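        /// <summary>
        /// Handles a WS-Trust Issue request: validates the requested token type, builds a
        /// symmetric proof (session) key, encrypts it for the target service and wraps it in a
        /// signed SAML 1.1 assertion returned inside a RequestSecurityTokenResponse.
        /// </summary>
        /// <param name="rst">The incoming RequestSecurityToken. Must not be null.</param>
        /// <returns>
        /// An RSTR carrying the issued SAML token, its attached/unattached references, the
        /// request context and the echoed token type.
        /// </returns>
        /// <exception cref="ArgumentNullException">Thrown when <paramref name="rst"/> is null.</exception>
        /// <exception cref="NotSupportedException">
        /// Thrown when a token type other than SAML 1.1 is requested, or when the requester
        /// asks for an asymmetric (public key) proof key.
        /// </exception>
        private RequestSecurityTokenResponse Issue(RequestSecurityToken rst)
        {
            // The only token type this STS can issue. A request that omits TokenType is accepted
            // and treated as a request for this type.
            const string SamlV11TokenType = "http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1";

            // Issued tokens are valid for 12 hours by default.
            TimeSpan tokenLifetime = new TimeSpan(12, 0, 0);

            if (rst == null)
            {
                throw new ArgumentNullException("rst");
            }

            RequestSecurityTokenResponse rstr = new RequestSecurityTokenResponse();

            string tokenType = rst.TokenType;
            Console.WriteLine("Issue: Request for token type {0}", tokenType);
            if (tokenType != null && !string.Equals(tokenType, SamlV11TokenType, StringComparison.Ordinal))
            {
                throw new NotSupportedException("Unsupported token type " + tokenType);
            }

            // Signing key plus a thumbprint reference to it, both taken from the issuer's X.509 token.
            // NOTE(review): SecurityKeys[0] assumes the issuer token exposes at least one key — confirm at startup.
            SecurityKey signingKey = issuerToken.SecurityKeys[0];
            SecurityKeyIdentifier signingKeyIdentifier = new SecurityKeyIdentifier(issuerToken.CreateKeyIdentifierClause<X509ThumbprintKeyIdentifierClause>());

            // Asymmetric (public key) proof keys are not supported; only the symmetric path follows.
            if (rst.IsProofKeyAsymmetric())
            {
                throw new NotSupportedException("Public key issuance is not supported");
            }

            Console.WriteLine("Constructing Symmetric Proof Key");

            // Session key: the symmetric secret the client and the service will share. It appears
            // twice in the response — once for the service (embedded, encrypted, in the issued token)
            // and once for the client (a wst:RequestedProofToken element, presumably populated by
            // GetSessionKey since it receives rstr — verify against that helper).
            byte[] sessionKey = GetSessionKey(rst, rstr);

            // Token used to encrypt the key material for the target service.
            SecurityToken encryptingToken = DetermineEncryptingToken(rst);

            // Encrypt the session key for the service; proofKeyIdentifier references the encrypted key.
            SecurityKeyIdentifier proofKeyIdentifier;
            GetEncryptedKey(encryptingToken, sessionKey, out proofKeyIdentifier);

            // Validity window in UTC. The original used DateTime.Now: a local-time window depends on
            // the STS host's time zone and naive local arithmetic makes the lifetime off by an hour
            // across a DST transition. The expiry is derived from the same instant so the window is
            // exactly tokenLifetime long.
            DateTime effectiveTime = DateTime.UtcNow;
            DateTime expirationTime = effectiveTime + tokenLifetime;
            SecurityToken samlToken = CreateSAMLToken(effectiveTime, expirationTime, signingKey, signingKeyIdentifier, proofKeyIdentifier);

            rstr.RequestedSecurityToken = samlToken;
            rstr.Context = rst.Context;
            // Echoes the requested type back unchanged (null when the request omitted it).
            rstr.TokenType = tokenType;

            // Both references point at the assertion by its SAML assertion ID clause.
            SecurityKeyIdentifierClause samlReference = samlToken.CreateKeyIdentifierClause<SamlAssertionKeyIdentifierClause>();
            rstr.RequestedAttachedReference = samlReference;
            rstr.RequestedUnattachedReference = samlReference;
            return rstr;
        }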
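        /// <summary>
        /// Services a WS-Trust Issue request. Rejects anything other than a SAML 1.1 symmetric-key
        /// request, generates a session key, encrypts it for the relying service and returns a
        /// signed SAML assertion in a RequestSecurityTokenResponse.
        /// </summary>
        /// <param name="rst">The incoming RequestSecurityToken; must not be null.</param>
        /// <returns>The RSTR holding the issued token, its key-identifier references and the request context.</returns>
        /// <exception cref="ArgumentNullException">Thrown when <paramref name="rst"/> is null.</exception>
        /// <exception cref="NotSupportedException">
        /// Thrown for any requested token type other than SAML 1.1, or for an asymmetric proof key request.
        /// </exception>
        private RequestSecurityTokenResponse Issue(RequestSecurityToken rst)
        {
            // Only SAML 1.1 assertions are issued. An omitted TokenType is accepted as a request for this type.
            const string SamlV11TokenType = "http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1";

            // Default lifetime of an issued token.
            TimeSpan tokenLifetime = new TimeSpan(12, 0, 0);

            if (rst == null)
                throw new ArgumentNullException("rst");

            RequestSecurityTokenResponse rstr = new RequestSecurityTokenResponse();

            string tokenType = rst.TokenType;
            Console.WriteLine("Issue: Request for token type {0}", tokenType);
            if (tokenType != null && !string.Equals(tokenType, SamlV11TokenType, StringComparison.Ordinal))
            {
                throw new NotSupportedException("Unsupported token type " + tokenType);
            }

            // Issuer signing key and a thumbprint reference to it.
            // NOTE(review): indexing SecurityKeys[0] assumes the issuer token carries at least one key — confirm.
            SecurityKey signingKey = issuerToken.SecurityKeys[0];
            SecurityKeyIdentifier signingKeyIdentifier = new SecurityKeyIdentifier(issuerToken.CreateKeyIdentifierClause<X509ThumbprintKeyIdentifierClause>());

            // Public-key (asymmetric) proof keys are not supported by this STS.
            if (rst.IsProofKeyAsymmetric())
            {
                throw new NotSupportedException("Public key issuance is not supported");
            }

            Console.WriteLine("Constructing Symmetric Proof Key");

            // The session key is the symmetric secret shared by client and service. It is carried twice
            // in the response: encrypted inside the issued token for the service, and in a
            // wst:RequestedProofToken element for the client (GetSessionKey receives rstr and
            // presumably fills that in — verify against the helper).
            byte[] sessionKey = GetSessionKey(rst, rstr);

            // Token whose key is used to encrypt the session key for the service.
            SecurityToken encryptingToken = DetermineEncryptingToken(rst);

            // Encrypt the session key for the service and obtain a reference to the encrypted key.
            SecurityKeyIdentifier proofKeyIdentifier;
            GetEncryptedKey(encryptingToken, sessionKey, out proofKeyIdentifier);

            // Validity window expressed in UTC rather than the host's local time (DateTime.Now):
            // local-time arithmetic across a DST change shifts the real lifetime by an hour, and the
            // window must not depend on where the STS happens to run. Expiry is computed from the
            // same instant as the start so the token lives exactly tokenLifetime.
            DateTime effectiveTime = DateTime.UtcNow;
            DateTime expirationTime = effectiveTime + tokenLifetime;
            SecurityToken samlToken = CreateSAMLToken(effectiveTime, expirationTime, signingKey, signingKeyIdentifier, proofKeyIdentifier);

            rstr.RequestedSecurityToken = samlToken;
            rstr.Context = rst.Context;
            // The requested type is echoed back as-is; it is null when the request did not specify one.
            rstr.TokenType = tokenType;

            // Attached and unattached references both identify the assertion by its SAML assertion ID.
            SecurityKeyIdentifierClause samlReference = samlToken.CreateKeyIdentifierClause<SamlAssertionKeyIdentifierClause>();
            rstr.RequestedAttachedReference = samlReference;
            rstr.RequestedUnattachedReference = samlReference;
            return rstr;
        }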