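/// <summary>
/// Initiates a new authentication process and returns to the ADFS system.
/// </summary>
/// <param name="identityClaim">Claim information from the ADFS; a placeholder claim is substituted when null</param>
/// <param name="request">The HTTP request (not used by this method)</param>
/// <param name="authContext">The context for the authentication; a fresh context is created when null</param>
/// <returns>new instance of IAdapterPresentationForm</returns>
public IAdapterPresentation BeginAuthentication(Claim identityClaim, HttpListenerRequest request, IAuthenticationContext authContext)
{
    if (identityClaim is null)
    {
        // placeholder claim so the rest of the flow can run without a real identity
        identityClaim = new Claim(Metadata.IdentityClaims[0], "*****@*****.**");
    }
    if (authContext is null)
    {
        authContext = new AuthenticationContext();
    }
#if DEBUG
    Debug.WriteLine($"{Helper.debugPrefix} BeginAuthentication() claim value {identityClaim.Value}");
#endif
    // check whether SSL validation is disabled in the config
    if (!ssl)
    {
        // NOTE(review): this switches off TLS server certificate validation for the whole
        // process (ServicePointManager is global), not only for the privacyIDEA connection,
        // and "+=" appends one more delegate on every call, so the callback list only grows.
#pragma warning disable CA5359 // Do Not Disable Certificate Validation
        ServicePointManager.ServerCertificateValidationCallback += (sender, certificate, chain, sslPolicyErrors) => true;
#pragma warning restore CA5359 // Do Not Disable Certificate Validation
    }
    // trigger challenge
    otp_prov = new OTPprovider(privacyIDEAurl);
    // get a new admin token for all requests if an admin password is defined
    if (!string.IsNullOrEmpty(admin_pw) && !string.IsNullOrEmpty(admin_user))
    {
        token = otp_prov.GetAuthToken(admin_user, admin_pw);
        if (otp_prov.HasToken(identityClaim.Value, privacyIDEArealm, token))
        {
            // trigger a challenge (SMS, Mail ...) for the user; the transaction id ties
            // the later OTP validation to this challenge
            transaction_id = otp_prov.TriggerChallenge(identityClaim.Value, privacyIDEArealm, token);
            authContext.Data.Add("transaction_id", transaction_id);
        }
        else
        {
            // register a token, get QR code
            Dictionary<string, string> QR = otp_prov.EnrollTOTPToken(identityClaim.Value, privacyIDEArealm, token);
#if DEBUG
            // NOTE(review): the enrollment response presumably carries the new token's
            // secret; keep this line DEBUG-only and do not promote it to a persistent log
            Debug.WriteLine($"{Helper.debugPrefix} BeginAuthentication() QR {Helper.ToDebugString(QR)}");
#endif
            // single lookup instead of ContainsKey followed by the indexer; a null
            // enrollment result simply yields no QR code instead of a NullReferenceException
            if (QR != null && QR.TryGetValue("googleurl", out string googleUrl))
            {
                authContext.Data.Add("qrcode", googleUrl);
            }
        }
    }
    authContext.Data.Add("userid", identityClaim.Value);
    authContext.Data.Add("realm", privacyIDEArealm);
    return new AdapterPresentationForm(uidefinition, authContext);
}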
/// <summary>
/// Initiates a new authentication process and returns to the ADFS system.
/// </summary>
/// <param name="identityClaim">Claim information from the ADFS</param>
/// <param name="request">The http request (not used by this method)</param>
/// <param name="authContext">The context for the authentication</param>
/// <returns>new instance of IAdapterPresentationForm</returns>
public IAdapterPresentation BeginAuthentication(Claim identityClaim, HttpListenerRequest request, IAuthenticationContext authContext)
{
#if DEBUG
    Debug.WriteLine(debugPrefix + " Claim value: " + identityClaim.Value);
#endif
    // separate the username from the domain: "DOMAIN\user" -> "user", anything else is used as-is
    // TODO: Map the domain to the ID3A realm
    string[] parts = identityClaim.Value.Split('\\');
    string username = parts.Length > 1 ? parts[1] : parts[0];
    // check if ssl is disabled in the config
    // TODO: Delete for security reasons
    if (!ssl)
    {
        ServicePointManager.ServerCertificateValidationCallback += (sender, certificate, chain, sslPolicyErrors) => true;
    }
    // trigger challenge
    otp_prov = new OTPprovider(privacyIDEAurl);
    // get a new admin token for all requests if an admin pw is defined
    // #2
    bool haveAdminCredentials = !string.IsNullOrEmpty(admin_pw) && !string.IsNullOrEmpty(admin_user);
    if (haveAdminCredentials)
    {
        token = otp_prov.getAuthToken(admin_user, admin_pw);
        // trigger a challenge (SMS, Mail ...) for the user
#if DEBUG
        Debug.WriteLine(debugPrefix + " User: "******" Realm: " + privacyIDEArealm);
#endif
        transaction_id = otp_prov.triggerChallenge(username, privacyIDEArealm, token);
    }
    // set vars to context - fix for 14 and 15
    authContext.Data.Add("userid", username);
    authContext.Data.Add("realm", privacyIDEArealm);
    authContext.Data.Add("transaction_id", transaction_id);
    return new AdapterPresentationForm(false, uidefinition);
}
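/// <summary>
/// Check the OTP and do the real authentication
/// </summary>
/// <param name="proofData">the data from the HTML field</param>
/// <param name="authContext">The auth context which contains secured parameters; a fresh context is created when null</param>
/// <returns>True if auth is done and user can be validated</returns>
/// <exception cref="ExternalAuthenticationException">
/// Thrown when no OTP value was submitted, or when reading the context or calling privacyIDEA fails.
/// </exception>
private bool ValidateProofData(IProofData proofData, IAuthenticationContext authContext)
{
    if (authContext is null)
    {
        authContext = new AuthenticationContext();
    }
    if (proofData is null || proofData.Properties is null || !proofData.Properties.ContainsKey("otpvalue"))
    {
        // read the user defensively: a freshly created context has no "userid", and the
        // plain indexer would replace this error with a KeyNotFoundException
        object userId = null;
        authContext.Data?.TryGetValue("userid", out userId);
        throw new ExternalAuthenticationException($"ValidateProofData() OTP not found for {userId}", authContext);
    }
    if (!ssl)
    {
        // NOTE(review): process-wide effect, and "+=" appends another delegate on every call
#pragma warning disable CA5359 // Do Not Disable Certificate Validation
        ServicePointManager.ServerCertificateValidationCallback += (sender, certificate, chain, sslPolicyErrors) => true;
#pragma warning restore CA5359 // Do Not Disable Certificate Validation
    }
    try
    {
        string otpvalue = (string)proofData.Properties["otpvalue"];
        string session_user = (string)authContext.Data["userid"];
        string session_realm = (string)authContext.Data["realm"];
        // single lookup; the key is absent when BeginAuthentication triggered no challenge
        string transaction_id = authContext.Data.TryGetValue("transaction_id", out object tid) ? (string)tid : "";
#if DEBUG
        // the submitted OTP is a credential and is intentionally kept out of the log
        Debug.WriteLine($"{Helper.debugPrefix} ValidateProofData() user {session_user}, realm {session_realm}, transaction {transaction_id}");
#endif
        // if we're running a server farm and BeginAuthentication was called on a different server
        if (otp_prov is null)
        {
            otp_prov = new OTPprovider(privacyIDEAurl);
        }
        return otp_prov.ValidateOTP(session_user, otpvalue, session_realm, transaction_id);
    }
    catch (Exception ex)
    {
#if DEBUG
        Debug.WriteLine($"{Helper.debugPrefix} ValidateProofData() exception: {ex.Message}");
#endif
        // surface every failure to ADFS as an authentication error carrying the context
        throw new ExternalAuthenticationException($"ValidateProofData() exception: {ex.Message}", authContext);
    }
}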
/// <summary>
/// Initiates a new authentication process and returns to the ADFS system.
/// </summary>
/// <param name="identityClaim">Claim information from the ADFS</param>
/// <param name="request">The http request (not used by this method)</param>
/// <param name="authContext">The context for the authentication</param>
/// <returns>new instance of IAdapterPresentationForm</returns>
public IAdapterPresentation BeginAuthentication(Claim identityClaim, HttpListenerRequest request, IAuthenticationContext authContext)
{
#if DEBUG
    Debug.WriteLine(debugPrefix + " Claim value: " + identityClaim.Value);
#endif
    // separate the username from the domain ("DOMAIN\user")
    // TODO: Map the domain to the ID3A realm
    string[] parts = identityClaim.Value.Split('\\');
    string username;
    string domain;
    string upn;
    if (parts.Length <= 1)
    {
        // no domain prefix: the configured realm stands in for the domain
        username = parts[0];
        upn = parts[0];
        domain = privacyIDEArealm;
    }
    else
    {
        domain = parts[0];
        username = parts[1];
        // get UPN from sAMAccountName only when the UPN lookup is configured
        upn = use_upn ? GetUserPrincipalName(username, domain) : "not configured";
    }
#if DEBUG
    Debug.WriteLine(debugPrefix + " UPN value: " + upn + " Domain value: " + domain);
#endif
    // check if ssl is disabled in the config
    // TODO: Delete for security reasons
    if (!ssl)
    {
        ServicePointManager.ServerCertificateValidationCallback += (sender, certificate, chain, sslPolicyErrors) => true;
    }
    // use upn or sam as loginname attribute
    if (use_upn)
    {
        username = upn;
    }
    // trigger challenge
    otp_prov = new OTPprovider(privacyIDEAurl);
    // get a new admin token for all requests if an admin pw is defined
    // #2
    bool haveAdminCredentials = !string.IsNullOrEmpty(admin_pw) && !string.IsNullOrEmpty(admin_user);
    if (haveAdminCredentials)
    {
        token = otp_prov.getAuthToken(admin_user, admin_pw);
        // trigger a challenge (SMS, Mail ...) for the user
#if DEBUG
        Debug.WriteLine(debugPrefix + " User: "******" Realm: " + privacyIDEArealm);
#endif
        transaction_id = otp_prov.triggerChallenge(username, privacyIDEArealm, token);
    }
    // set vars to context - fix for 14 and 15
    authContext.Data.Add("userid", username);
    authContext.Data.Add("realm", privacyIDEArealm);
    authContext.Data.Add("transaction_id", transaction_id);
    // decide whether the challenge message will be shown
    if (show_challenge)
    {
        message = otp_prov.ChallengeMessage;
    }
    return new AdapterPresentationForm(false, message, uidefinition);
}