        /// <summary>
        /// Builds the <see cref="Options"/> instance from the
        /// <see cref="KentorAuthServicesSection.Current"/> configuration section.
        /// </summary>
        /// <returns>
        /// Options holding the configured SP settings, with the configured
        /// identity providers and federations registered on it.
        /// </returns>
        private static Options LoadOptionsFromConfiguration()
        {
            // One configuration section supplies the SP settings, the identity
            // providers and the federations, so read it once and reuse it.
            var section = KentorAuthServicesSection.Current;

            var options = new Options(new SPOptions(section));
            section.IdentityProviders.RegisterIdentityProviders(options);
            section.Federations.RegisterFederations(options);

            return options;
        }
        /// <summary>
        /// With a discovery service configured and no identity provider selected,
        /// running the sign-in command should answer 303 See Other with a Location
        /// pointing at the discovery service, carrying the SP entity id and a
        /// return URL that leads back to the sign-in endpoint.
        /// </summary>
        public void SignInCommand_Run_ReturnsRedirectToDiscoveryService()
        {
            var discoveryServiceUrl = new Uri("http://ds.example.com");

            var spOptions = new SPOptions
            {
                DiscoveryServiceUrl = discoveryServiceUrl,
                EntityId = new EntityId("https://github.com/KentorIT/authservices")
            };
            var options = new Options(spOptions);

            var request = new HttpRequestData("GET", new Uri("http://localhost/signin?ReturnUrl=%2FReturn%2FPath"));

            var result = new SignInCommand().Run(request, options);

            result.HttpStatusCode.Should().Be(HttpStatusCode.SeeOther);

            // The return URL handed to the discovery service is itself a sign-in URL
            // that carries the original ReturnUrl, so both layers are escaped.
            var escapedEntityId = Uri.EscapeDataString(options.SPOptions.EntityId.Id);
            var escapedReturnUrl = Uri.EscapeDataString(
                "http://localhost/AuthServices/SignIn?ReturnUrl="
                + Uri.EscapeDataString("/Return/Path"));

            var queryString = "?entityID=" + escapedEntityId
                + "&return=" + escapedReturnUrl
                + "&returnIDParam=idp";

            var expectedLocation = new Uri(discoveryServiceUrl + queryString);

            result.Location.Should().Be(expectedLocation);
        }
        /// <summary>
        /// With only an EntityId configured, the metadata command should emit an
        /// EntityDescriptor with a one-hour cacheDuration and an SPSSODescriptor
        /// listing two AssertionConsumerService endpoints at /AuthServices/Acs:
        /// HTTP-POST (index 0, default) and HTTP-Artifact (index 1).
        /// </summary>
        public void MetadataCommand_Run_MinimalMetadata()
        {
            var options = new Options(new SPOptions()
            {
                EntityId = new EntityId("http://localhost/AuthServices"),
            });

            // 'request' is a member of the enclosing test class.
            var result = new MetadataCommand().Run(request, options);

            var subject = XDocument.Parse(result.Content);

            // The ID attribute is a freshly generated GUID, so it is removed
            // before comparison instead of being predicted.
            subject.Root.Attribute("ID").Remove();

            var md = Saml2Namespaces.Saml2Metadata;

            var postAcs = new XElement(md + "AssertionConsumerService",
                new XAttribute("Binding", Saml2Binding.HttpPostUri),
                new XAttribute("Location", "http://localhost/AuthServices/Acs"),
                new XAttribute("index", 0),
                new XAttribute("isDefault", true));

            var artifactAcs = new XElement(md + "AssertionConsumerService",
                new XAttribute("Binding", Saml2Binding.HttpArtifactUri),
                new XAttribute("Location", "http://localhost/AuthServices/Acs"),
                new XAttribute("index", 1),
                new XAttribute("isDefault", false));

            var spSsoDescriptor = new XElement(md + "SPSSODescriptor",
                new XAttribute("protocolSupportEnumeration", "urn:oasis:names:tc:SAML:2.0:protocol"),
                postAcs,
                artifactAcs);

            var expectedXml = new XDocument(new XElement(md + "EntityDescriptor",
                new XAttribute("entityID", "http://localhost/AuthServices"),
                new XAttribute("cacheDuration", "PT1H"),
                // The xmlns attributes must be added by hand: they are present in the
                // parsed subject, but giving an element a namespace only produces an
                // xmlns attribute when serializing to a string, not in the node tree,
                // so the tree comparison would otherwise fail.
                // See http://stackoverflow.com/questions/24156689/xnode-deepequals-unexpectedly-returns-false
                new XAttribute(XNamespace.Xmlns + "saml2", Saml2Namespaces.Saml2),
                new XAttribute("xmlns", Saml2Namespaces.Saml2MetadataName),
                spSsoDescriptor));

            subject.Should().BeEquivalentTo(expectedXml);
        }
        /// <summary>
        /// Once SHA-256 XML signatures have been enabled, an assertion signed with
        /// rsa-sha256 and a sha256 digest, from an IdP whose signing key is trusted,
        /// should validate: GetClaims must not throw.
        /// </summary>
        public void Saml2Response_GetClaims_ChecksSha256WhenEnabled()
        {
            // NOTE(review): judging by its name this enables SHA-256 support
            // process-wide, and nothing in this test undoes it afterwards.
            Options.GlobalEnableSha256XmlSignatures();

            // The Response and Assertion IDs are derived from the test name; the
            // signature's Reference URI below has to match the Assertion ID.
            var methodName = MethodBase.GetCurrentMethod().Name;

            var signedResponse =
                @"<saml2p:Response xmlns:saml2p=""urn:oasis:names:tc:SAML:2.0:protocol""
                    xmlns:saml2=""urn:oasis:names:tc:SAML:2.0:assertion""
                    ID = """ + methodName + @"_Response"" Version=""2.0"" IssueInstant=""2013-01-01T00:00:00Z"">
                        <saml2:Issuer>https://idp.example.com</saml2:Issuer>
                        <saml2p:Status>
                            <saml2p:StatusCode Value=""urn:oasis:names:tc:SAML:2.0:status:Success"" />
                        </saml2p:Status>
                        <Assertion ID=""" + methodName + @""" IssueInstant=""2015-03-13T20:43:33.466Z"" Version=""2.0"" xmlns=""urn:oasis:names:tc:SAML:2.0:assertion""><Issuer>https://idp.example.com</Issuer><Signature xmlns=""http://www.w3.org/2000/09/xmldsig#""><SignedInfo><CanonicalizationMethod Algorithm=""http://www.w3.org/2001/10/xml-exc-c14n#"" /><SignatureMethod Algorithm=""http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"" /><Reference URI=""#Saml2Response_GetClaims_ChecksSha256WhenEnabled""><Transforms><Transform Algorithm=""http://www.w3.org/2000/09/xmldsig#enveloped-signature"" /><Transform Algorithm=""http://www.w3.org/2001/10/xml-exc-c14n#"" /></Transforms><DigestMethod Algorithm=""http://www.w3.org/2001/04/xmlenc#sha256"" /><DigestValue>8s5HDYeicqbNwESGyrvYYXinJeJJgl4t6O27KGE0ejc=</DigestValue></Reference></SignedInfo><SignatureValue>mS2TFErenJHyvUbyIDUItOvH6AavUNGg5zL3hVueWDGjhaft2mlWSlQIFm9ajVQKrZq2Q/V4oZYGTQ8muTfrhdCL3fyu453nEWcNgQ+gm1H1e89N75XWonfL+UQDl73O95SX0dD4DjqQAC4MlSwMOkwOR7GakhjPbSzRct7lFbRx/3k+TUZNj9rfV4uzlf79ebkw9EaaSfu0tR6bAfGyrefFaNTZs2NeRICfD/GKn7HRo9zSdVPBHfEW2UUy0x/aWREG4GgUs7qObWL4uhDZ6oyy5FbsRcrUJMiXCFNXA8dr9EtZ2VafHz3d4kJFLiq63xjqpjGk/ng2gP+47F/9Rw==</SignatureValue><KeyInfo><X509Data><X509Certificate>MIIDIzCCAg+gAwIBAgIQg7mOjTf994NAVxZu4jqXpzAJBgUrDgMCHQUAMCQxIjAgBgNVBAMTGUtlbnRvci5BdXRoU2VydmljZXMuVGVzdHMwHhcNMTMwOTI1MTMzNTQ0WhcNMzkxMjMxMjM1OTU5WjAkMSIwIAYDVQQDExlLZW50b3IuQXV0aFNlcnZpY2VzLlRlc3RzMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAwVGpfvK9N//MnA5Jo1q2liyPR24406Dp25gv7LB3HK4DWgqsb7xXM6KIV/WVOyCV2g/O1ErBlB+HLhVZ4XUJvbqBbgAJqFO+TZwcCIe8u4nTEXeU660FdtkKClA17sbtMrAGdDfOPwVBHSuavdHeD7jHNI4RUDGKnEW13/0EvnHDilIetwODRxrX/+41R24sJThFbMczByS3OAL2dcIxoAynaGeM90gXsVYow1QhJUy21+cictikb7jW4mW6dvFCBrWIceom9J295DcQIHoxJy5NoZwMir/JV00qs1wDVoN20Ve1DC5ImwcG46XPF7efQ44yLh2j5Yexw+xloA81dwIDAQABo1kwVzBVBgNVHQEETjBMgBAWIahoZhXVUogbAqkS7zwfoSYwJDEiMCAGA1UEAxMZS2VudG9yLkF1dGhTZXJ2aWNlcy5UZXN0c4IQg7mOjTf994NAVxZu4jqXpzAJB
gUrDgMCHQUAA4IBAQA2aGzmuKw4AYXWMhrGj5+i8vyAoifUn1QVOFsUukEA77CrqhqqaWFoeagfJp/45vlvrfrEwtF0QcWfmO9w1VvHwm7sk1G/cdYyJ71sU+llDsdPZm7LxQvWZYkK+xELcinQpSwt4ExavS+jLcHoOYHYwIZMBn3U8wZw7Kq29oGnoFQz7HLCEl/G9i3QRyvFITNlWTjoScaqMjHTzq6HCMaRsL09DLcY3KB+cedfpC0/MBlzaxZv0DctTulyaDfM9DCYOyokGN/rQ6qkAR0DDm8fVwknbJY7kURXNGoUetulTb5ow8BvD1gncOaYHSD0kbHZG+bLsUZDFatEr2KW8jbG</X509Certificate></X509Data></KeyInfo></Signature><Subject><NameID>SomeUser</NameID><SubjectConfirmation Method=""urn:oasis:names:tc:SAML:2.0:cm:bearer"" /></Subject><Conditions NotOnOrAfter=""2100-01-01T05:00:00.000Z"" /></Assertion>
                    </saml2p:Response>";

            var spOptions = StubFactory.CreateSPOptions();
            var options = new Options(spOptions);

            // The issuing IdP is trusted with the test signing key only, and must
            // accept unsolicited responses since no request preceded this one.
            var idp = new IdentityProvider(new EntityId("https://idp.example.com"), spOptions);
            idp.AllowUnsolicitedAuthnResponse = true;
            idp.SigningKeys.AddConfiguredKey(SignedXmlHelper.TestKeySignOnly);
            options.IdentityProviders.Add(idp);

            Action readClaims = () => Saml2Response.Read(signedResponse).GetClaims(options);
            readClaims.ShouldNotThrow();
        }