public void Validate(Saml2SecurityToken token, SecurityTokenHandlerConfiguration configuration)
{
if (token == null || token.RawResponse == null ||
configuration == null)
{
throw new ArgumentNullException();
}
// search for signatures (possibly multiple)
var signatureNodes = token.RawResponse.GetElementsByTagName("Signature", Namespaces.XMLDSIG);
foreach (XmlElement signatureNode in signatureNodes)
{
var signedXml = new SignedXml(signatureNode.ParentNode as XmlElement);
signedXml.LoadXml(signatureNode);
signedXml.SafeCanonicalizationMethods.Add("http://www.w3.org/TR/1999/REC-xpath-19991116");
var result = signedXml.CheckSignature();
if (!result)
{
throw new ValidationException("Token's signature validation failed");
}
}
}
public void Validate(Saml2SecurityToken token, SecurityTokenHandlerConfiguration configuration)
{
if (token == null || token.Response == null || configuration == null)
{
throw new ArgumentNullException();
}
if (token.Response.Assertions != null)
{
foreach (var assertion in token.Response.Assertions)
{
if (assertion.Conditions != null)
{
ValidateNotBefore(assertion.Conditions.NotBefore, configuration.MaxClockSkew);
ValidateNotOnOrAfter(assertion.Conditions.NotOnOrAfter, configuration.MaxClockSkew);
}
if (
assertion.Subject != null &&
assertion.Subject.SubjectConfirmation != null &&
assertion.Subject.SubjectConfirmation.SubjectConfirmationData != null
)
{
ValidateNotBefore(assertion.Subject.SubjectConfirmation.SubjectConfirmationData.NotBefore, configuration.MaxClockSkew);
ValidateNotOnOrAfter(assertion.Subject.SubjectConfirmation.SubjectConfirmationData.NotOnOrAfter, configuration.MaxClockSkew);
}
}
}
}
static void Main(string[] args)
{
//
// Create a SAML token signed with the given certificate
//
byte[] clientCertificateBytes = ManagementServiceHelper.ReadBytesFromPfxFile(ClientCertificateFilePath, ClientCertificatePassword);
Saml2SecurityToken token = SelfSignedSaml2TokenGenerator.GetSamlAssertionSignedWithCertificate(ClientName, clientCertificateBytes, ClientCertificatePassword);
//
// Encode the SAML token into an OAuth request to ACS.
//
Dictionary <string, string> requestParameters = new Dictionary <string, string>();
requestParameters[OAuth2Constants.Scope] = ConfigurationManager.AppSettings.Get("RelyingPartyScope");
requestParameters[OAuth2Constants.GrantType] = WifTokenTypes.Saml2TokenProfile11;
requestParameters[OAuth2Constants.Assertion] = GetSaml2TokenString(token);
Dictionary <string, string> acsResponse = GetOAuth2ResponseFromAcs(requestParameters);
//
// Pass the access token returned by ACS to the protected resource.
//
Console.WriteLine(GetProtectedResource(acsResponse[OAuth2Constants.AccessToken]));
Console.WriteLine("Press <ENTER> to exit...");
Console.ReadLine();
}
public void ShouldWriterSamlResponseAssertionElement()
{
var issuer = new Saml2NameIdentifier("issuer");
var assertion = new Saml2Assertion(issuer)
{
Subject = new Saml2Subject(new Saml2NameIdentifier("subject"))
};
var token = new Saml2SecurityToken(assertion);
var response = new SamlResponse
{
SecurityToken = token
};
var serialized = _serializer.SerializeSamlResponse(response);
Assert.NotNull(serialized);
var doc = XDocument.Parse(serialized);
var root = doc.Root;
_mockHandler.Verify(h => h.WriteToken(It.IsAny <XmlWriter>(), token), Times.Once());
var element = root.Element(XName.Get("Assertion", _assertionNamespace));
Assert.NotNull(element);
}
protected override SecurityToken GetTokenCore(TimeSpan timeout)
{
SecurityToken securityToken;
Saml2Assertion saml2Assertion;
if (base.TokenRequirement.KeyType == SecurityKeyType.SymmetricKey)
{
securityToken = SamlSecurityTokenProvider.CreateSymmetricProofToken(base.TokenRequirement.KeySize);
saml2Assertion = this.CreateSamlAssertionWithSymmetricKey((BinarySecretSecurityToken)securityToken);
}
else
{
if (base.TokenRequirement.KeyType != SecurityKeyType.AsymmetricKey)
{
throw new ArgumentOutOfRangeException("KeyType");
}
securityToken = SamlSecurityTokenProvider.CreateAsymmetricProofToken();
saml2Assertion = this.CreateSamlAssertionWithAsymmetricKey(securityToken);
}
Saml2SecurityToken saml2SecurityToken = new Saml2SecurityToken(saml2Assertion);
XmlDocument xmlDocument = new XmlDocument();
using (XmlWriter xmlWriter = xmlDocument.CreateNavigator().AppendChild())
{
Saml2SecurityTokenHandler saml2SecurityTokenHandler = new Saml2SecurityTokenHandler();
saml2SecurityTokenHandler.WriteToken(xmlWriter, saml2SecurityToken);
}
SamlAssertionKeyIdentifierClause samlAssertionKeyIdentifierClause = saml2SecurityToken.CreateKeyIdentifierClause <SamlAssertionKeyIdentifierClause>();
return(new GenericXmlSecurityToken(xmlDocument.DocumentElement, securityToken, saml2Assertion.Conditions.NotBefore.Value, saml2Assertion.Conditions.NotOnOrAfter.Value, samlAssertionKeyIdentifierClause, samlAssertionKeyIdentifierClause, null));
}
/// <summary>
/// Creates a <see cref="ClaimsIdentity"/> from the Saml2 token.
/// </summary>
/// <param name="samlToken">The Saml2SecurityToken.</param>
/// <param name="issuer">the issuer value for each <see cref="Claim"/> in the <see cref="ClaimsIdentity"/>.</param>
/// <param name="validationParameters"> contains parameters for validating the token.</param>
/// <returns>An IClaimIdentity.</returns>
protected virtual ClaimsIdentity CreateClaimsIdentity(Saml2SecurityToken samlToken, string issuer, TokenValidationParameters validationParameters)
{
if (samlToken == null)
{
throw new ArgumentNullException("samlToken");
}
if (validationParameters == null)
{
throw new ArgumentNullException("validationParameters");
}
if (string.IsNullOrWhiteSpace(issuer))
{
throw new ArgumentException(ErrorMessages.IDX10221);
}
Saml2Assertion assertion = samlToken.Assertion;
if (assertion == null)
{
throw new ArgumentException(ErrorMessages.IDX10202);
}
ClaimsIdentity identity = validationParameters.CreateClaimsIdentity(samlToken, issuer);
_smSaml2HandlerPrivateNeverSetAnyProperties.ProcessSamlSubjectPublic(samlToken.Assertion.Subject, identity, issuer);
_smSaml2HandlerPrivateNeverSetAnyProperties.ProcessStatmentPublic(samlToken.Assertion.Statements, identity, issuer);
return(identity);
}
public void Validate(Saml2SecurityToken token, SecurityTokenHandlerConfiguration configuration)
{
if (token == null || token.Response == null ||
configuration == null)
{
throw new ArgumentNullException();
}
if (configuration.IssuerNameRegistry == null)
{
throw new ArgumentNullException("configuration", "Issuer name registry cannot empty in the configuration");
}
if (token.Response.Assertions != null)
{
foreach (var assertion in token.Response.Assertions)
{
var securityToken = assertion.GetX509SecurityToken();
if (securityToken != null)
{
var issuer = configuration.IssuerNameRegistry.GetIssuerName(securityToken);
if (string.IsNullOrEmpty(issuer))
{
throw new ValidationException("Issuer name registry doesn't recognize token's certificate");
}
}
}
}
}
private void OutputToken(Saml2SecurityTokenHandler handler, Saml2SecurityToken token)
{
Assert.NotNull(token);
_output.WriteLine("SAML assertion:");
if (token == null)
{
_output.WriteLine("null");
return;
}
using (var inner = new StringWriter())
{
var settings = new XmlWriterSettings
{
OmitXmlDeclaration = true,
Indent = true,
NewLineOnAttributes = false,
Encoding = new UTF8Encoding(false)
};
using (var writer = XmlWriter.Create(inner, settings))
{
handler.WriteToken(writer, token);
}
_output.WriteLine(inner.ToString());
}
}
private void CreateSaml2Tokens(SecurityTokenDescriptor tokenDescriptor)
{
Saml2SecurityTokenHandler samlTokenHandler = new Saml2SecurityTokenHandler();
Saml2SecurityToken token = samlTokenHandler.CreateToken(tokenDescriptor) as Saml2SecurityToken;
MemoryStream ms = new MemoryStream();
XmlDictionaryWriter writer = XmlDictionaryWriter.CreateTextWriter(ms);
samlTokenHandler.WriteToken(writer, token);
}
private void PrintSaml2Token(Saml2SecurityToken token)
{
var sb = new StringBuilder();
var xmlWriter = XmlWriter.Create(sb, new XmlWriterSettings{Indent = true});
_saml2SecurityTokenHandler.WriteToken(xmlWriter, token);
xmlWriter.Close();
Console.WriteLine(sb.ToString());
}
/// <summary>
/// Creates a success result.
/// </summary>
/// <param name="partnerId">The id of the Saml2p SSO partner.</param>
/// <param name="token">The <see cref="Saml2SecurityToken"/> from a <see cref="SamlResponse"/>.</param>
/// <param name="subject">The <see cref="ClaimsPrincipal"/> that was created from <paramref name="token"/>.</param>
/// <returns>A success result.</returns>
public static FinishSsoResult Success(string partnerId, Saml2SecurityToken token, ClaimsPrincipal subject)
{
return(new FinishSsoResult
{
Status = Saml2pConstants.Statuses.Success,
PartnerId = partnerId,
SecurityToken = token,
Subject = subject
});
}
private void WriteRequestedSecurityToken(XmlWriter writer, Saml2SecurityToken token)
{
writer.WriteStartElement("t", "RequestedSecurityToken", WsTrust200502Namespace);
Saml2Serializer serializer = new Saml2Serializer();
serializer.WriteAssertion(writer, token.Assertion);
writer.WriteEndElement();
}
// public static SamlSecurityToken CreateSamlSecurityToken(byte[] certificate, string password, params Claim[] claims)
// {
// const string acsUrl = "http://blueprintsys.com";
// var assertion = new SamlAssertion(new SamlNameIdentifier(DefaultIssuer));
// var conditions = new Saml2Conditions
// {
// NotBefore = DateTime.UtcNow,
// NotOnOrAfter = DateTime.MaxValue
// };
// conditions.AudienceRestrictions.Add(new Saml2AudienceRestriction(new Uri(acsUrl, UriKind.RelativeOrAbsolute)));
// assertion.Conditions = conditions;
// var subject = new Saml2Subject();
// subject.SubjectConfirmations.Add(new Saml2SubjectConfirmation(Bearer));
// assertion.Subject = subject;
// var statement = new Saml2AttributeStatement();
// foreach (var claim in claims)
// {
// statement.Attributes.Add(new Saml2Attribute(claim.Type, claim.Value));
// assertion.Statements.Add(statement);
// }
// var clientSigningCredentials = new X509SigningCredentials(
// new X509Certificate2(certificate, password, X509KeyStorageFlags.MachineKeySet | X509KeyStorageFlags.Exportable));
// assertion.SigningCredentials = clientSigningCredentials;
// return new Saml2SecurityToken(assertion);
// }
public static string Serialize(Saml2SecurityToken token)
{
var handler = new Saml2SecurityTokenHandler();
var sw = I18NHelper.CreateStringWriterInvariant();
using (var textWriter = new XmlTextWriter(sw))
{
handler.WriteToken(textWriter, token);
return(sw.ToString());
}
}
/// <summary>
/// Create claims from the token.
/// </summary>
/// <param name="samlToken">The token to translate to claims.</param>
/// <returns>An identity with the created claims.</returns>
protected override ClaimsIdentity CreateClaimsIdentity(Saml2SecurityToken samlToken, string issuer, TokenValidationParameters validationParameters)
{
var identity = base.CreateClaimsIdentity(samlToken, issuer, validationParameters);
if (Configuration.SaveBootstrapContext)
{
identity.BootstrapContext = new BootstrapContext(samlToken, this);
}
return(identity);
}
/// <summary>
/// Create claims from the token.
/// </summary>
/// <param name="samlToken">The token to translate to claims.</param>
/// <returns>An identity with the created claims.</returns>
public new ClaimsIdentity CreateClaims(Saml2SecurityToken samlToken)
{
var identity = base.CreateClaims(samlToken);
if (Configuration.SaveBootstrapContext)
{
identity.BootstrapContext = new BootstrapContext(samlToken, this);
}
return(identity);
}
/// <summary>
/// Create claims from the token.
/// </summary>
/// <param name="samlToken">The token to translate to claims.</param>
/// <returns>An identity with the created claims.</returns>
public new ClaimsIdentity CreateClaims(Saml2SecurityToken samlToken)
{
var identity = base.CreateClaims(samlToken);
if (Configuration.SaveBootstrapContext)
{
identity.BootstrapContext = new BootstrapContext(samlToken, this);
}
return identity;
}
public void CompareSaml2SecurityTokens()
{
TestUtilities.WriteHeader($"{this}.CompareSaml2SecurityTokens", true);
var context = new CompareContext($"{this}.CompareSaml2SecurityTokens");
var saml2SecurityToken1 = new Saml2SecurityToken(new Saml2Assertion(new Saml2NameIdentifier(Guid.NewGuid().ToString())));
var saml2SecurityToken2 = new Saml2SecurityToken(new Saml2Assertion(new Saml2NameIdentifier(Guid.NewGuid().ToString())));
IdentityComparer.AreEqual(saml2SecurityToken1, saml2SecurityToken2, context);
Assert.True(context.Diffs.Count(s => s == "Id:") == 2);
Assert.True(context.Diffs.Count(s => s == "Issuer:") == 2);
}
public ITokenVisualizer GetTokenVisualizer(SecurityToken token)
{
Saml2SecurityToken saml2SecurityToken = token as Saml2SecurityToken;
if (saml2SecurityToken == null)
{
throw new ArgumentException("Token is not a SamlSecurityToken.");
}
return(new Saml2TokenVisualizer(saml2SecurityToken));
}
/// <summary>
/// Issuer URL should be a perfect match including case with the IDP
/// </summary>
/// <param name="assertion"></param>
protected void ValidateIssuer(Saml2SecurityToken assertion)
{
if (_config.ValidIssuers.Count() > 0)
{
string issuer = GetIssuer(assertion);
if (!_config.ValidIssuers.Any(m => m == issuer))
{
throw new Exception("Issuer is not matching with the provided valid issuers.");
}
}
}
public string ToXml(Saml2Assertion assertion)
{
var tokenHandlers = new Saml2SecurityTokenHandler();
var stringBuilder = new StringBuilder();
using (var xmlWriter = new XmlTextWriter(new StringWriter(stringBuilder)))
{
var token = new Saml2SecurityToken(assertion);
tokenHandlers.WriteToken(xmlWriter, token);
return stringBuilder.ToString();
}
}
private GenericXmlSecurityToken SetSecurityToken <T>(T contract, Saml2SecurityToken samlToken,
CustomSaml2SecurityTokenHandler tokenHandler, SecurityTokenDescriptor tokenDescriptor)
where T : SamlTokenContract
{
GenericXmlSecurityToken xmlToken;
var outputTokenString = samlToken.ToTokenXmlString();
var attachedReference = tokenHandler.CreateSecurityTokenReference(samlToken, true);
var unattachedReference = tokenHandler.CreateSecurityTokenReference(samlToken, false);
if (contract.Confirmation == SubjectConfirmationMethod.HolderOfKey)
{
if (contract is AsymmetricSamlTokenContract)
{
xmlToken = new GenericXmlSecurityToken(
GetElement(outputTokenString),
new X509SecurityToken(contract.SigningCertificate),
DateTime.UtcNow,
DateTime.UtcNow.AddHours(8),
attachedReference,
unattachedReference,
new ReadOnlyCollection <IAuthorizationPolicy>(new List <IAuthorizationPolicy>()));
}
else if (contract is SymmetricSamlTokenContract)
{
var proof = (SymmetricProofDescriptor)tokenDescriptor.Proof;
xmlToken = new GenericXmlSecurityToken(
GetElement(outputTokenString),
new BinarySecretSecurityToken(proof.GetKeyBytes()),
DateTime.UtcNow,
DateTime.UtcNow.AddHours(8),
attachedReference,
unattachedReference,
new ReadOnlyCollection <IAuthorizationPolicy>(new List <IAuthorizationPolicy>()));
}
else
{
throw new InvalidOperationException("Unsupported Holder-of-Key contract: " + contract.GetType().Name);
}
}
else
{
xmlToken = new GenericXmlSecurityToken(
GetElement(outputTokenString),
null,
DateTime.UtcNow,
DateTime.UtcNow.AddHours(8),
attachedReference,
unattachedReference,
new ReadOnlyCollection <IAuthorizationPolicy>(new List <IAuthorizationPolicy>()));
}
return(xmlToken);
}
public static string CallCreate(ChannelFactory <Resource> resourceFactory, Uri thisUrl, string smlDomain, int assuranceLevel, CreateRequest request, IMessageMetadata messageMetadata)
{
STARTLibrary.accesspointService.Resource ws = null;
try
{
var serviceMetadata = !string.IsNullOrEmpty(smlDomain) ?
ServiceMetadata.FromSml(smlDomain, request) :
ServiceMetadata.FromKnownEndpoint(resourceFactory);
//NOTE: if you want to debug and send to "wrong" address, change below:
//var test1 = ServiceMetadata.FromSml(smlDomain, request); //henter metadata fra SML
//var test2 = ServiceMetadata.FromKnownEndpoint(resourceFactory);
//var test3 = new ServiceMetadata()
// {
// Address = new Uri("https://ehf.fylkesmannen.no/oxalis"), //factory.Endpoint.Address.Uri,
// Certificate = resourceFactory.Credentials.ServiceCertificate.DefaultCertificate
// };
//serviceMetadata = test1;
if (serviceMetadata.Certificate == null)
{
throw new ArgumentException("Certificate required (both for custom validation and for authenticationMode \"MutualCertificate\").");
}
SetExpectedServiceCertificate(resourceFactory, serviceMetadata.Certificate);
X509Certificate2 clientCertificate = resourceFactory.Credentials.ClientCertificate.Certificate;
Saml2SecurityToken token = AccessPointToken.ClaimsToSaml2SenderVouchesToken(
AccessPointToken.MakeClaims(request.SenderIdentifier.Value, assuranceLevel),
thisUrl.AbsoluteUri, clientCertificate);
//NOTE: changed when upgrading to .NET 4.5:
//ws = resourceFactory.CreateChannelWithIssuedToken(new EndpointAddress(thisUrl, resourceFactory.Endpoint.Address.Identity), token);
ws = resourceFactory.CreateChannelWithIssuedToken(token, new EndpointAddress(thisUrl, resourceFactory.Endpoint.Address.Identity));
var response = ws.Create(request);
return("Document sent.");
}
catch (Exception exception)
{
throw exception;
}
finally
{
if (ws is IDisposable)
{
(ws as IDisposable).Dispose();
}
};
}
private string GetTokenString(string organizationName, bool isServiceBusScope)
{
// Generate Saml assertions..
string issuerName = DefaultIssuer;
//string issuerName = "localhost";
Saml2NameIdentifier saml2NameIdentifier = new Saml2NameIdentifier(issuerName); // this is the issuer name.
Saml2Assertion saml2Assertion = new Saml2Assertion(saml2NameIdentifier);
Uri acsScope = new Uri(StsPath(solutionName, isServiceBusScope));
saml2Assertion.Conditions = new Saml2Conditions();
saml2Assertion.Conditions
.AudienceRestrictions.Add(new Saml2AudienceRestriction(acsScope)); // this is the ACS uri.
saml2Assertion.Conditions.NotOnOrAfter = DateTime.Now.AddDays(1); // Should this be utc?
saml2Assertion.Conditions.NotBefore = DateTime.Now.AddHours(-1); // should this be utc?
string certName = "localhost";
X509Certificate2 localCert = RetrieveCertificate(certName);
if (!localCert.HasPrivateKey)
{
throw new ArgumentException("Cert should have private key.", "certificate");
}
saml2Assertion.SigningCredentials = new X509SigningCredentials(localCert); // this cert should have the private keys.
// Add claim assertions.
saml2Assertion.Statements.Add(
new Saml2AttributeStatement(
new Saml2Attribute(OrganizationClaimType, organizationName)));
// the submitter should always be a bearer.
saml2Assertion.Subject = new Saml2Subject(new Saml2SubjectConfirmation(Saml2Constants.ConfirmationMethods.Bearer));
// Wrap it into a security token.
SecurityTokenHandler tokenHandler = new Saml2SecurityTokenHandler();
SecurityToken securityToken = new Saml2SecurityToken(saml2Assertion);
// Serialize the security token.
StringBuilder sb = new StringBuilder();
using (XmlWriter writer = XmlTextWriter.Create(new StringWriter(sb, CultureInfo.InvariantCulture)))
{
tokenHandler.WriteToken(writer, securityToken);
writer.Close();
}
return(sb.ToString());
}
protected override void ValidateSubject(Saml2SecurityToken samlToken, TokenValidationParameters validationParameters)
{
base.ValidateSubject(samlToken, validationParameters);
if (!samlToken.Assertion.Subject.SubjectConfirmations.Any())
{
throw new Saml2ResponseFailedValidationException("No subject confirmation method found.");
}
if (!samlToken.Assertion.Subject.SubjectConfirmations.Any(sc => sc.Method == bearerUri))
{
throw new Saml2ResponseFailedValidationException("Only assertions with subject confirmation method \"bearer\" are supported.");
}
}
private static IList <Saml2Attribute> GetTokenAttributes(Saml2SecurityToken samlToken)
{
IList <Saml2Attribute> attributes = null;
foreach (Saml2Statement statement in samlToken.Assertion.Statements)
{
if (statement.GetType() == typeof(Saml2AttributeStatement))
{
attributes = ((Saml2AttributeStatement)statement).Attributes;
}
}
return(attributes);
}
private static string GetSaml2TokenString(Saml2SecurityToken token)
{
XmlWriterSettings writerSettings = new XmlWriterSettings();
StringBuilder sb = new StringBuilder();
writerSettings.OmitXmlDeclaration = true;
using (XmlWriter xw = XmlWriter.Create(sb, writerSettings))
{
new Saml2SecurityTokenHandler().WriteToken(xw, token);
return(sb.ToString());
}
}
public static XmlElement SerialiseToken(Saml2SecurityToken token)
{
var handler = new Saml2SecurityTokenHandler();
var sb = new StringBuilder();
using (var writer = XmlWriter.Create(sb))
{
handler.WriteToken(writer, token);
writer.Flush();
var document = new XmlDocument();
document.LoadXml(sb.ToString());
return(document.DocumentElement);
}
}
/// <summary>
/// Multiple audience can be validated. Check at least one audiance urls exist then allow passage.
/// </summary>
/// <param name="assertion"></param>
protected void ValidateAudiance(Saml2SecurityToken assertion)
{
if (String.IsNullOrEmpty(_config.Audience))
{
throw new Exception("Missing Audience, specify the Audience URL.");
}
Uri audienceUri = new Uri(_config.Audience);
if (!assertion.Assertion.Conditions.AudienceRestrictions.Any(m => m.Audiences.Any(o => o == audienceUri)))
{
throw new Exception("Issuer is not matching with the provided valid audiences.");
}
}
/// <summary>
/// Current time should be LESS THAN TimeStamp NotOnOrAfter UTC
/// Current time should be MORE THAN TimeStamp NotBefore UTC
/// </summary>
/// <param name="assertion"></param>
protected void ValidateTimeStamp(Saml2SecurityToken assertion)
{
DateTime notOnOrAfter = assertion.Assertion.Conditions.NotOnOrAfter.Value;
DateTime notBefore = assertion.Assertion.Conditions.NotBefore.Value;
if (DateTime.UtcNow >= notOnOrAfter)
{
throw new Exception("Current time should be LESS THAN TimeStamp NotOnOrAfter UTC");
}
if (DateTime.UtcNow <= notBefore)
{
throw new Exception("Current time should be MORE THAN TimeStamp NotBefore UTC");
}
}
private AccessTokenType?DetermineAccessTokenType(Saml2SecurityToken securityToken)
{
var method = securityToken.Assertion.Subject.SubjectConfirmations.FirstOrDefault()?.Method;
if (method == Saml2BearerMethod)
{
return(AccessTokenType.Bearer);
}
if (method == Saml2HolderOfKeyMethod)
{
return(AccessTokenType.HolderOfKey);
}
return(null);
}
public void Validate(Saml2SecurityToken token, SecurityTokenHandlerConfiguration configuration)
{
if (token == null || token.Response == null || configuration == null)
{
throw new ArgumentNullException();
}
if (
token.Response.Status != null &&
token.Response.Status.StatusCode != null
)
{
if (token.Response.Status.StatusCode.Value != StatusCodes.SUCCESS)
{
throw new ValidationException(string.Format("Token status code validation error. Error reason: {0}", token.Response.Status.StatusCode.Value));
}
}
}
protected void Page_Load(object sender, EventArgs e)
{
EnsureChildControls();
//The email and given name values should be based on data from SQL User Store
Dictionary <string, string> claims = new Dictionary <string, string>();
claims[ClaimTypes.Name] = User.Identity.Name;
claims[ClaimTypes.Email] = User.Identity.Name;
claims[ClaimTypes.GivenName] = User.Identity.Name;
Saml2SecurityToken token = SAMLFactory.CreateSaml2Token(
ConfigurationManager.AppSettings["samlIssuedBy"],
//This should be the username or user display name. It will be modified by the relying system
User.Identity.Name,
claims,
ConfigurationManager.AppSettings["x509CertThumbPrint"]);
Saml2SecurityTokenHandler tokenHandler = new Saml2SecurityTokenHandler();
XmlWriterSettings xmlSettings = new XmlWriterSettings();
xmlSettings.Encoding = System.Text.Encoding.UTF8;
using (MemoryStream ms = new MemoryStream())
{
using (XmlWriter w = XmlWriter.Create(ms, xmlSettings))
{
tokenHandler.WriteToken(w, token);
w.Flush();
w.Close();
}
ms.Position = 0;
samlresponse.Text = Convert.ToBase64String(ms.GetBuffer());
}
relaystate.Text = Page.Request.QueryString["RelayState"];
HtmlGenericControl f = Page.FindControl("bodySSO") as HtmlGenericControl;
if (f != null)
{
f.Attributes.Add("onload", "document.forms.form1.submit();");
}
}
private static List<SamlAttribute> GetClaims(Saml2SecurityToken samlToken)
{
IList<Saml2Attribute> attributes = GetTokenAttributes(samlToken);
if (attributes == null)
return null;
var claims = new List<SamlAttribute>();
foreach (Saml2Attribute attribute in attributes)
{
claims.AddRange(
SamlAttribute.SamlAttributeFromToken(attribute));
}
return claims;
}
public ClaimsIdentity CreateClaimsPublic(Saml2SecurityToken samlToken, string issuer, TokenValidationParameters validationParameters)
{
return base.CreateClaimsIdentity(samlToken, issuer, validationParameters);
}
void SerializeTokenToStream(Saml2SecurityToken saml2Token, CustomTextTraceSource ts, string section)
{
// serialize the token
ts.TraceInformation(section);
if (saml2Token.Assertion.Issuer != null)
{
ts.TraceInformation("\tIssuer: " + saml2Token.Assertion.Issuer.Value);
}
else
{
ts.TraceInformation("Saml 2 Assertion Issuer: NULL");
}
if (saml2Token.Assertion.Issuer != null)
{
ts.TraceInformation("\tSigningCredentials: " + saml2Token.Assertion.SigningCredentials.ToString());
}
else
{
ts.TraceInformation("Saml 2 Assertion SigningCredentials: NULL");
}
if (saml2Token.Assertion.Subject != null)
{
if (saml2Token.Assertion.Subject.NameId != null)
{
ts.TraceInformation("\tSubject NameId: " + saml2Token.Assertion.Subject.NameId.Value);
}
else
{
ts.TraceInformation("\tSubject NameId: NULL");
}
}
else
{
ts.TraceInformation("Saml 2 Assertion Subject: NULL");
}
ts.TraceInformation("Saml Token:\n");
ts.TraceInformation(TokenToString(saml2Token));
}
// Pass thru the claims of the original user
protected override IClaimsIdentity CreateClaims(Saml2SecurityToken samlToken)
{
CustomTextTraceSource ts = new CustomTextTraceSource("CommercialVehicleCollisionWebservice.CustomSaml2SecurityTokenHandler.CreateClaims",
"MyTraceSource", SourceLevels.Information);
// process subject in base
IClaimsIdentity subject = base.CreateClaims(samlToken);
Saml2Assertion assertion = samlToken.Assertion;
// process Condition/Delegation
// TODO: Refactor to a function ProcessDelegation()
ts.TraceInformation("assertion.Conditions Type: " + assertion.Conditions.GetType().Name);
if (assertion.Conditions is Saml2ConditionsDelegateWrapper)
{
Saml2ConditionsDelegateWrapper delegateData = assertion.Conditions as Saml2ConditionsDelegateWrapper;
// Iterate over the Condition delegate elements
// Check if there are delegates within an incoming assertion
IClaimsIdentity currentSubject = subject;
if (delegateData != null && delegateData.Delegates != null)
{
// Add the delegates in the DelegationRestrictionType
ts.TraceInformation("Number of Delegates: " + delegateData.Delegates.Delegate.Length);
for (int i = 0; i < delegateData.Delegates.Delegate.Length; i++)
{
DelegateType del = delegateData.Delegates.Delegate[i];
if (del != null)
{
string nameId = del.Item.ToString();
var claims = new List<Claim>();
claims.Add(new Claim(ClaimTypes.Name, nameId));
claims.Add(new Claim(ClaimTypes.AuthenticationInstant, XmlConvert.ToString(del.DelegationInstant, DateTimeFormats.Generated)));
// now add to current subject
currentSubject.Actor = new ClaimsIdentity(claims);
currentSubject = currentSubject.Actor;
}
}
}
}
return subject;
}
/// <summary>
/// Returns the time until which the token should be held in the token replay cache.
/// </summary>
/// <param name="token">The token to return an expiration time for.</param>
/// <exception cref="ArgumentNullException">The input argument 'token' is null.</exception>
/// <exception cref="SecurityTokenValidationException">The Saml2SecurityToken's validity period is greater than the expiration period set to TokenReplayCache.</exception>
/// <returns>A DateTime representing the expiration time.</returns>
/// <remarks>By default, this function returns the NotOnOrAfter of the SAML Condition if present.
/// If that value does not exist, it returns the NotOnOrAfter of the first SubjectConfirmationData.
/// This function will never return a value further from now than Configuration.TokenReplayCacheExpirationPeriod.</remarks>
protected virtual DateTime GetTokenReplayCacheEntryExpirationTime(Saml2SecurityToken token)
{
if (token == null)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("token");
}
DateTime? tokenExpiration = null;
Saml2Assertion assertion = token.Assertion;
if (assertion != null)
{
if (assertion.Conditions != null && assertion.Conditions.NotOnOrAfter.HasValue)
{
// The Condition has a NotOnOrAfter set, use that.
tokenExpiration = assertion.Conditions.NotOnOrAfter.Value;
}
else if (assertion.Subject != null && assertion.Subject.SubjectConfirmations != null &&
assertion.Subject.SubjectConfirmations.Count != 0 &&
assertion.Subject.SubjectConfirmations[0].SubjectConfirmationData != null &&
assertion.Subject.SubjectConfirmations[0].SubjectConfirmationData.NotOnOrAfter.HasValue)
{
// The condition did not have NotOnOrAfter set, but SCD[0] has a NotOnOrAfter set, use that.
tokenExpiration = assertion.Subject.SubjectConfirmations[0].SubjectConfirmationData.NotOnOrAfter.Value;
}
}
// DateTimeUtil handles overflows
DateTime maximumExpirationTime = DateTimeUtil.Add(DateTime.UtcNow, Configuration.TokenReplayCacheExpirationPeriod);
// Use DateTime.MaxValue as expiration value for tokens without expiration
tokenExpiration = tokenExpiration ?? DateTime.MaxValue;
// If the refined token validity period is greater than the TokenReplayCacheExpirationPeriod, throw
if (DateTime.Compare(maximumExpirationTime, tokenExpiration.Value) < 0)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(
new SecurityTokenValidationException(SR.GetString(SR.ID1069, tokenExpiration.Value.ToString(), Configuration.TokenReplayCacheExpirationPeriod.ToString())));
}
return tokenExpiration.Value;
}
/// <summary>
/// Creates claims from a Saml2 token.
/// </summary>
/// <param name="samlToken">The Saml2SecurityToken.</param>
/// <returns>An IClaimIdentity.</returns>
protected virtual ClaimsIdentity CreateClaims(Saml2SecurityToken samlToken)
{
if (samlToken == null)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("samlToken");
}
ClaimsIdentity subject = new ClaimsIdentity(AuthenticationTypes.Federation, SamlSecurityTokenRequirement.NameClaimType, SamlSecurityTokenRequirement.RoleClaimType);
Saml2Assertion assertion = samlToken.Assertion;
if (assertion == null)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgument("samlToken", SR.GetString(SR.ID1034));
}
if (this.Configuration == null)
{
throw DiagnosticUtility.ThrowHelperInvalidOperation(SR.GetString(SR.ID4274));
}
if (this.Configuration.IssuerNameRegistry == null)
{
throw DiagnosticUtility.ThrowHelperInvalidOperation(SR.GetString(SR.ID4277));
}
string issuer = this.Configuration.IssuerNameRegistry.GetIssuerName(samlToken.IssuerToken, assertion.Issuer.Value);
if (string.IsNullOrEmpty(issuer))
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new SecurityTokenException(SR.GetString(SR.ID4175)));
}
this.ProcessSamlSubject(assertion.Subject, subject, issuer);
this.ProcessStatement(assertion.Statements, subject, issuer);
return subject;
}
/// <summary>
/// Creates a <see cref="SecurityToken"/> based on a information contained in the <see cref="SecurityTokenDescriptor"/>.
/// </summary>
/// <param name="tokenDescriptor">The <see cref="SecurityTokenDescriptor"/> that has creation information.</param>
/// <returns>A <see cref="SecurityToken"/> instance.</returns>
/// <exception cref="ArgumentNullException">Thrown if 'tokenDescriptor' is null.</exception>
public override SecurityToken CreateToken(SecurityTokenDescriptor tokenDescriptor)
{
if (null == tokenDescriptor)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("tokenDescriptor");
}
// Assertion/issuer
Saml2Assertion assertion = new Saml2Assertion(this.CreateIssuerNameIdentifier(tokenDescriptor));
// Subject
assertion.Subject = this.CreateSamlSubject(tokenDescriptor);
// Signature
assertion.SigningCredentials = this.GetSigningCredentials(tokenDescriptor);
// Conditions
assertion.Conditions = this.CreateConditions(tokenDescriptor.Lifetime, tokenDescriptor.AppliesToAddress, tokenDescriptor);
// Advice
assertion.Advice = this.CreateAdvice(tokenDescriptor);
// Statements
IEnumerable<Saml2Statement> statements = this.CreateStatements(tokenDescriptor);
if (null != statements)
{
foreach (Saml2Statement statement in statements)
{
assertion.Statements.Add(statement);
}
}
// encrypting credentials
assertion.EncryptingCredentials = this.GetEncryptingCredentials(tokenDescriptor);
SecurityToken token = new Saml2SecurityToken(assertion);
return token;
}
public Saml2TokenVisualizer(Saml2SecurityToken token)
{
this.Token = token;
}
public new ClaimsIdentity CreateClaims(Saml2SecurityToken samlToken)
{
return base.CreateClaims(samlToken);
}
public void Saml2Response_GetClaims_CorrectEncryptedSingleAssertion_UsingWIF()
{
var response =
@"<saml2p:Response xmlns:saml2p=""urn:oasis:names:tc:SAML:2.0:protocol""
xmlns:saml2=""urn:oasis:names:tc:SAML:2.0:assertion""
ID = """ + MethodBase.GetCurrentMethod().Name + @""" Version=""2.0"" IssueInstant=""2013-01-01T00:00:00Z"">
<saml2:Issuer>https://idp.example.com</saml2:Issuer>
<saml2p:Status>
<saml2p:StatusCode Value=""urn:oasis:names:tc:SAML:2.0:status:Success"" />
</saml2p:Status>
{0}
</saml2p:Response>";
var assertion = new Saml2Assertion(new Saml2NameIdentifier("https://idp.example.com"));
assertion.Subject = new Saml2Subject(new Saml2NameIdentifier("WIFUser"));
assertion.Subject.SubjectConfirmations.Add(new Saml2SubjectConfirmation(new Uri("urn:oasis:names:tc:SAML:2.0:cm:bearer")));
assertion.Conditions = new Saml2Conditions { NotOnOrAfter = new DateTime(2100, 1, 1) };
var token = new Saml2SecurityToken(assertion);
var handler = new Saml2SecurityTokenHandler();
assertion.SigningCredentials = new X509SigningCredentials(SignedXmlHelper.TestCert,
signatureAlgorithm: SecurityAlgorithms.RsaSha1Signature,
digestAlgorithm: SecurityAlgorithms.Sha1Digest);
assertion.EncryptingCredentials = new EncryptedKeyEncryptingCredentials(
SignedXmlHelper.TestCert2,
keyWrappingAlgorithm: SecurityAlgorithms.RsaOaepKeyWrap,
keySizeInBits: 256,
encryptionAlgorithm: SecurityAlgorithms.Aes192Encryption);
string assertionXml = String.Empty;
using (var sw = new StringWriter())
{
using (var xw = XmlWriter.Create(sw, new XmlWriterSettings { OmitXmlDeclaration = true }))
{
handler.WriteToken(xw, token);
}
assertionXml = sw.ToString();
}
var responseWithAssertion = string.Format(response, assertionXml);
var claims = Saml2Response.Read(responseWithAssertion).GetClaims(Options.FromConfiguration);
claims.Count().Should().Be(1);
claims.First().FindFirst(ClaimTypes.NameIdentifier).Value.Should().Be("WIFUser");
}
protected override ClaimsIdentity CreateClaims(Saml2SecurityToken samlToken)
{
Console.WriteLine(samlToken.Id);
return base.CreateClaims(samlToken);
}
/// <summary>
/// Creates a <see cref="ClaimsIdentity"/> from the Saml2 securityToken.
/// </summary>
/// <param name="samlToken">The Saml2SecurityToken.</param>
/// <param name="issuer">the issuer value for each <see cref="Claim"/> in the <see cref="ClaimsIdentity"/>.</param>
/// <param name="validationParameters"> contains parameters for validating the securityToken.</param>
/// <returns>An IClaimIdentity.</returns>
protected virtual ClaimsIdentity CreateClaimsIdentity(Saml2SecurityToken samlToken, string issuer, TokenValidationParameters validationParameters)
{
if (samlToken == null)
{
throw new ArgumentNullException("samlToken");
}
if (string.IsNullOrWhiteSpace(issuer))
{
throw new ArgumentException(ErrorMessages.IDX10221);
}
Saml2Assertion assertion = samlToken.Assertion;
if (assertion == null)
{
throw new ArgumentException(ErrorMessages.IDX10202);
}
ClaimsIdentity identity = validationParameters.CreateClaimsIdentity(samlToken, issuer);
_smSaml2HandlerPrivateNeverSetAnyProperties.ProcessSamlSubjectPublic(samlToken.Assertion.Subject, identity, issuer);
_smSaml2HandlerPrivateNeverSetAnyProperties.ProcessStatmentPublic(samlToken.Assertion.Statements, identity, issuer);
return identity;
}
private static IList<Saml2Attribute> GetTokenAttributes(Saml2SecurityToken samlToken)
{
IList<Saml2Attribute> attributes = null;
foreach (Saml2Statement statement in samlToken.Assertion.Statements)
if (statement.GetType() == typeof(Saml2AttributeStatement))
attributes = ((Saml2AttributeStatement)statement).Attributes;
return attributes;
}
