protected override Saml2Conditions ReadConditions(XmlReader reader) { CustomTextTraceSource ts = new CustomTextTraceSource("CommercialVehicleCollisionWebservice.CustomSaml2SecurityTokenHandler.ReadConditions", "MyTraceSource", SourceLevels.Information); Saml2Conditions conditions2 = null; if (reader == null) { throw new ArgumentNullException("reader"); } if (!reader.IsStartElement("Conditions", "urn:oasis:names:tc:SAML:2.0:assertion")) { reader.ReadStartElement("Conditions", "urn:oasis:names:tc:SAML:2.0:assertion"); } try { Saml2ConditionsDelegateWrapper conditions = new Saml2ConditionsDelegateWrapper(); bool isEmptyElement = reader.IsEmptyElement; XmlUtil.ValidateXsiType(reader, "ConditionsType", "urn:oasis:names:tc:SAML:2.0:assertion", false); string attribute = reader.GetAttribute("NotBefore"); if (!string.IsNullOrEmpty(attribute)) { conditions.NotBefore = new DateTime?(XmlConvert.ToDateTime(attribute, DateTimeFormats.Accepted)); } attribute = reader.GetAttribute("NotOnOrAfter"); if (!string.IsNullOrEmpty(attribute)) { conditions.NotOnOrAfter = new DateTime?(XmlConvert.ToDateTime(attribute, DateTimeFormats.Accepted)); } reader.ReadStartElement(); if (!isEmptyElement) { while (reader.IsStartElement()) { if (reader.IsStartElement("Condition", "urn:oasis:names:tc:SAML:2.0:assertion")) { XmlQualifiedName xsiType = XmlUtil.GetXsiType(reader); if ((null == xsiType) || XmlUtil.EqualsQName(xsiType, "ConditionAbstractType", "urn:oasis:names:tc:SAML:2.0:assertion")) { string errorMsg = string.Format("An abstract element was encountered which does not specify its concrete type. " + "Element name: '{0}' Element namespace: '{1}'", reader.LocalName, reader.NamespaceURI); throw DiagnosticUtil.ThrowHelperXml(reader, errorMsg); } reader.ReadStartElement("Condition", "urn:oasis:names:tc:SAML:2.0:assertion"); conditions.Delegates = ReadDelegates(reader); reader.ReadEndElement(); ///////////////////////////////// // Need to investigate why this is disabled!!!!! // This looks like it is invalid here //if (EqualsQName(xsiType, "AudienceRestrictionType", "urn:oasis:names:tc:SAML:2.0:assertion")) //{ // conditions.AudienceRestrictions.Add(this.ReadAudienceRestriction(reader)); //} //else if (EqualsQName(xsiType, "OneTimeUseType", "urn:oasis:names:tc:SAML:2.0:assertion")) //{ // if (conditions.OneTimeUse) // { // throw new InvalidOperationException("ID4115: OneTimeUse"); // } // ReadEmptyContentElement(reader); // conditions.OneTimeUse = true; //} //else //{ // if (!EqualsQName(xsiType, "ProxyRestrictionType", "urn:oasis:names:tc:SAML:2.0:assertion")) // { // throw new InvalidOperationException("ID4113"); // } // if (conditions.ProxyRestriction != null) // { // throw new InvalidOperationException("ID4115: ProxyRestriction"); // } // conditions.ProxyRestriction = this.ReadProxyRestriction(reader); //} //////////////////////////////////// } else if (reader.IsStartElement("AudienceRestriction", "urn:oasis:names:tc:SAML:2.0:assertion")) { XmlQualifiedName xsiType = XmlUtil.GetXsiType(reader); conditions.AudienceRestrictions.Add(this.ReadAudienceRestriction(reader)); } else { //if (reader.IsStartElement("OneTimeUse", "urn:oasis:names:tc:SAML:2.0:assertion")) //{ // if (conditions.OneTimeUse) // { // throw DiagnosticUtil.ExceptionUtil.ThrowHelperXml(reader, "A <saml:Conditions> element contained more than one OneTimeUse condition."); // } // ReadEmptyContentElement(reader); // conditions.OneTimeUse = true; // continue; //} if (!reader.IsStartElement("ProxyRestriction", "urn:oasis:names:tc:SAML:2.0:assertion")) { break; } if (conditions.ProxyRestriction != null) { throw DiagnosticUtil.ThrowHelperXml(reader, "A <saml:Conditions> element contained more than one ProxyRestriction condition."); } conditions.ProxyRestriction = this.ReadProxyRestriction(reader); } } reader.ReadEndElement(); } conditions2 = conditions; } catch (Exception exception) { Exception exception2 = DiagnosticUtil.TryWrapReadException(reader, exception); if (exception2 == null) { throw; } throw exception2; } return conditions2; }
protected override Saml2Conditions CreateConditions(Microsoft.IdentityModel.Protocols.WSTrust.Lifetime tokenLifetime, string relyingPartyAddress, SecurityTokenDescriptor tokenDescriptor) { if (null == tokenLifetime && !string.IsNullOrEmpty(relyingPartyAddress)) { return null; } Saml2ConditionsDelegateWrapper conditions = new Saml2ConditionsDelegateWrapper(); conditions.NotBefore = tokenLifetime.Created; conditions.NotOnOrAfter = tokenLifetime.Expires; // GFIPM S2S 8.8.2.6.a string relyingPartyEntityID = _trustFabric.GetWspEntityIdFromEndpointAddress(relyingPartyAddress); // Make sure that the entity id is present in the <microsoft.identityModel><service><audienceUris> collection in the // WSP configuration file conditions.AudienceRestrictions.Add(new Saml2AudienceRestriction(new Uri(relyingPartyEntityID, UriKind.RelativeOrAbsolute))); // check if the actors are set in the subject and create the delegates from the actors IClaimsIdentity currentDelegate = tokenDescriptor.Subject.Actor; List<DelegateType> delegates = new List<DelegateType>(); while (currentDelegate != null) { DelegateType delegateType = CreateDelegate(currentDelegate.Claims[0].Value, currentDelegate.Claims[1].Value); delegates.Add(delegateType); // most recent delegate, synchronize token creation and delegationInstant if (currentDelegate.Actor == null) { if (conditions.NotBefore.HasValue) { delegateType.DelegationInstant = conditions.NotBefore.Value; } } currentDelegate = currentDelegate.Actor; } DelegationRestrictionType delegate1 = new DelegationRestrictionType(); delegate1.Delegate = delegates.ToArray(); conditions.Delegates = delegate1; return conditions; }