public async Task <SignInResponse> GenerateSignInResponse(SignInRequest request) { if (request == null) { throw new ArgumentNullException(nameof(request)); } _logger.LogDebug("Creating signin response"); var rp = await _relyingPartyStore.GetByRealm(request.Realm); // create profile _logger.LogDebug("Calling user profile manager"); var outgoingSubject = await CreateUserProfileAsync(request); _logger.LogDebug("Creating security token"); // create token for user var token = await CreateSecurityTokenAsync(request, rp, outgoingSubject); var response = new SignInResponse { AppliesTo = request.Realm, Token = token }; return(response); }
public async Task Invoke(HttpContext context) { var segment = _options.WsFedEndpoint; if (context.Request.Path.StartsWithSegments(new PathString(segment), StringComparison.InvariantCultureIgnoreCase)) { _logger.LogInformation("Received WsFed Request. {0}", context.Request.QueryString.ToUriComponent()); if (!context.User.Identity.IsAuthenticated) { _logger.LogInformation("User is not authenticated. Redirecting to authentication provider"); var qs = context.Request.QueryString; var url = $"{context.Request.Scheme}://{context.Request.Host}{context.Request.PathBase}{segment}/{context.Request.QueryString}"; await context.ChallengeAsync(new AuthenticationProperties { RedirectUri = url }); return; } var message = WsFederationMessage.FromQueryString(context.Request.QueryString.ToUriComponent()); if (message.IsSignInMessage) { var relyingParty = await _relyingPartyStore.GetByRealm(message.Wtrealm); if (relyingParty == null) { _logger.LogWarning("No relying party found for realm {0}", message.Wtrealm); context.Response.StatusCode = (int)HttpStatusCode.BadRequest; await context.Response.WriteAsync($"The realm { message.Wtrealm} is not registered"); } _logger.LogWarning("Processing WsFed Sign In for realm {0}", message.Wtrealm); var output = await HandleSignIn(message, context, relyingParty.ReplyUrl); context.Response.ContentType = "text/html"; await context.Response.WriteAsync(output); return; } else if (message.IsSignOutMessage) { _logger.LogWarning("Processing WsFed Sign Out"); var output = await HandleSignOut(message, context); context.Response.ContentType = "text/html"; await context.Response.WriteAsync(output); return; } context.Response.StatusCode = (int)HttpStatusCode.BadRequest; await context.Response.WriteAsync($"Invalid Ws-Fed Request Message"); return; } await _next(context); }
public async Task Invoke(HttpContext context) { var segment = _options.Saml20Endpoint; var idpInitiatedSegment = $"{segment}/idpinitiated"; if (context.Request.Path.StartsWithSegments(new PathString(segment), StringComparison.InvariantCultureIgnoreCase)) { if (!( context.Request.Method.Equals("POST", StringComparison.InvariantCultureIgnoreCase) || context.Request.Method.Equals("GET", StringComparison.InvariantCultureIgnoreCase)) ) { context.Response.StatusCode = (int)HttpStatusCode.MethodNotAllowed; return; } _logger.LogInformation("Received SAML 2.0 Request. {0}", context.Request.QueryString.ToUriComponent()); if (context.Request.Path.StartsWithSegments(idpInitiatedSegment)) { if (!context.Request.Query.ContainsKey("realm")) { _logger.LogWarning("Invalid message. IDP Initiated with no realm"); context.Response.StatusCode = (int)HttpStatusCode.BadRequest; await context.Response.WriteAsync($"Invalid message. IDP Initiated with no realm"); return; } } else if ((context.Request.Method == "GET" && !context.Request.Query.ContainsKey("SAMLRequest")) || (context.Request.Method == "POST" && !context.Request.Form.ContainsKey("SAMLRequest"))) { _logger.LogWarning("Invalid message. It does not contain SAMLRequest"); context.Response.StatusCode = (int)HttpStatusCode.BadRequest; await context.Response.WriteAsync($"Invalid SAMLRequest Request Message"); return; } SamlRequestMessage message = null; if (context.Request.Path.StartsWithSegments(idpInitiatedSegment)) { message = new SamlRequestMessage( Guid.NewGuid().ToString(), context.Request.Query["realm"], context.Request.Query["relayState"], true); } else { if (context.Request.Method.Equals("GET", StringComparison.InvariantCultureIgnoreCase)) { var samlRequest = context.Request.Query["SAMLRequest"]; _logger.LogWarning("Processing SAMLRequest from GET"); message = SamlRequestMessage.CreateFromCompressedRequest(samlRequest, context.Request.Query["relayState"]); } else { var samlRequest = context.Request.Form["SAMLRequest"]; _logger.LogWarning("Processing SAMLRequest from POST"); message = SamlRequestMessage.CreateFromEncodedRequest(samlRequest, context.Request.Form["relayState"]); } } if (!context.User.Identity.IsAuthenticated) { _logger.LogInformation("User is not authenticated. Redirecting to authentication provider"); var qs = context.Request.QueryString; var url = $"{context.Request.Scheme}://{context.Request.Host}{context.Request.PathBase}{idpInitiatedSegment}/?realm={message.Issuer}&relayState={message.RelayState}"; await context.ChallengeAsync(new AuthenticationProperties { RedirectUri = url }); return; } var relyingParty = await _relyingPartyStore.GetByRealm(message.Issuer); if (relyingParty == null) { _logger.LogWarning("No relying party found for realm {0}", message.Issuer); context.Response.StatusCode = (int)HttpStatusCode.BadRequest; await context.Response.WriteAsync($"{message.Issuer} is not registered"); return; } var parameters = context.Request.Query.ToDictionary(q => q.Key, q => q.Value[0]); if (message.IsSignInMessage) { _logger.LogWarning("Processing SAML Sign In for relying party with realm {0}", message.Issuer); var output = await HandleSignIn(context, message, _options.IssuerName, parameters, relyingParty.ReplyUrl); context.Response.ContentType = "text/html"; await context.Response.WriteAsync(output); return; } else { _logger.LogWarning("Processing SAML Sign out for relying party with realm {0}", message.Issuer); var output = HandleSignOut(context, message, _options.IssuerName, parameters, relyingParty.LogoutUrl); context.Response.ContentType = "text/html"; await context.Response.WriteAsync(output); return; } } await _next(context); }