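        public void AcsCommand_Run_WithReturnUrl_SuccessfulResult_ClearSecureCookie()
        {
            // A successful response, received over https, for a request whose
            // state (including the return url) was stored; the result is expected
            // to flag the cookie it sets/clears as secure.
            var messageId = MethodBase.GetCurrentMethod().Name;

            var response =
                $@"<saml2p:Response xmlns:saml2p=""urn:oasis:names:tc:SAML:2.0:protocol""
                xmlns:saml2=""urn:oasis:names:tc:SAML:2.0:assertion""
                ID = ""{messageId}"" InResponseTo = ""InResponseToId"" Version=""2.0"" IssueInstant=""2013-01-01T00:00:00Z"">
                <saml2:Issuer>
                    https://idp.example.com
                </saml2:Issuer>
                <saml2p:Status>
                    <saml2p:StatusCode Value=""urn:oasis:names:tc:SAML:2.0:status:Success"" />
                </saml2p:Status>
                <saml2:Assertion
                Version=""2.0"" ID=""{messageId}_Assertion2""
                IssueInstant=""2013-09-25T00:00:00Z"">
                    <saml2:Issuer>https://idp.example.com</saml2:Issuer>
                    <saml2:Subject>
                        <saml2:NameID>SomeUser</saml2:NameID>
                        <saml2:SubjectConfirmation Method=""urn:oasis:names:tc:SAML:2.0:cm:bearer"" />
                    </saml2:Subject>
                    <saml2:Conditions NotOnOrAfter=""2100-01-01T00:00:00Z"" />
                </saml2:Assertion>
            </saml2p:Response>";

            // The response is signed by the test helper; presumably this is what lets
            // AcsCommand's signature validation accept it (see the helper for the key used).
            var responseFormValue = Convert.ToBase64String(
                Encoding.UTF8.GetBytes(SignedXmlHelper.SignXml(response)));
            var relayStateFormValue = "rs1234";

            var formData = new KeyValuePair<string, IEnumerable<string>>[]
            {
                new KeyValuePair<string, IEnumerable<string>>("SAMLResponse", new string[] { responseFormValue }),
                new KeyValuePair<string, IEnumerable<string>>("RelayState", new string[] { relayStateFormValue })
            };

            // Stored request state: the InResponseTo of the response above must match
            // this Saml2Id, and the return url comes from here rather than from SPOptions.
            var storedRequestState = new StoredRequestState(
                new EntityId("https://idp.example.com"),
                new Uri("http://localhost/testUrl.aspx"),
                new Saml2Id("InResponseToId"),
                null);

            // Note the https request url; the secure flag asserted below is presumably
            // derived from it - confirm against AcsCommand.
            var r = new HttpRequestData(
                "POST",
                new Uri("https://localhost"),
                "/ModulePath",
                formData,
                storedRequestState);

            var options = StubFactory.CreateOptions();

            // No SP-level return url, so the stored request state is the only source of one.
            options.SPOptions.ReturnUrl = null;

            var actual = new AcsCommand().Run(r, options);

            actual.SetCookieSecureFlag.Should().BeTrue();
        }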
        public void AcsCommand_Run_UsesBindingFromNotification()
        {
            // The GetBinding notification hands back a stub binding; Run is expected
            // to use it, which surfaces as the stub's NotImplementedException.
            var options = StubFactory.CreateOptions();
            options.Notifications.GetBinding = request => new StubSaml2Binding();

            var command = new AcsCommand();

            command
                .Invoking(c => c.Run(new HttpRequestData("GET", new Uri("http://host")), options))
                .ShouldThrow<NotImplementedException>()
                .WithMessage("StubSaml2Binding.*");
        }
        public void AcsCommand_Run_SessionNotOnOrAfterNullIfNotSpecifiedInResponse()
        {
            // The AuthnStatement below carries no SessionNotOnOrAfter attribute, so the
            // command result is expected to report no value for it.
            var responseId = MethodBase.GetCurrentMethod().Name;

            var samlResponse =
                $@"<saml2p:Response xmlns:saml2p=""urn:oasis:names:tc:SAML:2.0:protocol""
                xmlns:saml2=""urn:oasis:names:tc:SAML:2.0:assertion""
                ID = ""{responseId}"" Version=""2.0"" IssueInstant=""2013-01-01T00:00:00Z"">
                <saml2:Issuer>
                    https://idp.example.com
                </saml2:Issuer>
                <saml2p:Status>
                    <saml2p:StatusCode Value=""urn:oasis:names:tc:SAML:2.0:status:Success"" />
                </saml2p:Status>
                <saml2:Assertion
                Version=""2.0"" ID=""{responseId}_Assertion""
                IssueInstant=""2013-09-25T00:00:00Z"">
                    <saml2:Issuer>https://idp.example.com</saml2:Issuer>
                    <saml2:Subject>
                        <saml2:NameID>SomeUser</saml2:NameID>
                        <saml2:SubjectConfirmation Method=""urn:oasis:names:tc:SAML:2.0:cm:bearer"" />
                    </saml2:Subject>
                    <saml2:Conditions NotOnOrAfter=""2100-01-01T00:00:00Z"" />
                    <saml2:AuthnStatement AuthnInstant=""{DateTime.UtcNow.ToSaml2DateTimeString()}"">
                        <saml2:AuthnContext>
                            <saml2:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml2:AuthnContextClassRef>
                        </saml2:AuthnContext>
                    </saml2:AuthnStatement>
                </saml2:Assertion>
            </saml2p:Response>";

            // Sign with the test helper before base64-encoding it as the form value.
            var signedXml = SignedXmlHelper.SignXml(samlResponse);
            var encodedResponse = Convert.ToBase64String(Encoding.UTF8.GetBytes(signedXml));

            var formData = new KeyValuePair<string, string[]>[]
            {
                new KeyValuePair<string, string[]>("SAMLResponse", new string[] { encodedResponse })
            };

            // No stored request state is supplied (unsolicited response scenario, presumably).
            var request = new HttpRequestData(
                "POST",
                new Uri("http://localhost"),
                "/ModulePath",
                formData,
                null);

            var options = StubFactory.CreateOptions();

            var command = new AcsCommand();
            var result = command.Run(request, options);

            result.SessionNotOnOrAfter.Should().NotHaveValue();
        }
        public void AcsCommand_Run_UsesIdpFromNotification()
        {
            // The response is issued by an IdP that the GetIdentityProvider notification
            // resolves at run time; the notification also sees the relay data from the
            // stored request state, and the resulting claims carry that issuer.
            var responseId = MethodBase.GetCurrentMethod().Name;

            var samlResponse =
                $@"<saml2p:Response xmlns:saml2p=""urn:oasis:names:tc:SAML:2.0:protocol""
                xmlns:saml2=""urn:oasis:names:tc:SAML:2.0:assertion""
                ID = ""{responseId}"" Version=""2.0"" InResponseTo=""InResponseToID"" IssueInstant=""2013-01-01T00:00:00Z"">
                <saml2:Issuer>
                    https://other.idp.example.com
                </saml2:Issuer>
                <saml2p:Status>
                    <saml2p:StatusCode Value=""urn:oasis:names:tc:SAML:2.0:status:Success"" />
                </saml2p:Status>
                <saml2:Assertion
                Version=""2.0"" ID=""{responseId}_Assertion""
                IssueInstant=""2013-09-25T00:00:00Z"">
                    <saml2:Issuer>https://other.idp.example.com</saml2:Issuer>
                    <saml2:Subject>
                        <saml2:NameID>SomeUser</saml2:NameID>
                        <saml2:SubjectConfirmation Method=""urn:oasis:names:tc:SAML:2.0:cm:bearer"" />
                    </saml2:Subject>
                    <saml2:Conditions NotOnOrAfter=""2100-01-01T00:00:00Z"" />
                    <saml2:AuthnStatement AuthnInstant=""{DateTime.UtcNow.ToSaml2DateTimeString()}"">
                        <saml2:AuthnContext>
                            <saml2:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml2:AuthnContextClassRef>
                        </saml2:AuthnContext>
                    </saml2:AuthnStatement>
                </saml2:Assertion>
            </saml2p:Response>";

            var signedXml = SignedXmlHelper.SignXml(samlResponse);
            var encodedResponse = Convert.ToBase64String(Encoding.UTF8.GetBytes(signedXml));

            var relayState = new Dictionary<string, string>
            {
                { "key", "value" }
            };

            var formData = new KeyValuePair<string, IEnumerable<string>>[]
            {
                new KeyValuePair<string, IEnumerable<string>>("SAMLResponse", new string[] { encodedResponse })
            };

            // InResponseToID matches the response above; relayState is what the
            // notification is expected to receive.
            var storedRequestState = new StoredRequestState(
                new EntityId("https://other.idp.example.com"),
                new Uri("http://localhost/testUrl.aspx"),
                new Saml2Id("InResponseToID"),
                relayState);

            var request = new HttpRequestData(
                "POST",
                new Uri("http://localhost"),
                "/ModulePath",
                formData,
                storedRequestState);

            var options = StubFactory.CreateOptions();

            options.Notifications.GetIdentityProvider = (entityId, relayData, unusedOptions) =>
            {
                entityId.Id.Should().Be("https://other.idp.example.com");
                relayData["key"].Should().Be("value");

                var identityProvider = new IdentityProvider(new EntityId("https://other.idp.example.com"), options.SPOptions);

                // The IdP returned here must trust the certificate the response was signed with.
                identityProvider.SigningKeys.AddConfiguredKey(SignedXmlHelper.TestCert);

                return identityProvider;
            };

            var command = new AcsCommand();
            var result = command.Run(request, options);

            result.Principal.Claims.First().Issuer.Should().Be("https://other.idp.example.com");
        }