/// <summary>
/// Reads the WS-Federation security token carried by the request of
/// <paramref name="context"/>, validates it with the module's configured token
/// handlers and wraps the resulting identities in a <see cref="ClaimsPrincipal"/>.
/// </summary>
/// <param name="fam">The federation module whose service configuration supplies the token handlers.</param>
/// <param name="context">The HTTP context carrying the sign-in response.</param>
/// <returns>A principal built from the validated identities.</returns>
public static ClaimsPrincipal GetClaimsPrincipal(this WSFederationAuthenticationModule fam, HttpContext context)
        {
            // Whatever checks the handler collection is configured with (presumably
            // signature, issuer, audience and lifetime) happen inside ValidateToken;
            // nothing here relaxes or adds to them.
            var securityToken = fam.GetSecurityToken(context.Request);
            var validated     = fam.ServiceConfiguration.SecurityTokenHandlers.ValidateToken(securityToken);

            return new ClaimsPrincipal(validated);
        }
        /// <summary>
        /// Endpoint the security token service posts its WS-Federation sign-in response to.
        /// </summary>
        /// <returns>
        /// The result of <c>ProcessSignInResponse</c> when the request carries a readable
        /// sign-in response, otherwise the "Error" view.
        /// </returns>
        public ActionResult IssueResponse()
        {
            // A fresh module; its federation settings presumably come from the
            // application configuration.
            var module = new WSFederationAuthenticationModule
            {
                FederationConfiguration = new FederationConfiguration()
            };

            if (!module.CanReadSignInResponse(Request))
            {
                return View("Error");
            }

            var signInResponse = module.GetSignInResponseMessage(Request);
            var securityToken  = module.GetSecurityToken(Request);
            return ProcessSignInResponse(signInResponse, securityToken);
        }
        /// <summary>
        /// Extracts the security token from an ACS sign-in response and validates it.
        /// </summary>
        /// <param name="signInResponse">The WS-Federation sign-in response received from ACS.</param>
        /// <returns>The principal produced by the token overload of <c>ValidateToken</c>.</returns>
        private ClaimsPrincipal ValidateToken(SignInResponseMessage signInResponse)
        {
            var federationConfig = new FederationConfiguration();
            var module           = new WSFederationAuthenticationModule();
            module.FederationConfiguration = federationConfig;

            // Only extraction happens here; validation is delegated to the overload
            // that takes the raw security token.
            var acsToken = module.GetSecurityToken(signInResponse);
            return ValidateToken(acsToken);
        }
        /// <summary>
        /// Receives the WS-Federation sign-in response posted back by the security token service.
        /// </summary>
        /// <returns>
        /// Whatever <c>ProcessSignInResponse</c> returns for a readable sign-in response;
        /// the "Error" view for any other request.
        /// </returns>
        public ActionResult IssueResponse()
        {
            // Federation settings presumably come from the application configuration.
            var federationModule = new WSFederationAuthenticationModule();
            federationModule.FederationConfiguration = new FederationConfiguration();

            if (federationModule.CanReadSignInResponse(Request))
            {
                var message = federationModule.GetSignInResponseMessage(Request);
                var token   = federationModule.GetSecurityToken(Request);
                return ProcessSignInResponse(message, token);
            }

            return View("Error");
        }
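        /// <summary>
        /// Endpoint the identity provider posts its WS-Federation sign-in response to.
        /// When a decryption certificate is configured, the federation module is given a
        /// token resolver holding that certificate so encrypted tokens can be read.
        /// </summary>
        /// <returns>
        /// The result of <c>ProcessWSFedSignInResponse</c> when the request carries a
        /// readable sign-in response, otherwise the "Error" view.
        /// </returns>
        public ActionResult ProcessWSFedResponse()
        {
            var fam = new WSFederationAuthenticationModule();
            fam.FederationConfiguration = new FederationConfiguration();

            // Read the certificate once so the null check and the use see the same value
            // (matters if the repository resolves it lazily or can change between reads).
            var decryptionCertificate = ConfigurationRepository.Keys.DecryptionCertificate;
            if (decryptionCertificate != null)
            {
                var idConfig = new IdentityConfiguration();

                // The resolver holds only this certificate; the second argument
                // (canMatchLocalId) stays false, so tokens are not matched by local id.
                idConfig.ServiceTokenResolver = SecurityTokenResolver.CreateDefaultSecurityTokenResolver(
                    new ReadOnlyCollection<SecurityToken>(new SecurityToken[] { new X509SecurityToken(decryptionCertificate) }), false);
                fam.FederationConfiguration.IdentityConfiguration = idConfig;
            }

            if (fam.CanReadSignInResponse(Request))
            {
                var token = fam.GetSecurityToken(Request);
                return ProcessWSFedSignInResponse(fam.GetSignInResponseMessage(Request), token);
            }

            return View("Error");
        }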
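        /// <summary>
        /// Endpoint the identity provider posts its WS-Federation sign-in response to.
        /// When a decryption certificate is configured, the federation module is given a
        /// token resolver holding that certificate so encrypted tokens can be read.
        /// </summary>
        /// <returns>
        /// The result of <c>ProcessWSFedSignInResponse</c> when the request carries a
        /// readable sign-in response, otherwise the "Error" view.
        /// </returns>
        public ActionResult ProcessWSFedResponse()
        {
            var fam = new WSFederationAuthenticationModule();
            fam.FederationConfiguration = new FederationConfiguration();

            // Read the certificate once so the null check and the use see the same value
            // (matters if the repository resolves it lazily or can change between reads).
            var decryptionCertificate = ConfigurationRepository.Keys.DecryptionCertificate;
            if (decryptionCertificate != null)
            {
                var idConfig = new IdentityConfiguration();

                // The resolver holds only this certificate; the second argument
                // (canMatchLocalId) stays false, so tokens are not matched by local id.
                idConfig.ServiceTokenResolver = SecurityTokenResolver.CreateDefaultSecurityTokenResolver(
                    new ReadOnlyCollection<SecurityToken>(new SecurityToken[] { new X509SecurityToken(decryptionCertificate) }), false);
                fam.FederationConfiguration.IdentityConfiguration = idConfig;
            }

            if (fam.CanReadSignInResponse(Request))
            {
                var token = fam.GetSecurityToken(Request);
                return ProcessWSFedSignInResponse(fam.GetSignInResponseMessage(Request), token);
            }

            return View("Error");
        }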
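        /// <summary>
        /// Executed when the authentication should be done.
        /// </summary>
        /// <remarks>
        /// Only a POST carrying a WS-Federation sign-in response (<c>wa</c> equal to
        /// <see cref="WSFederationConstants.Actions.SignIn"/> and a non-empty <c>wresult</c>)
        /// is processed; every other request is left untouched. The token is decrypted with
        /// the certificate obtained from <see cref="ICertificateManager"/>, validated by the
        /// configured token handlers, and the resulting principal is placed on the HTTP
        /// context and the current thread.
        /// The service configuration built here switches off the audience check and accepts
        /// every signing certificate at the X.509 validation step, so the only issuer trust
        /// decision left is the one made by <see cref="X509CertificateIssuerNameRegistry"/>.
        /// </remarks>
        /// <param name="sender">The sender.</param>
        /// <param name="e">The event args.</param>
        private void context_AuthenticateRequest(object sender, EventArgs e)
        {
            // Get the request.
            var request = ((HttpApplication)sender).Request;

            // The redirect back from the security token service is done using a POST method. Hence
            // abort processing of the current request, if it was not sent using POST.
            if (request.HttpMethod != "POST")
            {
                return;
            }

            // Check whether the request contains sign in data.
            if (request.Form["wa"] != WSFederationConstants.Actions.SignIn ||
                request.Form["wresult"].IsNullOrEmpty())
            {
                return;
            }

            // Otherwise, get the security token which is attached to the request, process it and
            // convert it to a principal. First, set up the federated authentication module.
            var fam =
                new WSFederationAuthenticationModule
                    {
                        ServiceConfiguration =
                            new ServiceConfiguration
                                {
                                    // Never: the token's audience is not compared with this
                                    // relying party, so a token issued for another audience is
                                    // not rejected on that ground.
                                    AudienceRestriction = { AudienceMode = AudienceUriMode.Never },
                                    CertificateValidationMode =
                                        X509CertificateValidationMode.Custom,
                                    // NOTE(review): this validator accepts any signing certificate
                                    // (no chain or trust check); issuer trust rests entirely on
                                    // X509CertificateIssuerNameRegistry.
                                    CertificateValidator = new CertificateValidator(c => true),
                                    IssuerNameRegistry = new X509CertificateIssuerNameRegistry()
                                }
                    };

            // Prepare the decryption by injecting the certificate to the service token resolver.
            var certificates =
                new List<SecurityToken>
                    {
                        new X509SecurityToken(
                            this.Container.Resolve<ICertificateManager>().GetEncryptingCertificate())
                    };

            // First() throws if the collection has no EncryptedSecurityTokenHandler, which is
            // preferable to leaving decryption unconfigured.
            var encryptedSecurityTokenHandler =
                fam.ServiceConfiguration.SecurityTokenHandlers.OfType<EncryptedSecurityTokenHandler>().First();
            encryptedSecurityTokenHandler.Configuration.ServiceTokenResolver =
                SecurityTokenResolver.CreateDefaultSecurityTokenResolver(certificates.AsReadOnly(), false);

            // Get the security token from the request.
            var securityToken = fam.GetSecurityToken(request);

            // Validate the token and convert it to a collection of claims.
            var claims = fam.ServiceConfiguration.SecurityTokenHandlers.ValidateToken(securityToken);

            // Create a principal from the claims.
            IClaimsPrincipal principal = new ClaimsPrincipal(claims);

            // Set the current principal.
            HttpContext.Current.User = principal;
            Thread.CurrentPrincipal = principal;
        }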
        /// <summary>
        /// Pulls the security token out of an ACS sign-in response and hands it to the
        /// token overload of <c>ValidateToken</c>.
        /// </summary>
        /// <param name="signInResponse">The WS-Federation sign-in response received from ACS.</param>
        /// <returns>The principal returned by the token overload.</returns>
        private ClaimsPrincipal ValidateToken(SignInResponseMessage signInResponse)
        {
            var configuration = new FederationConfiguration();
            var module        = new WSFederationAuthenticationModule();
            module.FederationConfiguration = configuration;

            // Extraction only; the actual checks happen in the overload called below.
            return ValidateToken(module.GetSecurityToken(signInResponse));
        }
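        /// <summary>
        /// Executed when the authentication should be done.
        /// </summary>
        /// <remarks>
        /// Only a POST carrying a WS-Federation sign-in response (<c>wa</c> equal to
        /// <see cref="WSFederationConstants.Actions.SignIn"/> and a non-empty <c>wresult</c>)
        /// is processed; every other request is left untouched. The token is decrypted with
        /// the certificate obtained from <see cref="ICertificateManager"/>, validated by the
        /// configured token handlers, and the resulting principal is placed on the HTTP
        /// context and the current thread.
        /// The service configuration built here switches off the audience check and accepts
        /// every signing certificate at the X.509 validation step, so the only issuer trust
        /// decision left is the one made by <see cref="X509CertificateIssuerNameRegistry"/>.
        /// </remarks>
        /// <param name="sender">The sender.</param>
        /// <param name="e">The event args.</param>
        private void context_AuthenticateRequest(object sender, EventArgs e)
        {
            // Get the request.
            var request = ((HttpApplication)sender).Request;

            // The redirect back from the security token service is done using a POST method. Hence
            // abort processing of the current request, if it was not sent using POST.
            if (request.HttpMethod != "POST")
            {
                return;
            }

            // Check whether the request contains sign in data.
            if (request.Form["wa"] != WSFederationConstants.Actions.SignIn ||
                request.Form["wresult"].IsNullOrEmpty())
            {
                return;
            }

            // Otherwise, get the security token which is attached to the request, process it and
            // convert it to a principal. First, set up the federated authentication module.
            var fam =
                new WSFederationAuthenticationModule
            {
                ServiceConfiguration =
                    new ServiceConfiguration
                {
                    // Never: the token's audience is not compared with this relying party,
                    // so a token issued for another audience is not rejected on that ground.
                    AudienceRestriction       = { AudienceMode = AudienceUriMode.Never },
                    CertificateValidationMode =
                        X509CertificateValidationMode.Custom,
                    // NOTE(review): this validator accepts any signing certificate (no chain
                    // or trust check); issuer trust rests entirely on
                    // X509CertificateIssuerNameRegistry.
                    CertificateValidator = new CertificateValidator(c => true),
                    IssuerNameRegistry   = new X509CertificateIssuerNameRegistry()
                }
            };

            // Prepare the decryption by injecting the certificate to the service token resolver.
            var certificates =
                new List <SecurityToken>
            {
                new X509SecurityToken(
                    this.Container.Resolve <ICertificateManager>().GetEncryptingCertificate())
            };

            // First() throws if the collection has no EncryptedSecurityTokenHandler, which is
            // preferable to leaving decryption unconfigured.
            var encryptedSecurityTokenHandler =
                fam.ServiceConfiguration.SecurityTokenHandlers.OfType<EncryptedSecurityTokenHandler>().First();

            encryptedSecurityTokenHandler.Configuration.ServiceTokenResolver =
                SecurityTokenResolver.CreateDefaultSecurityTokenResolver(certificates.AsReadOnly(), false);

            // Get the security token from the request.
            var securityToken = fam.GetSecurityToken(request);

            // Validate the token and convert it to a collection of claims.
            var claims = fam.ServiceConfiguration.SecurityTokenHandlers.ValidateToken(securityToken);

            // Create a principal from the claims.
            IClaimsPrincipal principal = new ClaimsPrincipal(claims);

            // Set the current principal.
            HttpContext.Current.User = principal;
            Thread.CurrentPrincipal  = principal;
        }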
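        /// <summary>
        /// Endpoint that completes a passive sign-in. A posted <c>SAMLResponse</c> is parsed,
        /// handed to <c>GetClaimsIdentity</c> and, when that yields a principal, re-issued as a
        /// WS-Federation sign-in response; afterwards a WS-Federation sign-in response carried
        /// by the same request is passed to <c>ProcessSignInResponse</c>.
        /// </summary>
        /// <returns>
        /// The result of <c>ProcessSignInResponse</c> when the request carries a readable
        /// WS-Federation response, otherwise the "Error" view.
        /// </returns>
        public ActionResult IssueResponse()
        {
            if (!Request.Form.HasKeys())
            {
                return View("Error");
            }

            var samlResponse = Request.Form["SAMLResponse"];
            if (samlResponse != null)
            {
                // Posted by the identity provider, so attacker-controllable until
                // GetClaimsIdentity has processed it; the parse below only reads it.
                var responseDecoded = Encoding.UTF8.GetString(Convert.FromBase64String(HttpUtility.HtmlDecode(samlResponse)));

                var token = ReadSaml2Token(responseDecoded);
                if (token == null)
                {
                    // No Assertion element, or no audience to derive the realm from:
                    // nothing that can be re-issued.
                    return View("Error");
                }

                var realm = token.Assertion.Conditions.AudienceRestrictions[0].Audiences[0].ToString();
                var issuer = token.Assertion.Issuer.Value;

                var rstr = new RequestSecurityTokenResponse
                               {
                                   TokenType = Constants.TokenKeys.TokenType,
                                   RequestType = Constants.TokenKeys.RequestType,
                                   KeyType = Constants.TokenKeys.KeyType,
                                   Lifetime = new Lifetime(token.Assertion.IssueInstant, token.Assertion.Conditions.NotOnOrAfter),
                                   AppliesTo = new System.ServiceModel.EndpointAddress(new Uri(realm)),
                                   RequestedSecurityToken = new RequestedSecurityToken(GetElement(responseDecoded))
                               };

                // Presumably where the assertion is actually validated; a null result means
                // it was rejected and nothing is issued.
                var principal = GetClaimsIdentity(rstr);
                if (principal != null)
                {
                    var claimsPrinciple = Microsoft.IdentityModel.Claims.ClaimsPrincipal.CreateFromPrincipal(principal);

                    // The base URI is a placeholder; only the realm is carried into the
                    // sign-in request. TODO confirm nothing downstream reads it.
                    var requestMessage = new Microsoft.IdentityModel.Protocols.WSFederation.SignInRequestMessage(new Uri("http://foo"), realm);
                    var ipc = new SamlTokenServiceConfiguration(issuer);
                    SecurityTokenService identityProvider = new SamlTokenService(ipc);

                    var responseMessage = Microsoft.IdentityModel.Web.FederatedPassiveSecurityTokenServiceOperations.ProcessSignInRequest(requestMessage, claimsPrinciple, identityProvider);

                    new SignInSessionsManager(HttpContext, _cookieName, ConfigurationRepository.Global.MaximumTokenLifetime).AddEndpoint(responseMessage.BaseUri.AbsoluteUri);
                    // Writes the sign-in form to the current response; control then falls
                    // through to the WS-Federation branch below, as it always has.
                    Microsoft.IdentityModel.Web.FederatedPassiveSecurityTokenServiceOperations.ProcessSignInResponse(responseMessage, System.Web.HttpContext.Current.Response);
                }
            }

            var fam = new WSFederationAuthenticationModule { FederationConfiguration = new FederationConfiguration() };

            if (fam.CanReadSignInResponse(Request))
            {
                var responseMessage = fam.GetSignInResponseMessage(Request);
                return ProcessSignInResponse(responseMessage, fam.GetSecurityToken(Request));
            }

            return View("Error");
        }

        /// <summary>
        /// Parses the first SAML 2.0 <c>Assertion</c> element of a decoded SAML response.
        /// No validation is performed here; the caller is responsible for that.
        /// </summary>
        /// <param name="responseDecoded">The SAML response XML.</param>
        /// <returns>
        /// The parsed assertion token, or <c>null</c> when the response contains no
        /// <c>Assertion</c> element, the handler collection does not produce a
        /// <c>Saml2SecurityToken</c>, or the assertion carries no audience.
        /// </returns>
        private static Microsoft.IdentityModel.Tokens.Saml2.Saml2SecurityToken ReadSaml2Token(string responseDecoded)
        {
            // XmlReader.Create with default settings prohibits DTD processing on .NET 4 and
            // later; on older frameworks set ProhibitDtd explicitly.
            using (var sr = new StringReader(responseDecoded))
            using (var reader = XmlReader.Create(sr))
            {
                if (!reader.ReadToFollowing("Assertion", "urn:oasis:names:tc:SAML:2.0:assertion"))
                {
                    return null;
                }

                var coll = Microsoft.IdentityModel.Tokens.SecurityTokenHandlerCollection.CreateDefaultSecurityTokenHandlerCollection();
                var token = coll.ReadToken(reader.ReadSubtree()) as Microsoft.IdentityModel.Tokens.Saml2.Saml2SecurityToken;

                // The caller indexes AudienceRestrictions[0].Audiences[0]; guard both so a
                // malformed assertion yields null instead of an index exception.
                if (token == null
                    || token.Assertion == null
                    || token.Assertion.Conditions == null
                    || token.Assertion.Conditions.AudienceRestrictions.Count == 0
                    || token.Assertion.Conditions.AudienceRestrictions[0].Audiences.Count == 0)
                {
                    return null;
                }

                return token;
            }
        }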
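        /// <summary>
        /// Endpoint that completes a passive sign-in. A posted <c>SAMLResponse</c> is parsed,
        /// handed to <c>GetClaimsIdentity</c> and, when that yields a principal, re-issued as a
        /// WS-Federation sign-in response; afterwards a WS-Federation sign-in response carried
        /// by the same request is passed to <c>ProcessSignInResponse</c>.
        /// </summary>
        /// <returns>
        /// The result of <c>ProcessSignInResponse</c> when the request carries a readable
        /// WS-Federation response, otherwise the "Error" view.
        /// </returns>
        public ActionResult IssueResponse()
        {
            if (!Request.Form.HasKeys())
            {
                return(View("Error"));
            }

            var samlResponse = Request.Form["SAMLResponse"];
            if (samlResponse != null)
            {
                // Posted by the identity provider, so attacker-controllable until
                // GetClaimsIdentity has processed it; the parse below only reads it.
                var responseDecoded = Encoding.UTF8.GetString(Convert.FromBase64String(HttpUtility.HtmlDecode(samlResponse)));

                var token = ReadSaml2Token(responseDecoded);
                if (token == null)
                {
                    // No Assertion element, or no audience to derive the realm from:
                    // nothing that can be re-issued.
                    return(View("Error"));
                }

                var realm  = token.Assertion.Conditions.AudienceRestrictions[0].Audiences[0].ToString();
                var issuer = token.Assertion.Issuer.Value;

                var rstr = new RequestSecurityTokenResponse
                {
                    TokenType              = Constants.TokenKeys.TokenType,
                    RequestType            = Constants.TokenKeys.RequestType,
                    KeyType                = Constants.TokenKeys.KeyType,
                    Lifetime               = new Lifetime(token.Assertion.IssueInstant, token.Assertion.Conditions.NotOnOrAfter),
                    AppliesTo              = new System.ServiceModel.EndpointAddress(new Uri(realm)),
                    RequestedSecurityToken = new RequestedSecurityToken(GetElement(responseDecoded))
                };

                // Presumably where the assertion is actually validated; a null result means
                // it was rejected and nothing is issued.
                var principal = GetClaimsIdentity(rstr);
                if (principal != null)
                {
                    var claimsPrinciple = Microsoft.IdentityModel.Claims.ClaimsPrincipal.CreateFromPrincipal(principal);

                    // The base URI is a placeholder; only the realm is carried into the
                    // sign-in request. TODO confirm nothing downstream reads it.
                    var requestMessage = new Microsoft.IdentityModel.Protocols.WSFederation.SignInRequestMessage(new Uri("http://foo"), realm);
                    var ipc            = new SamlTokenServiceConfiguration(issuer);
                    SecurityTokenService identityProvider = new SamlTokenService(ipc);

                    var responseMessage = Microsoft.IdentityModel.Web.FederatedPassiveSecurityTokenServiceOperations.ProcessSignInRequest(requestMessage, claimsPrinciple, identityProvider);

                    new SignInSessionsManager(HttpContext, _cookieName, ConfigurationRepository.Global.MaximumTokenLifetime).AddEndpoint(responseMessage.BaseUri.AbsoluteUri);
                    // Writes the sign-in form to the current response; control then falls
                    // through to the WS-Federation branch below, as it always has.
                    Microsoft.IdentityModel.Web.FederatedPassiveSecurityTokenServiceOperations.ProcessSignInResponse(responseMessage, System.Web.HttpContext.Current.Response);
                }
            }

            var fam = new WSFederationAuthenticationModule {
                FederationConfiguration = new FederationConfiguration()
            };

            if (fam.CanReadSignInResponse(Request))
            {
                var responseMessage = fam.GetSignInResponseMessage(Request);
                return(ProcessSignInResponse(responseMessage, fam.GetSecurityToken(Request)));
            }

            return(View("Error"));
        }

        /// <summary>
        /// Parses the first SAML 2.0 <c>Assertion</c> element of a decoded SAML response.
        /// No validation is performed here; the caller is responsible for that.
        /// </summary>
        /// <param name="responseDecoded">The SAML response XML.</param>
        /// <returns>
        /// The parsed assertion token, or <c>null</c> when the response contains no
        /// <c>Assertion</c> element, the handler collection does not produce a
        /// <c>Saml2SecurityToken</c>, or the assertion carries no audience.
        /// </returns>
        private static Microsoft.IdentityModel.Tokens.Saml2.Saml2SecurityToken ReadSaml2Token(string responseDecoded)
        {
            // XmlReader.Create with default settings prohibits DTD processing on .NET 4 and
            // later; on older frameworks set ProhibitDtd explicitly.
            using (var sr = new StringReader(responseDecoded))
            using (var reader = XmlReader.Create(sr))
            {
                if (!reader.ReadToFollowing("Assertion", "urn:oasis:names:tc:SAML:2.0:assertion"))
                {
                    return(null);
                }

                var coll  = Microsoft.IdentityModel.Tokens.SecurityTokenHandlerCollection.CreateDefaultSecurityTokenHandlerCollection();
                var token = coll.ReadToken(reader.ReadSubtree()) as Microsoft.IdentityModel.Tokens.Saml2.Saml2SecurityToken;

                // The caller indexes AudienceRestrictions[0].Audiences[0]; guard both so a
                // malformed assertion yields null instead of an index exception.
                if (token == null
                    || token.Assertion == null
                    || token.Assertion.Conditions == null
                    || token.Assertion.Conditions.AudienceRestrictions.Count == 0
                    || token.Assertion.Conditions.AudienceRestrictions[0].Audiences.Count == 0)
                {
                    return(null);
                }

                return(token);
            }
        }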