private void ShowClaims(IClaimsPrincipal principal)
{
foreach (IClaimsIdentity identity in principal.Identities)
{
var identityInfo = new HtmlGenericControl("dl");
AddListItem(identityInfo, "BootstrapToken",
null != identity.BootstrapToken ? identity.BootstrapToken.ToString() : String.Empty);
AddListItem(identityInfo, "Label", identity.Label);
AddListItem(identityInfo, "NameClaimType", identity.NameClaimType);
AddListItem(identityInfo, "RoleClaimType", identity.RoleClaimType);
var claimsInfo = new HtmlGenericControl("dl");
identityInfo.Controls.Add(new HtmlGenericControl("dt") { InnerText = "Claims" });
var claims = new HtmlGenericControl("dd");
claims.Controls.Add(claimsInfo);
identityInfo.Controls.Add(claims);
foreach (Claim claim in identity.Claims)
{
AddListItem(claimsInfo, "ClaimType", claim.ClaimType);
AddListItem(claimsInfo, "Issuer", claim.Issuer);
AddListItem(claimsInfo, "OriginalIssuer", claim.OriginalIssuer);
AddListItem(claimsInfo, "Value", claim.Value);
AddListItem(claimsInfo, "ValueType", claim.ValueType);
}
claimsList.Controls.Add(identityInfo);
}
}
/// <summary>
/// This method returns the configuration for the token issuance request. The configuration
/// is represented by the Scope class. In our case, we are only capable of issuing a token for a
/// single RP identity represented by the EncryptingCertificateName.
/// </summary>
/// <param name="principal">The caller's principal.</param>
/// <param name="request">The incoming RST.</param>
/// <returns>The scope information to be used for the token issuance.</returns>
protected override Scope GetScope(IClaimsPrincipal principal, RequestSecurityToken request)
{
ValidateAppliesTo(request.AppliesTo);
//
// Note: The signing certificate used by default has a Distinguished name of "CN=STSTestCert",
// and is located in the Personal certificate store of the Local Computer. Before going into production,
// ensure that you change this certificate to a valid CA-issued certificate as appropriate.
//
Scope scope = new Scope(request.AppliesTo.Uri.OriginalString, SecurityTokenServiceConfiguration.SigningCredentials);
string encryptingCertificateName = WebConfigurationManager.AppSettings["EncryptingCertificateName"];
if (!string.IsNullOrEmpty(encryptingCertificateName))
{
// Important note on setting the encrypting credentials.
// In a production deployment, you would need to select a certificate that is specific to the RP that is requesting the token.
// You can examine the 'request' to obtain information to determine the certificate to use.
scope.EncryptingCredentials = new X509EncryptingCredentials(CertificateUtil.GetCertificate(StoreName.My, StoreLocation.LocalMachine, encryptingCertificateName));
}
else
{
// If there is no encryption certificate specified, the STS will not perform encryption.
// This will succeed for tokens that are created without keys (BearerTokens) or asymmetric keys.
scope.TokenEncryptionRequired = false;
}
// Set the ReplyTo address for the WS-Federation passive protocol (wreply). This is the address to which responses will be directed.
// In this template, we have chosen to set this to the AppliesToAddress.
scope.ReplyToAddress = scope.AppliesToAddress;
return(scope);
}
/// <summary>
/// Returns the configuration for the token issuance request.
/// </summary>
/// <param name="principal">The caller's principal.</param>
/// <param name="request">The incoming request security token.</param>
/// <returns>The scope information to be used for the token issuance.</returns>
protected override Scope GetScope(IClaimsPrincipal principal, RequestSecurityToken request)
{
// Verify the request, i.e. the requesting realm. The reply address does not need to be
// checked since it is being hardcoded within this security token service and does not
// depend on the request hence.
var appliesTo = request.AppliesTo.Uri.AbsoluteUri;
if(appliesTo != "http://www.silkveil.net/")
{
throw new SecurityException(string.Format(CultureInfo.CurrentUICulture,
"The uri '{0}' is not supported.", appliesTo));
}
// Create the scope.
var scope = new Scope(
request.AppliesTo.Uri.OriginalString,
this.SecurityTokenServiceConfiguration.SigningCredentials,
new X509EncryptingCredentials(new CertificateManager().GetEncryptingCertificate()));
// Get the navigation service.
var navigationService = this._container.Resolve<INavigationService>();
// Set the reply to address.
scope.ReplyToAddress = navigationService.GetUIPath();
// Return the scope to the caller.
return scope;
}
protected override IClaimsIdentity GetOutputClaimsIdentity(IClaimsPrincipal principal, RequestSecurityToken request, Scope scope)
{
if (null == principal)
{
throw new ArgumentNullException("principal");
}
var name = principal.FindClaims(ClaimTypes.Name).First().Value;
var nameId = new Claim(ClaimTypes.NameIdentifier, name);
var userClaims = new List <Claim>
{
new Claim(ClaimTypes.Name, name),
nameId,
new Claim(ClaimTypes.AuthenticationMethod, principal.FindClaims(ClaimTypes.AuthenticationMethod).First().Value),
new Claim(ClaimTypes.AuthenticationInstant, XmlConvert.ToString(DateTime.UtcNow, "yyyy-MM-ddTHH:mm:ss.fffZ"), ClaimValueTypes.Datetime),
new Claim(ClaimTypes.Upn, principal.FindClaims(ClaimTypes.Upn).First().Value),
new Claim(ClaimTypes.Sid, principal.FindClaims(ClaimTypes.Sid).First().Value),
};
userClaims.AddRange(principal.FindClaims(ClaimTypes.GroupSid));
var outputIdentity = new ClaimsIdentity(userClaims);
return(outputIdentity);
}
public bool TryIssueToken(EndpointAddress appliesTo, IClaimsPrincipal principal, string tokenType, out TokenResponse response)
{
SecurityToken token = null;
response = new TokenResponse {
TokenType = tokenType
};
var result = TryIssueToken(appliesTo, principal, tokenType, out token);
if (result == false)
{
return(false);
}
var swt = token as SimpleWebToken;
if (swt != null)
{
response.TokenString = swt.RawToken;
response.ContentType = "text";
}
else
{
var handler = FederatedAuthentication.ServiceConfiguration.SecurityTokenHandlers;
var sb = new StringBuilder(128);
handler.WriteToken(new XmlTextWriter(new StringWriter(sb)), token);
response.ContentType = "text/xml";
response.TokenString = sb.ToString();
}
return(result);
}
public static string GetUsedEmail(IClaimsPrincipal claimsPrincipal)
{
if (claimsPrincipal == null)
{
return(GenerateFakeEmail());
}
var claimsIdentity = (IClaimsIdentity)claimsPrincipal.Identity;
if (claimsIdentity.Name.Contains('@'))
{
// parse a claim identity to pull out a user's name
var nameSplit = claimsIdentity.Name.Split('|');
if (nameSplit.Length == 3)
{
return(nameSplit[2]);
}
return(claimsIdentity.Name);
}
var possibleUpn = LookForClaim(claimsIdentity.Claims, Constants.ClaimUpnSts);
if (possibleUpn != null)
{
return(possibleUpn);
}
possibleUpn = LookForClaim(claimsIdentity.Claims, Constants.ClaimUpnSp);
if (possibleUpn != null)
{
return(possibleUpn);
}
return(GenerateFakeEmail());
}
protected override Scope GetScope(IClaimsPrincipal principal, RequestSecurityToken request)
{
this.scopeModel = this.ValidateAppliesTo(request.AppliesTo);
var scope = new Scope(request.AppliesTo.Uri.OriginalString, SecurityTokenServiceConfiguration.SigningCredentials);
scope.TokenEncryptionRequired = false;
string replyTo;
if (!string.IsNullOrEmpty(request.ReplyTo))
{
replyTo = request.ReplyTo;
}
else if (this.scopeModel.Url != null)
{
replyTo = this.scopeModel.Url.ToString();
}
else
{
replyTo = scope.AppliesToAddress;
}
scope.ReplyToAddress = replyTo;
return scope;
}
protected override IClaimsIdentity GetOutputClaimsIdentity(IClaimsPrincipal principal, RequestSecurityToken request, Scope scope)
{
if (principal == null)
{
throw new ArgumentNullException("incomingPrincipal");
}
// We should have only one Identity.
if (principal.Identities.Count != 1)
{
throw new ArgumentException("incomingPrincipal");
}
IClaimsIdentity identity = principal.Identities[0];
string experienceClass = "Beginner";
experienceClassMap.TryGetValue(identity.Name, out experienceClass);
return(new ClaimsIdentity(
new Claim[]
{
new Claim(WSIdentityConstants.ClaimTypes.Name, identity.Name),
new Claim(PetShopClaimTypes.ExperienceClass, experienceClass)
}));
}
protected override IClaimsIdentity GetOutputClaimsIdentity(IClaimsPrincipal principal, RequestSecurityToken request, Scope scope)
{
if (null == principal)
{
throw new ArgumentNullException("principal");
}
var outputIdentity = new ClaimsIdentity();
IEnumerable <Claim> outputClaims;
if (this.scopeModel.UseClaimsPolicyEngine)
{
IClaimsPolicyEvaluator evaluator = new ClaimsPolicyEvaluator(PolicyStoreFactory.Instance);
outputClaims = evaluator.Evaluate(new Uri(scope.AppliesToAddress), ((IClaimsIdentity)principal.Identity).Claims);
}
else
{
outputClaims = ((IClaimsIdentity)principal.Identity).Claims;
}
outputIdentity.Claims.AddRange(outputClaims);
if (outputIdentity.Name == null && outputIdentity.Claims.SingleOrDefault(c => c.ClaimType == ClaimTypes.NameIdentifier) != null)
{
outputIdentity.Claims.Add(new Claim(ClaimTypes.Name, outputIdentity.Claims.SingleOrDefault(c => c.ClaimType == ClaimTypes.NameIdentifier).Value));
}
return(outputIdentity);
}
/// <summary>
/// This method returns the claims to be issued in the token.
/// </summary>
/// <param name="principal">The caller's principal.</param>
/// <param name="request">The incoming RST, can be used to obtain addtional information.</param>
/// <param name="scope">The scope information corresponding to this request.</param>
/// <exception cref="ArgumentNullException">If 'principal' parameter is null.</exception>
/// <returns>The outgoing claimsIdentity to be included in the issued token.</returns>
protected override IClaimsIdentity GetOutputClaimsIdentity(IClaimsPrincipal principal, RequestSecurityToken request, Scope scope)
{
if (null == principal)
{
throw new ArgumentNullException("principal");
}
ClaimsIdentity outputIdentity = new ClaimsIdentity();
// Issue custom claims.
// TODO: Change the claims below to issue custom claims required by your application.
// Update the application's configuration file too to reflect new claims requirement.
outputIdentity.Claims.Add(new Claim(System.IdentityModel.Claims.ClaimTypes.Name, principal.Identity.Name));
outputIdentity.Claims.Add(new Claim(ClaimTypes.Role, "Manager"));
// Gunnar: my custom claim
outputIdentity.Claims.Add(new Claim(ClaimTypes.Email, "*****@*****.**"));
outputIdentity.Claims.Add(new Claim(ClaimTypes.Gender, "Male"));
outputIdentity.Claims.Add(new Claim(ClaimTypes.HomePhone, "12345"));
outputIdentity.Claims.Add(new Claim(ClaimTypes.Webpage, "carter.was.here"));
return(outputIdentity);
}
private void AuthorizeCall(IClaimsPrincipal principal)
{
string action = OperationContext.Current.RequestContext.RequestMessage.Headers.Action;
ClaimsPrincipalPermission p = null;
switch (action)
{
case "http://www.thatindigogirl.com/samples/2006/06/ICrudService/CreateSomething":
p = new ClaimsPrincipalPermission(true, new DefaultClaimSet(ClaimsAuthorizationPolicy.CreateIssuerClaimSet(), ClaimsAuthorizationPolicy.CreateApplicationCreateClaim()));
p.CheckClaims(principal);
break;
case "http://www.thatindigogirl.com/samples/2006/06/ICrudService/ReadSomething":
p = new ClaimsPrincipalPermission(true, new DefaultClaimSet(ClaimsAuthorizationPolicy.CreateIssuerClaimSet(), ClaimsAuthorizationPolicy.CreateApplicationReadClaim()));
p.CheckClaims(principal);
break;
case "http://www.thatindigogirl.com/samples/2006/06/ICrudService/UpdateSomething":
p = new ClaimsPrincipalPermission(true, new DefaultClaimSet(ClaimsAuthorizationPolicy.CreateIssuerClaimSet(), ClaimsAuthorizationPolicy.CreateApplicationUpdateClaim()));
p.CheckClaims(principal);
break;
case "http://www.thatindigogirl.com/samples/2006/06/ICrudService/DeleteSomething":
p = new ClaimsPrincipalPermission(true, new DefaultClaimSet(ClaimsAuthorizationPolicy.CreateIssuerClaimSet(), ClaimsAuthorizationPolicy.CreateApplicationDeleteClaim()));
p.CheckClaims(principal);
break;
}
}
/// <summary>
/// Gets the output claims identity.
/// </summary>
/// <param name="principal">The principal.</param>
/// <param name="request">The request.</param>
/// <param name="scope">The scope.</param>
/// <returns>Returns output claims identity.</returns>
protected override IClaimsIdentity GetOutputClaimsIdentity(IClaimsPrincipal principal, RequestSecurityToken request, Scope scope)
{
if (null == principal)
{
throw new ArgumentNullException("principal");
}
const string ContainerName = "defaultContainer";
UnityConfigurationSection section = ConfigurationManager.GetSection("unity") as UnityConfigurationSection;
if (!section.Containers.Any(container => container.Name == ContainerName))
{
throw new ArgumentException("No defaultContainer in unity configuration section.");
}
UnityContainer unityContainer = new UnityContainer();
section.Configure(unityContainer, ContainerName);
IClaimProvider claimProvider = unityContainer.Resolve <IClaimProvider>();
ClaimsIdentity outputIdentity = new ClaimsIdentity(principal.Identity);
string[] canHandleTypes = claimProvider.CanHandle(new[] { System.IdentityModel.Claims.ClaimTypes.Name }, outputIdentity);
outputIdentity = claimProvider.UpdateIdentity(canHandleTypes, outputIdentity) as ClaimsIdentity;
Logger.Write("Created claims identity: " + outputIdentity.Name);
return(outputIdentity);
}
/// <summary>
/// This method returns the configuration for the token issuance request. The configuration
/// is represented by the Scope class. In our case, we are only capable of issuing a token for a
/// single RP identity represented by the EncryptingCertificateName.
/// </summary>
/// <param name="principal">The caller's principal.</param>
/// <param name="request">The incoming RST.</param>
/// <returns>The scope information to be used for the token issuance.</returns>
protected override Scope GetScope(IClaimsPrincipal principal, RequestSecurityToken request)
{
ValidateAppliesTo(request.AppliesTo);
//
// Note: The signing certificate used by default has a Distinguished name of "CN=STSTestCert",
// and is located in the Personal certificate store of the Local Computer. Before going into production,
// ensure that you change this certificate to a valid CA-issued certificate as appropriate.
//
Scope scope = new Scope(request.AppliesTo.Uri.OriginalString, SecurityTokenServiceConfiguration.SigningCredentials);
string encryptingCertificateName = WebConfigurationManager.AppSettings["EncryptingCertificateName"];
if (!string.IsNullOrEmpty(encryptingCertificateName))
{
// Important note on setting the encrypting credentials.
// In a production deployment, you would need to select a certificate that is specific to the RP that is requesting the token.
// You can examine the 'request' to obtain information to determine the certificate to use.
scope.EncryptingCredentials = new X509EncryptingCredentials(CertificateUtil.GetCertificate(StoreName.My, StoreLocation.LocalMachine, encryptingCertificateName));
}
else
{
// If there is no encryption certificate specified, the STS will not perform encryption.
// This will succeed for tokens that are created without keys (BearerTokens) or asymmetric keys. Symmetric keys are
// required to be 'wrapped' and the STS will throw.
scope.TokenEncryptionRequired = false;
// Symmetric keys are required to be 'wrapped' or the STS will throw, uncomment the code below to turn off proof key encryption.
// Turning off proof key encryption is not secure and should not be used in a deployment scenario.
scope.SymmetricKeyEncryptionRequired = false;
}
return(scope);
}
public override IClaimsPrincipal Authenticate(string endpointUri, IClaimsPrincipal incomingPrincipal)
{
Console.WriteLine("\n--ClaimsAuthenticationManager.Authenticate");
string issuer = "ClaimsAuthenticationManager";
var identity = incomingPrincipal.First();
ClaimsIdentity id = new ClaimsIdentity(new List <Claim>
{
new Claim(WSIdentityConstants.ClaimTypes.Name,
identity.Name,
ClaimValueTypes.String,
issuer),
new Claim("http://www.thinktecture.com/claims/clearance",
"Secret",
ClaimValueTypes.String,
issuer),
identity.FindClaims(ClaimTypes.AuthenticationMethod).First(),
identity.FindClaims(ClaimTypes.AuthenticationInstant).First()
});
return(new ClaimsPrincipal(new List <IClaimsIdentity> {
id
}));
}
/// <summary>
/// Analyzes the token request
/// </summary>
/// <param name="principal">The principal.</param>
/// <param name="request">The request.</param>
/// <returns>A PolicyScope that describes the relying party and policy options</returns>
protected override Scope GetScope(IClaimsPrincipal principal, RequestSecurityToken rst)
{
if (rst.AppliesTo == null)
{
Tracing.Error(string.Format("token request from {0} - but no realm specified.",
principal.Identity.Name));
throw new MissingAppliesToException();
}
Tracing.Information(string.Format("Starting token request from {0} for {1}",
principal.Identity.Name,
rst.AppliesTo.Uri.AbsoluteUri));
Tracing.Information("Authentication method: " + principal.Identities.First().GetClaimValue(ClaimTypes.AuthenticationMethod));
// analyze request
var request = new Request(GlobalConfiguration);
var details = request.Analyze(rst, principal);
// validate against policy
request.Validate(details);
// create scope
var scope = new RequestDetailsScope(
details,
SecurityTokenServiceConfiguration.SigningCredentials,
GlobalConfiguration.RequireEncryption);
return scope;
}
/// <summary>
/// This method returns the claims to be issued in the token.
/// </summary>
/// <param name="principal">The caller's principal.</param>
/// <param name="request">The incoming RST, can be used to obtain addtional information.</param>
/// <param name="scope">The scope information corresponding to this request.</param>
/// <exception cref="ArgumentNullException">If 'principal' parameter is null.</exception>
/// <returns>The outgoing claimsIdentity to be included in the issued token.</returns>
protected override IClaimsIdentity GetOutputClaimsIdentity(IClaimsPrincipal principal, RequestSecurityToken request, Scope scope)
{
if (null == principal)
{
throw new ArgumentNullException("principal");
}
ClaimsIdentity outputIdentity = new ClaimsIdentity();
// Issue custom claims.
// TODO: Change the claims below to issue custom claims required by your application.
// Update the application's configuration file too to reflect new claims requirement.
//outputIdentity.Claims.Add( new Claim( System.IdentityModel.Claims.ClaimTypes.Name, principal.Identity.Name ) );
//outputIdentity.Claims.Add( new Claim( ClaimTypes.Role, "Manager" ) );
//Wingtip implementation
string username = principal.Identity.Name;
List <Claim> claims = UserInfo.GetClaimsForUser(username);
foreach (Claim claim in claims)
{
outputIdentity.Claims.Add(claim);
}
return(outputIdentity);
}
public override IClaimsPrincipal Authenticate(string resourceName, IClaimsPrincipal incomingPrincipal)
{
// do nothing if anonymous request
if (!incomingPrincipal.Identity.IsAuthenticated)
{
return base.Authenticate(resourceName, incomingPrincipal);
}
var userRepo = (System.Web.Mvc.DependencyResolver.Current.GetService(typeof(Blog.Dal.UserRepo)) as Blog.Dal.UserRepo);
string uniqueId = GetUniqueId(incomingPrincipal);
// check if user is registered
var user = userRepo.GetUserByIdentity(uniqueId);
if (user == null)
{
//user = userRepo.CreateUser(uniqueId);
//user.Claims.AddRange(ToSimpleClaim(uniqueId, incomingPrincipal.Identities[0].Claims));
}
else
{
// sync claims
}
//return CreateUserPrincipal(uniqueId, data);
//// authenticated by ACS, but not registered
//// create unique id claim
//incomingPrincipal.Identities[0].Claims.Add(new Claim(Constants.ClaimTypes.Id, uniqueId));
//return incomingPrincipal;
return base.Authenticate(resourceName, incomingPrincipal);
}
public override bool CheckAccess(AuthorizationContext context)
{
Claim actionClaim = context.Action.Where(x => x.ClaimType == ClaimTypes.Name).FirstOrDefault();
Claim resourceClaim = context.Resource.Where(x => x.ClaimType == ClaimTypes.Name).FirstOrDefault();
IClaimsPrincipal principal = context.Principal;
var resource = new Uri(resourceClaim.Value);
string action = actionClaim.Value;
if (action == "GET" && resource.PathAndQuery.Contains("/frommyorganization"))
{
if (!principal.IsInRole("Sales"))
{
return(false);
}
}
if (action == "GET" && resource.PathAndQuery.Contains("/all"))
{
if (!principal.IsInRole("Sales Manager"))
{
return(false);
}
}
return(true);
}
/// <summary>
/// Gets the scope.
/// </summary>
/// <param name="principal">The principal.</param>
/// <param name="request">The request.</param>
/// <returns>Returns scope.</returns>
protected override Scope GetScope(IClaimsPrincipal principal, RequestSecurityToken request)
{
ValidateAppliesTo(request.AppliesTo);
Scope scope = new Scope(request.AppliesTo.Uri.OriginalString, SecurityTokenServiceConfiguration.SigningCredentials)
{
AppliesToAddress = request.AppliesTo.Uri.AbsoluteUri
};
string encryptingCertificateName = GetEncryptingCertificateName(request.AppliesTo.Uri.ToString());
if (!string.IsNullOrEmpty(encryptingCertificateName))
{
scope.EncryptingCredentials = new X509EncryptingCredentials(CertificateUtil.GetCertificate(StoreName.My, StoreLocation.LocalMachine, encryptingCertificateName));
}
else
{
scope.TokenEncryptionRequired = false;
}
if (Uri.IsWellFormedUriString(request.ReplyTo, UriKind.Absolute))
{
scope.ReplyToAddress = request.AppliesTo.Uri.Host != new Uri(request.ReplyTo).Host ? request.AppliesTo.Uri.AbsoluteUri : request.ReplyTo;
}
else
{
Uri resultUri = null;
scope.ReplyToAddress = Uri.TryCreate(request.AppliesTo.Uri, request.ReplyTo, out resultUri) ? resultUri.AbsoluteUri : request.AppliesTo.Uri.ToString();
}
return(scope);
}
protected override Scope GetScope(IClaimsPrincipal principal, RequestSecurityToken request)
{
this.scopeModel = this.ValidateAppliesTo(request.AppliesTo);
var scope = new Scope(request.AppliesTo.Uri.OriginalString, SecurityTokenServiceConfiguration.SigningCredentials);
scope.TokenEncryptionRequired = false;
string replyTo;
if (!string.IsNullOrEmpty(request.ReplyTo))
{
replyTo = request.ReplyTo;
}
else if (this.scopeModel.Url != null)
{
replyTo = this.scopeModel.Url.ToString();
}
else
{
replyTo = scope.AppliesToAddress;
}
scope.ReplyToAddress = replyTo;
return(scope);
}
/*internal void UpdateProfile(string ProfileAttribute, string Value)
* {
* uP[ProfileAttribute].Value = Value;
* needProfileUpdate = true;
* }*/
internal Dictionary <string, string> GetClaimsForUser()
{
Dictionary <string, string> claims = new Dictionary <string, string>();
IClaimsPrincipal cp = (IClaimsPrincipal)Thread.CurrentPrincipal;
foreach (var c in cp.Identities[0].Claims)
{
string type = c.ClaimType.Substring(c.ClaimType.LastIndexOf('/') + 1);
try
{
if (!String.IsNullOrEmpty(c.Value))
{
if (c.Value.ToUpper() != "NA_NULL")
{
claims.Add(type, c.Value.Replace(" ", "_"));
}
}
}
catch (ArgumentException)
{
//duplicated claimtype from acs and sharepoint
}
}
return(claims);
}
protected override Scope GetScope(IClaimsPrincipal principal, RequestSecurityToken request)
{
Scope scope = new Scope(request.AppliesTo.Uri.AbsoluteUri, SecurityTokenServiceConfiguration.SigningCredentials);
string encryptingCertificateName = WebConfigurationManager.AppSettings[ApplicationSettingsNames.EncryptingCertificateName];
if (!string.IsNullOrEmpty(encryptingCertificateName))
{
scope.EncryptingCredentials = new X509EncryptingCredentials(CertificateUtilities.GetCertificate(StoreName.My, StoreLocation.LocalMachine, encryptingCertificateName));
}
else
{
scope.TokenEncryptionRequired = false;
}
if (!string.IsNullOrEmpty(request.ReplyTo))
{
scope.ReplyToAddress = request.ReplyTo;
}
else
{
scope.ReplyToAddress = scope.AppliesToAddress;
}
return scope;
}
/// <summary>
/// This method returns the claims to be included in the issued token.
/// </summary>
/// <param name="scope">The scope that was previously returned by GetScope method</param>
/// <param name="principal">The caller's principal</param>
/// <param name="request">The incoming RST</param>
/// <returns>The claims to be included in the issued token.</returns>
protected override IClaimsIdentity GetOutputClaimsIdentity(IClaimsPrincipal principal, RequestSecurityToken request, Scope scope)
{
IClaimsIdentity callerIdentity = (IClaimsIdentity)principal.Identity;
Console.WriteLine("\nRequest from: " + callerIdentity.Name + "\n");
IClaimsIdentity outputIdentity = new ClaimsIdentity();
// Create a name claim from the incoming identity.
Claim nameClaim = new Claim(ClaimTypes.Name, callerIdentity.Name);
// Create an 'Age' claim with a value of 25. In a real scenario, this may likely be looked up from a database.
Claim ageClaim = new Claim("http://WindowsIdentityFoundationSamples/2008/05/AgeClaim", "25", ClaimValueTypes.Integer);
outputIdentity.Claims.Add(nameClaim);
Console.WriteLine("ClaimType : " + nameClaim.ClaimType);
Console.WriteLine("ClaimValue : " + nameClaim.Value);
Console.WriteLine();
Console.WriteLine("ClaimType : " + ageClaim.ClaimType);
Console.WriteLine("ClaimValue : " + ageClaim.Value);
Console.WriteLine("===========================");
outputIdentity.Claims.Add(ageClaim);
return(outputIdentity);
}
public IEnumerable<Claim> GetClaims(IClaimsPrincipal principal, RequestDetails requestDetails)
{
var userName = principal.Identity.Name;
var claims = new List<Claim>();
// email address
string email = Membership.FindUsersByName(userName)[userName].Email;
if (!String.IsNullOrEmpty(email))
{
claims.Add(new Claim(ClaimTypes.Email, email));
}
// roles
GetRoles(userName, RoleTypes.Client).ToList().ForEach(role => claims.Add(new Claim(ClaimTypes.Role, role)));
// profile claims
if (ProfileManager.Enabled)
{
var profile = ProfileBase.Create(userName, true);
if (profile != null)
{
foreach (SettingsProperty prop in ProfileBase.Properties)
{
string value = profile.GetPropertyValue(prop.Name).ToString();
if (!String.IsNullOrWhiteSpace(value))
{
claims.Add(new Claim(ProfileClaimPrefix + prop.Name.ToLowerInvariant(), value));
}
}
}
}
return claims;
}
public bool TryIssueToken(EndpointAddress appliesTo, IClaimsPrincipal principal, string tokenType, out SecurityToken token)
{
token = null;
var rst = new RequestSecurityToken
{
RequestType = RequestTypes.Issue,
AppliesTo = appliesTo,
KeyType = KeyTypes.Bearer,
TokenType = tokenType
};
var sts = TokenServiceConfiguration.Current.CreateSecurityTokenService();
try
{
var rstr = sts.Issue(principal, rst);
token = rstr.RequestedSecurityToken.SecurityToken;
return(true);
}
catch
{
return(false);
}
}
/// <summary>
/// Sets Windows Identify Foundation Claims
/// </summary>
internal static void SetClaims()
{
if (HttpContext.Current.ApplicationInstance.IsSTSaware())
{
//Set Claims
IClaimsPrincipal principal = (IClaimsPrincipal)Thread.CurrentPrincipal;
IClaimsIdentity identity = (IClaimsIdentity)principal.Identity;
UserProfile Profile = GetCurrentConnectionToken().Profile;
if (!string.IsNullOrEmpty(Profile.DateOfBirth))
{
identity.Claims.Add(new Claim(ClaimTypes.DateOfBirth.ToString(), Profile.DateOfBirth, "string", "SocialAuth.NET", Profile.Provider.ToString()));
}
if (!string.IsNullOrEmpty(Profile.FirstName))
{
identity.Claims.Add(new Claim(ClaimTypes.GivenName.ToString(), Profile.FirstName, "string", "SocialAuth.NET", Profile.Provider.ToString()));
}
if (!string.IsNullOrEmpty(Profile.LastName))
{
identity.Claims.Add(new Claim(ClaimTypes.Surname.ToString(), Profile.LastName, "string", "SocialAuth.NET", Profile.Provider.ToString()));
}
if (!string.IsNullOrEmpty(Profile.Email))
{
identity.Claims.Add(new Claim(ClaimTypes.Email.ToString(), Profile.Email, "string", "SocialAuth.NET", Profile.Provider.ToString()));
}
if (!string.IsNullOrEmpty(Profile.Gender))
{
identity.Claims.Add(new Claim(ClaimTypes.Gender.ToString(), Profile.Gender, "string", "SocialAuth.NET", Profile.Provider.ToString()));
}
if (!string.IsNullOrEmpty(Profile.Country))
{
identity.Claims.Add(new Claim(ClaimTypes.Country.ToString(), Profile.Country, "string", "SocialAuth.NET", Profile.Provider.ToString()));
}
}
}
/// <summary>
/// This method returns the configuration for the token issuance request. The configuration
/// is represented by the Scope class. In our case, we are only capable of issuing a token for a
/// single RP identity represented by the EncryptingCertificateName.
/// </summary>
/// <param name="principal">The caller's principal.</param>
/// <param name="request">The incoming RST.</param>
/// <returns>The scope information to be used for the token issuance.</returns>
protected override Scope GetScope(IClaimsPrincipal principal, RequestSecurityToken request)
{
ValidateAppliesTo(request.AppliesTo);
//
// Note: The signing certificate used by default has a Distinguished name of "CN=STSTestCert",
// and is located in the Personal certificate store of the Local Computer. Before going into production,
// ensure that you change this certificate to a valid CA-issued certificate as appropriate.
//
Scope scope = new Scope(request.AppliesTo.Uri.OriginalString, SecurityTokenServiceConfiguration.SigningCredentials);
if (!string.IsNullOrEmpty(_encryptingCertificateName))
{
// Important note on setting the encrypting credentials.
// In a production deployment, you would need to select a certificate that is specific to the RP that is requesting the token.
// You can examine the 'request' to obtain information to determine the certificate to use.
scope.EncryptingCredentials = new X509EncryptingCredentials(CertificateUtil.GetCertificate(StoreName.My, StoreLocation.LocalMachine, _encryptingCertificateName));
}
else
{
// If there is no encryption certificate specified, the STS will not perform encryption.
// This will succeed for tokens that are created without keys (BearerTokens) or asymmetric keys.
scope.TokenEncryptionRequired = false;
}
// Set the ReplyTo address for the WS-Federation passive protocol (wreply). This is the address to which responses will be directed.
// In this template, we have chosen to set this to the AppliesToAddress.
scope.ReplyToAddress = scope.AppliesToAddress;
return scope;
}
/// <summary>
/// This overriden method returns a collection of output subjects to be included in the issued token.
/// </summary>
/// <param name="scope">The scope information about the Relying Party.</param>
/// <param name="principal">The IClaimsPrincipal that represents the identity of the requestor.</param>
/// <param name="request">The token request parameters that arrived in the call.</param>
/// <returns>The claims collection that will be placed inside the issued token.</returns>
protected override IClaimsIdentity GetOutputClaimsIdentity(IClaimsPrincipal principal, RequestSecurityToken request, Scope scope)
{
string clientName = ServiceSecurityContext.Current.PrimaryIdentity.Name;
if (string.IsNullOrEmpty(clientName))
{
throw new FaultException("The client name was not specified.");
}
// Create Name and PurchaseLimit claims
List <Claim> claims = new List <Claim>();
//
// Purchase limit claim
//
double purchaseLimit = GetPurchaseLimit();
Claim plClaim = new Claim(ScenarioConstants.PurchaseLimitClaim, purchaseLimit.ToString());
claims.Add(plClaim);
//
// Name claim
//
Claim nameClaim = new Claim(ClaimTypes.Name, clientName);
claims.Add(nameClaim);
return(new ClaimsIdentity(claims));
}
public override IClaimsPrincipal Authenticate(string resourceName, IClaimsPrincipal incomingPrincipal)
{
if (incomingPrincipal.Identity.IsAuthenticated)
{
var identity = incomingPrincipal.Identity as IClaimsIdentity;
var user = EnsureApplicationUser(identity);
if (user != null)
{
if (identity.Claims.FirstOrDefault(c => c.ClaimType == ClaimTypes.Name) == null)
{
identity.Claims.Add(new Claim(ClaimTypes.Name, user.Name, user.Name.GetType().Name, ClaimIssuerName));
}
if (identity.Claims.FirstOrDefault(c => c.ClaimType == ClaimTypes.Email) == null)
{
identity.Claims.Add(new Claim(ClaimTypes.Email, user.Email, user.Email.GetType().Name, ClaimIssuerName));
}
foreach (var role in user.Roles)
{
identity.Claims.Add(new Claim(ClaimTypes.Role, role.RoleName, role.RoleName.GetType().Name, ClaimIssuerName));
}
}
}
return incomingPrincipal;
}
public IEnumerable <Claim> GetClaims(IClaimsPrincipal principal, RequestDetails requestDetails)
{
var userName = principal.Identity.Name;
var claims = new List <Claim>();
// email address
string email = Membership.FindUsersByName(userName)[userName].Email;
if (!String.IsNullOrEmpty(email))
{
claims.Add(new Claim(ClaimTypes.Email, email));
}
// roles
GetRolesForToken(userName).ToList().ForEach(role => claims.Add(new Claim(ClaimTypes.Role, role)));
// profile claims
if (ProfileManager.Enabled)
{
var profile = ProfileBase.Create(userName, true);
if (profile != null)
{
foreach (SettingsProperty prop in ProfileBase.Properties)
{
string value = profile.GetPropertyValue(prop.Name).ToString();
if (!String.IsNullOrWhiteSpace(value))
{
claims.Add(new Claim(ProfileClaimPrefix + prop.Name.ToLowerInvariant(), value));
}
}
}
}
return(claims);
}
/// <summary>
/// This method returns the configuration for the token issuance request. The configuration
/// is represented by the Scope class. In our case, we are only capable of issuing a token to a
/// single RP identity represented by the EncryptingCertificateName.
/// </summary>
/// <param name="principal">The caller's principal</param>
/// <param name="request">The incoming RST</param>
/// <returns>The scope information to be used for the token-issuance.</returns>
protected override Scope GetScope(IClaimsPrincipal principal, RequestSecurityToken request)
{
ValidateAppliesTo(request.AppliesTo);
Scope scope = new Scope(request.AppliesTo.Uri.AbsoluteUri, SecurityTokenServiceConfiguration.SigningCredentials);
// Setting the encrypting credentials
// Note: In this sample app, the same certificate (localhost) is used to encrypt the token for both
// PassiveRedirectBasedClaimsAwareWebApp and WebControlBasedClaimsAwareWebAppAddress
// In a production deployment, you would need to select the certificate that is specific to the RP that is requesting the token.
scope.EncryptingCredentials = new X509EncryptingCredentials(CertificateUtil.GetCertificate(StoreName.My, StoreLocation.LocalMachine, EncryptingCertificateName));
// Set the ReplyTo address for the WS-Federation passive protocol (wreply). This is the address to which responses will be directed.
if (request.ReplyTo != null && request.ReplyTo.ToString().StartsWith(request.AppliesTo.Uri.ToString()))
{
// A valid ReplyTo address was provided. We use it to send the response.
scope.ReplyToAddress = request.ReplyTo.ToString();
}
else
{
// If the ReplyTo address is not provided or does not match the AppliesTo,
// we set this to the Default.aspx page on the Relying Party. Note that this is not used in the WS-Trust active case.
scope.ReplyToAddress = scope.AppliesToAddress + "/Default.aspx";
}
return(scope);
}
/// <summary>
/// Analyzes the token request
/// </summary>
/// <param name="principal">The principal.</param>
/// <param name="request">The request.</param>
/// <returns>A PolicyScope that describes the relying party and policy options</returns>
protected override Scope GetScope(IClaimsPrincipal principal, RequestSecurityToken rst)
{
if (rst.AppliesTo == null)
{
Tracing.Error(string.Format("token request from {0} - but no realm specified.",
principal.Identity.Name));
throw new MissingAppliesToException();
}
Tracing.Information(string.Format("Starting token request from {0} for {1}",
principal.Identity.Name,
rst.AppliesTo.Uri.AbsoluteUri));
Tracing.Information("Authentication method: " + principal.Identities.First().GetClaimValue(ClaimTypes.AuthenticationMethod));
// analyze request
var request = new Request(GlobalConfiguration);
var details = request.Analyze(rst, principal);
// validate against policy
request.Validate(details);
// create scope
var scope = new RequestDetailsScope(
details,
SecurityTokenServiceConfiguration.SigningCredentials,
GlobalConfiguration.RequireEncryption);
return(scope);
}
public override IClaimsPrincipal Authenticate(string resourceName, IClaimsPrincipal incomingPrincipal)
{
if (!incomingPrincipal.Identity.IsAuthenticated)
{
return(base.Authenticate(resourceName, incomingPrincipal));
}
//Add permission claimes to identity
if (SessionManager.User != null)
{
using (ConfigurationCoordinator coordinator = new ConfigurationCoordinator(false, false))
{
//SessionManager.VolatileElements.ClientCommand = "GetConfiguration";
var profile = coordinator.GetConfiguration("permissions.profiles." + SessionManager.User.PermissionProfile);
foreach (var permission in profile.Root.Element("configValue").Element("profile").Element("permissions").Elements("permission"))
{
var claim = new Claim(FractusClaimTypes.Permission, permission.Attribute("key").Value);
incomingPrincipal.Identities[0].Claims.Add(claim);
}
}
}
return(incomingPrincipal);
}
protected override IClaimsIdentity GetOutputClaimsIdentity(IClaimsPrincipal principal, RequestSecurityToken request, Scope scope)
{
var outputIdentity = new ClaimsIdentity();
if (null == principal)
{
throw new InvalidRequestException("The caller's principal is null.");
}
switch (principal.Identity.Name.ToUpperInvariant())
{
// In a production environment, all the information that will be added
// as claims should be read from the authenticated Windows Principal.
// The following lines are hardcoded because windows integrated
// authentication is disabled.
case "ADATUM\\JOHNDOE":
outputIdentity.Claims.AddRange(new List <Claim>
{
new Claim(System.IdentityModel.Claims.ClaimTypes.Name, "ADATUM\\johndoe"),
new Claim(AllOrganizations.ClaimTypes.Group, Adatum.Groups.DomainUsers),
new Claim(AllOrganizations.ClaimTypes.Group, Adatum.Groups.MarketingManagers)
});
break;
}
return(outputIdentity);
}
protected override Scope GetScope(IClaimsPrincipal principal, RequestSecurityToken request)
{
Scope scope = new Scope(request.AppliesTo.Uri.AbsoluteUri, SecurityTokenServiceConfiguration.SigningCredentials);
string encryptingCertificateName = WebConfigurationManager.AppSettings[ApplicationSettingsNames.EncryptingCertificateName];
if (!string.IsNullOrEmpty(encryptingCertificateName))
{
scope.EncryptingCredentials = new X509EncryptingCredentials(CertificateUtilities.GetCertificate(StoreName.My, StoreLocation.LocalMachine, encryptingCertificateName));
}
else
{
scope.TokenEncryptionRequired = false;
}
if (!string.IsNullOrEmpty(request.ReplyTo))
{
scope.ReplyToAddress = request.ReplyTo;
}
else
{
scope.ReplyToAddress = scope.AppliesToAddress;
}
return(scope);
}
protected override Scope GetScope(IClaimsPrincipal principal, RequestSecurityToken request)
{
throw new NotImplementedException();
var scope = new Scope();
return scope;
}
/// <summary>
/// This method returns the claims to be issued in the token.
/// </summary>
/// <param name="scope">The scope information corresponding to this request.</param>
/// <param name="principal">The caller's principal</param>
/// <param name="request">The incoming RST, we don't use this in our implementation</param>
/// <returns>The outgoing claimsIdentity to be included in the issued token.</returns>
protected override IClaimsIdentity GetOutputClaimsIdentity(IClaimsPrincipal principal, RequestSecurityToken request, Scope scope)
{
ClaimsIdentity outputIdentity = new ClaimsIdentity();
if (null == principal)
{
throw new InvalidRequestException("The caller's principal is null.");
}
// Issue the common claims
// NOTE: In this sample, these claims must match the claims actually generated in Common.GetFederationMetadata.
// In a production system, there would be some common data store that both use
outputIdentity.Claims.Add(new Claim(ClaimTypes.Name, principal.Identity.Name));
outputIdentity.Claims.Add(new Claim(ClaimTypes.Role, "Manager"));
// Issue a custom claim if requested
IEnumerable <RequestClaim> claimCollection = (from c in request.SecondaryParameters.Claims
where c.ClaimType == Common.QuotationClassClaimType
select c);
if (claimCollection.Count <RequestClaim>() > 0)
{
outputIdentity.Claims.Add(GetRandomQuoteClassClaim());
}
return(outputIdentity);
}
protected void Page_Load(object sender, EventArgs e)
{
// Convert to an IClaimPrincipal so we can access Claims properties
IClaimsPrincipal claimsPrincipal = (IClaimsPrincipal)this.User;
// Get collection of claims
ClaimCollection claims = claimsPrincipal.Identities[0].Claims;
StringBuilder sbClaims = new StringBuilder();
// Iterate through claims, build list for rendering to UI
foreach (Claim claim in claims)
{
if (claim.ClaimType.Contains("identityprovider"))
{
lblIdP.Text = claim.Value;
}
sbClaims.AppendLine(claim.ClaimType + ": " + claim.Value);
}
lblClaims.Text = sbClaims.ToString();
// check to see if the user is in the admin role
if (User.IsInRole("admin"))
{
EnableAdminAccess();
}
}
protected override IClaimsIdentity GetOutputClaimsIdentity(IClaimsPrincipal principal, RequestSecurityToken request, Scope scope)
{
var output = new ClaimsIdentity();
if (null == principal)
{
throw new InvalidRequestException("The caller's principal is null.");
}
var input = (ClaimsIdentity)principal.Identity;
var issuer = input.Claims.First().Issuer.ToUpperInvariant();
switch (issuer)
{
case "LITWARE":
CopyClaims(input, new[] { WSIdentityConstants.ClaimTypes.Name }, output);
TransformClaims(input, AllOrganizations.ClaimTypes.Group, Litware.Groups.Sales, ClaimTypes.Role, Adatum.Roles.OrderTracker, output);
output.Claims.Add(new Claim(Adatum.ClaimTypes.Organization, Litware.OrganizationName));
break;
default:
throw new InvalidOperationException("Issuer not trusted.");
}
return(output);
}
public override IClaimsPrincipal Authenticate(string resourceName, IClaimsPrincipal incomingPrincipal)
{
if (incomingPrincipal != null && incomingPrincipal.Identity.IsAuthenticated)
{
ClaimsIdentityCollection x509Ids = GetIdentitiesFromClaim(incomingPrincipal,
ClaimTypes.AuthenticationMethod, AuthenticationMethods.X509);
foreach(IClaimsIdentity x509Identity in x509Ids)
{
// this is the main identity, get the entity attributes in the Trust Fabric from the X509 thumbprint
string x509Thumbprint = GetClaimValue(x509Identity, "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/thumbprint");
if (!string.IsNullOrEmpty(x509Thumbprint))
{
string x509HexThumbprint = Base64Util.FromBase64ToHex(x509Thumbprint);
List<EntityAttribute> entityAttributes = _trustFabric.GetWscEntityAttributesFromX509Thumprint(x509HexThumbprint);
// now add the antity attributes to the identity
foreach (EntityAttribute entityAttribute in entityAttributes)
{
x509Identity.Claims.Add(new Claim(entityAttribute.AttributeType, entityAttribute.AttributeValue));
}
}
}
}
return incomingPrincipal;
}
protected override Scope GetScope(IClaimsPrincipal principal, RequestSecurityToken request)
{
ValidateAppliesTo(request.AppliesTo);
Scope scope = new Scope(request.AppliesTo.Uri.OriginalString,
SecurityTokenServiceConfiguration.SigningCredentials);
var settings = ServiceLocator.Current.GetInstance<IEncryptionSettings>();
if (settings.Encrypt)
{
// Important note on setting the encrypting credentials.
// In a production deployment, you would need to select a certificate that is specific to the RP that is requesting the token.
// You can examine the 'request' to obtain information to determine the certificate to use.
scope.EncryptingCredentials = new X509EncryptingCredentials(settings.Certificate);
}
else
{
// If there is no encryption certificate specified, the STS will not perform encryption.
// This will succeed for tokens that are created without keys (BearerTokens) or asymmetric keys.
scope.TokenEncryptionRequired = false;
}
// Set the ReplyTo address for the WS-Federation passive protocol (wreply). This is the address to which responses will be directed.
// In this template, we have chosen to set this to the AppliesToAddress.
scope.ReplyToAddress = scope.AppliesToAddress;
return scope;
}
/// <summary>
/// This method returns the configuration for the token issuance request. The configuration
/// is represented by the Scope class.
/// </summary>
/// <param name="principal">The caller's principal.</param>
/// <param name="request">The incoming RST.</param>
/// <returns>The scope information to be used for the token issuance.</returns>
protected override Scope GetScope(IClaimsPrincipal principal, RequestSecurityToken request)
{
var plugin = IdentityProviderPlugin.Plugin;
if (plugin == null)
{
return(null);
}
var scope = new Scope(request.AppliesTo.Uri.OriginalString, SecurityTokenServiceConfiguration.SigningCredentials);
var encryptingCertificateName = plugin.Configuration.GetString(IdentityProviderPlugin.PropertyId.EncryptingCertificateName);
if (!string.IsNullOrEmpty(encryptingCertificateName))
{
scope.EncryptingCredentials = new X509EncryptingCredentials(CertificateUtil.GetCertificate(StoreName.My, StoreLocation.LocalMachine, encryptingCertificateName));
}
else
{
scope.TokenEncryptionRequired = false;
}
// Set the ReplyTo address for the WS-Federation passive protocol (wreply). This is the address to which responses will be directed.
scope.ReplyToAddress = scope.AppliesToAddress;
return(scope);
}
public override IClaimsPrincipal Authenticate(string resourceName, IClaimsPrincipal incomingPrincipal)
{
if (incomingPrincipal.Identity.IsAuthenticated)
{
incomingPrincipal.Identities.First().Claims.Add(new Claim("http://claims/localtest", DateTime.Now.ToLongTimeString()));
}
return incomingPrincipal;
}
public override IClaimsPrincipal Authenticate(string resourceName, IClaimsPrincipal incomingPrincipal)
{
if (!incomingPrincipal.Identity.IsAuthenticated)
{
return base.Authenticate(resourceName, incomingPrincipal);
}
return CreateClientIdentity(incomingPrincipal.Identity as ClaimsIdentity);
}
public IEnumerable<Claim> GetClaims(IClaimsPrincipal principal, RequestDetails requestDetails)
{
var claims = from c in NewContext.UserClaims
where c.PartitionKey == principal.Identity.Name.ToLower() &&
c.Kind == UserClaimEntity.EntityKind
select new Claim(c.ClaimType, c.Value);
return claims.ToList();
}
public static bool CheckAccess(IClaimsPrincipal principal, string action, string resource, params string[] additionalResources)
{
var context = CreateAuthorizationContext(
principal,
action,
resource,
additionalResources);
return ClaimsAuthorization.CheckAccess(context);
}
protected override IClaimsIdentity GetOutputClaimsIdentity(IClaimsPrincipal principal, RequestSecurityToken request, Scope scope)
{
if (null == claimSet)
return principal.Identity as IClaimsIdentity;
ClaimsIdentity identity = new ClaimsIdentity();
identity.Claims.AddRange(claimSet);
return identity;
}
/// <summary>
/// Processes a WS-Federation request.
/// </summary>
/// <param name="request">The WS-Federation request message.</param>
/// <param name="principal">The client principal.</param>
/// <param name="configuration">The token service configuration.</param>
public static void ProcessRequest(WSFederationMessage request, IClaimsPrincipal principal, SecurityTokenServiceConfiguration configuration)
{
Contract.Requires(request != null);
Contract.Requires(principal != null);
Contract.Requires(configuration != null);
HttpContext context = HttpContext.Current;
if (request.Action == WSFederationConstants.Actions.SignIn)
{
var response = ProcessSignInRequest(
(SignInRequestMessage)request,
principal,
configuration);
response.Write(context.Response.Output);
context.Response.Flush();
context.Response.End();
}
else if (request.Action == WSFederationConstants.Actions.SignOut)
{
var signOut = (SignOutRequestMessage)request;
ProcessSignOutRequest();
if (!String.IsNullOrEmpty(signOut.Reply))
{
context.Response.Redirect(signOut.Reply);
}
else
{
context.Response.Redirect("~/");
}
}
else if (request.Action == WSFederationConstants.Actions.SignOutCleanup)
{
var signOut = (SignOutCleanupRequestMessage)request;
ProcessSignOutRequest();
if (!String.IsNullOrEmpty(signOut.Reply))
{
context.Response.Redirect(signOut.Reply);
}
else
{
context.Response.Redirect("~/");
}
}
else
{
throw new InvalidOperationException(String.Format(
CultureInfo.InvariantCulture,
"Unsupported Action: {0}", request.Action));
}
}
/// <summary>
/// Authenticates a specified resource by its name.
/// </summary>
/// <param name="resourceName">
/// Name of the resource.
/// </param>
/// <param name="claimsPrincipal">
/// The claims principal.
/// </param>
/// <returns>
/// Returns claims principal for given resource
/// </returns>
public override IClaimsPrincipal Authenticate( string resourceName, IClaimsPrincipal claimsPrincipal )
{
if ( claimsPrincipal.Identity.IsAuthenticated )
{
var sessionFactory = GetSessionFactory ();
using ( var session = sessionFactory.GetCurrentSession () )
using ( var trans = session.BeginTransaction () )
{
var identity = claimsPrincipal.Identity as IClaimsIdentity;
if ( identity != null )
{
var nameIdentifier = identity.Claims.First ( c => c.ClaimType == Microsoft.IdentityModel.Claims.ClaimTypes.NameIdentifier ).Value;
Logger.Debug("Name identifier for authenticated principal ({0}): {1}.", identity.Name, nameIdentifier);
Logger.Debug("Resolving dependency on {0}.", typeof(ISystemAccountRepository).Name);
var systemAccountRepository = IoC.CurrentContainer.Resolve<ISystemAccountRepository>();
Logger.Debug("Resolved dependency on {0}.", typeof(ISystemAccountRepository).Name);
var systemAccount = systemAccountRepository.GetByIdentifier ( nameIdentifier );
if ( systemAccount != null )
{
Logger.Debug("Resolving dependency on {0}.", typeof(IPermissionClaimsManager).Name);
var permissionClaimsManager = IoC.CurrentContainer.Resolve<IPermissionClaimsManager>();
Logger.Debug("Resolved dependency on {0}.", typeof(IPermissionClaimsManager).Name);
Logger.Debug("Issue more claims for ({0} ({1}))", systemAccount.DisplayName, systemAccount.EmailAddress.Address);
permissionClaimsManager.IssueSystemPermissionClaims ( claimsPrincipal, systemAccount );
permissionClaimsManager.IssueAccountKeyClaims ( claimsPrincipal, systemAccount );
}
else
{
var errorMessage = string.Format (
"Authenticated principal ({0}) with identifier ({1}) does not have a system account in REM.", identity.Name, nameIdentifier );
Logger.Debug(errorMessage);
}
}
trans.Commit ();
}
}
else
{
Logger.Debug("Resolving dependency on {0}.", typeof(IFederatedAuthenticationProvider).Name);
var federatedAuthenticationProvider = IoC.CurrentContainer.Resolve<IFederatedAuthenticationProvider>();
Logger.Debug("Resolved dependency on {0}.", typeof(IFederatedAuthenticationProvider).Name);
var federationAuthenticationModule = federatedAuthenticationProvider.GetFederationAuthenticationModule ();
Logger.Debug("Incoming IClaimsPrincipal was not authenticated. WIF will will redirect the request to the identity server {0}.", federationAuthenticationModule.Issuer);
}
return claimsPrincipal;
}
/// <summary>
/// Checks the authorization policy.
/// </summary>
/// <param name="resource">The resource.</param>
/// <param name="action">The action.</param>
/// <param name="principal">The principal.</param>
/// <returns>true when authorized, otherwise false</returns>
public static bool CheckAccess(string resource, string action, IClaimsPrincipal principal)
{
Contract.Requires(!String.IsNullOrEmpty(resource));
Contract.Requires(!String.IsNullOrEmpty(action));
Contract.Requires(principal != null);
var context = new AuthorizationContext(principal, resource, action);
return AuthorizationManager.CheckAccess(context);
}
protected override Scope GetScope(
IClaimsPrincipal principal,
RequestSecurityToken request)
{
var scope = new Scope { AppliesToAddress = request.AppliesTo.Uri.AbsoluteUri };
scope.TokenEncryptionRequired = false;
scope.SymmetricKeyEncryptionRequired = false;
scope.SigningCredentials = new SymmetricSigningCredentials("Sapm9PPZZHly7a9319mksllija112suapoqc321jvso=");
return scope;
}
public override IClaimsPrincipal Authenticate(string resourceName, IClaimsPrincipal incomingPrincipal)
{
if (!incomingPrincipal.Identity.IsAuthenticated)
{
return base.Authenticate(resourceName, incomingPrincipal);
}
UserRepository.GetRoles(incomingPrincipal.Identity.Name, RoleTypes.IdentityServer).ToList().ForEach(role =>
incomingPrincipal.Identities[0].Claims.Add(new Claim(ClaimTypes.Role, role)));
return incomingPrincipal;
}
/// <summary>
/// Override this method to provide scope specific encrypting credentials.
/// </summary>
/// <param name="principal">The principal.</param>
/// <param name="request">The request.</param>
/// <returns></returns>
protected override Scope GetScope( IClaimsPrincipal principal, RequestSecurityToken request )
{
ValidateAppliesTo( request.AppliesTo );
Scope scope = new Scope( request.AppliesTo.Uri.AbsoluteUri );
scope.SigningCredentials = new X509SigningCredentials(X509Helper.GetX509Certificate2(RealmSTSServiceConfig.CertStoreName,
RealmSTSServiceConfig.CertStoreLocation,
RealmSTSServiceConfig.CertDistinguishedName));
scope.EncryptingCredentials = new X509EncryptingCredentials(X509Helper.GetX509Certificate2(RealmSTSServiceConfig.CertStoreName,
RealmSTSServiceConfig.CertStoreLocation,
RealmSTSServiceConfig.TargetDistinguishedName));
return scope;
}
public override IClaimsPrincipal Authenticate(string resourceName, IClaimsPrincipal incomingPrincipal)
{
var identity = incomingPrincipal.Identity as IClaimsIdentity;
if (identity == null)
throw new ArgumentException("Principal must have an identity of type IClaimsIdentity");
//Only process if the identity is authenticated, otherwise, we want the pipeline to redirect to the STS
if (identity.IsAuthenticated)
return base.Authenticate(resourceName, ClaimsAuthenticationManagerProvider.Get(resourceName, incomingPrincipal));
return base.Authenticate(resourceName, incomingPrincipal);
}
/// <summary>
/// Need to implement Certificate with Signing Credentials
/// </summary>
protected override Scope GetScope(IClaimsPrincipal principal, RequestSecurityToken request)
{
var scope = new Scope(request.AppliesTo.ToString())
{
EncryptingCredentials = GetCredentialsForAppliesTo(request.AppliesTo),
SymmetricKeyEncryptionRequired = false,
// SigningCredentials = new X509SigningCredentials(GetCertificate(StoreName.My, StoreLocation.LocalMachine, "CN=IdentityProvider")),
ReplyToAddress = request.AppliesTo.ToString()
};
return scope;
}
protected override IClaimsIdentity GetOutputClaimsIdentity(IClaimsPrincipal principal, RequestSecurityToken request, Scope scope)
{
var callerIdentity = (IClaimsIdentity)principal.Identity;
// Create new identity and copy content of the caller's identity into it (including the existing delegate chain)
var result = new ClaimsIdentity();
CopyClaims(callerIdentity, result);
// If there is an ActAs token in the RST, add and return the claims from it as the top-most identity
// and put the caller's identity into the Delegate property of this identity.
if (request.ActAs != null)
{
var actAsIdentity = new ClaimsIdentity();
var actAsSubject = request.ActAs.GetSubject()[0];
CopyClaims(actAsSubject, actAsIdentity);
// Find the last delegate in the actAs identity
var lastActingVia = actAsIdentity as IClaimsIdentity;
while (lastActingVia.Actor != null)
{
lastActingVia = lastActingVia.Actor;
}
// Put the caller's identity as the last delegate to the ActAs identity
lastActingVia.Actor = result;
// Return the actAsIdentity instead of the caller's identity in this case
result = actAsIdentity;
}
return result;
}
protected override IClaimsIdentity GetOutputClaimsIdentity(IClaimsPrincipal principal, RequestSecurityToken request, Scope scope)
{
if (null == principal)
{
throw new ArgumentNullException("principal");
}
var outputIdentity = new ClaimsIdentity();
IEnumerable<Claim> outputClaims;
if (this.scopeModel.UseClaimsPolicyEngine)
{
IClaimsPolicyEvaluator evaluator = new ClaimsPolicyEvaluator(PolicyStoreFactory.Instance);
outputClaims = evaluator.Evaluate(new Uri(scope.AppliesToAddress), ((IClaimsIdentity)principal.Identity).Claims);
}
else
{
outputClaims = ((IClaimsIdentity)principal.Identity).Claims;
}
outputIdentity.Claims.AddRange(outputClaims);
if (outputIdentity.Name == null && outputIdentity.Claims.SingleOrDefault(c => c.ClaimType == ClaimTypes.NameIdentifier) != null)
outputIdentity.Claims.Add(new Claim(ClaimTypes.Name, outputIdentity.Claims.SingleOrDefault(c => c.ClaimType == ClaimTypes.NameIdentifier).Value));
return outputIdentity;
}
protected override IClaimsIdentity GetOutputClaimsIdentity(IClaimsPrincipal principal,
RequestSecurityToken request, Scope scope)
{
if (null == principal)
{
throw new ArgumentNullException("principal");
}
var outputIdentity = new ClaimsIdentity();
var userName = principal.Identity.Name;
using (var db = new StsContext())
{
var webUser = db.WebUsers.Single(w => w.Username == userName);
foreach (var requestClaim in request.Claims)
{
var value = GetValueForClaimRequest(requestClaim, webUser);
if (value != null)
{
outputIdentity.Claims.Add(new Claim(requestClaim.ClaimType, value));
}
}
if (outputIdentity.Claims.All(c => c.ClaimType != Security.ClaimTypes.Name))
{
outputIdentity.Claims.Add(new Claim(Security.ClaimTypes.Name, webUser.Username));
}
if (outputIdentity.Claims.All(c => c.ClaimType != Security.ClaimTypes.Role))
{
outputIdentity.Claims.Add(new Claim(Security.ClaimTypes.Role, webUser.Role));
}
}
return outputIdentity;
}
protected override IClaimsIdentity GetOutputClaimsIdentity(IClaimsPrincipal principal, RequestSecurityToken request, Scope scope)
{
var outputIdentity = new ClaimsIdentity();
if (null == principal)
{
throw new InvalidRequestException("The caller's principal is null.");
}
switch (principal.Identity.Name.ToUpperInvariant())
{
// In a production environment, all the information that will be added
// as claims should be read from the authenticated Windows Principal.
// The following lines are hardcoded because windows integrated
// authentication is disabled.
case "ADATUM\\JOHNDOE":
outputIdentity.Claims.AddRange(new List<Claim>
{
new Claim(System.IdentityModel.Claims.ClaimTypes.Name, "ADATUM\\johndoe"),
new Claim(AllOrganizations.ClaimTypes.Group, Adatum.Groups.DomainUsers),
new Claim(AllOrganizations.ClaimTypes.Group, Adatum.Groups.MarketingManagers)
});
break;
}
return outputIdentity;
}
/// <summary>
/// This method returns the claims to be issued in the token.
/// </summary>
/// <param name="principal">The caller's principal.</param>
/// <param name="request">The incoming RST, can be used to obtain addtional information.</param>
/// <param name="scope">The scope information corresponding to this request.</param>
/// <exception cref="ArgumentNullException">If 'principal' parameter is null.</exception>
/// <returns>The outgoing claimsIdentity to be included in the issued token.</returns>
protected override IClaimsIdentity GetOutputClaimsIdentity(IClaimsPrincipal principal, RequestSecurityToken request, Scope scope)
{
if (null == principal)
{
throw new ArgumentNullException("principal");
}
var outputIdentity = new ClaimsIdentity();
var attributes = (UserAttribute[])HttpContext.Current.Session["Attributes"];
foreach (var attribute in attributes)
{
if (attribute.Name == "Email")
{
outputIdentity.Claims.Add(new Claim(System.IdentityModel.Claims.ClaimTypes.Email, attribute.Value));
}
else if (attribute.Name == "Group")
{
outputIdentity.Claims.Add(new Claim(ClaimTypes.Role, attribute.Value));
}
}
outputIdentity.Claims.Add(new Claim(System.IdentityModel.Claims.ClaimTypes.Name, principal.Identity.Name));
return outputIdentity;
}
