public void ValidateJsonWebToken(string tokenString, SsoSettings settings, IList<string> audiences)
{
try
{
TokenString = tokenString;
SecurityToken securityToken;
_log.DebugFormat("JWT Validation securityAlgorithm={0}, audience[0]={1}, audience[1]={2}", settings.ValidationType, audiences[0], audiences[1]);
switch (settings.ValidationType)
{
case ValidationTypes.RSA_SHA256:
RSACryptoServiceProvider publicOnly = new RSACryptoServiceProvider();
//"<RSAKeyValue><Modulus>zeyPa4SwRb0IO+KMq20760ZmaUvy/qzecdOkRUNdNpdUe1E72Xt1WkAcWNu24/UeS3pETu08rVTqHJUMfhHcSKgL7LAk/MMj2inGFxop1LipGZSnqZhnjsfj1ERJL5eXs1O9hqyAcXvY4A2wo67qqv/lbHLKTW59W+YQkbIOVR4nQlbh1lK1TIY+oqK0J/5Ileb4QfERn0Rv/J/K0fy6VzLmVt+kg9MRNxYwnVsC3m5/kIu1fw3OpZxcaCC68SRqLLb/UXmaJM8NXYKkAkHKxT4DQqSk6KbFSQG6qi49Q34akohekzxjxmmGeoO5tsFCuMJofKAsBKKtOkLPaJD2rQ==</Modulus><Exponent>AQAB</Exponent></RSAKeyValue>"
publicOnly.FromXmlString(settings.PublicKey);
securityToken = new RsaSecurityToken(publicOnly);
break;
case ValidationTypes.HMAC_SHA256:
//var key = "zeyPa4SwRb0IO+KMq20760ZmaUvy/qzecdOkRUNdNpdUe1E72Xu24/UeS3pETu";
securityToken = new System.ServiceModel.Security.Tokens.BinarySecretSecurityToken(GetBytes(settings.PublicKey));
break;
case ValidationTypes.X509:
var certificate = new Certificate();
certificate.LoadCertificate(settings.PublicKey);
securityToken = new X509SecurityToken(certificate.cert);
break;
default:
_log.ErrorFormat("ValidationType has wrong value: {0}", settings.ValidationType);
throw new ArgumentException("ValidationType has wrong value");
}
TokenValidationParameters validationParams = new TokenValidationParameters();
validationParams.ValidIssuer = settings.Issuer;
validationParams.ValidAudiences = audiences;
validationParams.ValidateIssuer = true;
validationParams.ValidateIssuerSigningKey = true;
validationParams.ValidateAudience = true;
validationParams.ValidateActor = true;
validationParams.IssuerSigningToken = securityToken;
JwtSecurityTokenHandler recipientTokenHandler = new JwtSecurityTokenHandler();
recipientTokenHandler.TokenLifetimeInMinutes = MAX_CLOCK_SKEW;
SecurityToken validatedToken = null;
ClaimsPrincipalReceived = recipientTokenHandler.ValidateToken(TokenString, validationParams, out validatedToken);
JwtSecurityToken = validatedToken;
}
catch (Exception e)
{
_log.ErrorFormat("JWT Validation error. {0}", e);
}
}
public SamlResponse(SsoSettings ssoSettings)
{
_ssoSettings = ssoSettings;
_certificate = new Certificate();
_certificate.LoadCertificate(_ssoSettings.PublicKey);
}
public string SaveSettings(string serializeSettings)
{
if (Context.User != null && Context.User.Identity != null)
{
var userInfo = CoreContext.UserManager.GetUsers(((IUserAccount)Context.User.Identity).ID);
if (userInfo != Constants.LostUser && userInfo.IsAdmin())
{
try
{
if (string.IsNullOrWhiteSpace(serializeSettings))
{
_log.ErrorFormat("SSO settings are null or empty.");
return Resource.SsoSettingsAreEmpty;
}
Settings = (SsoSettings)JavaScriptDeserializer.DeserializeFromJson(serializeSettings, typeof(SsoSettings));
if (Settings == null)
{
_log.ErrorFormat("Wrong SSO settings were received from client.");
return Resource.SsoSettingsWrongSerialization;
}
var messageAction = Settings.EnableSso ? MessageAction.SSOEnabled : MessageAction.SSODisabled;
if (Settings.EnableSso)
{
if (!(string.IsNullOrWhiteSpace(Settings.Issuer) || CheckUri(Settings.Issuer)))
{
_log.ErrorFormat("Wrong Issuer URL: {0}", Settings.Issuer);
return string.Format(Resource.SsoSettingsWrongURL, Settings.Issuer);
}
else
{
Settings.Issuer = Settings.Issuer.Trim();
}
if (!(string.IsNullOrWhiteSpace(Settings.SsoEndPoint) || CheckUri(Settings.SsoEndPoint)))
{
_log.ErrorFormat("Wrong SsoEndPoint URL: {0}", Settings.SsoEndPoint);
return string.Format(Resource.SsoSettingsWrongURL, Settings.SsoEndPoint);
}
else
{
Settings.SsoEndPoint = Settings.SsoEndPoint.Trim();
}
if (!string.IsNullOrWhiteSpace(Settings.SloEndPoint) && !CheckUri(Settings.SloEndPoint))
{
_log.ErrorFormat("Wrong SloEndPoint URL: {0}", Settings.SloEndPoint);
return string.Format(Resource.SsoSettingsWrongURL, Settings.SloEndPoint);
}
else
{
Settings.SloEndPoint = Settings.SloEndPoint.Trim();
}
if (string.IsNullOrWhiteSpace(Settings.PublicKey))
{
_log.ErrorFormat("Wrong PublicKey: {0}", Settings.PublicKey);
return Resource.SsoSettingsWrongPublicKey;
}
else
{
Settings.PublicKey = Settings.PublicKey.Trim();
}
if (Settings.TokenType != TokenTypes.SAML && Settings.TokenType != TokenTypes.JWT)
{
_log.ErrorFormat("Wrong token type: {0}", Settings.TokenType);
return Resource.SsoSettingsWrongTokenType;
}
if ((Settings.ValidationType != ValidationTypes.HMAC_SHA256 && Settings.ValidationType != ValidationTypes.RSA_SHA256
&& Settings.ValidationType != ValidationTypes.X509))
{
_log.ErrorFormat("Wrong validaion type: {0}", Settings.ValidationType);
return Resource.SsoSettingsWrongValidationType;
}
if (Settings.TokenType == TokenTypes.SAML && Settings.ValidationType != ValidationTypes.X509)
{
Settings.ValidationType = ValidationTypes.X509;
}
}
if (!SettingsManager.Instance.SaveSettings(Settings, TenantProvider.CurrentTenantID))
{
_log.ErrorFormat("Can't save SSO settings.");
return Resource.SsoSettingsCantSaveSettings;
}
MessageService.Send(HttpContext.Current.Request, messageAction);
}
catch(Exception e)
{
_log.ErrorFormat("Save SSO setting error: {0}.", e);
return Resource.SsoSettingsUnexpectedError;
}
return string.Empty;
}
}
_log.ErrorFormat("Insufficient Access Rights by saving sso settings!");
throw new SecurityException();
}
protected void Page_Load(object sender, EventArgs e)
{
AjaxPro.Utility.RegisterTypeForAjax(typeof(SingleSignOnSettings), Page);
Page.RegisterBodyScripts(ResolveUrl("~/usercontrols/management/singlesignonsettings/js/singlesignonsettings.js"));
Settings = SettingsManager.Instance.LoadSettings<SsoSettings>(TenantProvider.CurrentTenantID);
}
public SamlRequest(SsoSettings ssoSettings)
{
_ssoSettings = ssoSettings;
_id = "_" + Guid.NewGuid().ToString();
_issueInstant = DateTime.Now.ToUniversalTime().ToString("yyyy-MM-ddTHH:mm:ss.fffZ");
}