Esempio n. 1
0
        private string AuthnRequestForIdp(IdentityProvider identityProvider, Saml20AuthnRequest request, IOwinContext context, Saml2Configuration config)
        {
            var logger = SAML2.Logging.LoggerProvider.LoggerFor(typeof(SamlMessage));

            context.Set(IdpTempSessionKey, identityProvider.Id);

            // Determine which endpoint to use from the configuration file or the endpoint metadata.
            var destination = IdpSelectionUtil.DetermineEndpointConfiguration(BindingType.Redirect, identityProvider.Endpoints.DefaultSignOnEndpoint, identityProvider.Metadata.SSOEndpoints);
            request.Destination = destination.Url;

            if (identityProvider.ForceAuth) {
                request.ForceAuthn = true;
            }

            // Check isPassive status
            if (context.Get<bool>(IdpIsPassive)) {
                request.IsPassive = true;
            }

            if (identityProvider.IsPassive) {
                request.IsPassive = true;
            }

            // Check if request should forceAuthn            
            if (context.Get<bool>(IdpForceAuthn)) {
                request.ForceAuthn = true;
            }

            // Check if protocol binding should be forced
            if (identityProvider.Endpoints.DefaultSignOnEndpoint != null) {
                if (!string.IsNullOrEmpty(identityProvider.Endpoints.DefaultSignOnEndpoint.ForceProtocolBinding)) {
                    request.ProtocolBinding = identityProvider.Endpoints.DefaultSignOnEndpoint.ForceProtocolBinding;
                }
            }

            // Save request message id to session
            Utility.AddExpectedResponseId(request.Id);

            switch (destination.Binding) {
            case BindingType.Redirect:
                logger.DebugFormat(TraceMessages.AuthnRequestPrepared, identityProvider.Id, Saml20Constants.ProtocolBindings.HttpRedirect);

                var redirectBuilder = new HttpRedirectBindingBuilder
                {
                    SigningKey = config.ServiceProvider.SigningCertificate.PrivateKey,
                    Request = request.GetXml().OuterXml
                };
                if (context.Authentication != null &&
                    context.Authentication.AuthenticationResponseChallenge != null &&
                    context.Authentication.AuthenticationResponseChallenge.Properties != null &&
                    context.Authentication.AuthenticationResponseChallenge.Properties.Dictionary != null &&
                    context.Authentication.AuthenticationResponseChallenge.Properties.Dictionary.Count > 0)
                    redirectBuilder.RelayState = context.Authentication.AuthenticationResponseChallenge.Properties.Dictionary.ToDelimitedString();
                logger.DebugFormat(TraceMessages.AuthnRequestSent, redirectBuilder.Request);

                var redirectLocation = request.Destination + "?" + redirectBuilder.ToQuery();
                return redirectLocation;
            case BindingType.Post:
                throw new NotImplementedException();
                //logger.DebugFormat(TraceMessages.AuthnRequestPrepared, identityProvider.Id, Saml20Constants.ProtocolBindings.HttpPost);

                //var postBuilder = new HttpPostBindingBuilder(destination);

                //// Honor the ForceProtocolBinding and only set this if it's not already set
                //if (string.IsNullOrEmpty(request.ProtocolBinding)) {
                //    request.ProtocolBinding = Saml20Constants.ProtocolBindings.HttpPost;
                //}

                //var requestXml = request.GetXml();
                //XmlSignatureUtils.SignDocument(requestXml, request.Id, config.ServiceProvider.SigningCertificate);
                //postBuilder.Request = requestXml.OuterXml;

                //logger.DebugFormat(TraceMessages.AuthnRequestSent, postBuilder.Request);

                //context.Response.Write(postBuilder.GetPage());
                //break;
            case BindingType.Artifact:
                throw new NotImplementedException();
                //logger.DebugFormat(TraceMessages.AuthnRequestPrepared, identityProvider.Id, Saml20Constants.ProtocolBindings.HttpArtifact);

                //var artifactBuilder = new HttpArtifactBindingBuilder(context, config);

                //// Honor the ForceProtocolBinding and only set this if it's not already set
                //if (string.IsNullOrEmpty(request.ProtocolBinding)) {
                //    request.ProtocolBinding = Saml20Constants.ProtocolBindings.HttpArtifact;
                //}

                //logger.DebugFormat(TraceMessages.AuthnRequestSent, request.GetXml().OuterXml);

                //artifactBuilder.RedirectFromLogin(destination, request);
                //break;
            default:
                logger.Error(SAML2.ErrorMessages.EndpointBindingInvalid);
                throw new Saml20Exception(SAML2.ErrorMessages.EndpointBindingInvalid);
            }
            throw new NotImplementedException();
        }
Esempio n. 2
0
        /// <summary>
        /// Returns an instance of the class with meaningful default values set.
        /// </summary>
        /// <returns>The default <see cref="Saml20AuthnRequest"/>.</returns>
        public static Saml20AuthnRequest GetDefault()
        {
            var config = Saml2Config.GetConfig();
            var result = new Saml20AuthnRequest { Issuer = config.ServiceProvider.Id };
            if (config.ServiceProvider.Endpoints.SignOnEndpoint.Binding != BindingType.NotSet)
            {
                var baseUrl = new Uri(config.ServiceProvider.Server);
                result.AssertionConsumerServiceUrl = new Uri(baseUrl, config.ServiceProvider.Endpoints.SignOnEndpoint.LocalPath).ToString();
            }

            // Binding
            switch (config.ServiceProvider.Endpoints.SignOnEndpoint.Binding)
            {
                case BindingType.Artifact:
                    result.Request.ProtocolBinding = Saml20Constants.ProtocolBindings.HttpArtifact;
                    break;
                case BindingType.Post:
                    result.Request.ProtocolBinding = Saml20Constants.ProtocolBindings.HttpPost;
                    break;
                case BindingType.Redirect:
                    result.Request.ProtocolBinding = Saml20Constants.ProtocolBindings.HttpRedirect;
                    break;
                case BindingType.Soap:
                    result.Request.ProtocolBinding = Saml20Constants.ProtocolBindings.HttpSoap;
                    break;
            }

            // NameIDPolicy
            if (config.ServiceProvider.NameIdFormats.Count > 0)
            {
                result.NameIdPolicy = new NameIdPolicy
                                          {
                                              AllowCreate = config.ServiceProvider.NameIdFormats.AllowCreate,
                                              Format = config.ServiceProvider.NameIdFormats[0].Format
                                          };

                if (result.NameIdPolicy.Format != Saml20Constants.NameIdentifierFormats.Entity)
                {
                    result.NameIdPolicy.SPNameQualifier = config.ServiceProvider.Id;
                }
            }

            // RequestedAuthnContext
            if (config.ServiceProvider.AuthenticationContexts.Count > 0)
            {
                result.RequestedAuthnContext = new RequestedAuthnContext();
                switch (config.ServiceProvider.AuthenticationContexts.Comparison)
                {
                    case AuthenticationContextComparison.Better:
                        result.RequestedAuthnContext.Comparison = AuthnContextComparisonType.Better;
                        result.RequestedAuthnContext.ComparisonSpecified = true;
                        break;
                    case AuthenticationContextComparison.Minimum:
                        result.RequestedAuthnContext.Comparison = AuthnContextComparisonType.Minimum;
                        result.RequestedAuthnContext.ComparisonSpecified = true;
                        break;
                    case AuthenticationContextComparison.Maximum:
                        result.RequestedAuthnContext.Comparison = AuthnContextComparisonType.Maximum;
                        result.RequestedAuthnContext.ComparisonSpecified = true;
                        break;
                    case AuthenticationContextComparison.Exact:
                        result.RequestedAuthnContext.Comparison = AuthnContextComparisonType.Exact;
                        result.RequestedAuthnContext.ComparisonSpecified = true;
                        break;
                    default:
                        result.RequestedAuthnContext.ComparisonSpecified = false;
                        break;
                }

                result.RequestedAuthnContext.Items = new string[config.ServiceProvider.AuthenticationContexts.Count];
                result.RequestedAuthnContext.ItemsElementName = new Schema.Protocol.AuthnContextType[config.ServiceProvider.AuthenticationContexts.Count];

                var count = 0;
                foreach (var authenticationContext in config.ServiceProvider.AuthenticationContexts)
                {
                    result.RequestedAuthnContext.Items[count] = authenticationContext.Context;
                    switch (authenticationContext.ReferenceType)
                    {
                        case "AuthnContextDeclRef":
                            result.RequestedAuthnContext.ItemsElementName[count] = Schema.Protocol.AuthnContextType.AuthnContextDeclRef;
                            break;
                        default:
                            result.RequestedAuthnContext.ItemsElementName[count] = Schema.Protocol.AuthnContextType.AuthnContextClassRef;
                            break;
                    }

                    count++;
                }
            }

            // Restrictions
            var audienceRestrictions = new List<ConditionAbstract>(1);
            var audienceRestriction = new AudienceRestriction { Audience = new List<string>(1) { config.ServiceProvider.Id } };
            audienceRestrictions.Add(audienceRestriction);

            result.SetConditions(audienceRestrictions);

            return result;
        }
Esempio n. 3
0
        /// <summary>
        /// Returns an instance of the class with meaningful default values set.
        /// </summary>
        /// <returns>The default <see cref="Saml20AuthnRequest"/>.</returns>
        public static Saml20AuthnRequest GetDefault()
        {
            var config = Saml2Config.GetConfig();
            var result = new Saml20AuthnRequest {
                Issuer = config.ServiceProvider.Id
            };

            if (config.ServiceProvider.Endpoints.SignOnEndpoint.Binding != BindingType.NotSet)
            {
                var baseUrl = new Uri(config.ServiceProvider.Server);
                result.AssertionConsumerServiceUrl = new Uri(baseUrl, config.ServiceProvider.Endpoints.SignOnEndpoint.LocalPath).ToString();
            }

            // Binding
            switch (config.ServiceProvider.Endpoints.SignOnEndpoint.Binding)
            {
            case BindingType.Artifact:
                result.Request.ProtocolBinding = Saml20Constants.ProtocolBindings.HttpArtifact;
                break;

            case BindingType.Post:
                result.Request.ProtocolBinding = Saml20Constants.ProtocolBindings.HttpPost;
                break;

            case BindingType.Redirect:
                result.Request.ProtocolBinding = Saml20Constants.ProtocolBindings.HttpRedirect;
                break;

            case BindingType.Soap:
                result.Request.ProtocolBinding = Saml20Constants.ProtocolBindings.HttpSoap;
                break;
            }

            // NameIDPolicy
            if (config.ServiceProvider.NameIdFormats.Count > 0)
            {
                result.NameIdPolicy = new NameIdPolicy
                {
                    AllowCreate = config.ServiceProvider.NameIdFormats.AllowCreate,
                    Format      = config.ServiceProvider.NameIdFormats[0].Format
                };

                if (result.NameIdPolicy.Format != Saml20Constants.NameIdentifierFormats.Entity)
                {
                    result.NameIdPolicy.SPNameQualifier = config.ServiceProvider.Id;
                }
            }

            // RequestedAuthnContext
            if (config.ServiceProvider.AuthenticationContexts.Count > 0)
            {
                result.RequestedAuthnContext = new RequestedAuthnContext();
                switch (config.ServiceProvider.AuthenticationContexts.Comparison)
                {
                case AuthenticationContextComparison.Better:
                    result.RequestedAuthnContext.Comparison          = AuthnContextComparisonType.Better;
                    result.RequestedAuthnContext.ComparisonSpecified = true;
                    break;

                case AuthenticationContextComparison.Minimum:
                    result.RequestedAuthnContext.Comparison          = AuthnContextComparisonType.Minimum;
                    result.RequestedAuthnContext.ComparisonSpecified = true;
                    break;

                case AuthenticationContextComparison.Maximum:
                    result.RequestedAuthnContext.Comparison          = AuthnContextComparisonType.Maximum;
                    result.RequestedAuthnContext.ComparisonSpecified = true;
                    break;

                case AuthenticationContextComparison.Exact:
                    result.RequestedAuthnContext.Comparison          = AuthnContextComparisonType.Exact;
                    result.RequestedAuthnContext.ComparisonSpecified = true;
                    break;

                default:
                    result.RequestedAuthnContext.ComparisonSpecified = false;
                    break;
                }

                result.RequestedAuthnContext.Items            = new string[config.ServiceProvider.AuthenticationContexts.Count];
                result.RequestedAuthnContext.ItemsElementName = new Schema.Protocol.AuthnContextType[config.ServiceProvider.AuthenticationContexts.Count];

                var count = 0;
                foreach (var authenticationContext in config.ServiceProvider.AuthenticationContexts)
                {
                    result.RequestedAuthnContext.Items[count] = authenticationContext.Context;
                    switch (authenticationContext.ReferenceType)
                    {
                    case "AuthnContextDeclRef":
                        result.RequestedAuthnContext.ItemsElementName[count] = Schema.Protocol.AuthnContextType.AuthnContextDeclRef;
                        break;

                    default:
                        result.RequestedAuthnContext.ItemsElementName[count] = Schema.Protocol.AuthnContextType.AuthnContextClassRef;
                        break;
                    }

                    count++;
                }
            }

            // Restrictions
            var audienceRestrictions = new List <ConditionAbstract>(1);
            var audienceRestriction  = new AudienceRestriction {
                Audience = new List <string>(1)
                {
                    config.ServiceProvider.Id
                }
            };

            audienceRestrictions.Add(audienceRestriction);

            result.SetConditions(audienceRestrictions);

            return(result);
        }