public void EntityDescriptorExtensions_ToXElement_Nodes()
{
EntityId entityId = new EntityId("http://dummyentityid.com");
var entityDescriptor = new EntityDescriptor(entityId);
var spsso = new ServiceProviderSingleSignOnDescriptor();
string sampleAcsUri = "https://some.uri.example.com/acs";
var acs = new IndexedProtocolEndpoint()
{
IsDefault = false,
Index = 17,
Binding = Saml2Binding.HttpPostUri,
Location = new Uri(sampleAcsUri)
};
spsso.AssertionConsumerServices.Add(1, acs);
entityDescriptor.RoleDescriptors.Add(spsso);
var rootName = Saml2Namespaces.Saml2Metadata + "EntityDescriptor";
var elementName = Saml2Namespaces.Saml2Metadata + "SPSSODescriptor";
var subject = entityDescriptor.ToXElement();
subject.Name.Should().Be(rootName);
subject.Elements().Single().Name.Should().Be(elementName);
subject.Attribute("entityId").Value.Should().Be("http://dummyentityid.com");
}
public EntityDescriptor Generate(string wsfedEndpoint)
{
var tokenServiceDescriptor = GetTokenServiceDescriptor(wsfedEndpoint);
var id = new EntityId(_options.IssuerUri);
var entity = new EntityDescriptor(id);
entity.SigningCredentials = new X509SigningCredentials(_options.SigningCertificate);
entity.RoleDescriptors.Add(tokenServiceDescriptor);
return entity;
}
public string Generate()
{
var tokenServiceDescriptor = GetTokenServiceDescriptor();
var id = new EntityId(ConfigurationRepository.Global.IssuerUri);
var entity = new EntityDescriptor(id);
entity.SigningCredentials = new X509SigningCredentials(ConfigurationRepository.Keys.SigningCertificate);
entity.RoleDescriptors.Add(tokenServiceDescriptor);
var ser = new MetadataSerializer();
var sb = new StringBuilder(512);
ser.WriteMetadata(XmlWriter.Create(new StringWriter(sb), new XmlWriterSettings { OmitXmlDeclaration = true }), entity);
return sb.ToString();
}
private string GenerateMetadata(params RoleDescriptor[] roles)
{
var id = new EntityId(ConfigurationRepository.Global.IssuerUri);
var entity = new EntityDescriptor(id);
entity.SigningCredentials = new X509SigningCredentials(ConfigurationRepository.Keys.SigningCertificate);
foreach (var roleDescriptor in roles)
{
entity.RoleDescriptors.Add(roleDescriptor);
}
var ser = new MetadataSerializer();
var sb = new StringBuilder(512);
ser.WriteMetadata(XmlWriter.Create(new StringWriter(sb), new XmlWriterSettings { OmitXmlDeclaration = true }), entity);
return sb.ToString();
}
public string GetFederationMetadata(Uri endpoint)
{
// hostname
var passiveEndpoint = new EndpointReference(endpoint.AbsoluteUri);
var activeEndpoint = new EndpointReference(endpoint.AbsoluteUri);
// metadata document
var entity = new EntityDescriptor(new EntityId(TwitterClaims.IssuerName));
var sts = new SecurityTokenServiceDescriptor();
entity.RoleDescriptors.Add(sts);
// signing key
var signingKey = new KeyDescriptor(SigningCredentials.SigningKeyIdentifier) { Use = KeyType.Signing };
sts.Keys.Add(signingKey);
// claim types
sts.ClaimTypesOffered.Add(new DisplayClaim(ClaimTypes.Name, "Name", "User name"));
sts.ClaimTypesOffered.Add(new DisplayClaim(ClaimTypes.NameIdentifier, "Name Identifier", "User name identifier"));
sts.ClaimTypesOffered.Add(new DisplayClaim(TwitterClaims.TwitterToken, "Token", "Service token"));
sts.ClaimTypesOffered.Add(new DisplayClaim(TwitterClaims.TwitterTokenSecret, "Token Secret", "Service token secret"));
// passive federation endpoint
sts.PassiveRequestorEndpoints.Add(passiveEndpoint);
// supported protocols
//Inaccessable due to protection level
//sts.ProtocolsSupported.Add(new Uri(WSFederationConstants.Namespace));
sts.ProtocolsSupported.Add(new Uri("http://docs.oasis-open.org/wsfed/federation/200706"));
// add passive STS endpoint
sts.SecurityTokenServiceEndpoints.Add(activeEndpoint);
// metadata signing
entity.SigningCredentials = SigningCredentials;
// serialize
var serializer = new MetadataSerializer();
using (var memoryStream = new MemoryStream())
{
serializer.WriteMetadata(memoryStream, entity);
return Encoding.UTF8.GetString(memoryStream.ToArray());
}
}
private EntityDescriptor GenerateEntities()
{
if (_entity != null)
return _entity;
var sts = new SecurityTokenServiceDescriptor();
//FillOfferedClaimTypes(sts.ClaimTypesOffered);
FillEndpoints(sts);
FillSupportedProtocols(sts);
FillSigningKey(sts);
_entity = new EntityDescriptor(new EntityId(Host))
{
SigningCredentials = SigningCredentials
};
_entity.RoleDescriptors.Add(sts);
return _entity;
}
public byte[] GetFederationMetadata(Uri passiveSignInUrl, Uri identifier, X509Certificate2 signingCertificate)
{
var credentials = new X509SigningCredentials(signingCertificate);
// Figure out the hostname exposed from Azure and what port the service is listening on
var realm = new EndpointAddress(identifier);
var passiveEndpoint = new EndpointReference(passiveSignInUrl.AbsoluteUri);
// Create metadata document for relying party
EntityDescriptor entity = new EntityDescriptor(new EntityId(realm.Uri.AbsoluteUri));
SecurityTokenServiceDescriptor sts = new SecurityTokenServiceDescriptor();
entity.RoleDescriptors.Add(sts);
// Add STS's signing key
KeyDescriptor signingKey = new KeyDescriptor(credentials.SigningKeyIdentifier);
signingKey.Use = KeyType.Signing;
sts.Keys.Add(signingKey);
// Add offered claim types
sts.ClaimTypesOffered.Add(new DisplayClaim(ClaimTypes.AuthenticationMethod));
sts.ClaimTypesOffered.Add(new DisplayClaim(ClaimTypes.AuthenticationInstant));
sts.ClaimTypesOffered.Add(new DisplayClaim(ClaimTypes.Name));
// Add passive federation endpoint
sts.PassiveRequestorEndpoints.Add(passiveEndpoint);
// Add supported protocols
sts.ProtocolsSupported.Add(new Uri(WSFederationConstants.Namespace));
// Add passive STS endpoint
sts.SecurityTokenServiceEndpoints.Add(passiveEndpoint);
// Set credentials with which to sign the metadata
entity.SigningCredentials = credentials;
// Serialize the metadata and convert it to an XElement
MetadataSerializer serializer = new MetadataSerializer();
MemoryStream stream = new MemoryStream();
serializer.WriteMetadata(stream, entity);
stream.Flush();
return stream.ToArray();
}
// Helpers
private string Generate()
{
var tokenServiceDescriptor = GetTokenServiceDescriptor();
var id = new EntityId("https://tugberk.me");
var entity = new EntityDescriptor(id);
var certificate = GetSigningCertificate();
entity.SigningCredentials = new X509SigningCredentials(certificate);
entity.RoleDescriptors.Add(tokenServiceDescriptor);
var ser = new MetadataSerializer();
var sb = new StringBuilder(512);
using (var sr = new StringWriter(sb))
using (var xmlWriter = XmlWriter.Create(sr, new XmlWriterSettings { OmitXmlDeclaration = true }))
{
ser.WriteMetadata(xmlWriter, entity);
return sb.ToString();
}
}
public ActionResult FederationMetadata()
{
var endpoint = Request.Url.Scheme + "://" + Request.Url.Host + ":" + Request.Url.Port;
var entityDescriptor = new EntityDescriptor(new EntityId(ConfigurationManager.AppSettings["stsName"]))
{
SigningCredentials = CertificateFactory.GetSigningCredentials()
};
var roleDescriptor = new SecurityTokenServiceDescriptor();
roleDescriptor.Contacts.Add(new ContactPerson(ContactType.Administrative));
var clause = new X509RawDataKeyIdentifierClause(CertificateFactory.GetCertificate());
var securityKeyIdentifier = new SecurityKeyIdentifier(clause);
var signingKey = new KeyDescriptor(securityKeyIdentifier) {Use = KeyType.Signing};
roleDescriptor.Keys.Add(signingKey);
var endpointAddress =
new System.IdentityModel.Protocols.WSTrust.EndpointReference(endpoint + "/Security/Authorize");
roleDescriptor.PassiveRequestorEndpoints.Add(endpointAddress);
roleDescriptor.SecurityTokenServiceEndpoints.Add(endpointAddress);
roleDescriptor.ProtocolsSupported.Add(new Uri("http://docs.oasis-open.org/wsfed/federation/200706"));
entityDescriptor.RoleDescriptors.Add(roleDescriptor);
var serializer = new MetadataSerializer();
var settings = new XmlWriterSettings {Encoding = Encoding.UTF8};
var memoryStream = new MemoryStream();
var writer = XmlWriter.Create(memoryStream, settings);
serializer.WriteMetadata(writer,entityDescriptor);
writer.Flush();
var content = Content(Encoding.UTF8.GetString(memoryStream.GetBuffer()), "text/xml");
writer.Dispose();
return content;
}
public MetadataResult(EntityDescriptor entity)
{
_entity = entity;
}
static List<X509SecurityToken> ReadSigningCertsFromMetadata(EntityDescriptor entityDescriptor)
{
List<X509SecurityToken> stsSigningTokens = new List<X509SecurityToken>();
SecurityTokenServiceDescriptor stsd = entityDescriptor.RoleDescriptors.OfType<SecurityTokenServiceDescriptor>().First();
if (stsd != null && stsd.Keys != null)
{
IEnumerable<X509RawDataKeyIdentifierClause> x509DataClauses = stsd.Keys.Where(key => key.KeyInfo != null && (key.Use == KeyType.Signing || key.Use == KeyType.Unspecified)).
Select(key => key.KeyInfo.OfType<X509RawDataKeyIdentifierClause>().First());
stsSigningTokens.AddRange(x509DataClauses.Select(clause => new X509SecurityToken(new X509Certificate2(clause.GetX509RawData()))));
}
else
{
throw new InvalidOperationException("There is no RoleDescriptor of type SecurityTokenServiceType in the metadata");
}
return stsSigningTokens;
}
