/// <summary>
/// POST handler that persists edits to an existing <see cref="IssuingAuthority"/>.
/// Only <c>Name</c> and <c>Id</c> are model-bound, which keeps other entity
/// properties out of reach of the request body (over-posting guard).
/// </summary>
/// <param name="id">Route identifier; must agree with the bound entity's <c>Id</c>.</param>
/// <param name="issuingAuthority">Entity populated by model binding.</param>
/// <returns>
/// <c>NotFound</c> when the route id and body id disagree or the row vanished during a
/// concurrency conflict; the edit view when model state is invalid; otherwise a redirect to Index.
/// </returns>
public async Task<IActionResult> Edit(int id, [Bind("Name,Id")] IssuingAuthority issuingAuthority)
{
    // The row named by the URL and the row in the body must be the same one.
    if (id != issuingAuthority.Id)
    {
        return NotFound();
    }

    if (!ModelState.IsValid)
    {
        return View(issuingAuthority);
    }

    try
    {
        _context.Update(issuingAuthority);
        await _context.SaveChangesAsync();
    }
    catch (DbUpdateConcurrencyException) when (!IssuingAuthorityExists(issuingAuthority.Id))
    {
        // The entity was deleted by someone else between load and save.
        return NotFound();
    }
    // Any other concurrency failure propagates unchanged (the filter above does not match it).

    return RedirectToAction(nameof(Index));
}
/// <summary>
/// Re-reads the issuing authority from its federation metadata and, when at least one
/// signing-key thumbprint is not yet stored, replaces the stored key set with the
/// current one.
/// </summary>
/// <param name="metadataLocation">Address of the federation metadata document.</param>
public static void RefreshKeys(string metadataLocation)
{
    IssuingAuthority authority = ValidatingIssuerNameRegistry.GetIssuingAuthority(metadataLocation);

    // Nothing to do unless the metadata advertises a thumbprint we do not know yet.
    bool unknownThumbprintSeen = false;
    foreach (string thumbprint in authority.Thumbprints)
    {
        if (ContainsKey(thumbprint))
        {
            continue;
        }
        unknownThumbprintSeen = true;
        break;
    }

    if (!unknownThumbprintSeen)
    {
        return;
    }

    using (MyCompanyContext context = new MyCompanyContext())
    {
        // Whole-set replacement: thumbprints that dropped out of the metadata are no longer trusted.
        context.IssuingAuthorityKeys.RemoveRange(context.IssuingAuthorityKeys);
        foreach (string thumbprint in authority.Thumbprints)
        {
            context.IssuingAuthorityKeys.Add(new IssuingAuthorityKey { Id = thumbprint });
        }
        context.SaveChanges();
    }
}
/// <summary>
/// Refreshes the signing-key thumbprints kept in the XML document <c>doc</c>: when the
/// federation metadata lists a thumbprint that is not stored yet, the <c>keys</c>
/// element is rewritten with the complete current set and the document is saved.
/// </summary>
/// <param name="metadataAddress">Address of the federation metadata document.</param>
public static void RefreshKeys(string metadataAddress)
{
    IssuingAuthority authority = ValidatingIssuerNameRegistry.GetIssuingAuthority(metadataAddress);

    bool staleKeySet = false;
    foreach (string thumbprint in authority.Thumbprints)
    {
        if (ContainsKey(thumbprint))
        {
            continue;
        }
        staleKeySet = true;
        break;
    }

    if (!staleKeySet)
    {
        return;
    }

    // First <keys> element in the document; replaced wholesale rather than merged.
    XElement keysElement = doc.Descendants("keys").First();
    keysElement.RemoveNodes();
    foreach (string thumbprint in authority.Thumbprints)
    {
        keysElement.Add(new XElement("key", new XAttribute("id", thumbprint)));
    }
    doc.Save(filePath);
}
/// <summary>
/// Builds a WS-Federation configuration for a relying party that trusts a single STS,
/// identified by its URL and its token-signing certificate thumbprint.
/// </summary>
/// <param name="relyingPartyUrl">Used both as the allowed audience and as the WS-Fed realm.</param>
/// <param name="stsUrl">Issuer URL; also the WS-Fed sign-in endpoint.</param>
/// <param name="domain">Cookie domain for the session cookie.</param>
/// <param name="certificateThumbprint">Thumbprint of the STS token-signing certificate.</param>
/// <param name="authCookieName">Name of the session cookie.</param>
/// <param name="requireSsl">Applied to both the session cookie and the WS-Fed sign-in flow.</param>
/// <returns>A populated <see cref="FederationConfiguration"/>.</returns>
public static FederationConfiguration Create(string relyingPartyUrl, string stsUrl, string domain, string certificateThumbprint, string authCookieName, bool requireSsl)
{
    var config = new FederationConfiguration();
    var identity = config.IdentityConfiguration;

    identity.AudienceRestriction.AllowedAudienceUris.Add(new Uri(relyingPartyUrl));

    var trustedSts = new IssuingAuthority(stsUrl);
    trustedSts.Thumbprints.Add(certificateThumbprint);
    trustedSts.Issuers.Add(stsUrl);
    identity.IssuerNameRegistry = new ValidatingIssuerNameRegistry
    {
        IssuingAuthorities = new List<IssuingAuthority> { trustedSts }
    };

    // Chain and revocation checks on the signing certificate are switched off here;
    // the only trust anchor is the thumbprint registered above.
    identity.CertificateValidationMode = X509CertificateValidationMode.None;

    config.CookieHandler = new ChunkedCookieHandler
    {
        RequireSsl = requireSsl,
        Name = authCookieName,
        Domain = domain,
        PersistentSessionLifetime = TimeSpan.FromMinutes(30)
    };

    var wsFederation = config.WsFederationConfiguration;
    wsFederation.Issuer = stsUrl;
    wsFederation.Realm = relyingPartyUrl;
    wsFederation.RequireHttps = requireSsl;

    return config;
}
/// <summary>
/// Synchronises the tenant database with the issuing authority's federation metadata:
/// unknown signing-key thumbprints trigger a full replacement of the stored key set, and
/// issuers without a tenant row get one created.
/// </summary>
/// <param name="metadataLocation">Address of the federation metadata document.</param>
public static void RefreshKeys(string metadataLocation)
{
    IssuingAuthority authority = ValidatingIssuerNameRegistry.GetIssuingAuthority(metadataLocation);

    bool replaceKeys = false;
    foreach (string thumbprint in authority.Thumbprints)
    {
        if (ContainsKey(thumbprint))
        {
            continue;
        }
        replaceKeys = true;
        break;
    }

    // A key change always re-checks tenants; otherwise only missing tenants trigger work.
    bool syncTenants = replaceKeys;
    foreach (string issuer in authority.Issuers)
    {
        if (ContainsTenant(GetIssuerId(issuer)))
        {
            continue;
        }
        syncTenants = true;
        break;
    }

    if (!replaceKeys && !syncTenants)
    {
        return;
    }

    using (TenantDbContext context = new TenantDbContext())
    {
        if (replaceKeys)
        {
            context.IssuingAuthorityKeys.RemoveRange(context.IssuingAuthorityKeys);
            foreach (string thumbprint in authority.Thumbprints)
            {
                context.IssuingAuthorityKeys.Add(new IssuingAuthorityKey { Id = thumbprint });
            }
        }

        if (syncTenants)
        {
            // Add the default tenant to the registry.
            // Comment or remove the following code if you do not wish to have the default tenant use the application.
            foreach (string issuer in authority.Issuers)
            {
                string issuerId = GetIssuerId(issuer);
                if (!ContainsTenant(issuerId))
                {
                    context.Tenants.Add(new Tenant { Id = issuerId });
                }
            }
        }

        context.SaveChanges();
    }
}
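/// <summary>
/// Supplies the WS-Federation configuration programmatically (instead of from web.config)
/// when <c>FederatedAuthentication</c> raises <c>FederationConfigurationCreated</c>.
/// </summary>
/// <param name="sender">Event source; not used.</param>
/// <param name="e">Event data whose <c>FederationConfiguration</c> is replaced.</param>
private static void FederatedAuthentication_FederationConfigurationCreated(object sender, FederationConfigurationCreatedEventArgs e)
{
    // From appsettings... (sample values). The original listing had the quotes of the
    // next three literals mis-placed, leaving `issuer` unterminated; restored here.
    const string allowedAudience = "http://audience1/user/get";
    const string rpRealm = "http://audience1/";
    const string domain = "";
    const bool requireSsl = false;
    const string issuer = "http://sts/token/create";
    const string certThumbprint = "mythumbprint";
    const string authCookieName = "StsAuth";

    var federationConfiguration = new FederationConfiguration();
    federationConfiguration.IdentityConfiguration.AudienceRestriction.AllowedAudienceUris.Add(new Uri(allowedAudience));

    // NOTE(review): internalSts is not declared in this method — presumably a field holding
    // the STS address; confirm it matches `issuer` above, otherwise issuer-name validation
    // and the sign-in endpoint point at different authorities.
    var issuingAuthority = new IssuingAuthority(internalSts);
    issuingAuthority.Thumbprints.Add(certThumbprint);
    issuingAuthority.Issuers.Add(internalSts);

    var issuingAuthorities = new List<IssuingAuthority> { issuingAuthority };
    var validatingIssuerNameRegistry = new ValidatingIssuerNameRegistry { IssuingAuthorities = issuingAuthorities };
    federationConfiguration.IdentityConfiguration.IssuerNameRegistry = validatingIssuerNameRegistry;

    // Chain/revocation validation of the signing certificate is disabled; the thumbprint
    // registered above is the sole trust anchor.
    federationConfiguration.IdentityConfiguration.CertificateValidationMode = X509CertificateValidationMode.None;

    // The cookie's SSL requirement follows the same switch as RequireHttps below
    // (previously hard-coded to false next to a const that was also false).
    var chunkedCookieHandler = new ChunkedCookieHandler
    {
        RequireSsl = requireSsl,
        Name = authCookieName,
        Domain = domain,
        PersistentSessionLifetime = new TimeSpan(0, 0, 30, 0)
    };
    federationConfiguration.CookieHandler = chunkedCookieHandler;

    federationConfiguration.WsFederationConfiguration.Issuer = issuer;
    federationConfiguration.WsFederationConfiguration.Realm = rpRealm;
    federationConfiguration.WsFederationConfiguration.RequireHttps = requireSsl;

    e.FederationConfiguration = federationConfiguration;
}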
/// <summary>
/// Brings the tenant database in line with the issuing authority's federation metadata.
/// Unknown thumbprints cause the stored key set to be replaced; issuers without a tenant
/// row get one added. Nothing is written when both sets are already current.
/// </summary>
/// <param name="metadataLocation">Address of the federation metadata document.</param>
public static void RefreshKeys(string metadataLocation)
{
    IssuingAuthority authority = ValidatingIssuerNameRegistry.GetIssuingAuthority(metadataLocation);

    bool keysOutdated = false;
    foreach (string thumbprint in authority.Thumbprints)
    {
        if (!ContainsKey(thumbprint))
        {
            keysOutdated = true;
            break;
        }
    }

    bool tenantsOutdated = keysOutdated;
    foreach (string issuer in authority.Issuers)
    {
        if (!ContainsTenant(GetIssuerId(issuer)))
        {
            tenantsOutdated = true;
            break;
        }
    }

    if (!(keysOutdated || tenantsOutdated))
    {
        return;
    }

    using (var context = new TenantDbContext())
    {
        if (keysOutdated)
        {
            // Replace rather than merge so retired keys stop being trusted.
            context.IssuingAuthorityKeys.RemoveRange(context.IssuingAuthorityKeys);
            foreach (string thumbprint in authority.Thumbprints)
            {
                context.IssuingAuthorityKeys.Add(new IssuingAuthorityKey { Id = thumbprint });
            }
        }

        if (tenantsOutdated)
        {
            foreach (string issuer in authority.Issuers)
            {
                string tenantId = GetIssuerId(issuer);
                if (ContainsTenant(tenantId))
                {
                    continue;
                }
                context.Tenants.Add(new Tenant { Id = tenantId });
            }
        }

        context.SaveChanges();
    }
}
/// <summary>
/// POST handler that stores a new <see cref="IssuingAuthority"/>. Only <c>Name</c> and
/// <c>Id</c> are model-bound, so other entity properties cannot be set from the request.
/// </summary>
/// <param name="issuingAuthority">Entity populated by model binding.</param>
/// <returns>The create view again when model state is invalid, otherwise a redirect to Index.</returns>
public async Task<IActionResult> Create([Bind("Name,Id")] IssuingAuthority issuingAuthority)
{
    if (!ModelState.IsValid)
    {
        return View(issuingAuthority);
    }

    _context.Add(issuingAuthority);
    await _context.SaveChangesAsync();
    return RedirectToAction(nameof(Index));
}
/// <summary>
/// Updates the document session with the issuing authority's current signing keys and
/// tenants. Unknown thumbprints cause every stored key to be removed and the current set
/// to be added; issuers without a tenant get one added.
/// </summary>
/// <param name="metadataLocation">Address of the federation metadata document.</param>
/// <remarks>
/// NOTE(review): nothing here commits the session; presumably the owner of <c>session</c>
/// saves it afterwards — confirm, otherwise the refresh is lost.
/// </remarks>
public static void RefreshKeys(string metadataLocation)
{
    IssuingAuthority authority = ValidatingIssuerNameRegistry.GetIssuingAuthority(metadataLocation);

    bool rewriteKeys = false;
    foreach (string thumbprint in authority.Thumbprints)
    {
        if (!ContainsKey(thumbprint))
        {
            rewriteKeys = true;
            break;
        }
    }

    bool addTenants = rewriteKeys;
    foreach (string issuer in authority.Issuers)
    {
        if (!ContainsTenant(GetIssuerId(issuer)))
        {
            addTenants = true;
            break;
        }
    }

    if (!rewriteKeys && !addTenants)
    {
        return;
    }

    if (rewriteKeys)
    {
        var currentKeyIds = session.GetQueryable<IssuingAuthorityKey>().Select(i => i.Id).ToList();
        session.RemoveBatch<IssuingAuthorityKey>(currentKeyIds);
        foreach (string thumbprint in authority.Thumbprints)
        {
            session.Add(new IssuingAuthorityKey { Id = thumbprint });
        }
    }

    if (addTenants)
    {
        foreach (string issuer in authority.Issuers)
        {
            string tenantId = GetIssuerId(issuer);
            if (!ContainsTenant(tenantId))
            {
                session.Add(new Tenant { Id = tenantId });
            }
        }
    }
}
/// <summary>
/// Returns the cached <see cref="IssuingAuthority"/> for <c>MetadataLocation</c>, fetching
/// it from the federation metadata and caching it for one hour on a miss.
/// </summary>
/// <returns>The cached or freshly fetched authority.</returns>
private static IssuingAuthority GetIssuingAuthority()
{
    if (issuingAuthorityCache[IssuingAuthorityCacheKey] is IssuingAuthority cached)
    {
        return cached;
    }

    // Cache miss (or a non-IssuingAuthority entry): fetch and cache with an absolute expiry.
    IssuingAuthority fetched = ValidatingIssuerNameRegistry.GetIssuingAuthority(MetadataLocation);
    issuingAuthorityCache.Add(IssuingAuthorityCacheKey, fetched, DateTimeOffset.UtcNow.AddHours(1.0));
    return fetched;
}
/// <summary>
/// Refreshes the in-memory <c>IssuingAuthorityKeys</c> and <c>Tenants</c> collections from
/// the issuing authority's federation metadata. Unknown thumbprints cause the key
/// collection to be cleared and refilled; issuers without a tenant get one added.
/// </summary>
/// <param name="metadataLocation">Address of the federation metadata document.</param>
public static void RefreshKeys(string metadataLocation)
{
    IssuingAuthority authority = ValidatingIssuerNameRegistry.GetIssuingAuthority(metadataLocation);

    bool keysStale = false;
    foreach (string thumbprint in authority.Thumbprints)
    {
        if (ContainsKey(thumbprint))
        {
            continue;
        }
        keysStale = true;
        break;
    }

    bool tenantsStale = keysStale;
    foreach (string issuer in authority.Issuers)
    {
        if (ContainsTenant(GetIssuerId(issuer)))
        {
            continue;
        }
        tenantsStale = true;
        break;
    }

    if (!keysStale && !tenantsStale)
    {
        return;
    }

    if (keysStale)
    {
        IssuingAuthorityKeys.Clear();
        foreach (string thumbprint in authority.Thumbprints)
        {
            IssuingAuthorityKeys.Add(new IssuingAuthorityKey { Id = thumbprint });
        }
    }

    // The tenant check runs per issuer as we go, so a duplicate issuer id is only added once.
    foreach (string issuer in authority.Issuers)
    {
        string tenantId = GetIssuerId(issuer);
        if (ContainsTenant(tenantId))
        {
            continue;
        }
        Tenants.Add(new Tenant { Id = tenantId });
    }
}
/// <summary>
/// Sets up the Azure AD application identity and the single issuing authority this
/// controller trusts.
/// </summary>
public AuthController()
{
    // Azure AD application registration.
    this.AzureAdAppUri = "http://localhost:47828/";
    this.AzureAdAppClientId = "515e8337-2a81-421a-bf76-cbc78ff89288";
    // SECURITY: a client secret is committed in source here. It should be loaded from
    // configuration / a secret store, and this value treated as exposed and rotated.
    this.AzureAdAppClientSecret = "sYEVBHHMM4kQNv2NOT6x0c55sogupaknnr3gdX9cptg=";

    // Fix for ID4175 & WIF10201: http://www.cloudidentity.com/blog/2013/02/08/multitenant-sts-and-token-validation-4/
    var azureAd = new IssuingAuthority("WAAD");
    // Issuer = Azure AD tenant.
    azureAd.Issuers.Add("https://sts.windows.net/3351acfe-7e1b-4e9b-b587-f34bfa2e128a/");
    azureAd.Thumbprints.Add("3464C5BDD2BE7F2B6112E2F08E9C0024E33D9FE0");
    // The thumbprint can be read via this code:
    // ia = ValidatingIssuerNameRegistry.GetIssuingAuthority("https://login.windows.net/TENANTID/FederationMetadata/2007-06/FederationMetadata.xml");
    this.AzureAdAuthroAuthority = azureAd;
}
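/// <summary>
/// Builds the WS-Federation configuration from
/// <c>MortysMixedAuthenticationConfiguration.Settings</c>: one allowed audience, one
/// issuing authority identified by its signing-certificate thumbprint, and a chunked
/// session cookie.
/// </summary>
/// <returns>A populated <see cref="FederationConfiguration"/>.</returns>
public static FederationConfiguration LoadConfigurationSection()
{
    var allowedAudience = MortysMixedAuthenticationConfiguration.Settings.ClientApplicationUri;
    var rpRealm = MortysMixedAuthenticationConfiguration.Settings.ClientApplicationUri;
    var domain = "";
    var requireSsl = true;
    var issuer = MortysMixedAuthenticationConfiguration.Settings.SecurityTokenIssuerUri;
    var certThumbprint = MortysMixedAuthenticationConfiguration.Settings.TokenSigningSertificateThumbprint;
    var issuingAuthorityUri = MortysMixedAuthenticationConfiguration.Settings.TokenIssuingAuthorityUri;
    var authCookieName = "FocusFederatedAuth";

    var federationConfiguration = new FederationConfiguration();
    federationConfiguration.IdentityConfiguration.AudienceRestriction.AllowedAudienceUris.Add(new Uri(allowedAudience));

    var issuingAuthority = new IssuingAuthority(issuingAuthorityUri);
    issuingAuthority.Thumbprints.Add(certThumbprint);
    issuingAuthority.Issuers.Add(issuingAuthorityUri);
    federationConfiguration.IdentityConfiguration.IssuerNameRegistry = new ValidatingIssuerNameRegistry
    {
        IssuingAuthorities = new List<IssuingAuthority> { issuingAuthority }
    };

    // Chain/revocation checks on the signing certificate are disabled; the thumbprint
    // registered above is the only trust anchor.
    federationConfiguration.IdentityConfiguration.CertificateValidationMode = X509CertificateValidationMode.None;

    // Fix: RequireSsl was hard-coded to false while requireSsl (used for RequireHttps below)
    // is true, so the sign-in flow insisted on HTTPS but the session cookie handler did not.
    // Both now follow the same switch.
    var chunkedCookieHandler = new ChunkedCookieHandler
    {
        RequireSsl = requireSsl,
        Name = authCookieName,
        Domain = domain,
        PersistentSessionLifetime = new TimeSpan(0, 0, 30, 0)
    };
    federationConfiguration.CookieHandler = chunkedCookieHandler;

    federationConfiguration.WsFederationConfiguration.Issuer = issuer;
    federationConfiguration.WsFederationConfiguration.Realm = rpRealm;
    federationConfiguration.WsFederationConfiguration.RequireHttps = requireSsl;
    federationConfiguration.WsFederationConfiguration.PassiveRedirectEnabled = true;

    return federationConfiguration;
}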
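/// <summary>
/// Creates the configuration for one federation party, with default refresh intervals,
/// HTTP-Redirect as the outbound and HTTP-POST as the inbound binding, and an
/// <see cref="IssuingAuthority"/> named after the party id.
/// </summary>
/// <param name="federationPartyId">Identifier of the federation party; required.</param>
/// <param name="metadataAddress">Address of the party's metadata; required.</param>
/// <exception cref="ArgumentNullException">
/// Either argument is null, empty or whitespace. (Kept as ArgumentNullException for the
/// empty/whitespace case too, so existing callers that catch it keep working.)
/// </exception>
public FederationPartyConfiguration(string federationPartyId, string metadataAddress)
{
    // Fix: the exceptions previously named parameters that do not exist ("federationParty",
    // "metadataContext"), which mis-directed callers diagnosing the failure.
    if (String.IsNullOrWhiteSpace(federationPartyId))
    {
        throw new ArgumentNullException("federationPartyId");
    }
    if (String.IsNullOrWhiteSpace(metadataAddress))
    {
        throw new ArgumentNullException("metadataAddress");
    }

    this.FederationPartyId = federationPartyId;
    this.MetadataAddress = metadataAddress;
    this.AutomaticRefreshInterval = FederationPartyConfiguration.DefaultAutomaticRefreshInterval;
    this.RefreshInterval = FederationPartyConfiguration.DefaultRefreshInterval;
    this.OutboundBinding = new Uri(Bindings.Http_Redirect);
    this.InboundBinding = new Uri(Bindings.Http_Post);
    this.IssuingAuthority = new IssuingAuthority(federationPartyId);
}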
/// <inheritdoc/>
public string ToDelimitedString()
{
    // Current culture drives the numeric and date formatting of every field below.
    CultureInfo culture = CultureInfo.CurrentCulture;

    // The 32 fields are emitted positionally (presumably StringFormatSequence builds the
    // "{0}<sep>{1}<sep>..." template). Repeating fields are joined with FieldRepeatSeparator,
    // absent values become null/empty slots, and trailing separators left by empty fields
    // are trimmed at the end.
    return(string.Format(
        culture,
        StringHelper.StringFormatSequence(0, 32, Configuration.FieldSeparator),
        Id,
        SetIdCer.HasValue ? SetIdCer.Value.ToString(culture) : null,
        SerialNumber,
        Version,
        GrantingAuthority?.ToDelimitedString(),
        IssuingAuthority?.ToDelimitedString(),
        Signature?.ToDelimitedString(),
        GrantingCountry,
        GrantingStateProvince?.ToDelimitedString(),
        GrantingCountyParish?.ToDelimitedString(),
        CertificateType?.ToDelimitedString(),
        CertificateDomain?.ToDelimitedString(),
        SubjectId?.ToDelimitedString(),
        SubjectName,
        SubjectDirectoryAttributeExtension != null ? string.Join(Configuration.FieldRepeatSeparator, SubjectDirectoryAttributeExtension.Select(x => x.ToDelimitedString())) : null,
        SubjectPublicKeyInfo?.ToDelimitedString(),
        AuthorityKeyIdentifier?.ToDelimitedString(),
        BasicConstraint,
        CrlDistributionPoint != null ? string.Join(Configuration.FieldRepeatSeparator, CrlDistributionPoint.Select(x => x.ToDelimitedString())) : null,
        JurisdictionCountry,
        JurisdictionStateProvince?.ToDelimitedString(),
        JurisdictionCountyParish?.ToDelimitedString(),
        JurisdictionBreadth != null ? string.Join(Configuration.FieldRepeatSeparator, JurisdictionBreadth.Select(x => x.ToDelimitedString())) : null,
        // Date fields share one precision-to-seconds format.
        GrantingDate.HasValue ? GrantingDate.Value.ToString(Consts.DateTimeFormatPrecisionSecond, culture) : null,
        IssuingDate.HasValue ? IssuingDate.Value.ToString(Consts.DateTimeFormatPrecisionSecond, culture) : null,
        ActivationDate.HasValue ? ActivationDate.Value.ToString(Consts.DateTimeFormatPrecisionSecond, culture) : null,
        InactivationDate.HasValue ? InactivationDate.Value.ToString(Consts.DateTimeFormatPrecisionSecond, culture) : null,
        ExpirationDate.HasValue ? ExpirationDate.Value.ToString(Consts.DateTimeFormatPrecisionSecond, culture) : null,
        RenewalDate.HasValue ? RenewalDate.Value.ToString(Consts.DateTimeFormatPrecisionSecond, culture) : null,
        RevocationDate.HasValue ? RevocationDate.Value.ToString(Consts.DateTimeFormatPrecisionSecond, culture) : null,
        RevocationReasonCode?.ToDelimitedString(),
        CertificateStatusCode?.ToDelimitedString()
    ).TrimEnd(Configuration.FieldSeparator.ToCharArray()));
}
// Works around the problem described at:
// https://erikvanderstarre.wordpress.com/2014/12/14/using-the-jwtsecuritytokenhandler/
/// <summary>
/// Reads and validates a token encoded in JSON Compact serialized format.
/// </summary>
/// <param name="token">A 'JSON Web Token' (JWT) that has been encoded as a JSON object. May be signed using 'JSON Web Signature' (JWS).</param>
/// <returns>A <see cref="ReadOnlyCollection{T}"/> of <see cref="ClaimsIdentity"/> from the jwt.</returns>
public override ReadOnlyCollection<ClaimsIdentity> ValidateToken(SecurityToken token)
{
    // Only JWTs are handled here; any other SecurityToken type makes this cast throw.
    JwtSecurityToken jwtToken = (JwtSecurityToken)token;

    // Get the configuration from the configuration file (element "issuerNameRegistry").
    ValidatingIssuerNameRegistry issuerNameRegistry = (ValidatingIssuerNameRegistry) Configuration.IssuerNameRegistry;
    // NOTE(review): only the first configured authority is consulted; any further
    // authorities in the registry are ignored by this handler.
    IssuingAuthority issuingAuthority = issuerNameRegistry.IssuingAuthorities.First();

    // Set the validation parameters from the configuration.
    var validationParameters = new TokenValidationParameters
    {
        // Get the audiences that are expected.
        ValidAudiences = Configuration.AudienceRestriction.AllowedAudienceUris.Select(s => s.ToString()),
        // Get the issuers that are expected.
        ValidIssuers = issuingAuthority.Issuers,
        // Get the certificate to validate signing from the certificate store (if configured).
        // NOTE(review): only the first thumbprint is used, so a key rollover that publishes a
        // second thumbprint is not honoured here. With no thumbprint configured, null is
        // passed to getCertificate — confirm that path rejects the token rather than
        // skipping signature validation.
        IssuerSigningKey = getCertificate(issuingAuthority.Thumbprints.FirstOrDefault()),
        // Get the symmetric key token that is used to sign (if configured).
        // Did not get this one working though.
        //IssuerSigningToken = GetSymmetricKeyToken(issuingAuthority.SymmetricKeys.FirstOrDefault()),
        // Get how to validate the certificate.
        CertificateValidator = Configuration.CertificateValidator,
        // Get if the token should be preserved.
        SaveSigninToken = Configuration.SaveBootstrapContext
    };

    // Call the correct validation method (the raw-string overload, with the parameters above).
    SecurityToken validatedToken;
    ClaimsPrincipal validated = ValidateToken(jwtToken.RawData, validationParameters, out validatedToken);

    // Return the claim identities.
    return(new ReadOnlyCollection<ClaimsIdentity>(validated.Identities.ToList()));
}
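/// <summary>
/// Seeds the store with a fixed set of four issuing authorities.
/// </summary>
/// <param name="cosmosDbService">Store the entries are written to.</param>
/// <remarks>
/// The original discarded the values returned by <c>AddItemAsync</c>, so the method
/// returned before the writes completed and a failed write was never observed. Each write
/// is now waited on (this assumes <c>AddItemAsync</c> returns an awaitable — verify against
/// the interface), so seeding is complete on return and failures reach the caller.
/// </remarks>
public static void InitializeIssuingAuthorityData(ICosmosDbService<IssuingAuthority> cosmosDbService)
{
    // For every seeded authority Id and PublicAddress carry the same value.
    IssuingAuthority[] seedAuthorities =
    {
        new IssuingAuthority
        {
            Id = "0x6Bd701A0D24b7c83cCe83989f6c8021e84bb60Ca",
            IssuingCountry = "Spain",
            Name = "Spanish National Health Organization",
            PublicAddress = "0x6Bd701A0D24b7c83cCe83989f6c8021e84bb60Ca"
        },
        new IssuingAuthority
        {
            Id = "0x726a73323FE176221311185034ED1b87EE2d7dfd",
            IssuingCountry = "Norway",
            Name = "Norwegian Institute of Public Health",
            PublicAddress = "0x726a73323FE176221311185034ED1b87EE2d7dfd"
        },
        new IssuingAuthority
        {
            Id = "0xf8E149A98eB1d0b30F3E4dB9474296aB5822Bb91",
            IssuingCountry = "England",
            Name = "English Institute of Public Health",
            PublicAddress = "0xf8E149A98eB1d0b30F3E4dB9474296aB5822Bb91"
        },
        // TODO(review): "Natioanl" looks like a typo in the seeded display name.
        new IssuingAuthority
        {
            Id = "0x4D48A90c9ad0fDb1F67A37A86901FBecbC2848AC",
            IssuingCountry = "Croatia",
            Name = "Croatian Natioanl Health Institution",
            PublicAddress = "0x4D48A90c9ad0fDb1F67A37A86901FBecbC2848AC"
        }
    };

    foreach (IssuingAuthority authority in seedAuthorities)
    {
        // Blocking wait keeps the synchronous signature for existing callers; this is a
        // one-off seed helper, not a request path.
        cosmosDbService.AddItemAsync(authority).GetAwaiter().GetResult();
    }
}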
/// <summary>
/// Creates a WS-Federation configuration for a relying party trusting one STS: the STS URL
/// is both the accepted issuer name and the sign-in endpoint, and the token-signing
/// certificate is pinned by thumbprint.
/// </summary>
/// <param name="relyingPartyUrl">Allowed audience and WS-Fed realm.</param>
/// <param name="stsUrl">Issuer URL and WS-Fed sign-in endpoint.</param>
/// <param name="domain">Cookie domain for the session cookie.</param>
/// <param name="certificateThumbprint">Thumbprint of the STS token-signing certificate.</param>
/// <param name="authCookieName">Name of the session cookie.</param>
/// <param name="requireSsl">Applied to the session cookie and to the WS-Fed sign-in flow.</param>
/// <returns>A populated <see cref="FederationConfiguration"/>.</returns>
public static FederationConfiguration Create(string relyingPartyUrl, string stsUrl, string domain, string certificateThumbprint, string authCookieName, bool requireSsl)
{
    var result = new FederationConfiguration();

    // Audience restriction: only tokens scoped to this relying party are accepted.
    result.IdentityConfiguration.AudienceRestriction.AllowedAudienceUris.Add(new Uri(relyingPartyUrl));

    // Issuer-name registry with a single pinned authority.
    var authority = new IssuingAuthority(stsUrl);
    authority.Thumbprints.Add(certificateThumbprint);
    authority.Issuers.Add(stsUrl);
    var registry = new ValidatingIssuerNameRegistry();
    registry.IssuingAuthorities = new List<IssuingAuthority> { authority };
    result.IdentityConfiguration.IssuerNameRegistry = registry;

    // No chain or revocation validation of the signing certificate; the thumbprint above is
    // the only trust anchor.
    result.IdentityConfiguration.CertificateValidationMode = X509CertificateValidationMode.None;

    var cookieHandler = new ChunkedCookieHandler();
    cookieHandler.RequireSsl = requireSsl;
    cookieHandler.Name = authCookieName;
    cookieHandler.Domain = domain;
    cookieHandler.PersistentSessionLifetime = new TimeSpan(0, 0, 30, 0);
    result.CookieHandler = cookieHandler;

    result.WsFederationConfiguration.Issuer = stsUrl;
    result.WsFederationConfiguration.Realm = relyingPartyUrl;
    result.WsFederationConfiguration.RequireHttps = requireSsl;

    return result;
}
/// <summary>
/// When the issuing authority's federation metadata lists a signing-key thumbprint that is
/// not stored yet, replaces the stored key set and adds a tenant per issuer, using the last
/// path segment of the issuer URL as tenant id.
/// </summary>
/// <param name="metadataLocation">Address of the federation metadata document.</param>
public static void RefreshKeys(string metadataLocation)
{
    IssuingAuthority authority = ValidatingIssuerNameRegistry.GetIssuingAuthority(metadataLocation);

    bool unknownKeyPresent = false;
    foreach (string thumbprint in authority.Thumbprints)
    {
        if (!ContainsKey(thumbprint))
        {
            unknownKeyPresent = true;
            break;
        }
    }

    if (!unknownKeyPresent)
    {
        return;
    }

    using (var context = new TenantDbContext())
    {
        context.IssuingAuthorityKeys.RemoveRange(context.IssuingAuthorityKeys);
        foreach (string thumbprint in authority.Thumbprints)
        {
            context.IssuingAuthorityKeys.Add(new IssuingAuthorityKey { Id = thumbprint });
        }

        // NOTE(review): tenants are added for every issuer without checking for an existing
        // row, so a later key rollover may attempt a duplicate insert — confirm.
        foreach (string issuer in authority.Issuers)
        {
            string tenantId = issuer.TrimEnd('/').Split('/').Last();
            context.Tenants.Add(new Tenant { Id = tenantId });
        }

        context.SaveChanges();
    }
}
/// <summary>
/// Configures WIF federated authentication against an Azure Access Control Service
/// namespace from <see cref="AccessControlServiceSettings"/>: audience URIs, a single
/// issuing authority pinned by thumbprint, and the WS-Federation issuer/realm.
/// Silently returns when the settings cannot be loaded or still carry default values.
/// </summary>
/// <param name="accessControlServiceSettings">Settings to apply; loaded via <c>SettingsProvider</c> when null.</param>
public void InitiateFederatedAuthentication(AccessControlServiceSettings accessControlServiceSettings = null)
{
    if (accessControlServiceSettings == null)
    {
        if (!databaseUpgradeDetectorFactory().UpdateNeeded())
        {
            // Database needs an upgrade or is not reachable. We cannot configure Fed Auth at this time.
            // NOTE(review): the comment and the condition disagree — this returns when
            // UpdateNeeded() is false, i.e. when no upgrade is pending. Confirm which is intended.
            return;
        }
        if (!SettingsProvider.TryGetSettings(out accessControlServiceSettings))
        {
            // Unable to load the settings from the database. We cannot configure Fed Auth at this time.
            return;
        }
    }

    string realm = accessControlServiceSettings.Realm;
    string acsNamespace = accessControlServiceSettings.Namespace;
    string thumbprint = accessControlServiceSettings.IssuerThumbprint;

    // Audience URIs are newline/space separated; entries that are not absolute URIs are dropped.
    // Deferred query: it is only enumerated below, after the early-return checks.
    IEnumerable<Uri> audienceUris = accessControlServiceSettings
        .AudienceUris
        .Split(Constants.Chars.NewLine, Constants.Chars.Space)
        .Where(a => { Uri uri; return Uri.TryCreate(a, UriKind.Absolute, out uri); })
        .Select(a => new Uri(a));

    // Do nothing while federation is disabled or any key setting still has its default value.
    var defaultSettings = SettingsProvider.GetDefaultSettings<AccessControlServiceSettings>();
    if (!accessControlServiceSettings.Enabled || realm == defaultSettings.Realm || acsNamespace == defaultSettings.Namespace || thumbprint == defaultSettings.IssuerThumbprint)
    {
        return;
    }

    // system.identityModel -> identityConfiguration
    IdentityConfiguration identityConfiguration = FederatedAuthentication.FederationConfiguration.IdentityConfiguration;
    identityConfiguration.AudienceRestriction.AllowedAudienceUris.Clear();
    foreach (var audienceUri in audienceUris)
    {
        identityConfiguration.AudienceRestriction.AllowedAudienceUris.Add(audienceUri);
    }

    // Only a ValidatingIssuerNameRegistry is updated; any other registry type is left as configured.
    var validatingIssuerNameRegistry = identityConfiguration.IssuerNameRegistry as ValidatingIssuerNameRegistry;
    if (validatingIssuerNameRegistry != null)
    {
        // The ACS namespace address is both the trusted issuer name and the authority name;
        // the configured thumbprint pins its token-signing certificate.
        string acsAddress = string.Format("https://{0}.accesscontrol.windows.net/", acsNamespace);
        var authority = new IssuingAuthority(acsAddress);
        authority.Issuers.Add(acsAddress);
        authority.Thumbprints.Add(thumbprint);
        validatingIssuerNameRegistry.IssuingAuthorities = new[] { authority };
    }

    // system.identityModel.services -> federationConfiguration -> wsFederation
    string issuer = string.Format("https://{0}.accesscontrol.windows.net/v2/wsfederation", acsNamespace);
    FederatedAuthentication.FederationConfiguration.WsFederationConfiguration.Issuer = issuer;
    FederatedAuthentication.FederationConfiguration.WsFederationConfiguration.Realm = realm;
}
/// <summary>
/// Tells whether any issuer of <paramref name="issuingAuthority"/> maps (via
/// <c>GetIssuerId</c>) to <paramref name="issuerId"/>, compared case-insensitively.
/// </summary>
/// <param name="issuingAuthority">Authority whose issuers are examined.</param>
/// <param name="issuerId">Issuer id to look for.</param>
/// <returns>True when a matching issuer exists.</returns>
private static bool ContainsIssuerId(IssuingAuthority issuingAuthority, string issuerId)
{
    foreach (string issuer in issuingAuthority.Issuers)
    {
        if (string.Equals(GetIssuerId(issuer), issuerId, StringComparison.OrdinalIgnoreCase))
        {
            return true;
        }
    }
    return false;
}
/// <summary>
/// Tells whether <paramref name="thumbprint"/> is among the authority's registered
/// signing-certificate thumbprints (exact match as performed by the collection's
/// <c>Contains</c>).
/// </summary>
/// <param name="issuingAuthority">Authority whose thumbprints are examined.</param>
/// <param name="thumbprint">Thumbprint to look for.</param>
/// <returns>True when the thumbprint is registered.</returns>
private static bool ContainsThumbprint(IssuingAuthority issuingAuthority, string thumbprint)
    => issuingAuthority.Thumbprints.Contains(thumbprint);
/// <summary>
/// Stores <paramref name="issuingAuthority"/> through <c>cosmosDbService</c> and returns
/// what the store hands back.
/// </summary>
/// <param name="issuingAuthority">Entity to store.</param>
/// <returns>The value returned by <c>AddItemAsync</c>.</returns>
/// <remarks>
/// NOTE(review): despite the Async suffix, <c>AddItemAsync</c> must return an
/// <see cref="IssuingAuthority"/> (or something implicitly convertible) for this to
/// compile; confirm the service is not meant to return a Task here.
/// </remarks>
public IssuingAuthority AddIssuingAuthority(IssuingAuthority issuingAuthority)
    => cosmosDbService.AddItemAsync(issuingAuthority);
/// <summary>
/// Configures WIF federated authentication against an Azure Access Control Service
/// namespace: allowed audiences, one issuing authority pinned by thumbprint, and the
/// WS-Federation issuer and realm. Returns without changes when the settings cannot be
/// loaded or still carry their default values.
/// </summary>
/// <param name="accessControlServiceSettings">Settings to apply; loaded via <c>SettingsProvider</c> when null.</param>
public void InitiateFederatedAuthentication(AccessControlServiceSettings accessControlServiceSettings = null)
{
    if (accessControlServiceSettings == null)
    {
        // Database needs an upgrade or is not reachable. We cannot configure Fed Auth at this time.
        // NOTE(review): this returns when UpdateNeeded() is false, which contradicts the
        // comment carried over from the original — confirm which is intended.
        if (!databaseUpgradeDetectorFactory().UpdateNeeded())
        {
            return;
        }

        // Unable to load the settings from the database. We cannot configure Fed Auth at this time.
        if (!SettingsProvider.TryGetSettings(out accessControlServiceSettings))
        {
            return;
        }
    }

    string realm = accessControlServiceSettings.Realm;
    string acsNamespace = accessControlServiceSettings.Namespace;
    string thumbprint = accessControlServiceSettings.IssuerThumbprint;
    var rawAudiences = accessControlServiceSettings.AudienceUris.Split(Constants.Chars.NewLine, Constants.Chars.Space);

    // Leave everything untouched while federation is off or a key setting is still the default.
    var defaults = SettingsProvider.GetDefaultSettings<AccessControlServiceSettings>();
    bool notConfigured = !accessControlServiceSettings.Enabled
        || realm == defaults.Realm
        || acsNamespace == defaults.Namespace
        || thumbprint == defaults.IssuerThumbprint;
    if (notConfigured)
    {
        return;
    }

    // system.identityModel -> identityConfiguration
    IdentityConfiguration identityConfiguration = FederatedAuthentication.FederationConfiguration.IdentityConfiguration;
    identityConfiguration.AudienceRestriction.AllowedAudienceUris.Clear();
    foreach (string candidate in rawAudiences)
    {
        // Only absolute URIs are accepted as audiences.
        Uri probe;
        if (!Uri.TryCreate(candidate, UriKind.Absolute, out probe))
        {
            continue;
        }
        identityConfiguration.AudienceRestriction.AllowedAudienceUris.Add(new Uri(candidate));
    }

    // Only a ValidatingIssuerNameRegistry is updated; other registry types stay as configured.
    var registry = identityConfiguration.IssuerNameRegistry as ValidatingIssuerNameRegistry;
    if (registry != null)
    {
        string acsAddress = string.Concat("https://", acsNamespace, ".accesscontrol.windows.net/");
        var authority = new IssuingAuthority(acsAddress);
        authority.Issuers.Add(acsAddress);
        authority.Thumbprints.Add(thumbprint);
        registry.IssuingAuthorities = new[] { authority };
    }

    // system.identityModel.services -> federationConfiguration -> wsFederation
    var wsFederation = FederatedAuthentication.FederationConfiguration.WsFederationConfiguration;
    wsFederation.Issuer = string.Concat("https://", acsNamespace, ".accesscontrol.windows.net/v2/wsfederation");
    wsFederation.Realm = realm;
}