public override void WriteContent(XmlDictionaryWriter writer, SecurityKeyIdentifierClause clause)
{
SamlAssertionKeyIdentifierClause samlClause = clause as SamlAssertionKeyIdentifierClause;
if (!string.IsNullOrEmpty(samlClause.Binding) || !string.IsNullOrEmpty(samlClause.Location) || !string.IsNullOrEmpty(samlClause.AuthorityKind))
{
writer.WriteStartElement(XD.SamlDictionary.PreferredPrefix.Value, XD.SamlDictionary.AuthorityBinding, XD.SecurityJan2004Dictionary.SamlUri);
if (!string.IsNullOrEmpty(samlClause.Binding))
{
writer.WriteAttributeString(XD.SamlDictionary.Binding, null, samlClause.Binding);
}
if (!string.IsNullOrEmpty(samlClause.Location))
{
writer.WriteAttributeString(XD.SamlDictionary.Location, null, samlClause.Location);
}
if (!string.IsNullOrEmpty(samlClause.AuthorityKind))
{
writer.WriteAttributeString(XD.SamlDictionary.AuthorityKind, null, samlClause.AuthorityKind);
}
writer.WriteEndElement();
}
writer.WriteStartElement(XD.SecurityJan2004Dictionary.Prefix.Value, XD.SecurityJan2004Dictionary.KeyIdentifier, XD.SecurityJan2004Dictionary.Namespace);
string valueType = string.IsNullOrEmpty(samlClause.ValueType) ? XD.SecurityJan2004Dictionary.SamlAssertionIdValueType.Value : samlClause.ValueType;
writer.WriteAttributeString(XD.SecurityJan2004Dictionary.ValueType, null, valueType);
writer.WriteString(samlClause.AssertionId);
writer.WriteEndElement();
}
public override bool Matches(SecurityKeyIdentifierClause keyIdentifierClause)
{
SamlAssertionKeyIdentifierClause that = keyIdentifierClause as SamlAssertionKeyIdentifierClause;
// PreSharp Bug: Parameter 'that' to this public method must be validated: A null-dereference can occur here.
#pragma warning suppress 56506
return(ReferenceEquals(this, that) || (that != null && that.Matches(this.assertionId)));
}
public override bool Matches(SecurityKeyIdentifierClause keyIdentifierClause)
{
SamlAssertionKeyIdentifierClause that = keyIdentifierClause as SamlAssertionKeyIdentifierClause;
// PreSharp
#pragma warning suppress 56506
return(ReferenceEquals(this, that) || (that != null && that.Matches(this.assertionId)));
}
public override bool MatchesKeyIdentifierClause(SecurityKeyIdentifierClause keyIdentifierClause)
{
SamlAssertionKeyIdentifierClause samlKeyIdentifierClause = keyIdentifierClause as SamlAssertionKeyIdentifierClause;
if (samlKeyIdentifierClause != null)
{
return(samlKeyIdentifierClause.Matches(this.Id));
}
return(false);
}
public override bool SupportsCore(SecurityKeyIdentifierClause clause)
{
if (typeof(SamlAssertionKeyIdentifierClause).IsAssignableFrom(clause.GetType()))
{
SamlAssertionKeyIdentifierClause samlclause = clause as SamlAssertionKeyIdentifierClause;
if ((samlclause.TokenTypeUri == null) || (samlclause.TokenTypeUri == this.GetTokenTypeUri()))
{
return(true);
}
}
return(false);
}
private static void ParseValues(JsonNotifyRequestSecurityTokenResponse rstr)
{
rstr.ValidFrom = ulong.Parse(rstr.Created).ToDateTimeFromEpoch();
rstr.ValidTo = ulong.Parse(rstr.Expires).ToDateTimeFromEpoch();
rstr.SecurityTokenString = HttpUtility.HtmlDecode(rstr.SecurityTokenString);
var xml = XElement.Parse(rstr.SecurityTokenString);
string idAttribute = "";
switch (rstr.TokenType)
{
case SecurityTokenTypes.Saml11:
idAttribute = "AssertionID";
break;
case SecurityTokenTypes.Saml2:
idAttribute = "ID";
break;
}
if (rstr.TokenType == SecurityTokenTypes.Saml11 || rstr.TokenType == SecurityTokenTypes.Saml2)
{
var tokenId = xml.Attribute(idAttribute);
var xmlElement = xml.ToXmlElement();
SecurityKeyIdentifierClause clause = null;
if (tokenId != null)
{
clause = new SamlAssertionKeyIdentifierClause(tokenId.Value);
}
rstr.SecurityToken = new GenericXmlSecurityToken(
xmlElement,
null,
rstr.ValidFrom,
rstr.ValidTo,
clause,
clause,
new ReadOnlyCollection<IAuthorizationPolicy>(new List<IAuthorizationPolicy>()));
}
else if (rstr.TokenType == SecurityTokenTypes.SWT)
{
rstr.SecurityTokenString = Encoding.UTF8.GetString(Convert.FromBase64String(xml.Value));
}
}
/// <summary>
/// Indicates whether the <see cref="SecurityKeyIdentifierClause"/> for an assertion matches the specified <see cref="SecurityKeyIdentifierClause"/>.
/// </summary>
/// <param name="assertionId">Id of the assertion</param>
/// <param name="keyIdentifierClause">A <see cref="SecurityKeyIdentifierClause"/> to match.</param>
/// <returns>'True' if the keyIdentifier matches this. 'False' otherwise.</returns>
public static bool Matches(string assertionId, SecurityKeyIdentifierClause keyIdentifierClause)
{
if (string.IsNullOrEmpty(assertionId))
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("assertionId");
}
if (null == keyIdentifierClause)
{
return(false);
}
// Prefer our own type
Saml2AssertionKeyIdentifierClause saml2Clause = keyIdentifierClause as Saml2AssertionKeyIdentifierClause;
if (null != saml2Clause && StringComparer.Ordinal.Equals(assertionId, saml2Clause.Id))
{
return(true);
}
// For compatibility, match against the old WCF type.
// WCF will read SAML2-based key identifier clauses if our
// SecurityTokenSerializer doesn't get the chance. Unfortunately,
// the TokenTypeUri and ValueType properties are internal, so
// we can't check if they're for SAML2 or not. We're just going
// to go with the fact that SAML Assertion IDs, in both versions,
// are supposed to be sufficiently random as to not intersect.
// So, if the AssertionID matches our Id, we'll say that's good
// enough.
SamlAssertionKeyIdentifierClause wcfClause = keyIdentifierClause as SamlAssertionKeyIdentifierClause;
if (null != wcfClause && StringComparer.Ordinal.Equals(assertionId, wcfClause.AssertionId))
{
return(true);
}
// Out of options.
return(false);
}
void WriteSamlAssertionKeyIdentifierClause (XmlWriter w, SamlAssertionKeyIdentifierClause ic)
{
w.WriteStartElement ("o", "SecurityTokenReference", Constants.WssNamespace);
w.WriteStartElement ("o", "KeyIdentifier", Constants.WssNamespace);
w.WriteAttributeString ("ValueType", Constants.WssKeyIdentifierSamlAssertion);
w.WriteString (ic.AssertionId);
w.WriteEndElement ();
w.WriteEndElement ();
}
public override bool MatchesKeyIdentifierClause(SecurityKeyIdentifierClause keyIdentifierClause)
{
SamlAssertionKeyIdentifierClause clause = keyIdentifierClause as SamlAssertionKeyIdentifierClause;
return((clause != null) && clause.Matches(this.Id));
}
public override bool Matches(SecurityKeyIdentifierClause keyIdentifierClause)
{
SamlAssertionKeyIdentifierClause objB = keyIdentifierClause as SamlAssertionKeyIdentifierClause;
return(object.ReferenceEquals(this, objB) || ((objB != null) && objB.Matches(this.assertionId)));
}
protected override SecurityToken GetTokenCore(TimeSpan timeout)
{
Collection<XmlElement> reqParams = new Collection<XmlElement>();
foreach (XmlElement param in tokenRequirement.AdditionalRequestParameters)
{
if (param.NamespaceURI == "urn:oasis:names:tc:SAML:1.0:assertion")
{
reqParams.Add(param);
}
}
ISessionCache cache = (ISessionCache) Activator.CreateInstance(clientCredentials.Cache, clientCredentials.Config);
//Check the cache for existing session.
String id;
List<String> idSort;
id = clientCredentials.ClientCertificate.Certificate.Thumbprint + ";";
id += clientCredentials.Session.Thumbprint + ";";
idSort = new List<string>();
foreach (XmlElement reqParam in reqParams)
{
String val;
val = "{" + reqParam.GetAttribute("AttributeNamespace") + "}";
val += reqParam.GetAttribute("AttributeName");
val += "=";
val += reqParam.GetElementsByTagName("AttributeValue", "urn:oasis:names:tc:SAML:1.0:assertion")[0].InnerText;
val += ";";
idSort.Add(val);
}
idSort.Sort();
foreach (String val in idSort)
{
id += val;
}
idSort = new List<string>();
foreach (ClaimTypeRequirement req in tokenRequirement.ClaimTypeRequirements)
{
String val = req.ClaimType + ";";
idSort.Add(val);
}
idSort.Sort();
foreach (String val in idSort)
{
id += val;
}
XmlNamespaceManager nsmngr = null;
DateTime notOnOrAfter = DateTime.MinValue;
//Get the value from the cache
XmlElement assertion = cache.Get(id);
//If cache had a result, check if it is still valid
if (assertion != null)
{
nsmngr = new XmlNamespaceManager(assertion.OwnerDocument.NameTable);
nsmngr.AddNamespace("saml", "urn:oasis:names:tc:SAML:1.0:assertion");
notOnOrAfter = DateTime.Parse(assertion.SelectSingleNode("saml:Conditions/@NotOnOrAfter", nsmngr).Value, null, DateTimeStyles.RoundtripKind);
if (notOnOrAfter < DateTime.UtcNow)
{
assertion = null;
cache.Remove(id);
}
}
//If the cache wasn't successful, create new.
if (assertion == null)
{
//Get a new assertion token for the session
StsClient target = new StsClient(tokenRequirement.IssuerBinding, tokenRequirement.IssuerAddress);
target.Endpoint.Behaviors.Remove<ClientCredentials>();
target.Endpoint.Behaviors.Add(new OptClientCredentials());
target.ClientCredentials.ClientCertificate.Certificate = clientCredentials.ClientCertificate.Certificate;
target.InnerChannel.OperationTimeout = timeout;
assertion = target.RequestTicket("Anonymous", clientCredentials.Session, clientCredentials.Duration, reqParams, tokenRequirement.ClaimTypeRequirements);
nsmngr = new XmlNamespaceManager(assertion.OwnerDocument.NameTable);
nsmngr.AddNamespace("saml", "urn:oasis:names:tc:SAML:1.0:assertion");
notOnOrAfter = DateTime.Parse(assertion.SelectSingleNode("saml:Conditions/@NotOnOrAfter", nsmngr).Value, null, DateTimeStyles.RoundtripKind);
cache.Add(id, assertion, notOnOrAfter);
}
//Get some date from the assertion token
DateTime notBefore = DateTime.Parse(assertion.SelectSingleNode("saml:Conditions/@NotBefore", nsmngr).Value, null, DateTimeStyles.RoundtripKind);
String assertionId = assertion.SelectSingleNode("@AssertionID", nsmngr).Value;
// Create a KeyIdentifierClause for the SamlSecurityToken
SamlAssertionKeyIdentifierClause samlKeyIdentifierClause = new SamlAssertionKeyIdentifierClause(assertionId);
return new GenericXmlSecurityToken(assertion, new X509SecurityToken(clientCredentials.Session), notBefore, notOnOrAfter, samlKeyIdentifierClause, samlKeyIdentifierClause, null);
}
