private HttpResponseMessage CreateTokenResponse(GenericXmlSecurityToken token, string scope)
{
var response = new TokenResponse();
if (ConfigurationRepository.AdfsIntegration.PassThruAuthenticationToken)
{
response.AccessToken = token.TokenXml.OuterXml;
response.ExpiresIn = (int)(token.ValidTo.Subtract(DateTime.UtcNow).TotalSeconds);
}
else
{
var bridge = new AdfsBridge(ConfigurationRepository);
if (ConfigurationRepository.Keys.DecryptionCertificate != null)
{
var configuration = new SecurityTokenHandlerConfiguration
{
AudienceRestriction = { AudienceMode = AudienceUriMode.Never },
CertificateValidationMode = X509CertificateValidationMode.None,
RevocationMode = X509RevocationMode.NoCheck,
CertificateValidator = X509CertificateValidator.None,
ServiceTokenResolver = SecurityTokenResolver.CreateDefaultSecurityTokenResolver(
new ReadOnlyCollection <SecurityToken>(new SecurityToken[] { new X509SecurityToken(ConfigurationRepository.Keys.DecryptionCertificate) }), false)
};
var handler = SecurityTokenHandlerCollection.CreateDefaultSecurityTokenHandlerCollection(configuration);
response = bridge.ConvertSamlToJwt(token.ToSecurityToken(handler), scope);
}
else
{
response = bridge.ConvertSamlToJwt(token.ToSecurityToken(), scope);
}
}
return(Request.CreateResponse <TokenResponse>(HttpStatusCode.OK, response));
}
/// <summary>Turns a supported generic XML security token into a security token.</summary>
/// <param name="token">The generic XML security token.</param>
/// <returns>A SecurityToken</returns>
public static SecurityToken ToSecurityToken(this GenericXmlSecurityToken token)
{
SecurityTokenHandlerCollection handlerCollection =
SecurityTokenHandlerCollection.CreateDefaultSecurityTokenHandlerCollection();
return(token.ToSecurityToken(handlerCollection));
}
private static void TestCompressedToken(SecurityToken token)
{
var handlers = SecurityTokenHandlerCollection.CreateDefaultSecurityTokenHandlerCollection();
handlers.Add(new AccessSecurityTokenHandler());
handlers.Add(new CompressedSecurityTokenHandler());
ConfigureHandler(handlers.Configuration);
var compressedToken = new CompressedSecurityToken(token);
var sb = new StringBuilder();
using (var writer = new XmlTextWriter(new StringWriter(sb)))
{
handlers.WriteToken(writer, compressedToken);
}
SecurityToken readToken;
using (var reader = sb.ToString().AsXmlReader(true))
{
readToken = handlers.ReadToken(reader);
}
handlers.ValidateToken(readToken);
}
internal override void WriteTo(XmlWriter writer)
{
writer.WriteStartElement(ElementName);
writer.WriteAttributeString(DiagnosticStrings.NamespaceTag, EventId);
writer.WriteStartElement("SecurityToken");
writer.WriteAttributeString("Type", _securityToken.GetType().ToString());
if (_securityToken is SessionSecurityToken)
{
WriteSessionToken(writer, _securityToken as SessionSecurityToken);
}
else
{
SecurityTokenHandlerCollection sthc = SecurityTokenHandlerCollection.CreateDefaultSecurityTokenHandlerCollection();
if (sthc.CanWriteToken(_securityToken))
{
{
sthc.WriteToken(writer, _securityToken);
}
}
else
{
writer.WriteElementString("Warning", SR.GetString(SR.TraceUnableToWriteToken, _securityToken.GetType().ToString()));
}
}
writer.WriteEndElement();
}
/// <summary>
/// Validate the assertion
/// </summary>
/// <param name="assertion"></param>
/// <returns></returns>
protected ClaimsIdentity ValidateSamlToken(SecurityToken assertion)
{
Saml2PropertiesRemoval(assertion);
var configuration = new SecurityTokenHandlerConfiguration();
configuration.RevocationMode = X509RevocationMode.NoCheck;
// You can flip this switch if you don't want to make sure that IDP certificate
// is in the trusted root store of the Local Machine
// configuration.CertificateValidator = X509CertificateValidator.None;
configuration.AudienceRestriction.AudienceMode = AudienceUriMode.Never;
configuration.CertificateValidationMode = X509CertificateValidationMode.None;
var registry = new ConfigurationBasedIssuerNameRegistry();
registry.AddTrustedIssuer(_config.CertificateThumbprint, _config.Name);
configuration.IssuerNameRegistry = registry;
var handler = SecurityTokenHandlerCollection.CreateDefaultSecurityTokenHandlerCollection(configuration);
try
{
var identity = handler.ValidateToken(assertion).First();
return(identity);
}
catch (Exception ex)
{
throw ex;
}
}
public ActionResult MyToken()
{
var config = ConfigurationRepository.Configuration;
var samlHandler = SecurityTokenHandlerCollection.CreateDefaultSecurityTokenHandlerCollection()[config.DefaultTokenType];
var descriptor = new SecurityTokenDescriptor
{
AppliesToAddress = "http://self",
Lifetime = new Lifetime(DateTime.UtcNow, DateTime.UtcNow.AddHours(config.DefaultTokenLifetime)),
SigningCredentials = new X509SigningCredentials(ConfigurationRepository.SigningCertificate.Certificate),
TokenIssuerName = config.IssuerUri,
Subject = new ClaimsIdentity(GetClaims())
};
var token = samlHandler.CreateToken(descriptor);
var sb = new StringBuilder(1024);
samlHandler.WriteToken(XmlWriter.Create(new StringWriter(sb)), token);
return(new ContentResult
{
ContentType = "text/xml",
Content = sb.ToString()
});
}
private ClaimsPrincipal ParseToken(GenericXmlSecurityToken genericToken)
{
using (XmlReader samlReader = XmlReader.Create(new StringReader(genericToken.TokenXml.OuterXml)))
{
SecurityTokenHandlerCollection tokenHandlers = SecurityTokenHandlerCollection.CreateDefaultSecurityTokenHandlerCollection();
SecurityTokenHandlerConfiguration config = tokenHandlers.Configuration;
var securityTokens = new List <SecurityToken>
{
new X509SecurityToken(CertificateHelper.GetCertificate(_tokenClientOptions.StoreName, _tokenClientOptions.StoreLocation, _tokenClientOptions.SubjectDistinguishedName))
};
config.ServiceTokenResolver = SecurityTokenResolver.CreateDefaultSecurityTokenResolver(securityTokens.AsReadOnly(), false);
config.CertificateValidator = X509CertificateValidator.PeerOrChainTrust;
config.IssuerTokenResolver = new X509CertificateStoreTokenResolver(_tokenClientOptions.StoreName, _tokenClientOptions.StoreLocation);
config.IssuerNameRegistry = _nameRegistry;
config.AudienceRestriction.AllowedAudienceUris.Add(_tokenClientOptions.AudienceUri);
SecurityToken samlToken = tokenHandlers.ReadToken(samlReader);
ClaimsIdentity tokenIdentity = tokenHandlers.ValidateToken(samlToken).FirstOrDefault();
return(new ClaimsPrincipal(tokenIdentity));
}
}
private ClaimsPrincipal GetClaimsPrincipal(SignInResponseMessage signInResponse)
{
try
{
//configure the certificate and some service token handler configuration properties (these basically match the web.config settings for MVC 4/5 app).
SecurityTokenHandlerConfiguration config = new SecurityTokenHandlerConfiguration();
config.AudienceRestriction.AllowedAudienceUris.Add(new Uri(Options.Realm));
config.CertificateValidationMode = System.ServiceModel.Security.X509CertificateValidationMode.None; //we have dodgy certs in dev
ConfigurationBasedIssuerNameRegistry inr = new ConfigurationBasedIssuerNameRegistry();
inr.AddTrustedIssuer(Options.SigningCertThumbprint, Options.ClaimsIssuer);
config.IssuerNameRegistry = inr;
config.CertificateValidator = System.IdentityModel.Selectors.X509CertificateValidator.None; //we have dodgy certs in dev
//Load up an XmlDocument with the result. Have to use XmlDocument so we can generate a valid reader unfortunately.
XmlDocument xmlDoc = new XmlDocument();
xmlDoc.LoadXml(signInResponse.Result);
//Add the namespaces and search for Assertion or EncryptedAssertion
XmlNamespaceManager nsMan = new XmlNamespaceManager(xmlDoc.NameTable);
nsMan.AddNamespace("trust", "http://docs.oasis-open.org/ws-sx/ws-trust/200512");
nsMan.AddNamespace("saml2", "urn:oasis:names:tc:SAML:2.0:assertion");
var parentNodes = "trust:RequestSecurityTokenResponseCollection/trust:RequestSecurityTokenResponse/trust:RequestedSecurityToken/";
var assertionNode = xmlDoc.SelectSingleNode(parentNodes + "saml2:EncryptedAssertion", nsMan);
if (assertionNode == null)
{
assertionNode = xmlDoc.SelectSingleNode(parentNodes + "saml2:Assertion", nsMan);
}
else
{
//this is an encrypted response so add a ServiceTokenResolver of X509CertificateStoreTokenResolver so the assertion can be decrypted. Hard codes LocalMachine - could be configured as well.
config.ServiceTokenResolver = new X509CertificateStoreTokenResolver(Options.EncryptionCertStoreName, StoreLocation.LocalMachine);
}
if (assertionNode == null)
{
throw new Exception("No assertion element found in Response.");
}
using (var reader = new XmlNodeReader(assertionNode))
{
//Get the token and convert it to a Claims Principal for return
SecurityTokenHandlerCollection collection = SecurityTokenHandlerCollection.CreateDefaultSecurityTokenHandlerCollection(config);
var securityToken = collection.ReadToken(reader);
var claimsIdentities = collection.ValidateToken(securityToken);
ClaimsPrincipal principal = new ClaimsPrincipal(claimsIdentities);
return(principal);
}
}
catch (Exception ex)
{
//TODO: Add some logging
var err = ex;
}
return(null);
}
private static SecurityTokenHandlerCollection CreateDefaultHandlerCollection(
this SecurityTokenHandlerConfiguration configuration)
{
var handlerCollection =
SecurityTokenHandlerCollection.CreateDefaultSecurityTokenHandlerCollection(configuration);
handlerCollection.AddOrReplace(new CustomSaml2SecurityTokenHandler());
return(handlerCollection);
}
public static void tokenTest()
{
string relyingPartyId = "https://shadfs.sanfordhealth.org/adfs/ls/ldpinitiatedsignon.aspx";
WSTrustChannelFactory factory = null;
try
{
// use a UserName Trust Binding for username authentication
factory = new WSTrustChannelFactory(
new UserNameWSTrustBinding(SecurityMode.TransportWithMessageCredential),
new EndpointAddress("https://secure.genomenext.net/app/services/trust/13/usernamemixed"));
/////I'll change this endpoint this later////////
factory.TrustVersion = TrustVersion.WSTrust13;
factory.Credentials.UserName.UserName = "******";
factory.Credentials.UserName.Password = "******";
var rst = new RequestSecurityToken
{
RequestType = RequestTypes.Issue,
AppliesTo = new EndpointReference(relyingPartyId),
KeyType = KeyTypes.Bearer
};
IWSTrustChannelContract channel = factory.CreateChannel();
GenericXmlSecurityToken genericToken = channel.Issue(rst) as GenericXmlSecurityToken; //MessageSecurityException -> PW falsch
var _handler = SecurityTokenHandlerCollection.CreateDefaultSecurityTokenHandlerCollection();
var tokenString = genericToken.ToTokenXmlString();
var samlToken2 = _handler.ReadToken(new XmlTextReader(new StringReader(tokenString)));
ValidateSamlToken(samlToken2);
X509Certificate2 certificate = null;
X509Store store = new X509Store(StoreName.My, StoreLocation.LocalMachine);
store.Open(OpenFlags.ReadOnly);
certificate = store.Certificates.Find(X509FindType.FindByThumbprint, "thumb", false)[0];
// var jwt = ConvertSamlToJwt(samlToken2, "https://party.mycomp.com", certificate);
}
finally
{
if (factory != null)
{
try
{
factory.Close();
}
catch (CommunicationObjectFaultedException)
{
factory.Abort();
}
}
}
/// <summary>Turns a supported generic XML security token to a security token.</summary>
/// <param name="token">The token.</param>
/// <param name="decryptionCertificate">The decryption certificate.</param>
/// <returns>A SecurityToken</returns>
public static SecurityToken ToSecurityToken(this GenericXmlSecurityToken token, X509Certificate2 decryptionCertificate)
{
var configuration = new SecurityTokenHandlerConfiguration();
configuration.ServiceTokenResolver = decryptionCertificate.CreateSecurityTokenResolver();
var handler = SecurityTokenHandlerCollection.CreateDefaultSecurityTokenHandlerCollection(configuration);
return(token.ToSecurityToken(handler));
}
private ClaimsIdentity ValidateSamlToken(SecurityToken securityToken)
{
var configuration = new SecurityTokenHandlerConfiguration();
var handler = SecurityTokenHandlerCollection.CreateDefaultSecurityTokenHandlerCollection(configuration);
handler.AddOrReplace(new CustomSaml2SecurityTokenHandler());
var identity = handler.ValidateToken(securityToken).First();
return(identity);
}
/// <summary>
/// Deserialize the Assertion
/// </summary>
/// <param name="rawAssertion"></param>
/// <returns></returns>
protected Saml2SecurityToken DeserializeAssertion(string rawAssertion)
{
Saml2SecurityToken assertion;
using (var reader = XmlReader.Create(new StringReader(rawAssertion)))
{
reader.ReadToFollowing("Assertion", AssertionURN);
SecurityTokenHandlerCollection thc = SecurityTokenHandlerCollection.CreateDefaultSecurityTokenHandlerCollection();
assertion = (Saml2SecurityToken)thc.ReadToken(reader.ReadSubtree());
}
return(assertion);
}
/// <summary>
/// Converts a supported token to an XML string.
/// </summary>
/// <param name="token">The token.</param>
/// <returns>
/// The token XML string.
/// </returns>
public static string ToTokenXmlString(this SecurityToken token)
{
var token1 = token as GenericXmlSecurityToken;
if (token1 != null)
{
return(ToTokenXmlString(token1));
}
var handlerCollection =
SecurityTokenHandlerCollection.CreateDefaultSecurityTokenHandlerCollection();
return(ToTokenXmlString(token, handlerCollection));
}
private static SessionSecurityTokenHandler GetOrCreateSessionSecurityTokenHandler()
{
SecurityTokenHandlerCollection defaultHandlers = SecurityTokenHandlerCollection.CreateDefaultSecurityTokenHandlerCollection();
SessionSecurityTokenHandler ssth = defaultHandlers[typeof(SessionSecurityToken)] as SessionSecurityTokenHandler;
if (ssth == null)
{
ssth = new SessionSecurityTokenHandler();
defaultHandlers.AddOrReplace(ssth);
}
return(ssth);
}
/// <summary>Converts a supported token to an XML string.</summary>
/// <param name="token">The token.</param>
/// <returns>The token XML string.</returns>
public static string ToTokenXmlString(this SecurityToken token)
{
var genericToken = token as GenericXmlSecurityToken;
if (genericToken != null)
{
return(genericToken.ToTokenXmlString());
}
var handler = SecurityTokenHandlerCollection.CreateDefaultSecurityTokenHandlerCollection();
return(token.ToTokenXmlString(handler));
}
private static void TestHandlerCollection(StringBuilder tokenString)
{
var handlers = SecurityTokenHandlerCollection.CreateDefaultSecurityTokenHandlerCollection();
handlers.Add(new AccessSecurityTokenHandler());
ConfigureHandler(handlers.Configuration);
using (var reader = new XmlTextReader(new StringReader(tokenString.ToString())))
{
reader.MoveToContent();
var readToken = handlers.ReadToken(reader);
handlers.ValidateToken(readToken);
}
}
public ClaimsPrincipal Validate(string userName, string password)
{
var binding = new UserNameWSTrustBinding(SecurityMode.TransportWithMessageCredential);
var credentials = new ClientCredentials();
credentials.UserName.UserName = userName;
credentials.UserName.Password = password;
GenericXmlSecurityToken genericToken;
try
{
genericToken = WSTrustClient.Issue(
new EndpointAddress(_address),
new EndpointAddress(_realm),
binding,
credentials) as GenericXmlSecurityToken;
}
catch (MessageSecurityException ex)
{
Tracing.Error("WSTrustResourceOwnerCredentialValidation failed: " + ex.ToString());
return(null);
}
var config = new SecurityTokenHandlerConfiguration();
config.AudienceRestriction.AllowedAudienceUris.Add(new Uri(_realm));
config.CertificateValidationMode = X509CertificateValidationMode.None;
config.CertificateValidator = X509CertificateValidator.None;
var registry = new ConfigurationBasedIssuerNameRegistry();
registry.AddTrustedIssuer(_issuerThumbprint, _address);
config.IssuerNameRegistry = registry;
var handler = SecurityTokenHandlerCollection.CreateDefaultSecurityTokenHandlerCollection(config);
ClaimsPrincipal principal;
var token = genericToken.ToSecurityToken();
principal = new ClaimsPrincipal(handler.ValidateToken(token));
Tracing.Information("Successfully requested token for user via WS-Trust");
return(FederatedAuthentication.FederationConfiguration.IdentityConfiguration.ClaimsAuthenticationManager.Authenticate("ResourceOwnerPasswordValidation", principal));
}
public static ClaimsIdentity ValidateSamlToken(SecurityToken securityToken)
{
var configuration = new SecurityTokenHandlerConfiguration();
configuration.AudienceRestriction.AudienceMode = AudienceUriMode.Never;
configuration.CertificateValidationMode = X509CertificateValidationMode.None;
configuration.RevocationMode = X509RevocationMode.NoCheck;
configuration.CertificateValidator = X509CertificateValidator.None;
var registry = new ConfigurationBasedIssuerNameRegistry();
registry.AddTrustedIssuer("thumb", "ADFS Signing - mycomp.com");
configuration.IssuerNameRegistry = registry;
var handler = SecurityTokenHandlerCollection.CreateDefaultSecurityTokenHandlerCollection(configuration);
var identity = handler.ValidateToken(securityToken).First();
return(identity);
}
/// <summary>
/// Parses the suppied token string to a Claims Principal, not performing validation of the issuer/signature
/// This is useful for clients desiring to read claims from tokens not issued to themselves, for personalization purposes.
/// </summary>
/// <param name="samlTokenString">SAML token string to parse</param>
/// <returns>ClaimsPrincipal with the identities and claims contained in the token</returns>
public ClaimsPrincipal ReadUnvalidated(string samlTokenString)
{
var configuration = new SecurityTokenHandlerConfiguration
{
AudienceRestriction = new AudienceRestriction(AudienceUriMode.Never),
CertificateValidationMode = X509CertificateValidationMode.None,
CertificateValidator = new NoneX509CertificateValidator(),
DetectReplayedTokens = false,
IssuerNameRegistry = new AcceptAnyIssuerNameRegistry(),
MaxClockSkew = TimeSpan.MaxValue,
};
var handlers = SecurityTokenHandlerCollection.CreateDefaultSecurityTokenHandlerCollection(configuration);
var securityToken = ReadSecurityToken(samlTokenString, handlers);
return(new ClaimsPrincipal(handlers.ValidateToken(securityToken)));
}
public SecurityToken GetToken()
{
// Need this because the server has a self-signed certificate that doesn't pass validation
ServicePointManager.ServerCertificateValidationCallback += (sender, certificate, chain, errors) => true;
var factory = new WSTrustChannelFactory(
new UserNameWsTrustBinding(),
StsWsTrustEndpoint)
{
TrustVersion = TrustVersion.WSTrust13
};
factory.Credentials.UserName.UserName = UserName;
factory.Credentials.UserName.Password = Password;
var rst = new RequestSecurityToken
{
RequestType = RequestTypes.Issue,
KeyType = KeyTypes.Bearer,
TokenType = "urn:oasis:names:tc:SAML:2.0:assertion",
AppliesTo = new EndpointReference(Realm)
};
var genericToken = factory.CreateChannel().Issue(rst) as GenericXmlSecurityToken;
var tokenXml = genericToken.TokenXml.OuterXml;
var tokenHandlers = SecurityTokenHandlerCollection.CreateDefaultSecurityTokenHandlerCollection();
var config = tokenHandlers.Configuration;
config.AudienceRestriction.AllowedAudienceUris.Add(new Uri(Realm));
config.CertificateValidator = X509CertificateValidator.None;
var registry = new ConfigurationBasedIssuerNameRegistry();
registry.AddTrustedIssuer("CB317A2E635B47310D50A67C7B40081F7B4BD280", "http://platformservices.spikesco.com/devsts");
config.IssuerNameRegistry = registry;
var token = tokenHandlers.ReadToken(new XmlTextReader(new StringReader(tokenXml)));
var identity = tokenHandlers.ValidateToken(token);
Thread.CurrentPrincipal = new ClaimsPrincipal(identity);
TokenHelpers.TokenHelpers.Print(tokenXml);
TokenHelpers.TokenHelpers.PrintCurrentPrincipal();
return(token);
}
private ClaimsPrincipal ValidateToken(SecurityToken token)
{
var config = new SecurityTokenHandlerConfiguration();
config.AudienceRestriction.AudienceMode = AudienceUriMode.Always;
config.AudienceRestriction.AllowedAudienceUris.Add(new Uri(ConfigurationRepository.Global.IssuerUri));
var registry = new IdentityProviderIssuerNameRegistry(GetEnabledWSIdentityProviders());
config.IssuerNameRegistry = registry;
config.CertificateValidationMode = System.ServiceModel.Security.X509CertificateValidationMode.None;
config.CertificateValidator = X509CertificateValidator.None;
var handler = SecurityTokenHandlerCollection.CreateDefaultSecurityTokenHandlerCollection(config);
var identity = handler.ValidateToken(token).First();
return(new ClaimsPrincipal(identity));
}
public static ClaimsIdentity ValidateSamlToken(SecurityToken securityToken)
{
var configuration = new SecurityTokenHandlerConfiguration();
configuration.AudienceRestriction.AudienceMode = AudienceUriMode.Always;
configuration.AudienceRestriction.AllowedAudienceUris.Add(new Uri(_relyingPartyIdentifier));
configuration.CertificateValidationMode = X509CertificateValidationMode.ChainTrust;
configuration.RevocationMode = X509RevocationMode.Online;
configuration.CertificateValidator = X509CertificateValidator.ChainTrust;
var registry = new ConfigurationBasedIssuerNameRegistry();
registry.AddTrustedIssuer(_signingCertificateThumbprint, _signingCertificateCommonName);
configuration.IssuerNameRegistry = registry;
var handler = SecurityTokenHandlerCollection.CreateDefaultSecurityTokenHandlerCollection(configuration);
var identity = handler.ValidateToken(securityToken).First();
return(identity);
}
private ClaimsPrincipal ValidateToken(SecurityToken token)
{
var config = new SecurityTokenHandlerConfiguration();
config.AudienceRestriction.AudienceMode = AudienceUriMode.Always;
config.AudienceRestriction.AllowedAudienceUris.Add(new Uri(ConfigurationManager.AppSettings["acsAppliesToAddress"]));
var registry = new ConfigurationBasedIssuerNameRegistry();
registry.AddTrustedIssuer(ConfigurationManager.AppSettings["acsTrustedIssuerThumbprint"], "ACS");
config.IssuerNameRegistry = registry;
config.CertificateValidator = X509CertificateValidator.None;
var handler = SecurityTokenHandlerCollection.CreateDefaultSecurityTokenHandlerCollection(config);
var identity = handler.ValidateToken(token).First();
return(new ClaimsPrincipal(identity));
}
public ClaimsIdentity ValidateSamlToken(SecurityToken securityToken)
{
StripSaml2ProtocolProperties(securityToken);
var configuration = new SecurityTokenHandlerConfiguration();
configuration.AudienceRestriction.AudienceMode = AudienceUriMode.Never;
configuration.CertificateValidationMode = X509CertificateValidationMode.None;
configuration.RevocationMode = X509RevocationMode.NoCheck;
configuration.CertificateValidator = X509CertificateValidator.None;
var registry = new ConfigurationBasedIssuerNameRegistry();
registry.AddTrustedIssuer(_configuration.AdfsIntegration.IssuerThumbprint, "ADFS");
configuration.IssuerNameRegistry = registry;
var handler = SecurityTokenHandlerCollection.CreateDefaultSecurityTokenHandlerCollection(configuration);
var identity = handler.ValidateToken(securityToken).First();
return(identity);
}
static string _signingCertificateCommonName = "ADFS Signing - adfs.example.local"; // Put the common name of the ADFS Token Signing Certificate here.
static void Main(string[] args)
{
Microsoft.IdentityModel.Protocols.WSTrust.WSTrustChannelFactory factory = null;
try
{
_relyingPartyIdentifier = _relyingPartyIdentifier.EndsWith("/") ? _relyingPartyIdentifier : _relyingPartyIdentifier + "/";
_adfsServerAddress = _adfsServerAddress.EndsWith("/") ? _adfsServerAddress : _adfsServerAddress + "/";
factory = new Microsoft.IdentityModel.Protocols.WSTrust.WSTrustChannelFactory(new UserNameWSTrustBinding(SecurityMode.TransportWithMessageCredential), new EndpointAddress(_adfsServerAddress + "adfs/services/trust/13/usernamemixed"));
factory.TrustVersion = TrustVersion.WSTrust13;
factory.Credentials.UserName.UserName = _username;
factory.Credentials.UserName.Password = _password;
var rst = new Microsoft.IdentityModel.Protocols.WSTrust.RequestSecurityToken
{
RequestType = WSTrust13Constants.RequestTypes.Issue,
AppliesTo = new EndpointAddress(_relyingPartyIdentifier),
KeyType = WSTrust13Constants.KeyTypes.Bearer
};
var channel = factory.CreateChannel();
var genericToken = channel.Issue(rst) as GenericXmlSecurityToken;
var handler = SecurityTokenHandlerCollection.CreateDefaultSecurityTokenHandlerCollection();
var tokenString = genericToken.TokenXml.OuterXml;
var samlToken = handler.ReadToken(new XmlTextReader(new StringReader(tokenString)));
ValidateSamlToken(samlToken);
}
finally
{
if (factory != null)
{
try
{
factory.Close();
}
catch (CommunicationObjectFaultedException)
{
factory.Abort();
}
}
}
}
public static SecurityToken GetBootstrapTokenFromContext()
{
var identity = ClaimsPrincipal.Current.Identities.FirstOrDefault();
var context = identity?.BootstrapContext as BootstrapContext;
if (context == null)
{
return(null);
}
SecurityToken token = null;
if (context.SecurityToken != null)
{
token = context.SecurityToken;
}
else if (!string.IsNullOrWhiteSpace(context.Token))
{
var handlers = SecurityTokenHandlerCollection.CreateDefaultSecurityTokenHandlerCollection();
token = handlers.ReadToken(new XmlTextReader(new StringReader(context.Token)));
}
return(token);
}
private static Saml2SecurityToken ReadSecurityToken(string samlXml, IFederatedAuthenticationSettings settings)
{
var sr = new StringReader(samlXml);
using (var reader = XmlReader.Create(sr))
{
try
{
if (!reader.ReadToFollowing("Assertion", "urn:oasis:names:tc:SAML:2.0:assertion"))
{
return(null);
}
}
catch (Exception ex)
{
throw new FederatedAuthenticationException("Cannot read token", FederatedAuthenticationErrorCode.WrongFormat, ex);
}
// Deserialize the token so that data can be taken from it and plugged into the RSTR
var collection = SecurityTokenHandlerCollection.CreateDefaultSecurityTokenHandlerCollection();
ConfigureHandler(collection.Configuration, settings);
var tokenString = reader.ReadSubtree();
return(collection.ReadToken(tokenString) as Saml2SecurityToken);
}
}
private static SecurityTokenHandlerCollection CreateDefaultHandlerCollection(this SecurityTokenHandlerConfiguration configuration)
{
return(SecurityTokenHandlerCollection.CreateDefaultSecurityTokenHandlerCollection(configuration));
}
protected void ConfigureService()
{
base.ApplyConfiguration();
var config = ServiceContract.SecurityTokenServiceConfiguration;
config.SigningCredentials = new X509SigningCredentials(TestHost.CertificateFromFriendlyName(StoreName.My, StoreLocation.LocalMachine, "WCF Bridge - STSMetaData"));
config.ServiceCertificate = TestHost.CertificateFromFriendlyName(StoreName.My, StoreLocation.LocalMachine, "WCF Bridge - Machine certificate generated by the CertificateManager");
config.SecurityTokenService = typeof(SelfHostSecurityTokenService);
config.TokenIssuerName = "SelfHostSTS";
config.SecurityTokenHandlerCollectionManager[SecurityTokenHandlerCollectionManager.Usage.ActAs] = SecurityTokenHandlerCollection.CreateDefaultSecurityTokenHandlerCollection();
config.SecurityTokenHandlerCollectionManager[SecurityTokenHandlerCollectionManager.Usage.OnBehalfOf] = SecurityTokenHandlerCollection.CreateDefaultSecurityTokenHandlerCollection();
config.CertificateValidationMode = X509CertificateValidationMode.ChainTrust;
config.IssuerNameRegistry = new ReturnX509SubjectNameOrRSAIssuerNameRegistry();
config.SecurityTokenHandlers.AddOrReplace(new AcceptAnyUsernameSecurityTokenHandler());
Credentials.ServiceCertificate.Certificate = config.ServiceCertificate;
//Credentials.UseIdentityConfiguration = true;
Credentials.UserNameAuthentication.UserNamePasswordValidationMode = UserNamePasswordValidationMode.Custom;
Credentials.UserNameAuthentication.CustomUserNamePasswordValidator = new AcceptAnyUsernamePasswordValidator();
}