private IEnumerable <ClaimsIdentity> CreateClaims(StoredRequestState storedRequestState, IOptions options)
        {
            Validate(storedRequestState, options);

            if (status != Saml2StatusCode.Success)
            {
                throw new InvalidOperationException("The Saml2Response must have status success to extract claims.");
            }

            foreach (XmlElement assertionNode in AllAssertionElementNodes)
            {
                using (var reader = new FilteringXmlNodeReader(SignedXml.XmlDsigNamespaceUrl, "Signature", assertionNode))
                {
                    var handler = options.SPOptions.Saml2PSecurityTokenHandler;

                    var token = (Saml2SecurityToken)handler.ReadToken(reader);
                    handler.DetectReplayedToken(token);

                    var validateAudience = token.Assertion.Conditions.AudienceRestrictions.Count > 0;

                    handler.ValidateConditions(token.Assertion.Conditions, validateAudience);

                    yield return(handler.CreateClaims(token));
                }
            }
        }
        private IEnumerable <ClaimsIdentity> CreateClaims(IOptions options)
        {
            Validate(options);

            if (status != Saml2StatusCode.Success)
            {
                throw new UnsuccessfulSamlOperationException(string.Format("The Saml2Response must have status success to extract claims. Status: {0}.{1}"
                                                                           , status.ToString(), statusMessage != null ? " Message: " + statusMessage + "." : string.Empty),
                                                             status, statusMessage, secondLevelStatus);
            }

            foreach (XmlElement assertionNode in GetAllAssertionElementNodes(options))
            {
                using (var reader = new FilteringXmlNodeReader(SignedXml.XmlDsigNamespaceUrl, "Signature", assertionNode))
                {
                    var handler = options.SPOptions.Saml2PSecurityTokenHandler;

                    var token = (Saml2SecurityToken)handler.ReadToken(reader);
                    handler.DetectReplayedToken(token);

                    var validateAudience = options.SPOptions
                                           .Saml2PSecurityTokenHandler
                                           .SamlSecurityTokenRequirement
                                           .ShouldEnforceAudienceRestriction(options.SPOptions
                                                                             .SystemIdentityModelIdentityConfiguration
                                                                             .AudienceRestriction.AudienceMode, token);

                    handler.ValidateConditions(token.Assertion.Conditions, validateAudience);

                    yield return(handler.CreateClaims(token));
                }
            }
        }
        void FilteringXmlNodeReader_RemovesFilteredOutNode(bool preserveWhiteSpace)
        {
            var xmlData =
            @"<a:root xmlns:a=""urn:a"" xmlns:b=""urn:b"">
                <a:preserveChild>Preserve</a:preserveChild>
                <a:removeChild>
                    <b:removeThisToo>Remove this!</b:removeThisToo>
                </a:removeChild>
                <b:removeChild>Just kidding, this should be kept.</b:removeChild>
            </a:root>";

            var xmlDoc = new XmlDocument()
            {
                PreserveWhitespace = preserveWhiteSpace
            };
            xmlDoc.LoadXml(xmlData);

            var subject = new FilteringXmlNodeReader("urn:a", "removeChild", xmlDoc.DocumentElement);

            subject.ReadStartElement("root", "urn:a");
            subject.ReadStartElement("preserveChild", "urn:a");
            subject.Skip();
            subject.ReadEndElement();
            subject.ReadStartElement("removeChild", "urn:b");
            subject.Skip();
            subject.ReadEndElement();

            subject.MoveToContent();
            subject.NodeType.Should().Be(XmlNodeType.EndElement);
            subject.Name.Should().Be("a:root");
        }
Exemple #4
0
        private IEnumerable <ClaimsIdentity> CreateClaims(IOptions options)
        {
            Validate(options);

            if (status != Saml2StatusCode.Success)
            {
                throw new UnsuccessfulSamlOperationException(
                          "The Saml2Response must have status success to extract claims.",
                          status, statusMessage, secondLevelStatus);
            }

            foreach (XmlElement assertionNode in GetAllAssertionElementNodes(options))
            {
                using (var reader = new FilteringXmlNodeReader(SignedXml.XmlDsigNamespaceUrl, "Signature", assertionNode))
                {
                    var handler = options.SPOptions.Saml2PSecurityTokenHandler;

                    var token = (Saml2SecurityToken)handler.ReadToken(reader);
                    options.SPOptions.Logger.WriteVerbose("Extracted SAML assertion " + token.Id);

                    handler.DetectReplayedToken(token);

                    var validateAudience = options.SPOptions
                                           .Saml2PSecurityTokenHandler
                                           .SamlSecurityTokenRequirement
                                           .ShouldEnforceAudienceRestriction(options.SPOptions
                                                                             .SystemIdentityModelIdentityConfiguration
                                                                             .AudienceRestriction.AudienceMode, token);

                    handler.ValidateConditions(token.Assertion.Conditions, validateAudience);

                    options.SPOptions.Logger.WriteVerbose("Validated conditions for SAML2 Response " + Id);

                    sessionNotOnOrAfter = DateTimeHelper.EarliestTime(sessionNotOnOrAfter,
                                                                      token.Assertion.Statements.OfType <Saml2AuthenticationStatement>()
                                                                      .SingleOrDefault()?.SessionNotOnOrAfter);

                    yield return(handler.CreateClaims(token));
                }
            }
        }
        private IEnumerable<ClaimsIdentity> CreateClaims(IOptions options)
        {
            Validate(options);

            if (status != Saml2StatusCode.Success)
            {
                throw new InvalidOperationException(string.Format("The Saml2Response must have status success to extract claims. Status: {0}.{1}"
                    , status.ToString(), statusMessage != null ? " Message: " + statusMessage + "." : string.Empty));
            }

            foreach (XmlElement assertionNode in AllAssertionElementNodes)
            {
                using (var reader = new FilteringXmlNodeReader(SignedXml.XmlDsigNamespaceUrl, "Signature", assertionNode))
                {
                    var handler = options.SPOptions.Saml2PSecurityTokenHandler;

                    var token = (Saml2SecurityToken)handler.ReadToken(reader);
                    handler.DetectReplayedToken(token);

                    var validateAudience = token.Assertion.Conditions.AudienceRestrictions.Count > 0;

                    handler.ValidateConditions(token.Assertion.Conditions, validateAudience);

                    yield return handler.CreateClaims(token);
                }
            }
        }