public void Saml2AuthenticationRequest_ToXElement_RootNode()
{
    // The serialized element must be the saml2p:AuthnRequest root.
    var element = new Saml2AuthenticationRequest().ToXElement();

    element.Should().NotBeNull();
    element.Name.Should().Be(Saml2Namespaces.Saml2P + "AuthnRequest");
}
public void Saml2AuthenticationRequest_Read_ShouldReturnNullOnNullXml()
{
    // A null document is treated as "no request" rather than an error.
    string noXml = null;

    var result = Saml2AuthenticationRequest.Read(noXml, null);

    result.Should().BeNull();
}
public void Saml2AuthenticationRequest_ForceAuthentication_OmittedIfFalse()
{
    // A false ForceAuthentication must not produce a ForceAuthn attribute at all.
    var request = new Saml2AuthenticationRequest { ForceAuthentication = false };

    var element = request.ToXElement();

    element.Should().NotBeNull();
    element.Attribute("ForceAuthn").Should().BeNull();
}
public void Saml2AuthenticationRequest_ToXElement_AddsAttributeConsumingServiceIndex()
{
    // The index is serialized as the decimal string of the configured value.
    var request = new Saml2AuthenticationRequest { AttributeConsumingServiceIndex = 17 };

    var element = request.ToXElement();

    element.Attribute("AttributeConsumingServiceIndex").Value.Should().Be("17");
}
public void SignInCommand_Run_Calls_Notifications()
{
    // Arrange: default idp, discovery service disabled so the idp is selected directly.
    var options = StubFactory.CreateOptions();
    var defaultIdp = options.IdentityProviders.Default;
    var relayData = new Dictionary<string, string>();
    options.SPOptions.DiscoveryServiceUrl = null;
    var httpRequest = new HttpRequestData("GET", new Uri("http://sp.example.com"));

    bool selectIdpCalled = false;
    options.Notifications.SelectIdentityProvider = (entityId, relay) =>
    {
        entityId.Should().BeSameAs(defaultIdp.EntityId);
        relay.Should().BeSameAs(relayData);
        selectIdpCalled = true;
        return null;
    };

    Saml2AuthenticationRequest createdRequest = null;
    options.Notifications.AuthenticationRequestCreated = (authnRequest, idp, relay) =>
    {
        authnRequest.Should().NotBeNull();
        idp.Should().BeSameAs(defaultIdp);
        relay.Should().BeSameAs(relayData);
        createdRequest = authnRequest;
    };

    CommandResult createdCommandResult = null;
    options.Notifications.SignInCommandResultCreated = (commandResult, relay) =>
    {
        createdCommandResult = commandResult;
        relay.Should().BeSameAs(relayData);
    };

    bool xmlCreatedCalled = false;
    options.Notifications.AuthenticationRequestXmlCreated = (authnRequest, xmlDoc, bindingType) =>
    {
        xmlCreatedCalled = true;
        authnRequest.Should().BeSameAs(createdRequest);
        bindingType.Should().Be(Saml2BindingType.HttpRedirect);
    };

    // Act
    var result = SignInCommand.Run(defaultIdp.EntityId, null, httpRequest, options, relayData);

    // Assert: the command hands back the notified result and every notification fired.
    result.Should().BeSameAs(createdCommandResult);
    createdRequest.Should().NotBeNull("the AuthenticationRequestCreated notification should have been called");
    selectIdpCalled.Should().BeTrue("the SelectIdentityProvider notification should have been called.");
    xmlCreatedCalled.Should().BeTrue("the AuthenticationedRequestXmlCreated should have been called.");
}
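/// <summary>
/// Handles the login form post: checks the submitted credentials against the configured
/// LDAP endpoint and, when the page was reached through a SAML2 redirect-binding
/// AuthnRequest, answers that request with a SAML2 response for the user.
/// </summary>
/// <param name="model">Posted form data (username and password).</param>
/// <returns>The bound SAML2 response when an AuthnRequest was present; otherwise the view.</returns>
/// <exception cref="ConfigurationErrorsException">The LDAP.Endpoint app setting is missing.</exception>
public async Task<ActionResult> Index(HomePageModel model)
{
    if (ModelState.IsValid)
    {
        var ldapEndpoint = ConfigurationManager.AppSettings["LDAP.Endpoint"];
        if (string.IsNullOrEmpty(ldapEndpoint))
        {
            throw new ConfigurationErrorsException("ConfigurationManager.AppSettings[\"LDAP.Endpoint\"] should not be null.");
        }

        // The credentials travel in the request body, so the configured endpoint should be an
        // https url. The client is disposed after the call; the original never released it.
        HttpResponseMessage result;
        using (var client = new HttpClient())
        {
            result = await client.PostAsJsonAsync(ldapEndpoint, new { Username = model.Username, Password = model.Password });
        }

        if (!result.IsSuccessStatusCode)
        {
            if (result.StatusCode == HttpStatusCode.Unauthorized)
            {
                ModelState.AddModelError("LDAP.Endpoint", "Username or Password not valid.");
            }
            else
            {
                ModelState.AddModelError("LDAP.Endpoint", "An error has ocurred. Please contact administrator.");
            }
            return View(model);
        }

        var assertionModel = AssertionModel.Create(nameId: model.Username);
        var requestData = Request.ToHttpRequestData(true);
        if (requestData.QueryString["SAMLRequest"].Any())
        {
            var extractedMessage = Saml2Binding.Get(Saml2BindingType.HttpRedirect)
                .Unbind(requestData, null);
            var request = new Saml2AuthenticationRequest(
                extractedMessage.Data, extractedMessage.RelayState);

            assertionModel.InResponseTo = request.Id.Value;
            // AssertionConsumerServiceURL is optional in an AuthnRequest; keep the model's
            // default instead of dereferencing a missing value.
            if (request.AssertionConsumerServiceUrl != null)
            {
                assertionModel.AssertionConsumerServiceUrl = request.AssertionConsumerServiceUrl.ToString();
            }
            assertionModel.RelayState = extractedMessage.RelayState;
            assertionModel.Audience = request.Issuer.Id;
            assertionModel.AuthnRequestXml = extractedMessage.Data.PrettyPrint();

            // The response is posted to the ACS url named by the (unauthenticated) request.
            // That is by design for a stub IdP; a production IdP validates it against
            // registered SP metadata.
            var response = assertionModel.ToSaml2Response();
            return Saml2Binding.Get(assertionModel.ResponseBinding)
                .Bind(response).ToActionResult();
        }
    }
    return View(model);
}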
public void Saml2AuthenticationRequest_ToXElement_ShouldHandleNullAcsUri()
{
    // No AssertionConsumerServiceURL attribute is emitted when the url is unset.
    var request = new Saml2AuthenticationRequest { AssertionConsumerServiceUrl = null };

    var element = request.ToXElement();

    element.Should().NotBeNull();
    element.Attribute("AssertionConsumerServiceURL").Should().BeNull();
}
public void Saml2AuthenticationRequest_ToXElement_OmitsRequestedAuthnContext_OnNullClassRef()
{
    // A RequestedAuthnContext without a class reference is left out of the xml entirely.
    var request = new Saml2AuthenticationRequest
    {
        AssertionConsumerServiceUrl = new Uri("http://destination.example.com"),
        RequestedAuthnContext = new Saml2RequestedAuthnContext(null, AuthnContextComparisonType.Exact)
    };

    var element = request.ToXElement();

    element.Element(Saml2Namespaces.Saml2P + "RequestedAuthnContext").Should().BeNull();
}
public void Saml2AuthenticationRequest_ForceAuthentication()
{
    // ForceAuthentication = true is serialized as ForceAuthn="true".
    var request = new Saml2AuthenticationRequest { ForceAuthentication = true };

    var element = request.ToXElement();

    element.Should().NotBeNull();
    var forceAuthn = element.Attribute("ForceAuthn");
    forceAuthn.Should().NotBeNull();
    forceAuthn.Value.Should().Be("true");
}
public void Saml2AuthenticationRequest_ToXElement_AddsRequestBaseFields()
{
    // Only the ID attribute is checked here; the details of the base fields are
    // covered by Saml2RequestBaseTests, so its presence stands in for all of them.
    var element = new Saml2AuthenticationRequest().ToXElement();

    element.Should().NotBeNull();
    element.Attribute("ID").Should().NotBeNull();
}
public void Saml2AuthenticationRequest_IsPassive()
{
    // IsPassive = true is serialized as IsPassive="true".
    var request = new Saml2AuthenticationRequest { IsPassive = true };

    var element = request.ToXElement();

    element.Should().NotBeNull();
    var isPassive = element.Attribute("IsPassive");
    isPassive.Should().NotBeNull();
    isPassive.Value.Should().Be("true");
}
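/// <summary>
/// Helper for the ProtocolBinding tests: serializes a request with the given binding
/// and checks the value of the ProtocolBinding attribute.
/// </summary>
/// <param name="protocolBinding">Binding to set on the request.</param>
/// <param name="expectedProtocolBinding">Expected ProtocolBinding attribute value.</param>
private void Saml2AuthenticationRequest_ToXElement_AddsProtocolBinding(AuthServices.WebSso.Saml2BindingType protocolBinding, string expectedProtocolBinding)
{
    var subject = new Saml2AuthenticationRequest()
    {
        AssertionConsumerServiceUrl = new Uri("http://destination.example.com"),
        Binding = protocolBinding
    }.ToXElement();

    // The original called Should().Equals(...), which is object.Equals on the assertion
    // object and can never fail; Be(...) is the real assertion.
    subject.Attribute("ProtocolBinding").Value.Should().Be(expectedProtocolBinding);
}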
public void Saml2AuthenticationRequest_AssertionConsumerServiceUrl()
{
    // The url round-trips into the AssertionConsumerServiceURL attribute unchanged.
    const string acsUrl = "http://some.example.com/Saml2AuthenticationModule/acs";
    var request = new Saml2AuthenticationRequest { AssertionConsumerServiceUrl = new Uri(acsUrl) };

    var element = request.ToXElement();

    element.Should().NotBeNull();
    var acsAttribute = element.Attribute("AssertionConsumerServiceURL");
    acsAttribute.Should().NotBeNull();
    acsAttribute.Value.Should().Be(acsUrl);
}
public void Saml2AuthenticationRequest_AssertionConsumerServiceUrl()
{
    // The url round-trips into the AssertionConsumerServiceURL attribute unchanged.
    var acsUri = new Uri("http://some.example.com/Saml2AuthenticationModule/acs");

    var element = new Saml2AuthenticationRequest { AssertionConsumerServiceUrl = acsUri }.ToXElement();

    element.Should().NotBeNull()
        .And.Subject.Attribute("AssertionConsumerServiceURL").Should().NotBeNull()
        .And.Subject.Value.Should().Be("http://some.example.com/Saml2AuthenticationModule/acs");
}
public void Saml2AuthenticationRequest_ToXElement_ShouldCorrectSerializeAcsUri()
{
    // The query string carries percent-encoded characters; they must survive
    // serialization exactly (no extra encoding, no decoding).
    const string acsUrl = "http://some.example.com/Saml2AuthenticationModule/acs?RelayState=https%3A%2F%2Fmy.relaystate.nl";
    var request = new Saml2AuthenticationRequest { AssertionConsumerServiceUrl = new Uri(acsUrl) };

    var element = request.ToXElement();

    element.Should().NotBeNull();
    var acsAttribute = element.Attribute("AssertionConsumerServiceURL");
    acsAttribute.Should().NotBeNull();
    acsAttribute.Value.Should().Be(acsUrl);
}
public void Saml2AuthenticationRequest_ToXElement_NameFormatTransientForbidsAllowCreate()
{
    // Serialization rejects AllowCreate combined with the transient name id format.
    var request = new Saml2AuthenticationRequest
    {
        AssertionConsumerServiceUrl = new Uri("http://destination.example.com"),
        NameIdPolicy = new Saml2NameIdPolicy(true, NameIdFormat.Transient)
    };

    Action serialize = () => request.ToXElement();

    serialize.ShouldThrow<InvalidOperationException>()
        .And.Message.Should().Be("When NameIdPolicy/Format is set to Transient, it is not permitted to specify AllowCreate. Change Format or leave AllowCreate as null.");
}
public void Saml2AuthenticationRequest_Extensions()
{
    // Content added to ExtensionContents ends up under a saml2p:Extensions element.
    var request = new Saml2AuthenticationRequest();
    var customElement = new XElement(XNamespace.Get("test") + "aditional");
    request.ExtensionContents.Add(customElement);

    var element = request.ToXElement();

    element.Should().NotBeNull();
    var extensions = element.Element(Saml2Namespaces.Saml2P + "Extensions");
    extensions.Should().NotBeNull();
    var contents = extensions.Elements();
    contents.Should().HaveCount(1);
    contents.First().Name.LocalName.Should().Be("aditional");
}
public void Saml2AuthenticationRequest_ToXml_PreservesCustomChanges()
{
    // Changes made by XmlCreated subscribers must show up in the serialized string.
    var request = new Saml2AuthenticationRequest();
    request.XmlCreated += (sender, element) => element.Add(new XAttribute("CustomAttribute", "CustomValue"));

    var xml = request.ToXml();

    xml.Should().Contain("CustomAttribute=\"CustomValue\"");
}
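/// <summary>
/// Stub IdP start page: prefills the assertion model from configuration and, when the page
/// was reached through a SAML2 redirect-binding AuthnRequest, copies InResponseTo and the
/// ACS url from that request.
/// </summary>
/// <returns>The view with the populated <see cref="AssertionModel"/>.</returns>
public ActionResult Index()
{
    var model = AssertionModel.CreateFromConfiguration();

    // Read returns null for a null document, which the null check below covers.
    var request = Saml2AuthenticationRequest.Read(Saml2Binding.Get(Saml2BindingType.HttpRedirect).Unbind(Request));
    if (request != null)
    {
        model.InResponseTo = request.Id;
        // AssertionConsumerServiceURL is optional in an AuthnRequest; a request without it
        // previously caused a NullReferenceException here.
        if (request.AssertionConsumerServiceUrl != null)
        {
            model.AssertionConsumerServiceUrl = request.AssertionConsumerServiceUrl.ToString();
        }
    }
    return View(model);
}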
public void Saml2AuthenticationRequest_ToXElement_Scoping_NullContents_EmptyScoping()
{
    // A Scoping with no content still serializes as an empty saml2p:Scoping element.
    var request = new Saml2AuthenticationRequest
    {
        AssertionConsumerServiceUrl = new Uri("http://destination.example.com"),
        Scoping = new Saml2Scoping()
    };

    var actual = request.ToXElement().Element(Saml2Namespaces.Saml2P + "Scoping");

    // Built inside a namespaced root so the expected element carries the same prefix declaration.
    var root = new XElement(Saml2Namespaces.Saml2P + "root",
        new XAttribute(XNamespace.Xmlns + "saml2p", Saml2Namespaces.Saml2P),
        new XElement(Saml2Namespaces.Saml2P + "Scoping"));
    var expected = root.Elements().Single();

    actual.Should().BeEquivalentTo(expected);
}
public void Saml2AuthenticationRequest_ToXElement_AddsElementSaml2NameIdPolicy()
{
    XNamespace saml2p = "urn:oasis:names:tc:SAML:2.0:protocol";
    var request = new Saml2AuthenticationRequest
    {
        AssertionConsumerServiceUrl = new Uri("http://destination.example.com"),
        NameIdPolicy = new Saml2NameIdPolicy { AllowCreate = false, Format = NameIdFormat.EmailAddress }
    };

    var element = request.ToXElement();

    // No AttributeConsumingServiceIndex was set, so none may be serialized.
    element.Attribute("AttributeConsumingServiceIndex").Should().BeNull();
    element.Should().NotBeNull();
    element.Element(saml2p + "NameIDPolicy").Should().NotBeNull();
}
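/// <summary>
/// Stub IdP start page. Applies the cached per-idp configuration when <paramref name="idpId"/>
/// is given and, when a SAML2 redirect-binding AuthnRequest is present in the query string,
/// prefills the assertion model from that request.
/// </summary>
/// <param name="idpId">Optional id of a cached idp configuration.</param>
/// <returns>The view with the populated <see cref="HomePageModel"/>.</returns>
public ActionResult Index(Guid? idpId)
{
    var model = new HomePageModel
    {
        AssertionModel = AssertionModel.CreateFromConfiguration(),
    };

    if (idpId.HasValue)
    {
        var fileData = GetCachedConfiguration(idpId.Value);
        if (fileData != null)
        {
            if (!string.IsNullOrEmpty(fileData.DefaultAssertionConsumerServiceUrl))
            {
                // Override default StubIdp Acs with Acs from IdpConfiguration
                model.AssertionModel.AssertionConsumerServiceUrl = fileData.DefaultAssertionConsumerServiceUrl;
            }
            // The original guarded this with DefaultAssertionConsumerServiceUrl (copy/paste),
            // which overwrote the audience with an empty value when only the ACS was
            // configured, and skipped it when only the audience was.
            if (!string.IsNullOrEmpty(fileData.DefaultAudience))
            {
                model.AssertionModel.Audience = fileData.DefaultAudience;
            }
            model.CustomDescription = fileData.IdpDescription;
            model.AssertionModel.NameId = null;
            model.HideDetails = fileData.HideDetails;
        }
    }

    var requestData = Request.ToHttpRequestData(false);
    if (requestData.QueryString["SAMLRequest"].Any())
    {
        var extractedMessage = Saml2Binding.Get(Saml2BindingType.HttpRedirect)
            .Unbind(requestData, null);
        var request = new Saml2AuthenticationRequest(
            extractedMessage.Data, extractedMessage.RelayState);

        model.AssertionModel.InResponseTo = request.Id.Value;
        // AssertionConsumerServiceURL is optional in an AuthnRequest; keep the configured
        // default instead of dereferencing a missing value.
        if (request.AssertionConsumerServiceUrl != null)
        {
            model.AssertionModel.AssertionConsumerServiceUrl = request.AssertionConsumerServiceUrl.ToString();
        }
        model.AssertionModel.RelayState = extractedMessage.RelayState;
        model.AssertionModel.Audience = request.Issuer.Id;
        model.AssertionModel.AuthnRequestXml = extractedMessage.Data.PrettyPrint();
    }
    return View(model);
}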
public void Saml2AuthenticationRequest_ToXElement_AddsElementSaml2NameIdPolicy_ForNameIdFormat()
{
    // Only Format is set, so the NameIDPolicy element carries a Format attribute and nothing else.
    var request = new Saml2AuthenticationRequest
    {
        AssertionConsumerServiceUrl = new Uri("http://destination.example.com"),
        NameIdPolicy = new Saml2NameIdPolicy(null, NameIdFormat.EmailAddress)
    };

    var actual = request.ToXElement().Element(Saml2Namespaces.Saml2P + "NameIDPolicy");

    var root = new XElement(Saml2Namespaces.Saml2P + "root",
        new XAttribute(XNamespace.Xmlns + "saml2p", Saml2Namespaces.Saml2P),
        new XElement(Saml2Namespaces.Saml2P + "NameIDPolicy",
            new XAttribute("Format", "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress")));
    var expected = root.Elements().Single();

    actual.Should().BeEquivalentTo(expected);
}
public void Saml2AuthenticationRequest_ToXElement_AddsElementSaml2NameIdPolicy_ForAllowCreate()
{
    // Only AllowCreate is set; Format is NotConfigured and must not be serialized.
    var request = new Saml2AuthenticationRequest
    {
        AssertionConsumerServiceUrl = new Uri("http://destination.example.com"),
        NameIdPolicy = new Saml2NameIdPolicy(false, NameIdFormat.NotConfigured)
    };

    var element = request.ToXElement();

    var root = new XElement(Saml2Namespaces.Saml2P + "root",
        new XAttribute(XNamespace.Xmlns + "saml2p", Saml2Namespaces.Saml2P),
        new XElement(Saml2Namespaces.Saml2P + "NameIDPolicy",
            new XAttribute("AllowCreate", false)));
    var expected = root.Elements().Single();

    element.Attribute("AttributeConsumingServiceIndex").Should().BeNull();
    element.Element(Saml2Namespaces.Saml2P + "NameIDPolicy").Should().BeEquivalentTo(expected);
}
public void IdentityProvider_CreateAuthenticateRequest_BasicInfo()
{
    var options = Options.FromConfiguration;
    var identityProvider = options.IdentityProviders.Default;
    var authServicesUrls = StubFactory.CreateAuthServicesUrls();

    var actual = identityProvider.CreateAuthenticateRequest(null, authServicesUrls);

    // Each request gets its own Id, so it is excluded from the comparison.
    var expected = new Saml2AuthenticationRequest
    {
        AssertionConsumerServiceUrl = authServicesUrls.AssertionConsumerServiceUrl,
        DestinationUrl = identityProvider.SingleSignOnServiceUrl,
        Issuer = options.SPOptions.EntityId,
        AttributeConsumingServiceIndex = 0,
    };
    actual.ShouldBeEquivalentTo(expected, config => config.Excluding(r => r.Id));
}
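/// <summary>
/// Stub IdP start page: prefills the assertion model from configuration and, when a SAML2
/// redirect-binding AuthnRequest is present in the query string, from that request.
/// </summary>
/// <returns>The view with the populated <see cref="AssertionModel"/>.</returns>
public ActionResult Index()
{
    var model = AssertionModel.CreateFromConfiguration();

    var requestData = Request.ToHttpRequestData();
    if (requestData.QueryString["SAMLRequest"].Any())
    {
        var decodedXmlData = Saml2Binding.Get(Saml2BindingType.HttpRedirect)
            .Unbind(requestData);
        var request = Saml2AuthenticationRequest.Read(decodedXmlData);

        model.InResponseTo = request.Id;
        // AssertionConsumerServiceURL is optional in an AuthnRequest; the original threw
        // NullReferenceException when it was absent. The configured default is kept instead.
        if (request.AssertionConsumerServiceUrl != null)
        {
            model.AssertionConsumerServiceUrl = request.AssertionConsumerServiceUrl.ToString();
        }
        model.AuthnRequestXml = decodedXmlData;
    }
    return View(model);
}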
public void Saml2AuthenticationRequest_Read_NoACS()
{
    // An AuthnRequest without AssertionConsumerServiceURL is accepted; the property stays null.
    const string xmlData = @"<?xml version=""1.0"" encoding=""UTF-8""?> <samlp:AuthnRequest xmlns:samlp=""urn:oasis:names:tc:SAML:2.0:protocol"" xmlns:saml=""urn:oasis:names:tc:SAML:2.0:assertion"" ID=""Saml2AuthenticationRequest_Read_NoACS"" Version=""2.0"" Destination=""http://destination.example.com"" IssueInstant=""2004-12-05T09:21:59Z""> <saml:Issuer>https://sp.example.com/SAML2</saml:Issuer> /> </samlp:AuthnRequest> ";

    var parsed = Saml2AuthenticationRequest.Read(xmlData, null);

    parsed.Id.Should().Be(new Saml2Id("Saml2AuthenticationRequest_Read_NoACS"));
    parsed.AssertionConsumerServiceUrl.Should().Be(null);
}
public void Saml2AuthenticationRequest_Read_NoFormat()
{
    // A NameIDPolicy with AllowCreate but no Format parses to Format = NotConfigured.
    const string xmlData = @"<?xml version=""1.0"" encoding=""UTF-8""?> <saml2p:AuthnRequest xmlns:saml2p=""urn:oasis:names:tc:SAML:2.0:protocol"" xmlns:saml2 =""urn:oasis:names:tc:SAML:2.0:assertion"" ID=""ide3c2f1c88255463ab4eb1b158fa6f616"" Version=""2.0"" IssueInstant=""2016-01-25T13:01:09Z"" Destination=""http://destination.example.com"" AssertionConsumerServiceURL=""https://sp.example.com/SAML2/Acs"" > <saml2:Issuer>https://sp.example.com/SAML2</saml2:Issuer> <saml2p:NameIDPolicy AllowCreate = ""false""/> </saml2p:AuthnRequest>";

    var parsed = Saml2AuthenticationRequest.Read(xmlData, null);

    var policy = parsed.NameIdPolicy;
    policy.AllowCreate.Should().Be(false);
    policy.Format.Should().Be(NameIdFormat.NotConfigured);
}
/// <summary>
/// Helper for the RequestedAuthnContext tests: serializes a request with the given
/// comparison type and checks the resulting saml2p:RequestedAuthnContext element.
/// </summary>
/// <param name="comparisonType">Comparison type to set on the request.</param>
/// <param name="expectedComparisonType">Expected value of the Comparison attribute.</param>
private void Saml2AuthenticationRequest_ToXElement_AddsRequestedAuthnContextUtil(AuthnContextComparisonType comparisonType, string expectedComparisonType)
{
    const string classRef = "http://www.kentor.se";
    var request = new Saml2AuthenticationRequest
    {
        AssertionConsumerServiceUrl = new Uri("http://destination.example.com"),
        RequestedAuthnContext = new Saml2RequestedAuthnContext(new Uri(classRef), comparisonType)
    };

    var actual = request.ToXElement().Element(Saml2Namespaces.Saml2P + "RequestedAuthnContext");

    // Both prefixes are declared on a throw-away root so the expected element matches.
    var root = new XElement(Saml2Namespaces.Saml2P + "root",
        new XAttribute(XNamespace.Xmlns + "saml2p", Saml2Namespaces.Saml2P),
        new XAttribute(XNamespace.Xmlns + "saml2", Saml2Namespaces.Saml2),
        new XElement(Saml2Namespaces.Saml2P + "RequestedAuthnContext",
            new XAttribute("Comparison", expectedComparisonType),
            new XElement(Saml2Namespaces.Saml2 + "AuthnContextClassRef", classRef)));
    var expected = root.Elements().Single();

    actual.Should().BeEquivalentTo(expected);
}
public void Saml2AuthenticationRequest_Read_ShouldThrowOnInvalidMessageName()
{
    // A protocol-namespaced root that is not AuthnRequest must be rejected, not parsed leniently.
    const string xmlData = @"<?xml version=""1.0"" encoding=""UTF-8""?> <samlp:NotAuthnRequest xmlns:samlp=""urn:oasis:names:tc:SAML:2.0:protocol"" xmlns:saml=""urn:oasis:names:tc:SAML:2.0:assertion"" ID=""Saml2AuthenticationRequest_Read_ShouldThrowOnInvalidMessageName"" Version=""2.0"" Destination=""http://destination.example.com"" AssertionConsumerServiceURL=""https://sp.example.com/SAML2/Acs"" IssueInstant=""2004-12-05T09:21:59Z"" InResponseTo=""111222333""> <saml:Issuer>https://sp.example.com/SAML2</saml:Issuer> /> </samlp:NotAuthnRequest> ";

    Action read = () => Saml2AuthenticationRequest.Read(xmlData, null);

    read.ShouldThrow<XmlException>().WithMessage("Expected a SAML2 authentication request document");
}
public void Saml2AuthenticationRequest_ToXElement_Scoping_ZeroProxyCount_AttributeAdded()
{
    // ProxyCount = 0 is a meaningful value (no proxying allowed) and must be serialized.
    var request = new Saml2AuthenticationRequest
    {
        AssertionConsumerServiceUrl = new Uri("http://destination.example.com"),
        Scoping = new Saml2Scoping { ProxyCount = 0 }
    };

    var actual = request.ToXElement().Element(Saml2Namespaces.Saml2P + "Scoping");

    var root = new XElement(Saml2Namespaces.Saml2P + "root",
        new XAttribute(XNamespace.Xmlns + "saml2p", Saml2Namespaces.Saml2P),
        new XElement(Saml2Namespaces.Saml2P + "Scoping",
            new XAttribute("ProxyCount", "0")));
    var expected = root.Elements().Single();

    actual.Should().BeEquivalentTo(expected);
}
/// <summary>
/// Answers a SAML2 redirect-binding AuthnRequest for the current (already authenticated)
/// user: builds the assertion from the request and the identity, records a session, and
/// returns the response bound for HTTP POST.
/// </summary>
/// <param name="idpId">Route value; not read by this action body.</param>
/// <returns>The POST-bound SAML2 response as an action result.</returns>
/// <exception cref="InvalidOperationException">No SAMLRequest query parameter was present.</exception>
public ActionResult Index(Guid? idpId)
{
    var requestData = Request.ToHttpRequestData();
    if (requestData.QueryString["SAMLRequest"].Any())
    {
        var decodedXmlData = Saml2Binding.Get(Saml2BindingType.HttpRedirect)
            .Unbind(requestData);
        var request = Saml2AuthenticationRequest.Read(decodedXmlData);
        var model = new AssertionModel();
        model.InResponseTo = request.Id;
        // NOTE(review): AssertionConsumerServiceURL is optional in an AuthnRequest; a request
        // without it throws NullReferenceException here. The response is also sent to whatever
        // ACS url the unauthenticated request named, which is only acceptable in a stub IdP.
        model.AssertionConsumerServiceUrl = request.AssertionConsumerServiceUrl.ToString();
        model.AuthnRequestXml = decodedXmlData;
        // The assertion subject is the identity already established against this application.
        model.NameId = ((ClaimsIdentity)User.Identity).Name;
        var manager = SessionManager.Instance;
        var response = model.ToSaml2Response();
        // NOTE(review): assumes the request Id is a two-character prefix followed by a GUID;
        // any other Id (the value is request-controlled) makes Guid.Parse throw FormatException.
        manager.AddSession(model.NameId, new Session()
        {
            Id = Guid.Parse(request.Id.Substring(2)),
            Ip = Request.UserHostAddress,
            UserAgent = Request.UserAgent,
            LogoutUrl = request.Issuer.Id,
            Issuer = response.Issuer.Id
        });
        var commandResult = Saml2Binding.Get(Saml2BindingType.HttpPost)
            .Bind(response);
        return(commandResult.ToActionResult());
    }
    // Reached without a SAMLRequest; presumably this page is only entered via an SP redirect.
    throw new InvalidOperationException();
}
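/// <summary>
/// Create an authenticate request aimed for this idp.
/// </summary>
/// <param name="returnUrl">The return url where the browser should be sent after
/// successful authentication.</param>
/// <param name="authServicesUrls">Urls for AuthServices, used to populate fields
/// in the created AuthnRequest</param>
/// <param name="relayData">Aux data that should be preserved across the authentication</param>
/// <returns>AuthnRequest</returns>
/// <exception cref="ArgumentNullException"><paramref name="authServicesUrls"/> is null.</exception>
public Saml2AuthenticationRequest CreateAuthenticateRequest(
    Uri returnUrl,
    AuthServicesUrls authServicesUrls,
    object relayData)
{
    if (authServicesUrls == null)
    {
        // nameof keeps the parameter name in sync with the signature, matching the
        // other CreateAuthenticateRequest overloads.
        throw new ArgumentNullException(nameof(authServicesUrls));
    }

    var authnRequest = new Saml2AuthenticationRequest()
    {
        DestinationUrl = SingleSignOnServiceUrl,
        AssertionConsumerServiceUrl = authServicesUrls.AssertionConsumerServiceUrl,
        Issuer = spOptions.EntityId,
        // For now we only support one attribute consuming service.
        AttributeConsumingServiceIndex = spOptions.AttributeConsumingServices.Any() ? 0 : (int?)null
    };

    // The return url and relay data are kept server side, keyed by the request id,
    // presumably so a response's InResponseTo can be matched to a request this SP issued.
    var responseData = new StoredRequestState(EntityId, returnUrl, relayData);
    PendingAuthnRequests.Add(new Saml2Id(authnRequest.Id), responseData);

    return authnRequest;
}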
/// <summary>
/// Builds an AuthnRequest aimed at this idp and records the request state under the
/// request's relay state.
/// </summary>
/// <param name="returnUrl">Url the browser is sent to after a successful authentication.</param>
/// <param name="authServicesUrls">AuthServices urls used to fill in the request.</param>
/// <param name="relayData">Caller data preserved across the authentication.</param>
/// <returns>The populated, and when configured signed, AuthnRequest.</returns>
/// <exception cref="ArgumentNullException"><paramref name="authServicesUrls"/> is null.</exception>
/// <exception cref="ConfigurationErrorsException">Signing is set to Always but no signing certificate is configured.</exception>
public Saml2AuthenticationRequest CreateAuthenticateRequest(
    Uri returnUrl,
    AuthServicesUrls authServicesUrls,
    object relayData)
{
    if (authServicesUrls == null)
    {
        throw new ArgumentNullException(nameof(authServicesUrls));
    }

    // Only one attribute consuming service is supported, hence index 0 or none.
    int? attributeConsumingServiceIndex = spOptions.AttributeConsumingServices.Any() ? 0 : (int?)null;

    var authnRequest = new Saml2AuthenticationRequest
    {
        DestinationUrl = SingleSignOnServiceUrl,
        AssertionConsumerServiceUrl = authServicesUrls.AssertionConsumerServiceUrl,
        Issuer = spOptions.EntityId,
        AttributeConsumingServiceIndex = attributeConsumingServiceIndex,
    };

    bool signingRequired = spOptions.AuthenticateRequestSigningBehavior == SigningBehavior.Always;
    if (signingRequired)
    {
        var signingCertificate = spOptions.SigningServiceCertificate;
        if (signingCertificate == null)
        {
            var message = string.Format(
                CultureInfo.InvariantCulture,
                "Idp \"{0}\" is configured for signed AuthenticateRequests, but ServiceCertificates configuration contains no certificate with usage \"Signing\" or \"Both\".",
                EntityId.Id);
            throw new ConfigurationErrorsException(message);
        }
        authnRequest.SigningCertificate = signingCertificate;
    }

    // State is stored under the request's relay state (presumably looked up by the same key
    // when the response arrives).
    var storedState = new StoredRequestState(EntityId, returnUrl, authnRequest.Id, relayData);
    PendingAuthnRequests.Add(authnRequest.RelayState, storedState);

    return authnRequest;
}
/// <summary>
/// Builds an AuthnRequest aimed at this idp from the SP options, signing it when the
/// configured signing behavior (or the idp's WantAuthnRequestsSigned) requires it.
/// </summary>
/// <param name="authServicesUrls">AuthServices urls used to fill in the request.</param>
/// <returns>The populated, and when required signed, AuthnRequest.</returns>
/// <exception cref="ArgumentNullException"><paramref name="authServicesUrls"/> is null.</exception>
/// <exception cref="ConfigurationErrorsException">Signing is required but no signing certificate is configured.</exception>
public Saml2AuthenticationRequest CreateAuthenticateRequest(
    AuthServicesUrls authServicesUrls)
{
    if (authServicesUrls == null)
    {
        throw new ArgumentNullException(nameof(authServicesUrls));
    }

    // Only one attribute consuming service is supported, hence index 0 or none.
    int? attributeConsumingServiceIndex = spOptions.AttributeConsumingServices.Any() ? 0 : (int?)null;

    var authnRequest = new Saml2AuthenticationRequest
    {
        DestinationUrl = SingleSignOnServiceUrl,
        AssertionConsumerServiceUrl = authServicesUrls.AssertionConsumerServiceUrl,
        Issuer = spOptions.EntityId,
        AttributeConsumingServiceIndex = attributeConsumingServiceIndex,
        NameIdPolicy = spOptions.NameIdPolicy,
        RequestedAuthnContext = spOptions.RequestedAuthnContext
    };

    // Sign when the SP always signs, or when it defers to the idp and the idp asks for it.
    var behavior = spOptions.AuthenticateRequestSigningBehavior;
    bool signingRequired = behavior == SigningBehavior.Always
        || (behavior == SigningBehavior.IfIdpWantAuthnRequestsSigned && WantAuthnRequestsSigned);

    if (signingRequired)
    {
        var signingCertificate = spOptions.SigningServiceCertificate;
        if (signingCertificate == null)
        {
            var message = string.Format(
                CultureInfo.InvariantCulture,
                "Idp \"{0}\" is configured for signed AuthenticateRequests, but ServiceCertificates configuration contains no certificate with usage \"Signing\" or \"Both\". To resolve this issue you can a) add a service certificate with usage \"Signing\" or \"Both\" (default if not specified is \"Both\") or b) Set the AuthenticateRequestSigningBehavior configuration property to \"Never\".",
                EntityId.Id);
            throw new ConfigurationErrorsException(message);
        }
        authnRequest.SigningCertificate = signingCertificate;
    }

    return authnRequest;
}