public OAuthData ProcessLogin(HttpContextBase context)
{
if (!Enabled)
{
return(null);
}
//should have a SamlOAuthClient.oauthTokeyQuerystringKey which corresponds to the current cookie to decrypt
string tokenKey = HttpContext.Current.Request[oauthTokeyQuerystringKey];
if (!string.IsNullOrEmpty(tokenKey))
{
var samlTokenData = SamlTokenData.GetTokenDataFromDatabase(tokenKey);
if (samlTokenData == null)
{
throw new ArgumentException("The SAML token was not found in the HttpContext.Current.Request, or could not be extracted. Please ensure cookies are enabled and try again");
}
//Store our token key so we can retrieve it later to raise the SamlUserCreated and SamlAuthenticated events and delete it
var afterAuthenticatedCookie = new HttpCookie(clientType, tokenKey)
{
HttpOnly = true, Expires = DateTime.Now.AddHours(8)
};
CookieHelper.AddCookie(afterAuthenticatedCookie);
//this object is stored in temporary storage by the oauth handler, its guid is placed into the return url into the "TOKEN" placeholder.
//the expectation of this processing is the return url at this time is to the login page, and that any login based return url should be double encoded
return(samlTokenData.GetOAuthData());
}
//if this is not a sign-in response, we should probably redirect to login.aspx
throw new ArgumentException("The SAML token was not found in the HttpContext.Current.Request, please check the configuration and try again");
}
private Dictionary <string, string> GetSamlTokenProfileData(SamlTokenData samlTokenData)
{
var extractedProfileData = new Dictionary <string, string>();
foreach (var claim in samlTokenData.Attributes)
{
try
{
var key = string.Concat(ProfileFieldPrefix, Regex.Replace(claim.ClaimType, @"[^\w\-]", string.Empty)).ToLower();
if (!extractedProfileData.ContainsKey(key))
{
extractedProfileData.Add(key, claim.Value);
}
else
{
extractedProfileData[key] = extractedProfileData[key] + "," + claim.Value;
}
}
catch (Exception ex)
{
_eventLogApi.Write("ProfileAttributeManager Error GetSamlTokenProfileData: " + ex.Message + " : " + ex.StackTrace, new EventLogEntryWriteOptions()
{
Category = "SAML", EventId = 1, EventType = "Error"
});
}
}
return(extractedProfileData);
}
private void Events_AfterUserCreate(UserAfterCreateEventArgs e)
{
var afterCreatedCookie = CookieHelper.GetCookie(SamlCookieName);
if (afterCreatedCookie == null)
{
return;
}
var samlTokenData = SamlTokenData.GetTokenDataFromDatabase(afterCreatedCookie.Value);
if (samlTokenData == null)
{
return;
}
//destroy secure cookie for new user if cookie is still present
CookieHelper.DeleteCookie(afterCreatedCookie.Value);
//also cleanup our afterCreatedCookie
CookieHelper.DeleteCookie(afterCreatedCookie.Name);
//update the samlTokenData now that we know the user ID and cleanup the cookie used by the login
samlTokenData.UserId = e.Id.Value;
//Update the cookie SAMLToken Data to have the UserId now that its an existing user to fire the after authenticated events (which also removes the cookie)
var tokenKey = samlTokenData.SaveTokenDataToDatabase();
var afterAuthenticatedCookie = new HttpCookie(clientType, tokenKey)
{
Expires = DateTime.Now.AddHours(8),
HttpOnly = true
};
CookieHelper.AddCookie(afterAuthenticatedCookie);
if (PersistClaims)
{
SqlData.SaveSamlToken(samlTokenData);
}
var apiUser = _usersApi.Get(new UsersGetOptions()
{
Id = e.Id.Value
});
//raise new SamlUserCreated Event
try
{
SamlEvents.Instance.OnAfterUserCreate(apiUser, samlTokenData);
}
catch (Exception ex)
{
_eventLogApi.Write("SamlOAuthClient Error OnAfterUserCreate: " + ex.Message + " : " + ex.StackTrace, new EventLogEntryWriteOptions()
{
Category = "SAML", EventId = 1, EventType = "Error"
});
}
}
private void ManageUserRoles(User user, SamlTokenData samlTokenData)
{
var usersSamlTokenRoles = GetSamlTokenRoles(samlTokenData);
Apis.Get <IUsers>().RunAsUser("admin", () =>
{
CreateMissingRoles(usersSamlTokenRoles);
AddRemoveUserFromManagedRoles(user, usersSamlTokenRoles);
});
}
public SamlTokenData GenerateDisplayName(SamlTokenData samlTokenData)
{
if (samlTokenData == null)
{
return(null);
}
if (!string.IsNullOrWhiteSpace(samlTokenData.CommonName) && !Override)
{
return(samlTokenData);
}
var displayName = string.Empty;
if (DisplayNameAttribute.Contains("}"))
{
var displayNameParts = DisplayNameAttribute.Split('{', '}');
bool foundAttribute = false;
string templatedDisplayName = string.Empty;
foreach (var displayNamePart in displayNameParts)
{
if (DisplayNameAttribute.Contains(string.Concat("{", displayNamePart, "}")))
{
var attribute = samlTokenData.GetAttribute(displayNamePart);
if (!string.IsNullOrEmpty(attribute))
{
foundAttribute = true;
templatedDisplayName = templatedDisplayName + attribute;
}
}
else
{
templatedDisplayName = templatedDisplayName + displayNamePart;
}
}
if (foundAttribute) //only use this display name if we managed to find at least one saml attribute
{
displayName = templatedDisplayName;
}
}
else
{
displayName = samlTokenData.GetAttribute(DisplayNameAttribute);
}
if (!string.IsNullOrEmpty(displayName))
{
samlTokenData.CommonName = displayName;
}
return(samlTokenData);
}
public void OnAfterUserCreate(PublicEntity user, SamlTokenData samlTokenData)
{
SamlAfterUserCreateEventArgs args = null;
Execute <SamlAfterUserCreateEventHandler>(AfterAuthenticateEvent, h =>
{
if (args == null)
{
args = new SamlAfterUserCreateEventArgs(user, samlTokenData);
}
h(args);
}, false);
}
private List <String> GetSamlTokenRoles(SamlTokenData samlTokenData)
{
var samlUserRoles = new List <string>();
foreach (var roleName in samlTokenData.GetAttributes(RoleClaim))
{
var samlRoleName = RoleNamePrefix + Regex.Replace(roleName, @"[^\w\-]", string.Empty);
if (!samlUserRoles.Contains(samlRoleName))
{
samlUserRoles.Add(samlRoleName);
}
}
return(samlUserRoles);
}
private void ManageUserProfileFields(User user, SamlTokenData samlTokenData)
{
_usersApi.RunAsUser("admin", () =>
{
var usersSamlTokenProfileData = GetSamlTokenProfileData(samlTokenData);
CreateMissingProfileFields(usersSamlTokenProfileData.Keys);
var updatedProfileFields = UpdatedProfileFields(usersSamlTokenProfileData, ConvertTitlesToNames(user.ProfileFields));
if (updatedProfileFields != null)
{
UpdateProfileFields(user.Id.Value, updatedProfileFields);
}
});
}
public static void SaveSamlToken(SamlTokenData samlTokenData)
{
if (!samlTokenData.IsExistingUser())
{
throw new InvalidOperationException("The User Id must be greater than zero.");
}
if (GetSamlTokenStoreData(samlTokenData.UserId) == null)
{
InsertSamlToken(samlTokenData);
}
else
{
UpdateSamlToken(samlTokenData);
}
}
private void ManageUser(User user, SamlTokenData samlTokenData)
{
_usersApi.RunAsUser("admin", () =>
{
if (user.PrivateEmail.ToLower() != samlTokenData.Email.ToLower())
{
try
{
_usersApi.Update(new UsersUpdateOptions {
PrivateEmail = samlTokenData.Email, Id = user.Id
});
}
catch (Exception ex)
{
_eventLogApi.Write("UserEmailManager Error ManageUser: "******" : " + ex.StackTrace, new EventLogEntryWriteOptions()
{
Category = "SAML", EventId = 1, EventType = "Error"
});
}
}
});
}
internal SamlAfterUserCreateEventArgs(PublicEntity user, SamlTokenData samlTokenData)
{
User = user;
SamlTokenData = samlTokenData;
}
void Events_AfterIdentify(UserAfterIdentifyEventArgs e)
{
var context = HttpContext.Current;
if (context == null)
{
return;
}
if (context.Request == null)
{
return;
}
if (!context.Request.IsAuthenticated)
{
return;
}
//filter some requests basic non UI requests
if (context.Request.RawUrl.ToLower().StartsWith("/socket.ashx"))
{
return;
}
if (context.Request.RawUrl.ToLower().StartsWith("/webresource.axd"))
{
return;
}
if (context.Request.RawUrl.ToLower().StartsWith("/api.ashx"))
{
return;
}
if (context.Request.RawUrl.ToLower().StartsWith("/utility/"))
{
return;
}
if (context.Request.RawUrl.ToLower().StartsWith("/cfs-filesystemfile/"))
{
return;
}
if (context.Request.RawUrl.ToLower().StartsWith("/dynamic-style"))
{
return;
}
if (context.Request.RawUrl.ToLower().StartsWith("/favicon.ico"))
{
return;
}
if (context.Request.RawUrl.ToLower().EndsWith(".css"))
{
return;
}
//check to see if our Oauth ProcessLogin() cookie exists
try
{
var afterAuthenticatedCookie = CookieHelper.GetCookie(clientType);
if (afterAuthenticatedCookie == null)
{
return;
}
var samlTokenData = SamlTokenData.GetTokenDataFromDatabase(afterAuthenticatedCookie.Value);
if (samlTokenData == null)
{
return;
}
if (!samlTokenData.IsExistingUser())
{
return;
}
if (samlTokenData.UserId != e.Id.Value)
{
return; //check to see that the logged in user and ProcessLogin() user have the same ID;
}
if (Guid.TryParse(afterAuthenticatedCookie.Value, out var tokenKey))
{
SamlTokenData.DeleteTokenDataFromDatabase(afterAuthenticatedCookie.Value);
}
CookieHelper.DeleteCookie(afterAuthenticatedCookie.Value);
CookieHelper.DeleteCookie(afterAuthenticatedCookie.Name);
//Get the API user and the last SAML token to keep things API friendly
var apiUser = _usersApi.Get(new UsersGetOptions()
{
Id = e.Id.Value
});
SamlEvents.Instance.OnAfterAuthenticate(apiUser, samlTokenData);
}
catch (Exception ex)
{
_eventLogApi.Write("SamlOAuthClient Error OnAfterAuthenticate: " + ex.Message + " : " + ex.StackTrace, new EventLogEntryWriteOptions()
{
Category = "SAML", EventId = 1, EventType = "Error"
});
}
}
private static void UpdateSamlToken(SamlTokenData oAuthData)
{
var oAuthDataXml = SamlHelpers.ConvertToString(oAuthData);
UpdateSamlToken(oAuthData.UserId, oAuthDataXml, oAuthData.ResponseDate, oAuthData.Email, oAuthData.NameId);
}
internal SamlBeforeAuthenticateEventArgs(PublicEntity user, SamlTokenData samlTokenData)
{
User = user;
SamlTokenData = samlTokenData;
}
