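/// <summary>
/// Builds the SAML 2.0 token that is issued towards the configured ADFS instance for the given identity.
/// </summary>
/// <param name="identity">The claims that become the token subject.</param>
/// <param name="proof">The proof descriptor to embed; may be null (bearer token case).</param>
/// <param name="encryptingCertificate">The ADFS certificate that wraps the AES-256-CBC content key.</param>
/// <returns>The SAML 2.0 token created by the configured handler; never null.</returns>
/// <exception cref="ArgumentNullException"><paramref name="identity"/> or <paramref name="encryptingCertificate"/> is null.</exception>
/// <exception cref="InvalidOperationException">The handler produced something other than a <see cref="Saml2SecurityToken"/>.</exception>
private SecurityToken CreateOutputSamlToken(ClaimsIdentity identity, ProofDescriptor proof, X509Certificate2 encryptingCertificate)
{
    if (identity == null)
    {
        throw new ArgumentNullException("identity");
    }
    if (encryptingCertificate == null)
    {
        throw new ArgumentNullException("encryptingCertificate");
    }

    var adfsIssuerUri = _configuration.AdfsIntegration.IssuerUri;

    // The assertion is encrypted with a fresh AES-256-CBC content key, which is itself wrapped for the ADFS certificate.
    var encryptingCredentials = new EncryptedKeyEncryptingCredentials(
        new X509EncryptingCredentials(encryptingCertificate),
        256,
        "http://www.w3.org/2001/04/xmlenc#aes256-cbc");

    // Read the clock once so NotBefore and NotOnOrAfter derive from the same instant.
    var now = DateTime.UtcNow;

    var descriptor = new SecurityTokenDescriptor
    {
        AppliesToAddress = adfsIssuerUri,
        TokenIssuerName = _configuration.Global.IssuerUri,
        SigningCredentials = new X509SigningCredentials(_configuration.Keys.SigningCertificate), // signing creds of IdSrv
        EncryptingCredentials = encryptingCredentials,
        Lifetime = new Lifetime(now, now.AddHours(1)),
        Proof = proof,
        Subject = identity,
        TokenType = TokenTypes.Saml2TokenProfile11
    };

    // Fail here rather than returning null: a silent null would surface as a NullReferenceException far from its cause.
    var token = _handler.CreateToken(descriptor) as Saml2SecurityToken;
    if (token == null)
    {
        throw new InvalidOperationException("The security token handler did not produce a SAML 2.0 token.");
    }

    return token;
}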
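/// <summary>
/// Gets the proof token.
/// </summary>
/// <param name="request">The incoming token request.</param>
/// <param name="scope">The scope instance encapsulating information about the relying party.</param>
/// <returns>
/// The newly created proof descriptor: an <see cref="AsymmetricProofDescriptor"/> for <see cref="KeyTypes.Asymmetric"/>,
/// a <see cref="SymmetricProofDescriptor"/> for <see cref="KeyTypes.Symmetric"/>, or null in the bearer token case.
/// </returns>
/// <exception cref="SecurityTokenException">The scope's encrypting credentials are not backed by an asymmetric key.</exception>
/// <exception cref="InvalidRequestException">Asymmetric key type without UseKey, or an unrecognised KeyType.</exception>
/// <exception cref="RequestFailedException">Unsupported computed key algorithm, missing key size, or symmetric key wrapping required but no wrapping credentials available.</exception>
protected virtual ProofDescriptor GetProofToken(RST request, Scope scope)
{
    if (request == null)
    {
        throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("request");
    }
    if (scope == null)
    {
        throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("scope");
    }

    EncryptingCredentials requestorWrappingCredentials = GetRequestorProofEncryptingCredentials(request);

    // The proof key can only be wrapped for the relying party with an asymmetric key.
    if (scope.EncryptingCredentials != null && !(scope.EncryptingCredentials.SecurityKey is AsymmetricSecurityKey))
    {
        throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(
            new SecurityTokenException(SR.GetString(SR.ID4179)));
    }

    EncryptingCredentials targetWrappingCredentials = scope.EncryptingCredentials;

    // A request that does not state a key type gets a symmetric proof key.
    string keyType = string.IsNullOrEmpty(request.KeyType) ? KeyTypes.Symmetric : request.KeyType;

    if (StringComparer.Ordinal.Equals(keyType, KeyTypes.Asymmetric))
    {
        // Asymmetric is only supported with UseKey.
        if (request.UseKey == null)
        {
            throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new InvalidRequestException(SR.GetString(SR.ID3091)));
        }

        return new AsymmetricProofDescriptor(request.UseKey.SecurityKeyIdentifier);
    }

    if (StringComparer.Ordinal.Equals(keyType, KeyTypes.Symmetric))
    {
        // Only PSHA1 is supported; override this method in a derived STS to support another computed key algorithm.
        if (request.ComputedKeyAlgorithm != null && !StringComparer.Ordinal.Equals(request.ComputedKeyAlgorithm, ComputedKeyAlgorithms.Psha1))
        {
            throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new RequestFailedException(SR.GetString(SR.ID2011, request.ComputedKeyAlgorithm)));
        }

        // The symmetric key must be wrapped inside the security token when the scope demands it.
        if (targetWrappingCredentials == null && scope.SymmetricKeyEncryptionRequired)
        {
            throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new RequestFailedException(SR.GetString(SR.ID4007)));
        }

        if (!request.KeySizeInBits.HasValue)
        {
            throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new RequestFailedException(SR.GetString(SR.ID2059)));
        }

        // The proof token or the server entropy is encrypted with the client's encrypting credentials when present,
        // which are then used to encrypt the key during serialization. Otherwise the key can only be sent back in
        // plain text. Note that the current WSTrustServiceContract sets rst.ProofEncryption = null by default, so
        // the server entropy or proof token goes out in plain text regardless of whether the client's entropy
        // arrived encrypted or not.
        if (request.Entropy != null)
        {
            return new SymmetricProofDescriptor(
                request.KeySizeInBits.Value,
                targetWrappingCredentials,
                requestorWrappingCredentials,
                request.Entropy.GetKeyBytes(),
                request.EncryptWith);
        }

        return new SymmetricProofDescriptor(
            request.KeySizeInBits.Value,
            targetWrappingCredentials,
            requestorWrappingCredentials,
            request.EncryptWith);
    }

    if (StringComparer.Ordinal.Equals(keyType, KeyTypes.Bearer))
    {
        // Bearer tokens carry no proof key.
        return null;
    }

    // Any other KeyType is rejected explicitly rather than being silently treated like a bearer request.
    throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(
        new InvalidRequestException("Unsupported KeyType: " + keyType));
}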