public void Validation ()
{
Authenticator a = new Authenticator (
new SecurityTokenAuthenticator [] {
new CustomUserNameSecurityTokenAuthenticator (UserNamePasswordValidator.None),
new X509SecurityTokenAuthenticator (X509CertificateValidator.None),
});
PolicyCollection pl = a.ValidateToken (GetSamlToken ());
Assert.AreEqual (1, pl.Count, "#1");
IAuthorizationPolicy p = pl [0];
Assert.AreEqual (ClaimSet.System, p.Issuer, "#2");
TestEvaluationContext ec = new TestEvaluationContext ();
object o = null;
Assert.IsTrue (p.Evaluate (ec, ref o), "#3");
Assert.AreEqual (DateTime.MaxValue.AddDays (-1), ec.ExpirationTime, "#4");
IList<IIdentity> identities = ec.Properties ["Identities"] as IList<IIdentity>;
Assert.IsNotNull (identities, "#5");
Assert.AreEqual (1, identities.Count, "#6");
IIdentity ident = identities [0];
Assert.AreEqual (true, ident.IsAuthenticated, "#6-2");
// it's implementation details.
//Assert.AreEqual ("NoneUserNamePasswordValidator", ident.AuthenticationType, "#6-3");
Assert.AreEqual ("mono", ident.Name, "#6-4");
Assert.AreEqual (1, ec.ClaimSets.Count, "#7");
Assert.IsTrue (p.Evaluate (ec, ref o), "#8");
identities = ec.Properties ["Identities"] as IList<IIdentity>;
Assert.AreEqual (2, identities.Count, "#9");
Assert.AreEqual (2, ec.ClaimSets.Count, "#10");
}
public void Validation()
{
Authenticator a = new Authenticator(
new SecurityTokenAuthenticator [] {
new CustomUserNameSecurityTokenAuthenticator(UserNamePasswordValidator.None),
new X509SecurityTokenAuthenticator(X509CertificateValidator.None),
});
PolicyCollection pl = a.ValidateToken(GetSamlToken());
Assert.AreEqual(1, pl.Count, "#1");
IAuthorizationPolicy p = pl [0];
Assert.AreEqual(ClaimSet.System, p.Issuer, "#2");
TestEvaluationContext ec = new TestEvaluationContext();
object o = null;
Assert.IsTrue(p.Evaluate(ec, ref o), "#3");
Assert.AreEqual(DateTime.MaxValue.AddDays(-1), ec.ExpirationTime, "#4");
IList <IIdentity> identities = ec.Properties ["Identities"] as IList <IIdentity>;
Assert.IsNotNull(identities, "#5");
Assert.AreEqual(1, identities.Count, "#6");
IIdentity ident = identities [0];
Assert.AreEqual(true, ident.IsAuthenticated, "#6-2");
// it's implementation details.
//Assert.AreEqual ("NoneUserNamePasswordValidator", ident.AuthenticationType, "#6-3");
Assert.AreEqual("mono", ident.Name, "#6-4");
Assert.AreEqual(1, ec.ClaimSets.Count, "#7");
Assert.IsTrue(p.Evaluate(ec, ref o), "#8");
identities = ec.Properties ["Identities"] as IList <IIdentity>;
Assert.AreEqual(2, identities.Count, "#9");
Assert.AreEqual(2, ec.ClaimSets.Count, "#10");
}
/// <summary>
/// Token Constructor
/// </summary>
/// <param name="xmlToken">Encrypted xml token</param>
public Token(String xmlToken)
{
byte[] decryptedData = decryptToken(xmlToken);
XmlReader reader = new XmlTextReader(new StreamReader(new MemoryStream(decryptedData), Encoding.UTF8));
m_token = (SamlSecurityToken)WSSecurityTokenSerializer.DefaultInstance.ReadToken(reader, null);
SamlSecurityTokenAuthenticator authenticator = new SamlSecurityTokenAuthenticator(new List<SecurityTokenAuthenticator>(
new SecurityTokenAuthenticator[]{
new RsaSecurityTokenAuthenticator(),
new X509SecurityTokenAuthenticator() }), MaximumTokenSkew);
if (authenticator.CanValidateToken(m_token))
{
ReadOnlyCollection<IAuthorizationPolicy> policies = authenticator.ValidateToken(m_token);
m_authorizationContext = AuthorizationContext.CreateDefaultAuthorizationContext(policies);
FindIdentityClaims();
}
else
{
throw new Exception("Unable to validate the token.");
}
}
/// <summary>
/// Token Authentication. Translates the decrypted data into a AuthContext.
/// </summary>
/// <param name="reader">The token XML reader.</param>
/// <param name="audience">The audience that the token must be scoped for.
/// Use <c>null</c> to indicate any audience is acceptable.</param>
/// <returns>
/// The authorization context carried by the token.
/// </returns>
internal static AuthorizationContext AuthenticateToken(XmlReader reader, Uri audience) {
Contract.Ensures(Contract.Result<AuthorizationContext>() != null);
// Extensibility Point:
// in order to accept different token types, you would need to add additional
// code to create an authenticationcontext from the security token.
// This code only supports SamlSecurityToken objects.
SamlSecurityToken token = WSSecurityTokenSerializer.DefaultInstance.ReadToken(reader, null) as SamlSecurityToken;
if (null == token) {
throw new InformationCardException("Unable to read security token");
}
if (null != token.SecurityKeys && token.SecurityKeys.Count > 0) {
throw new InformationCardException("Token Security Keys Exist");
}
if (audience == null) {
Logger.InfoCard.Warn("SAML token Audience checking will be skipped.");
} else {
if (token.Assertion.Conditions != null &&
token.Assertion.Conditions.Conditions != null) {
foreach (SamlCondition condition in token.Assertion.Conditions.Conditions) {
SamlAudienceRestrictionCondition audienceCondition = condition as SamlAudienceRestrictionCondition;
if (audienceCondition != null) {
Logger.InfoCard.DebugFormat("SAML token audience(s): {0}", audienceCondition.Audiences.ToStringDeferred());
bool match = audienceCondition.Audiences.Contains(audience);
if (!match && Logger.InfoCard.IsErrorEnabled) {
Logger.InfoCard.ErrorFormat("Expected SAML token audience of {0} but found {1}.", audience.AbsoluteUri, audienceCondition.Audiences.Select(aud => aud.AbsoluteUri).ToStringDeferred());
}
// The token is invalid if any condition is not valid.
// An audience restriction condition is valid if any audience
// matches the Relying Party.
InfoCardErrorUtilities.VerifyInfoCard(match, InfoCardStrings.AudienceMismatch);
}
}
}
}
var samlAuthenticator = new SamlSecurityTokenAuthenticator(
new List<SecurityTokenAuthenticator>(
new SecurityTokenAuthenticator[] {
new RsaSecurityTokenAuthenticator(),
new X509SecurityTokenAuthenticator(),
}),
MaximumClockSkew);
return AuthorizationContext.CreateDefaultAuthorizationContext(samlAuthenticator.ValidateToken(token));
}
private void ParseToken(string xmlToken, X509Certificate2 cert)
{
int skew = 300; // default to 5 minutes
string tokenskew = System.Configuration.ConfigurationManager.AppSettings["MaximumClockSkew"];
if (!string.IsNullOrEmpty(tokenskew))
skew = Int32.Parse(tokenskew);
XmlReader tokenReader = new XmlTextReader(new StringReader(xmlToken));
EncryptedData enc = new EncryptedData();
enc.TokenSerializer = WSSecurityTokenSerializer.DefaultInstance;
enc.ReadFrom(tokenReader);
List<SecurityToken> tokens = new List<SecurityToken>();
SecurityToken encryptingToken = new X509SecurityToken(cert);
tokens.Add(encryptingToken);
SecurityTokenResolver tokenResolver = SecurityTokenResolver.CreateDefaultSecurityTokenResolver(tokens.AsReadOnly(), false);
SymmetricSecurityKey encryptingCrypto;
// an error here usually means that you have selected the wrong key.
encryptingCrypto = (SymmetricSecurityKey)tokenResolver.ResolveSecurityKey(enc.KeyIdentifier[0]);
SymmetricAlgorithm algorithm = encryptingCrypto.GetSymmetricAlgorithm(enc.EncryptionMethod);
byte[] decryptedData = enc.GetDecryptedBuffer(algorithm);
SecurityTokenSerializer tokenSerializer = WSSecurityTokenSerializer.DefaultInstance;
XmlReader reader = new XmlTextReader(new StreamReader(new MemoryStream(decryptedData), Encoding.UTF8));
m_token = (SamlSecurityToken)tokenSerializer.ReadToken(reader, tokenResolver);
SamlSecurityTokenAuthenticator authenticator = new SamlSecurityTokenAuthenticator(new List<SecurityTokenAuthenticator>(
new SecurityTokenAuthenticator[]{
new RsaSecurityTokenAuthenticator(),
new X509SecurityTokenAuthenticator() }), new TimeSpan(0, 0, skew));
if (authenticator.CanValidateToken(m_token))
{
ReadOnlyCollection<IAuthorizationPolicy> policies = authenticator.ValidateToken(m_token);
m_authorizationContext = AuthorizationContext.CreateDefaultAuthorizationContext(policies);
m_identityClaims = FindIdentityClaims(m_authorizationContext);
}
else
{
throw new Exception("Unable to validate the token.");
}
}
/// <summary>
/// Token Authentication. Translates the decrypted data into a AuthContext
///
/// This method makes a strong assumption that the decrypted token in in UTF-8 format.
/// </summary>
/// <param name="decryptedTokenData">Decrypted token</param>
public static AuthorizationContext AuthenticateToken(byte[] decryptedTokenData)
{
string t = Encoding.UTF8.GetString(decryptedTokenData);
XmlReader reader = new XmlTextReader(new StreamReader(new MemoryStream(decryptedTokenData), Encoding.UTF8));
// Extensibility Point:
// in order to accept different token types, you would need to add additional
// code to create an authenticationcontext from the security token.
// This code only supports SamlSecurityToken objects.
SamlSecurityToken token = WSSecurityTokenSerializer.DefaultInstance.ReadToken(reader, null) as SamlSecurityToken;
if( null == token )
throw new InformationCardException("Unable to read security token");
if (null != token.SecurityKeys && token.SecurityKeys.Count > 0)
throw new InformationCardException("Token Security Keys Exist");
if (null != _audience &&
null != token.Assertion.Conditions &&
null != token.Assertion.Conditions.Conditions)
{
foreach (SamlCondition condition in token.Assertion.Conditions.Conditions)
{
SamlAudienceRestrictionCondition audienceCondition = condition as SamlAudienceRestrictionCondition;
if (null != audienceCondition)
{
bool match = false;
foreach (Uri audience in audienceCondition.Audiences)
{
match = audience.Equals(_audience);
if (match) break;
}
//
// The token is invalid if any condition is not valid.
// An audience restriction condition is valid if any audience
// matches the Relying Party.
//
if (!match)
{
throw new InformationCardException("The token is invalid: The audience restrictions does not match the Relying Party.");
}
}
}
}
/*SamlSecurityTokenAuthenticator SamlAuthenticator = new SamlSecurityTokenAuthenticator(new List<SecurityTokenAuthenticator>(
new SecurityTokenAuthenticator[]{
new RsaSecurityTokenAuthenticator(),
new X509SecurityTokenAuthenticator() }), MaximumTokenSkew);*/
SamlSecurityTokenAuthenticator SamlAuthenticator = new SamlSecurityTokenAuthenticator(new List<SecurityTokenAuthenticator>(
new SecurityTokenAuthenticator[]{
new RsaSecurityTokenAuthenticator(),
new X509SecurityTokenAuthenticator(X509CertificateValidator.None) }), MaximumTokenSkew);
return AuthorizationContext.CreateDefaultAuthorizationContext(SamlAuthenticator.ValidateToken(token));
}
