/// <summary>
/// Decides whether an InfoCard token provider should be created for
/// <paramref name="tokenRequirement"/> instead of deferring to the base
/// <see cref="ClientCredentialsSecurityTokenManager"/> implementation.
/// </summary>
/// <param name="tokenRequirement">The requirement describing the token the channel needs.</param>
/// <param name="clientCredentialsTokenManager">The token manager whose client credentials decide whether interactive (InfoCard) support is enabled.</param>
/// <param name="provider">Receives the created provider, or null when the base implementation should handle the requirement.</param>
/// <returns>true when <paramref name="provider"/> was created; false when the caller should fall back to the base implementation.</returns>
/// <remarks>
/// The target and issuer information will not be available in this call.
/// The InfoCard path is taken only when interactive support is on, no local issuer (address AND binding)
/// is configured, the requirement is for an issued token, and the channel parameters carry an
/// <see cref="InfoCardChannelParameter"/> whose RequiresInfoCard is set.
/// </remarks>
public static bool TryCreateSecurityTokenProvider(SecurityTokenRequirement tokenRequirement, ClientCredentialsSecurityTokenManager clientCredentialsTokenManager, out SecurityTokenProvider provider)
{
    if (tokenRequirement == null)
    {
        throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull(nameof(tokenRequirement));
    }
    if (clientCredentialsTokenManager == null)
    {
        throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull(nameof(clientCredentialsTokenManager));
    }

    provider = null;

    var credentials = clientCredentialsTokenManager.ClientCredentials;
    // A configured local issuer means the ordinary federation path (not InfoCard) serves this requirement.
    bool deferToBase =
        !credentials.SupportInteractive
        || (null != credentials.IssuedToken.LocalIssuerAddress && null != credentials.IssuedToken.LocalIssuerBinding)
        || !clientCredentialsTokenManager.IsIssuedSecurityTokenRequirement(tokenRequirement);
    if (deferToBase)
    {
        //IDT.TraceDebug("ICARDTOKPROV: Non Issued SecurityToken requirement submitted to InfoCardClientCredentialsSecurityTokenManager:\n{0}", tokenRequirement);
        //IDT.TraceDebug("ICARDTOKPROV: Defering to the base class to create the token provider");
        return false;
    }

    InfoCardChannelParameter infoCardChannelParameter = FindInfoCardChannelParameter();
    if (null == infoCardChannelParameter || !infoCardChannelParameter.RequiresInfoCard)
    {
        return false;
    }

    // Both properties are mandatory here: GetProperty throws when the requirement lacks them.
    EndpointAddress target = tokenRequirement.GetProperty<EndpointAddress>(ServiceModelSecurityTokenRequirement.TargetAddressProperty);
    IssuedSecurityTokenParameters issuedTokenParameters = tokenRequirement.GetProperty<IssuedSecurityTokenParameters>(ServiceModelSecurityTokenRequirement.IssuedSecurityTokenParametersProperty);

    // Privacy notice is optional; default to "none" / version 0 when absent.
    Uri privacyNoticeLink;
    if (!tokenRequirement.TryGetProperty<Uri>(ServiceModelSecurityTokenRequirement.PrivacyNoticeUriProperty, out privacyNoticeLink))
    {
        privacyNoticeLink = null;
    }
    int privacyNoticeVersion;
    if (!tokenRequirement.TryGetProperty<int>(ServiceModelSecurityTokenRequirement.PrivacyNoticeVersionProperty, out privacyNoticeVersion))
    {
        privacyNoticeVersion = 0;
    }

    //
    // This analysis of this chain indicates that interactive support will be required
    // The InternalClientCredentials class handles that.
    //
    provider = CreateTokenProviderForNextLeg(tokenRequirement, target, issuedTokenParameters.IssuerAddress, infoCardChannelParameter.RelyingPartyIssuer, clientCredentialsTokenManager, infoCardChannelParameter);
    return provider != null;

    // Returns the first InfoCardChannelParameter in the requirement's channel parameter collection, or null.
    InfoCardChannelParameter FindInfoCardChannelParameter()
    {
        ChannelParameterCollection channelParameters;
        if (tokenRequirement.TryGetProperty<ChannelParameterCollection>(ServiceModelSecurityTokenRequirement.ChannelParametersCollectionProperty, out channelParameters))
        {
            foreach (object item in channelParameters)
            {
                if (item is InfoCardChannelParameter found)
                {
                    return found;
                }
            }
        }
        return null;
    }
}
/// <summary>
/// Builds the message-security binding element for a federated (issued-token) binding.
/// </summary>
/// <param name="isSecureTransportMode">true when the issued token is presented over a secure transport (mixed mode); false for pure message security, where the service credential is negotiated (SSL) or a certificate.</param>
/// <param name="isReliableSession">true when reliable sessions are on; this requires EstablishSecurityContext.</param>
/// <param name="version">The WS-Security / WS-Trust / WS-SecureConversation version set to emit.</param>
/// <returns>The configured element, wrapped in a secure-conversation element when EstablishSecurityContext is set.</returns>
/// <exception cref="InvalidOperationException">Bearer key combined with WS-Trust Feb 2005, or reliable session without secure conversation.</exception>
internal SecurityBindingElement CreateSecurityBindingElement(bool isSecureTransportMode, bool isReliableSession, MessageSecurityVersion version)
{
    if (this.IssuedKeyType == SecurityKeyType.BearerKey && version.TrustVersion == TrustVersion.WSTrustFeb2005)
    {
        throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new InvalidOperationException(SR.GetString(SR.BearerKeyIncompatibleWithWSFederationHttpBinding)));
    }
    if (isReliableSession && !this.EstablishSecurityContext)
    {
        throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new InvalidOperationException(SR.GetString(SR.SecureConversationRequiredByReliableSession)));
    }

    const bool emitBspAttributes = true;

    IssuedSecurityTokenParameters issuedParameters = new IssuedSecurityTokenParameters(this.IssuedTokenType, this.IssuerAddress, this.IssuerBinding)
    {
        IssuerMetadataAddress = this.issuerMetadataAddress,
        KeyType = this.IssuedKeyType,
        // Only a symmetric proof key has a requested size; asymmetric and bearer keys request 0.
        KeySize = this.IssuedKeyType == SecurityKeyType.SymmetricKey ? this.AlgorithmSuite.DefaultSymmetricKeyLength : 0,
    };
    foreach (ClaimTypeRequirement claimType in this.claimTypeRequirements)
    {
        issuedParameters.ClaimTypeRequirements.Add(claimType);
    }
    foreach (XmlElement requestParameter in this.TokenRequestParameters)
    {
        issuedParameters.AdditionalRequestParameters.Add(requestParameter);
    }

    // Algorithm parameters are serialized with the exact version being negotiated.
    WSSecurityTokenSerializer versionSpecificSerializer = new WSSecurityTokenSerializer(version.SecurityVersion, version.TrustVersion, version.SecureConversationVersion, emitBspAttributes, null, null, null);
    SecurityStandardsManager versionSpecificStandardsManager = new SecurityStandardsManager(version, versionSpecificSerializer);
    issuedParameters.AddAlgorithmParameters(this.AlgorithmSuite, versionSpecificStandardsManager, this.issuedKeyType);

    SecurityBindingElement issuedTokenSecurity;
    if (isSecureTransportMode)
    {
        issuedTokenSecurity = SecurityBindingElement.CreateIssuedTokenOverTransportBindingElement(issuedParameters);
    }
    else if (negotiateServiceCredential)
    {
        // We should have passed 'true' as RequireCancelation to be consistent with other standard bindings.
        // However, to limit the change for Orcas, we scope down to just newer version of WSSecurityPolicy.
        issuedTokenSecurity = SecurityBindingElement.CreateIssuedTokenForSslBindingElement(issuedParameters, version.SecurityPolicyVersion != SecurityPolicyVersion.WSSecurityPolicy11);
    }
    else
    {
        issuedTokenSecurity = SecurityBindingElement.CreateIssuedTokenForCertificateBindingElement(issuedParameters);
    }
    issuedTokenSecurity.MessageSecurityVersion = version;
    issuedTokenSecurity.DefaultAlgorithmSuite = this.AlgorithmSuite;

    SecurityBindingElement result = this.EstablishSecurityContext
        ? SecurityBindingElement.CreateSecureConversationBindingElement(issuedTokenSecurity, true)
        : issuedTokenSecurity;
    result.MessageSecurityVersion = version;
    result.DefaultAlgorithmSuite = this.AlgorithmSuite;
    result.IncludeTimestamp = true;
    // Transport reconnect on failure is only meaningful (and only enabled) with reliable sessions.
    result.LocalServiceSettings.ReconnectTransportOnFailure = isReliableSession;
    result.LocalClientSettings.ReconnectTransportOnFailure = isReliableSession;

    if (this.establishSecurityContext)
    {
        // issue the transition SCT for a short duration only
        issuedTokenSecurity.LocalServiceSettings.IssuedCookieLifetime = SpnegoTokenAuthenticator.defaultServerIssuedTransitionTokenLifetime;
    }
    return result;
}
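/// <summary>
/// Creates the <see cref="IssuedSecurityTokenProvider"/> that will request a token from the STS named
/// by <paramref name="initiatorRequirement"/>, falling back to the issuer configured on
/// ClientCredentials.IssuedToken when the requirement names no issuer (or the anonymous address).
/// </summary>
/// <param name="initiatorRequirement">The client-side token requirement; must carry a target address and a security binding element.</param>
/// <returns>A fully configured provider (target, issuer, caching, key-entropy, message security version, request parameters and channel parameters set).</returns>
/// <exception cref="InvalidOperationException">No issuer address or no issuer binding can be resolved, even from the local issuer settings.</exception>
/// <remarks>
/// Removes the unused <c>uri</c> local the decompiled original computed and never read; behavior is otherwise unchanged.
/// </remarks>
private IssuedSecurityTokenProvider CreateIssuedSecurityTokenProvider(InitiatorServiceModelSecurityTokenRequirement initiatorRequirement)
{
    if (initiatorRequirement.TargetAddress == null)
    {
        throw System.ServiceModel.DiagnosticUtility.ExceptionUtility.ThrowHelperArgument(System.ServiceModel.SR.GetString("TokenRequirementDoesNotSpecifyTargetAddress", new object[] { initiatorRequirement }));
    }
    SecurityBindingElement securityBindingElement = initiatorRequirement.SecurityBindingElement;
    if (securityBindingElement == null)
    {
        throw System.ServiceModel.DiagnosticUtility.ExceptionUtility.ThrowHelperArgument(System.ServiceModel.SR.GetString("TokenProviderRequiresSecurityBindingElement", new object[] { initiatorRequirement }));
    }

    EndpointAddress issuerAddress = initiatorRequirement.IssuerAddress;
    Binding issuerBinding = initiatorRequirement.IssuerBinding;
    // No issuer, or the WS-Addressing anonymous address, means "use the locally configured issuer".
    bool useLocalIssuer = issuerAddress == null || issuerAddress.Equals(EndpointAddress.AnonymousAddress);
    if (useLocalIssuer)
    {
        issuerAddress = this.parent.IssuedToken.LocalIssuerAddress;
        issuerBinding = this.parent.IssuedToken.LocalIssuerBinding;
    }
    if (issuerAddress == null)
    {
        throw System.ServiceModel.DiagnosticUtility.ExceptionUtility.ThrowHelperError(new InvalidOperationException(System.ServiceModel.SR.GetString("StsAddressNotSet", new object[] { initiatorRequirement.TargetAddress })));
    }
    if (issuerBinding == null)
    {
        throw System.ServiceModel.DiagnosticUtility.ExceptionUtility.ThrowHelperError(new InvalidOperationException(System.ServiceModel.SR.GetString("StsBindingNotSet", new object[] { issuerAddress })));
    }

    // Behaviors registered for this issuer URI take precedence; the local-issuer behaviors
    // apply only when we actually fell back to the local issuer.
    KeyedByTypeCollection<IEndpointBehavior> issuerChannelBehaviors;
    if (!this.parent.IssuedToken.IssuerChannelBehaviors.TryGetValue(issuerAddress.Uri, out issuerChannelBehaviors) && useLocalIssuer)
    {
        issuerChannelBehaviors = this.parent.IssuedToken.LocalIssuerChannelBehaviors;
    }

    IssuedSecurityTokenProvider federationTokenProvider = new IssuedSecurityTokenProvider(this.GetCredentialsHandle(initiatorRequirement))
    {
        TargetAddress = initiatorRequirement.TargetAddress
    };
    this.CopyIssuerChannelBehaviorsAndAddSecurityCredentials(federationTokenProvider, issuerChannelBehaviors, issuerAddress);
    federationTokenProvider.CacheIssuedTokens = this.parent.IssuedToken.CacheIssuedTokens;
    // The identity verifier from the binding's local client settings is what checks the issuer's identity.
    federationTokenProvider.IdentityVerifier = securityBindingElement.LocalClientSettings.IdentityVerifier;
    federationTokenProvider.IssuerAddress = issuerAddress;
    federationTokenProvider.IssuerBinding = issuerBinding;
    federationTokenProvider.KeyEntropyMode = this.GetIssuerBindingKeyEntropyModeOrDefault(issuerBinding);
    federationTokenProvider.MaxIssuedTokenCachingTime = this.parent.IssuedToken.MaxIssuedTokenCachingTime;
    federationTokenProvider.SecurityAlgorithmSuite = initiatorRequirement.SecurityAlgorithmSuite;

    IssuedSecurityTokenParameters issuedTokenParameters = initiatorRequirement.GetProperty<IssuedSecurityTokenParameters>(ServiceModelSecurityTokenRequirement.IssuedSecurityTokenParametersProperty);
    MessageSecurityVersion version;
    SecurityTokenSerializer serializer;
    this.GetIssuerBindingSecurityVersion(issuerBinding, issuedTokenParameters.DefaultMessageSecurityVersion, securityBindingElement, out version, out serializer);
    federationTokenProvider.MessageSecurityVersion = version;
    federationTokenProvider.SecurityTokenSerializer = serializer;
    federationTokenProvider.IssuedTokenRenewalThresholdPercentage = this.parent.IssuedToken.IssuedTokenRenewalThresholdPercentage;

    // Request parameters (claims, algorithms, ...) are rendered for the negotiated version/serializer.
    IEnumerable<XmlElement> requestParameters = issuedTokenParameters.CreateRequestParameters(version, serializer);
    if (requestParameters != null)
    {
        foreach (XmlElement requestParameter in requestParameters)
        {
            federationTokenProvider.TokenRequestParameters.Add(requestParameter);
        }
    }

    ChannelParameterCollection channelParameters;
    if (initiatorRequirement.TryGetProperty<ChannelParameterCollection>(ServiceModelSecurityTokenRequirement.ChannelParametersCollectionProperty, out channelParameters))
    {
        federationTokenProvider.ChannelParameters = channelParameters;
    }
    return federationTokenProvider;
}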
/// <summary>
/// Recognizes a <see cref="SecurityBindingElement"/> produced by NetTcp message security and maps it back
/// to a <see cref="MessageSecurityOverTcp"/> (client credential type plus algorithm suite).
/// </summary>
/// <param name="sbe">The security binding element to inspect; may be null.</param>
/// <param name="isReliableSession">Unused by the checks below; kept for signature compatibility.</param>
/// <param name="transportBindingElement">Unused by the checks below; kept for signature compatibility.</param>
/// <param name="messageSecurity">The recovered settings, or null when <paramref name="sbe"/> is not a NetTcp message-security shape.</param>
/// <returns>true when <paramref name="sbe"/> matches; otherwise false.</returns>
/// <remarks>
/// Only the two WS-Security 1.1 / WS-Trust Feb 2005 version sets and strict header layout are accepted, and
/// the element must be a secure-conversation element whose bootstrap is one of the known credential shapes.
/// Issued-token bootstraps are accepted only when their parameters are the InfoCard shape.
/// </remarks>
internal static bool TryCreate(SecurityBindingElement sbe, bool isReliableSession, BindingElement transportBindingElement, out MessageSecurityOverTcp messageSecurity)
{
    messageSecurity = null;
    if (sbe == null || !sbe.IncludeTimestamp)
    {
        return false;
    }
    if (sbe.MessageSecurityVersion != MessageSecurityVersion.WSSecurity11WSTrustFebruary2005WSSecureConversationFebruary2005WSSecurityPolicy11
        && sbe.MessageSecurityVersion != MessageSecurityVersion.WSSecurity11WSTrustFebruary2005WSSecureConversationFebruary2005WSSecurityPolicy11BasicSecurityProfile10)
    {
        return false;
    }
    if (sbe.SecurityHeaderLayout != SecurityHeaderLayout.Strict)
    {
        return false;
    }

    SecurityBindingElement bootstrap;
    if (!SecurityBindingElement.IsSecureConversationBinding(sbe, true, out bootstrap))
    {
        return false;
    }

    // Both InfoCard probes need a standards manager built for the bootstrap element's own version.
    SecurityStandardsManager CreateBootstrapStandardsManager()
    {
        return new SecurityStandardsManager(
            bootstrap.MessageSecurityVersion,
            new WSSecurityTokenSerializer(bootstrap.MessageSecurityVersion.SecurityVersion, bootstrap.MessageSecurityVersion.TrustVersion, bootstrap.MessageSecurityVersion.SecureConversationVersion, true, null, null, null));
    }

    MessageCredentialType credentialType;
    IssuedSecurityTokenParameters issuedParameters;
    if (bootstrap is TransportSecurityBindingElement)
    {
        // Mixed mode: client credential carried over a secure transport.
        if (SecurityBindingElement.IsUserNameOverTransportBinding(bootstrap))
        {
            credentialType = MessageCredentialType.UserName;
        }
        else if (SecurityBindingElement.IsCertificateOverTransportBinding(bootstrap))
        {
            credentialType = MessageCredentialType.Certificate;
        }
        else if (SecurityBindingElement.IsSspiNegotiationOverTransportBinding(bootstrap, true))
        {
            credentialType = MessageCredentialType.Windows;
        }
        else
        {
            if (!SecurityBindingElement.IsIssuedTokenOverTransportBinding(bootstrap, out issuedParameters))
            {
                return false;
            }
            if (!IssuedSecurityTokenParameters.IsInfoCardParameters(issuedParameters, CreateBootstrapStandardsManager()))
            {
                return false;
            }
            credentialType = MessageCredentialType.IssuedToken;
        }
    }
    else if (SecurityBindingElement.IsUserNameForSslBinding(bootstrap, true))
    {
        credentialType = MessageCredentialType.UserName;
    }
    else if (SecurityBindingElement.IsSslNegotiationBinding(bootstrap, true, true))
    {
        credentialType = MessageCredentialType.Certificate;
    }
    else if (SecurityBindingElement.IsSspiNegotiationBinding(bootstrap, true))
    {
        credentialType = MessageCredentialType.Windows;
    }
    else if (SecurityBindingElement.IsIssuedTokenForSslBinding(bootstrap, true, out issuedParameters))
    {
        // An issued-token shape that is not InfoCard is rejected outright (no fall-through to the anonymous case).
        if (!IssuedSecurityTokenParameters.IsInfoCardParameters(issuedParameters, CreateBootstrapStandardsManager()))
        {
            return false;
        }
        credentialType = MessageCredentialType.IssuedToken;
    }
    else if (SecurityBindingElement.IsSslNegotiationBinding(bootstrap, false, true))
    {
        credentialType = MessageCredentialType.None;
    }
    else
    {
        return false;
    }

    messageSecurity = new MessageSecurityOverTcp { ClientCredentialType = credentialType };
    // The issued-token case does not carry the bootstrap's algorithm suite over.
    if (credentialType != MessageCredentialType.IssuedToken)
    {
        messageSecurity.AlgorithmSuite = bootstrap.DefaultAlgorithmSuite;
    }
    return true;
}
/// <summary>
/// Single-argument overload: delegates to the two-argument
/// CreateIssuedTokenForSslBindingElement with its requireCancellation flag set to false.
/// The declaration's modifiers and return type are not visible in this excerpt.
/// </summary>
/// <param name="issuedTokenParameters">The issued-token parameters the binding element is built around.</param>
CreateIssuedTokenForSslBindingElement( IssuedSecurityTokenParameters issuedTokenParameters) { return(CreateIssuedTokenForSslBindingElement( issuedTokenParameters, false)); }
/// <summary>
/// Runs one server-side leg of the SSPI negotiation carried in <paramref name="incomingNego"/> and builds
/// the reply body: an intermediate RSTR carrying the next blob while the context is incomplete, or, once the
/// context completes, an RSTR collection holding the issued security-context token plus an authenticator RSTR.
/// </summary>
/// <param name="negotiationState">Per-negotiation state (SSPI context, WS-Trust context id, AppliesTo, digest).</param>
/// <param name="incomingMessage">The request; used for the channel binding and for the addressing version of the reply.</param>
/// <param name="incomingNego">The client's binary negotiation element.</param>
/// <returns>The reply body writer.</returns>
/// <exception cref="SecurityNegotiationException">The SSPI context is invalid, or there is no blob to return before the server side has completed.</exception>
/// <exception cref="ProtocolException">The request uses an addressing version other than WS-Addressing 1.0 or August 2004 while AppliesTo is set.</exception>
private async ValueTask<BodyWriter> ProcessNegotiationAsync(SspiNegotiationTokenAuthenticatorState negotiationState, Message incomingMessage, BinaryNegotiation incomingNego)
{
    ISspiNegotiation sspiNegotiation = negotiationState.SspiNegotiation;
    // The channel binding from the transport is fed into SSPI so the context is tied to this connection.
    byte[] outgoingBlob = sspiNegotiation.GetOutgoingBlob(incomingNego.GetNegotiationData(), SecurityUtils.GetChannelBindingFromMessage(incomingMessage), ExtendedProtectionPolicy);
    if (!sspiNegotiation.IsValidContext)
    {
        throw TraceUtility.ThrowHelperError(new SecurityNegotiationException(SR.Format(SR.InvalidSspiNegotiation)), incomingMessage);
    }
    // if there is no blob to send back the nego must be complete from the server side
    if (outgoingBlob == null && !sspiNegotiation.IsCompleted)
    {
        throw TraceUtility.ThrowHelperError(new SecurityNegotiationException(SR.Format(SR.NoBinaryNegoToSend)), incomingMessage);
    }
    BinaryNegotiation outgoingBinaryNegotiation = outgoingBlob != null
        ? GetOutgoingBinaryNegotiation(sspiNegotiation, outgoingBlob)
        : null;

    if (!sspiNegotiation.IsCompleted)
    {
        // Intermediate leg: return the next blob under the same context and fold the RSTR into the digest.
        RequestSecurityTokenResponse legRstr = new RequestSecurityTokenResponse(StandardsManager) { Context = negotiationState.Context };
        legRstr.SetBinaryNegotiation(outgoingBinaryNegotiation);
        legRstr.MakeReadOnly();
        AddToDigest(negotiationState, legRstr, false);
        return legRstr;
    }

    // Final leg: authorize the negotiated identity, then issue the SCT.
    ReadOnlyCollection<IAuthorizationPolicy> authorizationPolicies = await ValidateSspiNegotiationAsync(sspiNegotiation);
    SecurityContextSecurityToken serviceToken;
    WrappedKeySecurityToken proofToken;
    int issuedKeySize;
    IssueServiceToken(negotiationState, authorizationPolicies, out serviceToken, out proofToken, out issuedKeySize);
    negotiationState.SetServiceToken(serviceToken);
    SecurityKeyIdentifierClause externalTokenReference = IssuedSecurityTokenParameters.CreateKeyIdentifierClause(serviceToken, SecurityTokenReferenceStyle.External);
    SecurityKeyIdentifierClause internalTokenReference = IssuedSecurityTokenParameters.CreateKeyIdentifierClause(serviceToken, SecurityTokenReferenceStyle.Internal);

    // The RSTR folded into the digest carries the references, lifetime and AppliesTo but NOT the token
    // or proof token that the wire RSTR below carries.
    RequestSecurityTokenResponse digestRstr = new RequestSecurityTokenResponse(StandardsManager)
    {
        Context = negotiationState.Context,
        KeySize = issuedKeySize,
        TokenType = SecurityContextTokenUri
    };
    if (outgoingBinaryNegotiation != null)
    {
        digestRstr.SetBinaryNegotiation(outgoingBinaryNegotiation);
    }
    digestRstr.RequestedUnattachedReference = externalTokenReference;
    digestRstr.RequestedAttachedReference = internalTokenReference;
    digestRstr.SetLifetime(serviceToken.ValidFrom, serviceToken.ValidTo);
    ApplyAppliesTo(digestRstr);
    digestRstr.MakeReadOnly();
    AddToDigest(negotiationState, digestRstr, false);

    RequestSecurityTokenResponse negotiationRstr = new RequestSecurityTokenResponse(StandardsManager)
    {
        RequestedSecurityToken = serviceToken,
        RequestedProofToken = proofToken,
        Context = negotiationState.Context,
        KeySize = issuedKeySize,
        TokenType = SecurityContextTokenUri
    };
    if (outgoingBinaryNegotiation != null)
    {
        negotiationRstr.SetBinaryNegotiation(outgoingBinaryNegotiation);
    }
    negotiationRstr.RequestedAttachedReference = internalTokenReference;
    negotiationRstr.RequestedUnattachedReference = externalTokenReference;
    ApplyAppliesTo(negotiationRstr);
    negotiationRstr.MakeReadOnly();

    // The authenticator is derived from the negotiation digest and the issued token's key material,
    // so the client can confirm the exchange was not altered.
    byte[] authenticator = ComputeAuthenticator(negotiationState, serviceToken.GetKeyBytes());
    RequestSecurityTokenResponse authenticatorRstr = new RequestSecurityTokenResponse(StandardsManager) { Context = negotiationState.Context };
    authenticatorRstr.SetAuthenticator(authenticator);
    authenticatorRstr.MakeReadOnly();

    List<RequestSecurityTokenResponse> responses = new List<RequestSecurityTokenResponse>(2) { negotiationRstr, authenticatorRstr };
    return new RequestSecurityTokenResponseCollection(responses, StandardsManager);

    // Sets AppliesTo on the RSTR in the request's addressing version; no-op when the state has no AppliesTo.
    void ApplyAppliesTo(RequestSecurityTokenResponse response)
    {
        if (negotiationState.AppliesTo == null)
        {
            return;
        }
        if (incomingMessage.Version.Addressing == AddressingVersion.WSAddressing10)
        {
            response.SetAppliesTo<EndpointAddress10>(EndpointAddress10.FromEndpointAddress(negotiationState.AppliesTo), negotiationState.AppliesToSerializer);
        }
        else if (incomingMessage.Version.Addressing == AddressingVersion.WSAddressingAugust2004)
        {
            response.SetAppliesTo<EndpointAddressAugust2004>(EndpointAddressAugust2004.FromEndpointAddress(negotiationState.AppliesTo), negotiationState.AppliesToSerializer);
        }
        else
        {
            throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new ProtocolException(SR.Format(SR.AddressingVersionNotSupported, incomingMessage.Version.Addressing)));
        }
    }
}
/// <summary>
/// Recognizes a <see cref="SecurityBindingElement"/> produced by NetMsmq message security and maps it back
/// to a <see cref="MessageSecurityOverMsmq"/>.
/// </summary>
/// <param name="sbe">The security binding element to inspect; may be null.</param>
/// <param name="messageSecurity">The recovered settings, or null when <paramref name="sbe"/> does not match.</param>
/// <returns>true when <paramref name="sbe"/> is a symmetric element of a known NetMsmq credential shape; otherwise false.</returns>
/// <remarks>
/// Unlike the HTTP/TCP shapes, MSMQ message security requires IncludeTimestamp to be OFF.
/// Local client/service settings are deliberately not compared.
/// </remarks>
internal static bool TryCreate(SecurityBindingElement sbe, out MessageSecurityOverMsmq messageSecurity)
{
    messageSecurity = null;
    if (!(sbe is SymmetricSecurityBindingElement symmetricSbe))
    {
        return false;
    }
    if (sbe.MessageSecurityVersion != MessageSecurityVersion.WSSecurity11WSTrustFebruary2005WSSecureConversationFebruary2005WSSecurityPolicy11BasicSecurityProfile10
        && sbe.MessageSecurityVersion != MessageSecurityVersion.WSSecurity11WSTrustFebruary2005WSSecureConversationFebruary2005WSSecurityPolicy11)
    {
        return false;
    }
    // do not check local settings: sbe.LocalServiceSettings and sbe.LocalClientSettings
    if (symmetricSbe.IncludeTimestamp)
    {
        return false;
    }

    bool kerberosSelected = false;
    MessageCredentialType credentialType;
    IssuedSecurityTokenParameters issuedParameters;
    if (SecurityBindingElement.IsAnonymousForCertificateBinding(sbe))
    {
        credentialType = MessageCredentialType.None;
    }
    else if (SecurityBindingElement.IsUserNameForCertificateBinding(sbe))
    {
        credentialType = MessageCredentialType.UserName;
    }
    else if (SecurityBindingElement.IsMutualCertificateBinding(sbe))
    {
        credentialType = MessageCredentialType.Certificate;
    }
    else if (SecurityBindingElement.IsKerberosBinding(sbe))
    {
        credentialType = MessageCredentialType.Windows;
        kerberosSelected = true;
    }
    else if (SecurityBindingElement.IsIssuedTokenForCertificateBinding(sbe, out issuedParameters))
    {
        // Only the InfoCard issued-token shape round-trips to a standard binding.
        SecurityStandardsManager standardsManager = new SecurityStandardsManager(
            sbe.MessageSecurityVersion,
            new WSSecurityTokenSerializer(sbe.MessageSecurityVersion.SecurityVersion, sbe.MessageSecurityVersion.TrustVersion, sbe.MessageSecurityVersion.SecureConversationVersion, true, null, null, null));
        if (!IssuedSecurityTokenParameters.IsInfoCardParameters(issuedParameters, standardsManager))
        {
            return false;
        }
        credentialType = MessageCredentialType.IssuedToken;
    }
    else
    {
        return false;
    }

    messageSecurity = new MessageSecurityOverMsmq { ClientCredentialType = credentialType };
    // set the algorithm suite and issued token params if required
    if (credentialType != MessageCredentialType.IssuedToken && !kerberosSelected)
    {
        messageSecurity.AlgorithmSuite = symmetricSbe.DefaultAlgorithmSuite;
    }
    return true;
}
/// <summary>
/// Prepends the WS-Trust algorithm request elements (encryption, canonicalization, and for proof keys
/// SignWith / EncryptWith and, for post-Feb-2005 trust versions, KeyWrapAlgorithm) to the issued-token
/// parameters' AdditionalRequestParameters.
/// </summary>
/// <param name="algorithmSuite">Source of the default algorithm URIs.</param>
/// <param name="trustVersion">The WS-Trust version; KeyWrapAlgorithm is emitted only when it is not WSTrustFeb2005.</param>
/// <param name="keyType">Symmetric, asymmetric or bearer; bearer keys get no SignWith / EncryptWith elements.</param>
/// <param name="issuedParameters">The parameters to extend (passed by ref; the reference itself is never reassigned).</param>
/// <exception cref="ArgumentOutOfRangeException"><paramref name="keyType"/> is not a known <see cref="SecurityKeyType"/>.</exception>
/// <remarks>
/// Every element is inserted at index 0, so the final order is the reverse of the insertion order.
/// </remarks>
private void AddAlgorithmParameters(SecurityAlgorithmSuite algorithmSuite, TrustVersion trustVersion, SecurityKeyType keyType, ref IssuedSecurityTokenParameters issuedParameters)
{
    var requestParameters = issuedParameters.AdditionalRequestParameters;
    requestParameters.Insert(0, this.CreateEncryptionAlgorithmElement(algorithmSuite.DefaultEncryptionAlgorithm));
    requestParameters.Insert(0, this.CreateCanonicalizationAlgorithmElement(algorithmSuite.DefaultCanonicalizationAlgorithm));

    if (keyType == SecurityKeyType.BearerKey)
    {
        // No proof-key algorithms are requested for bearer tokens.
        return;
    }

    string signatureAlgorithm;
    string encryptionAlgorithm;
    if (keyType == SecurityKeyType.SymmetricKey)
    {
        signatureAlgorithm = algorithmSuite.DefaultSymmetricSignatureAlgorithm;
        encryptionAlgorithm = algorithmSuite.DefaultEncryptionAlgorithm;
    }
    else if (keyType == SecurityKeyType.AsymmetricKey)
    {
        signatureAlgorithm = algorithmSuite.DefaultAsymmetricSignatureAlgorithm;
        encryptionAlgorithm = algorithmSuite.DefaultAsymmetricKeyWrapAlgorithm;
    }
    else
    {
        throw new ArgumentOutOfRangeException(nameof(keyType));
    }

    requestParameters.Insert(0, this.CreateSignWithElement(signatureAlgorithm));
    requestParameters.Insert(0, this.CreateEncryptWithElement(encryptionAlgorithm));
    if (trustVersion != TrustVersion.WSTrustFeb2005)
    {
        requestParameters.Insert(0, CreateKeyWrapAlgorithmElement(algorithmSuite.DefaultAsymmetricKeyWrapAlgorithm));
    }
}
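/// <summary>
/// Recognizes a <see cref="SecurityBindingElement"/> produced by an HTTP standard binding's message security
/// and maps it back to a <typeparamref name="TSecurity"/> (client credential type, service-credential
/// negotiation flag, algorithm suite and, for the non-dual variant, EstablishSecurityContext).
/// </summary>
/// <typeparam name="TSecurity"><see cref="MessageSecurityOverHttp"/> or <see cref="NonDualMessageSecurityOverHttp"/>; the plain type requires a secure-conversation element.</typeparam>
/// <param name="sbe">The security binding element to inspect; asserted non-null.</param>
/// <param name="isSecureTransportMode">true for mixed mode, where the bootstrap must be a <see cref="TransportSecurityBindingElement"/>.</param>
/// <param name="isReliableSession">true when reliable sessions are on; then secure conversation is mandatory.</param>
/// <param name="messageSecurity">The recovered settings, or null when <paramref name="sbe"/> does not match.</param>
/// <returns>true when <paramref name="sbe"/> matches a known shape; otherwise false.</returns>
/// <remarks>
/// Drops the unused <c>algorithmSuite</c> local and folds the four identical InfoCard probes into one local
/// function; the accepted shapes and their order are unchanged. Issued-token bootstraps that are not the
/// InfoCard shape are rejected without trying later shapes.
/// </remarks>
internal static bool TryCreate<TSecurity>(SecurityBindingElement sbe, bool isSecureTransportMode, bool isReliableSession, out TSecurity messageSecurity) where TSecurity : MessageSecurityOverHttp
{
    Fx.Assert(null != sbe, string.Empty);
    messageSecurity = null;

    // do not check local settings: sbe.LocalServiceSettings and sbe.LocalClientSettings
    if (!sbe.IncludeTimestamp)
    {
        return false;
    }
    // Do not check MessageSecurityVersion: it maybe changed by the wrapper element and gets checked later in the SecuritySection.AreBindingsMatching()
    if (sbe.SecurityHeaderLayout != SecurityProtocolFactory.defaultSecurityHeaderLayout)
    {
        return false;
    }

    SecurityBindingElement bootstrapSecurity;
    bool isSecureConversation = SecurityBindingElement.IsSecureConversationBinding(sbe, true, out bootstrapSecurity);
    if (!isSecureConversation)
    {
        bootstrapSecurity = sbe;
    }
    if (!isSecureConversation && typeof(TSecurity).Equals(typeof(MessageSecurityOverHttp)))
    {
        return false;
    }
    if (!isSecureConversation && isReliableSession)
    {
        return false;
    }
    if (isSecureTransportMode && !(bootstrapSecurity is TransportSecurityBindingElement))
    {
        return false;
    }

    // Issued-token shapes round-trip only when their parameters are the InfoCard shape for sbe's version.
    bool IsInfoCard(IssuedSecurityTokenParameters parameters)
    {
        return IssuedSecurityTokenParameters.IsInfoCardParameters(
            parameters,
            new SecurityStandardsManager(
                sbe.MessageSecurityVersion,
                new WSSecurityTokenSerializer(sbe.MessageSecurityVersion.SecurityVersion, sbe.MessageSecurityVersion.TrustVersion, sbe.MessageSecurityVersion.SecureConversationVersion, true, null, null, null)));
    }

    bool negotiateServiceCredential = DefaultNegotiateServiceCredential;
    MessageCredentialType clientCredentialType;
    IssuedSecurityTokenParameters infocardParameters;
    if (isSecureTransportMode)
    {
        if (SecurityBindingElement.IsUserNameOverTransportBinding(bootstrapSecurity))
        {
            clientCredentialType = MessageCredentialType.UserName;
        }
        else if (SecurityBindingElement.IsCertificateOverTransportBinding(bootstrapSecurity))
        {
            clientCredentialType = MessageCredentialType.Certificate;
        }
        else if (SecurityBindingElement.IsSspiNegotiationOverTransportBinding(bootstrapSecurity, true))
        {
            clientCredentialType = MessageCredentialType.Windows;
        }
        else if (SecurityBindingElement.IsIssuedTokenOverTransportBinding(bootstrapSecurity, out infocardParameters))
        {
            if (!IsInfoCard(infocardParameters))
            {
                return false;
            }
            clientCredentialType = MessageCredentialType.IssuedToken;
        }
        else
        {
            // the standard binding does not support None client credential type in mixed mode
            return false;
        }
    }
    else if (SecurityBindingElement.IsSslNegotiationBinding(bootstrapSecurity, false, true))
    {
        negotiateServiceCredential = true;
        clientCredentialType = MessageCredentialType.None;
    }
    else if (SecurityBindingElement.IsUserNameForSslBinding(bootstrapSecurity, true))
    {
        negotiateServiceCredential = true;
        clientCredentialType = MessageCredentialType.UserName;
    }
    else if (SecurityBindingElement.IsSslNegotiationBinding(bootstrapSecurity, true, true))
    {
        negotiateServiceCredential = true;
        clientCredentialType = MessageCredentialType.Certificate;
    }
    else if (SecurityBindingElement.IsSspiNegotiationBinding(bootstrapSecurity, true))
    {
        negotiateServiceCredential = true;
        clientCredentialType = MessageCredentialType.Windows;
    }
    else if (SecurityBindingElement.IsIssuedTokenForSslBinding(bootstrapSecurity, true, out infocardParameters))
    {
        if (!IsInfoCard(infocardParameters))
        {
            return false;
        }
        negotiateServiceCredential = true;
        clientCredentialType = MessageCredentialType.IssuedToken;
    }
    else if (SecurityBindingElement.IsUserNameForCertificateBinding(bootstrapSecurity))
    {
        negotiateServiceCredential = false;
        clientCredentialType = MessageCredentialType.UserName;
    }
    else if (SecurityBindingElement.IsMutualCertificateBinding(bootstrapSecurity))
    {
        negotiateServiceCredential = false;
        clientCredentialType = MessageCredentialType.Certificate;
    }
    else if (SecurityBindingElement.IsKerberosBinding(bootstrapSecurity))
    {
        negotiateServiceCredential = false;
        clientCredentialType = MessageCredentialType.Windows;
    }
    else if (SecurityBindingElement.IsIssuedTokenForCertificateBinding(bootstrapSecurity, out infocardParameters))
    {
        if (!IsInfoCard(infocardParameters))
        {
            return false;
        }
        negotiateServiceCredential = false;
        clientCredentialType = MessageCredentialType.IssuedToken;
    }
    else if (SecurityBindingElement.IsAnonymousForCertificateBinding(bootstrapSecurity))
    {
        negotiateServiceCredential = false;
        clientCredentialType = MessageCredentialType.None;
    }
    else
    {
        return false;
    }

    // Do not check any Local* settings
    // Do not check DefaultAlgorithmSuite: is it often changed after the Security element is created, it will verified by SecuritySectionBase.AreBindingsMatching().
    if (typeof(NonDualMessageSecurityOverHttp).Equals(typeof(TSecurity)))
    {
        NonDualMessageSecurityOverHttp nonDual = new NonDualMessageSecurityOverHttp();
        nonDual.EstablishSecurityContext = isSecureConversation;
        messageSecurity = (TSecurity)(object)nonDual;
    }
    else
    {
        messageSecurity = (TSecurity)(object)new MessageSecurityOverHttp();
    }
    messageSecurity.ClientCredentialType = clientCredentialType;
    messageSecurity.NegotiateServiceCredential = negotiateServiceCredential;
    messageSecurity.AlgorithmSuite = sbe.DefaultAlgorithmSuite;
    return true;
}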
/// <summary>
/// Builds the message-security element for this binding from Security.Message, or returns null for
/// Transport / None modes.
/// </summary>
/// <returns>
/// A <see cref="SymmetricSecurityBindingElement"/> (WS-Security 1.1 / WS-Trust Feb 2005 / BSP 1.0, signature
/// confirmation on except for UserName), wrapped in a secure-conversation element when EstablishSecurityContext is set.
/// </returns>
/// <remarks>
/// For every credential type except Windows, the protection token is either a negotiated SSL token or a
/// thumbprint-referenced X.509 token (never included), depending on NegotiateServiceCredential.
/// The IssuedToken case builds the issuer binding from a text encoder and this binding's transport only,
/// with no security binding element — see the FIXME on that line. The SSPI/Kerberos, SSL and
/// ChannelProtectionRequirements setups are likewise still marked FIXME by the author.
/// </remarks>
protected override SecurityBindingElement CreateMessageSecurity()
{
	if (Security.Mode == SecurityMode.Transport || Security.Mode == SecurityMode.None)
		return null;

	var element = new SymmetricSecurityBindingElement {
		MessageSecurityVersion = MessageSecurityVersion.WSSecurity11WSTrustFebruary2005WSSecureConversationFebruary2005WSSecurityPolicy11BasicSecurityProfile10,
		RequireSignatureConfirmation = true,
	};

	// Shared tail for every credential type except Windows: how the service credential is protected.
	void SetServiceCredentialProtection ()
	{
		if (Security.Message.NegotiateServiceCredential) {
			element.ProtectionTokenParameters =
				// FIXME: fill proper parameters
				new SslSecurityTokenParameters (false, true);
		} else {
			element.ProtectionTokenParameters = new X509SecurityTokenParameters (X509KeyIdentifierClauseType.Thumbprint, SecurityTokenInclusionMode.Never);
			element.ProtectionTokenParameters.RequireDerivedKeys = true;
		}
	}

	switch (Security.Message.ClientCredentialType) {
	case MessageCredentialType.Certificate:
		var endorsingCert = new X509SecurityTokenParameters (X509KeyIdentifierClauseType.Thumbprint);
		endorsingCert.RequireDerivedKeys = false;
		element.EndpointSupportingTokenParameters.Endorsing.Add (endorsingCert);
		SetServiceCredentialProtection ();
		break;
	case MessageCredentialType.IssuedToken:
		var issued = new IssuedSecurityTokenParameters ();
		// FIXME: issuer binding must be secure.
		issued.IssuerBinding = new CustomBinding (
			new TextMessageEncodingBindingElement (),
			GetTransport ());
		element.EndpointSupportingTokenParameters.Endorsing.Add (issued);
		SetServiceCredentialProtection ();
		break;
	case MessageCredentialType.UserName:
		element.EndpointSupportingTokenParameters.SignedEncrypted.Add (
			new UserNameSecurityTokenParameters ());
		element.RequireSignatureConfirmation = false;
		SetServiceCredentialProtection ();
		break;
	case MessageCredentialType.Windows:
		if (Security.Message.NegotiateServiceCredential) {
			// No SSPI on Linux though...
			element.ProtectionTokenParameters =
				// FIXME: fill proper parameters
				new SspiSecurityTokenParameters ();
		} else {
			// and no Kerberos ...
			element.ProtectionTokenParameters = new KerberosSecurityTokenParameters ();
		}
		break;
	default: // including .None
		SetServiceCredentialProtection ();
		break;
	}

	if (!Security.Message.EstablishSecurityContext)
		return element;

	// SecureConversation enabled
	var reqs = new ChannelProtectionRequirements ();
	// FIXME: fill the reqs
	return SecurityBindingElement.CreateSecureConversationBindingElement (
		// FIXME: requireCancellation
		element, true, reqs);
}
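/// <summary>
/// Creates a custom binding based on an example generated from svcutil.exe
/// </summary>
/// <param name="exeConfigPath">Path of the .exe.config whose system.serviceModel customBinding section is read.</param>
/// <returns>
/// One <see cref="CustomBinding"/> per configured custom binding, carrying only the
/// <see cref="SecurityBindingElement"/> derived from its first <c>&lt;security&gt;</c> element
/// (bindings whose first element is not <c>&lt;security&gt;</c> are returned empty);
/// <c>null</c> when <paramref name="exeConfigPath"/> is blank.
/// </returns>
/// <exception cref="NotImplementedException">The configured authentication mode has no factory mapping.</exception>
/// <remarks>
/// https://msdn.microsoft.com/en-us/library/ms731690(v=vs.110).aspx
/// </remarks>
public static List<CustomBinding> GetCustomBindings(string exeConfigPath)
{
    if (string.IsNullOrWhiteSpace(exeConfigPath))
    {
        return null;
    }

    var svcSection = Read.Config.ExeConfig.GetServiceModelSection(exeConfigPath);
    var configs = new List<CustomBinding>();

    foreach (var section in svcSection.Bindings.CustomBinding.ConfiguredBindings.Cast<CustomBindingElement>())
    {
        var binding = new CustomBinding { Name = section.Name };

        // Only the first element is inspected (svcutil emits <security> first). An empty
        // <customBinding> used to throw on section[0]; it is now treated as "no security element".
        var cfgSecurity = section.Count > 0 ? section[0] as SecurityElement : null;
        if (cfgSecurity == null)
        {
            configs.Add(binding);
            continue;
        }

        var issuedTokenParameter = BuildIssuedTokenParameters(cfgSecurity);
        var securityElement = BuildSecurityBindingElement(cfgSecurity.AuthenticationMode, cfgSecurity.MessageSecurityVersion, issuedTokenParameter);

        // Copied verbatim from config. AllowInsecureTransport and EnableUnsecuredResponse both relax
        // protection (mixed-mode security over a plain transport / unprotected replies), so an opt-in
        // in the config file is honoured as-is here.
        securityElement.AllowInsecureTransport = cfgSecurity.AllowInsecureTransport;
        securityElement.DefaultAlgorithmSuite = cfgSecurity.DefaultAlgorithmSuite;
        securityElement.EnableUnsecuredResponse = cfgSecurity.EnableUnsecuredResponse;
        securityElement.IncludeTimestamp = cfgSecurity.IncludeTimestamp;
        securityElement.MessageSecurityVersion = cfgSecurity.MessageSecurityVersion;
        securityElement.KeyEntropyMode = cfgSecurity.KeyEntropyMode;
        securityElement.ProtectTokens = cfgSecurity.ProtectTokens;
        securityElement.SecurityHeaderLayout = cfgSecurity.SecurityHeaderLayout;
        securityElement.SetKeyDerivation(cfgSecurity.RequireDerivedKeys);

        binding.Elements.Add(securityElement);
        configs.Add(binding);
    }

    return configs;
}

/// <summary>
/// Maps the <c>&lt;issuedTokenParameters&gt;</c> sub-element (extra request XML, issuer address/binding,
/// issuer metadata address) onto a new <see cref="IssuedSecurityTokenParameters"/>.
/// </summary>
/// <param name="cfgSecurity">The configured <c>&lt;security&gt;</c> element.</param>
/// <returns>The populated parameters; unset config values are left at their defaults.</returns>
private static IssuedSecurityTokenParameters BuildIssuedTokenParameters(SecurityElement cfgSecurity)
{
    var issuedTokenParameter = new IssuedSecurityTokenParameters();
    var cfgIssued = cfgSecurity.IssuedTokenParameters;

    if (cfgIssued.AdditionalRequestParameters != null)
    {
        foreach (var arp in cfgIssued.AdditionalRequestParameters.Cast<XmlElementElement>())
        {
            issuedTokenParameter.AdditionalRequestParameters.Add(arp.XmlElement);
        }
    }

    if (cfgIssued.Issuer?.Address != null)
    {
        issuedTokenParameter.IssuerAddress = GetEnpointAddressWithIdentity(cfgIssued.Issuer.Address, cfgIssued.Issuer.Identity);
    }

    if (cfgIssued.Issuer?.Binding != null)
    {
        issuedTokenParameter.IssuerBinding = GetBindingByName(cfgIssued.Issuer.Binding);
    }

    if (cfgIssued.IssuerMetadata?.Address != null)
    {
        issuedTokenParameter.IssuerMetadataAddress = GetEnpointAddressWithIdentity(cfgIssued.IssuerMetadata.Address, cfgIssued.IssuerMetadata.Identity);
    }

    return issuedTokenParameter;
}

/// <summary>
/// Picks the <see cref="SecurityBindingElement"/> factory that corresponds to a configured
/// <see cref="AuthenticationMode"/>.
/// </summary>
/// <param name="mode">The configured authentication mode.</param>
/// <param name="msgSecurityVersion">Passed to the factories that take a version; overwritten by the caller afterwards anyway.</param>
/// <param name="issuedTokenParameter">Used by the IssuedToken* modes.</param>
/// <returns>A fresh security binding element for <paramref name="mode"/>.</returns>
/// <exception cref="NotImplementedException"><paramref name="mode"/> has no mapping.</exception>
private static SecurityBindingElement BuildSecurityBindingElement(AuthenticationMode mode, MessageSecurityVersion msgSecurityVersion, IssuedSecurityTokenParameters issuedTokenParameter)
{
    switch (mode)
    {
        case AuthenticationMode.IssuedTokenOverTransport:
            return SecurityBindingElement.CreateIssuedTokenOverTransportBindingElement(issuedTokenParameter);
        case AuthenticationMode.AnonymousForCertificate:
            return SecurityBindingElement.CreateAnonymousForCertificateBindingElement();
        case AuthenticationMode.AnonymousForSslNegotiated:
            return SecurityBindingElement.CreateSslNegotiationBindingElement(false);
        case AuthenticationMode.CertificateOverTransport:
            return SecurityBindingElement.CreateCertificateOverTransportBindingElement(msgSecurityVersion);
        case AuthenticationMode.IssuedToken:
            return SecurityBindingElement.CreateIssuedTokenBindingElement(issuedTokenParameter);
        case AuthenticationMode.IssuedTokenForCertificate:
            return SecurityBindingElement.CreateIssuedTokenForCertificateBindingElement(issuedTokenParameter);
        case AuthenticationMode.IssuedTokenForSslNegotiated:
            return SecurityBindingElement.CreateIssuedTokenForSslBindingElement(issuedTokenParameter);
        case AuthenticationMode.Kerberos:
            return SecurityBindingElement.CreateKerberosBindingElement();
        case AuthenticationMode.KerberosOverTransport:
            return SecurityBindingElement.CreateKerberosOverTransportBindingElement();
        case AuthenticationMode.MutualCertificate:
            return SecurityBindingElement.CreateMutualCertificateBindingElement(msgSecurityVersion);
        case AuthenticationMode.MutualCertificateDuplex:
            return SecurityBindingElement.CreateMutualCertificateDuplexBindingElement(msgSecurityVersion);
        case AuthenticationMode.MutualSslNegotiated:
            // "Mutual" means the client must present a certificate during the SSL negotiation;
            // passing false here (as AnonymousForSslNegotiated does) would silently drop client authentication.
            return SecurityBindingElement.CreateSslNegotiationBindingElement(true);
        case AuthenticationMode.SspiNegotiated:
            return SecurityBindingElement.CreateSspiNegotiationBindingElement();
        case AuthenticationMode.SspiNegotiatedOverTransport:
            return SecurityBindingElement.CreateSspiNegotiationOverTransportBindingElement();
        case AuthenticationMode.UserNameForCertificate:
            return SecurityBindingElement.CreateUserNameForCertificateBindingElement();
        case AuthenticationMode.UserNameForSslNegotiated:
            return SecurityBindingElement.CreateUserNameForSslBindingElement();
        case AuthenticationMode.UserNameOverTransport:
            return SecurityBindingElement.CreateUserNameOverTransportBindingElement();
        default:
            throw new NotImplementedException($"No SecurityBindingElement factory for AuthenticationMode.{mode}.");
    }
}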
/// <summary>
/// Copies the runtime settings of <paramref name="source"/> onto this configuration element:
/// key type/size, token type, STR transform, issuer and issuer-metadata addresses, default message
/// security version, additional request parameters, claim-type requirements and alternative issuers.
/// </summary>
/// <param name="source">The parameters to read from; must not be null.</param>
/// <param name="initializeNestedBindings">
/// When true, each issuer binding (primary and alternative) is registered in the bindings section via
/// <c>BindingsSection.TryAdd</c> and referenced from this element by the returned section name.
/// </param>
internal void InitializeFrom(IssuedSecurityTokenParameters source, bool initializeNestedBindings)
{
    if (null == source)
    {
        throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("source");
    }
    SetPropertyValueIfNotDefaultValue(ConfigurationStrings.KeyType, source.KeyType);
    // KeySize 0 is left unset so the element keeps its configured default.
    if (source.KeySize > 0)
    {
        SetPropertyValueIfNotDefaultValue(ConfigurationStrings.KeySize, source.KeySize);
    }
    SetPropertyValueIfNotDefaultValue(ConfigurationStrings.TokenType, source.TokenType);
    SetPropertyValueIfNotDefaultValue(ConfigurationStrings.UseStrTransform, source.UseStrTransform);
    if (source.IssuerAddress != null)
    {
        this.Issuer.InitializeFrom(source.IssuerAddress);
    }
    if (source.DefaultMessageSecurityVersion != null)
    {
        SetPropertyValueIfNotDefaultValue(ConfigurationStrings.DefaultMessageSecurityVersion, source.DefaultMessageSecurityVersion);
    }
    if (source.IssuerBinding != null && initializeNestedBindings)
    {
        // The issuer address doubles as the binding-configuration name.
        // NOTE(review): this.Issuer is only initialised above when source.IssuerAddress is non-null,
        // so Issuer.Address may still be null here for a binding without an address — confirm callers
        // never pass IssuerBinding without IssuerAddress.
        this.Issuer.BindingConfiguration = this.Issuer.Address.ToString();
        string bindingSectionName;
        // NOTE(review): the TryAdd result is not checked; on failure Binding is set to whatever the
        // out parameter holds — confirm that is acceptable.
        BindingsSection.TryAdd(this.Issuer.BindingConfiguration, source.IssuerBinding, out bindingSectionName);
        this.Issuer.Binding = bindingSectionName;
    }
    if (source.IssuerMetadataAddress != null)
    {
        this.IssuerMetadata.InitializeFrom(source.IssuerMetadataAddress);
    }
    foreach (XmlElement element in source.AdditionalRequestParameters)
    {
        this.AdditionalRequestParameters.Add(new XmlElementElement(element));
    }
    foreach (ClaimTypeRequirement c in source.ClaimTypeRequirements)
    {
        this.ClaimTypeRequirements.Add(new ClaimTypeElement(c.ClaimType, c.IsOptional));
    }
    // Each alternative issuer becomes a nested element, registered the same way as the primary issuer.
    foreach (IssuedSecurityTokenParameters.AlternativeIssuerEndpoint alternativeIssuer in source.AlternativeIssuerEndpoints)
    {
        IssuedTokenParametersElement element = new IssuedTokenParametersElement();
        element.Issuer.InitializeFrom(alternativeIssuer.IssuerAddress);
        if (initializeNestedBindings)
        {
            element.Issuer.BindingConfiguration = element.Issuer.Address.ToString();
            string bindingSectionName;
            BindingsSection.TryAdd(element.Issuer.BindingConfiguration, alternativeIssuer.IssuerBinding, out bindingSectionName);
            element.Issuer.Binding = bindingSectionName;
        }
        this.OptionalIssuedTokenParameters.Add(element);
    }
}
/// <summary>
/// Builds the secure-conversation security element for this credential type: a one-shot bootstrap
/// element chosen by <c>clientCredentialType</c> and transport mode, wrapped by
/// <see cref="SecurityBindingElement.CreateSecureConversationBindingElement(SecurityBindingElement)"/>.
/// </summary>
/// <param name="isSecureTransportMode">True for mixed mode (credentials over a secure transport); false for message security over SSL negotiation.</param>
/// <param name="isReliableSession">Controls ReconnectTransportOnFailure on both local settings.</param>
/// <param name="transportBindingElement">Not referenced by this body.</param>
/// <returns>The session element; the bootstrap is reachable through it.</returns>
/// <exception cref="InvalidOperationException">None credential type in mixed mode.</exception>
/// <exception cref="NotSupportedException">Unknown credential type.</exception>
internal SecurityBindingElement CreateSecurityBindingElement(bool isSecureTransportMode, bool isReliableSession, BindingElement transportBindingElement)
{
    SecurityBindingElement bootstrap;
    SecurityBindingElement session;

    if (isSecureTransportMode)
    {
        switch (this.clientCredentialType)
        {
            case MessageCredentialType.None:
                throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new InvalidOperationException(System.ServiceModel.SR.GetString("ClientCredentialTypeMustBeSpecifiedForMixedMode")));
            case MessageCredentialType.Windows:
                bootstrap = SecurityBindingElement.CreateSspiNegotiationOverTransportBindingElement(true);
                break;
            case MessageCredentialType.UserName:
                bootstrap = SecurityBindingElement.CreateUserNameOverTransportBindingElement();
                break;
            case MessageCredentialType.Certificate:
                bootstrap = SecurityBindingElement.CreateCertificateOverTransportBindingElement();
                break;
            case MessageCredentialType.IssuedToken:
                bootstrap = SecurityBindingElement.CreateIssuedTokenOverTransportBindingElement(IssuedSecurityTokenParameters.CreateInfoCardParameters(new SecurityStandardsManager(), this.algorithmSuite));
                break;
            default:
                throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new NotSupportedException());
        }
        session = SecurityBindingElement.CreateSecureConversationBindingElement(bootstrap);
    }
    else
    {
        switch (this.clientCredentialType)
        {
            case MessageCredentialType.None:
                bootstrap = SecurityBindingElement.CreateSslNegotiationBindingElement(false, true);
                break;
            case MessageCredentialType.Windows:
                bootstrap = SecurityBindingElement.CreateSspiNegotiationBindingElement(true);
                break;
            case MessageCredentialType.UserName:
                bootstrap = SecurityBindingElement.CreateUserNameForSslBindingElement(true);
                break;
            case MessageCredentialType.Certificate:
                bootstrap = SecurityBindingElement.CreateSslNegotiationBindingElement(true, true);
                break;
            case MessageCredentialType.IssuedToken:
                bootstrap = SecurityBindingElement.CreateIssuedTokenForSslBindingElement(IssuedSecurityTokenParameters.CreateInfoCardParameters(new SecurityStandardsManager(), this.algorithmSuite), true);
                break;
            default:
                throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new NotSupportedException());
        }
        // Message mode requires cancellation of the session token.
        session = SecurityBindingElement.CreateSecureConversationBindingElement(bootstrap, true);
    }

    session.DefaultAlgorithmSuite = bootstrap.DefaultAlgorithmSuite = this.AlgorithmSuite;
    session.IncludeTimestamp = true;
    session.LocalServiceSettings.ReconnectTransportOnFailure = isReliableSession;
    session.LocalClientSettings.ReconnectTransportOnFailure = isReliableSession;
    // The bootstrap's transition token only has to live long enough to establish the session.
    bootstrap.LocalServiceSettings.IssuedCookieLifetime = NegotiationTokenAuthenticator<SspiNegotiationTokenAuthenticatorState>.defaultServerIssuedTransitionTokenLifetime;
    session.MessageSecurityVersion = MessageSecurityVersion.WSSecurity11WSTrustFebruary2005WSSecureConversationFebruary2005WSSecurityPolicy11;
    bootstrap.MessageSecurityVersion = MessageSecurityVersion.WSSecurity11WSTrustFebruary2005WSSecureConversationFebruary2005WSSecurityPolicy11;
    return session;
}
/// <summary>
/// Recognises a security element shaped like the ones this binding produces and reads the client
/// credential type (and, except for issued tokens, the algorithm suite) back into a
/// <see cref="MessageSecurityOverTcp"/>.
/// </summary>
/// <param name="sbe">Candidate element; null is rejected.</param>
/// <param name="isReliableSession">Not referenced by this body.</param>
/// <param name="transportBindingElement">Not referenced by this body.</param>
/// <param name="messageSecurity">The reconstructed settings, or null when the element is not recognised.</param>
/// <returns>True when <paramref name="sbe"/> is a secure-conversation element over a supported bootstrap.</returns>
internal static bool TryCreate(SecurityBindingElement sbe, bool isReliableSession, BindingElement transportBindingElement, out MessageSecurityOverTcp messageSecurity)
{
    messageSecurity = null;
    if (sbe == null)
    {
        return false;
    }

    // do not check local settings: sbe.LocalServiceSettings and sbe.LocalClientSettings
    if (!sbe.IncludeTimestamp)
    {
        return false;
    }

    bool knownVersion =
        sbe.MessageSecurityVersion == MessageSecurityVersion.WSSecurity11WSTrustFebruary2005WSSecureConversationFebruary2005WSSecurityPolicy11
        || sbe.MessageSecurityVersion == MessageSecurityVersion.WSSecurity11WSTrustFebruary2005WSSecureConversationFebruary2005WSSecurityPolicy11BasicSecurityProfile10;
    if (!knownVersion || sbe.SecurityHeaderLayout != SecurityProtocolFactory.defaultSecurityHeaderLayout)
    {
        return false;
    }

    SecurityBindingElement bootstrapSecurity;
    if (!SecurityBindingElement.IsSecureConversationBinding(sbe, true, out bootstrapSecurity))
    {
        return false;
    }

    // A transport bootstrap means mixed mode; anything else is message security over SSL negotiation.
    bool isSecureTransportMode = bootstrapSecurity is TransportSecurityBindingElement;
    MessageCredentialType clientCredentialType;
    bool recognised = isSecureTransportMode
        ? TryMatchTransportBootstrap(bootstrapSecurity, out clientCredentialType)
        : TryMatchSslBootstrap(bootstrapSecurity, out clientCredentialType);
    if (!recognised)
    {
        return false;
    }

    messageSecurity = new MessageSecurityOverTcp();
    messageSecurity.ClientCredentialType = clientCredentialType;
    // set the algorithm suite and issued token params if required
    if (clientCredentialType != MessageCredentialType.IssuedToken)
    {
        messageSecurity.AlgorithmSuite = bootstrapSecurity.DefaultAlgorithmSuite;
    }
    return true;
}

/// <summary>
/// Mixed mode: maps a transport-level bootstrap to its credential type.
/// </summary>
/// <param name="bootstrapSecurity">The bootstrap element extracted from the secure-conversation element.</param>
/// <param name="clientCredentialType">The matched credential type; meaningful only when true is returned.</param>
/// <returns>False for unrecognised bootstraps and for issued-token bootstraps that are not InfoCard-shaped.</returns>
private static bool TryMatchTransportBootstrap(SecurityBindingElement bootstrapSecurity, out MessageCredentialType clientCredentialType)
{
    if (SecurityBindingElement.IsUserNameOverTransportBinding(bootstrapSecurity))
    {
        clientCredentialType = MessageCredentialType.UserName;
        return true;
    }
    if (SecurityBindingElement.IsCertificateOverTransportBinding(bootstrapSecurity))
    {
        clientCredentialType = MessageCredentialType.Certificate;
        return true;
    }
    if (SecurityBindingElement.IsSspiNegotiationOverTransportBinding(bootstrapSecurity, true))
    {
        clientCredentialType = MessageCredentialType.Windows;
        return true;
    }
    IssuedSecurityTokenParameters infocardParameters;
    if (SecurityBindingElement.IsIssuedTokenOverTransportBinding(bootstrapSecurity, out infocardParameters))
    {
        clientCredentialType = MessageCredentialType.IssuedToken;
        return IsInfoCardIssuer(bootstrapSecurity, infocardParameters);
    }
    // the standard binding does not support None client credential type in mixed mode
    clientCredentialType = MessageCredentialType.None;
    return false;
}

/// <summary>
/// Message mode: maps an SSL-negotiation bootstrap to its credential type. Order matters: the
/// client-certificate form of SSL negotiation is tested before the anonymous form.
/// </summary>
/// <param name="bootstrapSecurity">The bootstrap element extracted from the secure-conversation element.</param>
/// <param name="clientCredentialType">The matched credential type; meaningful only when true is returned.</param>
/// <returns>False for unrecognised bootstraps and for issued-token bootstraps that are not InfoCard-shaped.</returns>
private static bool TryMatchSslBootstrap(SecurityBindingElement bootstrapSecurity, out MessageCredentialType clientCredentialType)
{
    if (SecurityBindingElement.IsUserNameForSslBinding(bootstrapSecurity, true))
    {
        clientCredentialType = MessageCredentialType.UserName;
        return true;
    }
    if (SecurityBindingElement.IsSslNegotiationBinding(bootstrapSecurity, true, true))
    {
        clientCredentialType = MessageCredentialType.Certificate;
        return true;
    }
    if (SecurityBindingElement.IsSspiNegotiationBinding(bootstrapSecurity, true))
    {
        clientCredentialType = MessageCredentialType.Windows;
        return true;
    }
    IssuedSecurityTokenParameters infocardParameters;
    if (SecurityBindingElement.IsIssuedTokenForSslBinding(bootstrapSecurity, true, out infocardParameters))
    {
        clientCredentialType = MessageCredentialType.IssuedToken;
        return IsInfoCardIssuer(bootstrapSecurity, infocardParameters);
    }
    if (SecurityBindingElement.IsSslNegotiationBinding(bootstrapSecurity, false, true))
    {
        clientCredentialType = MessageCredentialType.None;
        return true;
    }
    clientCredentialType = MessageCredentialType.None;
    return false;
}

/// <summary>
/// True when the issued-token parameters have the shape <c>IssuedSecurityTokenParameters.IsInfoCardParameters</c>
/// expects, checked with a serializer built for the bootstrap's own security version.
/// </summary>
/// <param name="bootstrapSecurity">Supplies the <see cref="MessageSecurityVersion"/> to build the standards manager with.</param>
/// <param name="infocardParameters">The parameters extracted from the bootstrap.</param>
private static bool IsInfoCardIssuer(SecurityBindingElement bootstrapSecurity, IssuedSecurityTokenParameters infocardParameters)
{
    MessageSecurityVersion version = bootstrapSecurity.MessageSecurityVersion;
    var serializer = new WSSecurityTokenSerializer(version.SecurityVersion, version.TrustVersion, version.SecureConversationVersion, true, null, null, null);
    return IssuedSecurityTokenParameters.IsInfoCardParameters(infocardParameters, new SecurityStandardsManager(version, serializer));
}
/// <summary>
/// Builds the symmetric security element for this credential type. Timestamps and replay detection
/// are switched off on the result; the Kerberos default algorithm suite is used for Windows
/// credentials unless a suite was set explicitly.
/// </summary>
/// <returns>A configured <see cref="SymmetricSecurityBindingElement"/>.</returns>
/// <exception cref="NotSupportedException">Unknown credential type.</exception>
internal SecurityBindingElement CreateSecurityBindingElement()
{
    SymmetricSecurityBindingElement result;
    switch (this.clientCredentialType)
    {
        case MessageCredentialType.None:
            result = SecurityBindingElement.CreateAnonymousForCertificateBindingElement();
            break;
        case MessageCredentialType.UserName:
            result = SecurityBindingElement.CreateUserNameForCertificateBindingElement();
            break;
        case MessageCredentialType.Certificate:
            result = (SymmetricSecurityBindingElement)SecurityBindingElement.CreateMutualCertificateBindingElement();
            break;
        case MessageCredentialType.Windows:
            result = SecurityBindingElement.CreateKerberosBindingElement();
            break;
        case MessageCredentialType.IssuedToken:
            result = SecurityBindingElement.CreateIssuedTokenForCertificateBindingElement(IssuedSecurityTokenParameters.CreateInfoCardParameters(new SecurityStandardsManager(), this.algorithmSuite));
            break;
        default:
            Fx.Assert("unknown ClientCredentialType");
            throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new NotSupportedException());
    }

    bool isKerberosSelected = this.clientCredentialType == MessageCredentialType.Windows;

    result.MessageSecurityVersion = MessageSecurityVersion.WSSecurity11WSTrustFebruary2005WSSecureConversationFebruary2005WSSecurityPolicy11;
    // set the algorithm suite and issued token params if required:
    // an explicit suite always wins; otherwise Kerberos gets its own default.
    if (isKerberosSelected && !wasAlgorithmSuiteSet)
    {
        result.DefaultAlgorithmSuite = SecurityAlgorithmSuite.KerberosDefault;
    }
    else
    {
        result.DefaultAlgorithmSuite = this.AlgorithmSuite;
    }

    // NOTE(review): no timestamp and no replay detection on this element — presumably because queued
    // delivery has no freshness window; confirm this is the intended trade-off for the binding.
    result.IncludeTimestamp = false;
    result.LocalServiceSettings.DetectReplays = false;
    result.LocalClientSettings.DetectReplays = false;
    return result;
}
/// <summary>
/// Builds the secure-conversation security element for this credential type. A one-shot bootstrap is
/// chosen by <c>clientCredentialType</c> and transport mode, then wrapped in a session element whose
/// reconnect behaviour follows <paramref name="isReliableSession"/>.
/// </summary>
/// <param name="isSecureTransportMode">True for mixed mode (credentials over a secure transport); false for message security over SSL negotiation.</param>
/// <param name="isReliableSession">Controls ReconnectTransportOnFailure on both local settings.</param>
/// <param name="transportBindingElement">Not referenced by this body.</param>
/// <returns>The session element.</returns>
/// <exception cref="InvalidOperationException">None credential type in mixed mode.</exception>
/// <exception cref="NotSupportedException">Unknown credential type.</exception>
internal SecurityBindingElement CreateSecurityBindingElement(bool isSecureTransportMode, bool isReliableSession, BindingElement transportBindingElement)
{
    SecurityBindingElement oneShotSecurity;
    SecurityBindingElement result;

    if (isSecureTransportMode)
    {
        oneShotSecurity = CreateMixedModeBootstrap();
        result = SecurityBindingElement.CreateSecureConversationBindingElement(oneShotSecurity);
    }
    else
    {
        oneShotSecurity = CreateMessageModeBootstrap();
        result = SecurityBindingElement.CreateSecureConversationBindingElement(oneShotSecurity, true);
    }

    // set the algorithm suite and issued token params if required
    result.DefaultAlgorithmSuite = oneShotSecurity.DefaultAlgorithmSuite = this.AlgorithmSuite;
    result.IncludeTimestamp = true;
    result.LocalServiceSettings.ReconnectTransportOnFailure = isReliableSession;
    result.LocalClientSettings.ReconnectTransportOnFailure = isReliableSession;
    // since a session is always bootstrapped, configure the transition sct to live for a short time only
    oneShotSecurity.LocalServiceSettings.IssuedCookieLifetime = SpnegoTokenAuthenticator.defaultServerIssuedTransitionTokenLifetime;
    result.MessageSecurityVersion = MessageSecurityVersion.WSSecurity11WSTrustFebruary2005WSSecureConversationFebruary2005WSSecurityPolicy11;
    oneShotSecurity.MessageSecurityVersion = MessageSecurityVersion.WSSecurity11WSTrustFebruary2005WSSecureConversationFebruary2005WSSecurityPolicy11;
    return result;
}

/// <summary>
/// Bootstrap for mixed mode: the client credential rides over an already-secure transport.
/// </summary>
/// <exception cref="InvalidOperationException">None is not a valid credential type here.</exception>
/// <exception cref="NotSupportedException">Unknown credential type.</exception>
private SecurityBindingElement CreateMixedModeBootstrap()
{
    switch (this.clientCredentialType)
    {
        case MessageCredentialType.None:
            throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new InvalidOperationException(SR.GetString(SR.ClientCredentialTypeMustBeSpecifiedForMixedMode)));
        case MessageCredentialType.UserName:
            return SecurityBindingElement.CreateUserNameOverTransportBindingElement();
        case MessageCredentialType.Certificate:
            return SecurityBindingElement.CreateCertificateOverTransportBindingElement();
        case MessageCredentialType.Windows:
            return SecurityBindingElement.CreateSspiNegotiationOverTransportBindingElement(true);
        case MessageCredentialType.IssuedToken:
            return SecurityBindingElement.CreateIssuedTokenOverTransportBindingElement(IssuedSecurityTokenParameters.CreateInfoCardParameters(new SecurityStandardsManager(), this.algorithmSuite));
        default:
            Fx.Assert("unknown ClientCredentialType");
            throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new NotSupportedException());
    }
}

/// <summary>
/// Bootstrap for message mode: the service is authenticated by SSL negotiation at the message layer.
/// </summary>
/// <exception cref="NotSupportedException">Unknown credential type.</exception>
private SecurityBindingElement CreateMessageModeBootstrap()
{
    switch (this.clientCredentialType)
    {
        case MessageCredentialType.None:
            return SecurityBindingElement.CreateSslNegotiationBindingElement(false, true);
        case MessageCredentialType.UserName:
            // require cancellation so that impersonation is possible
            return SecurityBindingElement.CreateUserNameForSslBindingElement(true);
        case MessageCredentialType.Certificate:
            return SecurityBindingElement.CreateSslNegotiationBindingElement(true, true);
        case MessageCredentialType.Windows:
            // require cancellation so that impersonation is possible
            return SecurityBindingElement.CreateSspiNegotiationBindingElement(true);
        case MessageCredentialType.IssuedToken:
            return SecurityBindingElement.CreateIssuedTokenForSslBindingElement(IssuedSecurityTokenParameters.CreateInfoCardParameters(new SecurityStandardsManager(), this.algorithmSuite), true);
        default:
            Fx.Assert("unknown ClientCredentialType");
            throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new NotSupportedException());
    }
}
/// <summary>
/// Walks the issued-token parameters from the relying party back through each issuer
/// (<c>TryGetNextStsIssuedTokenParameters</c> on the issuer binding) and produces one
/// <see cref="PolicyElement"/> per hop, plus a trailing element when the last hop referred to a managed issuer.
/// </summary>
/// <param name="target">Address of the first relying party.</param>
/// <param name="outerBinding">Binding used for the security version when a hop has no issuer binding.</param>
/// <param name="parameters">Parameters of the first hop; null yields an empty chain.</param>
/// <param name="firstPrivacyNoticeLink">Privacy notice link for the first hop.</param>
/// <param name="firstPrivacyNoticeVersion">Privacy notice version for the first hop.</param>
/// <param name="clientCredentialsTokenManager">Creates the token serializer used to build each hop's request parameters.</param>
/// <returns>The chain in hop order.</returns>
private static PolicyElement[] GetPolicyChain(EndpointAddress target, Binding outerBinding, IssuedSecurityTokenParameters parameters, Uri firstPrivacyNoticeLink, int firstPrivacyNoticeVersion, SecurityTokenManager clientCredentialsTokenManager)
{
    var chain = new List<PolicyElement>();
    EndpointAddress relyingParty = target;
    Binding bindingForVersion = outerBinding;
    Uri privacyLink = firstPrivacyNoticeLink;
    int privacyVersion = firstPrivacyNoticeVersion;
    bool managedIssuer = false;

    for (IssuedSecurityTokenParameters hop = parameters; hop != null; hop = TryGetNextStsIssuedTokenParameters(hop.IssuerBinding))
    {
        // Fall back to the previous hop's binding when this hop carries no issuer binding of its own.
        Binding versionSource = hop.IssuerBinding == null ? bindingForVersion : hop.IssuerBinding;
        MessageSecurityVersion version = GetBindingSecurityVersionOrDefault(versionSource);
        var serializer = clientCredentialsTokenManager.CreateSecurityTokenSerializer(version.SecurityTokenVersion);

        chain.Add(new PolicyElement(relyingParty, hop.IssuerAddress, hop.CreateRequestParameters(version, serializer), privacyLink, privacyVersion, managedIssuer, hop.IssuerBinding));

        // State for the next hop is derived from this hop's issuer binding.
        managedIssuer = IsReferralToManagedIssuer(hop.IssuerBinding);
        GetPrivacyNoticeLinkFromIssuerBinding(hop.IssuerBinding, out privacyLink, out privacyVersion);
        relyingParty = hop.IssuerAddress;
        bindingForVersion = hop.IssuerBinding;
    }

    if (managedIssuer)
    {
        chain.Add(new PolicyElement(relyingParty, null, null, privacyLink, privacyVersion, managedIssuer, null));
    }
    return chain.ToArray();
}
// It is problematic, but there is no option to disable establishing security context in this binding unlike WSHttpBinding...
/// <summary>
/// Builds the message-level security element for this binding, or <c>null</c> when <c>Security.Mode</c>
/// is Transport or None. The result is always wrapped in a secure-conversation element.
/// </summary>
/// <returns>The secure-conversation element over a <see cref="SymmetricSecurityBindingElement"/>.</returns>
SecurityBindingElement CreateMessageSecurity()
{
    SecurityMode mode = Security.Mode;
    if (mode == SecurityMode.Transport || mode == SecurityMode.None)
    {
        return null;
    }

    // FIXME: this is wrong. Could be Asymmetric, depends on Security.Message.AlgorithmSuite value.
    var element = new SymmetricSecurityBindingElement();
    element.MessageSecurityVersion = MessageSecurityVersion.Default;
    element.SetKeyDerivation(false);

    MessageCredentialType credentialType = Security.Message.ClientCredentialType;
    if (credentialType == MessageCredentialType.Windows)
    {
        // Windows is the only credential type that replaces the service-certificate protection token.
        element.ProtectionTokenParameters = new KerberosSecurityTokenParameters();
    }
    else
    {
        switch (credentialType)
        {
            case MessageCredentialType.Certificate:
                element.EndpointSupportingTokenParameters.Endorsing.Add(new X509SecurityTokenParameters());
                break;
            case MessageCredentialType.IssuedToken:
            {
                // FIXME: issuer binding must be secure. This binding is a text encoder over GetTransport()
                // with no security element, so the token request is not protected.
                var issued = new IssuedSecurityTokenParameters();
                issued.IssuerBinding = new CustomBinding(new TextMessageEncodingBindingElement(), GetTransport());
                element.EndpointSupportingTokenParameters.Endorsing.Add(issued);
                break;
            }
            case MessageCredentialType.UserName:
                element.EndpointSupportingTokenParameters.SignedEncrypted.Add(new UserNameSecurityTokenParameters());
                break;
        }

        // Default protection (also for .None): the service certificate, referenced by thumbprint.
        var serviceCertificate = new X509SecurityTokenParameters();
        serviceCertificate.X509ReferenceStyle = X509KeyIdentifierClauseType.Thumbprint;
        element.ProtectionTokenParameters = serviceCertificate;
    }

    // SecureConversation enabled
    // FIXME: fill the reqs
    var reqs = new ChannelProtectionRequirements();
    // FIXME: requireCancellation
    return SecurityBindingElement.CreateSecureConversationBindingElement(element, true, reqs);
}
/// <summary>
/// Builds the symmetric security element for this credential type with timestamps and replay
/// detection disabled. Windows credentials use the Kerberos default algorithm suite unless a suite
/// was set explicitly.
/// </summary>
/// <returns>A configured <see cref="SymmetricSecurityBindingElement"/>.</returns>
/// <exception cref="NotSupportedException">Unknown credential type.</exception>
internal SecurityBindingElement CreateSecurityBindingElement()
{
    MessageCredentialType credential = this.clientCredentialType;
    bool kerberos = credential == MessageCredentialType.Windows;

    SymmetricSecurityBindingElement element;
    if (credential == MessageCredentialType.None)
    {
        element = SecurityBindingElement.CreateAnonymousForCertificateBindingElement();
    }
    else if (kerberos)
    {
        element = SecurityBindingElement.CreateKerberosBindingElement();
    }
    else if (credential == MessageCredentialType.UserName)
    {
        element = SecurityBindingElement.CreateUserNameForCertificateBindingElement();
    }
    else if (credential == MessageCredentialType.Certificate)
    {
        element = (SymmetricSecurityBindingElement)SecurityBindingElement.CreateMutualCertificateBindingElement();
    }
    else if (credential == MessageCredentialType.IssuedToken)
    {
        element = SecurityBindingElement.CreateIssuedTokenForCertificateBindingElement(IssuedSecurityTokenParameters.CreateInfoCardParameters(new SecurityStandardsManager(), this.algorithmSuite));
    }
    else
    {
        throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new NotSupportedException());
    }

    element.MessageSecurityVersion = MessageSecurityVersion.WSSecurity11WSTrustFebruary2005WSSecureConversationFebruary2005WSSecurityPolicy11;

    // An explicitly set suite always wins; only an unset suite with Kerberos picks KerberosDefault.
    if (kerberos && !this.wasAlgorithmSuiteSet)
    {
        element.DefaultAlgorithmSuite = SecurityAlgorithmSuite.KerberosDefault;
    }
    else
    {
        element.DefaultAlgorithmSuite = this.AlgorithmSuite;
    }

    // NOTE(review): timestamp and replay detection are both off here — confirm this matches the
    // freshness guarantees expected from the queued transport this element is built for.
    element.IncludeTimestamp = false;
    element.LocalServiceSettings.DetectReplays = false;
    element.LocalClientSettings.DetectReplays = false;
    return element;
}
CreateIssuedTokenOverTransportBindingElement( IssuedSecurityTokenParameters issuedTokenParameters) { throw new NotImplementedException(); }
/// <summary>
/// Recognises a symmetric security element shaped like the ones this binding produces and reads the
/// client credential type (and, except for issued-token and Kerberos, the algorithm suite) back into
/// a <see cref="MessageSecurityOverMsmq"/>.
/// </summary>
/// <param name="sbe">Candidate element; null or a non-symmetric element is rejected.</param>
/// <param name="messageSecurity">The reconstructed settings, or null when the element is not recognised.</param>
/// <returns>True when <paramref name="sbe"/> is a supported symmetric element without timestamps.</returns>
internal static bool TryCreate(SecurityBindingElement sbe, out MessageSecurityOverMsmq messageSecurity)
{
    messageSecurity = null;

    // "null as T" is null, so this covers the null check as well.
    SymmetricSecurityBindingElement symmetric = sbe as SymmetricSecurityBindingElement;
    if (symmetric == null)
    {
        return false;
    }

    bool knownVersion =
        sbe.MessageSecurityVersion == MessageSecurityVersion.WSSecurity11WSTrustFebruary2005WSSecureConversationFebruary2005WSSecurityPolicy11BasicSecurityProfile10
        || sbe.MessageSecurityVersion == MessageSecurityVersion.WSSecurity11WSTrustFebruary2005WSSecureConversationFebruary2005WSSecurityPolicy11;
    if (!knownVersion)
    {
        return false;
    }
    // This binding never emits timestamps, so a timestamped element cannot be one of ours.
    if (symmetric.IncludeTimestamp)
    {
        return false;
    }

    MessageCredentialType credentialType;
    bool isKerberos = false;
    if (SecurityBindingElement.IsAnonymousForCertificateBinding(sbe))
    {
        credentialType = MessageCredentialType.None;
    }
    else if (SecurityBindingElement.IsUserNameForCertificateBinding(sbe))
    {
        credentialType = MessageCredentialType.UserName;
    }
    else if (SecurityBindingElement.IsMutualCertificateBinding(sbe))
    {
        credentialType = MessageCredentialType.Certificate;
    }
    else if (SecurityBindingElement.IsKerberosBinding(sbe))
    {
        credentialType = MessageCredentialType.Windows;
        isKerberos = true;
    }
    else
    {
        IssuedSecurityTokenParameters issuedParameters;
        if (!SecurityBindingElement.IsIssuedTokenForCertificateBinding(sbe, out issuedParameters))
        {
            return false;
        }
        // The InfoCard check needs a serializer matching the element's own security version.
        MessageSecurityVersion version = sbe.MessageSecurityVersion;
        var serializer = new WSSecurityTokenSerializer(version.SecurityVersion, version.TrustVersion, version.SecureConversationVersion, true, null, null, null);
        if (!IssuedSecurityTokenParameters.IsInfoCardParameters(issuedParameters, new SecurityStandardsManager(version, serializer)))
        {
            return false;
        }
        credentialType = MessageCredentialType.IssuedToken;
    }

    messageSecurity = new MessageSecurityOverMsmq();
    messageSecurity.ClientCredentialType = credentialType;
    // Issued-token and Kerberos elements carry their own suite; do not copy it back.
    if (credentialType != MessageCredentialType.IssuedToken && !isKerberos)
    {
        messageSecurity.AlgorithmSuite = symmetric.DefaultAlgorithmSuite;
    }
    return true;
}
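/// <summary>
/// Extract the Issuer endpoint and configure the appropriate one
/// </summary>
/// <returns>
/// The issuer's WS-Trust <see cref="ServiceEndpoint"/>, found by importing the issuer metadata (mex first,
/// then the ?wsdl form) and matching the endpoint whose absolute path equals that of <c>IssuerWSTrustEndpointUri</c>.
/// </returns>
/// <exception cref="InvalidOperationException">
/// The STS-internal WS-Trust URI does not contain <c>issue/wstrust</c>, or no imported endpoint matches the expected path.
/// </exception>
/// <remarks>
/// Side effect: when the issuer is not explicit, the discovered binding and address are written back into
/// the common binding's <see cref="IssuedSecurityTokenParameters"/>, so the token request goes wherever the
/// metadata pointed. Only the path is compared when selecting the endpoint, so scheme and host of the
/// chosen endpoint come from the imported metadata.
/// </remarks>
private ServiceEndpoint FindIssuerEndpoint()
{
    _logger.WriteDebug("FindIssuerEndpoint");
    EndpointAddress issuerMetadataAddress = null;
    EndpointAddress issuerAddress = null;
    IssuedSecurityTokenParameters protectionTokenParameters = null;

    if (!_explicitIssuer)
    {
        //Based on the scheme dynamically extract the protection token parameters from a Property path string using reflection.
        //Writing the code requires to much casting. The paths are taken from the powershell scripts
        if (InfoShareWSBaseUri.Scheme == Uri.UriSchemeHttp)
        {
            dynamic binding = _commonBinding;
            protectionTokenParameters = (IssuedSecurityTokenParameters)binding.Elements[0].ProtectionTokenParameters.BootstrapSecurityBindingElement.ProtectionTokenParameters;
        }
        else
        {
            dynamic binding = _commonBinding;
            protectionTokenParameters = (IssuedSecurityTokenParameters)binding.Elements[0].EndpointSupportingTokenParameters.Endorsing[0].BootstrapSecurityBindingElement.EndpointSupportingTokenParameters.Endorsing[0];
        }
        issuerMetadataAddress = protectionTokenParameters.IssuerMetadataAddress;
        issuerAddress = protectionTokenParameters.IssuerAddress;
        _logger.WriteDebug($"FindIssuerEndpoint issuerMetadataAddress[{issuerMetadataAddress}] issuerAddress[{issuerAddress}]");

        if (_stsInternalAuthentication)
        {
            // Enable-ISHIntegrationSTSInternalAuthentication is used directing the web services to a different STS
            // issuerMetadataAddress = new EndpointAddress(InitializeIssuerMetadataAddress);
            // [Should] Once connectionconfiguration.xml/issuer/mex offers the metadata exchange address, the dirty derive code should be replaced
            string issuerWSTrustEndpointUri = InitializeIssuerWSTrustEndpointUri().AbsoluteUri;
            // Ordinal: this is a URI fragment, not user text. A missing marker previously surfaced as an
            // ArgumentOutOfRangeException from Substring; fail with a message that names the URI instead.
            int wstrustIndex = issuerWSTrustEndpointUri.IndexOf("issue/wstrust", StringComparison.Ordinal);
            if (wstrustIndex < 0)
            {
                throw new InvalidOperationException($"WSTrust endpoint uri does not contain 'issue/wstrust': '{issuerWSTrustEndpointUri}'.");
            }
            string issuerWSTrustMetadataEndpointUri = issuerWSTrustEndpointUri.Substring(0, wstrustIndex) + "issue/wstrust/mex";
            issuerMetadataAddress = new EndpointAddress(issuerWSTrustMetadataEndpointUri);
            issuerAddress = new EndpointAddress(issuerWSTrustEndpointUri);
            _logger.WriteDebug($"FindIssuerEndpoint issuerMetadataAddress[{issuerMetadataAddress}] issuerAddress[{issuerAddress}]");
        }
    }
    else
    {
        issuerMetadataAddress = new EndpointAddress(_issuerWSTrustMexUri.Value);
        issuerAddress = new EndpointAddress(_issuerWSTrustEndpointUri.Value);
        _logger.WriteDebug($"FindIssuerEndpoint issuerMetadataAddress[{issuerMetadataAddress}] issuerAddress[{issuerAddress}]");
    }

    ServiceEndpointCollection serviceEndpointCollection;
    try
    {
        // Start with the mex endpoint
        var wsdlImporter = GetWsdlImporter(issuerMetadataAddress.Uri);
        serviceEndpointCollection = wsdlImporter.ImportAllEndpoints();
    }
    catch (Exception ex)
    {
        // Re-try with the wsdl endpoint. The fallback is deliberate, but the reason the mex import
        // failed used to be discarded; keep it in the debug log so a misconfigured STS is diagnosable.
        _logger.WriteDebug($"FindIssuerEndpoint mex import failed ({ex.GetType().Name}: {ex.Message}); retrying with ?wsdl");
        var wsdlImporter = GetWsdlImporter(new Uri(issuerMetadataAddress.Uri.AbsoluteUri.Replace("/mex", "?wsdl")));
        serviceEndpointCollection = wsdlImporter.ImportAllEndpoints();
    }

    var issuerWSTrustEndpointAbsolutePath = IssuerWSTrustEndpointUri.AbsolutePath;
    _logger.WriteDebug($"FindIssuerEndpoint issuerWSTrustEndpointAbsolutePath[{issuerWSTrustEndpointAbsolutePath}]");
    ServiceEndpoint issuerServiceEndpoint = serviceEndpointCollection.FirstOrDefault(
        x => x.Address.Uri.AbsolutePath.Equals(issuerWSTrustEndpointAbsolutePath, StringComparison.OrdinalIgnoreCase));
    if (issuerServiceEndpoint == null)
    {
        throw new InvalidOperationException($"WSTrust endpoint not configured: '{issuerWSTrustEndpointAbsolutePath}'.");
    }

    //Update the original binding as if we would do this manually in the configuration
    if (!_explicitIssuer)
    {
        protectionTokenParameters.IssuerBinding = issuerServiceEndpoint.Binding;
        protectionTokenParameters.IssuerAddress = issuerServiceEndpoint.Address;
    }
    return issuerServiceEndpoint;
}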
/// <summary>
/// Walks the issued-token parameter chain starting at the final STS and moving back towards the first STS,
/// producing one <see cref="PolicyElement"/> per hop. When the last referral points at a managed issuer, a
/// trailing element without issuer address, request parameters or binding is appended.
/// </summary>
/// <param name="target">Address of the relying party the first token is requested for.</param>
/// <param name="outerBinding">Binding whose security version is used when a hop has no issuer binding of its own.</param>
/// <param name="parameters">Issued-token parameters of the final STS; the walk starts here.</param>
/// <param name="firstPrivacyNoticeLink">Privacy notice link attached to the first element.</param>
/// <param name="firstPrivacyNoticeVersion">Privacy notice version attached to the first element.</param>
/// <param name="clientCredentialsTokenManager">Creates the token serializer used to build each hop's request parameters.</param>
/// <returns>The policy chain in walk order (final STS first).</returns>
static PolicyElement[] GetPolicyChain(EndpointAddress target, Binding outerBinding, IssuedSecurityTokenParameters parameters, Uri firstPrivacyNoticeLink, int firstPrivacyNoticeVersion, SecurityTokenManager clientCredentialsTokenManager)
{
    var elements = new List<PolicyElement>();
    EndpointAddress hopTarget = target;
    IssuedSecurityTokenParameters hopParameters = parameters;
    Binding fallbackBinding = outerBinding;
    Uri noticeLink = firstPrivacyNoticeLink;
    int noticeVersion = firstPrivacyNoticeVersion;
    bool referredToManagedIssuer = false;

    // Each hop describes the STS that issues the token consumed by the previous hop's target.
    while (hopParameters != null)
    {
        Binding hopIssuerBinding = hopParameters.IssuerBinding;
        // The hop's own issuer binding decides the security version; the surrounding binding is the fallback.
        MessageSecurityVersion hopSecurityVersion = GetBindingSecurityVersionOrDefault(hopIssuerBinding ?? fallbackBinding);
        var hopSerializer = clientCredentialsTokenManager.CreateSecurityTokenSerializer(hopSecurityVersion.SecurityTokenVersion);
        var hopRequestParameters = hopParameters.CreateRequestParameters(hopSecurityVersion, hopSerializer);

        elements.Add(new PolicyElement(hopTarget, hopParameters.IssuerAddress, hopRequestParameters, noticeLink, noticeVersion, referredToManagedIssuer, hopIssuerBinding));

        // Advance: the values derived from this hop's issuer binding describe the next hop.
        referredToManagedIssuer = IsReferralToManagedIssuer(hopIssuerBinding);
        GetPrivacyNoticeLinkFromIssuerBinding(hopIssuerBinding, out noticeLink, out noticeVersion);
        hopTarget = hopParameters.IssuerAddress;
        fallbackBinding = hopIssuerBinding;
        hopParameters = TryGetNextStsIssuedTokenParameters(hopIssuerBinding);
    }

    // Managed card issuer (MCIP) case: close the chain with an element that carries only the target and notice data.
    if (referredToManagedIssuer)
    {
        elements.Add(new PolicyElement(hopTarget, null, null, noticeLink, noticeVersion, referredToManagedIssuer, null));
    }
    return elements.ToArray();
}
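/// <summary>
/// Reverse-maps a <see cref="SecurityBindingElement"/> onto a <typeparamref name="TSecurity"/> description,
/// succeeding only when the element has the standard shape (timestamp, strict header layout) and matches one of
/// the known HTTP message-security credential patterns.
/// </summary>
/// <typeparam name="TSecurity">The description type to produce; a <see cref="NonDualMessageSecurityOverHttp"/> additionally records whether a security context is established.</typeparam>
/// <param name="sbe">The security binding element to inspect.</param>
/// <param name="isSecureTransportMode">True when the transport already secures the channel; only transport-mode credential patterns are then accepted.</param>
/// <param name="isReliableSession">True when reliable sessions are enabled, which requires a secure conversation.</param>
/// <param name="messageSecurity">The reconstructed description, or <c>default</c> when the element is not recognised.</param>
/// <returns>True when <paramref name="messageSecurity"/> was populated.</returns>
internal static bool TryCreate<TSecurity>(SecurityBindingElement sbe, bool isSecureTransportMode, bool isReliableSession, out TSecurity messageSecurity) where TSecurity : MessageSecurityOverHttp
{
    messageSecurity = default(TSecurity);
    if (!sbe.IncludeTimestamp)
    {
        return false;
    }
    if (sbe.SecurityHeaderLayout != SecurityHeaderLayout.Strict)
    {
        return false;
    }

    // A secure conversation wraps a bootstrap element; otherwise the element itself carries the credential pattern.
    SecurityBindingElement bootstrap;
    bool establishSecurityContext = SecurityBindingElement.IsSecureConversationBinding(sbe, true, out bootstrap);
    if (!establishSecurityContext)
    {
        bootstrap = sbe;
    }
    // The plain MessageSecurityOverHttp description always implies a security context; only the non-dual
    // variant can express its absence.
    if (!establishSecurityContext && typeof(TSecurity) == typeof(MessageSecurityOverHttp))
    {
        return false;
    }
    // Reliable sessions depend on a secure conversation.
    if (!establishSecurityContext && isReliableSession)
    {
        return false;
    }
    if (isSecureTransportMode && !(bootstrap is TransportSecurityBindingElement))
    {
        return false;
    }

    MessageCredentialType credentialType;
    // Negotiation is the default; only the certificate-based (non-negotiated) patterns below clear it.
    bool negotiateServiceCredential = true;
    IssuedSecurityTokenParameters issuedParameters;
    if (isSecureTransportMode)
    {
        if (SecurityBindingElement.IsUserNameOverTransportBinding(bootstrap))
        {
            credentialType = MessageCredentialType.UserName;
        }
        else if (SecurityBindingElement.IsCertificateOverTransportBinding(bootstrap))
        {
            credentialType = MessageCredentialType.Certificate;
        }
        else if (SecurityBindingElement.IsSspiNegotiationOverTransportBinding(bootstrap, true))
        {
            credentialType = MessageCredentialType.Windows;
        }
        else if (SecurityBindingElement.IsIssuedTokenOverTransportBinding(bootstrap, out issuedParameters)
                 && IsInfoCardIssuedToken(sbe, issuedParameters))
        {
            credentialType = MessageCredentialType.IssuedToken;
        }
        else
        {
            return false;
        }
    }
    else if (SecurityBindingElement.IsSslNegotiationBinding(bootstrap, false, true))
    {
        negotiateServiceCredential = true;
        credentialType = MessageCredentialType.None;
    }
    else if (SecurityBindingElement.IsUserNameForSslBinding(bootstrap, true))
    {
        negotiateServiceCredential = true;
        credentialType = MessageCredentialType.UserName;
    }
    else if (SecurityBindingElement.IsSslNegotiationBinding(bootstrap, true, true))
    {
        negotiateServiceCredential = true;
        credentialType = MessageCredentialType.Certificate;
    }
    else if (SecurityBindingElement.IsSspiNegotiationBinding(bootstrap, true))
    {
        negotiateServiceCredential = true;
        credentialType = MessageCredentialType.Windows;
    }
    else if (SecurityBindingElement.IsIssuedTokenForSslBinding(bootstrap, true, out issuedParameters))
    {
        // An issued-token pattern that is not an InfoCard pattern is rejected outright, not matched further down.
        if (!IsInfoCardIssuedToken(sbe, issuedParameters))
        {
            return false;
        }
        negotiateServiceCredential = true;
        credentialType = MessageCredentialType.IssuedToken;
    }
    else if (SecurityBindingElement.IsUserNameForCertificateBinding(bootstrap))
    {
        negotiateServiceCredential = false;
        credentialType = MessageCredentialType.UserName;
    }
    else if (SecurityBindingElement.IsMutualCertificateBinding(bootstrap))
    {
        negotiateServiceCredential = false;
        credentialType = MessageCredentialType.Certificate;
    }
    else if (SecurityBindingElement.IsKerberosBinding(bootstrap))
    {
        negotiateServiceCredential = false;
        credentialType = MessageCredentialType.Windows;
    }
    else if (SecurityBindingElement.IsIssuedTokenForCertificateBinding(bootstrap, out issuedParameters))
    {
        if (!IsInfoCardIssuedToken(sbe, issuedParameters))
        {
            return false;
        }
        negotiateServiceCredential = false;
        credentialType = MessageCredentialType.IssuedToken;
    }
    else if (SecurityBindingElement.IsAnonymousForCertificateBinding(bootstrap))
    {
        negotiateServiceCredential = false;
        credentialType = MessageCredentialType.None;
    }
    else
    {
        return false;
    }

    if (typeof(TSecurity) == typeof(NonDualMessageSecurityOverHttp))
    {
        NonDualMessageSecurityOverHttp nonDual = new NonDualMessageSecurityOverHttp();
        nonDual.EstablishSecurityContext = establishSecurityContext;
        // Cast through the constraint type: a derived class cannot be converted to TSecurity directly.
        messageSecurity = (TSecurity)(MessageSecurityOverHttp)nonDual;
    }
    else
    {
        messageSecurity = (TSecurity)new MessageSecurityOverHttp();
    }
    messageSecurity.ClientCredentialType = credentialType;
    messageSecurity.NegotiateServiceCredential = negotiateServiceCredential;
    messageSecurity.AlgorithmSuite = sbe.DefaultAlgorithmSuite;
    return true;
}

/// <summary>
/// Checks whether <paramref name="parameters"/> describe an InfoCard issued token, using a standards manager
/// built from the outer element's message security version (the same version for all credential patterns).
/// </summary>
/// <param name="sbe">The outer security binding element whose <c>MessageSecurityVersion</c> is used.</param>
/// <param name="parameters">The issued-token parameters extracted from the matched pattern.</param>
/// <returns>The result of <see cref="IssuedSecurityTokenParameters.IsInfoCardParameters"/>.</returns>
private static bool IsInfoCardIssuedToken(SecurityBindingElement sbe, IssuedSecurityTokenParameters parameters)
{
    MessageSecurityVersion version = sbe.MessageSecurityVersion;
    WSSecurityTokenSerializer serializer = new WSSecurityTokenSerializer(version.SecurityVersion, version.TrustVersion, version.SecureConversationVersion, true, null, null, null);
    return IssuedSecurityTokenParameters.IsInfoCardParameters(parameters, new SecurityStandardsManager(version, serializer));
}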
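/// <summary>
/// Builds the <see cref="IssuedSecurityTokenProvider"/> that obtains a federated (issued) token for the given
/// requirement. The issuer comes from the requirement itself, or from the locally configured issuer when the
/// requirement names no issuer (or the anonymous address).
/// </summary>
/// <param name="initiatorRequirement">Client-side token requirement; must carry a target address and a security binding element.</param>
/// <param name="actAsOnBehalfOfParameters">ActAs / OnBehalfOf settings handed to the provider.</param>
/// <returns>A fully configured provider; the caller is responsible for opening it.</returns>
/// <exception cref="ArgumentNullException">When <paramref name="initiatorRequirement"/> is null (via the diagnostic throw helper).</exception>
/// <exception cref="ArgumentException">When the requirement has no target address or no security binding element (via the diagnostic throw helper).</exception>
/// <exception cref="InvalidOperationException">When neither the requirement nor the local issuer configuration yields an issuer address and binding.</exception>
IssuedSecurityTokenProvider CreateIssuedSecurityTokenProvider(InitiatorServiceModelSecurityTokenRequirement initiatorRequirement, FederatedClientCredentialsParameters actAsOnBehalfOfParameters)
{
    if (initiatorRequirement == null)
    {
        // Fail on the argument instead of dereferencing it in the checks below.
        throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("initiatorRequirement");
    }
    if (initiatorRequirement.TargetAddress == null)
    {
        throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgument(SR.GetString(SR.TokenRequirementDoesNotSpecifyTargetAddress, initiatorRequirement));
    }
    SecurityBindingElement securityBindingElement = initiatorRequirement.SecurityBindingElement;
    if (securityBindingElement == null)
    {
        throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgument(SR.GetString(SR.TokenProviderRequiresSecurityBindingElement, initiatorRequirement));
    }

    EndpointAddress issuerAddress = initiatorRequirement.IssuerAddress;
    Binding issuerBinding = initiatorRequirement.IssuerBinding;
    //
    // If the issuer address is indeed anonymous or null, we will try the local issuer
    //
    bool isLocalIssuer = (issuerAddress == null || issuerAddress.Equals(EndpointAddress.AnonymousAddress));
    if (isLocalIssuer)
    {
        issuerAddress = parent.IssuedToken.LocalIssuerAddress;
        issuerBinding = parent.IssuedToken.LocalIssuerBinding;
    }
    if (issuerAddress == null)
    {
        // if issuer address is still null then the user forgot to specify the local issuer
        throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new InvalidOperationException(SR.GetString(SR.StsAddressNotSet, initiatorRequirement.TargetAddress)));
    }
    if (issuerBinding == null)
    {
        throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new InvalidOperationException(SR.GetString(SR.StsBindingNotSet, issuerAddress)));
    }

    // Channel behaviors are keyed by issuer URI; a local issuer without an explicit entry uses the local issuer behaviors.
    KeyedByTypeCollection<IEndpointBehavior> issuerChannelBehaviors;
    if (!parent.IssuedToken.IssuerChannelBehaviors.TryGetValue(issuerAddress.Uri, out issuerChannelBehaviors) && isLocalIssuer)
    {
        issuerChannelBehaviors = parent.IssuedToken.LocalIssuerChannelBehaviors;
    }

    IssuedSecurityTokenProvider federationTokenProvider = new IssuedSecurityTokenProvider(GetCredentialsHandle(initiatorRequirement));
    federationTokenProvider.TokenHandlerCollectionManager = this.parent.SecurityTokenHandlerCollectionManager;
    federationTokenProvider.TargetAddress = initiatorRequirement.TargetAddress;
    CopyIssuerChannelBehaviorsAndAddSecurityCredentials(federationTokenProvider, issuerChannelBehaviors, issuerAddress);
    federationTokenProvider.CacheIssuedTokens = parent.IssuedToken.CacheIssuedTokens;
    federationTokenProvider.IdentityVerifier = securityBindingElement.LocalClientSettings.IdentityVerifier;
    federationTokenProvider.IssuerAddress = issuerAddress;
    federationTokenProvider.IssuerBinding = issuerBinding;
    federationTokenProvider.KeyEntropyMode = GetIssuerBindingKeyEntropyModeOrDefault(issuerBinding);
    federationTokenProvider.MaxIssuedTokenCachingTime = parent.IssuedToken.MaxIssuedTokenCachingTime;
    federationTokenProvider.SecurityAlgorithmSuite = initiatorRequirement.SecurityAlgorithmSuite;

    // The issuer binding's security version (with the issued-token parameters' default as fallback) decides
    // which serializer the RST/RSTR exchange uses.
    MessageSecurityVersion issuerSecurityVersion;
    SecurityTokenSerializer issuerSecurityTokenSerializer;
    IssuedSecurityTokenParameters issuedTokenParameters = initiatorRequirement.GetProperty<IssuedSecurityTokenParameters>(ServiceModelSecurityTokenRequirement.IssuedSecurityTokenParametersProperty);
    GetIssuerBindingSecurityVersion(issuerBinding, issuedTokenParameters.DefaultMessageSecurityVersion, initiatorRequirement.SecurityBindingElement, out issuerSecurityVersion, out issuerSecurityTokenSerializer);
    federationTokenProvider.MessageSecurityVersion = issuerSecurityVersion;
    federationTokenProvider.SecurityTokenSerializer = issuerSecurityTokenSerializer;
    federationTokenProvider.IssuedTokenRenewalThresholdPercentage = parent.IssuedToken.IssuedTokenRenewalThresholdPercentage;

    IEnumerable<XmlElement> tokenRequestParameters = issuedTokenParameters.CreateRequestParameters(issuerSecurityVersion, issuerSecurityTokenSerializer);
    if (tokenRequestParameters != null)
    {
        foreach (XmlElement requestParameter in tokenRequestParameters)
        {
            federationTokenProvider.TokenRequestParameters.Add(requestParameter);
        }
    }

    ChannelParameterCollection channelParameters;
    if (initiatorRequirement.TryGetProperty<ChannelParameterCollection>(ServiceModelSecurityTokenRequirement.ChannelParametersCollectionProperty, out channelParameters))
    {
        federationTokenProvider.ChannelParameters = channelParameters;
    }
    federationTokenProvider.SetupActAsOnBehalfOfParameters(actAsOnBehalfOfParameters);
    return federationTokenProvider;
}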