protected virtual SecurityTokenHandler GetSecurityTokenHandler()
{
var authPlugin = PluginManager.GetSingleton <SamlOAuthClient>();
//var config = System.IdentityModel.Services.Configuration..FederationConfiguration..;
SecurityTokenHandler handler = null;
var securityRequirements = new SamlSecurityTokenRequirement();
var securityTokenHandlerConfig = new SecurityTokenHandlerConfiguration();
switch (authPlugin.IdpBindingType)
{
case SamlBinding.SAML11_POST:
handler = new SamlSecurityTokenHandler(securityRequirements)
{
Configuration = securityTokenHandlerConfig
};
break;
case SamlBinding.SAML20_POST:
handler = new SubjectConfirmationDataSaml2SecurityTokenHandler(securityRequirements, authPlugin.SubjectRecipientValidationMode)
{
Configuration = securityTokenHandlerConfig
};
break;
}
if (handler == null)
{
throw new InvalidOperationException(
string.Format("No suitable token handler was loaded for the SAML binding type : {0}",
tokenProcessorConfiguration.IdpBindingType));
}
handler.Configuration.IssuerNameRegistry = new CodeBasedIssuerNameRegistry(tokenProcessorConfiguration.TrustedIssuerThumbprint.Split(','));
handler.Configuration.CertificateValidationMode = tokenProcessorConfiguration.CertificateValidationMode;
if (typeof(SamlSecurityTokenHandler).IsAssignableFrom(handler.GetType()))
{
((SamlSecurityTokenHandler)handler).CertificateValidator = GetCertificateValidator(handler.Configuration.CertificateValidationMode);
}
if (typeof(Saml2SecurityTokenHandler).IsAssignableFrom(handler.GetType()))
{
((Saml2SecurityTokenHandler)handler).CertificateValidator = GetCertificateValidator(handler.Configuration.CertificateValidationMode);
}
handler.Configuration.AudienceRestriction.AudienceMode = System.IdentityModel.Selectors.AudienceUriMode.Never;
return(handler);
}
public override ReadOnlyCollection <ClaimsIdentity> ValidateToken(SecurityToken token)
{
var saml2SecurityToken = token as Saml2SecurityToken;
this.ValidateConditions(saml2SecurityToken.Assertion.Conditions, SamlSecurityTokenRequirement.ShouldEnforceAudienceRestriction(Configuration.AudienceRestriction.AudienceMode, saml2SecurityToken));
if (this.Configuration.DetectReplayedTokens)
{
this.DetectReplayedToken(saml2SecurityToken);
}
// If the backing token is x509, validate trust
X509SecurityToken issuerToken = saml2SecurityToken.IssuerToken as X509SecurityToken;
if (issuerToken != null)
{
this.CertificateValidator.Validate(issuerToken.Certificate);
}
var identity = this.CreateClaims(saml2SecurityToken);
if (saml2SecurityToken.Assertion.Subject.NameId != null)
{
identity.AddClaim(new Claim(Saml2ClaimTypes.NameId, saml2SecurityToken.Assertion.Subject.NameId.Value));
//throw new InvalidDataException("The requered NameID Assertion is null");
if (saml2SecurityToken.Assertion.Subject.NameId.Format != null)
{
identity.AddClaim(new Claim(Saml2ClaimTypes.NameIdFormat, saml2SecurityToken.Assertion.Subject.NameId.Format.AbsoluteUri));
//throw new InvalidDataException("The requered NameID Assertion Format is null");
}
}
identity.AddClaim(new Claim(Saml2ClaimTypes.SessionIndex, saml2SecurityToken.Id));
if (Configuration.SaveBootstrapContext)
{
identity.BootstrapContext = new BootstrapContext(saml2SecurityToken, this);
}
return(new List <ClaimsIdentity>(1)
{
identity
}.AsReadOnly());
}
public IPrincipal ProcessResponse(string samlResponse, IFederatedAuthenticationSettings settings)
{
ThrowIf.ArgumentNull(samlResponse, nameof(samlResponse));
ThrowIf.ArgumentNull(settings, nameof(settings));
var token = ReadSecurityToken(samlResponse, settings);
if (token == null)
{
// TODO add logging
// Log.DebugFormat("[SAMLHandler] Cannot read non SAML2 token.\n {0}", tokenString);
throw new FederatedAuthenticationException("Cannot read token",
FederatedAuthenticationErrorCode.WrongFormat);
}
var samlSecurityTokenRequirement = new SamlSecurityTokenRequirement
{
NameClaimType = settings.NameClaimType, // "Username",
MapToWindows = false
};
var handler = new BpSaml2SecurityTokenHandler(samlResponse, samlSecurityTokenRequirement)
{
Configuration = new SecurityTokenHandlerConfiguration()
};
ConfigureHandler(handler.Configuration, settings);
ReadOnlyCollection <ClaimsIdentity> validateToken;
try
{
validateToken = handler.ValidateToken(token);
}
catch (FederatedAuthenticationException faEx)
{
if (faEx.ErrorCode != FederatedAuthenticationErrorCode.WrongFormat)
{
throw;
}
token = (Saml2SecurityToken)handler.ReadToken(samlResponse);
validateToken = handler.ValidateToken(token);
}
return(new ClaimsPrincipal(validateToken));
}
public ReadOnlyCollection <ClaimsIdentity> ValidateToken(SecurityToken token, Saml2Response saml2Response)
{
var saml2SecurityToken = token as Saml2SecurityToken;
ValidateConditions(saml2SecurityToken.Assertion.Conditions, SamlSecurityTokenRequirement.ShouldEnforceAudienceRestriction(Configuration.AudienceRestriction.AudienceMode, saml2SecurityToken));
if (Configuration.DetectReplayedTokens)
{
DetectReplayedToken(saml2SecurityToken);
}
var identity = CreateClaims(saml2SecurityToken);
if (saml2SecurityToken.Assertion.Subject.NameId != null)
{
saml2Response.NameId = saml2SecurityToken.Assertion.Subject.NameId;
identity.AddClaim(new Claim(Saml2ClaimTypes.NameId, saml2Response.NameId.Value));
if (saml2Response.NameId.Format != null)
{
identity.AddClaim(new Claim(Saml2ClaimTypes.NameIdFormat, saml2Response.NameId.Format.OriginalString));
}
}
var sessionIndex = (saml2SecurityToken.Assertion.Statements.Where(s => s is Saml2AuthenticationStatement).FirstOrDefault() as Saml2AuthenticationStatement)?.SessionIndex;
if (sessionIndex != null)
{
saml2Response.SessionIndex = sessionIndex;
identity.AddClaim(new Claim(Saml2ClaimTypes.SessionIndex, saml2Response.SessionIndex));
}
if (Configuration.SaveBootstrapContext)
{
identity.BootstrapContext = new BootstrapContext(saml2SecurityToken, this);
}
return(new List <ClaimsIdentity>(1)
{
identity
}.AsReadOnly());
}
public CardSignIn()
{
SecurityTokenHandlerConfiguration handlerConfig = new SecurityTokenHandlerConfiguration();
handlerConfig.IssuerNameRegistry = new TrustedIssuerNameRegistry();
List <SecurityToken> servicetokens = new List <SecurityToken>(1);
servicetokens.Add(new X509SecurityToken(CertificateUtil.GetCertificate(StoreName.My, StoreLocation.LocalMachine, "CN=localhost")));
handlerConfig.ServiceTokenResolver = SecurityTokenResolver.CreateDefaultSecurityTokenResolver(servicetokens.AsReadOnly(), false);
handlerConfig.AudienceRestriction.AllowedAudienceUris.Add(new Uri("https://localhost/AuthAssuranceSTS/CardSignIn.aspx"));
_handlers = new SecurityTokenHandlerCollection(handlerConfig);
SamlSecurityTokenRequirement samlReqs = new SamlSecurityTokenRequirement();
_handlers.Add(new EncryptedSecurityTokenHandler());
_handlers.Add(new Saml11SecurityTokenHandler(samlReqs));
}
public void Validate(Saml2SecurityToken token, SecurityTokenHandlerConfiguration configuration)
{
if (token == null || token.Response == null || configuration == null)
{
throw new ArgumentNullException();
}
if (token.Response.Assertions != null)
{
foreach (var assertion in token.Response.Assertions)
{
if (assertion.Conditions != null)
{
if (configuration.AudienceRestriction.AudienceMode == AudienceUriMode.Always)
{
if (configuration.AudienceRestriction.AllowedAudienceUris.Count() == 0)
{
throw new ValidationException("AudienceRestriction's allowed uris must be provided if AudienceMode is set to Always. Set to Never to suppress this.");
}
if (assertion.Conditions.AudienceRestriction.Count() == 0)
{
throw new ValidationException("Token doesn't contain any audience to validate the configuration against");
}
var security = new SamlSecurityTokenRequirement();
foreach (var restriction in assertion.Conditions.AudienceRestriction)
{
security.ValidateAudienceRestriction(configuration.AudienceRestriction.AllowedAudienceUris, restriction.Audience.Select(a => new Uri(a)).ToList());
}
}
if (configuration.AudienceRestriction.AudienceMode == AudienceUriMode.BearerKeyOnly)
{
#warning TODO!
}
}
}
}
}
public HttpSaml2SecurityTokenHandler(SamlSecurityTokenRequirement requirement, string identifier)
: base(requirement)
{
_identifier = new string[] { identifier };
}
public ReadOnlyCollection <ClaimsIdentity> ValidateToken(SecurityToken token, string tokenString, Saml2Response saml2Response)
#endif
{
var saml2SecurityToken = token as Saml2SecurityToken;
#if NETFULL
ValidateConditions(saml2SecurityToken.Assertion.Conditions, SamlSecurityTokenRequirement.ShouldEnforceAudienceRestriction(Configuration.AudienceRestriction.AudienceMode, saml2SecurityToken));
#else
ValidateConditions(saml2SecurityToken, TokenValidationParameters);
#endif
#if NETFULL
if (Configuration.DetectReplayedTokens)
{
DetectReplayedToken(saml2SecurityToken);
}
#else
if (TokenValidationParameters.ValidateTokenReplay)
{
ValidateTokenReplay(saml2SecurityToken.Assertion.Conditions.NotBefore, tokenString, TokenValidationParameters);
}
#endif
#if NETFULL
var identity = CreateClaims(saml2SecurityToken);
#else
var identity = CreateClaimsIdentity(saml2SecurityToken, TokenValidationParameters.ValidIssuer, TokenValidationParameters);
#endif
if (saml2SecurityToken.Assertion.Subject.NameId != null)
{
saml2Response.NameId = saml2SecurityToken.Assertion.Subject.NameId;
identity.AddClaim(new Claim(Saml2ClaimTypes.NameId, saml2Response.NameId.Value));
if (saml2Response.NameId.Format != null)
{
identity.AddClaim(new Claim(Saml2ClaimTypes.NameIdFormat, saml2Response.NameId.Format.OriginalString));
}
}
var sessionIndex = (saml2SecurityToken.Assertion.Statements.Where(s => s is Saml2AuthenticationStatement).FirstOrDefault() as Saml2AuthenticationStatement)?.SessionIndex;
if (sessionIndex != null)
{
saml2Response.SessionIndex = sessionIndex;
identity.AddClaim(new Claim(Saml2ClaimTypes.SessionIndex, saml2Response.SessionIndex));
}
#if NETFULL
if (Configuration.SaveBootstrapContext)
{
identity.BootstrapContext = new BootstrapContext(saml2SecurityToken, this);
}
#else
if (TokenValidationParameters.SaveSigninToken)
{
identity.BootstrapContext = tokenString;
}
#endif
return(new List <ClaimsIdentity>(1)
{
identity
}.AsReadOnly());
}
public HttpSamlSecurityTokenHandler(SamlSecurityTokenRequirement requirement)
: base(requirement)
{
}
public SubjectConfirmationDataSaml2SecurityTokenHandler(SamlSecurityTokenRequirement samlSecurityTokenRequirement, SubjectRecipientValidationMode subjectRecipientValidationMode) : base(samlSecurityTokenRequirement)
{
_subjectRecipientValidationMode = subjectRecipientValidationMode;
}
public SubjectConfirmationDataSaml2SecurityTokenHandler(SamlSecurityTokenRequirement samlSecurityTokenRequirement) : base(samlSecurityTokenRequirement)
{
}
public BpSaml2SecurityTokenHandler(string samlXml, SamlSecurityTokenRequirement samlSecurityTokenRequirement)
: base(samlSecurityTokenRequirement)
{
_samlXml = samlXml;
}
public SamlImpersonatableSecurityTokenHandler(SamlSecurityTokenRequirement samlSecurityTokenRequirement) : base(samlSecurityTokenRequirement)
{
}
