/// <summary>
/// Replace the RelyingParty encryption keys with a new set of keys from a metadata update.
/// </summary>
static void UpdateRelyingPartyMetadata()
{
ManagementService svc = ManagementServiceHelper.CreateManagementServiceClient();
Console.WriteLine(String.Format("Reading metadata from file '{0}'...\n", RPMetadataForUpdate));
using (FileStream fileStream = new FileStream(RPMetadataForUpdate, FileMode.Open))
{
//
// Note that this sample uses EntityID to correlate between the relying party originally imported
// and the relying party to update.
//
EntityDescriptor metadata = ReadMetadata(fileStream);
List <X509Certificate2> rpKeys = ExtractX509CertificatesFromMetadata <ApplicationServiceDescriptor>(metadata, KeyType.Encryption);
string relyingPartyName = GetEntityName(metadata);
RelyingParty relyingParty = svc.GetRelyingPartyByName(relyingPartyName, true);
Console.WriteLine(String.Format("Updating metadata for relying party '{0}'...\n", relyingPartyName));
//
// For the purposes of this sample, the existing keys are simply deleted and new ones added.
// Metadata contains more information such as endpoint addresses.
// Updating the remainder of these attributes is left as an exercise to the reader.
//
DeleteExistingRelyingPartyEncryptingKeys(svc, relyingParty);
InsertRelyingPartyEncryptingKeysFromMetadata(svc, rpKeys, relyingParty);
//
// SaveChangesOptions.Batch guarantees a transaction across all operations prior to this call. This
// is important because on a running service, the update must happen atomically or service calls may fail.
//
svc.SaveChangesBatch();
}
}
/// <summary>
/// Replace the IdentityProvider signing keys with a new set of keys from a metadata update.
/// </summary>
static void UpdateIdentityProviderMetadata()
{
ManagementService svc = ManagementServiceHelper.CreateManagementServiceClient();
Console.WriteLine(String.Format("Reading metadata from file '{0}'...\n", IDPMetadataForUpdate));
using (FileStream fileStream = new FileStream(IDPMetadataForUpdate, FileMode.Open))
{
//
// Note that this sample uses EntityID to correlate between the identity provider originally imported
// and the identity provider to update.
//
EntityDescriptor metadata = ReadMetadata(fileStream);
List <X509Certificate2> idpKeys = ExtractX509CertificatesFromMetadata <SecurityTokenServiceDescriptor>(metadata, KeyType.Signing);
string issuerName = GetEntityName(metadata);
IdentityProvider identityProvider = svc.GetIdentityProviderByName(issuerName, true);
Console.WriteLine(String.Format("Updating metadata for issuer '{0}'...\n", issuerName));
//
// For the sake of simplicity, the existing keys are simply deleted and new ones added.
// Metadata contains more information such as endpoint addresses, claim types issued, etc.
// Updating the remainder of these attributes is left as an exercise to the reader.
//
DeleteExistingIdentityProviderSigningKeys(svc, identityProvider);
InsertIdentityProviderSigningKeysFromMetadata(svc, idpKeys, identityProvider);
//
// SaveChangesOptions.Batch guarantees a transaction across all operations prior to this call. This
// is important because on a running service, the update must happen atomically or service calls may fail.
//
svc.SaveChangesBatch();
}
}
/// <summary>
/// Import the relying party from metadata using a call to the management service.
/// </summary>
static void ImportRelyingPartyMetadata()
{
ManagementService svc = ManagementServiceHelper.CreateManagementServiceClient();
Console.WriteLine(String.Format("Reading metadata from file '{0}'...\n", RPMetadataForImport));
using (FileStream fileStream = new FileStream(RPMetadataForImport, FileMode.Open))
{
EntityDescriptor metadata = ReadMetadata(fileStream);
string relyingPartyName = GetEntityName(metadata);
svc.DeleteRelyingPartyByNameIfExists(relyingPartyName);
svc.SaveChangesBatch();
// Import the relying party from metadata.
Console.WriteLine(String.Format("Importing metadata for relying party '{0}'...\n", relyingPartyName));
fileStream.Seek(0, SeekOrigin.Begin);
svc.ImportRelyingPartyFromStream(fileStream);
}
}
/// <summary>
/// Import the identity provider from metadata using a call to the management service.
/// </summary>
static void ImportIdentityProviderMetadata()
{
ManagementService svc = ManagementServiceHelper.CreateManagementServiceClient();
Console.WriteLine(String.Format("Reading metadata from file '{0}'...\n", IDPMetadataForImport));
using (FileStream fileStream = new FileStream(IDPMetadataForImport, FileMode.Open))
{
EntityDescriptor metadata = ReadMetadata(fileStream);
string issuerName = GetEntityName(metadata);
svc.DeleteIdentityProviderIfExists(issuerName);
svc.SaveChangesBatch();
// Import the identity provider from metadata.
Console.WriteLine(String.Format("Importing metadata for issuer '{0}'...\n", issuerName));
fileStream.Seek(0, SeekOrigin.Begin);
svc.ImportIdentityProviderFromStream(fileStream);
}
}
/// <summary>
/// Extract the certificates for a specific role and use.
/// </summary>
/// <typeparam name="T">The derived type from RoleDescriptor which represents the role this entity is using to participate in the federation.</typeparam>
/// <param name="metadata">EntityDescriptor representing the entity.</param>
/// <param name="keyType">Usage for the certificate.</param>
/// <returns>The list of certificates associated with the role and usage the entity is using to participate in the federation.</returns>
static List <X509Certificate2> ExtractX509CertificatesFromMetadata <T>(EntityDescriptor metadata, KeyType keyType) where T : RoleDescriptor
{
List <X509Certificate2> certs = new List <X509Certificate2>();
foreach (RoleDescriptor roleDescriptor in metadata.RoleDescriptors)
{
if (roleDescriptor.GetType() == typeof(T))
{
foreach (KeyDescriptor keyDescriptor in roleDescriptor.Keys)
{
if (keyDescriptor.Use == keyType)
{
certs.AddRange(GetCertificatesFromKeyInfo(keyDescriptor.KeyInfo));
}
}
}
}
return(certs);
}
/// <summary>
/// Extract the entity id from an entity descriptor.
/// </summary>
/// <param name="metadata">EntityDescriptor representing the entity.</param>
/// <returns>Name of the entity.</returns>
static string GetEntityName(EntityDescriptor metadata)
{
return(metadata.EntityId.Id);
}
