private static Saml2NameIdentifier ProcessLogoutNameIdentifier(Claim claim) { var fields = DelimitedString.Split(claim.Value); var saml2NameIdentifier = new Saml2NameIdentifier(fields[4]); if (!string.IsNullOrEmpty(fields[0])) { saml2NameIdentifier.NameQualifier = fields[0]; } if (!string.IsNullOrEmpty(fields[1])) { saml2NameIdentifier.SPNameQualifier = fields[1]; } if (!string.IsNullOrEmpty(fields[2])) { saml2NameIdentifier.Format = new Uri(fields[2]); } if (!string.IsNullOrEmpty(fields[3])) { saml2NameIdentifier.SPProvidedId = fields[3]; } return(saml2NameIdentifier); }
public void ShouldWriterSamlResponseAssertionElement() { var issuer = new Saml2NameIdentifier("issuer"); var assertion = new Saml2Assertion(issuer) { Subject = new Saml2Subject(new Saml2NameIdentifier("subject")) }; var token = new Saml2SecurityToken(assertion); var response = new SamlResponse { SecurityToken = token }; var serialized = _serializer.SerializeSamlResponse(response); Assert.NotNull(serialized); var doc = XDocument.Parse(serialized); var root = doc.Root; _mockHandler.Verify(h => h.WriteToken(It.IsAny <XmlWriter>(), token), Times.Once()); var element = root.Element(XName.Get("Assertion", _assertionNamespace)); Assert.NotNull(element); }
private static Saml2Assertion CreatePlaceholderAssertion() { var issuer = new Saml2NameIdentifier("__encrypted__"); var assertion = new Saml2Assertion(issuer); return(assertion); }
public SamlLogoutContext(Uri reason, Saml2NameIdentifier nameId, string federationPartyId, params string[] sessionIndex) { this.Reason = reason; this.NameId = nameId; this.FederationPartyId = federationPartyId; this.SessionIndex = sessionIndex; }
private Saml2Assertion CreateSamlAssertion(SecurityKey signatureKey, SecurityKeyIdentifier signatureKeyIdentifier, SecurityKeyIdentifier proofKeyIdentifier) { Claim claim = base.ClientCredentials.Claims.FirstOrDefault((Claim c) => c.Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier"); if (claim == null) { throw new ArgumentException("At least one NameIdentifier/Identity claim must be present in the claimset", "ClaimsClientCredentials.Claims"); } Saml2Subject saml2Subject = new Saml2Subject { NameId = new Saml2NameIdentifier(claim.Value, new Uri("urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified")) }; Saml2SubjectConfirmationData saml2SubjectConfirmationData = new Saml2SubjectConfirmationData(); saml2SubjectConfirmationData.KeyIdentifiers.Add(proofKeyIdentifier); saml2Subject.SubjectConfirmations.Add(new Saml2SubjectConfirmation(new Uri("urn:oasis:names:tc:SAML:2.0:cm:holder-of-key"), saml2SubjectConfirmationData)); IEnumerable <Saml2Attribute> enumerable = from c in base.ClientCredentials.Claims.Except(new Claim[] { claim }) select new Saml2Attribute(c.Type, c.Value); Claim claim2 = base.ClientCredentials.Claims.FirstOrDefault((Claim c) => c.Type == "http://www.tridion.com/2009/08/directoryservice/claims/directoryServiceName"); Saml2NameIdentifier issuer; if (claim2 == null) { Saml2Attribute saml2Attribute = new Saml2Attribute("http://www.tridion.com/2009/08/directoryservice/claims/directoryServiceName", claim.Issuer); enumerable = enumerable.Concat(new Saml2Attribute[] { saml2Attribute }); issuer = new Saml2NameIdentifier(claim.Issuer); } else { issuer = new Saml2NameIdentifier(claim2.Value); } DateTime utcNow = DateTime.UtcNow; Saml2Assertion saml2Assertion = new Saml2Assertion(issuer) { Subject = saml2Subject, IssueInstant = utcNow, Conditions = new Saml2Conditions { NotBefore = new DateTime?(utcNow), NotOnOrAfter = new DateTime?(utcNow + base.TokenValidityTimeSpan) }, Advice = new Saml2Advice(), SigningCredentials = new SigningCredentials(signatureKey, base.SecurityAlgorithmSuite.DefaultAsymmetricSignatureAlgorithm, base.SecurityAlgorithmSuite.DefaultDigestAlgorithm, signatureKeyIdentifier) }; saml2Assertion.Statements.Add(new Saml2AttributeStatement(enumerable)); if (base.ClientCredentials.AudienceUris != null) { saml2Assertion.Conditions.AudienceRestrictions.Add(new Saml2AudienceRestriction(base.ClientCredentials.AudienceUris)); } return(saml2Assertion); }
public Saml2LogoutRequest(Saml2Configuration config, ClaimsPrincipal currentPrincipal) : this(config) { var identity = currentPrincipal.Identities.First(); if (identity.IsAuthenticated) { NameId = new Saml2NameIdentifier(ReadClaimValue(identity, Saml2ClaimTypes.NameId), new Uri(ReadClaimValue(identity, Saml2ClaimTypes.NameIdFormat))); SessionIndex = ReadClaimValue(identity, Saml2ClaimTypes.SessionIndex); } }
public void ClaimsExtensions_ToSaml2NameIdentifier_LogoutNameIdentifier_NameOnly() { var claim = new Claim(Saml2ClaimTypes.LogoutNameIdentifier, ",,,,NameId"); var actual = claim.ToSaml2NameIdentifier(); var expected = new Saml2NameIdentifier("NameId"); actual.Should().BeEquivalentTo(expected); }
public Saml2LogoutRequest() { NotOnOrAfter = DateTime.UtcNow.AddMinutes(10); var identity = ClaimsPrincipal.Current.Identities.First(); if (identity.IsAuthenticated) { NameId = new Saml2NameIdentifier(ReadClaimValue(identity, Saml2ClaimTypes.NameId), new Uri(ReadClaimValue(identity, Saml2ClaimTypes.NameIdFormat))); SessionIndex = ReadClaimValue(identity, Saml2ClaimTypes.SessionIndex); } }
private string GetTokenString(string organizationName, bool isServiceBusScope) { // Generate Saml assertions.. string issuerName = DefaultIssuer; //string issuerName = "localhost"; Saml2NameIdentifier saml2NameIdentifier = new Saml2NameIdentifier(issuerName); // this is the issuer name. Saml2Assertion saml2Assertion = new Saml2Assertion(saml2NameIdentifier); Uri acsScope = new Uri(StsPath(solutionName, isServiceBusScope)); saml2Assertion.Conditions = new Saml2Conditions(); saml2Assertion.Conditions .AudienceRestrictions.Add(new Saml2AudienceRestriction(acsScope)); // this is the ACS uri. saml2Assertion.Conditions.NotOnOrAfter = DateTime.Now.AddDays(1); // Should this be utc? saml2Assertion.Conditions.NotBefore = DateTime.Now.AddHours(-1); // should this be utc? string certName = "localhost"; X509Certificate2 localCert = RetrieveCertificate(certName); if (!localCert.HasPrivateKey) { throw new ArgumentException("Cert should have private key.", "certificate"); } saml2Assertion.SigningCredentials = new X509SigningCredentials(localCert); // this cert should have the private keys. // Add claim assertions. saml2Assertion.Statements.Add( new Saml2AttributeStatement( new Saml2Attribute(OrganizationClaimType, organizationName))); // the submitter should always be a bearer. saml2Assertion.Subject = new Saml2Subject(new Saml2SubjectConfirmation(Saml2Constants.ConfirmationMethods.Bearer)); // Wrap it into a security token. SecurityTokenHandler tokenHandler = new Saml2SecurityTokenHandler(); SecurityToken securityToken = new Saml2SecurityToken(saml2Assertion); // Serialize the security token. StringBuilder sb = new StringBuilder(); using (XmlWriter writer = XmlTextWriter.Create(new StringWriter(sb, CultureInfo.InvariantCulture))) { tokenHandler.WriteToken(writer, securityToken); writer.Close(); } return(sb.ToString()); }
private Saml2Subject GetSaml2Subject(XmlDocument xmlDocument) { XmlNamespaceManager nsManager = new XmlNamespaceManager(xmlDocument.NameTable); nsManager.AddNamespace("saml2", "urn:oasis:names:tc:SAML:2.0:assertion"); XmlNode subjectNode = xmlDocument.SelectSingleNode("//saml2:Subject", nsManager); XmlNode nameIDNode = subjectNode.SelectSingleNode("//saml2:NameID", nsManager); Saml2NameIdentifier nameId = new Saml2NameIdentifier(nameIDNode.InnerText, new Uri(nameIDNode.Attributes["Format"].Value)); return(new Saml2Subject(nameId)); }
public void ClaimsExtensions_ToSaml2NameIdentifier_LogoutNameIdentifier_SPProvidedId() { var claim = new Claim(Saml2ClaimTypes.LogoutNameIdentifier, ",,,spId,NameId"); var actual = claim.ToSaml2NameIdentifier(); var expected = new Saml2NameIdentifier("NameId") { SPProvidedId = "spId" }; actual.Should().BeEquivalentTo(expected); }
public void ClaimsExtensions_ToSaml2NameIdentifier_LogoutNameIdentifier_NameIdFormat() { var claim = new Claim(Saml2ClaimTypes.LogoutNameIdentifier, ",,urn:foo,,NameId"); var actual = claim.ToSaml2NameIdentifier(); var expected = new Saml2NameIdentifier("NameId") { Format = new Uri("urn:foo") }; actual.Should().BeEquivalentTo(expected); }
public void ClaimsExtensions_ToSaml2NameIdentifier_LogoutNameIdentifier_SPNameQualifier() { var claim = new Claim(AuthServicesClaimTypes.LogoutNameIdentifier, ",qualifier,,,NameId"); var actual = claim.ToSaml2NameIdentifier(); var expected = new Saml2NameIdentifier("NameId") { SPNameQualifier = "qualifier" }; actual.ShouldBeEquivalentTo(expected); }
private static IEnumerable <Claim> ClaimsFromSubject(Saml2Subject subject, Saml2NameIdentifier issuer) { if (subject == null) { yield break; } if (subject.NameId != null) { yield return(new Claim("sub", subject.NameId.Value, ClaimValueTypes.String, issuer.Value)); // openid connect yield return(new Claim(ClaimTypes.NameIdentifier, subject.NameId.Value, ClaimValueTypes.String, issuer.Value)); // saml } }
public void ClaimsExtensions_ToSaml2NameIdentifier_NameIdentifier_SPProvidedId() { var claim = new Claim(ClaimTypes.NameIdentifier, "NameId"); claim.Properties[ClaimProperties.SamlNameIdentifierSPProvidedId] = "spId"; var actual = claim.ToSaml2NameIdentifier(); var expected = new Saml2NameIdentifier("NameId") { SPProvidedId = "spId" }; actual.Should().BeEquivalentTo(expected); }
public void ClaimsExtensions_ToSaml2NameIdentifier_NameIdentifier_NameQualifier() { var claim = new Claim(ClaimTypes.NameIdentifier, "NameId"); claim.Properties[ClaimProperties.SamlNameIdentifierNameQualifier] = "qualifier"; var actual = claim.ToSaml2NameIdentifier(); var expected = new Saml2NameIdentifier("NameId") { NameQualifier = "qualifier" }; actual.Should().BeEquivalentTo(expected); }
public void ClaimsExtensions_ToSaml2NameIdentifier_NameIdentifier_NameIdFormat() { var claim = new Claim(ClaimTypes.NameIdentifier, "NameId"); claim.Properties[ClaimProperties.SamlNameIdentifierFormat] = "urn:foo"; var actual = claim.ToSaml2NameIdentifier(); var expected = new Saml2NameIdentifier("NameId") { Format = new Uri("urn:foo") }; actual.Should().BeEquivalentTo(expected); }
public static SecurityToken MakeBootstrapSecurityToken() { Saml2NameIdentifier identifier = new Saml2NameIdentifier("http://localhost/Echo"); Saml2Assertion assertion = new Saml2Assertion(identifier); assertion.Issuer = new Saml2NameIdentifier("idp1.test.oio.dk"); assertion.Subject = new Saml2Subject(new Saml2NameIdentifier("Casper", new Uri("urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"))); Saml2Attribute atribute = new Saml2Attribute("dk:gov:saml:attribute:AssuranceLevel", "2"); atribute.NameFormat = new Uri("urn:oasis:names:tc:SAML:2.0:attrname-format:basic"); assertion.Statements.Add(new Saml2AttributeStatement(atribute)); return(new Saml2SecurityToken(assertion)); }
private static Saml2NameIdentifier ProcessNameIdentifier(Claim claim) { var saml2NameIdentifier = new Saml2NameIdentifier(claim.Value); claim.ExtractProperty(ClaimProperties.SamlNameIdentifierFormat, value => saml2NameIdentifier.Format = new Uri(value)); claim.ExtractProperty(ClaimProperties.SamlNameIdentifierNameQualifier, value => saml2NameIdentifier.NameQualifier = value); claim.ExtractProperty(ClaimProperties.SamlNameIdentifierSPNameQualifier, value => saml2NameIdentifier.SPNameQualifier = value); claim.ExtractProperty(ClaimProperties.SamlNameIdentifierSPProvidedId, value => saml2NameIdentifier.SPProvidedId = value); return(saml2NameIdentifier); }
/// <summary> /// Create XElement for the Saml2NameIdentifier. /// </summary> /// <param name="nameIdentifier"></param> /// <returns></returns> public static XElement ToXElement(this Saml2NameIdentifier nameIdentifier) { if (nameIdentifier == null) { throw new ArgumentNullException("nameIdentifier"); } var nameIdElement = new XElement(Saml2Namespaces.Saml2 + "NameID", nameIdentifier.Value); nameIdElement.AddAttributeIfNotNullOrEmpty("Format", nameIdentifier.Format); nameIdElement.AddAttributeIfNotNullOrEmpty("NameQualifier", nameIdentifier.NameQualifier); nameIdElement.AddAttributeIfNotNullOrEmpty("SPNameQualifier", nameIdentifier.SPNameQualifier); nameIdElement.AddAttributeIfNotNullOrEmpty("SPProvidedID", nameIdentifier.SPProvidedId); return(nameIdElement); }
public Saml2LogoutRequest(Saml2Configuration config, ClaimsPrincipal currentPrincipal) : this(config) { var identity = currentPrincipal.Identities.First(); if (identity.IsAuthenticated) { var nameIdFormat = ReadClaimValue(identity, Saml2ClaimTypes.NameIdFormat, false); if (string.IsNullOrEmpty(nameIdFormat)) { NameId = new Saml2NameIdentifier(ReadClaimValue(identity, Saml2ClaimTypes.NameId)); } else { NameId = new Saml2NameIdentifier(ReadClaimValue(identity, Saml2ClaimTypes.NameId), new Uri(nameIdFormat)); } SessionIndex = ReadClaimValue(identity, Saml2ClaimTypes.SessionIndex, false); } }
public void IdentityProvider_CreateLogoutRequest() { var options = StubFactory.CreateOptions(); options.SPOptions.ServiceCertificates.Add(new ServiceCertificate() { Certificate = SignedXmlHelper.TestCert }); var subject = options.IdentityProviders[0]; var nameIdClaim = new Claim(ClaimTypes.NameIdentifier, "NameId", null, subject.EntityId.Id); nameIdClaim.Properties[ClaimProperties.SamlNameIdentifierFormat] = "urn:nameIdFormat"; Thread.CurrentPrincipal = new ClaimsPrincipal(new ClaimsIdentity( new Claim[] { nameIdClaim, new Claim(AuthServicesClaimTypes.SessionIndex, "SessionId", null, subject.EntityId.Id) }, "Federation")); // Grab a datetime both before and after creation to handle case // when the second part is changed during excecution of the test. // We're assuming that the creation does not take more than a // second, so two values will do. var beforeTime = DateTime.UtcNow.ToSaml2DateTimeString(); var actual = subject.CreateLogoutRequest(); var aftertime = DateTime.UtcNow.ToSaml2DateTimeString(); actual.Issuer.Id.Should().Be(options.SPOptions.EntityId.Id); actual.Id.Value.Should().NotBeEmpty(); actual.IssueInstant.Should().Match(i => i == beforeTime || i == aftertime); actual.SessionIndex.Should().Be("SessionId"); actual.SigningCertificate.Thumbprint.Should().Be(SignedXmlHelper.TestCert.Thumbprint); var expectedNameId = new Saml2NameIdentifier("NameId") { Format = new Uri("urn:nameIdFormat") }; actual.NameId.ShouldBeEquivalentTo(expectedNameId); }
/// <summary> /// Create a Saml2NameIdentifier from a NameIdentifier claim. /// </summary> /// <param name="nameIdClaim">Name identifier claim.</param> /// <returns>Saml2NameIdentifier</returns> public static Saml2NameIdentifier ToSaml2NameIdentifier(this Claim nameIdClaim) { if (nameIdClaim == null) { throw new ArgumentNullException(nameof(nameIdClaim)); } var saml2NameIdentifier = new Saml2NameIdentifier(nameIdClaim.Value); nameIdClaim.ExtractProperty(ClaimProperties.SamlNameIdentifierFormat, value => saml2NameIdentifier.Format = new Uri(value)); nameIdClaim.ExtractProperty(ClaimProperties.SamlNameIdentifierNameQualifier, value => saml2NameIdentifier.NameQualifier = value); nameIdClaim.ExtractProperty(ClaimProperties.SamlNameIdentifierSPNameQualifier, value => saml2NameIdentifier.SPNameQualifier = value); nameIdClaim.ExtractProperty(ClaimProperties.SamlNameIdentifierSPProvidedId, value => saml2NameIdentifier.SPProvidedId = value); return(saml2NameIdentifier); }
/// <summary> /// Creates the SAML authentication request with the correct name identifier. /// </summary> /// <param name="identityClaim">The identity claim.</param> /// <param name="authnRequestId">The AuthnRequest identifier.</param> /// <param name="ascUri">The asc URI.</param> /// <returns>The authentication request.</returns> public static Saml2AuthenticationSecondFactorRequest CreateAuthnRequest(Claim identityClaim, string authnRequestId, Uri ascUri) { var serviceproviderConfiguration = Kentor.AuthServices.Configuration.Options.FromConfiguration; Log.DebugFormat("Creating AuthnRequest for identity '{0}'", identityClaim.Value); var nameIdentifier = new Saml2NameIdentifier(GetNameId(identityClaim), new Uri("urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified")); var authnRequest = new Saml2AuthenticationSecondFactorRequest { DestinationUrl = Settings.Default.SecondFactorEndpoint, AssertionConsumerServiceUrl = ascUri, Issuer = serviceproviderConfiguration.SPOptions.EntityId, RequestedAuthnContext = new Saml2RequestedAuthnContext(Settings.Default.MinimalLoa, AuthnContextComparisonType.Exact), Subject = new Saml2Subject(nameIdentifier), }; authnRequest.SetId(authnRequestId); Log.InfoFormat("Created AuthnRequest for '{0}' with id '{1}'", identityClaim.Value, authnRequest.Id.Value); return(authnRequest); }
private async Task <Saml2SecurityToken> CreateSecurityTokenAsync(SignInRequest request, RelyingParty rp, ClaimsIdentity outgoingSubject) { var now = DateTime.Now; var outgoingNameId = outgoingSubject.Claims.FirstOrDefault(c => c.Type == ClaimTypes.NameIdentifier); if (outgoingNameId == null) { _logger.LogError("The user profile does not have a name id"); throw new SignInException("The user profile does not have a name id"); } var issuer = new Saml2NameIdentifier(_options.IssuerName); var nameId = new Saml2NameIdentifier(outgoingNameId.Value); var subjectConfirmationData = new Saml2SubjectConfirmationData(); subjectConfirmationData.NotOnOrAfter = now.AddMinutes( rp.TokenLifetimeInMinutes.GetValueOrDefault(_options.DefaultNotOnOrAfterInMinutes)); if (request.Parameters.ContainsKey("Recipient")) { subjectConfirmationData.Recipient = new Uri(request.Parameters["Recipient"]); } else { subjectConfirmationData.Recipient = new Uri(rp.ReplyUrl); } var subjectConfirmation = new Saml2SubjectConfirmation(new Uri("urn:oasis:names:tc:SAML:2.0:cm:bearer"), subjectConfirmationData); subjectConfirmation.NameIdentifier = nameId; var subject = new Saml2Subject(subjectConfirmation); var conditions = new Saml2Conditions(new Saml2AudienceRestriction[] { new Saml2AudienceRestriction(request.Realm) }); conditions.NotOnOrAfter = now.AddMinutes( rp.TokenLifetimeInMinutes.GetValueOrDefault(_options.DefaultNotOnOrAfterInMinutes)); conditions.NotBefore = now.Subtract(TimeSpan.FromMinutes(_options.DefaultNotBeforeInMinutes)); var authContext = new Saml2AuthenticationContext(new Uri("urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport")); var authStatement = new Saml2AuthenticationStatement(authContext, now); authStatement.SessionIndex = (request.Parameters.ContainsKey("SessionIndex")) ? request.Parameters["SessionIndex"] : null; var attributeStament = new Saml2AttributeStatement(); foreach (var claim in outgoingSubject.Claims) { _logger.LogDebug("Adding attribute in SAML token '{0} - {1}'", claim.Type, claim.Value); attributeStament.Attributes.Add(new Saml2Attribute(claim.Type, claim.Value)); } var assertion = new Saml2Assertion(issuer); assertion.Id = new Saml2Id(); assertion.Subject = subject; assertion.Conditions = conditions; assertion.Statements.Add(attributeStament); assertion.Statements.Add(authStatement); assertion.IssueInstant = now; assertion.SigningCredentials = await _keyService.GetSigningCredentialsAsync(); var token = new Saml2SecurityToken(assertion); token.SigningKey = assertion.SigningCredentials.Key; return(token); }
public Saml2EncryptedAssertion(Saml2NameIdentifier issuer) : base(issuer) { }