        /// <summary>
        /// Yields one <see cref="ClaimsIdentity"/> per assertion in this response.
        /// The response is validated first and must carry a Success status; each
        /// assertion is then read as a token, checked against replay, and has its
        /// conditions (audience included, when the configured mode requires it) validated.
        /// </summary>
        /// <param name="options">Options whose <c>SPOptions</c> provide the token handler and identity configuration.</param>
        /// <returns>The identities, yielded lazily in the order the assertions are enumerated.</returns>
        /// <exception cref="UnsuccessfulSamlOperationException">The response status is not Success.</exception>
        private IEnumerable<ClaimsIdentity> CreateClaims(IOptions options)
        {
            Validate(options);

            if (status != Saml2StatusCode.Success)
            {
                var messageSuffix = statusMessage != null
                    ? " Message: " + statusMessage + "."
                    : string.Empty;

                throw new UnsuccessfulSamlOperationException(
                    string.Format("The Saml2Response must have status success to extract claims. Status: {0}.{1}",
                                  status.ToString(), messageSuffix),
                    status, statusMessage, secondLevelStatus);
            }

            foreach (XmlElement assertionElement in GetAllAssertionElementNodes(options))
            {
                // The ds:Signature child is hidden from the token handler, so the handler
                // does not verify it itself. NOTE(review): this relies on Validate(options)
                // having already checked the signature that covers each assertion enumerated
                // here -- confirm that invariant holds for every assertion source.
                using (var assertionReader = new FilteringXmlNodeReader(SignedXml.XmlDsigNamespaceUrl, "Signature", assertionElement))
                {
                    var spOptions = options.SPOptions;
                    var tokenHandler = spOptions.Saml2PSecurityTokenHandler;

                    var securityToken = (Saml2SecurityToken)tokenHandler.ReadToken(assertionReader);
                    tokenHandler.DetectReplayedToken(securityToken);

                    // Audience enforcement is decided by the configured AudienceMode, not by
                    // whether the assertion happens to contain an AudienceRestriction.
                    var audienceMode = spOptions.SystemIdentityModelIdentityConfiguration.AudienceRestriction.AudienceMode;
                    var enforceAudience = spOptions.Saml2PSecurityTokenHandler
                        .SamlSecurityTokenRequirement
                        .ShouldEnforceAudienceRestriction(audienceMode, securityToken);

                    tokenHandler.ValidateConditions(securityToken.Assertion.Conditions, enforceAudience);

                    yield return tokenHandler.CreateClaims(securityToken);
                }
            }
        }
        /// <summary>
        /// Yields one <see cref="ClaimsIdentity"/> per assertion in this response.
        /// The response is validated first and must carry a Success status; each
        /// assertion is then read as a token, checked against replay, and has its
        /// conditions validated.
        /// </summary>
        /// <param name="options">Options providing the <c>Saml2PSecurityTokenHandler</c> used to read and validate tokens.</param>
        /// <returns>The identities, yielded lazily in the order of <c>AllAssertionElementNodes</c>.</returns>
        /// <exception cref="InvalidOperationException">The response status is not Success.</exception>
        private IEnumerable<ClaimsIdentity> CreateClaims(SAML2AuthenticationOptions options)
        {
            Validate(options);

            if (status != Saml2StatusCode.Success)
            {
                var messageSuffix = statusMessage != null
                    ? " Message: " + statusMessage + "."
                    : string.Empty;

                throw new InvalidOperationException(
                    string.Format("The Saml2Response must have status success to extract claims. Status: {0}.{1}",
                                  status.ToString(), messageSuffix));
            }

            foreach (XmlElement assertionElement in AllAssertionElementNodes)
            {
                // The ds:Signature child is hidden from the token handler, so the handler
                // does not verify it itself. NOTE(review): this relies on Validate(options)
                // having already checked the signature covering each assertion -- confirm.
                using (var assertionReader = new FilteringXmlNodeReader(SignedXml.XmlDsigNamespaceUrl, "Signature", assertionElement))
                {
                    var tokenHandler = options.Saml2PSecurityTokenHandler;

                    var securityToken = (Saml2SecurityToken)tokenHandler.ReadToken(assertionReader);
                    tokenHandler.DetectReplayedToken(securityToken);

                    // Audience is only enforced when the assertion itself carries at least one
                    // AudienceRestriction. NOTE(review): an assertion that omits the restriction
                    // therefore reaches ValidateConditions with enforcement switched off, so the
                    // IdP (not the SP's configuration) decides whether audience is checked --
                    // decide whether this SP should require a restriction instead.
                    var conditions = securityToken.Assertion.Conditions;
                    var enforceAudience = conditions.AudienceRestrictions.Count > 0;

                    tokenHandler.ValidateConditions(conditions, enforceAudience);

                    yield return tokenHandler.CreateClaims(securityToken);
                }
            }
        }
        /// <summary>
        /// Yields one <see cref="ClaimsIdentity"/> per assertion in this response.
        /// The response is validated first and must carry a Success status; each
        /// assertion is then read as a token, checked against replay, and has its
        /// conditions (audience included, when the configured mode requires it) validated.
        /// As a side effect, <c>sessionNotOnOrAfter</c> is tightened to the earliest
        /// SessionNotOnOrAfter found on the assertions' authentication statements.
        /// </summary>
        /// <param name="options">Options whose <c>SPOptions</c> provide the token handler, identity configuration and logger.</param>
        /// <returns>The identities, yielded lazily in the order the assertions are enumerated.</returns>
        /// <exception cref="UnsuccessfulSamlOperationException">The response status is not Success.</exception>
        private IEnumerable<ClaimsIdentity> CreateClaims(IOptions options)
        {
            Validate(options);

            if (status != Saml2StatusCode.Success)
            {
                var messageSuffix = statusMessage != null
                    ? " Message: " + statusMessage + "."
                    : string.Empty;

                throw new UnsuccessfulSamlOperationException(
                    string.Format("The Saml2Response must have status success to extract claims. Status: {0}.{1}",
                                  status.ToString(), messageSuffix),
                    status, statusMessage, secondLevelStatus);
            }

            foreach (XmlElement assertionElement in GetAllAssertionElementNodes(options))
            {
                // The ds:Signature child is hidden from the token handler, so the handler
                // does not verify it itself. NOTE(review): this relies on Validate(options)
                // having already checked the signature that covers each assertion enumerated
                // here -- confirm that invariant holds for every assertion source.
                using (var assertionReader = new FilteringXmlNodeReader(SignedXml.XmlDsigNamespaceUrl, "Signature", assertionElement))
                {
                    var spOptions = options.SPOptions;
                    var tokenHandler = spOptions.Saml2PSecurityTokenHandler;

                    var securityToken = (Saml2SecurityToken)tokenHandler.ReadToken(assertionReader);
                    spOptions.Logger.WriteVerbose("Extracted SAML assertion " + securityToken.Id);

                    tokenHandler.DetectReplayedToken(securityToken);

                    // Audience enforcement is decided by the configured AudienceMode, not by
                    // whether the assertion happens to contain an AudienceRestriction.
                    var audienceMode = spOptions.SystemIdentityModelIdentityConfiguration.AudienceRestriction.AudienceMode;
                    var enforceAudience = spOptions.Saml2PSecurityTokenHandler
                        .SamlSecurityTokenRequirement
                        .ShouldEnforceAudienceRestriction(audienceMode, securityToken);

                    tokenHandler.ValidateConditions(securityToken.Assertion.Conditions, enforceAudience);

                    spOptions.Logger.WriteVerbose("Validated conditions for SAML2 Response " + Id);

                    // Keep the earliest session expiry across all assertions; a missing
                    // AuthnStatement contributes null and leaves the current value alone
                    // (SingleOrDefault still throws if an assertion carries more than one).
                    var authnStatement = securityToken.Assertion.Statements
                        .OfType<Saml2AuthenticationStatement>()
                        .SingleOrDefault();
                    sessionNotOnOrAfter = DateTimeHelper.EarliestTime(sessionNotOnOrAfter, authnStatement?.SessionNotOnOrAfter);

                    yield return tokenHandler.CreateClaims(securityToken);
                }
            }
        }