/// <summary>
/// Wraps the parent's default SecurityTokenHandlerCollection in a
/// WsSecurityTokenSerializerAdapter so it can be used where a SecurityTokenSerializer is expected.
/// </summary>
/// <param name="version">
/// The token version whose security specifications (namespace URIs) select the WS-Trust and
/// WS-SecureConversation versions the adapter is created with.
/// </param>
/// <returns>The adapter configured for the versions derived from <paramref name="version"/>.</returns>
private SecurityTokenSerializer WrapTokenHandlersAsSecurityTokenSerializer(SecurityTokenVersion version)
{
    // These defaults stay in effect when the version advertises neither namespace of a spec.
    TrustVersion trustVersion = TrustVersion.WSTrust13;
    SecureConversationVersion secureConversationVersion = SecureConversationVersion.WSSecureConversation13;

    // Namespaces are matched ordinally (exact, case-sensitive). Note that if a version lists both
    // the Feb2005 and the 1.3 namespace of the same spec, whichever is enumerated last wins.
    foreach (string specification in version.GetSecuritySpecifications())
    {
        if (string.Equals(specification, WSTrustFeb2005Constants.NamespaceURI, StringComparison.Ordinal))
        {
            trustVersion = TrustVersion.WSTrustFeb2005;
        }
        else if (string.Equals(specification, WSTrust13Constants.NamespaceURI, StringComparison.Ordinal))
        {
            trustVersion = TrustVersion.WSTrust13;
        }
        else if (string.Equals(specification, System.IdentityModel.WSSecureConversationFeb2005Constants.Namespace, StringComparison.Ordinal))
        {
            secureConversationVersion = SecureConversationVersion.WSSecureConversationFeb2005;
        }
        else if (string.Equals(specification, System.IdentityModel.WSSecureConversation13Constants.Namespace, StringComparison.Ordinal))
        {
            secureConversationVersion = SecureConversationVersion.WSSecureConversation13;
        }
    }

    // The WS-Security version is not derived from the loop above but resolved separately.
    SecurityVersion securityVersion = FederatedSecurityTokenManager.GetSecurityVersion(version);

    var defaultHandlers = this.parent.SecurityTokenHandlerCollectionManager[SecurityTokenHandlerCollectionManager.Usage.Default];

    // NOTE(review): the trailing false/null arguments are positional and their meaning is not
    // visible here; confirm against the adapter's constructor what they disable before changing them.
    return new WsSecurityTokenSerializerAdapter(defaultHandlers, securityVersion, trustVersion, secureConversationVersion, false, null, null, null);
}
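/// <summary>
/// Converts a WCF SecurityContextSecurityToken into a SessionSecurityToken that carries the same
/// context id, key bytes, lifetime and key-generation data.
/// </summary>
/// <param name="sct">The security context token to convert. Must not be null.</param>
/// <param name="version">
/// The WS-SecureConversation version whose namespace is recorded on the session token. Must not be null.
/// </param>
/// <returns>
/// A session token whose principal is built from the identities of the first AuthorizationPolicy
/// found on <paramref name="sct"/> (an empty principal when there is none), whose endpoint id
/// comes from the first EndpointAuthorizationPolicy (empty string when there is none), and which
/// carries the first SctAuthorizationPolicy if one is present.
/// </returns>
/// <exception cref="ArgumentNullException"><paramref name="sct"/> or <paramref name="version"/> is null.</exception>
public static SessionSecurityToken ConvertSctToSessionToken(SecurityContextSecurityToken sct, SecureConversationVersion version)
{
    if (sct == null)
    {
        throw new ArgumentNullException("sct");
    }
    if (version == null)
    {
        throw new ArgumentNullException("version");
    }

    EndpointAuthorizationPolicy endpointPolicy = null;
    SctAuthorizationPolicy sctAuthPolicy = null;
    AuthorizationPolicy authorizationPolicy = null;

    // The policy collection can be empty in transport security. The previous version guarded it
    // against null only after it had already been indexed; the guard now covers every access.
    // A single pass picks the FIRST policy of each type, which is exactly what three separate
    // "find first, then break" loops would have produced.
    var policies = sct.AuthorizationPolicies;
    if (policies != null)
    {
        for (int i = 0; i < policies.Count; ++i)
        {
            IAuthorizationPolicy policy = policies[i];

            if (endpointPolicy == null)
            {
                endpointPolicy = policy as EndpointAuthorizationPolicy;
            }

            // The WCF SCT carries an SctAuthorizationPolicy that wraps the primary identity of the
            // bootstrap token. It is required for SCT renewal, so it is propagated when available.
            if (sctAuthPolicy == null)
            {
                sctAuthPolicy = policy as SctAuthorizationPolicy;
            }

            // We expect exactly one IAuthorizationPolicy of type AuthorizationPolicy.
            if (authorizationPolicy == null)
            {
                authorizationPolicy = policy as AuthorizationPolicy;
            }
        }
    }

    string endpointId = endpointPolicy != null ? endpointPolicy.EndpointId : String.Empty;

    ClaimsPrincipal claimsPrincipal = null;
    if (authorizationPolicy != null && authorizationPolicy.IdentityCollection != null)
    {
        claimsPrincipal = new ClaimsPrincipal(authorizationPolicy.IdentityCollection);
    }

    if (claimsPrincipal == null)
    {
        // No AuthorizationPolicy means the SCT is the bootstrap negotiation token that is only used
        // to obtain a key for the outer/actual SCT (there is no other way to tell this case apart).
        // An empty ClaimsPrincipal is used so that, when written on the wire in cookie mode, no
        // anonymous identity is serialized; otherwise, once the real bootstrap token (e.g. SAML)
        // arrives, its identities would be added on top and the principal would end up with
        // several identities, one of them anonymous.
        // SECURITY NOTE: a token produced by this branch carries no identity and must not be
        // treated by callers as an authenticated caller.
        claimsPrincipal = new ClaimsPrincipal();
    }

    // The raw key bytes are copied into the session token, so the result is secret material
    // exactly like the SCT it was built from and has to be protected accordingly.
    return new SessionSecurityToken(claimsPrincipal, sct.ContextId, sct.Id, String.Empty, sct.GetKeyBytes(), endpointId, sct.ValidFrom, sct.ValidTo, sct.KeyGeneration, sct.KeyEffectiveTime, sct.KeyExpirationTime, sctAuthPolicy, new Uri(version.Namespace.Value));
}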
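/// <summary>
/// Converts a WCF SecurityContextSecurityToken into a SessionSecurityToken carrying the same
/// context id, key bytes, lifetime and key-generation data.
/// </summary>
/// <param name="sct">The security context token to convert. Must not be null.</param>
/// <param name="version">
/// The WS-SecureConversation version whose namespace is recorded on the session token. Must not be null.
/// </param>
/// <returns>
/// A session token whose principal is built from the identities of the first AuthorizationPolicy on
/// <paramref name="sct"/> (an empty principal when there is none), whose endpoint id comes from the
/// first EndpointAuthorizationPolicy (empty string when there is none), and which carries the first
/// SctAuthorizationPolicy if one is present.
/// </returns>
/// <exception cref="ArgumentNullException"><paramref name="sct"/> or <paramref name="version"/> is null.</exception>
public static SessionSecurityToken ConvertSctToSessionToken(SecurityContextSecurityToken sct, SecureConversationVersion version)
{
    if (sct == null)
    {
        throw new ArgumentNullException("sct");
    }
    if (version == null)
    {
        throw new ArgumentNullException("version");
    }

    // The policy collection can be empty in transport security. The earlier code tested it for
    // null only after two loops had already indexed it; the null guard is hoisted so it covers
    // every access. One pass selects the FIRST policy of each type, which matches what the three
    // separate "find first, then break" loops did.
    EndpointAuthorizationPolicy endpointPolicy = null;
    SctAuthorizationPolicy sctAuthPolicy = null;
    AuthorizationPolicy authorizationPolicy = null;

    var policies = sct.AuthorizationPolicies;
    int policyCount = policies != null ? policies.Count : 0;
    for (int i = 0; i < policyCount; ++i)
    {
        IAuthorizationPolicy policy = policies[i];

        if (endpointPolicy == null)
        {
            endpointPolicy = policy as EndpointAuthorizationPolicy;
        }

        // The WCF SCT carries an SctAuthorizationPolicy that wraps the primary identity of the
        // bootstrap token; it is required for SCT renewal and is propagated when available.
        if (sctAuthPolicy == null)
        {
            sctAuthPolicy = policy as SctAuthorizationPolicy;
        }

        // We expect exactly one IAuthorizationPolicy of type AuthorizationPolicy.
        if (authorizationPolicy == null)
        {
            authorizationPolicy = policy as AuthorizationPolicy;
        }
    }

    string endpointId = String.Empty;
    if (endpointPolicy != null)
    {
        endpointId = endpointPolicy.EndpointId;
    }

    ClaimsPrincipal claimsPrincipal;
    if (authorizationPolicy != null && authorizationPolicy.IdentityCollection != null)
    {
        claimsPrincipal = new ClaimsPrincipal(authorizationPolicy.IdentityCollection);
    }
    else
    {
        // No AuthorizationPolicy means the SCT is the bootstrap negotiation token used only to
        // obtain a key for the outer/actual SCT (there is no other way to tell this case apart).
        // An empty ClaimsPrincipal is used so that, when written on the wire in cookie mode, no
        // anonymous identity is serialized; otherwise, once the real bootstrap token (e.g. SAML)
        // arrives, its identities would be added on top and the principal would end up with
        // several identities, one of them anonymous.
        // SECURITY NOTE: a token produced by this branch carries no identity and must not be
        // treated by callers as an authenticated caller.
        claimsPrincipal = new ClaimsPrincipal();
    }

    // The raw key bytes are copied into the session token, so the result is secret material
    // exactly like the SCT it was built from and has to be protected accordingly.
    return new SessionSecurityToken(claimsPrincipal, sct.ContextId, sct.Id, String.Empty, sct.GetKeyBytes(), endpointId, sct.ValidFrom, sct.ValidTo, sct.KeyGeneration, sct.KeyEffectiveTime, sct.KeyExpirationTime, sctAuthPolicy, new Uri(version.Namespace.Value));
}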