/// <summary>
/// Creates the security token
/// </summary>
/// <param name="timeout">Maximum amount of time the method is supposed to take. Ignored in this implementation.</param>
/// <returns>A SecurityToken that corresponds to the SAML assertion and proof key specified at construction time</returns>
protected override SecurityToken GetTokenCore(TimeSpan timeout)
{
// Create a SamlSecurityToken from the provided assertion.
SamlSecurityToken samlToken = new SamlSecurityToken(assertion);
// Create a SecurityTokenSerializer that is used to serialize the SamlSecurityToken
WSSecurityTokenSerializer ser = new WSSecurityTokenSerializer();
// Create a memory stream to write the serialized token into
// Use an initial size of 64Kb
MemoryStream s = new MemoryStream(UInt16.MaxValue);
// Create an XmlWriter over the stream
XmlWriter xw = XmlWriter.Create(s);
// Write the SamlSecurityToken into the stream
ser.WriteToken(xw, samlToken);
// Seek back to the beginning of the stream
s.Seek(0, SeekOrigin.Begin);
// Load the serialized token into a DOM
XmlDocument dom = new XmlDocument();
dom.Load(s);
// Create a KeyIdentifierClause for the SamlSecurityToken
SamlAssertionKeyIdentifierClause samlKeyIdentifierClause = samlToken.CreateKeyIdentifierClause<SamlAssertionKeyIdentifierClause>();
// Return a GenericXmlToken from the XML for the SamlSecurityToken, the proof token, the valid from
// and valid until times from the assertion and the key identifier clause created above
return new GenericXmlSecurityToken(dom.DocumentElement, proofToken, assertion.Conditions.NotBefore, assertion.Conditions.NotOnOrAfter, samlKeyIdentifierClause, samlKeyIdentifierClause, null);
}
// Methods of BodyWriter
protected override void OnWriteBodyContents(XmlDictionaryWriter writer)
{
writer.WriteStartElement(Constants.Trust.Elements.RequestSecurityTokenResponse, Constants.Trust.NamespaceUri);
if (this.TokenType != null && this.TokenType.Length > 0)
{
writer.WriteStartElement(Constants.Trust.Elements.TokenType, Constants.Trust.NamespaceUri);
writer.WriteString(this.TokenType);
writer.WriteEndElement(); // wst:TokenType
}
WSSecurityTokenSerializer ser = new WSSecurityTokenSerializer();
if (this.RequestedSecurityToken != null)
{
writer.WriteStartElement(Constants.Trust.Elements.RequestedSecurityToken, Constants.Trust.NamespaceUri);
ser.WriteToken(writer, this.RequestedSecurityToken);
writer.WriteEndElement(); // wst:RequestedSecurityToken
}
if ( this.RequestedAttachedReference != null )
{
writer.WriteStartElement(Constants.Trust.Elements.RequestedAttachedReference, Constants.Trust.NamespaceUri);
ser.WriteKeyIdentifierClause ( writer, this.RequestedAttachedReference);
writer.WriteEndElement(); // wst:RequestedAttachedReference
}
if ( this.RequestedUnattachedReference != null )
{
writer.WriteStartElement(Constants.Trust.Elements.RequestedUnattachedReference, Constants.Trust.NamespaceUri);
ser.WriteKeyIdentifierClause ( writer, this.RequestedUnattachedReference);
writer.WriteEndElement(); // wst:RequestedAttachedReference
}
if (this.AppliesTo != null)
{
writer.WriteStartElement(Constants.Policy.Elements.AppliesTo, Constants.Policy.NamespaceUri);
this.AppliesTo.WriteTo(AddressingVersion.WSAddressing10, writer);
writer.WriteEndElement(); // wsp:AppliesTo
}
if (this.RequestedProofToken != null)// Issuer entropy; write RPT only
{
writer.WriteStartElement(Constants.Trust.Elements.RequestedProofToken, Constants.Trust.NamespaceUri);
ser.WriteToken(writer, this.RequestedProofToken);
writer.WriteEndElement(); // wst:RequestedSecurityToken
}
if(this.IssuerEntropy != null && this.ComputeKey) // Combined entropy; write RPT and Entropy
{
writer.WriteStartElement(Constants.Trust.Elements.RequestedProofToken, Constants.Trust.NamespaceUri);
writer.WriteStartElement(Constants.Trust.Elements.ComputedKey, Constants.Trust.NamespaceUri);
writer.WriteValue(Constants.Trust.ComputedKeyAlgorithms.PSHA1);
writer.WriteEndElement(); // wst:ComputedKey
writer.WriteEndElement(); // wst:RequestedSecurityToken
if (this.IssuerEntropy!= null)
{
writer.WriteStartElement(Constants.Trust.Elements.Entropy, Constants.Trust.NamespaceUri);
ser.WriteToken(writer, this.IssuerEntropy);
writer.WriteEndElement(); // wst:Entropy
}
}
writer.WriteEndElement(); // wst:RequestSecurityTokenResponse
}
// Methods of BodyWriter
/// <summary>
/// Writes out an XML representation of the instance.
/// </summary>
/// <param name="writer">The writer to be used to write out the XML content</param>
protected override void OnWriteBodyContents(XmlDictionaryWriter writer)
{
// Write out the wst:RequestSecurityTokenResponse start tag
writer.WriteStartElement(Constants.Trust.Elements.RequestSecurityTokenResponse, Constants.Trust.NamespaceUri);
// If we have a non-null, non-empty tokenType...
if (this.TokenType != null && this.TokenType.Length > 0)
{
// Write out the wst:TokenType start tag
writer.WriteStartElement(Constants.Trust.Elements.TokenType, Constants.Trust.NamespaceUri);
// Write out the tokenType string
writer.WriteString(this.TokenType);
writer.WriteEndElement(); // wst:TokenType
}
// Create a serializer that knows how to write out security tokens
WSSecurityTokenSerializer ser = new WSSecurityTokenSerializer();
// If we have a requestedSecurityToken...
if (this.requestedSecurityToken != null)
{
// Write out the wst:RequestedSecurityToken start tag
writer.WriteStartElement(Constants.Trust.Elements.RequestedSecurityToken, Constants.Trust.NamespaceUri);
// Write out the requested token using the serializer
ser.WriteToken(writer, requestedSecurityToken);
writer.WriteEndElement(); // wst:RequestedSecurityToken
}
// If we have a requestedAttachedReference...
if ( this.requestedAttachedReference != null )
{
// Write out the wst:RequestedAttachedReference start tag
writer.WriteStartElement(Constants.Trust.Elements.RequestedAttachedReference, Constants.Trust.NamespaceUri);
// Write out the reference using the serializer
ser.WriteKeyIdentifierClause ( writer, this.requestedAttachedReference );
writer.WriteEndElement(); // wst:RequestedAttachedReference
}
// If we have a requestedUnattachedReference...
if ( this.requestedUnattachedReference != null )
{
// Write out the wst:RequestedUnattachedReference start tag
writer.WriteStartElement(Constants.Trust.Elements.RequestedUnattachedReference, Constants.Trust.NamespaceUri);
// Write out the reference using the serializer
ser.WriteKeyIdentifierClause ( writer, this.requestedUnattachedReference );
writer.WriteEndElement(); // wst:RequestedAttachedReference
}
// If we have a non-null appliesTo
if (this.AppliesTo != null)
{
// Write out the wsp:AppliesTo start tag
writer.WriteStartElement(Constants.Policy.Elements.AppliesTo, Constants.Policy.NamespaceUri);
// Write the appliesTo in WS-Addressing 1.0 format
this.AppliesTo.WriteTo(AddressingVersion.WSAddressing10, writer);
writer.WriteEndElement(); // wsp:AppliesTo
}
// If the requestedProofToken is non-null, then the STS is providing all the key material...
if (this.requestedProofToken != null)
{
// Write the wst:RequestedProofToken start tag
writer.WriteStartElement(Constants.Trust.Elements.RequestedProofToken, Constants.Trust.NamespaceUri);
// Write the proof token using the serializer
ser.WriteToken(writer, requestedProofToken);
writer.WriteEndElement(); // wst:RequestedSecurityToken
}
// If issuerEntropy is non-null and computeKey is true, then combined entropy is being used...
if(this.issuerEntropy != null && this.computeKey )
{
// Write the wst:RequestedProofToken start tag
writer.WriteStartElement(Constants.Trust.Elements.RequestedProofToken, Constants.Trust.NamespaceUri);
// Write the wst:ComputeKey start tag
writer.WriteStartElement(Constants.Trust.Elements.ComputedKey, Constants.Trust.NamespaceUri);
// Write the PSHA1 algorithm value
writer.WriteValue(Constants.Trust.ComputedKeyAlgorithms.PSHA1);
writer.WriteEndElement(); // wst:ComputedKey
writer.WriteEndElement(); // wst:RequestedSecurityToken
// Write the wst:Entropy start tag
writer.WriteStartElement(Constants.Trust.Elements.Entropy, Constants.Trust.NamespaceUri);
// Write the issuerEntropy out using the serializer
ser.WriteToken(writer, this.issuerEntropy);
writer.WriteEndElement(); // wst:Entropy
}
writer.WriteEndElement(); // wst:RequestSecurityTokenResponse
}
public void ReadWriteTokenDerivedKeyTokenRefToExistent ()
{
WSSecurityTokenSerializer serializer =
new WSSecurityTokenSerializer (true); // emitBSP
SecurityToken token;
using (XmlReader xr = XmlReader.Create (new StringReader (derived_key_token1))) {
token = serializer.ReadToken (xr,
GetResolver (
new WrappedKeySecurityToken ("uuid:urn:abc", new byte [32], SecurityAlgorithms.RsaOaepKeyWrap, new X509SecurityToken (cert), null)
));
}
StringWriter sw = new StringWriter ();
using (XmlWriter w = XmlWriter.Create (sw, GetWriterSettings ())) {
serializer.WriteToken (w, token);
}
Assert.AreEqual (derived_key_token1.Replace ('\'', '"').Replace (" ", "").Replace ("\n", "").Replace ("\r", ""), sw.ToString ());
}
/// <summary cref="IUserIdentity.GetIdentityToken" />
public UserIdentityToken GetIdentityToken()
{
// check for anonymous.
if (m_token == null)
{
AnonymousIdentityToken token = new AnonymousIdentityToken();
token.PolicyId = m_policyId;
return token;
}
// return a user name token.
UserNameSecurityToken usernameToken = m_token as UserNameSecurityToken;
if (usernameToken != null)
{
UserNameIdentityToken token = new UserNameIdentityToken();
token.PolicyId = m_policyId;
token.UserName = usernameToken.UserName;
token.DecryptedPassword = usernameToken.Password;
return token;
}
// return an X509 token.
X509SecurityToken x509Token = m_token as X509SecurityToken;
if (x509Token != null)
{
X509IdentityToken token = new X509IdentityToken();
token.PolicyId = m_policyId;
token.CertificateData = x509Token.Certificate.GetRawCertData();
token.Certificate = x509Token.Certificate;
return token;
}
// handle SAML token.
SamlSecurityToken samlToken = m_token as SamlSecurityToken;
if (samlToken != null)
{
MemoryStream ostrm = new MemoryStream();
XmlTextWriter writer = new XmlTextWriter(ostrm, new UTF8Encoding());
try
{
SamlSerializer serializer = new SamlSerializer();
serializer.WriteToken(samlToken, writer, WSSecurityTokenSerializer.DefaultInstance);
}
finally
{
writer.Close();
}
IssuedIdentityToken wssToken = new IssuedIdentityToken();
wssToken.PolicyId = m_policyId;
wssToken.DecryptedTokenData = ostrm.ToArray();
return wssToken;
}
// return a WSS token by default.
if (m_token != null)
{
MemoryStream ostrm = new MemoryStream();
XmlWriter writer = new XmlTextWriter(ostrm, new UTF8Encoding());
try
{
WSSecurityTokenSerializer serializer = new WSSecurityTokenSerializer();
serializer.WriteToken(writer, m_token);
}
finally
{
writer.Close();
}
IssuedIdentityToken wssToken = new IssuedIdentityToken();
wssToken.PolicyId = m_policyId;
wssToken.DecryptedTokenData = ostrm.ToArray();
return wssToken;
}
return null;
}
/// <summary>
/// Build the contents of the SAML token
/// </summary>
/// <param name="writer"><b>XmlDictionaryWriter</b> to write the contents of this token to</param>
protected override void OnWriteBodyContents(XmlDictionaryWriter writer)
{
// Subject
SamlSubject subject = new SamlSubject();
if ( this.useKey != null )
{
// Add the key and the Holder-Of-Key confirmation method
subject.KeyIdentifier = this.useKey;
subject.ConfirmationMethods.Add( SamlConstants.HolderOfKey );
}
else
{
// This is a bearer token
subject.ConfirmationMethods.Add( SamlConstants.SenderVouches );
}
// Attributes, statements, conditions, and assertions
List<SamlStatement> statements = new List<SamlStatement>();
List<SamlAttribute> attributes = GetTokenAttributes();
statements.Add(new SamlAuthenticationStatement(subject, Constants.Saml.AuthenticationMethods.Unspecified, DateTime.Now, null, null, null));
statements.Add(new SamlAttributeStatement(subject, attributes));
SamlConditions conditions = new SamlConditions(DateTime.Now, (DateTime.Now + TimeSpan.FromHours(8.0)));
SamlAssertion assertion = new SamlAssertion("uuid-" + Guid.NewGuid(), Program.Issuer, DateTime.Now, conditions, null, statements);
// Build the signing token
SecurityToken signingToken = new X509SecurityToken(Program.SigningCertificate);
SecurityKeyIdentifier keyIdentifier = new SecurityKeyIdentifier(signingToken.CreateKeyIdentifierClause<X509RawDataKeyIdentifierClause>());
SigningCredentials signingCredentials = new SigningCredentials(signingToken.SecurityKeys[0], SecurityAlgorithms.RsaSha1Signature, SecurityAlgorithms.Sha1Digest, keyIdentifier);
assertion.SigningCredentials = signingCredentials;
// Build the SAML token
SamlSecurityToken token = new SamlSecurityToken(assertion);
SecurityKeyIdentifierClause attachedReference = token.CreateKeyIdentifierClause<SamlAssertionKeyIdentifierClause>();
SecurityKeyIdentifierClause unattachedReference = token.CreateKeyIdentifierClause<SamlAssertionKeyIdentifierClause>();
//
// Write the XML
//
//writer = XmlDictionaryWriter.CreateTextWriter(File.CreateText("output.xml").BaseStream);
// RSTR
writer.WriteStartElement(Constants.WSTrust.NamespaceUri.Prefix, Constants.WSTrust.Elements.RequestSecurityTokenResponse, Constants.WSTrust.NamespaceUri.Uri);
if (context != null)
{
writer.WriteAttributeString(Constants.WSTrust.Attributes.Context, context);
}
// TokenType
writer.WriteElementString(Constants.WSTrust.NamespaceUri.Prefix, Constants.WSTrust.Elements.TokenType, Constants.WSTrust.NamespaceUri.Uri, Constants.WSTrust.TokenTypes.Saml10Assertion);
// RequestedSecurityToken (the SAML token)
SecurityTokenSerializer tokenSerializer = new WSSecurityTokenSerializer();
writer.WriteStartElement(Constants.WSTrust.NamespaceUri.Prefix, Constants.WSTrust.Elements.RequestedSecurityToken, Constants.WSTrust.NamespaceUri.Uri);
tokenSerializer.WriteToken(writer, token);
writer.WriteEndElement();
// RequestedAttachedReference
writer.WriteStartElement(Constants.WSTrust.NamespaceUri.Prefix, Constants.WSTrust.Elements.RequestedAttachedReference, Constants.WSTrust.NamespaceUri.Uri);
tokenSerializer.WriteKeyIdentifierClause(writer, attachedReference);
writer.WriteEndElement();
// RequestedUnattachedReference
writer.WriteStartElement(Constants.WSTrust.NamespaceUri.Prefix, Constants.WSTrust.Elements.RequestedUnattachedReference, Constants.WSTrust.NamespaceUri.Uri);
tokenSerializer.WriteKeyIdentifierClause(writer, unattachedReference);
writer.WriteEndElement();
// RequestedDisplayToken (display token)
string displayTokenNS = "http://schemas.xmlsoap.org/ws/2005/05/identity";
writer.WriteStartElement("wsid", "RequestedDisplayToken", displayTokenNS);
writer.WriteStartElement("wsid", "DisplayToken", displayTokenNS);
foreach (SamlAttribute attribute in attributes)
{
writer.WriteStartElement("wsid", "DisplayClaim", displayTokenNS);
writer.WriteAttributeString("Uri", attribute.Namespace + "/" + attribute.Name);
writer.WriteStartElement("wsid", "DisplayTag", displayTokenNS);
writer.WriteValue(attribute.Name);
writer.WriteEndElement();
writer.WriteStartElement("wsid", "Description", displayTokenNS);
writer.WriteValue(attribute.Namespace + "/" + attribute.Name);
writer.WriteEndElement();
foreach (string attributeValue in attribute.AttributeValues)
{
writer.WriteStartElement("wsid", "DisplayValue", displayTokenNS);
writer.WriteValue(attributeValue);
writer.WriteEndElement();
}
writer.WriteEndElement();
}
writer.WriteEndElement();
writer.WriteEndElement();
// RSTR End
writer.WriteEndElement();
//writer.Close();
}
