public void AutomapperConfigurationIsValidToEntity()
        {
            var encryptingCertificate = Cert.LoadEncryptingCertificate();

            var relyingParty = new IdentityServer3.WsFederation.Models.RelyingParty
            {
                Realm                         = "urn:identityserver",
                Name                          = "Test Relying Party",
                Enabled                       = true,
                ReplyUrl                      = "https://www.google.com/",
                TokenType                     = "urn:oasis:names:tc:SAML:1.0:assertion",
                TokenLifeTime                 = 1000,
                IncludeAllClaimsForUser       = false,
                DefaultClaimTypeMappingPrefix = "https://schema.org/",
                SamlNameIdentifierFormat      = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress",
                SignatureAlgorithm            = SecurityAlgorithms.RsaSha256Signature,
                DigestAlgorithm               = SecurityAlgorithms.Sha256Digest,
                ClaimMappings                 = new Dictionary <string, string>
                {
                    { "name", ClaimTypes.Name },
                    { "email", ClaimTypes.Email }
                },
                EncryptingCertificate  = encryptingCertificate,
                PostLogoutRedirectUris = new List <string>
                {
                    "https://www.google.com/post",
                    "https://www.google.com/post2"
                }
            };

            var entity = relyingParty.ToEntity();

            Assert.NotNull(entity);
            Assert.True(entity.Realm == relyingParty.Realm);
            Assert.True(entity.Name == relyingParty.Name);
            Assert.True(entity.Enabled == relyingParty.Enabled);
            Assert.True(entity.ReplyUrl == relyingParty.ReplyUrl);
            Assert.True(entity.TokenType == relyingParty.TokenType);
            Assert.True(entity.TokenLifeTime == relyingParty.TokenLifeTime);
            Assert.True(entity.IncludeAllClaimsForUser == relyingParty.IncludeAllClaimsForUser);
            Assert.True(entity.DefaultClaimTypeMappingPrefix == relyingParty.DefaultClaimTypeMappingPrefix);
            Assert.True(entity.SamlNameIdentifierFormat == relyingParty.SamlNameIdentifierFormat);
            Assert.True(entity.DigestAlgorithm == relyingParty.DigestAlgorithm);

            Assert.NotNull(entity.ClaimMappings);
            Assert.True(entity.ClaimMappings.Any());
            Assert.True(entity.ClaimMappings.First(x => x.InboundClaim == "name").OutboundClaim == ClaimTypes.Name);

            Assert.NotNull(entity.EncryptingCertificate);
            var loadedCertificate = new X509Certificate2(entity.EncryptingCertificate);

            Assert.True(loadedCertificate.Subject == encryptingCertificate.Subject);
            Assert.True(loadedCertificate.Issuer == encryptingCertificate.Issuer);
            Assert.True(loadedCertificate.Thumbprint == encryptingCertificate.Thumbprint);

            Assert.NotNull(entity.PostLogoutRedirectUris);
            Assert.NotEmpty(entity.PostLogoutRedirectUris);

            ModelsMap.Mapper.ConfigurationProvider.AssertConfigurationIsValid();
        }
        public void AutomapperConfigurationIsValidToModel()
        {
            var encryptingCertificate = Cert.LoadEncryptingCertificate();

            var relyingParty = new RelyingParty
            {
                Realm                         = "urn:identityserver",
                Name                          = "Test Relying Party",
                Enabled                       = true,
                ReplyUrl                      = "https://www.google.com/",
                TokenType                     = "urn:oasis:names:tc:SAML:1.0:assertion",
                TokenLifeTime                 = 1000,
                IncludeAllClaimsForUser       = false,
                DefaultClaimTypeMappingPrefix = "https://schema.org/",
                SamlNameIdentifierFormat      = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress",
                SignatureAlgorithm            = SecurityAlgorithms.RsaSha256Signature,
                DigestAlgorithm               = SecurityAlgorithms.Sha256Digest,
                ClaimMappings                 = new List <ClaimMap>
                {
                    new ClaimMap {
                        InboundClaim = "name", OutboundClaim = ClaimTypes.Name
                    },
                    new ClaimMap {
                        InboundClaim = "email", OutboundClaim = ClaimTypes.Email
                    }
                },
                EncryptingCertificate  = encryptingCertificate.RawData,
                PostLogoutRedirectUris = new List <RelyingPartyPostLogoutUri>
                {
                    new RelyingPartyPostLogoutUri {
                        Uri = "https://www.google.com/post"
                    },
                    new RelyingPartyPostLogoutUri {
                        Uri = "https://www.google.com/post2"
                    }
                }
            };

            var model = relyingParty.ToModel();

            Assert.NotNull(model);
            Assert.True(model.Realm == relyingParty.Realm);
            Assert.True(model.Name == relyingParty.Name);
            Assert.True(model.Enabled == relyingParty.Enabled);
            Assert.True(model.ReplyUrl == relyingParty.ReplyUrl);
            Assert.True(model.TokenType == relyingParty.TokenType);
            Assert.True(model.TokenLifeTime == relyingParty.TokenLifeTime);
            Assert.True(model.IncludeAllClaimsForUser == relyingParty.IncludeAllClaimsForUser);
            Assert.True(model.DefaultClaimTypeMappingPrefix == relyingParty.DefaultClaimTypeMappingPrefix);
            Assert.True(model.SamlNameIdentifierFormat == relyingParty.SamlNameIdentifierFormat);
            Assert.True(model.DigestAlgorithm == relyingParty.DigestAlgorithm);

            Assert.NotNull(model.ClaimMappings);
            Assert.True(model.ClaimMappings.Any());
            Assert.True(model.ClaimMappings.First(x => x.Key == "name").Value == ClaimTypes.Name);

            Assert.NotNull(model.EncryptingCertificate);
            Assert.True(model.EncryptingCertificate.Subject == encryptingCertificate.Subject);
            Assert.True(model.EncryptingCertificate.Issuer == encryptingCertificate.Issuer);
            Assert.True(model.EncryptingCertificate.Thumbprint == encryptingCertificate.Thumbprint);

            Assert.NotNull(model.PostLogoutRedirectUris);
            Assert.NotEmpty(model.PostLogoutRedirectUris);

            EntitiesMap.Mapper.ConfigurationProvider.AssertConfigurationIsValid();
        }
Example #3
0
        public void CanAddRelyingPartyWithClaimMappings()
        {
            var encryptingCertificate = Cert.LoadEncryptingCertificate();

            var relyingParty = new RelyingParty
            {
                Realm                         = "urn:identityserver:encrypt",
                Name                          = "Test Relying Party",
                Enabled                       = true,
                ReplyUrl                      = "https://www.google.com/",
                TokenType                     = "urn:oasis:names:tc:SAML:1.0:assertion",
                TokenLifeTime                 = 1000,
                IncludeAllClaimsForUser       = false,
                DefaultClaimTypeMappingPrefix = "https://schema.org/",
                SamlNameIdentifierFormat      = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress",
                SignatureAlgorithm            = SecurityAlgorithms.RsaSha256Signature,
                DigestAlgorithm               = SecurityAlgorithms.Sha256Digest,
                ClaimMappings                 = new List <ClaimMap>
                {
                    new ClaimMap {
                        InboundClaim = "name", OutboundClaim = ClaimTypes.Name
                    },
                    new ClaimMap {
                        InboundClaim = "email", OutboundClaim = ClaimTypes.Email
                    }
                },
                EncryptingCertificate = encryptingCertificate.RawData
            };

            using (var context = new RelyingPartyConfigurationDbContext(ConfigConnectionStringName))
            {
                context.RelyingParties.Add(relyingParty);
                context.SaveChanges();
            }

            RelyingParty persistedRelyingParty;

            using (var context = new RelyingPartyConfigurationDbContext(ConfigConnectionStringName))
            {
                persistedRelyingParty =
                    context.RelyingParties.Include(x => x.ClaimMappings)
                    .FirstOrDefault(x => x.Realm == relyingParty.Realm);
            }

            Assert.NotNull(persistedRelyingParty);
            Assert.True(relyingParty.Realm == persistedRelyingParty.Realm);
            Assert.True(persistedRelyingParty.ClaimMappings.Any());
            Assert.True(relyingParty.ClaimMappings.Count == persistedRelyingParty.ClaimMappings.Count);
            Assert.True(relyingParty.DefaultClaimTypeMappingPrefix ==
                        persistedRelyingParty.DefaultClaimTypeMappingPrefix);
            Assert.True(relyingParty.DigestAlgorithm == persistedRelyingParty.DigestAlgorithm);
            Assert.True(relyingParty.Enabled == persistedRelyingParty.Enabled);
            Assert.True(relyingParty.Id == persistedRelyingParty.Id);
            Assert.True(relyingParty.IncludeAllClaimsForUser == persistedRelyingParty.IncludeAllClaimsForUser);
            Assert.True(relyingParty.Name == persistedRelyingParty.Name);
            Assert.True(relyingParty.ReplyUrl == persistedRelyingParty.ReplyUrl);
            Assert.True(relyingParty.SamlNameIdentifierFormat == persistedRelyingParty.SamlNameIdentifierFormat);
            Assert.True(relyingParty.SignatureAlgorithm == persistedRelyingParty.SignatureAlgorithm);
            Assert.True(relyingParty.TokenLifeTime == persistedRelyingParty.TokenLifeTime);
            Assert.True(relyingParty.TokenType == persistedRelyingParty.TokenType);

            Assert.NotNull(relyingParty.EncryptingCertificate);
            var readEncryptionCertificate = new X509Certificate2(relyingParty.EncryptingCertificate);

            Assert.True(readEncryptionCertificate.SubjectName.Name == encryptingCertificate.SubjectName.Name);
            Assert.True(readEncryptionCertificate.IssuerName.Name == encryptingCertificate.IssuerName.Name);
            Assert.True(readEncryptionCertificate.Thumbprint == encryptingCertificate.Thumbprint);

            // assert token encrypted using saved cert can be decrypted
            var testClaim = new Claim(ClaimTypes.NameIdentifier, "69307727-D2F7-4ED3-A7DF-08EEE8F8C624");
            var securityTokenDescriptor = new SecurityTokenDescriptor
            {
                AppliesToAddress   = relyingParty.Realm,
                Lifetime           = new Lifetime(DateTime.UtcNow, DateTime.UtcNow.AddMinutes(relyingParty.TokenLifeTime)),
                ReplyToAddress     = relyingParty.ReplyUrl,
                SigningCredentials = new X509SigningCredentials(Cert.LoadDecryptingCertificate(), relyingParty.SignatureAlgorithm, relyingParty.DigestAlgorithm),
                Subject            = new ClaimsIdentity(new List <Claim> {
                    testClaim
                }),
                TokenIssuerName       = "https://domain.test",
                TokenType             = "urn:oasis:names:tc:SAML:2.0:assertion",
                EncryptingCredentials = new EncryptedKeyEncryptingCredentials(readEncryptionCertificate)
            };

            var handler       = new Saml2SecurityTokenHandler();
            var securityToken = handler.CreateToken(securityTokenDescriptor);

            var stringBuilder = new StringBuilder();

            using (var writer = XmlWriter.Create(stringBuilder))
            {
                handler.WriteToken(writer, securityToken);
            }

            var token = stringBuilder.ToString();

            SecurityToken validatedToken;
            var           claimsPrincipal = handler.ValidateToken(
                token,
                new TokenValidationParameters
            {
                IssuerSigningKey         = new X509SecurityKey(Cert.LoadDecryptingCertificate()),
                ValidateIssuer           = false,
                ValidateIssuerSigningKey = false,
                ValidateAudience         = false,
                ClientDecryptionTokens   =
                    new ReadOnlyCollection <SecurityToken>(new List <SecurityToken>
                {
                    new X509SecurityToken(Cert.LoadDecryptingCertificate())
                })
            },
                out validatedToken);

            Assert.NotNull(validatedToken);
            Assert.NotNull(claimsPrincipal);
            Assert.True(claimsPrincipal.HasClaim(testClaim.Type, testClaim.Value));
        }