public void Saml2AuthenticationContext_RelativeClassReference_ArgumentException()
{
var classRef = new Uri("resource", UriKind.Relative);
var authContext = new Saml2AuthenticationContext();
Assert.Throws <ArgumentException>(() => new Saml2AuthenticationContext(classRef));
}
public void Saml2AuthenticationContext_RelativeDeclarationReference_ArgumentException()
{
var authContext = new Saml2AuthenticationContext();
var declarationReference = new Uri("resource", UriKind.Relative);
Assert.Throws <ArgumentException>(() => authContext.DeclarationReference = declarationReference);
}
private static SecurityToken GenerateHardcodedToken()
{
var securityTokenDescriptor = new SecurityTokenDescriptor();
securityTokenDescriptor.Subject = ClaimsPrincipal.Current.Identity as ClaimsIdentity;
securityTokenDescriptor.Lifetime = new Lifetime(DateTime.Now, DateTime.Now.AddDays(2));
securityTokenDescriptor.TokenIssuerName = "http://identityserver.v2.thinktecture.com/trust/changethis";
securityTokenDescriptor.AppliesToAddress = "https://windows7:444/identity/wstrust/bearer";
securityTokenDescriptor.SigningCredentials = GenerateSigningCredentials();
Saml2SecurityTokenHandler saml2SecurityTokenHandler = new Saml2SecurityTokenHandler();
var saml2SecurityToken = saml2SecurityTokenHandler.CreateToken(securityTokenDescriptor) as Saml2SecurityToken;
var authenticationMethod = "urn:oasis:names:tc:SAML:2.0:ac:classes:Password";
var authenticationContext = new Saml2AuthenticationContext(new Uri(authenticationMethod));
saml2SecurityToken.Assertion.Statements.Add(new Saml2AuthenticationStatement(authenticationContext));
return(saml2SecurityToken);
}
private static Saml2Assertion CreateAssertion(SigningCredentials samlpTokenSigningCredentials)
{
var assertion = new Saml2Assertion(new Saml2NameIdentifier("https://mojeid.regtest.nic.cz/saml/idp.xml", new Uri("urn:oasis:names:tc:SAML:2.0:nameid-format:entity")))
{
InclusiveNamespacesPrefixList = "ns1 ns2",
IssueInstant = DateTime.Parse("2019-04-08T10:30:49Z"),
SigningCredentials = samlpTokenSigningCredentials,
Id = new Saml2Id("id-2bMsOPOKIqeVIDLqJ")
};
var saml2SubjectConfirmationData = new Saml2SubjectConfirmationData
{
InResponseTo = new Saml2Id("ida5714d006fcc430c92aacf34ab30b166"),
NotOnOrAfter = DateTime.Parse("2019-04-08T10:45:49Z"),
Recipient = new Uri("https://tnia.eidentita.cz/fpsts/processRequest.aspx")
};
var saml2SubjectConfirmation = new Saml2SubjectConfirmation(new Uri("urn:oasis:names:tc:SAML:2.0:cm:bearer"), saml2SubjectConfirmationData);
var saml2Subject = new Saml2Subject(new Saml2NameIdentifier("6dfe0399103d11411b1fa00772b6a13e0858605b80c20ea845769c57b41479ed", new Uri("urn:oasis:names:tc:SAML:2.0:nameid-format:persistent")));
saml2Subject.SubjectConfirmations.Add(saml2SubjectConfirmation);
assertion.Subject = saml2Subject;
var saml2AudienceRestrictions = new Saml2AudienceRestriction("urn:microsoft: cgg2010: fpsts");
var saml2Conditions = new Saml2Conditions();
saml2Conditions.AudienceRestrictions.Add(saml2AudienceRestrictions);
saml2Conditions.NotBefore = DateTime.Parse("2019-04-08T10:30:49Z");
saml2Conditions.NotOnOrAfter = DateTime.Parse("2019-04-08T10:45:49Z");
assertion.Conditions = saml2Conditions;
var saml2AuthenticationContext = new Saml2AuthenticationContext(new Uri("urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport"));
var saml2Statement = new Saml2AuthenticationStatement(saml2AuthenticationContext)
{
AuthenticationInstant = DateTime.Parse("2019-04-08T10:30:49Z"),
SessionIndex = "id-oTnhrqWtcTTEntvMy"
};
assertion.Statements.Add(saml2Statement);
return(assertion);
}
public void Saml2AuthenticationContext_NullClassReference_ArgumentNullException()
{
var authContext = new Saml2AuthenticationContext();
Assert.Throws <ArgumentNullException>(() => authContext.ClassReference = null);
}
private async Task <Saml2SecurityToken> CreateSecurityTokenAsync(SignInRequest request, RelyingParty rp, ClaimsIdentity outgoingSubject)
{
var now = DateTime.Now;
var outgoingNameId = outgoingSubject.Claims.FirstOrDefault(c => c.Type == ClaimTypes.NameIdentifier);
if (outgoingNameId == null)
{
_logger.LogError("The user profile does not have a name id");
throw new SignInException("The user profile does not have a name id");
}
var issuer = new Saml2NameIdentifier(_options.IssuerName);
var nameId = new Saml2NameIdentifier(outgoingNameId.Value);
var subjectConfirmationData = new Saml2SubjectConfirmationData();
subjectConfirmationData.NotOnOrAfter = now.AddMinutes(
rp.TokenLifetimeInMinutes.GetValueOrDefault(_options.DefaultNotOnOrAfterInMinutes));
if (request.Parameters.ContainsKey("Recipient"))
{
subjectConfirmationData.Recipient = new Uri(request.Parameters["Recipient"]);
}
else
{
subjectConfirmationData.Recipient = new Uri(rp.ReplyUrl);
}
var subjectConfirmation = new Saml2SubjectConfirmation(new Uri("urn:oasis:names:tc:SAML:2.0:cm:bearer"),
subjectConfirmationData);
subjectConfirmation.NameIdentifier = nameId;
var subject = new Saml2Subject(subjectConfirmation);
var conditions = new Saml2Conditions(new Saml2AudienceRestriction[]
{
new Saml2AudienceRestriction(request.Realm)
});
conditions.NotOnOrAfter = now.AddMinutes(
rp.TokenLifetimeInMinutes.GetValueOrDefault(_options.DefaultNotOnOrAfterInMinutes));
conditions.NotBefore = now.Subtract(TimeSpan.FromMinutes(_options.DefaultNotBeforeInMinutes));
var authContext = new Saml2AuthenticationContext(new Uri("urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport"));
var authStatement = new Saml2AuthenticationStatement(authContext, now);
authStatement.SessionIndex = (request.Parameters.ContainsKey("SessionIndex")) ? request.Parameters["SessionIndex"] : null;
var attributeStament = new Saml2AttributeStatement();
foreach (var claim in outgoingSubject.Claims)
{
_logger.LogDebug("Adding attribute in SAML token '{0} - {1}'", claim.Type, claim.Value);
attributeStament.Attributes.Add(new Saml2Attribute(claim.Type, claim.Value));
}
var assertion = new Saml2Assertion(issuer);
assertion.Id = new Saml2Id();
assertion.Subject = subject;
assertion.Conditions = conditions;
assertion.Statements.Add(attributeStament);
assertion.Statements.Add(authStatement);
assertion.IssueInstant = now;
assertion.SigningCredentials = await _keyService.GetSigningCredentialsAsync();
var token = new Saml2SecurityToken(assertion);
token.SigningKey = assertion.SigningCredentials.Key;
return(token);
}
