protected override Saml2Subject CreateSubject(SecurityTokenDescriptor tokenDescriptor) { var subject = base.CreateSubject(tokenDescriptor); if (subject.NameId != null && subject.NameId.Format == null) { subject.NameId.Format = Saml2Constants.NameIdentifierFormats.Unspecified; } if (tokenDescriptor is RequestedSecurityTokenDescriptor requestedTokenDescriptor) { var keyInfo = CreateProofKeyInfo(requestedTokenDescriptor); if (keyInfo != null) { var data = new Saml2SubjectConfirmationData { }; data.KeyInfos.Add(keyInfo); var holderOfKey = new Saml2SubjectConfirmation(Saml2Constants.ConfirmationMethods.HolderOfKey, data); var bearer = subject.SubjectConfirmations.FirstOrDefault(c => c.Method == Saml2Constants.ConfirmationMethods.Bearer); if (bearer != null) { subject.SubjectConfirmations.Remove(bearer); } subject.SubjectConfirmations.Add(holderOfKey); } } return(subject); }
public void Saml2SubjectExtensions_ToXElement_SubjectConfirmation() { var saml2SubjectConfirmation = new Saml2SubjectConfirmation(new Uri("urn:oasis:names:tc:SAML:2.0:cm:bearer")); var confirmation = saml2SubjectConfirmation.ToXElement(); confirmation.Attribute("Method").Value.Should().Be("urn:oasis:names:tc:SAML:2.0:cm:bearer"); }
public void Saml2SubjectExtensions_ToXElement_SubjectConfirmation_CheckNull() { Saml2SubjectConfirmation saml2SubjectConfirmation = null; Action a = () => saml2SubjectConfirmation.ToXElement(); a.ShouldThrow <ArgumentNullException>().And.ParamName.Should().Be("subjectConfirmation"); }
/// <summary> /// Writes out the subject confirmation as an XElement. /// </summary> /// <param name="subjectConfirmation"></param> /// <returns></returns> /// <exception cref="ArgumentNullException"></exception> public static XElement ToXElement(this Saml2SubjectConfirmation subjectConfirmation) { if (subjectConfirmation == null) { throw new ArgumentNullException(nameof(subjectConfirmation)); } var element = new XElement(Saml2Namespaces.Saml2 + "SubjectConfirmation", new XAttribute("Method", subjectConfirmation.Method.OriginalString)); if (subjectConfirmation.SubjectConfirmationData != null) { element.Add(subjectConfirmation.SubjectConfirmationData.ToXElement()); } return(element); }
private static Saml2Assertion CreateAssertion(SigningCredentials samlpTokenSigningCredentials) { var assertion = new Saml2Assertion(new Saml2NameIdentifier("https://mojeid.regtest.nic.cz/saml/idp.xml", new Uri("urn:oasis:names:tc:SAML:2.0:nameid-format:entity"))) { InclusiveNamespacesPrefixList = "ns1 ns2", IssueInstant = DateTime.Parse("2019-04-08T10:30:49Z"), SigningCredentials = samlpTokenSigningCredentials, Id = new Saml2Id("id-2bMsOPOKIqeVIDLqJ") }; var saml2SubjectConfirmationData = new Saml2SubjectConfirmationData { InResponseTo = new Saml2Id("ida5714d006fcc430c92aacf34ab30b166"), NotOnOrAfter = DateTime.Parse("2019-04-08T10:45:49Z"), Recipient = new Uri("https://tnia.eidentita.cz/fpsts/processRequest.aspx") }; var saml2SubjectConfirmation = new Saml2SubjectConfirmation(new Uri("urn:oasis:names:tc:SAML:2.0:cm:bearer"), saml2SubjectConfirmationData); var saml2Subject = new Saml2Subject(new Saml2NameIdentifier("6dfe0399103d11411b1fa00772b6a13e0858605b80c20ea845769c57b41479ed", new Uri("urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"))); saml2Subject.SubjectConfirmations.Add(saml2SubjectConfirmation); assertion.Subject = saml2Subject; var saml2AudienceRestrictions = new Saml2AudienceRestriction("urn:microsoft: cgg2010: fpsts"); var saml2Conditions = new Saml2Conditions(); saml2Conditions.AudienceRestrictions.Add(saml2AudienceRestrictions); saml2Conditions.NotBefore = DateTime.Parse("2019-04-08T10:30:49Z"); saml2Conditions.NotOnOrAfter = DateTime.Parse("2019-04-08T10:45:49Z"); assertion.Conditions = saml2Conditions; var saml2AuthenticationContext = new Saml2AuthenticationContext(new Uri("urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport")); var saml2Statement = new Saml2AuthenticationStatement(saml2AuthenticationContext) { AuthenticationInstant = DateTime.Parse("2019-04-08T10:30:49Z"), SessionIndex = "id-oTnhrqWtcTTEntvMy" }; assertion.Statements.Add(saml2Statement); return(assertion); }
internal ReadOnlyCollection <SecurityKey> ResolveSecurityKeys(Saml2Assertion assertion, SecurityTokenResolver resolver) { Saml2Subject subject = assertion.Subject; Saml2SubjectConfirmation confirmation = subject.SubjectConfirmations[0]; if (confirmation.SubjectConfirmationData != null) { this.ValidateConfirmationData(confirmation.SubjectConfirmationData); } List <SecurityKey> list = new List <SecurityKey>(); foreach (SecurityKeyIdentifier identifier in confirmation.SubjectConfirmationData.KeyIdentifiers) { SecurityKey key = null; foreach (SecurityKeyIdentifierClause clause in identifier) { if ((resolver != null) && resolver.TryResolveSecurityKey(clause, out key)) { list.Add(key); break; } } if (key == null) { if (identifier.CanCreateKey) { key = identifier.CreateKey(); list.Add(key); continue; } list.Add(new SecurityKeyElement(identifier, resolver)); } } return(list.AsReadOnly()); }
private void AddSubjectConfirmation(Saml2SubjectConfirmation subjectConfirmation) { Saml2SecurityToken.Assertion.Subject.SubjectConfirmations.Clear(); Saml2SecurityToken.Assertion.Subject.SubjectConfirmations.Add(subjectConfirmation); }
/// <summary> /// Creates the Security Token and add it to the response. /// </summary> /// <param name="tokenDescriptor">This is a place holder for all the attributes related to the issued token.</param> /// <param name="authenticationStatement">Represents the AuthnStatement element specified in [Saml2Core, 2.7.2].</param> /// <param name="subjectConfirmation">Represents the SubjectConfirmation element specified in [Saml2Core, 2.4.1.1].</param> /// <returns>The SAML 2.0 Security Token.</returns> public Saml2SecurityToken CreateSecurityToken(SecurityTokenDescriptor tokenDescriptor, Saml2AuthenticationStatement authenticationStatement, Saml2SubjectConfirmation subjectConfirmation) { if (tokenDescriptor == null) { throw new ArgumentNullException(nameof(tokenDescriptor)); } if (authenticationStatement == null) { throw new ArgumentNullException(nameof(authenticationStatement)); } if (subjectConfirmation == null) { throw new ArgumentNullException(nameof(subjectConfirmation)); } Saml2SecurityToken = Saml2SecurityTokenHandler.CreateToken(tokenDescriptor) as Saml2SecurityToken; AddNameIdFormat(); AddAuthenticationStatement(authenticationStatement); AddSubjectConfirmation(subjectConfirmation); return(Saml2SecurityToken); }
public Task CreateSecurityTokenAsync(SecurityTokenDescriptor tokenDescriptor, Saml2AuthenticationStatement authenticationStatement, Saml2SubjectConfirmation subjectConfirmation) { return(Task.FromResult(CreateSecurityToken(tokenDescriptor, authenticationStatement, subjectConfirmation))); }
private async Task <Saml2SecurityToken> CreateSecurityTokenAsync(SignInRequest request, RelyingParty rp, ClaimsIdentity outgoingSubject) { var now = DateTime.Now; var outgoingNameId = outgoingSubject.Claims.FirstOrDefault(c => c.Type == ClaimTypes.NameIdentifier); if (outgoingNameId == null) { _logger.LogError("The user profile does not have a name id"); throw new SignInException("The user profile does not have a name id"); } var issuer = new Saml2NameIdentifier(_options.IssuerName); var nameId = new Saml2NameIdentifier(outgoingNameId.Value); var subjectConfirmationData = new Saml2SubjectConfirmationData(); subjectConfirmationData.NotOnOrAfter = now.AddMinutes( rp.TokenLifetimeInMinutes.GetValueOrDefault(_options.DefaultNotOnOrAfterInMinutes)); if (request.Parameters.ContainsKey("Recipient")) { subjectConfirmationData.Recipient = new Uri(request.Parameters["Recipient"]); } else { subjectConfirmationData.Recipient = new Uri(rp.ReplyUrl); } var subjectConfirmation = new Saml2SubjectConfirmation(new Uri("urn:oasis:names:tc:SAML:2.0:cm:bearer"), subjectConfirmationData); subjectConfirmation.NameIdentifier = nameId; var subject = new Saml2Subject(subjectConfirmation); var conditions = new Saml2Conditions(new Saml2AudienceRestriction[] { new Saml2AudienceRestriction(request.Realm) }); conditions.NotOnOrAfter = now.AddMinutes( rp.TokenLifetimeInMinutes.GetValueOrDefault(_options.DefaultNotOnOrAfterInMinutes)); conditions.NotBefore = now.Subtract(TimeSpan.FromMinutes(_options.DefaultNotBeforeInMinutes)); var authContext = new Saml2AuthenticationContext(new Uri("urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport")); var authStatement = new Saml2AuthenticationStatement(authContext, now); authStatement.SessionIndex = (request.Parameters.ContainsKey("SessionIndex")) ? request.Parameters["SessionIndex"] : null; var attributeStament = new Saml2AttributeStatement(); foreach (var claim in outgoingSubject.Claims) { _logger.LogDebug("Adding attribute in SAML token '{0} - {1}'", claim.Type, claim.Value); attributeStament.Attributes.Add(new Saml2Attribute(claim.Type, claim.Value)); } var assertion = new Saml2Assertion(issuer); assertion.Id = new Saml2Id(); assertion.Subject = subject; assertion.Conditions = conditions; assertion.Statements.Add(attributeStament); assertion.Statements.Add(authStatement); assertion.IssueInstant = now; assertion.SigningCredentials = await _keyService.GetSigningCredentialsAsync(); var token = new Saml2SecurityToken(assertion); token.SigningKey = assertion.SigningCredentials.Key; return(token); }