/// <summary>
/// Returns the collection of certificates that the STS uses to sign tokens.
/// </summary>
/// <returns>The collection of certificates.</returns>
private IEnumerable <X509Certificate2> ReadStsSigningCertificates(SecurityTokenServiceDescriptor stsDescriptor)
{
List <X509Certificate2> stsCertificates = new List <X509Certificate2>();
if (stsDescriptor != null && stsDescriptor.Keys != null)
{
Collection <KeyDescriptor> keyDescriptors = (Collection <KeyDescriptor>)stsDescriptor.Keys;
if (keyDescriptors != null && keyDescriptors.Count > 0)
{
foreach (KeyDescriptor keyDescriptor in keyDescriptors)
{
if (keyDescriptor.KeyInfo != null && (keyDescriptor.Use == KeyType.Signing || keyDescriptor.Use == KeyType.Unspecified))
{
SecurityKeyIdentifier kid = keyDescriptor.KeyInfo;
X509RawDataKeyIdentifierClause clause = null;
kid.TryFind <X509RawDataKeyIdentifierClause>(out clause);
if (clause != null)
{
X509Certificate2 certificate = new X509Certificate2(clause.GetX509RawData());
stsCertificates.Add(certificate);
}
}
}
}
}
return(stsCertificates);
}
public virtual ClaimSet ResolveClaimSet(SecurityKeyIdentifier keyIdentifier)
{
RsaKeyIdentifierClause clause;
EncryptedKeyIdentifierClause clause2;
if (keyIdentifier == null)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("keyIdentifier");
}
if (keyIdentifier.TryFind<RsaKeyIdentifierClause>(out clause))
{
return new DefaultClaimSet(new Claim[] { new Claim(ClaimTypes.Rsa, clause.Rsa, Rights.PossessProperty) });
}
if (keyIdentifier.TryFind<EncryptedKeyIdentifierClause>(out clause2))
{
return new DefaultClaimSet(new Claim[] { Claim.CreateHashClaim(clause2.GetBuffer()) });
}
return null;
}
public virtual ClaimSet ResolveClaimSet(SecurityKeyIdentifier keyIdentifier)
{
RsaKeyIdentifierClause clause;
EncryptedKeyIdentifierClause clause2;
if (keyIdentifier == null)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("keyIdentifier");
}
if (keyIdentifier.TryFind <RsaKeyIdentifierClause>(out clause))
{
return(new DefaultClaimSet(new Claim[] { new Claim(ClaimTypes.Rsa, clause.Rsa, Rights.PossessProperty) }));
}
if (keyIdentifier.TryFind <EncryptedKeyIdentifierClause>(out clause2))
{
return(new DefaultClaimSet(new Claim[] { Claim.CreateHashClaim(clause2.GetBuffer()) }));
}
return(null);
}
protected override bool TryResolveTokenCore(SecurityKeyIdentifier keyIdentifier, out SecurityToken token)
{
SecurityContextKeyIdentifierClause clause;
if (keyIdentifier.TryFind <SecurityContextKeyIdentifierClause>(out clause))
{
return(base.TryResolveToken(clause, out token));
}
token = null;
return(false);
}
public virtual IIdentity ResolveIdentity(SecurityKeyIdentifier keyIdentifier)
{
RsaKeyIdentifierClause clause;
if (keyIdentifier == null)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("keyIdentifier");
}
if (keyIdentifier.TryFind <RsaKeyIdentifierClause>(out clause))
{
return(System.IdentityModel.SecurityUtils.CreateIdentity(clause.Rsa.ToXmlString(false), base.GetType().Name));
}
return(null);
}
protected override bool TryResolveTokenCore(SecurityKeyIdentifier keyIdentifier, out SecurityToken token)
{
SecurityContextKeyIdentifierClause sctSkiClause;
if (keyIdentifier.TryFind <SecurityContextKeyIdentifierClause>(out sctSkiClause))
{
return(TryResolveTokenCore(sctSkiClause, out token));
}
else
{
token = null;
return(false);
}
}
SecurityToken ResolveSignatureToken(SecurityKeyIdentifier keyIdentifier, SecurityTokenResolver resolver, bool isPrimarySignature)
{
SecurityToken token = null;
TryResolveKeyIdentifier(keyIdentifier, resolver, true, out token);
if (token == null && !isPrimarySignature)
{
// check if there is a rsa key token authenticator
if (keyIdentifier.Count == 1)
{
RsaKeyIdentifierClause rsaClause;
if (keyIdentifier.TryFind <RsaKeyIdentifierClause>(out rsaClause))
{
RsaSecurityTokenAuthenticator rsaAuthenticator = FindAllowedAuthenticator <RsaSecurityTokenAuthenticator>(false);
if (rsaAuthenticator != null)
{
token = new RsaSecurityToken(rsaClause.Rsa);
ReadOnlyCollection <IAuthorizationPolicy> authorizationPolicies = rsaAuthenticator.ValidateToken(token);
SupportingTokenAuthenticatorSpecification spec;
TokenTracker rsaTracker = GetSupportingTokenTracker(rsaAuthenticator, out spec);
if (rsaTracker == null)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperWarning(new MessageSecurityException(SR.Format(SR.UnknownTokenAuthenticatorUsedInTokenProcessing, rsaAuthenticator)));
}
rsaTracker.RecordToken(token);
SecurityTokenAuthorizationPoliciesMapping.Add(token, authorizationPolicies);
}
}
}
}
if (token == null)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new MessageSecurityException(
SR.Format(SR.UnableToResolveKeyInfoForVerifyingSignature, keyIdentifier, resolver)));
}
return(token);
}
public virtual IIdentity ResolveIdentity(SecurityKeyIdentifier keyIdentifier)
{
if (keyIdentifier == null)
throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("keyIdentifier");
RsaKeyIdentifierClause rsaKeyIdentifierClause;
if (keyIdentifier.TryFind<RsaKeyIdentifierClause>(out rsaKeyIdentifierClause))
{
return SecurityUtils.CreateIdentity(rsaKeyIdentifierClause.Rsa.ToXmlString(false), this.GetType().Name);
}
return null;
}
public virtual ClaimSet ResolveClaimSet(SecurityKeyIdentifier keyIdentifier)
{
if (keyIdentifier == null)
throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("keyIdentifier");
RsaKeyIdentifierClause rsaKeyIdentifierClause;
EncryptedKeyIdentifierClause encryptedKeyIdentifierClause;
if (keyIdentifier.TryFind<RsaKeyIdentifierClause>(out rsaKeyIdentifierClause))
{
return new DefaultClaimSet(new Claim(ClaimTypes.Rsa, rsaKeyIdentifierClause.Rsa, Rights.PossessProperty));
}
else if (keyIdentifier.TryFind<EncryptedKeyIdentifierClause>(out encryptedKeyIdentifierClause))
{
return new DefaultClaimSet(Claim.CreateHashClaim(encryptedKeyIdentifierClause.GetBuffer()));
}
return null;
}
private SecurityToken ResolveSignatureToken(SecurityKeyIdentifier keyIdentifier, SecurityTokenResolver resolver, bool isPrimarySignature)
{
SecurityToken token;
RsaKeyIdentifierClause clause;
TryResolveKeyIdentifier(keyIdentifier, resolver, true, out token);
if (((token == null) && !isPrimarySignature) && ((keyIdentifier.Count == 1) && keyIdentifier.TryFind <RsaKeyIdentifierClause>(out clause)))
{
RsaSecurityTokenAuthenticator tokenAuthenticator = base.FindAllowedAuthenticator <RsaSecurityTokenAuthenticator>(false);
if (tokenAuthenticator != null)
{
SupportingTokenAuthenticatorSpecification specification;
token = new RsaSecurityToken(clause.Rsa);
ReadOnlyCollection <IAuthorizationPolicy> onlys = tokenAuthenticator.ValidateToken(token);
TokenTracker supportingTokenTracker = base.GetSupportingTokenTracker(tokenAuthenticator, out specification);
if (supportingTokenTracker == null)
{
throw System.ServiceModel.DiagnosticUtility.ExceptionUtility.ThrowHelperWarning(new MessageSecurityException(System.ServiceModel.SR.GetString("UnknownTokenAuthenticatorUsedInTokenProcessing", new object[] { tokenAuthenticator })));
}
supportingTokenTracker.RecordToken(token);
base.SecurityTokenAuthorizationPoliciesMapping.Add(token, onlys);
}
}
if (token == null)
{
throw System.ServiceModel.DiagnosticUtility.ExceptionUtility.ThrowHelperError(new MessageSecurityException(System.ServiceModel.SR.GetString("UnableToResolveKeyInfoForVerifyingSignature", new object[] { keyIdentifier, resolver })));
}
return(token);
}
SecurityToken ResolveSignatureToken(SecurityKeyIdentifier keyIdentifier, SecurityTokenResolver resolver, bool isPrimarySignature)
{
SecurityToken token;
TryResolveKeyIdentifier(keyIdentifier, resolver, true, out token);
if (token == null && !isPrimarySignature)
{
// check if there is a rsa key token authenticator
if (keyIdentifier.Count == 1)
{
RsaKeyIdentifierClause rsaClause;
if (keyIdentifier.TryFind<RsaKeyIdentifierClause>(out rsaClause))
{
RsaSecurityTokenAuthenticator rsaAuthenticator = FindAllowedAuthenticator<RsaSecurityTokenAuthenticator>(false);
if (rsaAuthenticator != null)
{
token = new RsaSecurityToken(rsaClause.Rsa);
ReadOnlyCollection<IAuthorizationPolicy> authorizationPolicies = rsaAuthenticator.ValidateToken(token);
SupportingTokenAuthenticatorSpecification spec;
TokenTracker rsaTracker = GetSupportingTokenTracker(rsaAuthenticator, out spec);
if (rsaTracker == null)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperWarning(new MessageSecurityException(SR.GetString(SR.UnknownTokenAuthenticatorUsedInTokenProcessing, rsaAuthenticator)));
}
rsaTracker.RecordToken(token);
SecurityTokenAuthorizationPoliciesMapping.Add(token, authorizationPolicies);
}
}
}
}
if (token == null)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new MessageSecurityException(
SR.GetString(SR.UnableToResolveKeyInfoForVerifyingSignature, keyIdentifier, resolver)));
}
return token;
}
private SecurityToken ResolveSignatureToken(SecurityKeyIdentifier keyIdentifier, SecurityTokenResolver resolver, bool isPrimarySignature)
{
SecurityToken token;
RsaKeyIdentifierClause clause;
TryResolveKeyIdentifier(keyIdentifier, resolver, true, out token);
if (((token == null) && !isPrimarySignature) && ((keyIdentifier.Count == 1) && keyIdentifier.TryFind<RsaKeyIdentifierClause>(out clause)))
{
RsaSecurityTokenAuthenticator tokenAuthenticator = base.FindAllowedAuthenticator<RsaSecurityTokenAuthenticator>(false);
if (tokenAuthenticator != null)
{
SupportingTokenAuthenticatorSpecification specification;
token = new RsaSecurityToken(clause.Rsa);
ReadOnlyCollection<IAuthorizationPolicy> onlys = tokenAuthenticator.ValidateToken(token);
TokenTracker supportingTokenTracker = base.GetSupportingTokenTracker(tokenAuthenticator, out specification);
if (supportingTokenTracker == null)
{
throw System.ServiceModel.DiagnosticUtility.ExceptionUtility.ThrowHelperWarning(new MessageSecurityException(System.ServiceModel.SR.GetString("UnknownTokenAuthenticatorUsedInTokenProcessing", new object[] { tokenAuthenticator })));
}
supportingTokenTracker.RecordToken(token);
base.SecurityTokenAuthorizationPoliciesMapping.Add(token, onlys);
}
}
if (token == null)
{
throw System.ServiceModel.DiagnosticUtility.ExceptionUtility.ThrowHelperError(new MessageSecurityException(System.ServiceModel.SR.GetString("UnableToResolveKeyInfoForVerifyingSignature", new object[] { keyIdentifier, resolver })));
}
return token;
}
public virtual IIdentity ResolveIdentity(SecurityKeyIdentifier keyIdentifier)
{
RsaKeyIdentifierClause clause;
if (keyIdentifier == null)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("keyIdentifier");
}
if (keyIdentifier.TryFind<RsaKeyIdentifierClause>(out clause))
{
return System.IdentityModel.SecurityUtils.CreateIdentity(clause.Rsa.ToXmlString(false), base.GetType().Name);
}
return null;
}
protected override bool TryResolveTokenCore(SecurityKeyIdentifier keyIdentifier, out SecurityToken token)
{
SecurityContextKeyIdentifierClause sctSkiClause;
if (keyIdentifier.TryFind<SecurityContextKeyIdentifierClause>(out sctSkiClause))
{
return TryResolveToken(sctSkiClause, out token);
}
else
{
token = null;
return false;
}
}
internal static SecurityToken ResolveSecurityToken(SecurityKeyIdentifier ski, SecurityTokenResolver tokenResolver)
{
SecurityToken token = null;
if (tokenResolver != null)
{
tokenResolver.TryResolveToken(ski, out token);
}
if (token == null)
{
// Check if this is a RSA key.
RsaKeyIdentifierClause rsaClause;
if (ski.TryFind<RsaKeyIdentifierClause>(out rsaClause))
token = new RsaSecurityToken(rsaClause.Rsa);
}
if (token == null)
{
// Check if this is a X509RawDataKeyIdentifier Clause.
X509RawDataKeyIdentifierClause rawDataKeyIdentifierClause;
if (ski.TryFind<X509RawDataKeyIdentifierClause>(out rawDataKeyIdentifierClause))
token = new X509SecurityToken(new X509Certificate2(rawDataKeyIdentifierClause.GetX509RawData()));
}
return token;
}
internal static SecurityToken ResolveSecurityToken(SecurityKeyIdentifier ski, SecurityTokenResolver tokenResolver)
{
SecurityToken token = null;
RsaKeyIdentifierClause clause;
X509RawDataKeyIdentifierClause clause2;
if (tokenResolver != null)
{
tokenResolver.TryResolveToken(ski, out token);
}
if ((token == null) && ski.TryFind<RsaKeyIdentifierClause>(out clause))
{
token = new RsaSecurityToken(clause.Rsa);
}
if ((token == null) && ski.TryFind<X509RawDataKeyIdentifierClause>(out clause2))
{
token = new X509SecurityToken(new X509Certificate2(clause2.GetX509RawData()));
}
return token;
}
/// <summary>
/// Configure ACS endpoint address in Web.config.
/// </summary>
public static void Intialize()
{
// Compute federation metadata address based on web config's
// <system.identityModel.services>\<federationConfiguration>\<wsFederation issuer=""> attribute value
var settings = DependencyResolver.Current.GetService <IPortalFrontendSettings>();
string acsNamespace = settings.AcsNamespace;
// Setup correct issuer name
// Compute federation metadata address based on web config's
// <system.identityModel.services>\<federationConfiguration>\<wsFederation issuer=""> attribute value
string stsMetadataAddress = string.Format(WsFederationMetadata, acsNamespace);
// Update the web config with latest local STS federation meta data each
// time when instance of the application is created
try
{
using (XmlReader metadataReader = XmlReader.Create(stsMetadataAddress))
{
// Creates the xml reader pointing to the updated web.config contents
// Don't validate the cert signing the federation metadata
var serializer = new MetadataSerializer
{
CertificateValidationMode = X509CertificateValidationMode.None,
};
var metadata = (EntityDescriptor)serializer.ReadMetadata(metadataReader);
// Select security token descriptors
SecurityTokenServiceDescriptor descriptor = metadata.RoleDescriptors.OfType <SecurityTokenServiceDescriptor>().FirstOrDefault();
if (descriptor != null)
{
var issuerNameRegistry = new ConfigurationBasedIssuerNameRegistry();
// Try to find and add certificates for trusted issuers
foreach (KeyDescriptor keyDescriptor in descriptor.Keys)
{
if (keyDescriptor.KeyInfo != null && (keyDescriptor.Use == KeyType.Signing || keyDescriptor.Use == KeyType.Unspecified))
{
SecurityKeyIdentifier keyInfo = keyDescriptor.KeyInfo;
X509RawDataKeyIdentifierClause clause;
keyInfo.TryFind(out clause);
if (clause != null)
{
var x509Certificate2 = new X509Certificate2(clause.GetX509RawData());
if (x509Certificate2.Thumbprint != null)
{
issuerNameRegistry.AddTrustedIssuer(x509Certificate2.Thumbprint, x509Certificate2.SubjectName.Name);
}
}
}
}
// Set retrieved issuers
FederatedAuthentication.FederationConfiguration.IdentityConfiguration.IssuerNameRegistry = issuerNameRegistry;
}
metadataReader.Dispose();
}
}
catch (Exception e)
{
Trace.TraceError("Error occured when update web config with latest local STS federation meta data. {0}", e);
return;
}
// Add audience URIs
string portalUri = settings.PortalUri;
// Front-end
var uriBuilder = new UriBuilder(portalUri);
FederatedAuthentication.FederationConfiguration.IdentityConfiguration.AudienceRestriction.AllowedAudienceUris.Add(uriBuilder.Uri);
// Extension
uriBuilder.Path = "/extension/login";
FederatedAuthentication.FederationConfiguration.IdentityConfiguration.AudienceRestriction.AllowedAudienceUris.Add(uriBuilder.Uri);
// Update WS-Federation configuration
FederatedAuthentication.WSFederationAuthenticationModule.Issuer = string.Format(WsFederationIssuer, acsNamespace);
FederatedAuthentication.WSFederationAuthenticationModule.Realm = portalUri;
}
protected override bool TryResolveTokenCore(SecurityKeyIdentifier keyIdentifier, out SecurityToken token)
{
SecurityContextKeyIdentifierClause clause;
if (keyIdentifier.TryFind<SecurityContextKeyIdentifierClause>(out clause))
{
return base.TryResolveToken(clause, out token);
}
token = null;
return false;
}
