/// <summary>
/// Reads the single sign-on endpoint and the signing keys of the identity
/// provider role described by <paramref name="metadata"/> into this instance.
/// </summary>
/// <param name="metadata">Parsed entity descriptor of the identity provider.</param>
/// <exception cref="InvalidOperationException">
/// Thrown by Single()/First() when the metadata has more or fewer than one
/// IDP SSO descriptor, or when it has neither a Redirect nor a POST endpoint.
/// </exception>
private void ReadMetadataIdpDescriptor(ExtendedEntityDescriptor metadata)
{
    // Exactly one IDP SSO role descriptor is expected.
    var ssoDescriptor = metadata.RoleDescriptors
        .OfType<IdentityProviderSingleSignOnDescriptor>()
        .Single();

    // The redirect binding is preferred; POST is the only other binding
    // AuthServices supports, and is a hard requirement if redirect is absent.
    var redirectEndpoint = ssoDescriptor.SingleSignOnServices
        .FirstOrDefault(e => e.Binding == Saml2Binding.HttpRedirectUri);
    var chosenEndpoint = redirectEndpoint != null
        ? redirectEndpoint
        : ssoDescriptor.SingleSignOnServices.First(e => e.Binding == Saml2Binding.HttpPostUri);

    binding = Saml2Binding.UriToSaml2BindingType(chosenEndpoint.Binding);
    singleSignOnServiceUrl = chosenEndpoint.Location;

    // A key descriptor without an explicit "use" is treated as usable for
    // signing, so Unspecified keys are accepted alongside Signing keys.
    var signingKeyDescriptors = ssoDescriptor.Keys
        .Where(k => k.Use == KeyType.Signing || k.Use == KeyType.Unspecified);

    // NOTE(review): XmlDsigRSASHA1Url selects RSA with SHA-1 here. SHA-1 is
    // deprecated for signatures; confirm which algorithms the verification
    // path (not visible in this block) actually accepts with these objects.
    var algorithms = (from descriptor in signingKeyDescriptors
                      let securityKey = (AsymmetricSecurityKey)descriptor.KeyInfo.CreateKey()
                      select securityKey.GetAsymmetricAlgorithm(SignedXml.XmlDsigRSASHA1Url, false))
                     .ToList();

    signingKeys.SetLoadedItems(algorithms);
}
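/// <summary>
/// Reads the signing requirement, SSO/SLO endpoints, artifact resolution
/// services and signing keys of the identity provider role described by
/// <paramref name="metadata"/> into this instance.
/// </summary>
/// <param name="metadata">Parsed entity descriptor of the identity provider.</param>
/// <exception cref="InvalidOperationException">
/// Thrown by Single()/First() when the metadata has more or fewer than one
/// IDP SSO descriptor, or when a signing key descriptor has no KeyInfo
/// clause that can create a key.
/// </exception>
private void ReadMetadataIdpDescriptor(ExtendedEntityDescriptor metadata)
{
    var idpDescriptor = metadata.RoleDescriptors
        .OfType<IdentityProviderSingleSignOnDescriptor>()
        .Single();

    WantAuthnRequestsSigned = idpDescriptor.WantAuthenticationRequestsSigned;

    // Endpoints are only overwritten when the metadata provides one;
    // otherwise the previously configured values are left untouched.
    var ssoService = GetPreferredEndpoint(idpDescriptor.SingleSignOnServices);
    if (ssoService != null)
    {
        binding = Saml2Binding.UriToSaml2BindingType(ssoService.Binding);
        singleSignOnServiceUrl = ssoService.Location;
    }

    var sloService = GetPreferredEndpoint(idpDescriptor.SingleLogoutServices);
    if (sloService != null)
    {
        SingleLogoutServiceUrl = sloService.Location;
        SingleLogoutServiceBinding = Saml2Binding.UriToSaml2BindingType(sloService.Binding);
        singleLogoutServiceResponseUrl = sloService.ResponseLocation;
    }

    // Artifact resolution services are keyed by their index attribute.
    foreach (var ars in idpDescriptor.ArtifactResolutionServices)
    {
        artifactResolutionServiceUrls[ars.Value.Index] = ars.Value.Location;
    }

    // Drop entries no longer present in the metadata. The stale keys are
    // materialized before removal: removing while enumerating the live Keys
    // collection throws for a plain Dictionary, and is a no-op change for
    // snapshotting collections.
    var staleIndexes = artifactResolutionServiceUrls.Keys
        .Where(k => !idpDescriptor.ArtifactResolutionServices.Keys.Contains(k))
        .ToList();
    foreach (var index in staleIndexes)
    {
        artifactResolutionServiceUrls.Remove(index);
    }

    // A key descriptor without an explicit "use" is treated as usable for
    // signing, so Unspecified keys are loaded alongside explicit Signing keys.
    var keys = idpDescriptor.Keys
        .Where(k => k.Use == KeyType.Unspecified || k.Use == KeyType.Signing);

    // First() makes a key descriptor without a usable clause fail loudly
    // rather than being silently skipped.
    signingKeys.SetLoadedItems(keys.Select(k => k.KeyInfo.First(c => c.CanCreateKey)).ToList());
}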
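/// <summary>
/// Unbinds the SAML response carried by <paramref name="request"/>, validates
/// it against the issuer's signing certificate, passes the resulting principal
/// through the configured ClaimsAuthenticationManager and produces a redirect
/// to the configured return URI.
/// </summary>
/// <param name="request">The incoming HTTP request.</param>
/// <returns>
/// A 303 See Other redirect to the configured return URI, carrying the
/// authenticated principal.
/// </returns>
/// <exception cref="BadFormatSamlResponseException">
/// The response was not valid Base64 or not well-formed XML.
/// </exception>
/// <exception cref="NoSamlResponseFoundException">
/// No supported binding recognised a SAML response in the request.
/// </exception>
public CommandResult Run(HttpRequestBase request)
{
    var binding = Saml2Binding.Get(request);
    if (binding == null)
    {
        throw new NoSamlResponseFoundException();
    }

    try
    {
        var samlResponse = binding.Unbind(request);

        // The issuer is read from the not-yet-verified message and only used
        // to select the key; Validate() is what establishes trust. GetSigningCert
        // is not visible here — confirm it rejects unknown issuers rather than
        // returning a permissive default.
        samlResponse.Validate(GetSigningCert(samlResponse.Issuer));

        var principal = new ClaimsPrincipal(samlResponse.GetClaims());

        // The manager may transform or filter the claims; the principal it
        // returns is the one to issue. Discarding that return value would let
        // a manager that strips claims be bypassed.
        principal = FederatedAuthentication.FederationConfiguration.IdentityConfiguration
            .ClaimsAuthenticationManager.Authenticate(null, principal);

        return new CommandResult()
        {
            HttpStatusCode = HttpStatusCode.SeeOther,
            Location = KentorAuthServicesSection.Current.ReturnUri,
            Principal = principal
        };
    }
    catch (FormatException ex)
    {
        throw new BadFormatSamlResponseException(
            "The SAML Response did not contain valid BASE64 encoded data.", ex);
    }
    catch (XmlException ex)
    {
        throw new BadFormatSamlResponseException(
            "The SAML response contains incorrect XML", ex);
    }
}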
/// <summary>
/// Binds <paramref name="request"/> with the binding currently selected for
/// this identity provider.
/// </summary>
/// <param name="request">The SAML message to bind.</param>
/// <returns>The CommandResult produced by the binding.</returns>
public CommandResult Bind(ISaml2Message request)
{
    var activeBinding = Saml2Binding.Get(Binding);
    return activeBinding.Bind(request);
}
/// <summary>
/// Binds the authentication request with the binding currently selected for
/// this identity provider.
/// </summary>
/// <param name="request">The AuthnRequest to bind.</param>
/// <returns>The CommandResult produced by the binding.</returns>
public CommandResult Bind(Saml2AuthenticationRequest request)
{
    var activeBinding = Saml2Binding.Get(Binding);
    return activeBinding.Bind(request);
}