Saml2.Metadata.ItemsChoiceType.X509Certificate }
}
}
}
},
new SamlCore.AspNetCore.Authentication.Saml2.Metadata.KeyDescriptorType()
{
useSpecified = true,
use = KeyTypes.encryption,
KeyInfo = new SamlCore.AspNetCore.Authentication.Saml2.Metadata.KeyInfoType()
{
ItemsElementName = new [] { SamlCore.AspNetCore.Authentication.Saml2.Metadata.ItemsChoiceType2.X509Data },
Items = new SamlCore.AspNetCore.Authentication.Saml2.Metadata.X509DataType[]
{
new SamlCore.AspNetCore.Authentication.Saml2.Metadata.X509DataType()
{
Items = new object[] { options.ServiceProvider.X509Certificate2.GetRawCertData() },
ItemsElementName = new [] { SamlCore.AspNetCore.Authentication.Saml2.Metadata.ItemsChoiceType.X509Certificate }
}
}
}
}
};
}
var entityDescriptor = new EntityDescriptorType()
{
entityID = options.ServiceProvider.EntityId,
Items = new object[]
{
new SPSSODescriptorType()
{
NameIDFormat = new [] { Saml2Constants.NameIDFormats.Email },
protocolSupportEnumeration = new [] { Saml2Constants.Namespaces.Protocol },
AuthnRequestsSignedSpecified = true,
AuthnRequestsSigned = options.hasCertificate,
WantAssertionsSignedSpecified = true,
WantAssertionsSigned = options.WantAssertionsSigned,
KeyDescriptor = KeyDescriptor,
SingleLogoutService = SingleLogoutServices,
AssertionConsumerService = AssertionConsumerService,
AttributeConsumingService = new AttributeConsumingServiceType[]
{
new AttributeConsumingServiceType
{
ServiceName = new localizedNameType[]
{
new localizedNameType()
{
Value = options.ServiceProvider.ServiceName,
lang = options.ServiceProvider.Language
}
},
ServiceDescription = new localizedNameType[]
{
new localizedNameType()
{
Value = options.ServiceProvider.ServiceDescription,
lang = options.ServiceProvider.Language
}
},
index = 0,
isDefault = true,
isDefaultSpecified = true,
RequestedAttribute = options.RequestedAttributes.ToArray()
}
},
Organization = new OrganizationType()
{
OrganizationDisplayName = new localizedNameType[] {
new localizedNameType
{
lang = options.ServiceProvider.Language,
Value = options.ServiceProvider.OrganizationDisplayName
},
},
OrganizationName = new localizedNameType[] {
new localizedNameType
{
lang = options.ServiceProvider.Language,
Value = options.ServiceProvider.OrganizationName
},
},
OrganizationURL = new localizedURIType[] {
new localizedURIType
{
lang = options.ServiceProvider.Language,
Value = options.ServiceProvider.OrganizationURL
},
},
},
},
},
ContactPerson = new ContactType[]
{
new ContactType()
{
Company = options.ServiceProvider.ContactPerson.Company,
GivenName = options.ServiceProvider.ContactPerson.GivenName,
EmailAddress = options.ServiceProvider.ContactPerson.EmailAddress,
contactType = options.ServiceProvider.ContactPerson.contactType,
TelephoneNumber = options.ServiceProvider.ContactPerson.TelephoneNumber
}
}
};
//generate the sp metadata xml file
string xmlTemplate = string.Empty;
XmlSerializer xmlSerializer = new XmlSerializer(typeof(EntityDescriptorType));
using (MemoryStream memStm = new MemoryStream())
{
xmlSerializer.Serialize(memStm, entityDescriptor);
memStm.Position = 0;
xmlTemplate = new StreamReader(memStm).ReadToEnd();
}
return(xmlTemplate);
}
public static async Task <bool> CouldHandleAsync(this Saml2Options options, string scheme, HttpContext context)
{
// Determine this is a valid request for our handler
if (!context.Request.Path.StartsWithSegments(options.SPOptions.ModulePath, StringComparison.Ordinal))
{
return(false);
}
var idp = options.IdentityProviders.IsEmpty ? null : options.IdentityProviders.Default;
if (idp == null)
{
return(false);
}
if (context.Request.Query["scheme"].FirstOrDefault() == scheme)
{
return(true);
}
// We need to pull out and parse the response or request SAML envelope
XmlElement envelope = null;
try
{
if (string.Equals(context.Request.Method, "POST", StringComparison.OrdinalIgnoreCase) &&
context.Request.HasFormContentType)
{
string encodedMessage;
if (context.Request.Form.TryGetValue("SAMLResponse", out var response))
{
encodedMessage = response.FirstOrDefault();
}
else
{
encodedMessage = context.Request.Form["SAMLRequest"];
}
if (string.IsNullOrWhiteSpace(encodedMessage))
{
return(false);
}
envelope = XmlHelpers.XmlDocumentFromString(
Encoding.UTF8.GetString(Convert.FromBase64String(encodedMessage)))?.DocumentElement;
}
else if (string.Equals(context.Request.Method, "GET", StringComparison.OrdinalIgnoreCase))
{
var encodedPayload = context.Request.Query["SAMLRequest"].FirstOrDefault() ??
context.Request.Query["SAMLResponse"].FirstOrDefault();
try
{
var payload = Convert.FromBase64String(encodedPayload);
using var compressed = new MemoryStream(payload);
using var decompressedStream = new DeflateStream(compressed, CompressionMode.Decompress, true);
using var deCompressed = new MemoryStream();
await decompressedStream.CopyToAsync(deCompressed);
envelope = XmlHelpers.XmlDocumentFromString(
Encoding.UTF8.GetString(deCompressed.GetBuffer(), 0, (int)deCompressed.Length))?.DocumentElement;
}
catch (FormatException ex)
{
throw new FormatException($"\'{encodedPayload}\' is not a valid Base64 encoded string: {ex.Message}", ex);
}
}
}
catch
{
return(false);
}
if (envelope == null)
{
return(false);
}
// Double check the entity Ids
var entityId = envelope["Issuer", Saml2Namespaces.Saml2Name]?.InnerText.Trim();
if (!string.Equals(entityId, idp.EntityId.Id, StringComparison.InvariantCultureIgnoreCase))
{
return(false);
}
if (options.SPOptions.WantAssertionsSigned)
{
var assertion = envelope["Assertion", Saml2Namespaces.Saml2Name];
var isAssertionSigned = assertion != null && XmlHelpers.IsSignedByAny(assertion, idp.SigningKeys,
options.SPOptions.ValidateCertificates, options.SPOptions.MinIncomingSigningAlgorithm);
if (!isAssertionSigned)
{
throw new Exception("Cannot verify SAML assertion signature.");
}
}
return(true);
}
public async Task <IActionResult> Add([FromBody] SchemeData schemeData)
{
var schemeName = string.Format("{0}_{1}", schemeData.Domain, schemeData.Scheme);
if (schemeData.Scheme == "Google")
{
IOptionsMonitorCache <GoogleOptions> oAuthOptionsCache = serviceProvider.GetRequiredService <IOptionsMonitorCache <GoogleOptions> >();
OAuthPostConfigureOptions <GoogleOptions, GoogleHandler> oAuthPostConfigureOptions = serviceProvider.GetRequiredService <OAuthPostConfigureOptions <GoogleOptions, GoogleHandler> >();
if (await schemeProvider.GetSchemeAsync(schemeName) == null)
{
schemeProvider.AddScheme(new AuthenticationScheme(schemeName, schemeData.Scheme, typeof(GoogleHandler)));
}
else
{
oAuthOptionsCache.TryRemove(schemeName);
}
var options = new GoogleOptions
{
ClientId = "xxxxxxx",
ClientSecret = "xxxxxxxxxxxx"
};
oAuthPostConfigureOptions.PostConfigure(schemeName, options);
oAuthOptionsCache.TryAdd(schemeName, options);
}
else if (schemeData.Scheme == "Auth0")
{
IOptionsMonitorCache <Saml2Options> oAuthOptionsCache = serviceProvider.GetRequiredService <IOptionsMonitorCache <Saml2Options> >();
PostConfigureSaml2Options oAuthPostConfigureOptions = serviceProvider.GetRequiredService <PostConfigureSaml2Options>();
if (await schemeProvider.GetSchemeAsync(schemeName) == null)
{
schemeProvider.AddScheme(new AuthenticationScheme(schemeName, schemeData.Scheme, typeof(Saml2Handler)));
}
else
{
oAuthOptionsCache.TryRemove(schemeName);
}
//urn:ccidentity.auth0.com
var options = new Saml2Options();
options.SPOptions.EntityId = new EntityId("https://localhost:44332/auth0");
options.SPOptions.ModulePath = "/Saml2Auth0";
options.SPOptions.MinIncomingSigningAlgorithm = "http://www.w3.org/2000/09/xmldsig#rsa-sha1";
var idp = new IdentityProvider(new EntityId("urn:ccidentity.auth0.com"), options.SPOptions)
{
MetadataLocation = "https://xxxxxxxx/samlp/metadata/7HmaqIPuC32Pc95e0clSqN3n3ogzkTkP",
LoadMetadata = true,
AllowUnsolicitedAuthnResponse = true,
Binding = Saml2BindingType.HttpRedirect,
SingleSignOnServiceUrl = new Uri("https://xxxxxxx/samlp/7HmaqIPuC32Pc95e0clSqN3n3ogzkTkP"),
};
idp.SigningKeys.AddConfiguredKey(new X509Certificate2(Convert.FromBase64String("MIIDAzCCAeugAwIBAgIJLNhPpvvzUXRnMA0GCSqGSIb3DQEBCwUAMB8xHTAbBgNVBAMTFGNjaWRlbnRpdHkuYXV0aDAuY29tMB4XDTIwMDQwMTEwMTEzMVoXDTMzMTIwOTEwMTEzMVowHzEdMBsGA1UEAxMUY2NpZGVudGl0eS5hdXRoMC5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDXOaxVEhjYW+eT3YduAnRMGrJGcriVU1e3n3RXB6SPt4QsmXsOcdLItaqKthSKeRTkOtXvRANvve1YrEUeMwWzv9gsKoQrwM5fDKwG+chEJNxEZEtMmGfqasb++taLTduNPphSm1xs0RNHeeFXdJHt4QWVsCMJfH2RRUlRHaqj4niew/uzJOZNiWLnXp+03tiy5uwOyxyOhpMOX9QZqpSwHHzZ8OoLIIxynuSiWipZoeCoxrZKM3kHW9YlwLVZvcqAZhWTbut6sC+Y+1O1Sfh1tr6XxWzcP5GaMMV2xQPgPYYKjYMiMeFSe4E5P3R4QxmEoeOpAhWzHQbiyzMYLIO1AgMBAAGjQjBAMA8GA1UdEwEB/wQFMAMBAf8wHQYDVR0OBBYEFFldi8Vcq5IwPROX5ssxqm+uuQaZMA4GA1UdDwEB/wQEAwIChDANBgkqhkiG9w0BAQsFAAOCAQEA1DWRiUaTCHqPUQRzOOnuiSib2dga2Qd1v39dqaaHrLe345c0eo1yn0cE50xtSTlx++WeIQ3RbXCMm70Za3+AfQhTOisqiHS0Nb+ZrxkHFzl0JNgY4AHQFbYsM3QwZQLBjfhL3KyYoTiQRifn/L9N1F/ZJN5PatoybwwJAbo4V0Y1g9pMSWXhbUKJCBP3Eq/8LPx2erAs3RkheYtz+beviOiXNeNYvUNxmPNy+vpp/zvFG5q20vtK7a3EBbOh1pputoctmAfnGoyjZ06JDAa006iJiGwXlwNonBFClLwbds4H3fc9hv4RsCWlVVdcO+l5FL17nhMRYZUn74lGHOCMZg==")));
options.IdentityProviders.Add(idp);
oAuthPostConfigureOptions.PostConfigure(schemeName, options);
oAuthOptionsCache.TryAdd(schemeName, options);
}
else if (schemeData.Scheme == "Saml2")
{
IOptionsMonitorCache <Saml2Options> oAuthOptionsCache = serviceProvider.GetRequiredService <IOptionsMonitorCache <Saml2Options> >();
PostConfigureSaml2Options oAuthPostConfigureOptions = serviceProvider.GetRequiredService <PostConfigureSaml2Options>();
if (await schemeProvider.GetSchemeAsync(schemeName) == null)
{
schemeProvider.AddScheme(new AuthenticationScheme(schemeName, schemeData.Scheme, typeof(Saml2Handler)));
}
else
{
oAuthOptionsCache.TryRemove(schemeName);
}
var options = new Saml2Options();
options.SPOptions.EntityId = new EntityId("https://localhost:44332/Saml2");
options.SPOptions.MinIncomingSigningAlgorithm = "http://www.w3.org/2000/09/xmldsig#rsa-sha1";
var idp = new IdentityProvider(new EntityId("https://xxxxxxxxxxxx/adfs/services/trust"), options.SPOptions)
{
//MetadataLocation = "https://xxxxxxxxxxxx/FederationMetadata/2007-06/FederationMetadata.xml",
//LoadMetadata = true,
AllowUnsolicitedAuthnResponse = true,
Binding = Saml2BindingType.HttpRedirect,
SingleSignOnServiceUrl = new Uri("https://xxxxxxxxx/adfs/ls/"),
};
idp.SigningKeys.AddConfiguredKey(new X509Certificate2(Convert.FromBase64String("MIIC5jCCAc6gAwIBAgIQOMQMbu2YTpFIO7bLoDczgjANBgkqhkiG9w0BAQsFADAvMS0wKwYDVQQDEyRBREZTIFNpZ25pbmcgLSBEZXYtMTAxLkJhbmtPZlpvbmUubGswHhcNMjAwMzMwMTQyOTQ5WhcNMjEwMzMwMTQyOTQ5WjAvMS0wKwYDVQQDEyRBREZTIFNpZ25pbmcgLSBEZXYtMTAxLkJhbmtPZlpvbmUubGswggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC0sv1rrY0QcVy8kCYz48dTE0qWlwg7J67kNDuO4um37DKnmSK43QTKMkN4Oe / q6 + a8YV2XW7aHqVzirdyeCWDqWf0fuef0jBhysylwdZI8P8PHAhX632jkQ9dXKqKC9kVEsV + LMzMB98xv3ue + rAjQMctrvdapTgvRTOyu5SEHV7zKN / AXDgqM1AT9ae4prRhg7F37Y6h4DVjCdOZgV7LpmgkkFxFnmk0G5il9yfFnLs2Xw3dQxh8HPj9XCgeNT3GGnui + d69BnESsWDjUBUuBGB / +6WQixC4SnKzbssVTy3W4h3aSSsGljAAJfh5YUafzqCjG7Z6xE16LNBieKjbVAgMBAAEwDQYJKoZIhvcNAQELBQADggEBAH / a2bttVBkWzk4Q7K8qjgC / GQboK1NJewEPdi + 8GKG5RD + hWWz /qmXKT0u6ZklzmNrsxj + jPxIOzlv7Aaa5CbGUHHRoG7mgWnvV7y0Qys3OfRUpIzOK0HzDhe / LlyHyX3TpKDH / b1YQJiE6yHgwEdkO4ZBQsOHDNm9pvWH2YJQqMFbWPA4ZeUASeUO0h + BdR4Fog / MYu86lensZwZUKbq / 1 + M5xao3LZfQh5oyEBpH0roRJOazjMSHV + U4sLdvkvXx6in4BLwt1HiMAm0oA6c + vSW5GANAJBXPupfP6Njt0lpGGC3bLgWOlU65NTPwIZhvAjs / gV / pBa + jVMVxDP0g = ")));
options.IdentityProviders.Add(idp);
oAuthPostConfigureOptions.PostConfigure(schemeName, options);
oAuthOptionsCache.TryAdd(schemeName, options);
}
else
{
IOptionsMonitorCache <FacebookOptions> oAuthOptionsCache = serviceProvider.GetRequiredService <IOptionsMonitorCache <FacebookOptions> >();
OAuthPostConfigureOptions <FacebookOptions, FacebookHandler> oAuthPostConfigureOptions = serviceProvider.GetRequiredService <OAuthPostConfigureOptions <FacebookOptions, FacebookHandler> >();
if (await schemeProvider.GetSchemeAsync(schemeName) == null)
{
schemeProvider.AddScheme(new AuthenticationScheme(schemeName, schemeData.Scheme, typeof(FacebookHandler)));
}
else
{
oAuthOptionsCache.TryRemove(schemeName);
}
var options = new FacebookOptions
{
AppId = "xxxxxxxxxxxx",
AppSecret = "xxxxxxxxxxxxxxxxx"
};
oAuthOptionsCache.TryAdd(schemeName, options);
oAuthPostConfigureOptions.PostConfigure(schemeName, options);
oAuthOptionsCache.TryAdd(schemeName, options);
}
return(Redirect("/"));
}
public RequestIdCookieBuilder(Saml2Options options)
{
_options = options;
}
public WsSecuritySaml2SecurityTokenHandler(ExtendedSaml2Serializer serializer, Saml2Options options) : base(serializer, options)
{
}
private static void ConfigureSamlIdp(Configuration.IdentityProvider identityProvider, Saml2Options options)
{
Log.Information($"Adding EntityId: {identityProvider.EntityId}");
var idp = new IdentityProvider(new EntityId(identityProvider.EntityId), options.SPOptions)
{
Binding = Saml2BindingType.HttpRedirect,
SingleSignOnServiceUrl = new Uri(identityProvider.SignOnUrl),
};
if (identityProvider.LoadMetadata)
{
idp.MetadataLocation = identityProvider.MetadataLocation;
idp.LoadMetadata = true;
}
else
{
Log.Information($"Adding certificate. Name: {identityProvider.CertificateName}");
idp.SigningKeys.AddConfiguredKey(new X509Certificate2(identityProvider.CertificateName));
}
options.IdentityProviders.Add(idp);
}
public static void SetSPOptions(Saml2Options options)
{
var paramSPOptions = Parameters.Authentication.SamlParameters.SPOptions;
options.SPOptions.AuthenticateRequestSigningBehavior
= paramSPOptions.AuthenticateRequestSigningBehavior
.ToEnum(SigningBehavior.IfIdpWantAuthnRequestsSigned);
options.SPOptions.ReturnUrl
= paramSPOptions.ReturnUrl.IsNullOrEmpty() ? null : new Uri(paramSPOptions.ReturnUrl);
options.SPOptions.EntityId
= paramSPOptions.EntityId.IsNullOrEmpty() ? null : new EntityId(paramSPOptions.EntityId);
options.SPOptions.MinIncomingSigningAlgorithm
= paramSPOptions.MinIncomingSigningAlgorithm
?? options.SPOptions.MinIncomingSigningAlgorithm;
options.SPOptions.OutboundSigningAlgorithm
= paramSPOptions.OutboundSigningAlgorithm
?? options.SPOptions.OutboundSigningAlgorithm;
options.SPOptions.PublicOrigin
= paramSPOptions.PublicOrigin.IsNullOrEmpty()? null: new Uri(paramSPOptions.PublicOrigin);
if (paramSPOptions.IgnoreMissingInResponseTo == true)
{
options.SPOptions.Compatibility.IgnoreMissingInResponseTo = true;
}
if (paramSPOptions.ServiceCertificates != null)
{
foreach (var cert in paramSPOptions.ServiceCertificates)
{
var x509Store = new X509Store(
cert.StoreName.ToEnum(StoreName.My),
cert.StoreLocation.ToEnum(StoreLocation.CurrentUser));
x509Store.Open(OpenFlags.OpenExistingOnly);
try
{
var cer = x509Store.Certificates.Find(
cert.X509FindType.ToEnum(X509FindType.FindByThumbprint),
cert.FindValue,
false);
var serviceCert = new Sustainsys.Saml2.ServiceCertificate()
{
Certificate = cer[0],
Status = cert.Status.ToEnum(CertificateStatus.Current),
Use = cert.Use.ToEnum(CertificateUse.Both)
};
options.SPOptions.ServiceCertificates.Add(serviceCert);
}
finally
{
x509Store.Close();
}
}
}
var paramIdps = Parameters.Authentication.SamlParameters.IdentityProviders;
if (paramIdps != null)
{
foreach (var paramIdp in paramIdps)
{
var idp = new Sustainsys.Saml2.IdentityProvider(
new EntityId(paramIdp.EntityId),
options.SPOptions)
{
SingleSignOnServiceUrl = paramIdp.SignOnUrl.IsNullOrEmpty() ? null : new Uri(paramIdp.SignOnUrl),
SingleLogoutServiceUrl = paramIdp.LogoutUrl.IsNullOrEmpty() ? null : new Uri(paramIdp.LogoutUrl),
AllowUnsolicitedAuthnResponse = paramIdp.AllowUnsolicitedAuthnResponse,
Binding = paramIdp.Binding.ToEnum(Saml2BindingType.HttpRedirect),
WantAuthnRequestsSigned = paramIdp.WantAuthnRequestsSigned,
DisableOutboundLogoutRequests = paramIdp.DisableOutboundLogoutRequests
};
if (paramIdp.LoadMetadata)
{
idp.MetadataLocation = paramIdp.MetadataLocation.IsNullOrEmpty()
? idp.MetadataLocation
: paramIdp.MetadataLocation;
idp.LoadMetadata = paramIdp.LoadMetadata;
}
if (paramIdp.SigningCertificate != null)
{
var store = new X509Store(
paramIdp.SigningCertificate.StoreName.ToEnum(StoreName.My),
paramIdp.SigningCertificate.StoreLocation.ToEnum(StoreLocation.CurrentUser));
store.Open(OpenFlags.OpenExistingOnly);
try
{
var certs = store.Certificates.Find(
paramIdp.SigningCertificate.X509FindType.ToEnum(X509FindType.FindByThumbprint),
paramIdp.SigningCertificate.FindValue, false);
idp.SigningKeys.AddConfiguredKey(certs[0]);
}
finally
{
store.Close();
}
}
options.IdentityProviders.Add(idp);
}
}
}