public void IdentityProvider_NoMetadataLoadConfiguredFromCode()
{
    // An IdP configured entirely from code (no MetadataLocation) must keep the
    // values it was given, leave metadata loading switched off, and expose the
    // configured signing key as the same RSA public key as the test certificate.
    var entityId = new EntityId("http://idp.example.com");
    var idp = new IdentityProvider(entityId, StubFactory.CreateSPOptions());
    idp.AllowUnsolicitedAuthnResponse = true;
    idp.Binding = Saml2BindingType.HttpPost;
    idp.SingleSignOnServiceUrl = new Uri("http://idp.example.com/sso");
    idp.SigningKeys.AddConfiguredKey(SignedXmlHelper.TestKey);

    idp.LoadMetadata.Should().BeFalse();
    idp.MetadataValidUntil.Should().NotHaveValue();
    // With no explicit location, MetadataLocation reports the entity id string.
    idp.MetadataLocation.Should().Be("http://idp.example.com");
    idp.EntityId.Id.Should().Be("http://idp.example.com");
    idp.Binding.Should().Be(Saml2BindingType.HttpPost);
    idp.AllowUnsolicitedAuthnResponse.Should().BeTrue();
    idp.SingleSignOnServiceUrl.AbsoluteUri.Should().Be("http://idp.example.com/sso");

    // Only the public RSA parameters are compared (ExportParameters(false) omits
    // the private part). The RsaSha1Signature identifier is merely the argument
    // GetAsymmetricAlgorithm needs to hand back the RSA instance; nothing is signed.
    var configuredKey = idp.SigningKeys.Single().CreateKey().As<RsaSecurityKey>();
    var actualParams = configuredKey
        .GetAsymmetricAlgorithm(SecurityAlgorithms.RsaSha1Signature, false)
        .As<RSA>()
        .ExportParameters(false);
    var expectedParams = SignedXmlHelper.TestCert.PublicKey.Key
        .As<RSA>()
        .ExportParameters(false);

    actualParams.Modulus.Should().BeEquivalentTo(expectedParams.Modulus);
    actualParams.Exponent.Should().BeEquivalentTo(expectedParams.Exponent);
}
public void IdentityProvider_ConstructedFromEntityDescriptor_DoesntReloadMetadataWhenDisabled()
{
    // Reading a property of an IdP with LoadMetadata == false must not attempt
    // a metadata fetch, even though the entity id here is not a usable address.
    var ssoService = new SingleSignOnService()
    {
        Binding = Saml2Binding.HttpRedirectUri,
        Location = new Uri("http://idp.example.com/sso")
    };
    var idpDescriptor = new IdpSsoDescriptor();
    idpDescriptor.ProtocolsSupported.Add(new Uri("urn:oasis:names:tc:SAML:2.0:protocol"));
    idpDescriptor.SingleSignOnServices.Add(ssoService);
    idpDescriptor.Keys.Add(SignedXmlHelper.TestKeyDescriptor);

    // Expired a year ago, so a refresh would be due if one were ever considered.
    var descriptor = new EntityDescriptor
    {
        ValidUntil = DateTime.UtcNow.AddYears(-1),
        EntityId = new EntityId("someEntityId")
    };
    descriptor.RoleDescriptors.Add(idpDescriptor);

    // Only the entity id is handed to the IdP; the descriptor itself is not read.
    var idp = new IdentityProvider(descriptor.EntityId, StubFactory.CreateSPOptions());
    idp.LoadMetadata.Should().BeFalse();

    // "someEntityId" is not a valid Uri, so any attempt to use the entity id as
    // the metadata address would surface as an exception here.
    Action readBinding = () => { var ignored = idp.Binding; };
    readBinding.Should().NotThrow();
}
public void IdentityProvider_MetadataLoadedConfiguredFromCode()
{
    // Setting MetadataLocation from code turns metadata loading on, and values
    // read from the (stub) metadata document win over constructor defaults.
    const string metadataUrl = "http://localhost:13428/idpMetadataOtherEntityId";
    const string entityIdValue = "http://other.entityid.example.com";

    var spOptions = StubFactory.CreateSPOptions();
    var serviceCert = new ServiceCertificate() { Certificate = SignedXmlHelper.TestCert };
    spOptions.ServiceCertificates.Add(serviceCert);

    var idp = new IdentityProvider(new EntityId(entityIdValue), spOptions);
    idp.MetadataLocation = metadataUrl;
    idp.AllowUnsolicitedAuthnResponse = true;

    idp.AllowUnsolicitedAuthnResponse.Should().BeTrue();
    // Binding comes from the metadata, not from the code default.
    idp.Binding.Should().Be(Saml2BindingType.HttpRedirect);
    idp.EntityId.Id.Should().Be(entityIdValue);
    // A metadata location implies LoadMetadata.
    idp.LoadMetadata.Should().BeTrue();
    idp.MetadataLocation.Should().Be(metadataUrl);
    idp.MetadataValidUntil.Should().BeCloseTo(
        DateTime.UtcNow.Add(MetadataRefreshScheduler.DefaultMetadataCacheDuration.ToTimeSpan()),
        precision: 100);
    idp.SingleSignOnServiceUrl.Should().Be("http://wrong.entityid.example.com/acs");
    idp.WantAuthnRequestsSigned.Should().Be(true, "WantAuthnRequestsSigned should have been loaded from metadata");

    // The service certificate added above is what makes signing the request possible.
    Action createRequest = () => idp.CreateAuthenticateRequest(StubFactory.CreateSaml2Urls());
    createRequest.Should().NotThrow();
}
public void Saml2PSecurityTokenHandler_SaveBootstrapContextDefaultFalse()
{
    // Nothing in the stub options opts in, so SaveBootstrapContext stays off.
    var handler = new Saml2PSecurityTokenHandler(StubFactory.CreateSPOptions());
    var saveBootstrapContext = handler.Configuration.SaveBootstrapContext;
    saveBootstrapContext.Should().BeFalse();
}
public void IdentityProvider_Ctor_LogoutBindingDefaultsToBinding()
{
    // When the config (presumably) gives only the SSO binding, the logout
    // binding is expected to fall back to that same value.
    var idp = new IdentityProvider(CreateConfig(), StubFactory.CreateSPOptions());

    idp.Binding.Should().Be(Saml2BindingType.HttpPost);
    idp.SingleLogoutServiceBinding.Should().Be(Saml2BindingType.HttpPost);
}
public void SPOptionsExtensions_CreateMetadata_IncludesContactPersons()
{
    // Every contact configured on the options must appear in the generated metadata.
    var spOptions = StubFactory.CreateSPOptions();
    var metadata = spOptions.CreateMetadata(StubFactory.CreateSaml2Urls());
    metadata.Contacts.Should().Contain(spOptions.Contacts);
}
public void IdentityProvider_SingleLogoutServiceResponseUrl()
{
    // The response url round-trips as written (compared via OriginalString).
    var responseUrl = new Uri("http://some.url.example.com/logout-response");
    var idp = new IdentityProvider(new EntityId("http://example.com"), StubFactory.CreateSPOptions())
    {
        SingleLogoutServiceResponseUrl = responseUrl
    };

    var stored = idp.SingleLogoutServiceResponseUrl.OriginalString;
    stored.Should().Be(responseUrl.OriginalString);
}
public void IdentityProvider_ReadMetadata_Nullcheck()
{
    // ReadMetadata must reject a null document up front and name the parameter.
    var idp = new IdentityProvider(new EntityId("http://idp.example.com"), StubFactory.CreateSPOptions());

    Action readNull = () => idp.ReadMetadata(metadata: null);

    readNull.Should().Throw<ArgumentNullException>()
        .And.ParamName.Should().Be("metadata");
}
public void SPOptionsExtensions_CreateMetadata_IncludesOrganization()
{
    // The organization from the stub options must be emitted, with its name verbatim.
    var spOptions = StubFactory.CreateSPOptions();
    var urls = StubFactory.CreateAuthServicesUrls();
    var organization = spOptions.CreateMetadata(urls).Organization;

    organization.Should().NotBeNull();
    var firstName = organization.Names.First();
    firstName.Name.Should().Be("Kentor.AuthServices");
}
public void Saml2PSecurityTokenHandler_SaveBoostrapContextFromConfig()
{
    // The handler takes SaveBootstrapContext from the identity model configuration.
    var spOptions = StubFactory.CreateSPOptions();
    var identityConfig = spOptions.SystemIdentityModelIdentityConfiguration;
    identityConfig.SaveBootstrapContext = true;

    var handler = new Saml2PSecurityTokenHandler(spOptions);

    handler.Configuration.SaveBootstrapContext.Should().BeTrue();
}
public void IdentityProvider_Ctor_DisableOutboundLogoutRequest()
{
    // The config flag must carry over to the constructed IdP unchanged.
    var config = CreateConfig();
    config.DisableOutboundLogoutRequests = true;

    var idp = new IdentityProvider(config, StubFactory.CreateSPOptions());

    var disabled = idp.DisableOutboundLogoutRequests;
    disabled.Should().BeTrue();
}
public void SPOptions_Saml2PSecurityTokenHandler_Setter()
{
    // Reference identity, not just equality: the exact handler instance is kept.
    var options = StubFactory.CreateSPOptions();
    var customHandler = new Saml2PSecurityTokenHandler(options);

    options.Saml2PSecurityTokenHandler = customHandler;

    options.Saml2PSecurityTokenHandler.Should().BeSameAs(customHandler);
}
public void SPOptionsExtensions_CreateMetadata_IncludesOrganization()
{
    // The organization from the stub options must be emitted, with its name verbatim.
    var spOptions = StubFactory.CreateSPOptions();
    var urls = StubFactory.CreateSaml2Urls();
    var organization = spOptions.CreateMetadata(urls).Organization;

    organization.Should().NotBeNull();
    var firstName = organization.Names.First();
    firstName.Name.Should().Be("Sustainsys.Saml2");
}
public void IdentityProviderDictionary_Add()
{
    // Entries are keyed by the IdP's entity id and the same instance comes back.
    var entityId = new EntityId("http://idp.example.com");
    var idp = new IdentityProvider(entityId, StubFactory.CreateSPOptions());

    var dictionary = new IdentityProviderDictionary();
    dictionary.Add(idp);

    dictionary[entityId].Should().BeSameAs(idp);
}
public void IdentityProvider_ConfigFromMetadata_LogoutResponse_DefaultsToSingleLogoutServiceUrl()
{
    var idp = new IdentityProvider(
        new EntityId("http://localhost:13428/idpMetadataNoCertificate"),
        StubFactory.CreateSPOptions());

    // The metadata at this address carries no certificate (as its name suggests),
    // so the signing key is configured first and loading is enabled afterwards.
    idp.SigningKeys.AddConfiguredKey(SignedXmlHelper.TestCert);
    idp.LoadMetadata = true;

    // Presumably the metadata has no separate ResponseLocation, so the response
    // url falls back to the SLO location itself.
    var responseUrl = idp.SingleLogoutServiceResponseUrl.OriginalString;
    responseUrl.Should().Be("http://localhost:13428/logout");
    idp.SingleLogoutServiceBinding.Should().Be(Saml2BindingType.HttpRedirect);
}
public void Saml2PSecurityTokenHandler_ShouldHaveDefaultAudienceRestrictionOfEntityId()
{
    // With audience validation forced on and no explicit audiences configured,
    // the SP's own entity id is the audience the handler accepts.
    var spOptions = StubFactory.CreateSPOptions();
    spOptions.EntityId.Id = "http://testuri/";
    spOptions.SystemIdentityModelIdentityConfiguration.AudienceRestriction.AudienceMode = AudienceUriMode.Always;

    var handler = new Saml2PSecurityTokenHandler(spOptions);

    var firstAudience = handler.Configuration.AudienceRestriction.AllowedAudienceUris.First();
    firstAudience.AbsoluteUri.Should().Be("http://testuri/");
}
public void IdentityProvider_MetadataLocation_UnpacksEntitiesDescriptor_if_configured()
{
    // Opting in via the compatibility flag lets a single IdP wrapped in an
    // EntitiesDescriptor be accepted as IdP metadata.
    var spOptions = StubFactory.CreateSPOptions();
    spOptions.Compatibility.UnpackEntitiesDescriptorInIdentityProviderMetadata = true;

    var idp = new IdentityProvider(
        new EntityId("http://idp.federation.example.com/metadata"),
        spOptions);

    Action setLocation = () => idp.MetadataLocation = "~/Metadata/SingleIdpInEntitiesDescriptor.xml";
    setLocation.Should().NotThrow();
}
public void IdentityProvider_MetadataLocation_ThrowsWhenEntitiesDescriptorFoundAndNotAllowedByConfig()
{
    // Default is strict: an EntitiesDescriptor wrapper is rejected unless the
    // compatibility flag explicitly allows unpacking it.
    var spOptions = StubFactory.CreateSPOptions();
    spOptions.Compatibility.UnpackEntitiesDescriptorInIdentityProviderMetadata.Should().BeFalse();

    var idp = new IdentityProvider(new EntityId("http://idp.example.com"), spOptions);

    Action setLocation = () => idp.MetadataLocation = "~/Metadata/SingleIdpInEntitiesDescriptor.xml";
    setLocation.Should().Throw<InvalidOperationException>();
}
// Builds an IdP whose metadata comes from the stub endpoint with a very short
// cache duration, for tests that exercise the refresh scheduler.
// setLoggerToNull: when true, use fresh stub options with the logger removed
// instead of the options read from configuration.
IdentityProvider CreateSubjectForMetadataRefresh(bool setLoggerToNull = false)
{
    var config = CreateConfig();
    config.EntityId = "http://localhost:13428/idpMetadataVeryShortCacheDuration";
    config.LoadMetadata = true;

    // Always read the configured options first, matching the original evaluation order.
    var spOptions = Options.FromConfiguration.SPOptions;
    if (!setLoggerToNull)
    {
        return new IdentityProvider(config, spOptions);
    }

    var quietOptions = StubFactory.CreateSPOptions();
    quietOptions.Logger = null;
    return new IdentityProvider(config, quietOptions);
}
public void IdentityProvider_SingleSignOnService_DoesntReloadMetadataIfStillValid()
{
    const int originalPort = 13428;

    var idp = new IdentityProvider(
        new EntityId("http://localhost:13428/idpMetadata"),
        StubFactory.CreateSPOptions());
    idp.LoadMetadata = true;

    idp.SingleSignOnServiceUrl.Port.Should().Be(originalPort);

    // Change what the stub server would now hand out. The cached metadata is
    // still valid, so no new fetch must happen and the old port must remain.
    // NOTE(review): the override is not reset in this method; confirm test
    // cleanup restores StubServer.IdpMetadataSsoPort.
    StubServer.IdpMetadataSsoPort = 147;
    idp.SingleSignOnServiceUrl.Port.Should().Be(originalPort);
}
public void Saml2PSecurityTokenHandler_ShouldReadAudienceUrisFromIdentityModelConfig()
{
    // Audiences configured on the identity model config must be honoured by the handler.
    var firstUri = new Uri("http://firsturi/");
    var secondUri = new Uri("http://seconduri/");
    var restriction = new AudienceRestriction();
    restriction.AllowedAudienceUris.Add(firstUri);
    restriction.AllowedAudienceUris.Add(secondUri);

    var spOptions = StubFactory.CreateSPOptions();
    spOptions.SystemIdentityModelIdentityConfiguration.AudienceRestriction = restriction;

    var handler = new Saml2PSecurityTokenHandler(spOptions);

    var allowed = handler.Configuration.AudienceRestriction.AllowedAudienceUris;
    allowed.Should().Contain(firstUri);
    allowed.Should().Contain(secondUri);
}
public void SustainsysSaml2Section_Contacts_LoadedFromConfig()
{
    var fromConfig = SustainsysSaml2Section.Current.Contacts;

    var expected = StubFactory.CreateSPOptions().Contacts;
    var firstContact = expected.First();
    // The config schema allows one phone number and one e-mail per contact;
    // drop the extra ones the stub factory adds so the two sides line up.
    firstContact.TelephoneNumbers.Remove(firstContact.TelephoneNumbers.First());
    firstContact.EmailAddresses.Remove(firstContact.EmailAddresses.First());

    var secondTechnical = new ContactPerson(ContactType.Technical);
    secondTechnical.EmailAddresses.Add("*****@*****.**");
    expected.Add(secondTechnical);

    fromConfig.ShouldBeEquivalentTo(expected);
}
public void SPOPtionsExtensions_CreateMetadata_RequiredFields()
{
    var urls = StubFactory.CreateAuthServicesUrls();
    var metadata = StubFactory.CreateSPOptions().CreateMetadata(urls);

    metadata.EntityId.Id.Should().Be("https://github.com/KentorIT/authservices");
    metadata.CacheDuration.Should().Be(new TimeSpan(0, 0, 42));

    // Exactly one SP role descriptor; no keys are published (the stub options
    // presumably carry no certificate).
    var spDescriptor = metadata.RoleDescriptors
        .OfType<ServiceProviderSingleSignOnDescriptor>()
        .Single();
    spDescriptor.Should().NotBeNull();
    spDescriptor.Keys.Count.Should().Be(0);

    var acs = spDescriptor.AssertionConsumerServices.First().Value;
    acs.Index.Should().Be(0);
    acs.IsDefault.Should().HaveValue();
    acs.Binding.ToString().Should().Be("urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST");
    acs.Location.ToString().Should().Be("http://localhost/AuthServices/Acs");
}
public void SPOptionsExtensions_CreateMetadata_IncludeAttributeConsumingService()
{
    var spOptions = StubFactory.CreateSPOptions();
    var urls = StubFactory.CreateAuthServicesUrls();

    var acService = new AttributeConsumingService("Name");
    acService.RequestedAttributes.Add(new RequestedAttribute("AttributeName"));
    // Replace whatever the stub factory configured with exactly this one service.
    spOptions.AttributeConsumingServices.Clear();
    spOptions.AttributeConsumingServices.Add(acService);

    var spDescriptor = spOptions
        .CreateMetadata(urls)
        .RoleDescriptors
        .Cast<ExtendedServiceProviderSingleSignOnDescriptor>()
        .First();

    // The very instance from the options is expected, not a copy.
    spDescriptor.AttributeConsumingServices.First().Should().BeSameAs(acService);
}
public void SPOptionsExtensions_CreateMetadata_IncludeDiscoveryServiceResponse()
{
    var spOptions = StubFactory.CreateSPOptions();
    var urls = StubFactory.CreateAuthServicesUrls();
    spOptions.DiscoveryServiceUrl = new Uri("http://ds.example.com");

    var discoveryResponse = spOptions.CreateMetadata(urls).Extensions.DiscoveryResponse;

    // The discovery response endpoint points back at our own sign-in url.
    var expected = new IndexedProtocolEndpoint();
    expected.Binding = Saml2Binding.DiscoveryResponseUri;
    expected.Index = 0;
    expected.IsDefault = true;
    expected.Location = urls.SignInUrl;

    discoveryResponse.ShouldBeEquivalentTo(expected);
}
public void SPOptionsExtensions_CreateMetadata_IncludeDiscoveryServiceResponse()
{
    var spOptions = StubFactory.CreateSPOptions();
    var urls = StubFactory.CreateSaml2Urls();
    spOptions.DiscoveryServiceUrl = new Uri("http://ds.example.com");

    var spDescriptor = spOptions.CreateMetadata(urls).RoleDescriptors.Single().As<SpSsoDescriptor>();
    var discoveryResponse = spDescriptor.DiscoveryResponses.Values.Single();

    // The discovery response endpoint points back at our own sign-in url.
    var expected = new DiscoveryResponse();
    expected.Binding = Saml2Binding.DiscoveryResponseUri;
    expected.Index = 0;
    expected.IsDefault = true;
    expected.Location = urls.SignInUrl;

    discoveryResponse.Should().BeEquivalentTo(expected);
}
public void SPOptionsExtensions_CreateMetadata_IncludeAttributeConsumingService()
{
    var spOptions = StubFactory.CreateSPOptions();
    var urls = StubFactory.CreateSaml2Urls();

    var acService = new AttributeConsumingService();
    acService.ServiceNames.Add(new LocalizedName("Name", "en"));
    // Replace whatever the stub factory configured with exactly this one service.
    spOptions.AttributeConsumingServices.Clear();
    spOptions.AttributeConsumingServices.Add(acService);
    acService.RequestedAttributes.Add(new RequestedAttribute("AttributeName"));

    var spDescriptor = spOptions
        .CreateMetadata(urls)
        .RoleDescriptors
        .Cast<SpSsoDescriptor>()
        .First();

    // The very instance from the options is expected, not a copy.
    var published = spDescriptor.AttributeConsumingServices.Values.First();
    published.Should().BeSameAs(acService);
}
public void SPOPtionsExtensions_CreateMetadata_RequiredFields()
{
    var urls = StubFactory.CreateSaml2Urls();
    var metadata = StubFactory.CreateSPOptions().CreateMetadata(urls);

    metadata.EntityId.Id.Should().Be("https://github.com/Sustainsys/Saml2");
    metadata.CacheDuration.Should().Be(new XsdDuration(seconds: 42));

    // Exactly one SP role descriptor; no keys are published.
    var spDescriptor = metadata.RoleDescriptors
        .OfType<SpSsoDescriptor>()
        .Single();
    spDescriptor.Should().NotBeNull();
    spDescriptor.Keys.Count.Should().Be(0);

    var acs = spDescriptor.AssertionConsumerServices.First().Value;
    acs.Index.Should().Be(0);
    acs.IsDefault.Should().HaveValue();
    acs.Binding.ToString().Should().Be("urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST");
    acs.Location.ToString().Should().Be("http://localhost/Saml2/Acs");

    // Without a service certificate there is nothing to sign logout messages
    // with, so no SLO endpoint is advertised in the metadata.
    spDescriptor.SingleLogoutServices.Should().BeEmpty();
}
public void IdentityProvider_ConfigFromMetadata()
{
    var entityId = new EntityId("http://localhost:13428/idpMetadata");
    var idp = new IdentityProvider(entityId, StubFactory.CreateSPOptions());

    // Pre-seed an ARS entry that loading must discard: metadata replaces, not merges.
    idp.ArtifactResolutionServiceUrls.Add(234, new Uri("http://example.com"));

    idp.LoadMetadata = true;

    idp.EntityId.Id.Should().Be(entityId.Id);
    idp.Binding.Should().Be(Saml2BindingType.HttpPost);
    idp.SingleSignOnServiceUrl.Should().Be(new Uri("http://localhost:13428/acs"));

    // The published signing key is the test certificate carried in the metadata.
    var expectedKey = new X509RawDataKeyIdentifierClause(SignedXmlHelper.TestCert);
    idp.SigningKeys.Single().Should().BeEquivalentTo(expectedKey);

    var arsUrls = idp.ArtifactResolutionServiceUrls;
    arsUrls.Count.Should().Be(2);
    arsUrls[0x1234].OriginalString.Should().Be("http://localhost:13428/ars");
    arsUrls[117].OriginalString.Should().Be("http://localhost:13428/ars2");

    idp.SingleLogoutServiceUrl.OriginalString.Should().Be("http://localhost:13428/logout");
    idp.SingleLogoutServiceResponseUrl.OriginalString.Should().Be("http://localhost:13428/logoutResponse");
    idp.SingleLogoutServiceBinding.Should().Be(Saml2BindingType.HttpRedirect);
}
public void IdentityProvider_ConstructedFromEntityDescriptor_DoesntScheduleMedataRefresh()
{
    // Shortest scheduler interval, so a wrongly scheduled refresh would fire
    // within the wait below.
    MetadataRefreshScheduler.minInterval = new TimeSpan(0, 0, 0, 0, 1);

    var ssoService = new SingleSignOnService()
    {
        Binding = Saml2Binding.HttpRedirectUri,
        Location = new Uri("http://idp.example.com/sso")
    };
    var idpDescriptor = new IdpSsoDescriptor();
    idpDescriptor.ProtocolsSupported.Add(new Uri("urn:oasis:names:tc:SAML:2.0:protocol"));
    idpDescriptor.SingleSignOnServices.Add(ssoService);
    idpDescriptor.Keys.Add(SignedXmlHelper.TestKeyDescriptor);

    // Already expired, and the entity id is the stub metadata endpoint, which
    // serves a different SSO location — so a refresh would visibly change the url.
    var descriptor = new EntityDescriptor
    {
        ValidUntil = DateTime.UtcNow.AddYears(-1),
        EntityId = new EntityId("http://localhost:13428/idpMetadata")
    };
    descriptor.RoleDescriptors.Add(idpDescriptor);

    var idp = new IdentityProvider(descriptor.EntityId, StubFactory.CreateSPOptions());
    idp.ReadMetadata(descriptor);

    // Timing-based by necessity: there is no hook to observe "nothing was
    // scheduled". 100 ms was found necessary to fail reliably before the fix.
    Thread.Sleep(100);

    idp.SingleSignOnServiceUrl.Should().Be(ssoService.Location);
}