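/// <summary>
/// Builds a 303 redirect to the configured SAML discovery service (DS). The DS is
/// asked to send the user back to our sign-in endpoint with the selected IdP in
/// the <c>idp</c> query parameter (<c>returnIDParam=idp</c>).
/// </summary>
/// <param name="returnPath">Application path to continue to after sign in; may be
/// null or empty. It is caller-supplied data and is percent-encoded before use.</param>
/// <param name="spOptions">Service provider options; supplies the DS URL and our entity id.</param>
/// <param name="authServicesUrls">Resolved module URLs; supplies the sign-in URL the DS returns to.</param>
/// <returns>A <see cref="CommandResult"/> with 303 See Other and the DS request as location.</returns>
/// <exception cref="ArgumentNullException">If <paramref name="spOptions"/> or
/// <paramref name="authServicesUrls"/> is null.</exception>
private static CommandResult RedirectToDiscoveryService(
    string returnPath,
    ISPOptions spOptions,
    AuthServicesUrls authServicesUrls)
{
    if (spOptions == null)
    {
        throw new ArgumentNullException(nameof(spOptions));
    }
    if (authServicesUrls == null)
    {
        throw new ArgumentNullException(nameof(authServicesUrls));
    }

    // The "return" URL handed to the DS is our own sign-in endpoint; the caller's
    // return path rides inside it as a ReturnUrl parameter. Encoding it here keeps
    // it from injecting extra parameters into either URL. Whether the path is an
    // acceptable redirect target is not decided in this method.
    string returnUrl = authServicesUrls.SignInUrl.OriginalString;
    if (!string.IsNullOrEmpty(returnPath))
    {
        returnUrl += "?ReturnUrl=" + Uri.EscapeDataString(returnPath);
    }

    // A DS URL that already carries a query string must be extended with '&';
    // appending a second '?' would hand the DS a malformed query.
    var discoveryServiceUrl = spOptions.DiscoveryServiceUrl;
    var separator =
        discoveryServiceUrl.IsAbsoluteUri && !string.IsNullOrEmpty(discoveryServiceUrl.Query)
        ? "&"
        : "?";

    var redirectLocation = string.Format(
        CultureInfo.InvariantCulture,
        "{0}{1}entityID={2}&return={3}&returnIDParam=idp",
        discoveryServiceUrl,
        separator,
        Uri.EscapeDataString(spOptions.EntityId.Id),
        Uri.EscapeDataString(returnUrl));

    return new CommandResult()
    {
        HttpStatusCode = HttpStatusCode.SeeOther,
        Location = new Uri(redirectLocation)
    };
}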
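/// <summary>
/// Builds a 303 redirect that sends the browser to the SAML discovery service (DS).
/// The DS is told to return to our sign-in endpoint and to report the chosen IdP
/// in the <c>idp</c> query parameter.
/// </summary>
/// <param name="returnPath">Application path to continue to after sign in; may be
/// null or empty. Caller-supplied; it is percent-encoded before being embedded.</param>
/// <param name="spOptions">Service provider options; supplies the DS URL and our entity id.</param>
/// <param name="authServicesUrls">Resolved module URLs; supplies the sign-in URL.</param>
/// <returns>A <see cref="CommandResult"/> with 303 See Other and the DS request as location.</returns>
/// <exception cref="ArgumentNullException">If <paramref name="spOptions"/> or
/// <paramref name="authServicesUrls"/> is null.</exception>
private static CommandResult RedirectToDiscoveryService(
    string returnPath,
    ISPOptions spOptions,
    AuthServicesUrls authServicesUrls)
{
    if (spOptions == null)
    {
        throw new ArgumentNullException(nameof(spOptions));
    }
    if (authServicesUrls == null)
    {
        throw new ArgumentNullException(nameof(authServicesUrls));
    }

    // Our sign-in URL, optionally carrying the caller's return path. The path is
    // encoded so it cannot add parameters of its own; whether it is a safe
    // redirect target is checked elsewhere, not here.
    var signInUrl = authServicesUrls.SignInUrl.OriginalString;
    var returnUrl = string.IsNullOrEmpty(returnPath)
        ? signInUrl
        : signInUrl + "?ReturnUrl=" + Uri.EscapeDataString(returnPath);

    // Extend an existing query with '&'; only start one with '?' when the DS URL
    // has none. A second '?' would produce a malformed request.
    var dsUrl = spOptions.DiscoveryServiceUrl;
    var hasQuery = dsUrl.IsAbsoluteUri && !string.IsNullOrEmpty(dsUrl.Query);

    var dsRequest = string.Format(
        CultureInfo.InvariantCulture,
        "{0}{1}entityID={2}&return={3}&returnIDParam=idp",
        dsUrl,
        hasQuery ? "&" : "?",
        Uri.EscapeDataString(spOptions.EntityId.Id),
        Uri.EscapeDataString(returnUrl));

    var result = new CommandResult()
    {
        HttpStatusCode = HttpStatusCode.SeeOther,
        Location = new Uri(dsRequest)
    };
    return result;
}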
/// <summary>
/// Creates an identity provider from a configuration element and, when
/// <c>LoadMetadata</c> is configured, fetches its metadata right away.
/// </summary>
/// <param name="config">Configuration element describing the IdP.</param>
/// <param name="spOptions">Options of the service provider this IdP is registered with.</param>
internal IdentityProvider(IdentityProviderElement config, ISPOptions spOptions)
{
    singleSignOnServiceUrl = config.DestinationUrl;
    EntityId = new EntityId(config.EntityId);
    binding = config.Binding;
    AllowUnsolicitedAuthnResponse = config.AllowUnsolicitedAuthnResponse;
    metadataUrl = config.MetadataUrl;
    LoadMetadata = config.LoadMetadata;
    this.spOptions = spOptions;

    // Only the public key of the configured certificate is kept. Judging by the
    // field name it is what IdP signatures are checked against; the use site is
    // outside this block.
    var certificate = config.SigningCertificate.LoadCertificate();
    if (certificate != null)
    {
        signingKey = certificate.PublicKey.Key;
    }

    try
    {
        if (LoadMetadata)
        {
            DoLoadMetadata();
        }
        // Validate() is inside the try, so a failed metadata load also skips
        // validation for now. NOTE(review): assumes the automatic retry
        // validates again once the load succeeds - confirm.
        Validate();
    }
    catch (WebException)
    {
        // If we had a web exception, the metadata failed. It will
        // be automatically retried.
    }
}
/// <summary>
/// Creates an identity provider from a configuration element. Configured values
/// are applied first; assigning <c>LoadMetadata</c> afterwards may trigger an
/// immediate metadata load.
/// </summary>
/// <param name="config">Configuration element describing the IdP.</param>
/// <param name="spOptions">Options of the service provider this IdP is registered with.</param>
internal IdentityProvider(IdentityProviderElement config, ISPOptions spOptions)
{
    singleSignOnServiceUrl = config.SignOnUrl;
    SingleLogoutServiceUrl = config.LogoutUrl;
    EntityId = new EntityId(config.EntityId);
    binding = config.Binding;
    AllowUnsolicitedAuthnResponse = config.AllowUnsolicitedAuthnResponse;
    // An empty MetadataLocation in config is normalised to null.
    metadataLocation = string.IsNullOrEmpty(config.MetadataLocation) ? null : config.MetadataLocation;
    WantAuthnRequestsSigned = config.WantAuthnRequestsSigned;

    // The configured signing certificate is registered as a raw-data key
    // identifier clause. The method name suggests the collection keeps
    // configured keys apart from keys loaded from metadata.
    var certificate = config.SigningCertificate.LoadCertificate();
    if (certificate != null)
    {
        signingKeys.AddConfiguredKey(
            new X509RawDataKeyIdentifierClause(certificate));
    }

    // Artifact resolution endpoints, keyed by their configured index.
    foreach (var ars in config.ArtifactResolutionServices)
    {
        ArtifactResolutionServiceUrls[ars.Index] = ars.Location;
    }

    // If configured to load metadata, this will immediately do the load.
    // NOTE(review): this.spOptions is assigned on the following line, i.e. after
    // the load may already have run - confirm the load path does not read it.
    LoadMetadata = config.LoadMetadata;
    this.spOptions = spOptions;

    // Validate if values are only from config. If metadata is loaded, validation
    // is done on metadata load.
    if (!LoadMetadata)
    {
        Validate();
    }
}
/// <summary>
/// Creates an identity provider from a configuration element. Configured values
/// are applied first, then <c>LoadMetadata</c> is set, which may trigger an
/// immediate metadata load.
/// </summary>
/// <param name="config">Configuration element describing the IdP.</param>
/// <param name="spOptions">Options of the service provider this IdP is registered with.</param>
internal IdentityProvider(IdentityProviderElement config, ISPOptions spOptions)
{
    singleSignOnServiceUrl = config.DestinationUrl;
    EntityId = new EntityId(config.EntityId);
    binding = config.Binding;
    AllowUnsolicitedAuthnResponse = config.AllowUnsolicitedAuthnResponse;
    metadataUrl = config.MetadataUrl;

    // Only the public key of the configured certificate is registered; it is
    // added as a "configured" item so it stays distinct from keys that
    // metadata may later contribute.
    var configuredCertificate = config.SigningCertificate.LoadCertificate();
    if (configuredCertificate != null)
    {
        var configuredKey = configuredCertificate.PublicKey.Key;
        signingKeys.AddConfiguredItem(configuredKey);
    }

    // Assigning LoadMetadata may start the load immediately, which is why the
    // configured values are already in place at this point. Note that
    // this.spOptions is still unassigned while that happens.
    LoadMetadata = config.LoadMetadata;
    this.spOptions = spOptions;

    // Values that come only from config are validated here; when metadata is
    // loaded, validation is expected to happen as part of that load instead.
    if (!LoadMetadata)
    {
        Validate();
    }
}
/// <summary>
/// Creates an identity provider from a configuration element. Configured values
/// are applied first; assigning <c>LoadMetadata</c> may trigger an immediate
/// metadata load, after which the configured signing certificate is added.
/// </summary>
/// <param name="config">Configuration element describing the IdP.</param>
/// <param name="spOptions">Options of the service provider this IdP is registered with.</param>
internal IdentityProvider(IdentityProviderElement config, ISPOptions spOptions)
{
    singleSignOnServiceUrl = config.DestinationUrl;
    EntityId = new EntityId(config.EntityId);
    binding = config.Binding;
    AllowUnsolicitedAuthnResponse = config.AllowUnsolicitedAuthnResponse;
    metadataUrl = config.MetadataUrl;
    ShowNameIdPolicy = config.ShowNameIdPolicy;

    // If configured to load metadata, this will immediately do the load.
    // VerifyCertificate is set before LoadMetadata, presumably because the load
    // reads it (what exactly it verifies is not visible here).
    // NOTE(review): this.spOptions is assigned after LoadMetadata - confirm the
    // load path does not depend on it.
    VerifyCertificate = config.VerifyCertificate;
    LoadMetadata = config.LoadMetadata;
    this.spOptions = spOptions;

    // Certificates from metadata already present, add eventual other certificates
    // from web.config.
    // NOTE(review): a brand-new collection is assigned here, which looks like it
    // would discard any keys the metadata load above placed in signingKeys,
    // contradicting the comment - confirm whether signingKeys is still unset at
    // this point or whether loaded keys live elsewhere.
    var certificate = config.SigningCertificate.LoadCertificate();
    if (certificate != null)
    {
        signingKeys = new ConfiguredAndLoadedCollection<AsymmetricAlgorithm>();
        signingKeys.AddConfiguredItem(certificate.PublicKey.Key);
    }

    // Validate if values are only from config. If metadata is loaded, validation
    // is done on metadata load.
    if (!LoadMetadata)
    {
        Validate();
    }
}
/// <summary>
/// Register the configured service certificates: every entry of this collection
/// is wrapped in a <see cref="ServiceCertificate"/> and appended to
/// <c>options.ServiceCertificates</c>.
/// </summary>
/// <param name="options">Current options that receive the certificates.</param>
/// <exception cref="ArgumentNullException">If <paramref name="options"/> is null.</exception>
public void RegisterServiceCertificates(ISPOptions options)
{
    if (options == null)
    {
        throw new ArgumentNullException(nameof(options));
    }

    foreach (var entry in this)
    {
        var serviceCertificate = new ServiceCertificate(entry);
        options.ServiceCertificates.Add(serviceCertificate);
    }
}
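/// <summary>
/// Creates the module URLs from the application root of the incoming request and
/// the configured module path.
/// </summary>
/// <param name="request">Request data; its <c>ApplicationUrl</c> is the base for all URLs.</param>
/// <param name="spOptions">Service provider options; supplies the module path.</param>
/// <exception cref="ArgumentNullException">If <paramref name="request"/> or
/// <paramref name="spOptions"/> is null.</exception>
public AuthServicesUrls(HttpRequestData request, ISPOptions spOptions)
{
    // nameof keeps the parameter name in the exception in sync with renames;
    // the resulting message is the same as with the former string literals.
    if (request == null)
    {
        throw new ArgumentNullException(nameof(request));
    }

    if (spOptions == null)
    {
        throw new ArgumentNullException(nameof(spOptions));
    }

    Init(request.ApplicationUrl, spOptions.ModulePath);
}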
/// <summary>
/// Creates the module URLs from the application root of the incoming request and
/// the configured module path.
/// </summary>
/// <param name="request">Request data; its <c>ApplicationUrl</c> is the base for all URLs.</param>
/// <param name="spOptions">Service provider options; supplies the module path.</param>
/// <exception cref="ArgumentNullException">If <paramref name="request"/> or
/// <paramref name="spOptions"/> is null.</exception>
public AuthServicesUrls(HttpRequestData request, ISPOptions spOptions)
{
    if (request == null)
    {
        throw new ArgumentNullException(nameof(request));
    }

    if (spOptions == null)
    {
        throw new ArgumentNullException(nameof(spOptions));
    }

    var applicationUrl = request.ApplicationUrl;
    var modulePath = spOptions.ModulePath;
    Init(applicationUrl, modulePath);
}
/// <summary>
/// Creates a token handler whose configuration takes the audience restriction
/// from <see cref="GetAudienceRestriction"/> and the bootstrap-context setting
/// from the SP's System.IdentityModel configuration.
/// </summary>
/// <param name="spOptions">Service provider options.</param>
/// <exception cref="ArgumentNullException">If <paramref name="spOptions"/> is null.</exception>
public Saml2PSecurityTokenHandler(ISPOptions spOptions)
{
    if (spOptions == null)
    {
        throw new ArgumentNullException(nameof(spOptions));
    }

    var handlerConfiguration = new SecurityTokenHandlerConfiguration();
    handlerConfiguration.IssuerNameRegistry = new ReturnRequestedIssuerNameRegistry();
    // Either the configured restriction or one built around our entity id.
    handlerConfiguration.AudienceRestriction = GetAudienceRestriction(spOptions);
    handlerConfiguration.SaveBootstrapContext =
        spOptions.SystemIdentityModelIdentityConfiguration.SaveBootstrapContext;

    Configuration = handlerConfiguration;
}
/// <summary>
/// Creates the module URLs from the application root of the incoming request and
/// the service provider options (the <c>Init(Uri, ISPOptions)</c> overload decides
/// which origin is used).
/// </summary>
/// <param name="request">Request data; its <c>ApplicationUrl</c> is the request-derived base.</param>
/// <param name="spOptions">Service provider options.</param>
/// <exception cref="ArgumentNullException">If <paramref name="request"/> or
/// <paramref name="spOptions"/> is null.</exception>
public AuthServicesUrls(HttpRequestData request, ISPOptions spOptions)
{
    if (request == null)
    {
        throw new ArgumentNullException(nameof(request));
    }

    if (spOptions == null)
    {
        throw new ArgumentNullException(nameof(spOptions));
    }

    var applicationUrl = request.ApplicationUrl;
    Init(applicationUrl, spOptions);
}
/// <summary>
/// Check if an audience restriction from configuration should be
/// applied or if we should revert to the default behaviour of
/// restricting the audience to the entity id.
/// </summary>
/// <param name="spOptions">Sp Options with configuration</param>
/// <returns>Configured or created audience restriction.</returns>
private static AudienceRestriction GetAudienceRestriction(ISPOptions spOptions)
{
    var configured = spOptions.SystemIdentityModelIdentityConfiguration.AudienceRestriction;

    // With AudienceUriMode.Never no audience check happens at all, so there is
    // nothing to fill in. In every other mode an empty allowed list is replaced
    // by our own entity id, so assertions addressed to other SPs are rejected.
    var needsDefaultAudience =
        configured.AudienceMode != AudienceUriMode.Never
        && !configured.AllowedAudienceUris.Any();
    if (!needsDefaultAudience)
    {
        return configured;
    }

    // Build a fresh instance instead of mutating the shared configuration object.
    var restrictedToEntityId = new AudienceRestriction(configured.AudienceMode);
    restrictedToEntityId.AllowedAudienceUris.Add(new Uri(spOptions.EntityId.Id));
    return restrictedToEntityId;
}
/// <summary>
/// Builds the SP metadata entity descriptor: entity id, organization, cache
/// duration and contacts from the options, one default HTTP-POST assertion
/// consumer service, the configured attribute consuming services and, when a
/// discovery service URL is configured, a DiscoveryResponse extension that points
/// at the sign-in URL.
/// </summary>
/// <param name="spOptions">Service provider options to publish.</param>
/// <param name="urls">Resolved module URLs used as endpoint locations.</param>
/// <returns>The populated entity descriptor.</returns>
public static ExtendedEntityDescriptor CreateMetadata(this ISPOptions spOptions, AuthServicesUrls urls)
{
    var entityDescriptor = new ExtendedEntityDescriptor
    {
        EntityId = spOptions.EntityId,
        Organization = spOptions.Organization,
        CacheDuration = spOptions.MetadataCacheDuration
    };
    foreach (var contact in spOptions.Contacts)
    {
        entityDescriptor.Contacts.Add(contact);
    }

    var spDescriptor = new ExtendedServiceProviderSingleSignOnDescriptor();
    spDescriptor.ProtocolsSupported.Add(new Uri("urn:oasis:names:tc:SAML:2.0:protocol"));

    // A single, default ACS bound to HTTP-POST.
    var assertionConsumerService = new IndexedProtocolEndpoint()
    {
        Index = 0,
        IsDefault = true,
        Binding = Saml2Binding.HttpPostUri,
        Location = urls.AssertionConsumerServiceUrl
    };
    spDescriptor.AssertionConsumerServices.Add(0, assertionConsumerService);

    foreach (var attributeConsumingService in spOptions.AttributeConsumingServices)
    {
        spDescriptor.AttributeConsumingServices.Add(attributeConsumingService);
    }
    entityDescriptor.RoleDescriptors.Add(spDescriptor);

    // Only advertise a DiscoveryResponse endpoint when a DS is actually configured.
    var discoveryServiceUrl = spOptions.DiscoveryServiceUrl;
    var hasDiscoveryService =
        discoveryServiceUrl != null
        && !string.IsNullOrEmpty(discoveryServiceUrl.OriginalString);
    if (hasDiscoveryService)
    {
        entityDescriptor.Extensions.DiscoveryResponse = new IndexedProtocolEndpoint
        {
            Binding = Saml2Binding.DiscoveryResponseUri,
            Index = 0,
            IsDefault = true,
            Location = urls.SignInUrl
        };
    }

    return entityDescriptor;
}
/// <summary>
/// Creates a token handler that accepts assertions only when their audience is
/// this SP's entity id, and copies the bootstrap-context setting from the SP's
/// System.IdentityModel configuration.
/// </summary>
/// <param name="spOptions">Service provider options.</param>
/// <exception cref="ArgumentNullException">If <paramref name="spOptions"/> is null.</exception>
public Saml2PSecurityTokenHandler(ISPOptions spOptions)
{
    if (spOptions == null)
    {
        throw new ArgumentNullException(nameof(spOptions));
    }

    // AudienceUriMode.Always: every token's audience is validated against this
    // list, which holds only our own entity id.
    var ownEntityId = new Uri(spOptions.EntityId.Id);
    var restriction = new AudienceRestriction(AudienceUriMode.Always);
    restriction.AllowedAudienceUris.Add(ownEntityId);

    var identityConfiguration = spOptions.SystemIdentityModelIdentityConfiguration;
    Configuration = new SecurityTokenHandlerConfiguration
    {
        IssuerNameRegistry = new ReturnRequestedIssuerNameRegistry(),
        AudienceRestriction = restriction,
        SaveBootstrapContext = identityConfiguration.SaveBootstrapContext
    };
}
/// <summary>
/// Creates a token handler whose audience restriction is fixed to this SP's
/// entity id (mode <c>Always</c>); the bootstrap-context setting comes from the
/// SP's System.IdentityModel configuration.
/// </summary>
/// <param name="spOptions">Service provider options.</param>
/// <exception cref="ArgumentNullException">If <paramref name="spOptions"/> is null.</exception>
public Saml2PSecurityTokenHandler(ISPOptions spOptions)
{
    if (spOptions == null)
    {
        throw new ArgumentNullException(nameof(spOptions));
    }

    // Assertions meant for a different SP fail audience validation here.
    var entityIdAudience = new AudienceRestriction(AudienceUriMode.Always);
    entityIdAudience.AllowedAudienceUris.Add(new Uri(spOptions.EntityId.Id));

    var handlerConfiguration = new SecurityTokenHandlerConfiguration();
    handlerConfiguration.IssuerNameRegistry = new ReturnRequestedIssuerNameRegistry();
    handlerConfiguration.AudienceRestriction = entityIdAudience;
    handlerConfiguration.SaveBootstrapContext =
        spOptions.SystemIdentityModelIdentityConfiguration.SaveBootstrapContext;

    Configuration = handlerConfiguration;
}
/// <summary>
/// Builds the SP metadata entity descriptor: entity id, organization, cache
/// duration and contacts from the options; two assertion consumer services
/// (HTTP-POST as default, HTTP-Artifact at index 1, both at the same location);
/// the configured attribute consuming services; the certificates selected for
/// publication; and, when a discovery service URL is configured, a
/// DiscoveryResponse extension pointing at the sign-in URL.
/// </summary>
/// <param name="spOptions">Service provider options to publish.</param>
/// <param name="urls">Resolved module URLs used as endpoint locations.</param>
/// <returns>The populated entity descriptor.</returns>
public static ExtendedEntityDescriptor CreateMetadata(this ISPOptions spOptions, AuthServicesUrls urls)
{
    var ed = new ExtendedEntityDescriptor
    {
        EntityId = spOptions.EntityId,
        Organization = spOptions.Organization,
        CacheDuration = spOptions.MetadataCacheDuration
    };
    foreach (var contact in spOptions.Contacts)
    {
        ed.Contacts.Add(contact);
    }

    var spsso = new ExtendedServiceProviderSingleSignOnDescriptor();
    spsso.ProtocolsSupported.Add(new Uri("urn:oasis:names:tc:SAML:2.0:protocol"));

    spsso.AssertionConsumerServices.Add(0, new IndexedProtocolEndpoint()
    {
        Index = 0,
        IsDefault = true,
        Binding = Saml2Binding.HttpPostUri,
        Location = urls.AssertionConsumerServiceUrl
    });

    // Artifact binding is published as a non-default ACS at the same URL.
    spsso.AssertionConsumerServices.Add(1, new IndexedProtocolEndpoint()
    {
        Index = 1,
        IsDefault = false,
        Binding = Saml2Binding.HttpArtifactUri,
        Location = urls.AssertionConsumerServiceUrl
    });

    foreach (var attributeService in spOptions.AttributeConsumingServices)
    {
        spsso.AttributeConsumingServices.Add(attributeService);
    }

    // NOTE(review): the guard tests ServiceCertificates but the loop iterates
    // MetadataCertificates - confirm the latter is never null when the former
    // is not. Only the raw certificate (public part) goes into the KeyInfo.
    if (spOptions.ServiceCertificates != null)
    {
        var publishCertificates = spOptions.MetadataCertificates;
        foreach (var serviceCert in publishCertificates)
        {
            using (var securityToken = new X509SecurityToken(serviceCert.Certificate))
            {
                // Use is converted through its byte value, so the numeric values
                // of the two enums have to line up.
                spsso.Keys.Add(
                    new KeyDescriptor
                    {
                        Use = (KeyType)(byte)serviceCert.Use,
                        KeyInfo = new SecurityKeyIdentifier(securityToken.CreateKeyIdentifierClause <X509RawDataKeyIdentifierClause>())
                    }
                );
            }
        }
    }

    // Only advertise a DiscoveryResponse endpoint when a DS is actually configured.
    if (spOptions.DiscoveryServiceUrl != null
        && !string.IsNullOrEmpty(spOptions.DiscoveryServiceUrl.OriginalString))
    {
        spsso.Extensions.DiscoveryResponse = new IndexedProtocolEndpoint
        {
            Binding = Saml2Binding.DiscoveryResponseUri,
            Index = 0,
            IsDefault = true,
            Location = urls.SignInUrl
        };
    }

    ed.RoleDescriptors.Add(spsso);

    return(ed);
}
/// <summary>
/// Initializes the module URLs. A configured <c>PublicOrigin</c> takes precedence
/// over the origin derived from the request, so generated URLs need not depend
/// on what the incoming request reports (e.g. behind a reverse proxy); without
/// it the request's application URL is used.
/// </summary>
/// <param name="applicationUrl">Application root as seen on the request.</param>
/// <param name="spOptions">Service provider options; supplies PublicOrigin and the module path.</param>
void Init(Uri applicationUrl, ISPOptions spOptions)
{
    var configuredOrigin = spOptions.PublicOrigin;
    var origin = configuredOrigin != null ? configuredOrigin : applicationUrl;

    Init(origin, spOptions.ModulePath);
}
/// <summary>
/// Creates an identity provider known only by its entity id; no endpoints, keys
/// or metadata are set up here.
/// </summary>
/// <param name="entityId">Entity id of the identity provider.</param>
/// <param name="spOptions">Options of the service provider this IdP is registered with.</param>
public IdentityProvider(EntityId entityId, ISPOptions spOptions)
{
    // Property first, then the options field, as the original ordering.
    EntityId = entityId;

    this.spOptions = spOptions;
}
/// <summary>
/// Creates an options object wrapping the given service provider options.
/// </summary>
/// <param name="spOptions">Service provider options to hold; stored as-is, no
/// null check is performed here.</param>
public Options(ISPOptions spOptions)
{
    this.spOptions = spOptions;
}
/// <summary>
/// Creates an identity provider that is described by metadata at the given URL.
/// The options are stored before <c>MetadataUrl</c> is assigned, in case that
/// property setter does more than store the value.
/// </summary>
/// <param name="metadataUrl">Location of the IdP's metadata.</param>
/// <param name="spOptions">Options of the service provider this IdP is registered with.</param>
public IdentityProvider(Uri metadataUrl, ISPOptions spOptions)
{
    this.spOptions = spOptions;

    MetadataUrl = metadataUrl;
}
/// <summary>
/// Check if an audience restriction from configuration should be
/// applied or if we should revert to the default behaviour of
/// restricting the audience to the entity id.
/// </summary>
/// <param name="spOptions">Sp Options with configuration</param>
/// <returns>Configured or created audience restriction.</returns>
private static AudienceRestriction GetAudienceRestriction(ISPOptions spOptions)
{
    var fromConfig = spOptions.SystemIdentityModelIdentityConfiguration.AudienceRestriction;

    // Keep the configured restriction when audience checking is disabled
    // (Never) or when an allowed list has been supplied explicitly.
    if (fromConfig.AudienceMode == AudienceUriMode.Never
        || fromConfig.AllowedAudienceUris.Any())
    {
        return fromConfig;
    }

    // Otherwise default to our own entity id as the only accepted audience.
    // A new instance is created so the shared configuration is left untouched.
    var withEntityId = new AudienceRestriction(fromConfig.AudienceMode);
    var ownEntityId = new Uri(spOptions.EntityId.Id);
    withEntityId.AllowedAudienceUris.Add(ownEntityId);
    return withEntityId;
}