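        /// <summary>
        /// Gets claims identities from the specified SAML token as a GenericXmlSecurityToken
        /// </summary>
        /// <param name="token">SAML token to get identities from; either a <see cref="SamlSecurityToken"/>
        /// or a <see cref="GenericXmlSecurityToken"/> whose <c>TokenXml</c> holds the assertion.</param>
        /// <param name="audienceUri">Audience URI used to obtain the token; registered as the only allowed audience.</param>
        /// <param name="trustIssuer">True to automatically trust the issuer: the certificate that signed this very
        /// token is added to the issuer registry, so the issuer check cannot fail and provides no assurance.
        /// False to validate the issuer against the app configuration</param>
        /// <returns>A collection of claims identities from the SAML token.</returns>
        /// <exception cref="ArgumentNullException"><paramref name="token"/> or <paramref name="audienceUri"/> is null.</exception>
        /// <exception cref="ArgumentException"><paramref name="token"/> is neither a SAML token nor a generic XML SAML token.</exception>
        /// <exception cref="UriFormatException"><paramref name="audienceUri"/> is not a well-formed URI.</exception>
        /// <exception cref="InvalidOperationException"><paramref name="trustIssuer"/> is true but the handler's issuer
        /// registry is not a <see cref="ConfigurationBasedIssuerNameRegistry"/>, or the assertion is not signed with an
        /// X.509 security token.</exception>
        public static IEnumerable <ClaimsIdentity> GetIdentitiesFromSamlToken(SecurityToken token, string audienceUri, bool trustIssuer)
        {
            if (token == null)
            {
                throw new ArgumentNullException("token");
            }
            if (audienceUri == null)
            {
                throw new ArgumentNullException("audienceUri");
            }

            SamlSecurityTokenHandler handler = new SamlSecurityTokenHandler
            {
                Configuration = new SecurityTokenHandlerConfiguration()
            };

            SamlSecurityToken samlToken = token as SamlSecurityToken;
            if (samlToken == null && token is GenericXmlSecurityToken)
            {
                // Re-parse the wrapped assertion XML through the SAML handler so it becomes a typed token.
                samlToken = handler.ReadToken(new XmlNodeReader(((GenericXmlSecurityToken)token).TokenXml)) as SamlSecurityToken;
            }

            if (samlToken == null)
            {
                throw new ArgumentException("The token must be a SAML token or a generic XML SAML token", "token");
            }

            // NOTE(review): chain/revocation validation of the signing certificate is disabled here; the only
            // check on the signer is the issuer-name-registry lookup that ValidateToken performs below.
            handler.SamlSecurityTokenRequirement.CertificateValidator = X509CertificateValidator.None;
            handler.Configuration.AudienceRestriction.AllowedAudienceUris.Add(new Uri(audienceUri));

            if (trustIssuer)
            {
                // configure to auto-trust the issuer: whatever certificate signed this token is registered as
                // trusted, which makes the issuer check a tautology. Suitable for tooling/tests, not for
                // production tokens of unknown origin.
                ConfigurationBasedIssuerNameRegistry issuers = handler.Configuration.IssuerNameRegistry as ConfigurationBasedIssuerNameRegistry;
                if (issuers == null)
                {
                    throw new InvalidOperationException("The handler's IssuerNameRegistry must be a ConfigurationBasedIssuerNameRegistry to auto-trust the issuer");
                }

                // An unsigned assertion, or one signed with a non-X.509 key, has nothing to register.
                X509SecurityToken signingToken = samlToken.Assertion.SigningToken as X509SecurityToken;
                if (signingToken == null)
                {
                    throw new InvalidOperationException("The SAML assertion must be signed with an X.509 security token to auto-trust the issuer");
                }

                issuers.AddTrustedIssuer(signingToken.Certificate.Thumbprint, "sts");
            }
            else
            {
                // Trusted issuers come from <system.identityModel> in the app configuration.
                handler.Configuration.IssuerNameRegistry.LoadCustomConfiguration(
                    SystemIdentityModelSection.DefaultIdentityConfigurationElement.IssuerNameRegistry.ChildNodes);
            }

            return handler.ValidateToken(samlToken);
        }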
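        /// <summary>
        /// Validates the token using the wrapped token handler and generates IAuthorizationPolicy
        /// wrapping the returned ClaimsIdentities.
        /// </summary>
        /// <param name="token">Token to be validated.</param>
        /// <returns>Read-only collection of IAuthorizationPolicy</returns>
        /// <exception cref="InvalidOperationException">The wrapped handler failed, the exception mapper
        /// reported the failure as handled without throwing, and so no identities are available.</exception>
        protected override ReadOnlyCollection <IAuthorizationPolicy> ValidateTokenCore(SecurityToken token)
        {
            IEnumerable <ClaimsIdentity> identities = null;

            try
            {
                identities = _wrappedSaml11SecurityTokenHandler.ValidateToken(token);
            }
            catch (Exception ex)
            {
                // The mapper gets first refusal so that WIF token-processing exceptions can be translated
                // into service-facing faults; if it declines, rethrow with the original stack trace.
                if (!_exceptionMapper.HandleSecurityTokenProcessingException(ex))
                {
                    throw;
                }
            }

            // Fail closed: if the mapper reported the exception as handled but did not throw, identities is
            // still null. Do not build a policy from that — surface the failed validation explicitly.
            if (identities == null)
            {
                throw new InvalidOperationException("Token validation did not produce any claims identities");
            }

            List <IAuthorizationPolicy> policies = new List <IAuthorizationPolicy>(1);

            policies.Add(new AuthorizationPolicy(identities));

            return policies.AsReadOnly();
        }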
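        /// <summary>
        /// Reads the EPAM-signed SAML token held in <c>Resource.EpamToken</c>, validates it against a registry
        /// that trusts only <c>CERTIFICATE_THUMBPRINT</c> / <c>ISSUER_NAME</c>, and prints the first identity.
        /// </summary>
        /// <remarks>
        /// Audience checking is disabled (<see cref="AudienceUriMode.Never"/>) and clock skew is unbounded, so the
        /// stored token validates regardless of its age or intended audience. Those settings exist for this
        /// fixture only; a real relying party would keep both restrictions.
        /// </remarks>
        /// <exception cref="InvalidOperationException">The resource did not parse as a <see cref="SamlSecurityToken"/>.</exception>
        public void ReadEpamSignedSamlToken()
        {
            var issuerRegistry = new ConfigurationBasedIssuerNameRegistry();
            issuerRegistry.AddTrustedIssuer(CERTIFICATE_THUMBPRINT, ISSUER_NAME);

            var tokenHandler = new SamlSecurityTokenHandler
            {
                Configuration = new SecurityTokenHandlerConfiguration
                {
                    AudienceRestriction = new AudienceRestriction(AudienceUriMode.Never),
                    IssuerNameRegistry  = issuerRegistry,
                    MaxClockSkew        = TimeSpan.MaxValue
                }
            };

            // Dispose both readers once the token has been materialised.
            using (var stringReader = new StringReader(Resource.EpamToken))
            using (var xmlReader = XmlReader.Create(stringReader))
            {
                var token = tokenHandler.ReadToken(xmlReader, new NamedKeyIssuerTokenResolver()) as SamlSecurityToken;

                // A null here would otherwise surface as an argument error deep inside ValidateToken.
                if (token == null)
                {
                    throw new InvalidOperationException("Resource.EpamToken did not parse as a SAML security token");
                }

                var identity = tokenHandler.ValidateToken(token).First();

                PrintIdentity(identity);
            }
        }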
 /// <summary>
 /// Runs the SAML 1.1 handler's validation path over the fixture's pre-built token and
 /// validation parameters; the validated <c>SecurityToken</c> output is discarded.
 /// </summary>
 public void Saml1TokenHandlerValidateToken()
     => _saml1SecurityTokenHandler.ValidateToken(_saml1Token, _tokenValidationParameters, out _);
        /// <summary>
        /// Validates a SAML token with the shared handler from <c>TokenHelper</c> and returns the first
        /// claims identity it yields.
        /// </summary>
        /// <param name="token">SAML token to validate.</param>
        /// <returns>The first <see cref="ClaimsIdentity"/> produced by validation, or null when there is none.</returns>
        internal static ClaimsIdentity ValidateSaml(SamlSecurityToken token)
        {
            var samlHandler = TokenHelper.GetSamlHandler();
            var identities = samlHandler.ValidateToken(token);

            return identities.FirstOrDefault();
        }