コード例 #1
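        /// <summary>
        /// Submits the answer to the current workflow authentication gate (e.g. the OTP gate) and either
        /// returns the issued security token or surfaces the next gate's challenge.
        /// </summary>
        /// <param name="gateResponse">Answer to the current gate; null when no gate has been answered yet.</param>
        /// <param name="authNException">On input, the exception carrying the current challenge. When the service
        /// raises a further challenge it is replaced by that new exception so the caller can continue the flow.</param>
        /// <param name="workflowAuthenticationChallenge">The next challenge to present to the user, or null when
        /// authentication completed.</param>
        /// <returns>The security token once authentication completed; null while further gates remain.</returns>
        /// <exception cref="ArgumentNullException"><paramref name="authNException"/> is null.</exception>
        /// <exception cref="InvalidOperationException">The service requested further authentication but supplied no challenge payload.</exception>
        public static ContextualSecurityToken OTPGateChallengeResponse(WorkflowAuthenticationResponse gateResponse,
                                                                       ref AuthenticationRequiredException authNException,
                                                                       out WorkflowAuthenticationChallenge workflowAuthenticationChallenge)
        {
            workflowAuthenticationChallenge = null;

            if (authNException == null)
            {
                throw new ArgumentNullException("authNException");
            }

            AuthenticationChallengeResponseType[] authenticationChallengeResponses = null;

            if (gateResponse != null)
            {
                // The gate answer travels as the XML payload of a challenge response.
                AuthenticationChallengeResponseType authenticationChallengeResponse = new AuthenticationChallengeResponseType();
                authenticationChallengeResponse.Response = new ClientSerializer(
                    typeof(WorkflowAuthenticationResponse)).WriteObjectToXmlElement(gateResponse);

                authenticationChallengeResponses = new AuthenticationChallengeResponseType[] { authenticationChallengeResponse };
            }

            ContextualSecurityToken authNSecurityToken = null;

            try
            {
                // Authenticate requires the out argument; nothing here consumes the buffered message.
                MessageBuffer messageBuffer;
                authNSecurityToken = authNException.Authenticate(authenticationChallengeResponses, out messageBuffer);
            }
            catch (AuthenticationRequiredException exception)
            {
                // Another gate is pending: hand the new exception back first, so the caller keeps the
                // current state even if the challenge payload below turns out to be unusable.
                authNException = exception;

                System.Collections.ICollection challenges = exception.AuthenticationChallenges as System.Collections.ICollection;
                if (exception.AuthenticationChallenges == null
                    || (challenges != null && challenges.Count == 0)
                    || exception.AuthenticationChallenges[0].Challenge == null)
                {
                    throw new InvalidOperationException("The service requested further authentication but supplied no challenge.");
                }

                workflowAuthenticationChallenge = (WorkflowAuthenticationChallenge) new ClientSerializer(
                    typeof(WorkflowAuthenticationChallenge)).ReadObjectFromXmlNode(
                    exception.AuthenticationChallenges[0].Challenge);
            }

            return authNSecurityToken;
        }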
コード例 #2
ファイル: DefaultClient.cs プロジェクト: Predica/FimClient
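        /// <summary>
        /// Drives the WS-Trust exchange with the STS after an AuthenticationRequired fault until a security
        /// token is issued, answering QA-gate challenges through <c>questionHandler</c>.
        /// </summary>
        /// <param name="stsEndpointAddress">STS address taken from the fault detail.</param>
        /// <param name="responseContext">Security context of the faulted response; its "instanceId" entry
        /// identifies the workflow instance the STS is asked about.</param>
        /// <returns>The issued token bound to <paramref name="responseContext"/>.</returns>
        /// <exception cref="ArgumentNullException"><paramref name="responseContext"/> is null.</exception>
        /// <exception cref="NotSupportedException">The STS presented a gate other than the QA gate.</exception>
        /// <exception cref="InvalidOperationException">The STS response could not be interpreted.</exception>
        private ContextualSecurityToken HandleAuthNFault(String stsEndpointAddress, ContextMessageProperty responseContext)
        {
            if (responseContext == null)
            {
                throw new ArgumentNullException("responseContext");
            }

            ContextualSecurityToken returnToken = null;

            // Create a new client to talk to the STS.
            // NOTE(review): stsClient is never closed here; if SecurityTokenServiceClient wraps a WCF channel it
            // should be Close()d on success and Abort()ed on failure - confirm against the type.
            SecurityTokenServiceClient stsClient = new SecurityTokenServiceClient("ServiceMultipleTokenBinding_SecurityTokenService", stsEndpointAddress);

            Guid contextGuid = new Guid(responseContext.Context["instanceId"]);

            ClientSerializer rstrSerializer = new ClientSerializer(typeof(Client.WsTrust.RequestSecurityTokenResponse));

            // Initial RST (Request for Security Token) and its RSTR (response).
            Message rst = stsClient.BuildRequestSecurityTokenMessage(contextGuid);
            Message rstr = stsClient.RequestSecurityToken(rst);

            // Keep answering challenges until a token is issued (or the STS faults).
            do
            {
                Client.WsTrust.RequestSecurityTokenResponse serializedRSTR =
                    (Client.WsTrust.RequestSecurityTokenResponse)rstrSerializer.ReadObject(rstr.GetReaderAtBodyContents());

                if (serializedRSTR == null)
                {
                    throw new InvalidOperationException("Received a response from the STS that we do not understand.");
                }

                if (serializedRSTR.Authchallenge != null)
                {
                    var challenge = serializedRSTR.Authchallenge.challenge.workflowAuthChallenge;

                    // Only the QA gate can be answered. Any other gate must fail explicitly: without a new
                    // round-trip the loop would re-read the already consumed message and fail obscurely.
                    if (!String.Equals(challenge.Name, "QAGate", StringComparison.Ordinal))
                    {
                        throw new NotSupportedException("The STS requested an authentication gate that is not supported: " + challenge.Name);
                    }

                    Dictionary<int, String> answers = questionHandler.Invoke(challenge);

                    Client.WsTrust.RequestSecurityTokenResponse rstrRequest = new Client.WsTrust.RequestSecurityTokenResponse();
                    rstrRequest.Context = serializedRSTR.Context;
                    rstrRequest.AuthChallengeResponse = new AuthenticationChallengeResponse(answers);

                    rstr = stsClient.BuildRequestSecurityTokenResponseMessage(rstrRequest);
                    rstr = stsClient.RequestSecurityTokenResponse(rstr);
                }
                else if (serializedRSTR.RequestedSecurityToken != null)
                {
                    returnToken = serializedRSTR.GetContextTokenFromResponse(responseContext);
                }
                else
                {
                    throw new InvalidOperationException("The STS returned a response that is neither an AuthChallenge nor a Security Response.");
                }
            } while (returnToken == null);

            return returnToken;
        }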
コード例 #3
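        /// <summary>
        /// Builds a <see cref="ContextualSecurityToken"/> from the issued SAML token and the proof material
        /// carried in this RSTR.
        /// </summary>
        /// <param name="context">Security context the token is bound to.</param>
        /// <returns>The token, or null when the response carries no RequestedSecurityToken.</returns>
        /// <exception cref="InvalidOperationException">The assertion lacks the Conditions NotBefore/NotOnOrAfter attributes.</exception>
        public Microsoft.ResourceManagement.WebServices.Client.ContextualSecurityToken GetContextTokenFromResponse(ContextMessageProperty context)
        {
            if (RequestedSecurityToken == null)
            {
                return null;
            }

            // Only a name table is needed for prefix resolution; no copy of the token has to be loaded for that.
            XmlNamespaceManager nsManager = new XmlNamespaceManager(new NameTable());
            nsManager.AddNamespace("saml", "urn:oasis:names:tc:SAML:1.0:assertion");

            XmlNode notBefore = RequestedSecurityToken.SelectSingleNode("saml:Conditions/@NotBefore", nsManager);
            XmlNode notOnOrAfter = RequestedSecurityToken.SelectSingleNode("saml:Conditions/@NotOnOrAfter", nsManager);
            if (notBefore == null || notOnOrAfter == null)
            {
                throw new InvalidOperationException("The issued SAML assertion carries no Conditions/@NotBefore and Conditions/@NotOnOrAfter attributes.");
            }

            // The condition timestamps are xsd:dateTime values; XmlConvert parses them culture-independently and
            // keeps them in UTC, where DateTime.Parse would depend on the current culture and shift them to local time.
            DateTime effectiveTime = XmlConvert.ToDateTime(notBefore.Value, XmlDateTimeSerializationMode.Utc);
            DateTime expirationTime = XmlConvert.ToDateTime(notOnOrAfter.Value, XmlDateTimeSerializationMode.Utc);

            // NOTE(review): the assertion's signature, issuer and audience are not verified in this method; the
            // token is accepted on the strength of the channel that delivered it - confirm that channel is
            // authenticated and that validation happens elsewhere.
            WSSecurityTokenSerializer serializer = new WSSecurityTokenSerializer();
            SecurityToken requestedProofToken =
                serializer.ReadToken(
                    new XmlNodeReader(this.RequestedProofToken),
                    new SecurityContextSecurityTokenResolver(Int32.MaxValue, false));
            SecurityKeyIdentifierClause requestedUnattachedReference =
                serializer.ReadKeyIdentifierClause(new XmlNodeReader(RequestedUnattachedReference));
            SecurityKeyIdentifierClause requestedAttachedReference =
                serializer.ReadKeyIdentifierClause(new XmlNodeReader(RequestedAttachedReference));

            // No authorization policies are attached to the token; callers only use it to authenticate.
            return new ContextualSecurityToken(
                new GenericXmlSecurityToken(
                    RequestedSecurityToken,
                    requestedProofToken,
                    effectiveTime,
                    expirationTime,
                    requestedUnattachedReference,
                    requestedAttachedReference,
                    new ReadOnlyCollection<IAuthorizationPolicy>(new List<IAuthorizationPolicy>())
                    ), context);
        }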
コード例 #4
ファイル: DefaultClient.cs プロジェクト: Predica/FimClient
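        /// <summary>
        /// Submits a Put (update) request for <paramref name="transaction"/>, either to the regular resource
        /// endpoint or to the alternate endpoint that accepts an STS-issued token.
        /// </summary>
        /// <param name="transaction">Pending changes to send.</param>
        /// <param name="useAlternateEndpoint">True to use the alternate endpoint with <paramref name="token"/> and <paramref name="context"/>.</param>
        /// <param name="response">The service response, or null when none was obtained.</param>
        /// <param name="token">Security token for the alternate endpoint; not used for the regular endpoint.</param>
        /// <param name="context">Security context for the alternate endpoint; not used for the regular endpoint.</param>
        /// <returns>True when a response was received.</returns>
        /// <exception cref="ArgumentNullException"><paramref name="transaction"/> is null.</exception>
        /// <exception cref="InvalidOperationException">The alternate endpoint raised an authentication fault but no
        /// security context could be recovered from the response.</exception>
        public bool Put(RmResourceChanges transaction, bool useAlternateEndpoint, out PutResponse response, SecurityToken token, ContextMessageProperty context)
        {
            response = null;
            if (transaction == null)
            {
                throw new ArgumentNullException("transaction");
            }

            if (!useAlternateEndpoint)
            {
                PutRequest resourceEPrequest = this.requestFactory.CreatePutRequest(transaction);
                try
                {
                    this.wsTransferClient.Put(resourceEPrequest, out response);
                }
                catch (System.ServiceModel.FaultException<Microsoft.ResourceManagement.Client.Faults.AuthenticationRequiredFault>)
                {
                    // Deliberately swallowed: the regular endpoint cannot drive an AuthN workflow yet, so the call
                    // reports failure (response stays null). The STS address for a future implementation is
                    // authNFault.Detail.SecurityTokenServiceAddress.
                    // TODO: Add AuthN logic here. For now, only QA gates on the alternate endpoint are supported.
                }

                return response != null;
            }

            //TODO: Verify that the ObjectID is in the form Domain\User.
            PutRequest alternateEPrequest = this.requestFactory.CreatePutRequest(transaction);

            try
            {
                this.alternateClient.Put(alternateEPrequest, out response, token, context);
            }
            catch (System.ServiceModel.FaultException<Microsoft.ResourceManagement.Client.Faults.AuthenticationRequiredFault> authNFault)
            {
                String stsEndpointAddress = authNFault.Detail.SecurityTokenServiceAddress;

                // The fault is thrown from inside Put, so 'response' is only populated if the callee assigned the
                // out parameter before faulting; guard it rather than dereferencing null.
                if (response == null || response.Message == null)
                {
                    throw new InvalidOperationException("Could not get security context from Put.");
                }

                ContextMessageProperty responseContext;
                if (!ContextMessageProperty.TryGet(response.Message, out responseContext))
                {
                    throw new InvalidOperationException("Could not get security context from Put.");
                }

                ContextualSecurityToken userToken = HandleAuthNFault(stsEndpointAddress, responseContext);

                // Retry exactly once with the STS-issued token. A further authentication fault propagates to the
                // caller instead of re-entering the STS exchange without bound.
                PutRequest retryRequest = this.requestFactory.CreatePutRequest(transaction);
                this.alternateClient.Put(retryRequest, out response, userToken, responseContext);
            }

            return response != null;
        }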
コード例 #5
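        /// <summary>
        /// Starts the password-reset workflow for <c>domain\username</c> through the alternate endpoint.
        /// Without a valid token the service answers with an AuthenticationRequired fault, which is rethrown as
        /// <see cref="AuthenticationRequiredException"/> so the caller can answer the gates and call again.
        /// </summary>
        /// <param name="domain">NetBIOS domain of the account.</param>
        /// <param name="username">Account name within <paramref name="domain"/>.</param>
        /// <param name="authNSecurityToken">Token obtained from the STS once the gates were passed.</param>
        /// <param name="contextMessageProperty">Security context bound to the token.</param>
        /// <exception cref="ArgumentException"><paramref name="domain"/> or <paramref name="username"/> is empty, or
        /// the resulting identity is not of the form Domain\user.</exception>
        /// <exception cref="AuthenticationRequiredException">The service requires a gate to be answered first.</exception>
        /// <exception cref="InvalidOperationException">An AuthN fault was received without a usable security context.</exception>
        public static void OTPReset(string domain, string username, ContextualSecurityToken authNSecurityToken, ContextMessageProperty contextMessageProperty)
        {
            // An empty domain would otherwise pass the Domain\user check below ("\user" still splits into two parts).
            if (String.IsNullOrEmpty(domain))
            {
                throw new ArgumentException("User Identity must be specified by netbios domain in this format: Domain name\\user name.", "domain");
            }
            if (String.IsNullOrEmpty(username))
            {
                throw new ArgumentException("User Identity must be specified by netbios domain in this format: Domain name\\user name.", "username");
            }

            // Create an anonymous RmPerson and set ObjectID to Domain\User.
            // The ObjectID attribute becomes the ResourceReferenceProperty in the message header.
            RmPerson user = new RmPerson();
            RmReference domainAndUsernameReference = new RmReference();
            domainAndUsernameReference.DomainAndUserNameValue = domain + '\\' + username;
            user.ObjectID = domainAndUsernameReference;

            // Pre-created so that a fault thrown from inside Put still leaves an object whose Message can be
            // inspected. NOTE(review): whether AlternateClient.Put assigns the out parameter before faulting is not
            // visible here - confirm.
            PutResponse putResponse = new PutResponse();
            bool putSuccess = false; // Stays false unless no password-reset / QA AuthN workflow is attached.

            var alternateClient = new AlternateClient();
            var mexClient = new MexClient();
            XmlSchemaSet metadata = mexClient.Get();
            var requestFactory = new RmRequestFactory(metadata);

            // Set ResetPassword inside a transaction so the change is captured in the Put request.
            using (RmResourceChanges transaction = new RmResourceChanges(user))
            {
                transaction.BeginChanges();

                user.ResetPassword = "******";

                try
                {
                    if (transaction.RmObject.ObjectID.Value.Split('\\').Length != 2)
                    {
                        throw new ArgumentException("User Identity must be specified by netbios domain in this format: Domain name\\user name.");
                    }

                    PutRequest alternateEPrequest = requestFactory.CreatePutRequest(transaction);

                    try
                    {
                        alternateClient.Put(alternateEPrequest, out putResponse, authNSecurityToken, contextMessageProperty);
                        putSuccess = true;
                    }
                    catch (System.ServiceModel.FaultException<Microsoft.ResourceManagement.Client.Faults.AuthenticationRequiredFault> authNFault)
                    {
                        Microsoft.ResourceManagement.WebServices.WSResourceManagement.AuthenticationRequiredFault msAuthNFault =
                            new Microsoft.ResourceManagement.WebServices.WSResourceManagement.AuthenticationRequiredFault(authNFault.Detail.SecurityTokenServiceAddress,
                                                                                                                          authNFault.Detail.UserRegistered.GetValueOrDefault(),
                                                                                                                          authNFault.Detail.UserLockedOut.GetValueOrDefault());

                        if (putResponse == null || putResponse.Message == null)
                        {
                            throw new InvalidOperationException("Could not retrieve security context message property even though we received an AuthN Fault. Something is fundamentally broken. Ensure assembly versions are correct and upgrades did not change protocol.");
                        }

                        ContextMessageProperty responseContext;
                        if (!ContextMessageProperty.TryGet(putResponse.Message, out responseContext))
                        {
                            throw new InvalidOperationException("Could not retrieve security context message property even though we received an AuthN Fault. Something is fundamentally broken. Ensure assembly versions are correct and upgrades did not change protocol.");
                        }

                        // Surface the gate to the caller together with the context needed to answer it.
                        throw new AuthenticationRequiredException(authNFault.Reason.ToString(),
                                                                  msAuthNFault,
                                                                  responseContext);
                    }
                }
                finally
                {
                    // Only a successful Put keeps the change; every other outcome rolls the transaction back.
                    if (putSuccess)
                    {
                        transaction.AcceptChanges();
                    }
                    else
                    {
                        transaction.DiscardChanges();
                    }
                }
            }
        }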
コード例 #6
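        /// <summary>
        /// Starts the password-reset workflow for <c>domain\username</c> through the alternate endpoint.
        /// Without a valid token the service answers with an AuthenticationRequired fault, which is rethrown as
        /// <see cref="AuthenticationRequiredException"/> so the caller can answer the gates and call again.
        /// </summary>
        /// <param name="domain">NetBIOS domain of the account.</param>
        /// <param name="username">Account name within <paramref name="domain"/>.</param>
        /// <param name="authNSecurityToken">Token obtained from the STS once the gates were passed.</param>
        /// <param name="contextMessageProperty">Security context bound to the token.</param>
        /// <exception cref="ArgumentException"><paramref name="domain"/> or <paramref name="username"/> is empty, or
        /// the resulting identity is not of the form Domain\user.</exception>
        /// <exception cref="AuthenticationRequiredException">The service requires a gate to be answered first.</exception>
        /// <exception cref="InvalidOperationException">An AuthN fault was received without a usable security context.</exception>
        public static void OTPReset(string domain, string username, ContextualSecurityToken authNSecurityToken, ContextMessageProperty contextMessageProperty)
        {
            // An empty domain would otherwise pass the Domain\user check below ("\user" still splits into two parts).
            if (String.IsNullOrEmpty(domain))
            {
                throw new ArgumentException("User Identity must be specified by netbios domain in this format: Domain name\\user name.", "domain");
            }
            if (String.IsNullOrEmpty(username))
            {
                throw new ArgumentException("User Identity must be specified by netbios domain in this format: Domain name\\user name.", "username");
            }

            // Create an anonymous RmPerson and set ObjectID to Domain\User.
            // The ObjectID attribute becomes the ResourceReferenceProperty in the message header.
            RmPerson user = new RmPerson();
            RmReference domainAndUsernameReference = new RmReference();
            domainAndUsernameReference.DomainAndUserNameValue = domain + '\\' + username;
            user.ObjectID = domainAndUsernameReference;

            // Pre-created so that a fault thrown from inside Put still leaves an object whose Message can be
            // inspected. NOTE(review): whether AlternateClient.Put assigns the out parameter before faulting is not
            // visible here - confirm.
            PutResponse putResponse = new PutResponse();
            bool putSuccess = false; // Stays false unless no password-reset / QA AuthN workflow is attached.

            var alternateClient = new AlternateClient();
            var mexClient = new MexClient();
            XmlSchemaSet metadata = mexClient.Get();
            var requestFactory = new RmRequestFactory(metadata);

            // Set ResetPassword inside a transaction so the change is captured in the Put request.
            using (RmResourceChanges transaction = new RmResourceChanges(user))
            {
                transaction.BeginChanges();

                user.ResetPassword = "******";

                try
                {
                    if (transaction.RmObject.ObjectID.Value.Split('\\').Length != 2)
                    {
                        throw new ArgumentException("User Identity must be specified by netbios domain in this format: Domain name\\user name.");
                    }

                    PutRequest alternateEPrequest = requestFactory.CreatePutRequest(transaction);

                    try
                    {
                        alternateClient.Put(alternateEPrequest, out putResponse, authNSecurityToken, contextMessageProperty);
                        putSuccess = true;
                    }
                    catch (System.ServiceModel.FaultException<Microsoft.ResourceManagement.Client.Faults.AuthenticationRequiredFault> authNFault)
                    {
                        Microsoft.ResourceManagement.WebServices.WSResourceManagement.AuthenticationRequiredFault msAuthNFault =
                            new Microsoft.ResourceManagement.WebServices.WSResourceManagement.AuthenticationRequiredFault(authNFault.Detail.SecurityTokenServiceAddress,
                                                                                             authNFault.Detail.UserRegistered.GetValueOrDefault(),
                                                                                             authNFault.Detail.UserLockedOut.GetValueOrDefault());

                        if (putResponse == null || putResponse.Message == null)
                        {
                            throw new InvalidOperationException("Could not retrieve security context message property even though we received an AuthN Fault. Something is fundamentally broken. Ensure assembly versions are correct and upgrades did not change protocol.");
                        }

                        ContextMessageProperty responseContext;
                        if (!ContextMessageProperty.TryGet(putResponse.Message, out responseContext))
                        {
                            throw new InvalidOperationException("Could not retrieve security context message property even though we received an AuthN Fault. Something is fundamentally broken. Ensure assembly versions are correct and upgrades did not change protocol.");
                        }

                        // Surface the gate to the caller together with the context needed to answer it.
                        throw new AuthenticationRequiredException(authNFault.Reason.ToString(),
                                                                 msAuthNFault,
                                                                 responseContext);
                    }
                }
                finally
                {
                    // Only a successful Put keeps the change; every other outcome rolls the transaction back.
                    if (putSuccess)
                    {
                        transaction.AcceptChanges();
                    }
                    else
                    {
                        transaction.DiscardChanges();
                    }
                }
            }
        }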
コード例 #7
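        /// <summary>
        /// Builds a <see cref="ContextualSecurityToken"/> from the issued SAML token and the proof material
        /// carried in this RSTR.
        /// </summary>
        /// <param name="context">Security context the token is bound to.</param>
        /// <returns>The token, or null when the response carries no RequestedSecurityToken.</returns>
        /// <exception cref="InvalidOperationException">The assertion lacks the Conditions NotBefore/NotOnOrAfter attributes.</exception>
        public Microsoft.ResourceManagement.WebServices.Client.ContextualSecurityToken GetContextTokenFromResponse(ContextMessageProperty context)
        {
            if (RequestedSecurityToken == null)
            {
                return null;
            }

            // Only a name table is needed for prefix resolution; no copy of the token has to be loaded for that.
            XmlNamespaceManager nsManager = new XmlNamespaceManager(new NameTable());
            nsManager.AddNamespace("saml", "urn:oasis:names:tc:SAML:1.0:assertion");

            XmlNode notBefore = RequestedSecurityToken.SelectSingleNode("saml:Conditions/@NotBefore", nsManager);
            XmlNode notOnOrAfter = RequestedSecurityToken.SelectSingleNode("saml:Conditions/@NotOnOrAfter", nsManager);
            if (notBefore == null || notOnOrAfter == null)
            {
                throw new InvalidOperationException("The issued SAML assertion carries no Conditions/@NotBefore and Conditions/@NotOnOrAfter attributes.");
            }

            // The condition timestamps are xsd:dateTime values; XmlConvert parses them culture-independently and
            // keeps them in UTC, where DateTime.Parse would depend on the current culture and shift them to local time.
            DateTime effectiveTime = XmlConvert.ToDateTime(notBefore.Value, XmlDateTimeSerializationMode.Utc);
            DateTime expirationTime = XmlConvert.ToDateTime(notOnOrAfter.Value, XmlDateTimeSerializationMode.Utc);

            // NOTE(review): the assertion's signature, issuer and audience are not verified in this method; the
            // token is accepted on the strength of the channel that delivered it - confirm that channel is
            // authenticated and that validation happens elsewhere.
            WSSecurityTokenSerializer serializer = new WSSecurityTokenSerializer();
            SecurityToken requestedProofToken =
                serializer.ReadToken(
                    new XmlNodeReader(this.RequestedProofToken),
                    new SecurityContextSecurityTokenResolver(Int32.MaxValue, false));
            SecurityKeyIdentifierClause requestedUnattachedReference =
                serializer.ReadKeyIdentifierClause(new XmlNodeReader(RequestedUnattachedReference));
            SecurityKeyIdentifierClause requestedAttachedReference =
                serializer.ReadKeyIdentifierClause(new XmlNodeReader(RequestedAttachedReference));

            // No authorization policies are attached to the token; callers only use it to authenticate.
            return new ContextualSecurityToken(
                new GenericXmlSecurityToken(
                    RequestedSecurityToken,
                    requestedProofToken,
                    effectiveTime,
                    expirationTime,
                    requestedUnattachedReference,
                    requestedAttachedReference,
                    new ReadOnlyCollection<IAuthorizationPolicy>(new List<IAuthorizationPolicy>())
                    ), context);
        }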