static void Main(string[] args) {
string idpAddress = "https://idp.contoso.com/SecurityTokenService/Issue.svc/mixed/username";
string fedAddress = "https://sts.contoso.com/adfs/services/trust/13/IssuedTokenMixedSymmetricBasic256";
string svcAddress = "https://internalcrm.contoso.com";
var idpBinding = new UserNameWSTrustBinding() {
SecurityMode = SecurityMode.TransportWithMessageCredential
};
var fedBinding = new IssuedTokenWSTrustBinding(idpBinding, new EndpointAddress(idpAddress)) {
SecurityMode = SecurityMode.TransportWithMessageCredential,
//KeyType = SecurityKeyType.SymmetricKey
};
var channelFactory = new WSTrustChannelFactory(fedBinding, fedAddress);
channelFactory.Credentials.UserName.UserName = "******";
channelFactory.Credentials.UserName.Password = "******";
var request = new RequestSecurityToken {
RequestType = RequestTypes.Issue,
AppliesTo = new EndpointReference(svcAddress),
//TokenType = Microsoft.IdentityModel.Tokens.SecurityTokenTypes.Saml2TokenProfile11,
//TokenType = SecurityTokenTypes.Saml,
};
var token = channelFactory.CreateChannel().Issue(request);
//return token;
}
private static SecurityToken GetIdentityProviderToken(string tokenType)
{
var binding = new UserNameWSTrustBinding(SecurityMode.TransportWithMessageCredential);
var factory = new WSTrustChannelFactory(binding, ConfigurationManager.AppSettings["usernamemixedEP"].ToString())
{
TrustVersion = TrustVersion.WSTrust13
};
factory.Credentials.UserName.Password = ConfigurationManager.AppSettings["password"].ToString();
factory.Credentials.UserName.UserName = ConfigurationManager.AppSettings["username"].ToString();
factory.Credentials.SupportInteractive = false;
factory.Credentials.UseIdentityConfiguration = true;
var rst = new RequestSecurityToken
{
RequestType = "http://docs.oasis-open.org/ws-sx/ws-trust/200512/Issue",
AppliesTo = new EndpointReference(ConfigurationManager.AppSettings["usernamemixedAppliesTo"].ToString()),
KeyType = "http://docs.oasis-open.org/ws-sx/ws-trust/200512/SymmetricKey",
TokenType = tokenType
};
var channel = factory.CreateChannel();
return(channel.Issue(rst));
}
public HttpResponseMessage GetToken(string username, string password)
{
string relyingPartyId = System.Configuration.ConfigurationManager.AppSettings["AudianceUri"];
string identityServerEndpoint = System.Configuration.ConfigurationManager.AppSettings["SecurityEndPoint"];
var binding = new UserNameWSTrustBinding(SecurityMode.TransportWithMessageCredential);
var credentials = new ClientCredentials();
credentials.UserName.UserName = username;
credentials.UserName.Password = password;
try
{
var token = WSTrustClient.Issue(
new EndpointAddress(identityServerEndpoint),
new EndpointAddress(relyingPartyId),
binding,
credentials) as GenericXmlSecurityToken;
return(new HttpResponseMessage()
{
Content = new StringContent(token.TokenXml.OuterXml, Encoding.UTF8, "application/xml")
});
}
catch (Exception)
{
throw new PMSSecurityIdentityException();
}
}
public string AuthenticateUser(string username, string password)
{
var binding = new UserNameWSTrustBinding(SecurityMode.TransportWithMessageCredential)
{
ClientCredentialType = HttpClientCredentialType.None
};
var trustChannelFactory = new WSTrustChannelFactory(binding, new EndpointAddress(stsEndpointAddress))
{
TrustVersion = TrustVersion.WSTrust13
};
var channelCredentials = trustChannelFactory.Credentials;
channelCredentials.UserName.UserName = username;
channelCredentials.UserName.Password = password;
channelCredentials.SupportInteractive = false;
var tokenClient = (WSTrustChannel)trustChannelFactory.CreateChannel();
var rst = new RequestSecurityToken(RequestTypes.Issue, KeyTypes.Bearer)
{
AppliesTo = new EndpointReference(relyingPartyAddress),
ReplyTo = relyingPartyAddress,
TokenType = "http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0"
};
// to some token-related stuff (like transformations etc...)
}
//https://leastprivilege.com/2010/10/28/wif-adfs-2-and-wcfpart-6-chaining-multiple-token-services/
//https://msdn.microsoft.com/en-us/library/ee517297.aspx
public SecurityToken GetToken(string idpEndpoint, string rstsRealm, string userName, string password)
{
var binding = new UserNameWSTrustBinding(SecurityMode.TransportWithMessageCredential);
var factory = new System.ServiceModel.Security.WSTrustChannelFactory(binding, new EndpointAddress(new Uri(idpEndpoint)));
factory.TrustVersion = TrustVersion.WSTrust13;
factory.Credentials.SupportInteractive = false;
factory.Credentials.UserName.UserName = userName;
factory.Credentials.UserName.Password = password;
var rst = new System.IdentityModel.Protocols.WSTrust.RequestSecurityToken
{
RequestType = RequestTypes.Issue,
AppliesTo = new System.IdentityModel.Protocols.WSTrust.EndpointReference(rstsRealm),
KeyType = KeyTypes.Bearer,
TokenType = "urn:oasis:names:tc:SAML:2.0:assertion"
};
var channel = factory.CreateChannel();
var securityToken = channel.Issue(rst);
return(securityToken);
}
private static GenericXmlSecurityToken GetSecurityToken(Uri spSiteUrl, string username, string password)
{
var binding = new UserNameWSTrustBinding(SecurityMode.TransportWithMessageCredential)
{
TrustVersion = TrustVersion.WSTrustFeb2005
};
var address = new EndpointAddress(_stsUrl);
using (var factory = new Microsoft.IdentityModel.Protocols.WSTrust.WSTrustChannelFactory(binding, address))
{
factory.Credentials.UserName.UserName = username;
factory.Credentials.UserName.Password = password;
var channel = factory.CreateChannel();
var rst = new RequestSecurityToken
{
RequestType = WSTrustFeb2005Constants.RequestTypes.Issue,
KeyType = WSTrustFeb2005Constants.KeyTypes.Bearer,
TokenType = Microsoft.IdentityModel.Tokens.SecurityTokenTypes.Saml11TokenProfile11,
AppliesTo = new EndpointAddress(spSiteUrl),
};
var genericToken = channel.Issue(rst) as GenericXmlSecurityToken;
return(genericToken);
}
}
private SecurityToken GetActAsToken()
{
// Retrieve the token that was saved during initial user login
BootstrapContext bootstrapContext = ClaimsPrincipal.Current.Identities.First().BootstrapContext as BootstrapContext;
// Use the Thinktecture-implementation of the UserNameWSBinding to setup the channel factory to ADFS
var binding = new UserNameWSTrustBinding(SecurityMode.TransportWithMessageCredential);
var factory = new WSTrustChannelFactory(binding, new EndpointAddress("https://[ADFS]/adfs/services/trust/13/usernamemixed"));
// For demo purposes, we're authenticating to ADFS using a user name and password representing the web application
// If the web server is domain-joined, you can use Windows Authentication instead
factory.Credentials.UserName.UserName = "******";
factory.Credentials.UserName.Password = "******";
factory.TrustVersion = TrustVersion.WSTrust13;
// Setup the request details to ask for a token for the backend service, acting as the logged in user
var request = new RequestSecurityToken();
request.RequestType = Thinktecture.IdentityModel.Constants.WSTrust13Constants.RequestTypes.Issue;
request.AppliesTo = new EndpointReference("https://[BackendService]/Service.svc");
request.ActAs = new SecurityTokenElement(bootstrapContext.SecurityToken);
// Create the channel
var channel = factory.CreateChannel();
RequestSecurityTokenResponse response = null;
SecurityToken delegatedToken = channel.Issue(request, out response);
// Return the acquired token
return(delegatedToken);
}
private static SecurityToken RequestToken()
{
var binding = new UserNameWSTrustBinding(SecurityMode.TransportWithMessageCredential);
var credentials = new ClientCredentials();
credentials.UserName.UserName = "******";
credentials.UserName.Password = "******";
return(WSTrustClient.Issue(
new EndpointAddress(_idsrvEndpoint),
new EndpointAddress(_realm),
binding,
credentials));
}
public ClaimsPrincipal Validate(string userName, string password)
{
var binding = new UserNameWSTrustBinding(SecurityMode.TransportWithMessageCredential);
var credentials = new ClientCredentials();
credentials.UserName.UserName = userName;
credentials.UserName.Password = password;
GenericXmlSecurityToken genericToken;
try
{
genericToken = WSTrustClient.Issue(
new EndpointAddress(_address),
new EndpointAddress(_realm),
binding,
credentials) as GenericXmlSecurityToken;
}
catch (MessageSecurityException ex)
{
Tracing.Error("WSTrustResourceOwnerCredentialValidation failed: " + ex.ToString());
return(null);
}
var config = new SecurityTokenHandlerConfiguration();
config.AudienceRestriction.AllowedAudienceUris.Add(new Uri(_realm));
config.CertificateValidationMode = X509CertificateValidationMode.None;
config.CertificateValidator = X509CertificateValidator.None;
var registry = new ConfigurationBasedIssuerNameRegistry();
registry.AddTrustedIssuer(_issuerThumbprint, _address);
config.IssuerNameRegistry = registry;
var handler = SecurityTokenHandlerCollection.CreateDefaultSecurityTokenHandlerCollection(config);
ClaimsPrincipal principal;
var token = genericToken.ToSecurityToken();
principal = new ClaimsPrincipal(handler.ValidateToken(token));
Tracing.Information("Successfully requested token for user via WS-Trust");
return(FederatedAuthentication.FederationConfiguration.IdentityConfiguration.ClaimsAuthenticationManager.Authenticate("ResourceOwnerPasswordValidation", principal));
}
protected virtual WSTrustChannelFactory CreateUsernameWSTrustChannelFactory(string serviceUsername, string servicePassword)
{
var binding = new UserNameWSTrustBinding(SecurityMode.TransportWithMessageCredential);
if (ProxyAddress != null)
{
binding.ProxyAddress = ProxyAddress;
}
var factory = new WSTrustChannelFactory(binding, _usernameMixedEndpoint)
{
TrustVersion = TrustVersion.WSTrust13
};
factory.Credentials.UserName.UserName = serviceUsername;
factory.Credentials.UserName.Password = servicePassword;
return(factory);
}
public virtual string AuthenticateUser(string username, string password, string stsEndpoint, string relyingPartyAddress)
{
if (string.IsNullOrEmpty(stsEndpoint) || string.IsNullOrEmpty(relyingPartyAddress) ||
string.IsNullOrEmpty(username) || string.IsNullOrEmpty(password))
{
throw new NullReferenceException(
"AuthenticationTokenFactory received a null/empty argument for: username || password || stsEndpoint || relyingPartyAddress ");
}
var binding = new UserNameWSTrustBinding(SecurityMode.TransportWithMessageCredential)
{
ClientCredentialType = HttpClientCredentialType.None
};
var trustChannelFactory = new WSTrustChannelFactory(binding, new EndpointAddress(stsEndpoint))
{
TrustVersion = TrustVersion.WSTrust13
};
var channelCredentials = trustChannelFactory.Credentials;
channelCredentials.UserName.UserName = username;
channelCredentials.UserName.Password = password;
channelCredentials.SupportInteractive = false;
var tokenClient = (WSTrustChannel)trustChannelFactory.CreateChannel();
var rst = new RequestSecurityToken(WSTrust13Constants.RequestTypes.Issue, WSTrust13Constants.KeyTypes.Bearer)
{
AppliesTo = new System.ServiceModel.EndpointAddress(relyingPartyAddress),
ReplyTo = relyingPartyAddress,
TokenType = "urn:ietf:params:oauth:token-type:jwt"
};
var token = tokenClient.Issue(rst);
var innerXml = ((GenericXmlSecurityToken)token).TokenXml.InnerXml;
byte[] data = Convert.FromBase64String(innerXml);
string decodedString = Encoding.UTF8.GetString(data);
return(decodedString);
}
