        /// <summary>
        /// Rewrites the authorization policies of an issued SecurityContextSecurityToken so that:
        /// 1. the layers above can reach the bootstrap tokens;
        /// 2. a ClaimsPrincipal is present inside the SCT authorization policies, so a custom principal can be
        ///    created and set (the principal permission mode is custom);
        /// 3. the SCT's IAuthorizationPolicy collection is replaced by IDFx policies, so an SCT cookie and a
        ///    cached SCT are treated the same further up the stack.
        ///
        /// Called AFTER the final SCT has been created and the bootstrap tokens are available; it is not called
        /// during the SP/TLS negotiation bootstrap.
        /// </summary>
        /// <param name="sct">The issued security context token whose AuthorizationPolicies are replaced in place.</param>
        internal void SetPrincipalBootstrapTokensAndBindIdfxAuthPolicy(SecurityContextSecurityToken sct)
        {
            if (sct == null)
            {
                throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("sct");
            }

            var existingPolicies = sct.AuthorizationPolicies;
            bool hasPolicies = (existingPolicies != null) && (existingPolicies.Count > 0);

            // The SCT is cached before OnTokenIssued runs, so for a session SCT the policies may already have
            // been rewritten by an earlier call; an EndpointAuthorizationPolicy in the collection marks that case.
            if (hasPolicies && ContainsEndpointAuthPolicy(existingPolicies))
            {
                return;
            }

            List<IAuthorizationPolicy> replacementPolicies = new List<IAuthorizationPolicy>();

            // A nego SCT carries only a cookie and no policies; in that case only the
            // EndpointAuthorizationPolicy is attached.
            if (hasPolicies)
            {
                // Replace the WCF policies with an IDFx AuthorizationPolicy; the WCF runtime later uses its
                // principal to set the custom principal.
                AuthorizationPolicy idfxPolicy = IdentityModelServiceAuthorizationManager.TransformAuthorizationPolicies(
                    existingPolicies,
                    _securityTokenHandlerCollection,
                    false);
                replacementPolicies.Add(idfxPolicy);

                // Preserve the WCF primary identity claim in an SctAuthorizationPolicy. IDFx eventually discards
                // the WCF unconditional policy, and without this claim a token renewal fails because WCF sees
                // different identities on the issued and the renewed token.
                SysClaim primaryIdentity = GetPrimaryIdentityClaim(
                    SystemAuthorizationContext.CreateDefaultAuthorizationContext(existingPolicies));
                replacementPolicies.Add(new SctAuthorizationPolicy(primaryIdentity));
            }

            replacementPolicies.Add(new EndpointAuthorizationPolicy(_endpointId));
            sct.AuthorizationPolicies = replacementPolicies.AsReadOnly();
        }
        /// <summary>
        /// Maps a WCF claim whose Resource is a plain string onto the (type, value) pair of a
        /// System.Security.Claims.Claim. A SID claim is renamed to PrimarySid when its right is Identity and to
        /// GroupSid otherwise; every other claim type is passed through unchanged.
        /// </summary>
        /// <param name="claim">WCF claim whose Resource is a string (the caller checks this before calling).</param>
        /// <param name="claimType">Receives the resulting claim type.</param>
        /// <param name="claimValue">Receives the string resource as the claim value.</param>
        static void AssignClaimFromStringResourceSysClaim(System.IdentityModel.Claims.Claim claim, out string claimType, out string claimValue)
        {
            claimValue = (string)claim.Resource;

            bool isSidClaim = StringComparer.Ordinal.Equals(claim.ClaimType, ClaimTypes.Sid);
            if (!isSidClaim)
            {
                claimType = claim.ClaimType;
                return;
            }

            // Identity-right SID claims become the primary SID; any other right is treated as a group SID.
            claimType = (claim.Right == System.IdentityModel.Claims.Rights.Identity)
                ? ClaimTypes.PrimarySid
                : ClaimTypes.GroupSid;
        }
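        /// <summary>
        /// Converts a WCF System.IdentityModel.Claims.Claim into a System.Security.Claims.Claim.
        /// String resources are mapped by AssignClaimFromStringResourceSysClaim; typed resources (SID, mail
        /// address, byte[] thumbprint/hash, SAML name identifier, X500 name, URI, RSA key) by AssignClaimFromSysClaim.
        /// </summary>
        /// <param name="wcfClaim">The WCF claim to convert.</param>
        /// <param name="issuer">Issuer for the new claim; null or empty selects ClaimsIdentity.DefaultIssuer.
        /// The value as passed (before defaulting) is used as the original issuer.</param>
        /// <returns>The converted claim; its Properties always carry the SAML name identifier format and
        /// name qualifier entries, with null values when the claim is not a SAML name identifier.</returns>
        /// <exception cref="ArgumentNullException"><paramref name="wcfClaim"/> is null.</exception>
        /// <exception cref="InvalidOperationException">The claim has no resource, or the resource could not be
        /// mapped to a string value (unsupported claim type / resource type combination).</exception>
        public static System.Security.Claims.Claim CreateClaimFromWcfClaim(System.IdentityModel.Claims.Claim wcfClaim, string issuer)
        {
            if (wcfClaim == null)
            {
                // The parameter name must match the signature so the exception points at the right argument.
                throw new ArgumentNullException("wcfClaim");
            }

            if (wcfClaim.Resource == null)
            {
                throw new InvalidOperationException("The WCF claim has no resource to convert.");
            }

            // The original issuer records what the caller passed, even when the issuer itself is defaulted below.
            string originalIssuer = issuer;
            if (string.IsNullOrEmpty(issuer))
            {
                issuer = ClaimsIdentity.DefaultIssuer;
            }

            string claimType;
            string value;
            string valueType = ClaimValueTypes.String;
            string samlNameIdentifierFormat = null;
            string samlNameIdentifierNameQualifier = null;

            if (wcfClaim.Resource is string)
            {
                AssignClaimFromStringResourceSysClaim(wcfClaim, out claimType, out value);
            }
            else
            {
                AssignClaimFromSysClaim(wcfClaim, out claimType, out value, out valueType, out samlNameIdentifierFormat, out samlNameIdentifierNameQualifier);
            }

            if (value == null)
            {
                throw new InvalidOperationException("The WCF claim resource could not be mapped to a claim value.");
            }

            System.Security.Claims.Claim newClaim = new System.Security.Claims.Claim(claimType, value, valueType, issuer, originalIssuer);

            // Both SAML entries are written unconditionally (possibly with a null value) so readers can rely on the keys being present.
            newClaim.Properties[ClaimProperties.SamlNameIdentifierFormat]        = samlNameIdentifierFormat;
            newClaim.Properties[ClaimProperties.SamlNameIdentifierNameQualifier] = samlNameIdentifierNameQualifier;
            return newClaim;
        }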
 /// <summary>
 /// Creates a UPN endpoint identity from a WCF identity claim. The body is empty in this listing, so the
 /// claim is neither stored nor validated here (presumably a contract/reference stub — confirm against the real source).
 /// </summary>
 /// <param name="identity">The WCF claim naming the endpoint.</param>
 public UpnEndpointIdentity(System.IdentityModel.Claims.Claim identity) { }
        /// <summary>
        /// Creates an EndpointIdentity for the given WCF claim. As shown here this is a Code Contracts stub:
        /// it declares a non-null postcondition but returns the default (null) reference, so callers should not
        /// rely on this body (presumably the real implementation lives elsewhere — confirm).
        /// </summary>
        /// <param name="identity">The WCF claim describing the endpoint.</param>
        /// <returns>Declared non-null by contract; this body returns null.</returns>
        public static System.ServiceModel.EndpointIdentity CreateIdentity(System.IdentityModel.Claims.Claim identity)
        {
            Contract.Ensures(Contract.Result<System.ServiceModel.EndpointIdentity>() != null);

            System.ServiceModel.EndpointIdentity result = null;
            return result;
        }
 /// <summary>
 /// Initializes the identity from a claim and a claim comparer. The body is empty in this listing
 /// (presumably a contract/reference stub — confirm against the real source).
 /// </summary>
 /// <param name="identityClaim">The WCF identity claim.</param>
 /// <param name="claimComparer">Comparer used to match identity claims.</param>
 protected void Initialize(System.IdentityModel.Claims.Claim identityClaim, IEqualityComparer<System.IdentityModel.Claims.Claim> claimComparer) { }
 /// <summary>
 /// Initializes the identity from a claim using the default comparison. The body is empty in this listing
 /// (presumably a contract/reference stub — confirm against the real source).
 /// </summary>
 /// <param name="identityClaim">The WCF identity claim.</param>
 protected void Initialize(System.IdentityModel.Claims.Claim identityClaim) { }
 /// <summary>
 /// Converts a WCF claim with no explicit issuer; equivalent to calling the two-argument overload with a
 /// null issuer, which selects ClaimsIdentity.DefaultIssuer.
 /// </summary>
 /// <param name="wcfClaim">The WCF claim to convert.</param>
 /// <returns>The converted System.Security.Claims.Claim.</returns>
 public static System.Security.Claims.Claim CreateClaimFromWcfClaim(System.IdentityModel.Claims.Claim wcfClaim)
 {
     string noIssuer = null;
     return CreateClaimFromWcfClaim(wcfClaim, noIssuer);
 }
        /// <summary>
        /// Maps a WCF claim whose Resource is a typed object onto the type, value and value type of a
        /// System.Security.Claims.Claim. Only the claim type / resource type pairs handled below are recognised;
        /// for any other combination every output stays null, and the caller (CreateClaimFromWcfClaim) then
        /// rejects the claim.
        /// </summary>
        /// <param name="claim">WCF claim to map.</param>
        /// <param name="_type">Resulting claim type. SID claims become PrimarySid (Identity right) or GroupSid; all others keep the WCF claim type.</param>
        /// <param name="_value">Resulting string value; byte[] resources are Base64 encoded, RSA keys are exported via ToXmlString(false).</param>
        /// <param name="_valueType">Resulting value type (Base64Binary, X500Name or RsaKeyValue), or null when no specific value type is assigned.</param>
        /// <param name="samlNameIdentifierFormat">SAML name identifier format, set only for NameIdentifier claims that carry one.</param>
        /// <param name="samlNameIdentifierNameQualifier">SAML name qualifier, set only for NameIdentifier claims that carry one.</param>
        static void AssignClaimFromSysClaim(System.IdentityModel.Claims.Claim claim, out string _type, out string _value, out string _valueType, out string samlNameIdentifierFormat, out string samlNameIdentifierNameQualifier)
        {
            _type      = null;
            _value     = null;
            _valueType = null;
            samlNameIdentifierFormat        = null;
            samlNameIdentifierNameQualifier = null;

            string wcfType  = claim.ClaimType;
            object resource = claim.Resource;
            StringComparer ordinal = StringComparer.Ordinal;

            // Each branch requires BOTH the expected claim type and the expected resource type;
            // a mismatch on either leaves the outputs null.
            SecurityIdentifier sid              = resource as SecurityIdentifier;
            MailAddress mail                    = resource as MailAddress;
            byte[] bytes                        = resource as byte[];
            SamlNameIdentifierClaimResource nameId = resource as SamlNameIdentifierClaimResource;
            X500DistinguishedName dn            = resource as X500DistinguishedName;
            Uri uri                             = resource as Uri;
            RSA rsa                             = resource as RSA;

            if (ordinal.Equals(wcfType, ClaimTypes.Sid) && sid != null)
            {
                _type  = (claim.Right == System.IdentityModel.Claims.Rights.Identity) ? ClaimTypes.PrimarySid : ClaimTypes.GroupSid;
                _value = sid.Value;
            }
            else if (ordinal.Equals(wcfType, ClaimTypes.Email) && mail != null)
            {
                _type  = wcfType;
                _value = mail.Address;
            }
            else if ((ordinal.Equals(wcfType, ClaimTypes.Thumbprint) || ordinal.Equals(wcfType, ClaimTypes.Hash)) && bytes != null)
            {
                // Thumbprint and hash are both raw bytes and share the same Base64 encoding.
                _type      = wcfType;
                _value     = Convert.ToBase64String(bytes);
                _valueType = ClaimValueTypes.Base64Binary;
            }
            else if (ordinal.Equals(wcfType, ClaimTypes.NameIdentifier) && nameId != null)
            {
                _type  = wcfType;
                _value = nameId.Name;

                if (nameId.Format != null)
                {
                    samlNameIdentifierFormat = nameId.Format;
                }
                if (nameId.NameQualifier != null)
                {
                    samlNameIdentifierNameQualifier = nameId.NameQualifier;
                }
            }
            else if (ordinal.Equals(wcfType, ClaimTypes.X500DistinguishedName) && dn != null)
            {
                _type      = wcfType;
                _value     = dn.Name;
                _valueType = ClaimValueTypes.X500Name;
            }
            else if (ordinal.Equals(wcfType, ClaimTypes.Uri) && uri != null)
            {
                _type  = wcfType;
                _value = uri.ToString();
            }
            else if (ordinal.Equals(wcfType, ClaimTypes.Rsa) && rsa != null)
            {
                // Public parameters only (includePrivateParameters: false).
                _type      = wcfType;
                _value     = rsa.ToXmlString(false);
                _valueType = ClaimValueTypes.RsaKeyValue;
            }
            else if (ordinal.Equals(wcfType, ClaimTypes.DenyOnlySid) && sid != null)
            {
                _type  = wcfType;
                _value = sid.Value;
            }
        }