public async Task<SignInValidationResult> ValidateAsync(SignInRequestMessage message, ClaimsPrincipal subject) { var result = new SignInValidationResult(); // todo: wfresh handling? if (!subject.Identity.IsAuthenticated) { return new SignInValidationResult { IsSignInRequired = true, }; }; var rp = await _relyingParties.GetByRealmAsync(message.Realm); if (rp == null || rp.Enabled == false) { return new SignInValidationResult { IsError = true, Error = "invalid_relying_party" }; } // todo: check wreply against list of allowed reply URLs result.ReplyUrl = rp.ReplyUrl; result.RelyingParty = rp; result.SignInRequestMessage = message; result.Subject = subject; return result; }
public string GetResponseHtml(IDictionary<string, string> parameters, Uri signinUri) { var requestToken = new OAuthRequestToken {Token = parameters["oauth_token"]}; // Exchange the Request Token for an Access Token var service = new TwitterService(Settings.TwitterConsumerKey, Settings.TwitterConsumerSecret); OAuthAccessToken accessToken = service.GetAccessToken(requestToken, parameters["oauth_verifier"]); // Claim values string name = accessToken.ScreenName; string nameIdentifier = string.Format("https://twitter.com/account/redirect_by_id?id={0}", accessToken.UserId); string token = accessToken.Token; string tokenSecret = accessToken.TokenSecret; string wtRealm = _configurationProvider.Get(Settings.TwitterWtRealm); string wReply = _configurationProvider.Get(Settings.TwitterWReply); var requestMessage = new SignInRequestMessage(signinUri, wtRealm, wReply); // Add claims var identity = new ClaimsIdentity(AuthenticationTypes.Federation); identity.AddClaim(new Claim(ClaimTypes.Name, name)); identity.AddClaim(new Claim(ClaimTypes.NameIdentifier, nameIdentifier)); identity.AddClaim(new Claim(TwitterClaims.TwitterToken, token)); identity.AddClaim(new Claim(TwitterClaims.TwitterTokenSecret, tokenSecret)); var principal = new ClaimsPrincipal(identity); // Serialize response message SignInResponseMessage responseMessage = FederatedPassiveSecurityTokenServiceOperations.ProcessSignInRequest(requestMessage, principal, this); responseMessage.Context = parameters["context"]; return responseMessage.WriteFormPost(); }
private static void ValidateRequestIsSsl(bool requireSsl, SignInRequestMessage signInRequestMessage) { if (requireSsl && (signInRequestMessage.BaseUri.Scheme != Uri.UriSchemeHttps)) { throw new InvalidRequestException("requests needs to be ssl"); } }
// HACK: metodo/action fica comentado, para esconder a sua existencia de acesso directo externo //public ActionResult LogOnFederated() //{ // //throw new NotImplementedException(); // return View(); //} // // GET: /Account/LogOn public ActionResult LogOn() { // HACK: constante para seleccao do home realm na aplicacao web e nao no ACS // da' erro/nao servem de nada, pois e' necessario .cshtml ou .aspx a servir de intermediario //const string localLoginPageUrl = "~/Account/applocal2LoginPageCode.html"; //const string localLoginPageUrl = "applocal2LoginPageCode.html"; // view em .aspx a servir de intermediario para applocal2LoginPageCode.html //const string localLoginPageUrl = "~/Account/LogOnFederated"; const string localLoginPageIntermediateViewName = "LogOnFederated"; // HACK: em principio, sempre verdadeiro neste metodo (ou com !User.Identity.IsAuthenticated) //if (!Request.IsAuthenticated) //{ //} // HACK: utilizar FederatedAuthentication, como alternativa ao pre-definido return View(); // HACK: try..catch realizado,para caso do web.config ser alterado para nao ter WS-Federation try { /* 1 - tentar utilizar federacao: * se conseguir (wsfam nao e' null, e nao ocorrem erros), faz redirect... */ var wsfam = FederatedAuthentication.WSFederationAuthenticationModule; if (wsfam != null) { var signInRequest = new SignInRequestMessage(new Uri(wsfam.Issuer), wsfam.Realm, wsfam.Reply) { AuthenticationType = wsfam.AuthenticationType, Context = wsfam.Realm, Freshness = wsfam.Freshness, HomeRealm = wsfam.HomeRealm }; // 1.1 - seleccao do home realm no ACS //return Redirect(signInRequest.WriteQueryString()); // 1.2 - seleccao do home realm na aplicacao web //return View("applocal2LoginPageCode"); // da' erro // HACK: action fica comentada, para esconder existencia de acesso directo externo, // logo, redirect's tambem ficam comentados, para nao haver action com acesso externo //return Redirect(localLoginPageUrl); // nao da' erro, se for a action LogOnFederated //return RedirectToAction(localLoginPageIntermediateViewName, "Account"); /* retorna-se a View, e assim, nao ha' acesso externo directo/explicto * a esta view, pois nao existe action que corresponda apenas a esta view */ return View(localLoginPageIntermediateViewName); } } catch (Exception) { // 2 - ...em caso de erro, nao faz nada, pois... //throw; } // 3 - ...caso wsfam seja igual a null, ou em caso de erro, processa normalmente o LogOn return View(); }
public SignInResponseMessage Generate(SignInRequestMessage request, WindowsPrincipal windowsPrincipal) { Logger.Info("Creating WS-Federation signin response"); // create subject var outgoingSubject = SubjectGenerator.Create(windowsPrincipal, _options); // create token for user var token = CreateSecurityToken(outgoingSubject); // return response var rstr = new RequestSecurityTokenResponse { AppliesTo = new EndpointReference(_options.IdpRealm), Context = request.Context, ReplyTo = _options.IdpReplyUrl, RequestedSecurityToken = new RequestedSecurityToken(token) }; var serializer = new WSFederationSerializer( new WSTrust13RequestSerializer(), new WSTrust13ResponseSerializer()); var mgr = SecurityTokenHandlerCollectionManager.CreateEmptySecurityTokenHandlerCollectionManager(); mgr[SecurityTokenHandlerCollectionManager.Usage.Default] = CreateSupportedSecurityTokenHandler(); var responseMessage = new SignInResponseMessage( new Uri(_options.IdpReplyUrl), rstr, serializer, new WSTrustSerializationContext(mgr)); return responseMessage; }
public ActionResult SignIn(SignInRequestMessage message) { var response = FederatedPassiveSecurityTokenServiceOperations.ProcessSignInRequest( message, HttpContext.User, new CustomSecurityTokenService(new CustomSecurityTokenServiceConfiguration())); return new WSFederationResult(response); }
public ActionResult SignIn(string returnUrl) { var fam = FederatedAuthentication.WSFederationAuthenticationModule; fam.SignIn(Guid.NewGuid().ToString()); var signInRequestMessage = new SignInRequestMessage(new Uri(fam.Issuer), fam.Realm, returnUrl); var parameters = HmacHelper.CreateHmacRequestParametersFromConfig(Consts.PermissionHmacSettingsPrefix); parameters.ForEach(signInRequestMessage.Parameters.Add); return new RedirectResult(signInRequestMessage.WriteQueryString()); }
public ActionResult Index() { ViewBag.Message = "Modify this template to jump-start your ASP.NET MVC application."; SignInRequestMessage signInRequestMessage = new SignInRequestMessage(new Uri("https://andras1/idsrv/issue/wsfed"), "http://localhost:2533/"); ViewBag.StsSignInUrl = signInRequestMessage.WriteQueryString(); return View(); }
public async Task<SignInValidationResult> ValidateAsync(SignInRequestMessage message, ClaimsPrincipal subject) { Logger.Info("Start WS-Federation signin request validation"); var result = new SignInValidationResult(); // parse whr if (!String.IsNullOrWhiteSpace(message.HomeRealm)) { result.HomeRealm = message.HomeRealm; } // parse wfed if (!String.IsNullOrWhiteSpace(message.Federation)) { result.Federation = message.Federation; } if (!subject.Identity.IsAuthenticated) { result.IsSignInRequired = true; return result; } // check realm var rp = await _relyingParties.GetByRealmAsync(message.Realm); if (rp == null || rp.Enabled == false) { LogError("Relying party not found: " + message.Realm, result); return new SignInValidationResult { IsError = true, Error = "invalid_relying_party" }; } result.ReplyUrl = rp.ReplyUrl; result.RelyingParty = rp; result.SignInRequestMessage = message; result.Subject = subject; var customResult = await _customValidator.ValidateSignInRequestAsync(result); if (customResult.IsError) { LogError("Error in custom validation: " + customResult.Error, result); return new SignInValidationResult { IsError = true, Error = customResult.Error, ErrorMessage = customResult.ErrorMessage, }; } LogSuccess(result); return result; }
private static void AuthenticateUser(AuthorizationContext context, string realm) { // user is not authenticated and it's entering for the first time var fam = FederatedAuthentication.WSFederationAuthenticationModule; var signIn = new SignInRequestMessage(new Uri(fam.Issuer), realm ?? fam.Realm) { Context = "ru=" + context.HttpContext.Request.Path }; context.Result = new RedirectResult(signIn.WriteQueryString()); }
protected override WSFederationMessage BuildSignInMessage(AuthorizationContext context, Uri replyUrl) { var fam = FederatedAuthentication.WSFederationAuthenticationModule; var signIn = new SignInRequestMessage(new Uri(fam.Issuer), fam.Realm) { Context = AuthenticateAndAuthorizeRoleAttribute.GetReturnUrl(context.RequestContext, RequestAppendAttribute.RawUrl, null).ToString(), HomeRealm = Tailspin.Federation.HomeRealm, Reply = replyUrl.ToString() }; return signIn; }
private void RequestAuthentication(HttpContextBase httpContext, string identityProviderUrl, string realm, string replyUrl) { var signIn = new SignInRequestMessage(new Uri(identityProviderUrl), realm) { Context = replyUrl, Reply = replyUrl }; var redirectUrl = signIn.WriteQueryString(); httpContext.Response.Redirect(redirectUrl, false); httpContext.ApplicationInstance.CompleteRequest(); }
private static void AuthenticateUser(AuthorizationContext filterContext) { var organization = filterContext.RouteData.Values["organization"] as String ?? "mock.issuer.1"; var returnUrl = GetReturnUrl(filterContext.RequestContext); var fam = FederatedAuthentication.WSFederationAuthenticationModule; var signIn = new SignInRequestMessage(new Uri(fam.Issuer), fam.Realm) { Context = returnUrl.ToString(), HomeRealm = GetHomeRealm(organization) }; filterContext.Result = new RedirectResult(signIn.WriteQueryString()); }
private ActionResult ProcessSignIn(SignInRequestMessage signInMsg, ClaimsPrincipal user) { var config = new EmbeddedTokenServiceConfiguration(); var sts = config.CreateSecurityTokenService(); var appPath = Request.ApplicationPath; if (!appPath.EndsWith("/")) appPath += "/"; signInMsg.Reply = new Uri(Request.Url, appPath).AbsoluteUri; var response = FederatedPassiveSecurityTokenServiceOperations.ProcessSignInRequest(signInMsg, user, sts); var body = response.WriteFormPost(); return Html(body); }
private ActionResult ProcessWSFederationSignIn(SignInRequestMessage message, IPrincipal principal) { // issue token and create ws-fed response var response = FederatedPassiveSecurityTokenServiceOperations.ProcessSignInRequest( message, principal, TokenServiceConfiguration.Current.CreateSecurityTokenService()); // set cookie for single-sign-out new SignInSessionsManager(HttpContext, ConfigurationRepository.Configuration.MaximumTokenLifetime) .AddRealm(response.BaseUri.AbsoluteUri); return new WSFederationResult(response); }
private ActionResult ProcessWSFederationSignIn(SignInRequestMessage message, ClaimsPrincipal principal) { // issue token and create ws-fed response var response = FederatedPassiveSecurityTokenServiceOperations.ProcessSignInRequest( message, principal as ClaimsPrincipal, TokenServiceConfiguration.Current.CreateSecurityTokenService()); // set cookie for single-sign-out new SignInSessionsManager(HttpContext, _cookieName, ConfigurationRepository.Global.MaximumTokenLifetime) .AddEndpoint(response.BaseUri.AbsoluteUri); return new WSFederationResult(response, requireSsl: ConfigurationRepository.WSFederation.RequireSslForReplyTo); }
private static void AuthenticateUser(AuthorizationContext context) { var returnUrl = GetReturnUrl(context.RequestContext); // user is not authenticated and it's entering for the first time var fam = FederatedAuthentication.WSFederationAuthenticationModule; var signIn = new SignInRequestMessage(new Uri(fam.Issuer), fam.Realm) { Context = returnUrl.ToString(), Reply = returnUrl.ToString() }; context.Result = new RedirectResult(signIn.WriteQueryString()); }
public string GetResponseHtml(IDictionary<string, string> parameters, Uri signinUri) { string code = parameters["code"]; // Exchange the Request Token for an Access Token string appId = _settings.VkApplicationId; string appSecret = _settings.VkApplicationSecret; string scheme = parameters["SERVER_PORT_SECURE"] == "1" ? "https" : "http"; var callbackUri = new UriBuilder(string.Format("{0}://{1}", scheme, parameters["HTTP_HOST"])) { Path = parameters["URL"], Query = string.Format("context={0}", parameters["context"]) }; var service = new VkClient(appId, appSecret); dynamic accessToken = service.GetAccessToken(code, callbackUri.ToString()); dynamic token = accessToken.access_token; service.AuthenticateWith(token.ToString()); // Claims dynamic result = service.Get("users.get", new { fields = "screen_name" }); dynamic user = result.response[0]; string acsNamespace = _settings.AcsNamespace; string wtRealm = string.Format(WtRealm, acsNamespace); string wReply = string.Format(WReply, acsNamespace); var requestMessage = new SignInRequestMessage(signinUri, wtRealm, wReply); // Add extracted claims var identity = new ClaimsIdentity(AuthenticationTypes.Federation); identity.AddClaim(new Claim(ClaimTypes.Name, string.Format("{0} {1}", user.first_name, user.last_name))); identity.AddClaim(new Claim(ClaimTypes.NameIdentifier, user.uid.ToString())); identity.AddClaim(new Claim(VkClaims.VkToken, token.ToString())); var principal = new ClaimsPrincipal(identity); SignInResponseMessage responseMessage = FederatedPassiveSecurityTokenServiceOperations.ProcessSignInRequest(requestMessage, principal, this); responseMessage.Context = parameters["context"]; return responseMessage.WriteFormPost(); }
protected override WSFederationMessage BuildSignInMessage(AuthorizationContext context, Uri replyUrl) { var tenant = (context.Controller as TenantController).Tenant; var fam = FederatedAuthentication.WSFederationAuthenticationModule; var signIn = new SignInRequestMessage(new Uri(fam.Issuer), fam.Realm) { Context = AuthenticateAndAuthorizeRoleAttribute.GetReturnUrl(context.RequestContext, RequestAppendAttribute.RawUrl, null).ToString(), HomeRealm = SubscriptionKind.Premium.Equals(tenant.SubscriptionKind) ? tenant.IssuerIdentifier ?? Tailspin.Federation.HomeRealm + "/" + (context.Controller as TenantController).Tenant.Name : Tailspin.Federation.HomeRealm + "/" + (context.Controller as TenantController).Tenant.Name, Reply = replyUrl.ToString() }; return signIn; }
private ActionResult ProcessSignIn(SignInRequestMessage signInMsg, ClaimsPrincipal user) { var config = new EmbeddedTokenServiceConfiguration(); var sts = config.CreateSecurityTokenService(); var appPath = Request.ApplicationPath; if (!appPath.EndsWith("/")) appPath += "/"; // when the reply querystringparameter has been specified, don't overrule it. if(String.IsNullOrEmpty(signInMsg.Reply)) signInMsg.Reply = new Uri(Request.Url, appPath).AbsoluteUri; var response = FederatedPassiveSecurityTokenServiceOperations.ProcessSignInRequest(signInMsg, user, sts); var body = response.WriteFormPost(); return Html(body); }
public static void LogOn(string issuer = null, string realm = null, string homeRealm = null) { WSFederationAuthenticationModule fam = FederatedAuthentication.WSFederationAuthenticationModule; var signInRequest = new SignInRequestMessage(new Uri(issuer ?? fam.Issuer), realm ?? fam.Realm) { AuthenticationType = fam.AuthenticationType, Context = GetReturnUrl(), Freshness = fam.Freshness, HomeRealm = homeRealm ?? fam.HomeRealm, Reply = fam.Reply }; HttpContext.Current.Response.Redirect(signInRequest.WriteQueryString(), false); HttpContext.Current.ApplicationInstance.CompleteRequest(); }
private async Task<IHttpActionResult> ProcessSignInAsync(SignInRequestMessage msg) { var result = await _validator.ValidateAsync(msg, User as ClaimsPrincipal); if (result.IsSignInRequired) { return RedirectToLogin(_settings); } if (result.IsError) { return BadRequest(result.Error); } var responseMessage = await _signInResponseGenerator.GenerateResponseAsync(result); await _cookies.AddValueAsync(result.ReplyUrl); return new SignInResult(responseMessage); }
public string GetResponseHtml(IDictionary<string, string> parameters, Uri signinUri) { var requestToken = new OAuthRequestToken { Token = parameters["oauth_token"] }; // Exchange the Request Token for an Access Token string consumerKey = _settings.TwitterConsumerKey; string consumerSecret = _settings.TwitterConsumerSecret; var service = new TwitterService(consumerKey, consumerSecret); OAuthAccessToken accessToken = service.GetAccessToken(requestToken, parameters["oauth_verifier"]); service.AuthenticateWith(accessToken.Token, accessToken.TokenSecret); TwitterUser user = service.GetUserProfile(new GetUserProfileOptions()); // Claims string name = user != null ? user.Name : accessToken.ScreenName; string nameIdentifier = string.Format(TwitterAccountPage, accessToken.UserId); string token = accessToken.Token; string tokenSecret = accessToken.TokenSecret; string acsNamespace = _settings.AcsNamespace; string wtRealm = string.Format(WtRealm, acsNamespace); string wReply = string.Format(WReply, acsNamespace); var requestMessage = new SignInRequestMessage(signinUri, wtRealm, wReply); // Add extracted claims var identity = new ClaimsIdentity(AuthenticationTypes.Federation); identity.AddClaim(new Claim(ClaimTypes.Name, name)); identity.AddClaim(new Claim(ClaimTypes.NameIdentifier, nameIdentifier)); identity.AddClaim(new Claim(TwitterClaims.TwitterToken, token)); identity.AddClaim(new Claim(TwitterClaims.TwitterTokenSecret, tokenSecret)); var principal = new ClaimsPrincipal(identity); SignInResponseMessage responseMessage = FederatedPassiveSecurityTokenServiceOperations.ProcessSignInRequest(requestMessage, principal, this); responseMessage.Context = parameters["context"]; return responseMessage.WriteFormPost(); }
public async Task<SignInResponseMessage> GenerateAsync(SignInRequestMessage request, WindowsPrincipal windowsPrincipal) { Logger.Info("Creating WS-Federation signin response"); // create subject var outgoingSubject = SubjectGenerator.Create(windowsPrincipal, _options); // call custom claims tranformation logic var context = new CustomClaimsProviderContext { WindowsPrincipal = windowsPrincipal, OutgoingSubject = outgoingSubject }; await _options.CustomClaimsProvider.TransformAsync(context); // create token for user var token = CreateSecurityToken(context.OutgoingSubject); // return response var rstr = new RequestSecurityTokenResponse { AppliesTo = new EndpointReference(_options.IdpRealm), Context = request.Context, ReplyTo = _options.IdpReplyUrl, RequestedSecurityToken = new RequestedSecurityToken(token) }; var serializer = new WSFederationSerializer( new WSTrust13RequestSerializer(), new WSTrust13ResponseSerializer()); var mgr = SecurityTokenHandlerCollectionManager.CreateEmptySecurityTokenHandlerCollectionManager(); mgr[SecurityTokenHandlerCollectionManager.Usage.Default] = CreateSupportedSecurityTokenHandler(); var responseMessage = new SignInResponseMessage( new Uri(_options.IdpReplyUrl), rstr, serializer, new WSTrustSerializationContext(mgr)); return responseMessage; }
public async Task<SignInValidationResult> ValidateAsync(SignInRequestMessage message, ClaimsPrincipal subject) { Logger.Info("Validating WS-Federation signin request"); var result = new SignInValidationResult(); if (message.HomeRealm.IsPresent()) { Logger.Info("Setting home realm to: " + message.HomeRealm); result.HomeRealm = message.HomeRealm; } // todo: wfresh handling? if (!subject.Identity.IsAuthenticated) { result.IsSignInRequired = true; return result; }; var rp = await _relyingParties.GetByRealmAsync(message.Realm); if (rp == null || rp.Enabled == false) { Logger.Error("Relying party not found: " + rp.Realm); return new SignInValidationResult { IsError = true, Error = "invalid_relying_party" }; } Logger.InfoFormat("Relying party registration found: {0} / {1}", rp.Realm, rp.Name); result.ReplyUrl = rp.ReplyUrl; Logger.InfoFormat("Reply URL set to: " + result.ReplyUrl); result.RelyingParty = rp; result.SignInRequestMessage = message; result.Subject = subject; return result; }
private SignInResponseMessage CreateSigninReponseMessage(SignInRequestMessage signInRequestMessage) { //get from config... const string SamlTwoTokenType = "urn:oasis:names:tc:SAML:2.0:assertion"; const bool RequireSsl = false; var allowedRpAudiences = GetAuthorisedAudiencesWeCanIssueTokensTo(); var samlTokenSigningCertificate = GetSamlTokenSigningCertificate(); var stsConfiguration = configurationFactory.Create(SamlTwoTokenType, InfrastructureConstants.StsTokenProviderUrl, samlTokenSigningCertificate, allowedRpAudiences); var tokenService = stsConfiguration.CreateSecurityTokenService(); var signInResponseMessage = FederatedPassiveSecurityTokenServiceOperations.ProcessSignInRequest(signInRequestMessage, ClaimsPrincipal.Current, tokenService); this.realmTracker.AddNewRealm(signInRequestMessage.Realm); //sanity check ValidateRequestIsSsl(RequireSsl, signInRequestMessage); return signInResponseMessage; }
/// <summary> /// Process Saml2 sigin Request /// </summary> /// <param name="ip"></param> /// <param name="request"></param> /// <returns></returns> private ActionResult ProcessSaml2SignIn(IdentityProvider ip, SignInRequestMessage request) { if (ip.Enabled) { var saml2ProtocolSerializer = new Saml2ProtocolSerializer(); var protocolBinding = ProtocolBindings.HttpRedirect; HttpBindingSerializer httpBindingSerializer = new HttpRedirectBindingSerializer(saml2ProtocolSerializer); var authenticationRequest = new AuthenticationRequest { Issuer = new Microsoft.IdentityModel.Tokens.Saml2.Saml2NameIdentifier(request.Realm.TrimEnd('/'), new Uri(ip.WSFederationEndpoint)), Destination = new Uri(ip.WSFederationEndpoint) }; //Provide Service provider default signin home page - hardcoded for testing purpose var messageContainer = new MessageContainer(authenticationRequest, new ProtocolEndpoint(protocolBinding, new Uri(ip.WSFederationEndpoint + "/signon.ashx"))); var httpMessage = httpBindingSerializer.Serialize(messageContainer); httpBindingSerializer.WriteHttpMessage(new HttpResponseWrapper(System.Web.HttpContext.Current.Response), httpMessage); ControllerContext.HttpContext.ApplicationInstance.CompleteRequest(); } return View("Error"); }
private ActionResult ProcessSignInRequest(SignInRequestMessage message) { if (!string.IsNullOrWhiteSpace(message.HomeRealm)) { return RedirectToIdentityProvider(message); } else { return ShowHomeRealmSelection(); } //// issue token and create ws-fed response //var response = FederatedPassiveSecurityTokenServiceOperations.ProcessSignInRequest( // message, // principal as ClaimsPrincipal, // TokenServiceConfiguration.Current.CreateSecurityTokenService()); //// set cookie for single-sign-out //new SignInSessionsManager(HttpContext, ConfigurationRepository.Configuration.MaximumTokenLifetime) // .AddRealm(response.BaseUri.AbsoluteUri); //return new WSFederationResult(response); }
public async Task <IHttpActionResult> Login(string relyingPartyName) { if (string.IsNullOrWhiteSpace(relyingPartyName)) { return(BadRequest("No relying party id provided")); } string action; NameValueCollection content = null; NameValueCollection qs = Request.RequestUri.ParseQueryString(); action = qs.Get(WSFederationConstants.Parameters.Action); if (string.IsNullOrWhiteSpace(action)) { content = await Request.Content.ReadAsFormDataAsync(); action = content.Get(WSFederationConstants.Parameters.Action); } if (action == WSFederationConstants.Actions.SignIn) { IRelyingParty rp = STSConfiguration <RelyingParty> .Current.RelyingParties.FindByName(relyingPartyName); if (this.User != null && this.User.Identity.IsAuthenticated) { if (content == null) { content = await Request.Content.ReadAsFormDataAsync(); } WSFederationMessage responseMessageFromIssuer = WSFederationMessage.CreateFromNameValueCollection(Request.RequestUri, content); var contextId = responseMessageFromIssuer.Context; var ctxCookie = System.Web.HttpContext.Current.Request.Cookies[contextId]; if (ctxCookie == null) { throw new InvalidOperationException("Context cookie not found"); } var originalRequestUri = new Uri(ctxCookie.Value); HttpCookie cookie = DeleteContextCookie(contextId); System.Web.HttpContext.Current.Response.Cookies.Add(cookie); var requestMessage = (SignInRequestMessage)WSFederationMessage.CreateFromUri(originalRequestUri); var sts = new SimpleSts(rp.GetStsConfiguration()); SignInResponseMessage rm = FederatedPassiveSecurityTokenServiceOperations.ProcessSignInRequest(requestMessage, User as ClaimsPrincipal, sts); //WSTrustSerializationContext context = new WSTrustSerializationContext(FederatedAuthentication.FederationConfiguration.IdentityConfiguration.SecurityTokenHandlerCollectionManager); //WSFederationSerializer fedSer = new WSFederationSerializer(); //RequestSecurityTokenResponse token = fedSer.CreateResponse(rm, context); //token.RequestedSecurityToken.SecurityToken. FederatedPassiveSecurityTokenServiceOperations.ProcessSignInResponse(rm, System.Web.HttpContext.Current.Response); return(StatusCode(HttpStatusCode.NoContent)); } else { var contextId = Guid.NewGuid().ToString(); HttpCookie cookie = CreateContextCookie(contextId, HttpUtility.UrlDecode(this.Request.RequestUri.AbsoluteUri)); System.Web.HttpContext.Current.Response.Cookies.Add(cookie); var message = new SignInRequestMessage(new Uri(rp.AuthenticationUrl), FederatedAuthentication.WSFederationAuthenticationModule.Realm) { CurrentTime = DateTime.UtcNow.ToString("s", CultureInfo.InvariantCulture) + "Z", HomeRealm = rp.Realm, Context = contextId, Reply = Url.Link("Login", new { relyingPartyName = relyingPartyName }) }; message.Parameters.Add(new KeyValuePair <string, string>("originalRequest", Request.RequestUri.ToString())); return(Redirect(message.RequestUrl)); } } else { return(BadRequest(String.Format( CultureInfo.InvariantCulture, "The action '{0}' (Request.QueryString['{1}']) is unexpected. Expected actions are: '{2}' or '{3}'.", String.IsNullOrEmpty(action) ? "<EMPTY>" : action, WSFederationConstants.Parameters.Action, WSFederationConstants.Actions.SignIn, WSFederationConstants.Actions.SignOut))); } }
private async Task<IHttpActionResult> ProcessSignInAsync(SignInRequestMessage request, WindowsPrincipal windowsUser) { var generator = new SignInResponseGenerator(_options); var response = await generator.GenerateAsync(request, windowsUser); return new SignInResult(response); }
private async Task<IHttpActionResult> ProcessSignInAsync(SignInRequestMessage msg) { var result = await _validator.ValidateAsync(msg, User as ClaimsPrincipal); if (result.IsSignInRequired) { Logger.Info("Redirecting to login page"); return RedirectToLogin(result); } if (result.IsError) { Logger.Error(result.Error); return BadRequest(result.Error); } var responseMessage = await _signInResponseGenerator.GenerateResponseAsync(result); await _cookies.AddValueAsync(WsFederationPluginOptions.CookieName, result.ReplyUrl); return new SignInResult(responseMessage); }
public async Task <SignInValidationResult> ValidateAsync(SignInRequestMessage message, ClaimsPrincipal subject) { Logger.Info("Start WS-Federation signin request validation"); var result = new SignInValidationResult(); // parse whr if (!String.IsNullOrWhiteSpace(message.HomeRealm)) { result.HomeRealm = message.HomeRealm; } // parse wfed if (!String.IsNullOrWhiteSpace(message.Federation)) { result.Federation = message.Federation; } if (!String.IsNullOrWhiteSpace(message.GetParameter("login_hint"))) { result.LoginHint = message.GetParameter("login_hint"); } if (!subject.Identity.IsAuthenticated) { result.IsSignInRequired = true; return(result); } // check realm var rp = await _relyingParties.GetByRealmAsync(message.Realm); if (rp == null || rp.Enabled == false) { LogError("Relying party not found: " + message.Realm, result); return(new SignInValidationResult { IsError = true, Error = "invalid_relying_party" }); } result.ReplyUrl = rp.ReplyUrl; result.RelyingParty = rp; result.SignInRequestMessage = message; result.Subject = subject; var customResult = await _customValidator.ValidateSignInRequestAsync(result); if (customResult.IsError) { LogError("Error in custom validation: " + customResult.Error, result); return(new SignInValidationResult { IsError = true, Error = customResult.Error, ErrorMessage = customResult.ErrorMessage, }); } LogSuccess(result); return(result); }
private ActionResult ProcessHomeRealmFromCookieValue(SignInRequestMessage message, string pastHRDSelection) { message.HomeRealm = pastHRDSelection; return(ProcessSignInRequest(message)); }
public async Task <SignInValidationResult> ValidateAsync(SignInRequestMessage message, ClaimsPrincipal user) { //Logger.Info("Start WS-Federation signin request validation"); var result = new SignInValidationResult { SignInRequestMessage = message }; // check client var client = await _clients.FindEnabledClientByIdAsync(message.Realm); if (client == null) { LogError("Client not found: " + message.Realm, result); return(new SignInValidationResult { Error = "invalid_relying_party" }); } if (client.ProtocolType != IdentityServerConstants.ProtocolTypes.WsFederation) { LogError("Client is not configured for WS-Federation", result); return(new SignInValidationResult { Error = "invalid_relying_party" }); } result.Client = client; result.ReplyUrl = client.RedirectUris.First(); // check if additional relying party settings exist var rp = await _relyingParties.FindRelyingPartyByRealm(message.Realm); if (rp == null) { rp = new RelyingParty { TokenType = _options.DefaultTokenType, SignatureAlgorithm = _options.DefaultSignatureAlgorithm, DigestAlgorithm = _options.DefaultDigestAlgorithm, SamlNameIdentifierFormat = _options.DefaultSamlNameIdentifierFormat, ClaimMapping = _options.DefaultClaimMapping }; } result.RelyingParty = rp; if (user == null || user.Identity.IsAuthenticated == false) { result.SignInRequired = true; } result.User = user; LogSuccess(result); return(result); }
/// <summary> /// This method validates the Sign in request /// </summary> /// <param name="requestAbsoluteUri">the url of the request</param> /// <param name="message">the sign in request message</param> /// <param name="subject">The sign in subject</param> /// <returns>The validation result</returns> public async Task <SignInValidationResult> ValidateAsync(string requestAbsoluteUri, SignInRequestMessage message, ClaimsPrincipal subject) { Logger.Info("Start SiteFinity signin request validation"); var result = new SignInValidationResult(); if (!String.IsNullOrWhiteSpace(message.Realm)) { result.Realm = message.Realm; } if (message.SignOut) { if (!subject.Identity.IsAuthenticated) { LogError("Signout requested for user not signed in.", result); return(new SignInValidationResult { IsError = true, Error = "signout_requested_when_not_signedin" }); } return(new SignInValidationResult { IsSignout = true, }); } if (!subject.Identity.IsAuthenticated) { result.IsSignInRequired = true; return(result); } var rp = await _siteFinityRelyingPartyService.GetByRealmAsync(message.Realm); if (rp == null || rp.Enabled == false) { LogError("SiteFinity Relying party not found: " + message.Realm, result); return(new SignInValidationResult { IsError = true, Error = "invalid_sitefinity_relying_party" }); } if (string.IsNullOrWhiteSpace(message.RedirectUri)) { if (!string.IsNullOrWhiteSpace(rp.ReplyUrl)) { result.ReplyUrl = rp.ReplyUrl; } else { LogError("Reply url is defined or provided for : " + message.Realm, result); return(new SignInValidationResult { IsError = true, Error = "missing_replyUrl" }); } } else { result.ReplyUrl = message.RedirectUri; } result.Issuer = GetIssuerFromRequestUri(requestAbsoluteUri); result.SiteFinityRelyingParty = rp; result.SignInRequestMessage = message; result.Subject = subject; LogSuccess(result); return(result); }
public string Issue(string relayingPartyName, string realm, string userName, string userId) { if (string.IsNullOrWhiteSpace(relayingPartyName)) { throw new ArgumentNullException("relayingPartyName"); } if (string.IsNullOrWhiteSpace(realm)) { throw new ArgumentNullException("realm"); } if (string.IsNullOrWhiteSpace(userName)) { throw new ArgumentNullException("userName"); } if (string.IsNullOrWhiteSpace(userId)) { throw new ArgumentNullException("userId"); } ClaimsPrincipal principal = new ClaimsPrincipal(new ClaimsIdentity(new List <Claim> { new Claim(ClaimTypes.Name, userName), new Claim(ClaimTypes.Sid, userId) })); // Signin message for cross service -> issuer realm == home realm == issuer url SignInRequestMessage signInRequestMessage = new SignInRequestMessage(new Uri(realm), realm) { CurrentTime = DateTime.UtcNow.ToString("s", CultureInfo.InvariantCulture) + "Z", HomeRealm = realm }; IRelyingParty rp = STSConfiguration <RelyingParty> .Current.RelyingParties.FindByName(relayingPartyName); if (rp == null) { throw new ConfigurationErrorsException(string.Format("Relying party with name {0} was not found", relayingPartyName)); } if (FederatedAuthentication.WSFederationAuthenticationModule == null) { throw new ConfigurationErrorsException("WSFederationAuthenticationModule was not found"); } var sts = new SimpleSts(rp.GetStsConfiguration()); SignInResponseMessage signInResponseMessage = FederatedPassiveSecurityTokenServiceOperations.ProcessSignInRequest(signInRequestMessage, principal, sts); string tokenXml = signInResponseMessage.Result; XmlDocument xml = new XmlDocument(); xml.LoadXml(tokenXml); string xmlSecurityToken = xml.DocumentElement.GetElementsByTagName("trust:RequestedSecurityToken").Item(0).InnerXml; // <Assertion> //WSFederationSerializer ser = new WSFederationSerializer(); //GenericXmlSecurityToken xmlt = new GenericXmlSecurityToken() //string xmlSecurityToken = FederatedAuthentication.WSFederationAuthenticationModule.GetXmlTokenFromMessage(signInResponseMessage); var xmlSecurityTokenBase64Encoded = Convert.ToBase64String(Encoding.UTF8.GetBytes(xmlSecurityToken)); return(xmlSecurityTokenBase64Encoded); }
void WSFederationAuthenticationModule_RedirectingToIdentityProvider(object sender, RedirectingToIdentityProviderEventArgs e) { SignInRequestMessage signInRequestMessage = e.SignInRequestMessage; }
private ActionResult RedirectToWSFedIdentityProvider(IdentityProvider identityProvider, SignInRequestMessage request) { var message = new SignInRequestMessage(new Uri(identityProvider.WSFederationEndpoint), ConfigurationRepository.Global.IssuerUri); SetContextCookie(request.Context, request.Realm, identityProvider.WSFederationEndpoint); return(new RedirectResult(message.WriteQueryString())); }
public async Task <ActionResult> Login(LoginModel login) { if (login.UserName.IndexOf('@') < 0) { //incorrect format Session["Error"] = @"Enter your user ID in the format ""domain\user"" or ""user @domain"". "; return(RedirectToAction("Index", new { Request.Url.Query })); } string domain = login.UserName.Split('@')[1]; InitSTS(domain); ValidationResponse user; try { //validate identity user = await LoginValidate.ValidateAsync(login, HttpRuntime.Cache); if (!user.IsValid) { Session["Error"] = "Incorrect user ID or password. Type the correct user ID and password, and try again."; return(RedirectToAction("Index", new { Request.Url.Query })); } } catch (Exception ex) { Common.Utils.AddLogEntry("Error during user authentication", System.Diagnostics.EventLogEntryType.Error, 0, ex); Session["Error"] = string.Format("An error occured during authentication ({0})", ex.Message); return(RedirectToAction("Index", new { Request.Url.Query })); } //identity validated string fullRequest = String.Format("{0}{1}{2}?{3}", Settings.HttpLocalhost, Settings.Port, Settings.WSFedStsIssue, Request.Url.Query ); //todo: var immutableId = user.UserProperties.MasterGuid; //var immutableId = user.UserProperties.LocalGuid; SignInRequestMessage requestMessage = (SignInRequestMessage)WSFederationMessage.CreateFromUri(new Uri(fullRequest)); //todo: requestMessage.Reply = string.Format("https://login.microsoftonline.com:443/login.srf?client-request-id={0}", Request.QueryString["client-request-id"]); ClaimsIdentity identity = new ClaimsIdentity(AuthenticationTypes.Federation); identity.AddClaim(new Claim("http://schemas.microsoft.com/LiveID/Federation/2008/05/ImmutableID", immutableId)); identity.AddClaim(new Claim("http://schemas.xmlsoap.org/claims/UPN", user.UserProperties.Upn)); //TODO: verify the source of this flag in ADFS //identity.AddClaim(new Claim("http://schemas.microsoft.com/ws/2012/01/insidecorporatenetwork", "true", typeof(bool).ToString())); ClaimsPrincipal principal = new ClaimsPrincipal(identity); SignInResponseMessage responseMessage = FederatedPassiveSecurityTokenServiceOperations.ProcessSignInRequest(requestMessage, principal, this.securityTokenService); MemoryStream stream = new MemoryStream(); StreamWriter writer = new StreamWriter(stream, Encoding.UTF8); responseMessage.Write(writer); writer.Flush(); stream.Position = 0; var res = new ContentResult() { ContentType = "text/html", ContentEncoding = Encoding.UTF8, Content = Encoding.UTF8.GetString(stream.ToArray()) }; return(res); }