/// <summary>
/// Loads the settings for the IdentityConfiguration from the application or web configuration file.
/// </summary>
/// <remarks>
/// If there is no configuration file, or the named section does not exist, then no exception is thrown,
/// instead the class is loaded with a set of default values.
/// </remarks>
protected void LoadConfiguration(IdentityConfigurationElement element)
{
if (element != null)
{
//
// Load the claims authentication manager
//
if (element.ClaimsAuthenticationManager.IsConfigured)
{
_claimsAuthenticationManager = GetClaimsAuthenticationManager(element);
}
//
// Load the claims authorization manager.
//
if (element.ClaimsAuthorizationManager.IsConfigured)
{
_claimsAuthorizationManager = CustomTypeElement.Resolve <ClaimsAuthorizationManager>(element.ClaimsAuthorizationManager);
}
//
// Load the service level Security Token Handler configuration
//
_serviceHandlerConfiguration = LoadHandlerConfiguration(element);
}
//
// Reads handler configuration via LoadConfiguredHandlers. Do this last.
//
_securityTokenHandlerCollectionManager = LoadHandlers(element);
}
public void Validate(Saml2SecurityToken token, SecurityTokenHandlerConfiguration configuration)
{
if (token == null || token.RawResponse == null ||
configuration == null)
{
throw new ArgumentNullException();
}
// search for signatures (possibly multiple)
var signatureNodes = token.RawResponse.GetElementsByTagName("Signature", Namespaces.XMLDSIG);
foreach (XmlElement signatureNode in signatureNodes)
{
var signedXml = new SignedXml(signatureNode.ParentNode as XmlElement);
signedXml.LoadXml(signatureNode);
signedXml.SafeCanonicalizationMethods.Add("http://www.w3.org/TR/1999/REC-xpath-19991116");
var result = signedXml.CheckSignature();
if (!result)
{
throw new ValidationException("Token's signature validation failed");
}
}
}
private static AuthenticationHandler GetDefaultAuthenticationHandler()
{
var authConfig = new AuthenticationConfiguration
{
RequireSsl = false,
InheritHostClientIdentity = false
};
#region Basic Authentication
authConfig.AddBasicAuthentication((userName, password) => { return(userName == password); });
#endregion
//#region SWT
//authConfig.Handler.AddSimpleWebToken(
// "SWT",
// Constants.Issuer,
// Constants.Realm,
// "Dc9Mpi3jbooUpBQpB/4R7XtUsa3D/ALSjTVvK8IUZbg=");
//#endregion
#region SAML2 tokens
var registry = new ConfigurationBasedIssuerNameRegistry();
registry.AddTrustedIssuer("D263DDCF598E716F0037380796A4A62DF017ADB8", "TEST");
var saml2Config = new SecurityTokenHandlerConfiguration();
saml2Config.AudienceRestriction.AllowedAudienceUris.Add(new Uri("https://test"));
saml2Config.IssuerNameRegistry = registry;
saml2Config.CertificateValidator = X509CertificateValidator.None;
authConfig.AddSaml2(saml2Config, AuthenticationOptions.ForAuthorizationHeader("Saml2"), null);
#endregion
var authHandler = new AuthenticationHandler(authConfig);
return(authHandler);
}
public Saml2Serializer()
{
Configuration = new SecurityTokenHandlerConfiguration()
{
};
}
public void AddJsonWebToken(string issuer, string audience, string signingKey, AuthenticationOptions options)
{
var config = new SecurityTokenHandlerConfiguration();
var registry = new WebTokenIssuerNameRegistry();
registry.AddTrustedIssuer(issuer, issuer);
config.IssuerNameRegistry = registry;
var issuerResolver = new WebTokenIssuerTokenResolver();
issuerResolver.AddSigningKey(issuer, signingKey);
config.IssuerTokenResolver = issuerResolver;
config.AudienceRestriction.AllowedAudienceUris.Add(new Uri(audience));
var handler = new JsonWebTokenHandler();
handler.Configuration = config;
AddMapping(new AuthenticationOptionMapping
{
TokenHandler = new SecurityTokenHandlerCollection {
handler
},
Options = options
});
}
/// <summary>
/// Validate the assertion
/// </summary>
/// <param name="assertion"></param>
/// <returns></returns>
protected ClaimsIdentity ValidateSamlToken(SecurityToken assertion)
{
Saml2PropertiesRemoval(assertion);
var configuration = new SecurityTokenHandlerConfiguration();
configuration.RevocationMode = X509RevocationMode.NoCheck;
// You can flip this switch if you don't want to make sure that IDP certificate
// is in the trusted root store of the Local Machine
// configuration.CertificateValidator = X509CertificateValidator.None;
configuration.AudienceRestriction.AudienceMode = AudienceUriMode.Never;
configuration.CertificateValidationMode = X509CertificateValidationMode.None;
var registry = new ConfigurationBasedIssuerNameRegistry();
registry.AddTrustedIssuer(_config.CertificateThumbprint, _config.Name);
configuration.IssuerNameRegistry = registry;
var handler = SecurityTokenHandlerCollection.CreateDefaultSecurityTokenHandlerCollection(configuration);
try
{
var identity = handler.ValidateToken(assertion).First();
return(identity);
}
catch (Exception ex)
{
throw ex;
}
}
private static TokenValidationParameters LoadFromConfig(
SecurityTokenHandlerConfiguration securityTokenHandlerConfiguration)
{
var wsFederationAuthenticationIssuer = FederatedAuthentication.FederationConfiguration.WsFederationConfiguration.Issuer;
var tokenValidationParameters = new TokenValidationParameters
{
ValidateIssuer = !string.IsNullOrEmpty(wsFederationAuthenticationIssuer),
ValidIssuer = wsFederationAuthenticationIssuer,
SaveSigninToken = securityTokenHandlerConfiguration.SaveBootstrapContext,
ClockSkew = securityTokenHandlerConfiguration.MaxClockSkew,
CertificateValidator = securityTokenHandlerConfiguration.CertificateValidator
};
if (securityTokenHandlerConfiguration.AudienceRestriction.AudienceMode == AudienceUriMode.Always && securityTokenHandlerConfiguration.AudienceRestriction.AllowedAudienceUris.Any())
{
tokenValidationParameters.ValidateAudience = true;
tokenValidationParameters.ValidAudiences =
securityTokenHandlerConfiguration.AudienceRestriction.AllowedAudienceUris.Select(x => x.AbsoluteUri);
}
else
{
tokenValidationParameters.ValidateAudience = false;
}
return(tokenValidationParameters);
}
public static SecurityToken DeSerializeSecurityToken(string tokenString, string issuerThumbPrint, string issuerThumbprintName)
{
XmlTextReader xmlTextReader = new XmlTextReader(new StringReader(tokenString));
SecurityTokenHandlerConfiguration conf = new SecurityTokenHandlerConfiguration()
{
SaveBootstrapContext = true
};
conf.AudienceRestriction.AudienceMode = AudienceUriMode.Never;
ConfigurationBasedIssuerNameRegistry actAsRegistry = new ConfigurationBasedIssuerNameRegistry();
actAsRegistry.AddTrustedIssuer(issuerThumbPrint, issuerThumbPrint);
conf.IssuerNameRegistry = actAsRegistry;
List <SecurityToken> tokens = new List <SecurityToken>()
{
new X509SecurityToken(Constants.DefaultCertificate)
};
conf.IssuerTokenResolver = SecurityTokenResolver.CreateDefaultSecurityTokenResolver(new ReadOnlyCollection <SecurityToken>(tokens), true);
SecurityTokenHandlerCollection handlers = new SecurityTokenHandlerCollection(conf)
{
new X509CertificateSessionSecurityTokenHandler(Constants.DefaultCertificate),
new UserNameTokenHandler(),
new SamlTokenHandler(),
new EncryptedSecurityTokenHandler()
};
return(handlers.ReadToken(xmlTextReader));
}
private HttpResponseMessage CreateTokenResponse(GenericXmlSecurityToken token, string scope)
{
var response = new TokenResponse();
if (ConfigurationRepository.AdfsIntegration.PassThruAuthenticationToken)
{
response.AccessToken = token.TokenXml.OuterXml;
response.ExpiresIn = (int)(token.ValidTo.Subtract(DateTime.UtcNow).TotalSeconds);
}
else
{
var bridge = new AdfsBridge(ConfigurationRepository);
if (ConfigurationRepository.Keys.DecryptionCertificate != null)
{
var configuration = new SecurityTokenHandlerConfiguration
{
AudienceRestriction = { AudienceMode = AudienceUriMode.Never },
CertificateValidationMode = X509CertificateValidationMode.None,
RevocationMode = X509RevocationMode.NoCheck,
CertificateValidator = X509CertificateValidator.None,
ServiceTokenResolver = SecurityTokenResolver.CreateDefaultSecurityTokenResolver(
new ReadOnlyCollection <SecurityToken>(new SecurityToken[] { new X509SecurityToken(ConfigurationRepository.Keys.DecryptionCertificate) }), false)
};
var handler = SecurityTokenHandlerCollection.CreateDefaultSecurityTokenHandlerCollection(configuration);
response = bridge.ConvertSamlToJwt(token.ToSecurityToken(handler), scope);
}
else
{
response = bridge.ConvertSamlToJwt(token.ToSecurityToken(), scope);
}
}
return(Request.CreateResponse <TokenResponse>(HttpStatusCode.OK, response));
}
/// <summary>Converts a SecurityToken to an IClaimsPrincipal.</summary>
/// <param name="token">The token.</param>
/// <param name="signingCertificate">The signing certificate.</param>
/// <returns>An IClaimsPrincipal</returns>
public static ClaimsPrincipal ToClaimsPrincipal(this SecurityToken token, X509Certificate2 signingCertificate)
{
SecurityTokenHandlerConfiguration standardConfiguration = CreateStandardConfiguration(signingCertificate);
return(ToClaimsPrincipal(token,
CreateDefaultHandlerCollection(standardConfiguration)));
}
public static IEnumerable <Claim> ValidateIdentityToken(string token, string issuer, string audience, X509Certificate2 signingCertificate, X509CertificateValidator certificateValidator = null)
{
if (certificateValidator == null)
{
certificateValidator = X509CertificateValidator.None;
}
var configuration = new SecurityTokenHandlerConfiguration
{
CertificateValidator = certificateValidator
};
var handler = new JwtSecurityTokenHandler
{
Configuration = configuration
};
var parameters = new TokenValidationParameters
{
ValidIssuer = issuer,
ValidAudience = audience,
IssuerSigningToken = new X509SecurityToken(signingCertificate)
};
SecurityToken wat = null;
return(handler.ValidateToken(token, parameters, out wat).Claims);
}
public void Validate(Saml2SecurityToken token, SecurityTokenHandlerConfiguration configuration)
{
if (token == null || token.Response == null || configuration == null)
{
throw new ArgumentNullException();
}
if (token.Response.Assertions != null)
{
foreach (var assertion in token.Response.Assertions)
{
if (assertion.Conditions != null)
{
ValidateNotBefore(assertion.Conditions.NotBefore, configuration.MaxClockSkew);
ValidateNotOnOrAfter(assertion.Conditions.NotOnOrAfter, configuration.MaxClockSkew);
}
if (
assertion.Subject != null &&
assertion.Subject.SubjectConfirmation != null &&
assertion.Subject.SubjectConfirmation.SubjectConfirmationData != null
)
{
ValidateNotBefore(assertion.Subject.SubjectConfirmation.SubjectConfirmationData.NotBefore, configuration.MaxClockSkew);
ValidateNotOnOrAfter(assertion.Subject.SubjectConfirmation.SubjectConfirmationData.NotOnOrAfter, configuration.MaxClockSkew);
}
}
}
}
private static void ValidateSwtToken(string tokenString)
{
var configuration = new SecurityTokenHandlerConfiguration();
var validationKey = new InMemorySymmetricSecurityKey(Convert.FromBase64String(signingKey));
// audience validation
configuration.AudienceRestriction.AllowedAudienceUris.Add(new Uri(realm));
// signature & issuer validation
var resolverTable = new Dictionary <string, IList <SecurityKey> >
{
{ issuerUri, new SecurityKey[] { validationKey } }
};
configuration.IssuerTokenResolver = new NamedKeyIssuerTokenResolver(resolverTable);
var handler = new SimpleWebTokenHandler();
handler.Configuration = configuration;
var token = handler.ReadToken(tokenString);
var ids = handler.ValidateToken(token);
"\n\nValidated Claims:".ConsoleYellow();
foreach (var claim in ids.First().Claims)
{
Console.WriteLine("{0}\n {1}\n", claim.Type, claim.Value);
}
}
private ClaimsPrincipal ParseToken(GenericXmlSecurityToken genericToken)
{
using (XmlReader samlReader = XmlReader.Create(new StringReader(genericToken.TokenXml.OuterXml)))
{
SecurityTokenHandlerCollection tokenHandlers = SecurityTokenHandlerCollection.CreateDefaultSecurityTokenHandlerCollection();
SecurityTokenHandlerConfiguration config = tokenHandlers.Configuration;
var securityTokens = new List <SecurityToken>
{
new X509SecurityToken(CertificateHelper.GetCertificate(_tokenClientOptions.StoreName, _tokenClientOptions.StoreLocation, _tokenClientOptions.SubjectDistinguishedName))
};
config.ServiceTokenResolver = SecurityTokenResolver.CreateDefaultSecurityTokenResolver(securityTokens.AsReadOnly(), false);
config.CertificateValidator = X509CertificateValidator.PeerOrChainTrust;
config.IssuerTokenResolver = new X509CertificateStoreTokenResolver(_tokenClientOptions.StoreName, _tokenClientOptions.StoreLocation);
config.IssuerNameRegistry = _nameRegistry;
config.AudienceRestriction.AllowedAudienceUris.Add(_tokenClientOptions.AudienceUri);
SecurityToken samlToken = tokenHandlers.ReadToken(samlReader);
ClaimsIdentity tokenIdentity = tokenHandlers.ValidateToken(samlToken).FirstOrDefault();
return(new ClaimsPrincipal(tokenIdentity));
}
}
public void Validate(Saml2SecurityToken token, SecurityTokenHandlerConfiguration configuration)
{
if (token == null || token.Response == null ||
configuration == null)
{
throw new ArgumentNullException();
}
if (configuration.IssuerNameRegistry == null)
{
throw new ArgumentNullException("configuration", "Issuer name registry cannot empty in the configuration");
}
if (token.Response.Assertions != null)
{
foreach (var assertion in token.Response.Assertions)
{
var securityToken = assertion.GetX509SecurityToken();
if (securityToken != null)
{
var issuer = configuration.IssuerNameRegistry.GetIssuerName(securityToken);
if (string.IsNullOrEmpty(issuer))
{
throw new ValidationException("Issuer name registry doesn't recognize token's certificate");
}
}
}
}
}
private ClaimsPrincipal GetClaimsPrincipal(SignInResponseMessage signInResponse)
{
try
{
//configure the certificate and some service token handler configuration properties (these basically match the web.config settings for MVC 4/5 app).
SecurityTokenHandlerConfiguration config = new SecurityTokenHandlerConfiguration();
config.AudienceRestriction.AllowedAudienceUris.Add(new Uri(Options.Realm));
config.CertificateValidationMode = System.ServiceModel.Security.X509CertificateValidationMode.None; //we have dodgy certs in dev
ConfigurationBasedIssuerNameRegistry inr = new ConfigurationBasedIssuerNameRegistry();
inr.AddTrustedIssuer(Options.SigningCertThumbprint, Options.ClaimsIssuer);
config.IssuerNameRegistry = inr;
config.CertificateValidator = System.IdentityModel.Selectors.X509CertificateValidator.None; //we have dodgy certs in dev
//Load up an XmlDocument with the result. Have to use XmlDocument so we can generate a valid reader unfortunately.
XmlDocument xmlDoc = new XmlDocument();
xmlDoc.LoadXml(signInResponse.Result);
//Add the namespaces and search for Assertion or EncryptedAssertion
XmlNamespaceManager nsMan = new XmlNamespaceManager(xmlDoc.NameTable);
nsMan.AddNamespace("trust", "http://docs.oasis-open.org/ws-sx/ws-trust/200512");
nsMan.AddNamespace("saml2", "urn:oasis:names:tc:SAML:2.0:assertion");
var parentNodes = "trust:RequestSecurityTokenResponseCollection/trust:RequestSecurityTokenResponse/trust:RequestedSecurityToken/";
var assertionNode = xmlDoc.SelectSingleNode(parentNodes + "saml2:EncryptedAssertion", nsMan);
if (assertionNode == null)
{
assertionNode = xmlDoc.SelectSingleNode(parentNodes + "saml2:Assertion", nsMan);
}
else
{
//this is an encrypted response so add a ServiceTokenResolver of X509CertificateStoreTokenResolver so the assertion can be decrypted. Hard codes LocalMachine - could be configured as well.
config.ServiceTokenResolver = new X509CertificateStoreTokenResolver(Options.EncryptionCertStoreName, StoreLocation.LocalMachine);
}
if (assertionNode == null)
{
throw new Exception("No assertion element found in Response.");
}
using (var reader = new XmlNodeReader(assertionNode))
{
//Get the token and convert it to a Claims Principal for return
SecurityTokenHandlerCollection collection = SecurityTokenHandlerCollection.CreateDefaultSecurityTokenHandlerCollection(config);
var securityToken = collection.ReadToken(reader);
var claimsIdentities = collection.ValidateToken(securityToken);
ClaimsPrincipal principal = new ClaimsPrincipal(claimsIdentities);
return(principal);
}
}
catch (Exception ex)
{
//TODO: Add some logging
var err = ex;
}
return(null);
}
public HttpsSecurityTokenHandler()
: base(X509CertificateValidator.None)
{
Configuration = new SecurityTokenHandlerConfiguration
{
IssuerNameRegistry = new HttpsIssuerNameRegistry()
};
}
private static SecurityTokenHandlerCollection CreateDefaultHandlerCollection(
this SecurityTokenHandlerConfiguration configuration)
{
var handlerCollection =
SecurityTokenHandlerCollection.CreateDefaultSecurityTokenHandlerCollection(configuration);
handlerCollection.AddOrReplace(new CustomSaml2SecurityTokenHandler());
return(handlerCollection);
}
private ClaimsIdentity ValidateSamlToken(SecurityToken securityToken)
{
var configuration = new SecurityTokenHandlerConfiguration();
var handler = SecurityTokenHandlerCollection.CreateDefaultSecurityTokenHandlerCollection(configuration);
handler.AddOrReplace(new CustomSaml2SecurityTokenHandler());
var identity = handler.ValidateToken(securityToken).First();
return(identity);
}
/// <summary>Turns a supported generic XML security token to a security token.</summary>
/// <param name="token">The token.</param>
/// <param name="decryptionCertificate">The decryption certificate.</param>
/// <returns>A SecurityToken</returns>
public static SecurityToken ToSecurityToken(this GenericXmlSecurityToken token, X509Certificate2 decryptionCertificate)
{
var configuration = new SecurityTokenHandlerConfiguration();
configuration.ServiceTokenResolver = decryptionCertificate.CreateSecurityTokenResolver();
var handler = SecurityTokenHandlerCollection.CreateDefaultSecurityTokenHandlerCollection(configuration);
return(token.ToSecurityToken(handler));
}
/// <summary>Converts a SecurityToken to an IClaimsPrincipal.</summary>
/// <param name="token">The token.</param>
/// <param name="signingCertificate">The signing certificate.</param>
/// <param name="audienceUri">The audience URI.</param>
/// <returns>An IClaimsPrincipal</returns>
public static ClaimsPrincipal ToClaimsPrincipal(this SecurityToken token, X509Certificate2 signingCertificate,
string audienceUri)
{
SecurityTokenHandlerConfiguration standardConfiguration = CreateStandardConfiguration(signingCertificate);
standardConfiguration.AudienceRestriction.AudienceMode = AudienceUriMode.Always;
standardConfiguration.AudienceRestriction.AllowedAudienceUris.Add(new Uri(audienceUri));
return(ToClaimsPrincipal(token,
CreateDefaultHandlerCollection(standardConfiguration)));
}
private static SecurityTokenHandlerConfiguration CreateStandardConfiguration(X509Certificate2 signingCertificate)
{
var configuration = new SecurityTokenHandlerConfiguration();
configuration.AudienceRestriction.AudienceMode = AudienceUriMode.Never;
configuration.IssuerNameRegistry = signingCertificate.CreateIssuerNameRegistry();
configuration.IssuerTokenResolver = signingCertificate.CreateSecurityTokenResolver();
configuration.SaveBootstrapContext = true;
return(configuration);
}
public static void AddSaml11(this AuthenticationConfiguration configuration, SecurityTokenHandlerConfiguration handlerConfiguration, AuthenticationOptions options)
{
var handler = new HttpSamlSecurityTokenHandler();
handler.Configuration = handlerConfiguration;
configuration.AddMapping(new AuthenticationOptionMapping
{
TokenHandler = new SecurityTokenHandlerCollection { handler },
Options = options
});
}
protected virtual SecurityTokenHandler GetSecurityTokenHandler()
{
var authPlugin = PluginManager.GetSingleton <SamlOAuthClient>();
//var config = System.IdentityModel.Services.Configuration..FederationConfiguration..;
SecurityTokenHandler handler = null;
var securityRequirements = new SamlSecurityTokenRequirement();
var securityTokenHandlerConfig = new SecurityTokenHandlerConfiguration();
switch (authPlugin.IdpBindingType)
{
case SamlBinding.SAML11_POST:
handler = new SamlSecurityTokenHandler(securityRequirements)
{
Configuration = securityTokenHandlerConfig
};
break;
case SamlBinding.SAML20_POST:
handler = new SubjectConfirmationDataSaml2SecurityTokenHandler(securityRequirements, authPlugin.SubjectRecipientValidationMode)
{
Configuration = securityTokenHandlerConfig
};
break;
}
if (handler == null)
{
throw new InvalidOperationException(
string.Format("No suitable token handler was loaded for the SAML binding type : {0}",
tokenProcessorConfiguration.IdpBindingType));
}
handler.Configuration.IssuerNameRegistry = new CodeBasedIssuerNameRegistry(tokenProcessorConfiguration.TrustedIssuerThumbprint.Split(','));
handler.Configuration.CertificateValidationMode = tokenProcessorConfiguration.CertificateValidationMode;
if (typeof(SamlSecurityTokenHandler).IsAssignableFrom(handler.GetType()))
{
((SamlSecurityTokenHandler)handler).CertificateValidator = GetCertificateValidator(handler.Configuration.CertificateValidationMode);
}
if (typeof(Saml2SecurityTokenHandler).IsAssignableFrom(handler.GetType()))
{
((Saml2SecurityTokenHandler)handler).CertificateValidator = GetCertificateValidator(handler.Configuration.CertificateValidationMode);
}
handler.Configuration.AudienceRestriction.AudienceMode = System.IdentityModel.Selectors.AudienceUriMode.Never;
return(handler);
}
private static SecurityTokenHandlerConfiguration CreateSaml2SecurityTokenHandlerConfiguration(string issuerThumbprint, string issuerName, string audienceUri, X509CertificateValidator certificateValidator)
{
var registry = new ConfigurationBasedIssuerNameRegistry();
registry.AddTrustedIssuer(issuerThumbprint, issuerName);
var handlerConfig = new SecurityTokenHandlerConfiguration();
handlerConfig.AudienceRestriction.AllowedAudienceUris.Add(new Uri(audienceUri));
handlerConfig.IssuerNameRegistry = registry;
handlerConfig.CertificateValidator = certificateValidator;
return handlerConfig;
}
public static void AddSaml2(this AuthenticationConfiguration configuration, string issuerThumbprint, string issuerName, string audienceUri, X509CertificateValidator certificateValidator, AuthenticationOptions options, AuthenticationScheme scheme)
{
var registry = new ConfigurationBasedIssuerNameRegistry();
registry.AddTrustedIssuer(issuerThumbprint, issuerName);
var handlerConfig = new SecurityTokenHandlerConfiguration();
handlerConfig.AudienceRestriction.AllowedAudienceUris.Add(new Uri(audienceUri));
handlerConfig.IssuerNameRegistry = registry;
handlerConfig.CertificateValidator = certificateValidator;
configuration.AddSaml2(handlerConfig, options, scheme);
}
private WebSecurityTokenHandlerCollectionManager SetupSecurityTokenHandler()
{
var manager = new WebSecurityTokenHandlerCollectionManager();
#region Basic Authentication
// basic authentication
manager.AddBasicAuthenticationHandler((username, password) => username == password);
// sample to use membership provider
//manager.AddBasicAuthenticationHandler((username, password) => Membership.ValidateUser(username, password));
#endregion
#region SAML
// SAML via ADFS
var registry = new ConfigurationBasedIssuerNameRegistry();
registry.AddTrustedIssuer("d1 c5 b1 25 97 d0 36 94 65 1c e2 64 fe 48 06 01 35 f7 bd db", "ADFS");
var adfsConfig = new SecurityTokenHandlerConfiguration();
adfsConfig.AudienceRestriction.AllowedAudienceUris.Add(new Uri("https://" + Constants.WebHost + "/webservicesecurity/rest/"));
adfsConfig.IssuerNameRegistry = registry;
adfsConfig.CertificateValidator = X509CertificateValidator.None;
// token decryption (read from config)
adfsConfig.ServiceTokenResolver = IdentityModelConfiguration.ServiceConfiguration.CreateAggregateTokenResolver();
manager.AddSaml11SecurityTokenHandler("SAML", adfsConfig);
//manager.AddSaml2SecurityTokenHandler("SAML", adfsConfig);
#endregion
#region ACS SWT
manager.AddSimpleWebTokenHandler(
"ACS",
"https://" + Constants.ACS + "/",
"https://" + Constants.WebHost + "/webservicesecurity/rest/",
"ds9t7JPEsprLRxWvnFjGr+xOhWOy5H8ZHEr5z/rJbi8=");
#endregion
#region IdSrv SWT
manager.AddSimpleWebTokenHandler(
"IdSrv",
"http://identity.thinktecture.com/trust",
"https://" + Constants.WebHost + "/webservicesecurity/rest/",
"yM7+ti12DiFWcg8t5EfdQbOIgdZCchkETYSXxmvTY0s=");
#endregion
#region Allow ASP.NET based authentication
manager.AddDefaultHandler();
#endregion
return manager;
}
public Saml2PSecurityTokenHandler(SPOptions spOptions)
{
if (spOptions == null)
{
throw new ArgumentNullException(nameof(spOptions));
}
Configuration = new SecurityTokenHandlerConfiguration
{
IssuerNameRegistry = new ReturnRequestedIssuerNameRegistry(),
AudienceRestriction = GetAudienceRestriction(spOptions),
SaveBootstrapContext = spOptions.SystemIdentityModelIdentityConfiguration.SaveBootstrapContext
};
}
private static SecurityTokenHandlerConfiguration CreateStandardConfiguration(string thumbprint)
{
var configuration = new SecurityTokenHandlerConfiguration();
configuration.AudienceRestriction.AudienceMode = AudienceUriMode.Never;
var registry = new ConfigurationBasedIssuerNameRegistry();
registry.AddTrustedIssuer(thumbprint, thumbprint);
configuration.IssuerNameRegistry = registry;
configuration.SaveBootstrapTokens = true;
return(configuration);
}
public void AddSaml2(SecurityTokenHandlerConfiguration configuration, AuthenticationOptions options)
{
var handler = new HttpSaml2SecurityTokenHandler();
handler.Configuration = configuration;
AddMapping(new AuthenticationOptionMapping
{
TokenHandler = new SecurityTokenHandlerCollection {
handler
},
Options = options
});
}
public SecurityTokenHandlerConfiguration GetConfiguration()
{
var inner = new X509CertificateStoreTokenResolver("testCertStore", StoreLocation.LocalMachine);
var tokenResolver = new IssuerTokenResolver(inner);
var configuration = new SecurityTokenHandlerConfiguration
{
IssuerTokenResolver = tokenResolver,
ServiceTokenResolver = inner,
AudienceRestriction = new AudienceRestriction(AudienceUriMode.Always),
CertificateValidationMode = System.ServiceModel.Security.X509CertificateValidationMode.Custom,
};
return(configuration);
}
public ClientCertificateHandler(ClientCertificateMode mode, params string[] values)
{
X509CertificateValidator validator;
ClientCertificateIssuerNameRegistry registry;
// set validator and registry
if (mode == ClientCertificateMode.ChainValidation)
{
validator = X509CertificateValidator.ChainTrust;
registry = new ClientCertificateIssuerNameRegistry(false, mode);
}
if (mode == ClientCertificateMode.ChainValidationWithIssuerSubjectName ||
mode == ClientCertificateMode.ChainValidationWithIssuerThumbprint)
{
validator = X509CertificateValidator.ChainTrust;
registry = new ClientCertificateIssuerNameRegistry(true, mode, values);
}
else if (mode == ClientCertificateMode.PeerValidation)
{
validator = X509CertificateValidator.PeerTrust;
registry = new ClientCertificateIssuerNameRegistry(false, mode);
}
else if (mode == ClientCertificateMode.IssuerThumbprint)
{
validator = X509CertificateValidator.None;
registry = new ClientCertificateIssuerNameRegistry(true, mode, values);
}
else
{
throw new ArgumentException("mode");
}
Configuration = new SecurityTokenHandlerConfiguration
{
//CertificateValidationMode = X509CertificateValidationMode.Custom,
CertificateValidator = validator,
IssuerNameRegistry = registry
};
}
public void AddSimpleWebToken(string issuer, string audience, string signingKey, AuthenticationOptions options)
{
var config = new SecurityTokenHandlerConfiguration();
var registry = new WebTokenIssuerNameRegistry();
registry.AddTrustedIssuer(issuer, issuer);
config.IssuerNameRegistry = registry;
var issuerResolver = new WebTokenIssuerTokenResolver();
issuerResolver.AddSigningKey(issuer, signingKey);
config.IssuerTokenResolver = issuerResolver;
config.AudienceRestriction.AllowedAudienceUris.Add(new Uri(audience));
var handler = new SimpleWebTokenHandler();
handler.Configuration = config;
AddMapping(new AuthenticationOptionMapping
{
TokenHandler = new SecurityTokenHandlerCollection { handler },
Options = options
});
}
public void AddSaml11(SecurityTokenHandlerConfiguration configuration, AuthenticationOptions options)
{
var handler = new HttpSamlSecurityTokenHandler();
handler.Configuration = configuration;
AddMapping(new AuthenticationOptionMapping
{
TokenHandler = new SecurityTokenHandlerCollection { handler },
Options = options
});
}
public void ManualWriteRoundtripDuplicateClaimTypes()
{
var signinKey = SymmetricKeyGenerator.Create(32);
var jwt = new JsonWebToken
{
Header = new JwtHeader
{
SignatureAlgorithm = JwtConstants.SignatureAlgorithms.HMACSHA256,
SigningCredentials = new HmacSigningCredentials(signinKey)
},
Audience = new Uri("http://foo.com"),
Issuer = "dominick",
ExpirationTime = 50000000000,
};
jwt.AddClaim(ClaimTypes.Name, "dominick");
jwt.AddClaim(ClaimTypes.Email, "*****@*****.**");
jwt.AddClaim(ClaimTypes.Role, "bar");
jwt.AddClaim(ClaimTypes.Role, "foo");
var handler = new JsonWebTokenHandler();
var token = handler.WriteToken(jwt);
Trace.WriteLine(token);
// token should not be empty
Assert.IsTrue(!string.IsNullOrWhiteSpace(token));
// token with signature needs to be 3 parts
var parts = token.Split('.');
Assert.IsTrue(parts.Length == 3, "JWT should have excactly 3 parts");
// signature must be 256 bits
var sig = Base64Url.Decode(parts[2]);
Assert.IsTrue(sig.Length == 32, "Signature is not 32 bits");
var jwtToken = handler.ReadToken(token);
var config = new SecurityTokenHandlerConfiguration();
var registry = new WebTokenIssuerNameRegistry();
registry.AddTrustedIssuer("dominick", "dominick");
config.IssuerNameRegistry = registry;
var issuerResolver = new WebTokenIssuerTokenResolver();
issuerResolver.AddSigningKey("dominick", Convert.ToBase64String(signinKey));
config.IssuerTokenResolver = issuerResolver;
config.AudienceRestriction.AllowedAudienceUris.Add(new Uri("http://foo.com"));
handler.Configuration = config;
var identity = handler.ValidateToken(jwtToken).First();
Assert.IsTrue(identity.Claims.Count() == 4);
Assert.IsTrue(identity.Claims.First().Issuer == "dominick");
}
private AuthenticationConfiguration ConfigureAuthentication()
{
var config = new AuthenticationConfiguration
{
// sample claims transformation for consultants sample, comment out to see raw claims
ClaimsAuthenticationManager = new ConsultantsClaimsTransformer(),
// value of the www-authenticate header, if not set, the first scheme added to the handler collection is used
DefaultAuthenticationScheme = "Basic"
};
#region Basic Authentication
config.Handler.AddBasicAuthenticationHandler((username, password) => username == password);
#endregion
#region IdSrv Simple Web Tokens
config.Handler.AddSimpleWebTokenHandler(
"IdSrv",
"http://identity.thinktecture.com/trust",
Constants.Realm,
"Dc9Mpi3jbooUpBQpB/4R7XtUsa3D/ALSjTVvK8IUZbg=");
#endregion
#region ACS Simple Web Tokens
config.Handler.AddSimpleWebTokenHandler(
"ACS",
"https://" + Constants.ACS + "/",
Constants.Realm,
"yFvxu8Xkmo/xBSSPrzqZLSAiB4lgjR4PIi0Bn1RsUDI=");
#endregion
#region ADFS SAML tokens
// SAML via ADFS
var registry = new ConfigurationBasedIssuerNameRegistry();
registry.AddTrustedIssuer("d1 c5 b1 25 97 d0 36 94 65 1c e2 64 fe 48 06 01 35 f7 bd db", "ADFS");
var adfsConfig = new SecurityTokenHandlerConfiguration();
adfsConfig.AudienceRestriction.AllowedAudienceUris.Add(new Uri(Constants.Realm));
adfsConfig.IssuerNameRegistry = registry;
adfsConfig.CertificateValidator = X509CertificateValidator.None;
// token decryption (read from configuration section)
adfsConfig.ServiceTokenResolver = FederatedAuthentication.ServiceConfiguration.CreateAggregateTokenResolver();
config.Handler.AddSaml11SecurityTokenHandler("AdfsSaml", adfsConfig);
//manager.AddSaml2SecurityTokenHandler("AdfsSaml", adfsConfig);
#endregion
#region IdSrv SAML tokens
// SAML via IdSrv
var idsrvRegistry = new ConfigurationBasedIssuerNameRegistry();
registry.AddTrustedIssuer("A1EED7897E55388FCE60FEF1A1EED81FF1CBAEC6", "Thinktecture IdSrv");
var idsrvConfig = new SecurityTokenHandlerConfiguration();
adfsConfig.AudienceRestriction.AllowedAudienceUris.Add(new Uri(Constants.Realm));
adfsConfig.IssuerNameRegistry = registry;
adfsConfig.CertificateValidator = X509CertificateValidator.None;
// token decryption (read from configuration section)
adfsConfig.ServiceTokenResolver = FederatedAuthentication.ServiceConfiguration.CreateAggregateTokenResolver();
config.Handler.AddSaml2SecurityTokenHandler("IdSrvSaml", adfsConfig);
#endregion
return config;
}
public HttpSaml2SecurityTokenHandler(SecurityTokenHandlerConfiguration configuration)
: base()
{
Configuration = configuration;
}
private static AuthenticationConfiguration ConfigureAuthentication()
{
var config = new AuthenticationConfiguration();
config.ClaimsAuthenticationManager = new ConsultantsClaimsTransformer();
#region Basic Authentication
config.Handler.AddBasicAuthenticationHandler((username, password) => username == password);
#endregion
#region IdSrv Simple Web Tokens
config.Handler.AddSimpleWebTokenHandler(
"IdSrv",
"http://identity.thinktecture.com/trust",
Thinktecture.Samples.Constants.Realm,
"Dc9Mpi3jbooUpBQpB/4R7XtUsa3D/ALSjTVvK8IUZbg=");
#endregion
#region ACS Simple Web Tokens
config.Handler.AddSimpleWebTokenHandler(
"ACS",
"https://" + Thinktecture.Samples.Constants.ACS + "/",
Thinktecture.Samples.Constants.Realm,
"yFvxu8Xkmo/xBSSPrzqZLSAiB4lgjR4PIi0Bn1RsUDI=");
#endregion
#region ADFS SAML tokens
// SAML via ADFS
var registry = new ConfigurationBasedIssuerNameRegistry();
registry.AddTrustedIssuer("d1 c5 b1 25 97 d0 36 94 65 1c e2 64 fe 48 06 01 35 f7 bd db", "ADFS");
var adfsConfig = new SecurityTokenHandlerConfiguration();
adfsConfig.AudienceRestriction.AllowedAudienceUris.Add(new Uri(Thinktecture.Samples.Constants.Realm));
adfsConfig.IssuerNameRegistry = registry;
adfsConfig.CertificateValidator = X509CertificateValidator.None;
// token decryption (read from configuration section)
adfsConfig.ServiceTokenResolver = FederatedAuthentication.ServiceConfiguration.CreateAggregateTokenResolver();
config.Handler.AddSaml11SecurityTokenHandler("AdfsSaml", adfsConfig);
//manager.AddSaml2SecurityTokenHandler("AdfsSaml", adfsConfig);
#endregion
#region IdSrv SAML tokens
// SAML via IdSrv
var idsrvRegistry = new ConfigurationBasedIssuerNameRegistry();
registry.AddTrustedIssuer("CD638612A35CD2F9232ECE36226B731FC666EF07", "Thinktecture IdSrv");
var idsrvConfig = new SecurityTokenHandlerConfiguration();
adfsConfig.AudienceRestriction.AllowedAudienceUris.Add(new Uri(Thinktecture.Samples.Constants.Realm));
adfsConfig.IssuerNameRegistry = registry;
adfsConfig.CertificateValidator = X509CertificateValidator.None;
// token decryption (read from configuration section)
adfsConfig.ServiceTokenResolver = FederatedAuthentication.ServiceConfiguration.CreateAggregateTokenResolver();
config.Handler.AddSaml2SecurityTokenHandler("IdSrvSaml", adfsConfig);
#endregion
return config;
}
public WebSaml11SecurityTokenHandler(SecurityTokenHandlerConfiguration configuration)
: base()
{
Configuration = configuration;
}
public void HandlerCreateRoundtripSingleClaimTypes()
{
var signinKey = SymmetricKeyGenerator.Create(32);
var identity = new ClaimsIdentity(new List<Claim>
{
new Claim(ClaimTypes.Name, "dominick"),
new Claim(ClaimTypes.Email, "*****@*****.**"),
}, "Custom");
var descriptor = new SecurityTokenDescriptor
{
Subject = identity,
SigningCredentials = new HmacSigningCredentials(signinKey),
TokenIssuerName = "dominick",
Lifetime = new Lifetime(DateTime.UtcNow, DateTime.UtcNow.AddHours(8)),
AppliesToAddress = "http://foo.com"
};
var handler = new JsonWebTokenHandler();
var token = handler.CreateToken(descriptor);
var tokenString = handler.WriteToken(token);
Trace.WriteLine(tokenString);
// token should not be empty
Assert.IsTrue(!string.IsNullOrWhiteSpace(tokenString));
// token with signature needs to be 3 parts
var parts = tokenString.Split('.');
Assert.IsTrue(parts.Length == 3, "JWT should have excactly 3 parts");
// signature must be 256 bits
var sig = Base64Url.Decode(parts[2]);
Assert.IsTrue(sig.Length == 32, "Signature is not 32 bits");
var jwtToken = handler.ReadToken(tokenString);
var config = new SecurityTokenHandlerConfiguration();
var registry = new WebTokenIssuerNameRegistry();
registry.AddTrustedIssuer("dominick", "dominick");
config.IssuerNameRegistry = registry;
var issuerResolver = new WebTokenIssuerTokenResolver();
issuerResolver.AddSigningKey("dominick", Convert.ToBase64String(signinKey));
config.IssuerTokenResolver = issuerResolver;
config.AudienceRestriction.AllowedAudienceUris.Add(new Uri("http://foo.com"));
handler.Configuration = config;
var identity2 = handler.ValidateToken(jwtToken).First();
Assert.IsTrue(identity.Claims.Count() == 2);
//Assert.IsTrue(identity.Claims.First().Issuer == "dominick");
}
