public static Saml2Assertion BuildAssertion()
{
var certificate = AssertionFactroryMock.GetMockCertificate();
var signingCredentials = new SigningCredentials(new X509AsymmetricSecurityKey(certificate), SecurityAlgorithms.RsaSha1Signature, SecurityAlgorithms.Sha1Digest, new SecurityKeyIdentifier(new X509RawDataKeyIdentifierClause(certificate)));
var assertion = new Saml2Assertion(new Saml2NameIdentifier("https://dg-mfb/idp/shibboleth", new Uri(NameIdentifierFormats.Entity)));
assertion.Subject = new Saml2Subject(new Saml2NameIdentifier("TestSubject", new Uri(NameIdentifierFormats.Persistent)));
assertion.SigningCredentials = signingCredentials;
return(assertion);
}
/// <summary>
/// Creates a Saml2Assertion from a ClaimsIdentity.
/// </summary>
/// <param name="identity">Claims to include in Assertion.</param>
/// <param name="issuer">Issuer to include in assertion.</param>
/// <param name="audience">Audience to set as audience restriction.</param>
/// <returns>Saml2Assertion</returns>
public static Saml2Assertion ToSaml2Assertion(
this ClaimsIdentity identity,
EntityId issuer,
Uri audience)
{
if (identity == null)
{
throw new ArgumentNullException(nameof(identity));
}
if (issuer == null)
{
throw new ArgumentNullException(nameof(issuer));
}
var assertion = new Saml2Assertion(new Saml2NameIdentifier(issuer.Id))
{
Subject = new Saml2Subject(new Saml2NameIdentifier(
identity.Claims.Single(c => c.Type == ClaimTypes.NameIdentifier).Value)),
};
assertion.Statements.Add(
new Saml2AuthenticationStatement(
new Saml2AuthenticationContext(
new Uri("urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified")))
{
SessionIndex = identity.Claims.SingleOrDefault(
c => c.Type == AuthServicesClaimTypes.SessionIndex)?.Value
});
var attributeClaims = identity.Claims.Where(
c => c.Type != ClaimTypes.NameIdentifier &&
c.Type != AuthServicesClaimTypes.SessionIndex).GroupBy(c => c.Type);
if (attributeClaims.Any())
{
assertion.Statements.Add(
new Saml2AttributeStatement(
attributeClaims.Select(
ac => new Saml2Attribute(ac.Key, ac.Select(c => c.Value)))));
}
assertion.Conditions = new Saml2Conditions()
{
NotOnOrAfter = DateTime.UtcNow.AddMinutes(2)
};
if (audience != null)
{
assertion.Conditions.AudienceRestrictions.Add(
new Saml2AudienceRestriction(audience));
}
return(assertion);
}
/*public SecurityToken ExchangeAssertion(SealCard sc, string appliesTo)
* {
* return ExchangeAssertion(appliesTo, sc.Xassertion);
* }
*
* public SecurityToken ExchangeAssertion(IdCard sc, string appliesTo)
* {
* return ExchangeAssertion(appliesTo, sc.Xassertion);
* }
*
* public SecurityToken ExchangeAssertionViaGW( string appliesTo)
* {
* return ExchangeAssertion(appliesTo, new XElement(NameSpaces.xwsse + "SecurityTokenReference", new XElement(NameSpaces.xwsse + "Reference", new XAttribute("URI", "#IDCard"))));
* }*/
SecurityToken ExchangeAssertion(Saml2Assertion assertion, Saml2Assertion healthAssertion, string appliesTo)
{
var rst = CreateWsTrustRequest();
rst.Context = "urn:uuid:" + Guid.NewGuid().ToString("D");
rst.ActAs = new SecurityTokenElement(new Saml2SecurityToken2(assertion, healthAssertion));
rst.AppliesTo = new AppliesTo(new EndpointReference(appliesTo));
rst.TokenType = "http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0";
return(this.GetTokenCore(TimeSpan.Zero) as SealSaml2SecurityToken);
}
public static Saml2Assertion MakeNemIdAssertion(X509Certificate2 certificate)
{
var doc = Global.SignedTokenXml();
Saml2Assertion sa;
using (var rd = doc.CreateReader())
{
var s2sth = new Saml2SecurityTokenHandler
{
/*Configuration = new SecurityTokenHandlerConfiguration
* {
* IssuerTokenResolver = new Saml2IssuerTokenResolver()
* }*/
};
var s2st = s2sth.ReadToken(rd) as Saml2SecurityToken;
sa = s2st.Assertion;
}
var ass = new Saml2Assertion(new Saml2NameIdentifier(sa.Issuer.Value))
{
Conditions = new Saml2Conditions
{
NotOnOrAfter = DateTime.Now + TimeSpan.FromHours(8),
NotBefore = DateTime.Now
},
Subject = new Saml2Subject(new Saml2NameIdentifier(certificate.SubjectName.Name))
};
ass.Subject.SubjectConfirmations.Add(new Saml2SubjectConfirmation(new Uri("urn:oasis:names:tc:SAML:2.0:cm:bearer"))
{
SubjectConfirmationData = new Saml2SubjectConfirmationData
{
NotOnOrAfter = DateTime.Now + TimeSpan.FromHours(8),
Recipient = new Uri("https://staging.fmk-online.dk/fmk/saml/SAMLAssertionConsumer")
}
});
var q = from att in sa.Statements.OfType <Saml2AttributeStatement>().First().Attributes
select new Saml2Attribute(att.Name, att.Values.First())
{
NameFormat = att.NameFormat
};
ass.Statements.Add(new Saml2AttributeStatement(q));
ass.Statements.Add(new Saml2AuthenticationStatement(new Saml2AuthenticationContext(new Uri("element:urn:oasis:names:tc:SAML:2.0:ac:classes:X509")), DateTime.Now));
/*var secClause = new X509RawDataKeyIdentifierClause(certificate);
* var issuerKeyIdentifier = new SecurityKeyIdentifier(secClause);
* issuerKeyIdentifier.Add(secClause);*/
ass.SigningCredentials = new X509SigningCredentials(certificate); //, SignedXml.XmlDsigRSASHA1Url, SignedXml.XmlDsigSHA1Url);
return(ass);
}
public OioSamlAssertionToIdCardRequest(XDocument doc) : base(doc)
{
List <XElement> assertions = GetTags(new List <ITag>()
{
SoapTags.Envelope, SoapTags.Body, WstTags.RequestSecurityToken, Wst14Tags.ActAs, SamlTags.Assertion
});
if (assertions.Count > 1)
{
contextToken = new Saml2AssertionSerializer().ReadSaml2Assertion(assertions[1].CreateReader());
}
}
public void CanonicalString()
{
var context = new CompareContext($"{this}.CanonicalString");
var assertion = new Saml2Assertion(new Saml2NameIdentifier("nameIdentifier"));
var canonicalString = assertion.CanonicalString;
var canonicalString2 = assertion.CanonicalString;
IdentityComparer.AreStringsEqual(canonicalString, canonicalString2, context);
TestUtilities.AssertFailIfErrors(context);
}
private Saml2Assertion CreateSaml2Assertion(Saml20Assertion assertion)
{
var result = new Saml2Assertion(new Saml2NameIdentifier(assertion.Subject.Value));
var attributes = new List <Saml2Attribute>();
foreach (var samlAttribute in assertion.Attributes)
{
attributes.Add(new Saml2Attribute(samlAttribute.Name, samlAttribute.AttributeValue));
}
result.Statements.Add(new Saml2AttributeStatement(attributes));
return(result);
}
public override SecurityToken ReadToken(string tokenString)
{
var assertion = new Saml2Assertion(new Saml2NameIdentifier("__TemporaryIssuer__"));
var wrappedSerializer = new WrappedSerializer(this, assertion);
var sr = new StringReader(_samlXml);
using (var reader1 = XmlReader.Create(sr))
{
var reader2 = new EnvelopedSignatureReader(reader1,
wrappedSerializer,
Configuration.IssuerTokenResolver,
false,
false, false);
if (!reader2.ReadToFollowing("Signature", "http://www.w3.org/2000/09/xmldsig#") || !reader2.TryReadSignature())
{
throw new FederatedAuthenticationException("Cannot find token signature",
FederatedAuthenticationErrorCode.WrongFormat);
}
if (!reader2.ReadToFollowing("Assertion", "urn:oasis:names:tc:SAML:2.0:assertion"))
{
throw new FederatedAuthenticationException("Cannot find token assertion",
FederatedAuthenticationErrorCode.WrongFormat);
}
assertion = ReadAssertion(reader2);
try
{
while (reader2.Read())
{
//
}
}
catch (CryptographicException cryptographicExceptione)
{
throw new FederatedAuthenticationException(cryptographicExceptione.Message,
FederatedAuthenticationErrorCode.NotTrustedIssuer,
cryptographicExceptione);
}
assertion.SigningCredentials = reader2.SigningCredentials;
var keys = ResolveSecurityKeys(assertion, Configuration.ServiceTokenResolver);
SecurityToken token;
TryResolveIssuerToken(assertion, Configuration.IssuerTokenResolver, out token);
return(new Saml2SecurityToken(assertion, keys, token));
}
}
private string GetTokenString(string organizationName, bool isServiceBusScope)
{
// Generate Saml assertions..
string issuerName = DefaultIssuer;
//string issuerName = "localhost";
Saml2NameIdentifier saml2NameIdentifier = new Saml2NameIdentifier(issuerName); // this is the issuer name.
Saml2Assertion saml2Assertion = new Saml2Assertion(saml2NameIdentifier);
Uri acsScope = new Uri(StsPath(solutionName, isServiceBusScope));
saml2Assertion.Conditions = new Saml2Conditions();
saml2Assertion.Conditions
.AudienceRestrictions.Add(new Saml2AudienceRestriction(acsScope)); // this is the ACS uri.
saml2Assertion.Conditions.NotOnOrAfter = DateTime.Now.AddDays(1); // Should this be utc?
saml2Assertion.Conditions.NotBefore = DateTime.Now.AddHours(-1); // should this be utc?
string certName = "localhost";
X509Certificate2 localCert = RetrieveCertificate(certName);
if (!localCert.HasPrivateKey)
{
throw new ArgumentException("Cert should have private key.", "certificate");
}
saml2Assertion.SigningCredentials = new X509SigningCredentials(localCert); // this cert should have the private keys.
// Add claim assertions.
saml2Assertion.Statements.Add(
new Saml2AttributeStatement(
new Saml2Attribute(OrganizationClaimType, organizationName)));
// the submitter should always be a bearer.
saml2Assertion.Subject = new Saml2Subject(new Saml2SubjectConfirmation(Saml2Constants.ConfirmationMethods.Bearer));
// Wrap it into a security token.
SecurityTokenHandler tokenHandler = new Saml2SecurityTokenHandler();
SecurityToken securityToken = new Saml2SecurityToken(saml2Assertion);
// Serialize the security token.
StringBuilder sb = new StringBuilder();
using (XmlWriter writer = XmlTextWriter.Create(new StringWriter(sb, CultureInfo.InvariantCulture)))
{
tokenHandler.WriteToken(writer, securityToken);
writer.Close();
}
return(sb.ToString());
}
public void Saml2AssertionExtensions_ToXElement_Statements()
{
var attributeValue = "Test";
var assertion = new Saml2Assertion(
new Saml2NameIdentifier("http://idp.example.com"));
assertion.Statements.Add(
new Saml2AttributeStatement(new Saml2Attribute(ClaimTypes.Role, attributeValue)));
assertion.Statements.Add(
new Saml2AuthenticationStatement(
new Saml2AuthenticationContext(
new Uri("urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified")))
{
SessionIndex = "SessionIndex"
});
// Grab time before and after to use when comparing times. Even if
// the time changes in the middle of the test, it should match one
// of these times (unless you're debugging and spending more than
// one second stepping through the code).
var timeBefore = DateTime.UtcNow;
var result = assertion.ToXElement();
var timeAfter = DateTime.UtcNow;
var actualAttributeXml = result.Element(Saml2Namespaces.Saml2 + "AttributeStatement");
var expectedAttributeXml = new XElement(Saml2Namespaces.Saml2 + "AttributeStatement",
new XElement(Saml2Namespaces.Saml2 + "Attribute",
new XAttribute("Name", ClaimTypes.Role),
new XElement(Saml2Namespaces.Saml2 + "AttributeValue",
attributeValue)));
actualAttributeXml.Should().BeEquivalentTo(expectedAttributeXml);
var actualAuthnXml = result.Element(Saml2Namespaces.Saml2 + "AuthnStatement");
// Compare time first and then drop it to avoid race issues
var authnInstant = actualAuthnXml.Attribute("AuthnInstant");
authnInstant.Value.Should().Match(
d => d == timeBefore.ToSaml2DateTimeString() || d == timeAfter.ToSaml2DateTimeString());
authnInstant.Remove();
var expectedAuthnXml = new XElement(Saml2Namespaces.Saml2 + "AuthnStatement",
new XAttribute("SessionIndex", "SessionIndex"),
new XElement(Saml2Namespaces.Saml2 + "AuthnContext",
new XElement(Saml2Namespaces.Saml2 + "AuthnContextClassRef",
"urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified")));
actualAuthnXml.Should().BeEquivalentTo(expectedAuthnXml);
}
public void Saml2AssertionExtensions_ToXElement_Subject()
{
var subjectName = "JohnDoe";
var assertion = new Saml2Assertion(
new Saml2NameIdentifier("http://idp.example.com"))
{
Subject = new Saml2Subject(new Saml2NameIdentifier(subjectName))
};
var subject = assertion.ToXElement();
subject.Element(Saml2Namespaces.Saml2 + "Subject").
Element(Saml2Namespaces.Saml2 + "NameID").Value.Should().Be(subjectName);
}
public void Saml2AssertionExtensions_ToXElement_Statements()
{
var attributeValue = "Test";
var assertion = new Saml2Assertion(
new Saml2NameIdentifier("http://idp.example.com"));
assertion.Statements.Add(
new Saml2AttributeStatement(new Saml2Attribute(ClaimTypes.Role, attributeValue)));
var subject = assertion.ToXElement();
subject.Element(Saml2Namespaces.Saml2 + "AttributeStatement").Element(Saml2Namespaces.Saml2 + "Attribute").Attribute("Name").Value.Should().Be(ClaimTypes.Role);
subject.Element(Saml2Namespaces.Saml2 + "AttributeStatement").Element(Saml2Namespaces.Saml2 + "Attribute").Element(Saml2Namespaces.Saml2 + "AttributeValue").Value.Should().Be(attributeValue);
}
private static XmlNode GetAssertion(XmlDocument xmlDoc, SSOLoginData ssoLoginData)
{
if (File.Exists(certPath))
{
var assertion = new Saml2Assertion(new Saml2NameIdentifier("Assurex Global Test System"));
assertion.Subject = new Saml2Subject(new Saml2NameIdentifier("*****@*****.**"));
assertion.Subject.SubjectConfirmations.Add(new Saml2SubjectConfirmation(new Uri(SAML2_Bearer))
{ SubjectConfirmationData = new Saml2SubjectConfirmationData() { Recipient = new Uri(recepient) } });
assertion.Statements.Add(new Saml2AuthenticationStatement(new Saml2AuthenticationContext(new Uri(SAML2_Password))));
List<Saml2Attribute> attributes = new List<Saml2Attribute>()
{
GetAttribute("UserName", ssoLoginData.Email),
GetAttribute("FirstName", ssoLoginData.FirstName),
GetAttribute("LastName", ssoLoginData.LastName),
GetAttribute("Country", ssoLoginData.Country),
GetAttribute("City", ssoLoginData.City),
GetAttribute("Department", ssoLoginData.Department),
GetAttribute("PhoneNumber", ssoLoginData.PhoneNumber),
GetAttribute("GroupMembership", ssoLoginData.GroupMembership),
GetAttribute("ErrorUrl", ssoLoginData.ErrorUrl),
};
assertion.Statements.Add(new Saml2AttributeStatement(attributes));
var samlAssertion = assertion;
var serializer = new Saml2Serializer();
var sb = new StringBuilder();
var settings = new XmlWriterSettings();
using (var writer = XmlWriter.Create(sb, settings))
{
serializer.WriteSaml2Assertion(writer, samlAssertion);
}
var samlXmlDoc = new XmlDocument();
samlXmlDoc.LoadXml(sb.ToString());
var xmlAssertion = xmlDoc.ImportNode(samlXmlDoc.DocumentElement, true);
return xmlAssertion;
}
else
{
throw new Exception($"Unable to find Certificate. Path: {certPath}");
}
}
public static Saml2Assertion MakeHealthContextAssertion(string nameIdentifier,
string subjectName,
string itSystem,
string userAuthorizationCode = null,
string userEducationCode = null,
string userGivenName = null,
string userSurName = null)
{
var sa = new Saml2Assertion(new Saml2NameIdentifier(nameIdentifier))
{
Subject = new Saml2Subject(new Saml2NameIdentifier(subjectName, new Uri(SamlValues.NameidFormatX509SubjectName)))
};
sa.Subject.SubjectConfirmations.Add(new Saml2SubjectConfirmation(new Uri(SamlValues.ConfirmationMethodSenderVouches)));
var attributes = new[]
{
userAuthorizationCode == null
? null
: new Saml2Attribute(HealthcareSamlAttributes.UserAuthorizationCode, userAuthorizationCode)
{
NameFormat = new Uri(SamlValues.NameFormatBasic)
},
userEducationCode == null
? null
: new Saml2Attribute(HealthcareSamlAttributes.UserEducationCode, userEducationCode)
{
NameFormat = new Uri(SamlValues.NameFormatBasic)
},
userGivenName == null
? null
: new Saml2Attribute(HealthcareSamlAttributes.UserGivenName, userGivenName)
{
NameFormat = new Uri(SamlValues.NameFormatBasic)
},
userSurName == null
? null
: new Saml2Attribute(HealthcareSamlAttributes.UserSurName, userSurName)
{
NameFormat = new Uri(SamlValues.NameFormatBasic)
},
new Saml2Attribute(HealthcareSamlAttributes.ItSystemName, itSystem)
{
NameFormat = new Uri(SamlValues.NameFormatBasic)
}
};
sa.Statements.Add(new Saml2AttributeStatement(attributes.Where(a => a != null)));
return(sa);
}
private async Task SignIn(Saml2Assertion assertion, AuthenticationProperties authenticationProperties)
{
System.Console.WriteLine("");
System.Console.WriteLine("[Saml2Handler][SignIn] =>");
var claims = _claimFactory.Create(assertion);
var identity = new ClaimsIdentity(claims, Scheme.Name);
var principal = new ClaimsPrincipal(identity);
System.Console.WriteLine("[Saml2Handler][SignIn] => claims: " + claims);
System.Console.WriteLine("[Saml2Handler][SignIn] => identity: " + identity);
System.Console.WriteLine("[Saml2Handler][SignIn] => principal: " + principal);
await Context.SignInAsync(Options.SignInScheme, principal, authenticationProperties);
}
public static SecurityToken MakeBootstrapSecurityToken()
{
Saml2NameIdentifier identifier = new Saml2NameIdentifier("http://localhost/Echo");
Saml2Assertion assertion = new Saml2Assertion(identifier);
assertion.Issuer = new Saml2NameIdentifier("idp1.test.oio.dk");
assertion.Subject = new Saml2Subject(new Saml2NameIdentifier("Casper", new Uri("urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified")));
Saml2Attribute atribute = new Saml2Attribute("dk:gov:saml:attribute:AssuranceLevel", "2");
atribute.NameFormat = new Uri("urn:oasis:names:tc:SAML:2.0:attrname-format:basic");
assertion.Statements.Add(new Saml2AttributeStatement(atribute));
return(new Saml2SecurityToken(assertion));
}
public SealCard ExchangeAssertion(Saml2Assertion assertion, Saml2Assertion healthAssertion, string appliesTo)
{
var rst = CreateWsTrustRequest();
rst.Context = "urn:uuid:" + Guid.NewGuid().ToString("D");
rst.ActAs = new SecurityTokenElement(new Saml2SecurityToken2(assertion, healthAssertion));
rst.AppliesTo = new AppliesTo(new EndpointReference(appliesTo));
rst.TokenType = "http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0";
//RequestSecurityTokenResponse rstr = null;
//var token = new ChannelFactory<WSTrustChannel>().Issue(rst, out rstr) as SealSaml2SecurityToken;
var token = GetTokenCore(TimeSpan.Zero) as SealSaml2SecurityToken;
return(new SealCard(token.assertion));
}
private static XmlDocument CreateXmlDocFromSamlAssertion(Saml2Assertion assertion)
{
var serializer = new Saml2Serializer();
var sb = new StringBuilder();
var settings = new XmlWriterSettings();
using (var writer = XmlWriter.Create(sb, settings))
{
serializer.WriteSaml2Assertion(writer, assertion);
}
var doc = new XmlDocument();
doc.LoadXml(sb.ToString());
return(doc);
}
public static ClaimsIdentity ToClaimsIdentity(this Saml2Assertion value, string authenticationType, string nameType = null, string roleType = null)
{
//throw new NotImplementedException();
if (value == null)
{
throw new ArgumentNullException("value");
}
var claims = value.Statements
.OfType <Saml2AttributeStatement>()
.SelectMany(a => a.Attributes, (s, atr) => atr.ToClaims(value.Issuer.Value))
.SelectMany(r => r)
.Union(ClaimsFromSubject(value.Subject, value.Issuer));
return(new ClaimsIdentity(claims
, authenticationType, nameType, roleType));
}
public void Saml2AssertionExtensions_ToXElement_Conditions()
{
var assertion = new Saml2Assertion(
new Saml2NameIdentifier("http://idp.example.com"))
{
Conditions = new Saml2Conditions()
{
NotOnOrAfter = new DateTime(2099, 07, 25, 19, 52, 42, DateTimeKind.Utc)
}
};
var subject = assertion.ToXElement();
subject.Element(Saml2Namespaces.Saml2 + "Conditions")
.Attribute("NotOnOrAfter").Value.Should().Be("2099-07-25T19:52:42Z");
}
private static XElement Saml2AssertionToXElement(Saml2Assertion assertion)
{
var sb = new StringBuilder();
var settings = new XmlWriterSettings
{
OmitXmlDeclaration = true,
Encoding = Encoding.UTF8
};
using (var stringWriter = new StringWriter(sb))
using (var xmlWriter = XmlWriter.Create(stringWriter, settings))
using (var dictionaryWriter = XmlDictionaryWriter.CreateDictionaryWriter(xmlWriter))
{
new Saml2AssertionSerializer().WriteSaml2Assertion(xmlWriter, assertion);
}
return(XElement.Parse(sb.ToString()));
}
public static string GetAttributeValue(this Saml2Assertion ass, string attributeName)
{
foreach (var contextTokenStatement in ass.Statements)
{
var attributeStatement = contextTokenStatement as Saml2AttributeStatement;
if (attributeStatement != null)
{
foreach (var attributeStatementAttribute in attributeStatement.Attributes)
{
if (attributeStatementAttribute.Name == attributeName)
{
return(attributeStatementAttribute.Values.FirstOrDefault());
}
}
}
}
return("");
}
/// <summary>
/// Creates a Saml2Assertion from a ClaimsIdentity.
/// </summary>
/// <returns>Saml2Assertion</returns>
public static Saml2Assertion ToSaml2Assertion(this ClaimsIdentity identity, string issuer)
{
if (identity == null)
{
throw new ArgumentNullException("identity");
}
var assertion = new Saml2Assertion(new Saml2NameIdentifier(issuer));
assertion.Subject = new Saml2Subject(new Saml2NameIdentifier(
identity.Claims.Single(c => c.Type == ClaimTypes.NameIdentifier).Value));
assertion.Conditions = new Saml2Conditions()
{
NotOnOrAfter = DateTime.UtcNow.AddMinutes(2)
};
return(assertion);
}
public void ShouldAddSubjectConfirmationData(string recipient)
{
var assertion = new Saml2Assertion(new Saml2NameIdentifier("__notused__"));
assertion.Subject = new Saml2Subject(new Saml2NameIdentifier("__notused__"));
var recipientUrl = new Uri(recipient);
var token = new Saml2SecurityToken(assertion);
token.SetRecipient(recipientUrl);
var bearers = token.Assertion.Subject.SubjectConfirmations.Where(c => c.Method == Saml2Constants.ConfirmationMethods.Bearer);
Assert.Single(bearers);
var data = bearers.Single().SubjectConfirmationData;
Assert.NotNull(data);
Assert.Equal(recipientUrl, data.Recipient);
Assert.Null(data.InResponseTo);
}
public SecurityToken ExchangeAssertion(Saml2Assertion assertion, Saml2Assertion healthAssertion, SealCard sc, string appliesTo)
{
var rst = CreateWsTrustRequest();
rst.Context = "urn:uuid:" + Guid.NewGuid().ToString("D");
rst.ActAs = new SecurityTokenElement(new Saml2SecurityToken2(assertion, healthAssertion));
rst.AppliesTo = new AppliesTo(new EndpointReference(appliesTo));
rst.TokenType = "http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0";
return(this.GetTokenCore(TimeSpan.Zero) as SealSaml2SecurityToken);
/*
* RequestSecurityTokenResponse rstr = null;
* var cc = Channel.Channel as IContextChannel;
* using (var scope = new OperationContextScope(cc))
* {
* OperationContext.Current.OutgoingMessageHeaders.Add(new SealCardMessageHeader(sc));
* return Channel.Issue(rst, out rstr);
* }*/
}
public IList <Claim> Create(Saml2Assertion assertion)
{
var claims = new List <Claim>();
if (!string.IsNullOrEmpty(assertion.Subject.Value))
{
claims.Add(new Claim(Saml2ClaimTypes.Subject, assertion.Subject.Value));
claims.Add(new Claim(Saml2ClaimTypes.Name, assertion.Subject.Value));
claims.Add(new Claim(Saml2ClaimTypes.NameIdentifier, assertion.Subject.Value));
}
claims.Add(assertion.SessionIndex.IsNotNullOrEmpty()
? new Claim(Saml2ClaimTypes.SessionIndex, assertion.SessionIndex)
: new Claim(Saml2ClaimTypes.SessionIndex, assertion.Id));
claims.AddRange(assertion.Attributes.Select(attribute =>
new Claim(attribute.Name, attribute.AttributeValue[0].ToString())));
return(claims);
}
private static Saml2Assertion CreateAssertion(SigningCredentials samlpTokenSigningCredentials)
{
var assertion = new Saml2Assertion(new Saml2NameIdentifier("https://mojeid.regtest.nic.cz/saml/idp.xml", new Uri("urn:oasis:names:tc:SAML:2.0:nameid-format:entity")))
{
InclusiveNamespacesPrefixList = "ns1 ns2",
IssueInstant = DateTime.Parse("2019-04-08T10:30:49Z"),
SigningCredentials = samlpTokenSigningCredentials,
Id = new Saml2Id("id-2bMsOPOKIqeVIDLqJ")
};
var saml2SubjectConfirmationData = new Saml2SubjectConfirmationData
{
InResponseTo = new Saml2Id("ida5714d006fcc430c92aacf34ab30b166"),
NotOnOrAfter = DateTime.Parse("2019-04-08T10:45:49Z"),
Recipient = new Uri("https://tnia.eidentita.cz/fpsts/processRequest.aspx")
};
var saml2SubjectConfirmation = new Saml2SubjectConfirmation(new Uri("urn:oasis:names:tc:SAML:2.0:cm:bearer"), saml2SubjectConfirmationData);
var saml2Subject = new Saml2Subject(new Saml2NameIdentifier("6dfe0399103d11411b1fa00772b6a13e0858605b80c20ea845769c57b41479ed", new Uri("urn:oasis:names:tc:SAML:2.0:nameid-format:persistent")));
saml2Subject.SubjectConfirmations.Add(saml2SubjectConfirmation);
assertion.Subject = saml2Subject;
var saml2AudienceRestrictions = new Saml2AudienceRestriction("urn:microsoft: cgg2010: fpsts");
var saml2Conditions = new Saml2Conditions();
saml2Conditions.AudienceRestrictions.Add(saml2AudienceRestrictions);
saml2Conditions.NotBefore = DateTime.Parse("2019-04-08T10:30:49Z");
saml2Conditions.NotOnOrAfter = DateTime.Parse("2019-04-08T10:45:49Z");
assertion.Conditions = saml2Conditions;
var saml2AuthenticationContext = new Saml2AuthenticationContext(new Uri("urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport"));
var saml2Statement = new Saml2AuthenticationStatement(saml2AuthenticationContext)
{
AuthenticationInstant = DateTime.Parse("2019-04-08T10:30:49Z"),
SessionIndex = "id-oTnhrqWtcTTEntvMy"
};
assertion.Statements.Add(saml2Statement);
return(assertion);
}
public void Saml2AssertionExtensions_ToXElement_SubjectConfirmationData()
{
var subjectName = "JohnDoe";
var destination = new Uri("http://sp.example.com");
var inResponseTo = new Saml2Id("abc123");
var notOnOrAfter = DateTime.UtcNow.AddMinutes(2);
var assertion = new Saml2Assertion(
new Saml2NameIdentifier("http://idp.example.com"))
{
Subject = new Saml2Subject(new Saml2NameIdentifier(subjectName))
{
SubjectConfirmations =
{
new Saml2SubjectConfirmation(
new Uri("urn:oasis:names:tc:SAML:2.0:cm:bearer"),
new Saml2SubjectConfirmationData
{
NotOnOrAfter = notOnOrAfter,
InResponseTo = inResponseTo,
Recipient = destination
})
}
}
};
var subject = assertion.ToXElement();
var confirmationData = subject.Element(Saml2Namespaces.Saml2 + "Subject").
Element(Saml2Namespaces.Saml2 + "SubjectConfirmation").
Element(Saml2Namespaces.Saml2 + "SubjectConfirmationData");
confirmationData.
Attribute("Recipient").Value.Should().Be(destination.OriginalString);
confirmationData.
Attribute("NotOnOrAfter").Value.Should().Be(notOnOrAfter.ToSaml2DateTimeString());
confirmationData.
Attribute("InResponseTo").Value.Should().Be(inResponseTo.Value);
}
public void Saml2AssertionExtensions_ToXElement_Xml_BasicAttributes()
{
// Grab the current time before and after creating the assertion to
// handle the unlikely event that the second part of the date time
// is incremented during the test run. We don't want any heisenbugs.
var before = DateTime.UtcNow.ToSaml2DateTimeString();
var issuer = "http://idp.example.com";
var assertion = new Saml2Assertion(new Saml2NameIdentifier(issuer));
var after = DateTime.UtcNow.ToSaml2DateTimeString();
var subject = assertion.ToXElement();
subject.ToString().Should().StartWith(
@"<saml2:Assertion xmlns:saml2=""urn:oasis:names:tc:SAML:2.0:assertion");
subject.Attribute("Version").Value.Should().Be("2.0");
subject.Attribute("ID").Value.Should().NotBeNullOrWhiteSpace();
subject.Attribute("IssueInstant").Value.Should().Match(
i => i == before || i == after);
}
public void ShouldAddSubjectConfirmationDataWithInResponseTo()
{
var inResponseTo = $"_{Guid.NewGuid()}";
var assertion = new Saml2Assertion(new Saml2NameIdentifier("__notused__"));
assertion.Subject = new Saml2Subject(new Saml2NameIdentifier("__notused__"));
var recipientUrl = new Uri("https://notused");
var token = new Saml2SecurityToken(assertion);
token.SetRecipient(recipientUrl, inResponseTo);
var bearers = token.Assertion.Subject.SubjectConfirmations.Where(c => c.Method == Saml2Constants.ConfirmationMethods.Bearer);
Assert.Single(bearers);
var data = bearers.Single().SubjectConfirmationData;
Assert.NotNull(data);
Assert.NotNull(data.InResponseTo);
Assert.Equal(inResponseTo, data.InResponseTo.Value);
}
/// <summary>
/// Creates an instance of <see cref="Saml2SecurityKeyIdentifierClause"/>
/// </summary>
/// <param name="assertion">The assertion can be queried to obtain information about
/// the issuer when resolving the key needed to check the signature.</param>
public Saml2SecurityKeyIdentifierClause(Saml2Assertion assertion)
: base(typeof(Saml2SecurityKeyIdentifierClause).ToString())
{
this.assertion = assertion;
}
