public RequestDetailsScope(RequestDetails details, SigningCredentials signingCredentials, bool requireEncryption)
: base(details.Realm.Uri.AbsoluteUri, signingCredentials)
{
RequestDetails = details;
if (RequestDetails.UsesEncryption)
{
EncryptingCredentials = new X509EncryptingCredentials(details.EncryptingCertificate);
}
if (RequestDetails.TokenType == SimpleWebToken.OasisTokenProfile)
{
SigningCredentials = new SymmetricSigningCredentials(details.RelyingPartyRegistration.SymmetricSigningKey);
}
ReplyToAddress = RequestDetails.ReplyToAddress.AbsoluteUri;
TokenEncryptionRequired = requireEncryption;
}
public RequestDetailsScope(RequestDetails details, SigningCredentials signingCredentials, bool requireEncryption)
: base(details.Realm.Uri.AbsoluteUri, signingCredentials)
{
RequestDetails = details;
if (RequestDetails.UsesEncryption)
{
EncryptingCredentials = new X509EncryptingCredentials(details.EncryptingCertificate);
}
if (RequestDetails.TokenType == TokenTypes.SimpleWebToken || RequestDetails.TokenType == TokenTypes.JsonWebToken)
{
if (details.RelyingPartyRegistration.SymmetricSigningKey != null && details.RelyingPartyRegistration.SymmetricSigningKey.Length > 0)
{
SigningCredentials = new HmacSigningCredentials(details.RelyingPartyRegistration.SymmetricSigningKey);
}
}
ReplyToAddress = RequestDetails.ReplyToAddress.AbsoluteUri;
TokenEncryptionRequired = requireEncryption;
}
public StsConfiguration(String host)
{
SecurityTokenService = typeof(Sts);
// this.DefaultTokenType = "http://schemas.microsoft.com/ws/2006/05/identitymodel/tokens/Rsa";
// this.SecurityTokenHandlers.AddOrReplace(new SimpleWebTokenHandler());
settings = SecurityTokenServicesSection.Current.GetConfiguration(host);
// Configure token issuer
TokenIssuerName = settings.IssuerName;
// Configure signing and encrypting certificates
X509Store store = new X509Store(settings.StoreName, settings.StoreLocation);
try
{
store.Open(OpenFlags.ReadOnly);
SigningCredentials = new X509SigningCredentials(
store.FindExactlyOne(settings.SigningCertificateName));
if (false == String.IsNullOrEmpty(settings.EncryptingCertificateName))
{
EncryptingCredentials = new X509EncryptingCredentials(
store.FindExactlyOne(settings.EncryptingCertificateName));
}
}
finally
{
store.Close();
}
// Load standard claims
foreach (FieldInfo claim in typeof(ClaimTypes).GetFields())
{
standardClaims.Add(claim.Name, claim.GetValue(null) as String);
}
}
/// <summary>
/// This method returns the configuration for the token issuance request. The configuration
/// is represented by the Scope class. In our case, we are only capable of issuing a token for a
/// single RP identity represented by the EncryptingCertificateName.
/// </summary>
/// <param name="principal">The caller's principal.</param>
/// <param name="request">The incoming RST.</param>
/// <returns>The scope information to be used for the token issuance.</returns>
protected override Scope GetScope(IClaimsPrincipal principal, RequestSecurityToken request)
{
// TEMP
//ClaimsUtil.LogClaimsPrincipal(principal, "IdpSts.CustomSecurityTokenService.GetScope");
CustomTextTraceSource ts = new CustomTextTraceSource("IdpSts.CustomSecurityTokenService.GetScope",
"MyTraceSource", SourceLevels.Information);
ValidateAppliesTo(request.AppliesTo);
X509Certificate2 signingCert = CertificateUtil.GetCertificate(StoreName.My, StoreLocation.LocalMachine,
WebConfigurationManager.AppSettings["SigningCertificateName"]);
if (signingCert != null)
{
ts.TraceInformation("signingCert: " + signingCert.SubjectName);
ts.TraceInformation("\tthumbPrint: " + signingCert.Thumbprint);
}
else
{
ts.TraceInformation("signingCert: NULL");
}
//SecurityKeyIdentifier signingSki = new SecurityKeyIdentifier(new SecurityKeyIdentifierClause[] {
// new X509SecurityToken(signingCert).CreateKeyIdentifierClause<X509SubjectKeyIdentifierClause>() });
SecurityKeyIdentifier signingSki = new SecurityKeyIdentifier(new SecurityKeyIdentifierClause[] {
new X509SecurityToken(signingCert).CreateKeyIdentifierClause<X509RawDataKeyIdentifierClause>() });
X509SigningCredentials signingCredentialss = new X509SigningCredentials(signingCert, signingSki);
Scope scope = new Scope(request.AppliesTo.Uri.OriginalString, signingCredentialss);
//string encryptingCertificateName = "";
string encryptingCertificateName = WebConfigurationManager.AppSettings["EncryptingCertificateName"];
if (!string.IsNullOrEmpty(encryptingCertificateName))
{
// Important note on setting the encrypting credentials.
// In a production deployment, you would need to select a certificate that is specific to the RP that is requesting the token.
// You can examine the 'request' to obtain information to determine the certificate to use. (AppliesTo)
// Original SV
//scope.EncryptingCredentials = new X509EncryptingCredentials(CertificateUtil.GetCertificateByCommonName(StoreName.TrustedPeople,
// StoreLocation.LocalMachine, request.AppliesTo.Uri.Host));
// New HoK
X509Certificate2 cert = CertificateUtil.GetCertificate(StoreName.TrustedPeople,
StoreLocation.LocalMachine, encryptingCertificateName);
var ski = new SecurityKeyIdentifier(new SecurityKeyIdentifierClause[]
{
//new X509SecurityToken(cert).CreateKeyIdentifierClause<X509SubjectKeyIdentifierClause>()
new X509SecurityToken(cert).CreateKeyIdentifierClause<X509ThumbprintKeyIdentifierClause>()
}
);
X509EncryptingCredentials encryptingCredentials = new X509EncryptingCredentials(cert, ski);
scope.EncryptingCredentials = encryptingCredentials;
}
else
{
// If there is no encryption certificate specified, the STS will not perform encryption.
// This will succeed for tokens that are created without keys (BearerTokens) or asymmetric keys. Symmetric keys are
// required to be 'wrapped' and the STS will throw.
scope.TokenEncryptionRequired = false;
// Symmetric keys are required to be 'wrapped' or the STS will throw, uncomment the code below to turn off proof key encryption.
// Turning off proof key encryption is not secure and should not be used in a deployment scenario.
scope.SymmetricKeyEncryptionRequired = false;
}
//ts.TraceInformation("request.RequestType: " + request.RequestType);
//ts.TraceInformation("request.TokenType: " + request.TokenType);
//ts.TraceInformation("request.KeyType: " + request.KeyType);
//ts.TraceInformation("request.KeySizeInBits: " + request.KeySizeInBits);
//ts.TraceInformation("request.SecondaryParameters.TokenType: " + request.SecondaryParameters.TokenType);
//ts.TraceInformation("request.SecondaryParameters.KeyType: " + request.SecondaryParameters.KeyType);
//ts.TraceInformation("Principal Name: " + principal.Identity.Name);
//if (request.SecondaryParameters != null)
//{
// if (!string.IsNullOrEmpty(request.SecondaryParameters.TokenType))
// {
// if (string.IsNullOrEmpty(request.TokenType))
// {
// request.TokenType = request.SecondaryParameters.TokenType;
// }
// }
// if (!string.IsNullOrEmpty(request.SecondaryParameters.KeyType))
// {
// if (string.IsNullOrEmpty(request.KeyType))
// {
// request.TokenType = request.SecondaryParameters.KeyType;
// }
// }
// if (StringComparer.Ordinal.Equals(request.KeyType, "http://schemas.microsoft.com/idfx/keytype/bearer"))
// {
// if (request.KeySizeInBits.HasValue)
// {
// if (request.KeySizeInBits.Value > 0)
// {
// string errorMsg = string.Format("The request has a KeySize '{0}' that is greater than 0, which, when specified in the request is the required value for sender-vouches assertions.",
// request.KeySizeInBits.Value);
// ts.TraceInformation(errorMsg);
// request.KeySizeInBits = new int?(0);
// }
// }
// else
// {
// // the key size for an assertion with Sender-vouches confirmation must be 0
// request.KeySizeInBits = new int?(0);
// }
// ts.TraceInformation("KeySizeInBits: " + request.KeySizeInBits.Value.ToString());
// }
//}
//if ((StringComparer.Ordinal.Equals(request.KeyType, "http://schemas.microsoft.com/idfx/keytype/bearer") && request.KeySizeInBits.HasValue) && (request.KeySizeInBits.Value != 0))
//{
// ts.TraceInformation("Still Have problems with KeySize!!!");
//}
return scope;
}
protected override Scope GetScope(ClaimsPrincipal principal, RequestSecurityToken request)
{
ValidateAppliesTo(request.AppliesTo);
var scope = new Scope(request.AppliesTo.Uri.OriginalString, SecurityTokenServiceConfiguration.SigningCredentials);
if (!string.IsNullOrEmpty(ConfigurationManager.AppSettings["EncryptionCertificate"]))
{
// Important note on setting the encrypting credentials.
// In a production deployment, you would need to select a certificate that is specific to the RP that is requesting the token.
// You can examine the 'request' to obtain information to determine the certificate to use.
var encryptingCertificate = GetCertificate(ConfigurationManager.AppSettings["EncryptionCertificate"]);
var encryptingCredentials = new X509EncryptingCredentials(encryptingCertificate);
scope.EncryptingCredentials = encryptingCredentials;
}
else
{
// If there is no encryption certificate specified, the STS will not perform encryption.
// This will succeed for tokens that are created without keys (BearerTokens) or asymmetric keys.
scope.TokenEncryptionRequired = false;
}
scope.ReplyToAddress = request.ReplyTo;
return scope;
}
