private static void OnFederationConfigurationCreated(object sender, FederationConfigurationCreatedEventArgs e)
{
List<CookieTransform> sessionTransforms = new List<CookieTransform>(new CookieTransform[]
{
new DeflateCookieTransform(),
new RsaEncryptionCookieTransform(e.FederationConfiguration.ServiceCertificate),
new RsaSignatureCookieTransform(e.FederationConfiguration.ServiceCertificate)
});
SessionSecurityTokenHandler sessionHandler = new SessionSecurityTokenHandler(sessionTransforms.AsReadOnly());
e.FederationConfiguration.IdentityConfiguration.SecurityTokenHandlers.AddOrReplace(sessionHandler);
}
void OnServiceConfigurationCreated(object sender, FederationConfigurationCreatedEventArgs e)
{
// Change cookie encryption type from DPAPI to RSA. This avoids a security exception due to a cookie size limit with the SSO cookie. See http://fabriccontroller.net/blog/posts/key-not-valid-for-use-in-specified-state-exception-when-working-with-the-access-control-service/
var sessionTransforms = new List<CookieTransform>(new CookieTransform[] {
new DeflateCookieTransform(),
new RsaEncryptionCookieTransform(e.FederationConfiguration.ServiceCertificate),
new RsaSignatureCookieTransform(e.FederationConfiguration.ServiceCertificate)
});
var sessionHandler = new SessionSecurityTokenHandler(sessionTransforms.AsReadOnly());
e.FederationConfiguration.IdentityConfiguration.SecurityTokenHandlers.AddOrReplace(sessionHandler);
}
/// <summary>
/// Initializes an instance of <see cref="WrappedRsaSecurityTokenAuthenticator"/>
/// </summary>
/// <param name="sessionTokenHandler">The sessionTokenHandler to wrap</param>
/// <param name="wcfSessionAuthenticator">The wcf SessionTokenAuthenticator.</param>
/// <param name="sctClaimsHandler">Handler that converts WCF generated IAuthorizationPolicy to <see cref="AuthorizationPolicy"/></param>
/// <param name="exceptionMapper">Converts token validation exception to SOAP faults.</param>
public WrappedSessionSecurityTokenAuthenticator( SessionSecurityTokenHandler sessionTokenHandler,
SecurityTokenAuthenticator wcfSessionAuthenticator,
SctClaimsHandler sctClaimsHandler,
ExceptionMapper exceptionMapper )
: base()
{
if ( sessionTokenHandler == null )
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull( "sessionTokenHandler" );
}
if ( wcfSessionAuthenticator == null )
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull( "wcfSessionAuthenticator" );
}
if ( sctClaimsHandler == null )
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull( "sctClaimsHandler" );
}
if ( exceptionMapper == null )
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull( "exceptionMapper" );
}
_issuanceSecurityTokenAuthenticator = wcfSessionAuthenticator as IIssuanceSecurityTokenAuthenticator;
if ( _issuanceSecurityTokenAuthenticator == null )
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperInvalidOperation( SR.GetString( SR.ID4244 ) );
}
_communicationObject = wcfSessionAuthenticator as ICommunicationObject;
if ( _communicationObject == null )
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperInvalidOperation( SR.GetString( SR.ID4245 ) );
}
_sessionTokenHandler = sessionTokenHandler;
_sctClaimsHandler = sctClaimsHandler;
_exceptionMapper = exceptionMapper;
}
public ActionResult SessionTokenRaw()
{
var cookieHandler = FederatedAuthentication.SessionAuthenticationModule.CookieHandler;
var cookieBytes = cookieHandler.Read();
if (cookieBytes != null && cookieBytes.Length != 0)
{
var handler = new SessionSecurityTokenHandler();
var sam = FederatedAuthentication.SessionAuthenticationModule;
var sessionToken = sam.ReadSessionTokenFromCookie(cookieBytes);
var sb = new StringBuilder(128);
handler.WriteToken(XmlWriter.Create(sb, new XmlWriterSettings { OmitXmlDeclaration = true }), sessionToken);
return new ContentResult
{
ContentType = "text/xml",
Content = sb.ToString()
};
}
return null;
}
private static SessionSecurityTokenHandler GetOrCreateSessionSecurityTokenHandler()
{
SecurityTokenHandlerCollection defaultHandlers = SecurityTokenHandlerCollection.CreateDefaultSecurityTokenHandlerCollection();
SessionSecurityTokenHandler ssth = defaultHandlers[typeof(SessionSecurityToken)] as SessionSecurityTokenHandler;
if (ssth == null)
{
ssth = new SessionSecurityTokenHandler();
defaultHandlers.AddOrReplace(ssth);
}
return ssth;
}
/// <summary>
/// Helper method to setup the WrappedSecureConversttion
/// </summary>
SecurityTokenAuthenticator SetupSecureConversationWrapper( RecipientServiceModelSecurityTokenRequirement tokenRequirement, SessionSecurityTokenHandler tokenHandler, out SecurityTokenResolver outOfBandTokenResolver )
{
// This code requires Orcas SP1 to compile.
// WCF expects this securityTokenAuthenticator to support:
// 1. IIssuanceSecurityTokenAuthenticator
// 2. ICommunicationObject is needed for this to work right.
// WCF opens a listener in this STA that handles the nego and uses an internal class for negotiating the
// the bootstrap tokens. We want to handle ValidateToken to return our authorization policies and surface the bootstrap tokens.
// when sp1 is installed, use this one.
//SecurityTokenAuthenticator sta = base.CreateSecureConversationTokenAuthenticator( tokenRequirement as RecipientServiceModelSecurityTokenRequirement, _saveBootstrapTokensInSession, out outOfBandTokenResolver );
// use this code if SP1 is not installed
SecurityTokenAuthenticator sta = base.CreateSecurityTokenAuthenticator( tokenRequirement, out outOfBandTokenResolver );
SessionSecurityTokenHandler sessionTokenHandler = tokenHandler;
//
// If there is no SCT handler here, create one.
//
if ( tokenHandler == null )
{
sessionTokenHandler = new SessionSecurityTokenHandler( _cookieTransforms, SessionSecurityTokenHandler.DefaultTokenLifetime );
sessionTokenHandler.ContainingCollection = _securityTokenHandlerCollection;
sessionTokenHandler.Configuration = _securityTokenHandlerCollection.Configuration;
}
if ( ServiceCredentials != null )
{
sessionTokenHandler.Configuration.MaxClockSkew = ServiceCredentials.IdentityConfiguration.MaxClockSkew;
}
SctClaimsHandler claimsHandler = new SctClaimsHandler(
_securityTokenHandlerCollection,
GetNormalizedEndpointId( tokenRequirement ) );
WrappedSessionSecurityTokenAuthenticator wssta = new WrappedSessionSecurityTokenAuthenticator( sessionTokenHandler, sta,
claimsHandler, _exceptionMapper );
WrappedTokenCache wrappedTokenCache = new WrappedTokenCache( _tokenCache, claimsHandler);
SetWrappedTokenCache( wrappedTokenCache, sta, wssta, claimsHandler );
outOfBandTokenResolver = wrappedTokenCache;
return wssta;
}
public SessionAuthenticationConfiguration()
{
Enabled = false;
TokenHandler = new MachineKeySessionSecurityTokenHandler();
}
