/// <summary>
/// Turns each assertion of the response into a <see cref="ClaimsIdentity"/>.
/// This is an iterator method: <c>Validate(options)</c> and the status check do not
/// run when the method is called, only on the first <c>MoveNext()</c> of the result.
/// </summary>
/// <param name="options">Options holding the SP token handler and audience configuration.</param>
/// <returns>One <see cref="ClaimsIdentity"/> per assertion element in the response.</returns>
/// <exception cref="UnsuccessfulSamlOperationException">
/// Thrown when the response status is anything other than <c>Success</c>.
/// </exception>
private IEnumerable<ClaimsIdentity> CreateClaims(IOptions options)
{
    Validate(options);

    if (status != Saml2StatusCode.Success)
    {
        // The message part is only appended when the IdP supplied a StatusMessage.
        string messagePart = string.Empty;
        if (statusMessage != null)
        {
            messagePart = " Message: " + statusMessage + ".";
        }

        string reason = string.Format(
            "The Saml2Response must have status success to extract claims. Status: {0}.{1}",
            status.ToString(),
            messagePart);

        throw new UnsuccessfulSamlOperationException(reason, status, statusMessage, secondLevelStatus);
    }

    foreach (XmlElement assertionElement in GetAllAssertionElementNodes(options))
    {
        // The enveloped ds:Signature element is hidden from the token handler so that it
        // only parses assertion content. Signature checking is assumed to have happened
        // before this point (presumably inside Validate(options) — confirm).
        using (var assertionReader = new FilteringXmlNodeReader(
            SignedXml.XmlDsigNamespaceUrl, "Signature", assertionElement))
        {
            var tokenHandler = options.SPOptions.Saml2PSecurityTokenHandler;
            var securityToken = (Saml2SecurityToken)tokenHandler.ReadToken(assertionReader);

            // Replay detection runs before the conditions are validated.
            tokenHandler.DetectReplayedToken(securityToken);

            // Whether the audience restriction is enforced is decided from the configured
            // AudienceMode together with the token, rather than from assertion content alone.
            var requirement = options.SPOptions
                .Saml2PSecurityTokenHandler
                .SamlSecurityTokenRequirement;
            var audienceMode = options.SPOptions
                .SystemIdentityModelIdentityConfiguration
                .AudienceRestriction
                .AudienceMode;
            bool enforceAudience = requirement.ShouldEnforceAudienceRestriction(audienceMode, securityToken);

            tokenHandler.ValidateConditions(securityToken.Assertion.Conditions, enforceAudience);

            yield return tokenHandler.CreateClaims(securityToken);
        }
    }
}
/// <summary>
/// Turns each assertion of the response into a <see cref="ClaimsIdentity"/>.
/// This is an iterator method: <c>Validate(options)</c> and the status check do not
/// run when the method is called, only on the first <c>MoveNext()</c> of the result.
/// </summary>
/// <param name="options">Options holding the Saml2P security token handler.</param>
/// <returns>One <see cref="ClaimsIdentity"/> per assertion element in the response.</returns>
/// <exception cref="InvalidOperationException">
/// Thrown when the response status is anything other than <c>Success</c>.
/// </exception>
private IEnumerable<ClaimsIdentity> CreateClaims(SAML2AuthenticationOptions options)
{
    Validate(options);

    if (status != Saml2StatusCode.Success)
    {
        // The message part is only appended when the IdP supplied a StatusMessage.
        string messagePart = string.Empty;
        if (statusMessage != null)
        {
            messagePart = " Message: " + statusMessage + ".";
        }

        string reason = string.Format(
            "The Saml2Response must have status success to extract claims. Status: {0}.{1}",
            status.ToString(),
            messagePart);

        throw new InvalidOperationException(reason);
    }

    foreach (XmlElement assertionElement in AllAssertionElementNodes)
    {
        // The enveloped ds:Signature element is hidden from the token handler so that it
        // only parses assertion content. Signature checking is assumed to have happened
        // before this point (presumably inside Validate(options) — confirm).
        using (var assertionReader = new FilteringXmlNodeReader(
            SignedXml.XmlDsigNamespaceUrl, "Signature", assertionElement))
        {
            var tokenHandler = options.Saml2PSecurityTokenHandler;
            var securityToken = (Saml2SecurityToken)tokenHandler.ReadToken(assertionReader);

            // Replay detection runs before the conditions are validated.
            tokenHandler.DetectReplayedToken(securityToken);

            // The audience restriction is enforced only when the assertion itself carries
            // at least one <AudienceRestriction>. An assertion without one is therefore
            // accepted with no audience check at all: the enforcement decision comes from
            // assertion content, not from SP configuration. Also, if Conditions is null this
            // line throws NullReferenceException — confirm ReadToken guarantees a Conditions element.
            bool enforceAudience = securityToken.Assertion.Conditions.AudienceRestrictions.Count > 0;

            tokenHandler.ValidateConditions(securityToken.Assertion.Conditions, enforceAudience);

            yield return tokenHandler.CreateClaims(securityToken);
        }
    }
}
/// <summary>
/// Turns each assertion of the response into a <see cref="ClaimsIdentity"/>, logging
/// progress through the SP logger and tracking the earliest SessionNotOnOrAfter seen.
/// This is an iterator method: <c>Validate(options)</c> and the status check do not
/// run when the method is called, only on the first <c>MoveNext()</c> of the result.
/// </summary>
/// <param name="options">Options holding the SP token handler, logger and audience configuration.</param>
/// <returns>One <see cref="ClaimsIdentity"/> per assertion element in the response.</returns>
/// <exception cref="UnsuccessfulSamlOperationException">
/// Thrown when the response status is anything other than <c>Success</c>.
/// </exception>
private IEnumerable<ClaimsIdentity> CreateClaims(IOptions options)
{
    Validate(options);

    if (status != Saml2StatusCode.Success)
    {
        // The message part is only appended when the IdP supplied a StatusMessage.
        string messagePart = string.Empty;
        if (statusMessage != null)
        {
            messagePart = " Message: " + statusMessage + ".";
        }

        string reason = string.Format(
            "The Saml2Response must have status success to extract claims. Status: {0}.{1}",
            status.ToString(),
            messagePart);

        throw new UnsuccessfulSamlOperationException(reason, status, statusMessage, secondLevelStatus);
    }

    foreach (XmlElement assertionElement in GetAllAssertionElementNodes(options))
    {
        // The enveloped ds:Signature element is hidden from the token handler so that it
        // only parses assertion content. Signature checking is assumed to have happened
        // before this point (presumably inside Validate(options) — confirm).
        using (var assertionReader = new FilteringXmlNodeReader(
            SignedXml.XmlDsigNamespaceUrl, "Signature", assertionElement))
        {
            var tokenHandler = options.SPOptions.Saml2PSecurityTokenHandler;
            var securityToken = (Saml2SecurityToken)tokenHandler.ReadToken(assertionReader);
            options.SPOptions.Logger.WriteVerbose("Extracted SAML assertion " + securityToken.Id);

            // Replay detection runs before the conditions are validated.
            tokenHandler.DetectReplayedToken(securityToken);

            // Whether the audience restriction is enforced is decided from the configured
            // AudienceMode together with the token, rather than from assertion content alone.
            var requirement = options.SPOptions
                .Saml2PSecurityTokenHandler
                .SamlSecurityTokenRequirement;
            var audienceMode = options.SPOptions
                .SystemIdentityModelIdentityConfiguration
                .AudienceRestriction
                .AudienceMode;
            bool enforceAudience = requirement.ShouldEnforceAudienceRestriction(audienceMode, securityToken);

            tokenHandler.ValidateConditions(securityToken.Assertion.Conditions, enforceAudience);
            options.SPOptions.Logger.WriteVerbose("Validated conditions for SAML2 Response " + Id);

            // Fold this assertion's SessionNotOnOrAfter into the running value. SingleOrDefault
            // throws InvalidOperationException if the assertion carries more than one
            // AuthnStatement; with none, null is passed (presumably EarliestTime treats null
            // as "no value" — confirm in DateTimeHelper).
            var authnStatement = securityToken.Assertion.Statements
                .OfType<Saml2AuthenticationStatement>()
                .SingleOrDefault();
            sessionNotOnOrAfter = DateTimeHelper.EarliestTime(
                sessionNotOnOrAfter,
                authnStatement?.SessionNotOnOrAfter);

            yield return tokenHandler.CreateClaims(securityToken);
        }
    }
}