private string AuthnRequestForIdp(IdentityProvider identityProvider, Saml20AuthnRequest request, IOwinContext context, Saml2Configuration config)
{
var logger = SAML2.Logging.LoggerProvider.LoggerFor(typeof(SamlMessage));
context.Set(IdpTempSessionKey, identityProvider.Id);
// Determine which endpoint to use from the configuration file or the endpoint metadata.
var destination = IdpSelectionUtil.DetermineEndpointConfiguration(BindingType.Redirect, identityProvider.Endpoints.DefaultSignOnEndpoint, identityProvider.Metadata.SSOEndpoints);
request.Destination = destination.Url;
if (identityProvider.ForceAuth) {
request.ForceAuthn = true;
}
// Check isPassive status
if (context.Get<bool>(IdpIsPassive)) {
request.IsPassive = true;
}
if (identityProvider.IsPassive) {
request.IsPassive = true;
}
// Check if request should forceAuthn
if (context.Get<bool>(IdpForceAuthn)) {
request.ForceAuthn = true;
}
// Check if protocol binding should be forced
if (identityProvider.Endpoints.DefaultSignOnEndpoint != null) {
if (!string.IsNullOrEmpty(identityProvider.Endpoints.DefaultSignOnEndpoint.ForceProtocolBinding)) {
request.ProtocolBinding = identityProvider.Endpoints.DefaultSignOnEndpoint.ForceProtocolBinding;
}
}
// Save request message id to session
Utility.AddExpectedResponseId(request.Id);
switch (destination.Binding) {
case BindingType.Redirect:
logger.DebugFormat(TraceMessages.AuthnRequestPrepared, identityProvider.Id, Saml20Constants.ProtocolBindings.HttpRedirect);
var redirectBuilder = new HttpRedirectBindingBuilder
{
SigningKey = config.ServiceProvider.SigningCertificate.PrivateKey,
Request = request.GetXml().OuterXml
};
if (context.Authentication != null &&
context.Authentication.AuthenticationResponseChallenge != null &&
context.Authentication.AuthenticationResponseChallenge.Properties != null &&
context.Authentication.AuthenticationResponseChallenge.Properties.Dictionary != null &&
context.Authentication.AuthenticationResponseChallenge.Properties.Dictionary.Count > 0)
redirectBuilder.RelayState = context.Authentication.AuthenticationResponseChallenge.Properties.Dictionary.ToDelimitedString();
logger.DebugFormat(TraceMessages.AuthnRequestSent, redirectBuilder.Request);
var redirectLocation = request.Destination + "?" + redirectBuilder.ToQuery();
return redirectLocation;
case BindingType.Post:
throw new NotImplementedException();
//logger.DebugFormat(TraceMessages.AuthnRequestPrepared, identityProvider.Id, Saml20Constants.ProtocolBindings.HttpPost);
//var postBuilder = new HttpPostBindingBuilder(destination);
//// Honor the ForceProtocolBinding and only set this if it's not already set
//if (string.IsNullOrEmpty(request.ProtocolBinding)) {
// request.ProtocolBinding = Saml20Constants.ProtocolBindings.HttpPost;
//}
//var requestXml = request.GetXml();
//XmlSignatureUtils.SignDocument(requestXml, request.Id, config.ServiceProvider.SigningCertificate);
//postBuilder.Request = requestXml.OuterXml;
//logger.DebugFormat(TraceMessages.AuthnRequestSent, postBuilder.Request);
//context.Response.Write(postBuilder.GetPage());
//break;
case BindingType.Artifact:
throw new NotImplementedException();
//logger.DebugFormat(TraceMessages.AuthnRequestPrepared, identityProvider.Id, Saml20Constants.ProtocolBindings.HttpArtifact);
//var artifactBuilder = new HttpArtifactBindingBuilder(context, config);
//// Honor the ForceProtocolBinding and only set this if it's not already set
//if (string.IsNullOrEmpty(request.ProtocolBinding)) {
// request.ProtocolBinding = Saml20Constants.ProtocolBindings.HttpArtifact;
//}
//logger.DebugFormat(TraceMessages.AuthnRequestSent, request.GetXml().OuterXml);
//artifactBuilder.RedirectFromLogin(destination, request);
//break;
default:
logger.Error(SAML2.ErrorMessages.EndpointBindingInvalid);
throw new Saml20Exception(SAML2.ErrorMessages.EndpointBindingInvalid);
}
throw new NotImplementedException();
}
/// <summary>
/// Returns an instance of the class with meaningful default values set.
/// </summary>
/// <returns>The default <see cref="Saml20AuthnRequest"/>.</returns>
public static Saml20AuthnRequest GetDefault()
{
var config = Saml2Config.GetConfig();
var result = new Saml20AuthnRequest { Issuer = config.ServiceProvider.Id };
if (config.ServiceProvider.Endpoints.SignOnEndpoint.Binding != BindingType.NotSet)
{
var baseUrl = new Uri(config.ServiceProvider.Server);
result.AssertionConsumerServiceUrl = new Uri(baseUrl, config.ServiceProvider.Endpoints.SignOnEndpoint.LocalPath).ToString();
}
// Binding
switch (config.ServiceProvider.Endpoints.SignOnEndpoint.Binding)
{
case BindingType.Artifact:
result.Request.ProtocolBinding = Saml20Constants.ProtocolBindings.HttpArtifact;
break;
case BindingType.Post:
result.Request.ProtocolBinding = Saml20Constants.ProtocolBindings.HttpPost;
break;
case BindingType.Redirect:
result.Request.ProtocolBinding = Saml20Constants.ProtocolBindings.HttpRedirect;
break;
case BindingType.Soap:
result.Request.ProtocolBinding = Saml20Constants.ProtocolBindings.HttpSoap;
break;
}
// NameIDPolicy
if (config.ServiceProvider.NameIdFormats.Count > 0)
{
result.NameIdPolicy = new NameIdPolicy
{
AllowCreate = config.ServiceProvider.NameIdFormats.AllowCreate,
Format = config.ServiceProvider.NameIdFormats[0].Format
};
if (result.NameIdPolicy.Format != Saml20Constants.NameIdentifierFormats.Entity)
{
result.NameIdPolicy.SPNameQualifier = config.ServiceProvider.Id;
}
}
// RequestedAuthnContext
if (config.ServiceProvider.AuthenticationContexts.Count > 0)
{
result.RequestedAuthnContext = new RequestedAuthnContext();
switch (config.ServiceProvider.AuthenticationContexts.Comparison)
{
case AuthenticationContextComparison.Better:
result.RequestedAuthnContext.Comparison = AuthnContextComparisonType.Better;
result.RequestedAuthnContext.ComparisonSpecified = true;
break;
case AuthenticationContextComparison.Minimum:
result.RequestedAuthnContext.Comparison = AuthnContextComparisonType.Minimum;
result.RequestedAuthnContext.ComparisonSpecified = true;
break;
case AuthenticationContextComparison.Maximum:
result.RequestedAuthnContext.Comparison = AuthnContextComparisonType.Maximum;
result.RequestedAuthnContext.ComparisonSpecified = true;
break;
case AuthenticationContextComparison.Exact:
result.RequestedAuthnContext.Comparison = AuthnContextComparisonType.Exact;
result.RequestedAuthnContext.ComparisonSpecified = true;
break;
default:
result.RequestedAuthnContext.ComparisonSpecified = false;
break;
}
result.RequestedAuthnContext.Items = new string[config.ServiceProvider.AuthenticationContexts.Count];
result.RequestedAuthnContext.ItemsElementName = new Schema.Protocol.AuthnContextType[config.ServiceProvider.AuthenticationContexts.Count];
var count = 0;
foreach (var authenticationContext in config.ServiceProvider.AuthenticationContexts)
{
result.RequestedAuthnContext.Items[count] = authenticationContext.Context;
switch (authenticationContext.ReferenceType)
{
case "AuthnContextDeclRef":
result.RequestedAuthnContext.ItemsElementName[count] = Schema.Protocol.AuthnContextType.AuthnContextDeclRef;
break;
default:
result.RequestedAuthnContext.ItemsElementName[count] = Schema.Protocol.AuthnContextType.AuthnContextClassRef;
break;
}
count++;
}
}
// Restrictions
var audienceRestrictions = new List<ConditionAbstract>(1);
var audienceRestriction = new AudienceRestriction { Audience = new List<string>(1) { config.ServiceProvider.Id } };
audienceRestrictions.Add(audienceRestriction);
result.SetConditions(audienceRestrictions);
return result;
}
/// <summary>
/// Returns an instance of the class with meaningful default values set.
/// </summary>
/// <returns>The default <see cref="Saml20AuthnRequest"/>.</returns>
public static Saml20AuthnRequest GetDefault()
{
var config = Saml2Config.GetConfig();
var result = new Saml20AuthnRequest {
Issuer = config.ServiceProvider.Id
};
if (config.ServiceProvider.Endpoints.SignOnEndpoint.Binding != BindingType.NotSet)
{
var baseUrl = new Uri(config.ServiceProvider.Server);
result.AssertionConsumerServiceUrl = new Uri(baseUrl, config.ServiceProvider.Endpoints.SignOnEndpoint.LocalPath).ToString();
}
// Binding
switch (config.ServiceProvider.Endpoints.SignOnEndpoint.Binding)
{
case BindingType.Artifact:
result.Request.ProtocolBinding = Saml20Constants.ProtocolBindings.HttpArtifact;
break;
case BindingType.Post:
result.Request.ProtocolBinding = Saml20Constants.ProtocolBindings.HttpPost;
break;
case BindingType.Redirect:
result.Request.ProtocolBinding = Saml20Constants.ProtocolBindings.HttpRedirect;
break;
case BindingType.Soap:
result.Request.ProtocolBinding = Saml20Constants.ProtocolBindings.HttpSoap;
break;
}
// NameIDPolicy
if (config.ServiceProvider.NameIdFormats.Count > 0)
{
result.NameIdPolicy = new NameIdPolicy
{
AllowCreate = config.ServiceProvider.NameIdFormats.AllowCreate,
Format = config.ServiceProvider.NameIdFormats[0].Format
};
if (result.NameIdPolicy.Format != Saml20Constants.NameIdentifierFormats.Entity)
{
result.NameIdPolicy.SPNameQualifier = config.ServiceProvider.Id;
}
}
// RequestedAuthnContext
if (config.ServiceProvider.AuthenticationContexts.Count > 0)
{
result.RequestedAuthnContext = new RequestedAuthnContext();
switch (config.ServiceProvider.AuthenticationContexts.Comparison)
{
case AuthenticationContextComparison.Better:
result.RequestedAuthnContext.Comparison = AuthnContextComparisonType.Better;
result.RequestedAuthnContext.ComparisonSpecified = true;
break;
case AuthenticationContextComparison.Minimum:
result.RequestedAuthnContext.Comparison = AuthnContextComparisonType.Minimum;
result.RequestedAuthnContext.ComparisonSpecified = true;
break;
case AuthenticationContextComparison.Maximum:
result.RequestedAuthnContext.Comparison = AuthnContextComparisonType.Maximum;
result.RequestedAuthnContext.ComparisonSpecified = true;
break;
case AuthenticationContextComparison.Exact:
result.RequestedAuthnContext.Comparison = AuthnContextComparisonType.Exact;
result.RequestedAuthnContext.ComparisonSpecified = true;
break;
default:
result.RequestedAuthnContext.ComparisonSpecified = false;
break;
}
result.RequestedAuthnContext.Items = new string[config.ServiceProvider.AuthenticationContexts.Count];
result.RequestedAuthnContext.ItemsElementName = new Schema.Protocol.AuthnContextType[config.ServiceProvider.AuthenticationContexts.Count];
var count = 0;
foreach (var authenticationContext in config.ServiceProvider.AuthenticationContexts)
{
result.RequestedAuthnContext.Items[count] = authenticationContext.Context;
switch (authenticationContext.ReferenceType)
{
case "AuthnContextDeclRef":
result.RequestedAuthnContext.ItemsElementName[count] = Schema.Protocol.AuthnContextType.AuthnContextDeclRef;
break;
default:
result.RequestedAuthnContext.ItemsElementName[count] = Schema.Protocol.AuthnContextType.AuthnContextClassRef;
break;
}
count++;
}
}
// Restrictions
var audienceRestrictions = new List <ConditionAbstract>(1);
var audienceRestriction = new AudienceRestriction {
Audience = new List <string>(1)
{
config.ServiceProvider.Id
}
};
audienceRestrictions.Add(audienceRestriction);
result.SetConditions(audienceRestrictions);
return(result);
}
