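/// <summary>
/// Creates a holder-of-key SAML token: one attribute statement over <paramref name="samlAttributes"/>,
/// the proof key wrapped for the relying party, the assertion signed by the issuer token.
/// </summary>
/// <param name="stsName">Name of the STS issuing the SAML Token; written as the assertion issuer.</param>
/// <param name="proofToken">Associated Proof Token; its key bytes are RSA-OAEP wrapped into the subject.</param>
/// <param name="issuerToken">Associated Issuer Token; its first key signs the assertion and is referenced by X.509 thumbprint.</param>
/// <param name="proofKeyEncryptionToken">Token to encrypt the proof key with; referenced by X.509 thumbprint.</param>
/// <param name="samlConditions">The Saml Conditions to be used in the construction of the SAML Token.</param>
/// <param name="samlAttributes">The Saml Attributes to be used in the construction of the SAML Token.</param>
/// <returns>A SAML Token wrapping the signed assertion.</returns>
/// <exception cref="ArgumentNullException">
/// Thrown when <paramref name="proofToken"/>, <paramref name="issuerToken"/> or
/// <paramref name="proofKeyEncryptionToken"/> is null.
/// </exception>
public static SamlSecurityToken CreateSamlToken(string stsName, BinarySecretSecurityToken proofToken, SecurityToken issuerToken, SecurityToken proofKeyEncryptionToken, SamlConditions samlConditions, IEnumerable<SamlAttribute> samlAttributes)
{
    // Validate the tokens up front (as CreateSymmetricKeyBasedAssertion does) so a missing argument
    // surfaces as ArgumentNullException instead of a NullReferenceException from the key calls below.
    if (proofToken == null) throw new ArgumentNullException("proofToken");
    if (issuerToken == null) throw new ArgumentNullException("issuerToken");
    if (proofKeyEncryptionToken == null) throw new ArgumentNullException("proofKeyEncryptionToken");

    // Reference the issuer certificate by thumbprint so relying parties can locate the signing key.
    SecurityKeyIdentifierClause issuerClause = issuerToken.CreateKeyIdentifierClause<X509ThumbprintKeyIdentifierClause>();
    SecurityKeyIdentifier issuerKeyIdentifier = new SecurityKeyIdentifier(issuerClause);

    // Wrap the proof key with the encryption token's key (RSA-OAEP) and reference that token by
    // thumbprint; only the holder of the matching private key can recover the proof key.
    byte[] wrappedKey = proofKeyEncryptionToken.SecurityKeys[0].EncryptKey(SecurityAlgorithms.RsaOaepKeyWrap, proofToken.GetKeyBytes());
    SecurityKeyIdentifierClause encryptingTokenClause = proofKeyEncryptionToken.CreateKeyIdentifierClause<X509ThumbprintKeyIdentifierClause>();
    EncryptedKeyIdentifierClause encryptedKeyClause = new EncryptedKeyIdentifierClause(
        wrappedKey,
        SecurityAlgorithms.RsaOaepKeyWrap,
        new SecurityKeyIdentifier(encryptingTokenClause));
    SecurityKeyIdentifier proofKeyIdentifier = new SecurityKeyIdentifier(encryptedKeyClause);

    // Holder-of-key confirmation: the subject must prove possession of the wrapped key to use the token.
    List<string> confirmationMethods = new List<string>(1) { SamlConstants.HolderOfKey };
    SamlSubject samlSubject = new SamlSubject(null, null, null, confirmationMethods, null, proofKeyIdentifier);

    SamlAttributeStatement samlAttributeStatement = new SamlAttributeStatement(samlSubject, samlAttributes);
    List<SamlStatement> samlStatements = new List<SamlStatement> { samlAttributeStatement };

    // NOTE(review): RSA-SHA1 / SHA-1 digest are kept as-is for compatibility with existing relying
    // parties, but SHA-1 is deprecated for signatures. Plan a move to
    // SecurityAlgorithms.RsaSha256Signature / SecurityAlgorithms.Sha256Digest once consumers accept it.
    SigningCredentials signingCredentials = new SigningCredentials(
        issuerToken.SecurityKeys[0],
        SecurityAlgorithms.RsaSha1Signature,
        SecurityAlgorithms.Sha1Digest,
        issuerKeyIdentifier);

    // The "_" prefix is presumably there because the assertion ID is an xsd:ID, which may not begin
    // with a digit; a bare GUID can.
    SamlAssertion samlAssertion = new SamlAssertion(
        "_" + Guid.NewGuid().ToString(),
        stsName,
        DateTime.UtcNow,
        samlConditions,
        new SamlAdvice(),
        samlStatements);
    samlAssertion.SigningCredentials = signingCredentials;

    return new SamlSecurityToken(samlAssertion);
}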
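/// <summary>
/// Creates a SAML assertion based on a symmetric proof key: the proof key is wrapped for
/// <paramref name="encryptionToken"/> and the assertion is signed with <paramref name="signatureToken"/>.
/// </summary>
/// <param name="claims">A ClaimSet containing the claims to be placed into the SAML assertion</param>
/// <param name="signatureToken">An X509SecurityToken that will be used to sign the SAML assertion</param>
/// <param name="encryptionToken">An X509SecurityToken that will be used to encrypt the proof key</param>
/// <param name="proofToken">A BinarySecretSecurityToken containing the proof key</param>
/// <param name="algoSuite">The algorithm suite to use when performing cryptographic operations</param>
/// <returns>A SAML assertion containing the passed in claims and proof key, signed by the provided signature token</returns>
/// <exception cref="ArgumentNullException">Thrown when any argument is null.</exception>
/// <exception cref="ArgumentException">Thrown when <paramref name="claims"/> is empty.</exception>
public static SamlAssertion CreateSymmetricKeyBasedAssertion(ClaimSet claims, X509SecurityToken signatureToken, X509SecurityToken encryptionToken, BinarySecretSecurityToken proofToken, SecurityAlgorithmSuite algoSuite)
{
    // Argument validation (same order as before; the duplicate proofToken check is gone).
    if (claims == null) throw new ArgumentNullException("claims");
    if (claims.Count == 0) throw new ArgumentException("Provided ClaimSet must contain at least one claim");
    if (proofToken == null) throw new ArgumentNullException("proofToken");
    if (signatureToken == null) throw new ArgumentNullException("signatureToken");
    if (encryptionToken == null) throw new ArgumentNullException("encryptionToken");
    if (algoSuite == null) throw new ArgumentNullException("algoSuite");

    // Signing key plus a thumbprint reference so verifiers can locate the signing certificate.
    SecurityKey signatureKey = signatureToken.SecurityKeys[0];
    SecurityKeyIdentifierClause signatureSkic = signatureToken.CreateKeyIdentifierClause<X509ThumbprintKeyIdentifierClause>();
    SecurityKeyIdentifier signatureKeyIdentifier = new SecurityKeyIdentifier(signatureSkic);

    // Encryption key plus a thumbprint reference so the recipient knows which key unwraps the secret.
    SecurityKey encryptionKey = encryptionToken.SecurityKeys[0];
    SecurityKeyIdentifierClause encryptionSkic = encryptionToken.CreateKeyIdentifierClause<X509ThumbprintKeyIdentifierClause>();
    SecurityKeyIdentifier encryptionKeyIdentifier = new SecurityKeyIdentifier(encryptionSkic);

    // Wrap the proof key with the suite's asymmetric key-wrap algorithm. The previous version
    // allocated a buffer of proofKey.Length that EncryptKey immediately replaced; EncryptKey
    // returns its own array. GetKeyBytes() is documented to return a copy of the key, so that
    // copy is cleared once wrapped to shorten how long plaintext key material lingers in memory
    // (best effort only: the GC may already have relocated it).
    byte[] proofKey = proofToken.GetKeyBytes();
    byte[] encryptedSecret;
    try
    {
        encryptedSecret = encryptionKey.EncryptKey(algoSuite.DefaultAsymmetricKeyWrapAlgorithm, proofKey);
    }
    finally
    {
        Array.Clear(proofKey, 0, proofKey.Length);
    }
    SecurityKeyIdentifier proofKeyIdentifier = new SecurityKeyIdentifier(
        new EncryptedKeyIdentifierClause(encryptedSecret, algoSuite.DefaultAsymmetricKeyWrapAlgorithm, encryptionKeyIdentifier));

    return CreateAssertion(claims, signatureKey, signatureKeyIdentifier, proofKeyIdentifier, algoSuite);
}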
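/// <summary>
/// Builds an HMAC-SHA256-signed JWT carrying <paramref name="claims"/>, valid for 24 hours from now.
/// </summary>
/// <param name="claims">Claims placed in the token's subject identity.</param>
/// <param name="secretKey">Shared secret from which <c>GetSigningKey</c> derives the HMAC key.</param>
/// <param name="audience">Written as the token audience (AppliesToAddress).</param>
/// <param name="issuer">Written as the token issuer.</param>
/// <returns>The signed <see cref="JwtSecurityToken"/>.</returns>
/// <exception cref="InvalidOperationException">
/// Thrown when the handler does not return a <see cref="JwtSecurityToken"/>; previously this
/// case silently returned null.
/// </exception>
protected virtual JwtSecurityToken CreateTokenFromClaims(IEnumerable<Claim> claims, string secretKey, string audience, string issuer)
{
    byte[] signingKey = this.GetSigningKey(secretKey);

    // The key bytes used to be round-tripped through a BinarySecretSecurityToken (ctor + GetKeyBytes)
    // before reaching InMemorySymmetricSecurityKey, which copies the buffer itself; use them directly.
    var signingCredentials = new SigningCredentials(
        new InMemorySymmetricSecurityKey(signingKey),
        "http://www.w3.org/2001/04/xmldsig-more#hmac-sha256",
        "http://www.w3.org/2001/04/xmlenc#sha256");

    // Read the clock once so nbf and exp are computed from the same instant.
    DateTime created = DateTime.UtcNow;
    var tokenDescriptor = new SecurityTokenDescriptor
    {
        AppliesToAddress = audience,
        TokenIssuerName = issuer,
        SigningCredentials = signingCredentials,
        // Fixed one-day validity window; there is no caller-supplied lifetime on this overload.
        Lifetime = new Lifetime(created, created + TimeSpan.FromDays(1)),
        Subject = new ClaimsIdentity(claims),
    };

    var tokenHandler = new JwtSecurityTokenHandler();
    var token = tokenHandler.CreateToken(tokenDescriptor) as JwtSecurityToken;
    if (token == null)
    {
        // CreateToken is typed as SecurityToken; a failed cast must not turn into a null token
        // handed to callers that expect a signed JWT.
        throw new InvalidOperationException("JwtSecurityTokenHandler did not produce a JwtSecurityToken.");
    }
    return token;
}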
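// Serializes a BinarySecretSecurityToken as a WS-Trust <t:BinarySecret> element carrying a wsu:Id
// attribute and the raw key bytes as base64 text. The secret is written in the clear; whatever
// wraps this writer (message or transport security) is responsible for protecting it.
// Throws ArgumentNullException for a null writer or token instead of a NullReferenceException
// from the first XmlWriter call.
void WriteBinarySecretSecurityToken (XmlWriter w, BinarySecretSecurityToken token)
{
	if (w == null)
		throw new ArgumentNullException ("w");
	if (token == null)
		throw new ArgumentNullException ("token");

	w.WriteStartElement ("t", "BinarySecret", Constants.WstNamespace);
	w.WriteAttributeString ("u", "Id", Constants.WsuNamespace, token.Id);
	w.WriteString (Convert.ToBase64String (token.GetKeyBytes ()));
	w.WriteEndElement ();
}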
/// <summary>
/// Writes <paramref name="token"/> as a WS-Trust BinarySecret element whose text content is the
/// base64 encoding of the token's key bytes. The key material is emitted unencrypted, so the
/// caller must make sure the produced XML is covered by message or transport protection.
/// </summary>
/// <param name="writer">Destination XML writer.</param>
/// <param name="token">Token whose key bytes are serialized.</param>
/// <param name="trustConstants">Supplies the BinarySecret element name and the WS-Trust namespace for the version in use.</param>
public static void WriteBinarySecretSecurityToken(XmlWriter writer, BinarySecretSecurityToken token, WSTrustConstantsAdapter trustConstants)
{
    // Argument checks, in the same order as the rest of the file's writers.
    if (writer == null)
    {
        throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("writer");
    }

    if (token == null)
    {
        throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("token");
    }

    if (trustConstants == null)
    {
        throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("trustConstants");
    }

    string elementName = trustConstants.Elements.BinarySecret;
    string elementNamespace = trustConstants.NamespaceURI;
    byte[] secret = token.GetKeyBytes();

    writer.WriteStartElement(elementName, elementNamespace);
    // WriteBase64 streams the bytes straight into the element text.
    writer.WriteBase64(secret, 0, secret.Length);
    writer.WriteEndElement();
}
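/// <summary>
/// Builds an HMAC-SHA256-signed JWT for <paramref name="claims"/> and returns it wrapped in a <see cref="TokenInfo"/>.
/// </summary>
/// <param name="claims">Claims placed in the token's subject identity.</param>
/// <param name="secretKey">Shared secret from which <c>GetSigningKey</c> derives the HMAC key.</param>
/// <param name="audience">Written as the token audience (AppliesToAddress).</param>
/// <param name="issuer">Written as the token issuer.</param>
/// <param name="lifetime">
/// Validity period measured from now. <c>null</c> yields a token with no expiry.
/// </param>
/// <returns>A <see cref="TokenInfo"/> whose <c>Token</c> is the signed JWT.</returns>
/// <exception cref="InvalidOperationException">
/// Thrown when the handler does not return a <see cref="JwtSecurityToken"/>; previously this
/// case produced a <see cref="TokenInfo"/> with a null token.
/// </exception>
public static TokenInfo CreateTokenFromClaims(IEnumerable<Claim> claims, string secretKey, string audience, string issuer, TimeSpan? lifetime)
{
    byte[] signingKey = GetSigningKey(secretKey);

    // The key bytes used to be round-tripped through a BinarySecretSecurityToken (ctor + GetKeyBytes)
    // before reaching InMemorySymmetricSecurityKey, which copies the buffer itself; use them directly.
    SigningCredentials signingCredentials = new SigningCredentials(
        new InMemorySymmetricSecurityKey(signingKey),
        "http://www.w3.org/2001/04/xmldsig-more#hmac-sha256",
        "http://www.w3.org/2001/04/xmlenc#sha256");

    DateTime created = DateTime.UtcNow;
    // NOTE(review): a null lifetime is deliberately allowed and produces a token with no expiry.
    // Such a token stays valid until secretKey is rotated, so callers should pass a bounded
    // lifetime unless non-expiring tokens are an explicit requirement.
    DateTime? expiry = lifetime.HasValue ? created + lifetime.Value : (DateTime?)null;

    SecurityTokenDescriptor tokenDescriptor = new SecurityTokenDescriptor
    {
        AppliesToAddress = audience,
        TokenIssuerName = issuer,
        SigningCredentials = signingCredentials,
        Lifetime = new Lifetime(created, expiry),
        Subject = new ClaimsIdentity(claims),
    };

    JwtSecurityTokenHandler securityTokenHandler = new JwtSecurityTokenHandler();
    JwtSecurityToken token = securityTokenHandler.CreateToken(tokenDescriptor) as JwtSecurityToken;
    if (token == null)
    {
        // CreateToken is typed as SecurityToken; do not hand callers a TokenInfo with a null token.
        throw new InvalidOperationException("JwtSecurityTokenHandler did not produce a JwtSecurityToken.");
    }

    return new TokenInfo { Token = token };
}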
// Builds the descriptor the token-handler tests sign: an identity with a "uid" claim for the
// test user and a "ver" claim of "2", addressed to the Zumo audience/issuer, HMAC-SHA256 signed
// with the test secret, and valid over [tokenLifetimeStart, tokenLifetimeEnd].
private SecurityTokenDescriptor GetTestSecurityTokenDescriptor(DateTime tokenLifetimeStart, DateTime tokenLifetimeEnd)
{
    // Claims first, matching the order the test previously used (the user id is read before the key).
    Claim[] identityClaims =
    {
        new Claim("uid", this.credentials.UserId),
        new Claim("ver", "2"),
    };

    byte[] keyBytes = MobileAppTokenHandler.GetSigningKey(TestSecretKey);
    BinarySecretSecurityToken secretToken = new BinarySecretSecurityToken(keyBytes);
    InMemorySymmetricSecurityKey symmetricKey = new InMemorySymmetricSecurityKey(secretToken.GetKeyBytes());
    SigningCredentials signing = new SigningCredentials(
        symmetricKey,
        "http://www.w3.org/2001/04/xmldsig-more#hmac-sha256",
        "http://www.w3.org/2001/04/xmlenc#sha256");

    SecurityTokenDescriptor descriptor = new SecurityTokenDescriptor();
    descriptor.AppliesToAddress = MobileAppTokenHandler.ZumoAudienceValue;
    descriptor.TokenIssuerName = MobileAppTokenHandler.ZumoIssuerValue;
    descriptor.SigningCredentials = signing;
    descriptor.Lifetime = new Lifetime(tokenLifetimeStart, tokenLifetimeEnd);
    descriptor.Subject = new ClaimsIdentity(identityClaims);
    return descriptor;
}