/// <summary> /// Returns the collection of certificates that the STS uses to sign tokens. /// </summary> /// <returns>The collection of certificates.</returns> private IEnumerable <X509Certificate2> ReadStsSigningCertificates(SecurityTokenServiceDescriptor stsDescriptor) { List <X509Certificate2> stsCertificates = new List <X509Certificate2>(); if (stsDescriptor != null && stsDescriptor.Keys != null) { Collection <KeyDescriptor> keyDescriptors = (Collection <KeyDescriptor>)stsDescriptor.Keys; if (keyDescriptors != null && keyDescriptors.Count > 0) { foreach (KeyDescriptor keyDescriptor in keyDescriptors) { if (keyDescriptor.KeyInfo != null && (keyDescriptor.Use == KeyType.Signing || keyDescriptor.Use == KeyType.Unspecified)) { SecurityKeyIdentifier kid = keyDescriptor.KeyInfo; X509RawDataKeyIdentifierClause clause = null; kid.TryFind <X509RawDataKeyIdentifierClause>(out clause); if (clause != null) { X509Certificate2 certificate = new X509Certificate2(clause.GetX509RawData()); stsCertificates.Add(certificate); } } } } } return(stsCertificates); }
public virtual ClaimSet ResolveClaimSet(SecurityKeyIdentifier keyIdentifier) { RsaKeyIdentifierClause clause; EncryptedKeyIdentifierClause clause2; if (keyIdentifier == null) { throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("keyIdentifier"); } if (keyIdentifier.TryFind<RsaKeyIdentifierClause>(out clause)) { return new DefaultClaimSet(new Claim[] { new Claim(ClaimTypes.Rsa, clause.Rsa, Rights.PossessProperty) }); } if (keyIdentifier.TryFind<EncryptedKeyIdentifierClause>(out clause2)) { return new DefaultClaimSet(new Claim[] { Claim.CreateHashClaim(clause2.GetBuffer()) }); } return null; }
public virtual ClaimSet ResolveClaimSet(SecurityKeyIdentifier keyIdentifier) { RsaKeyIdentifierClause clause; EncryptedKeyIdentifierClause clause2; if (keyIdentifier == null) { throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("keyIdentifier"); } if (keyIdentifier.TryFind <RsaKeyIdentifierClause>(out clause)) { return(new DefaultClaimSet(new Claim[] { new Claim(ClaimTypes.Rsa, clause.Rsa, Rights.PossessProperty) })); } if (keyIdentifier.TryFind <EncryptedKeyIdentifierClause>(out clause2)) { return(new DefaultClaimSet(new Claim[] { Claim.CreateHashClaim(clause2.GetBuffer()) })); } return(null); }
protected override bool TryResolveTokenCore(SecurityKeyIdentifier keyIdentifier, out SecurityToken token) { SecurityContextKeyIdentifierClause clause; if (keyIdentifier.TryFind <SecurityContextKeyIdentifierClause>(out clause)) { return(base.TryResolveToken(clause, out token)); } token = null; return(false); }
public virtual IIdentity ResolveIdentity(SecurityKeyIdentifier keyIdentifier) { RsaKeyIdentifierClause clause; if (keyIdentifier == null) { throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("keyIdentifier"); } if (keyIdentifier.TryFind <RsaKeyIdentifierClause>(out clause)) { return(System.IdentityModel.SecurityUtils.CreateIdentity(clause.Rsa.ToXmlString(false), base.GetType().Name)); } return(null); }
protected override bool TryResolveTokenCore(SecurityKeyIdentifier keyIdentifier, out SecurityToken token) { SecurityContextKeyIdentifierClause sctSkiClause; if (keyIdentifier.TryFind <SecurityContextKeyIdentifierClause>(out sctSkiClause)) { return(TryResolveTokenCore(sctSkiClause, out token)); } else { token = null; return(false); } }
SecurityToken ResolveSignatureToken(SecurityKeyIdentifier keyIdentifier, SecurityTokenResolver resolver, bool isPrimarySignature) { SecurityToken token = null; TryResolveKeyIdentifier(keyIdentifier, resolver, true, out token); if (token == null && !isPrimarySignature) { // check if there is a rsa key token authenticator if (keyIdentifier.Count == 1) { RsaKeyIdentifierClause rsaClause; if (keyIdentifier.TryFind <RsaKeyIdentifierClause>(out rsaClause)) { RsaSecurityTokenAuthenticator rsaAuthenticator = FindAllowedAuthenticator <RsaSecurityTokenAuthenticator>(false); if (rsaAuthenticator != null) { token = new RsaSecurityToken(rsaClause.Rsa); ReadOnlyCollection <IAuthorizationPolicy> authorizationPolicies = rsaAuthenticator.ValidateToken(token); SupportingTokenAuthenticatorSpecification spec; TokenTracker rsaTracker = GetSupportingTokenTracker(rsaAuthenticator, out spec); if (rsaTracker == null) { throw DiagnosticUtility.ExceptionUtility.ThrowHelperWarning(new MessageSecurityException(SR.Format(SR.UnknownTokenAuthenticatorUsedInTokenProcessing, rsaAuthenticator))); } rsaTracker.RecordToken(token); SecurityTokenAuthorizationPoliciesMapping.Add(token, authorizationPolicies); } } } } if (token == null) { throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new MessageSecurityException( SR.Format(SR.UnableToResolveKeyInfoForVerifyingSignature, keyIdentifier, resolver))); } return(token); }
public virtual IIdentity ResolveIdentity(SecurityKeyIdentifier keyIdentifier) { if (keyIdentifier == null) throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("keyIdentifier"); RsaKeyIdentifierClause rsaKeyIdentifierClause; if (keyIdentifier.TryFind<RsaKeyIdentifierClause>(out rsaKeyIdentifierClause)) { return SecurityUtils.CreateIdentity(rsaKeyIdentifierClause.Rsa.ToXmlString(false), this.GetType().Name); } return null; }
public virtual ClaimSet ResolveClaimSet(SecurityKeyIdentifier keyIdentifier) { if (keyIdentifier == null) throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("keyIdentifier"); RsaKeyIdentifierClause rsaKeyIdentifierClause; EncryptedKeyIdentifierClause encryptedKeyIdentifierClause; if (keyIdentifier.TryFind<RsaKeyIdentifierClause>(out rsaKeyIdentifierClause)) { return new DefaultClaimSet(new Claim(ClaimTypes.Rsa, rsaKeyIdentifierClause.Rsa, Rights.PossessProperty)); } else if (keyIdentifier.TryFind<EncryptedKeyIdentifierClause>(out encryptedKeyIdentifierClause)) { return new DefaultClaimSet(Claim.CreateHashClaim(encryptedKeyIdentifierClause.GetBuffer())); } return null; }
private SecurityToken ResolveSignatureToken(SecurityKeyIdentifier keyIdentifier, SecurityTokenResolver resolver, bool isPrimarySignature) { SecurityToken token; RsaKeyIdentifierClause clause; TryResolveKeyIdentifier(keyIdentifier, resolver, true, out token); if (((token == null) && !isPrimarySignature) && ((keyIdentifier.Count == 1) && keyIdentifier.TryFind <RsaKeyIdentifierClause>(out clause))) { RsaSecurityTokenAuthenticator tokenAuthenticator = base.FindAllowedAuthenticator <RsaSecurityTokenAuthenticator>(false); if (tokenAuthenticator != null) { SupportingTokenAuthenticatorSpecification specification; token = new RsaSecurityToken(clause.Rsa); ReadOnlyCollection <IAuthorizationPolicy> onlys = tokenAuthenticator.ValidateToken(token); TokenTracker supportingTokenTracker = base.GetSupportingTokenTracker(tokenAuthenticator, out specification); if (supportingTokenTracker == null) { throw System.ServiceModel.DiagnosticUtility.ExceptionUtility.ThrowHelperWarning(new MessageSecurityException(System.ServiceModel.SR.GetString("UnknownTokenAuthenticatorUsedInTokenProcessing", new object[] { tokenAuthenticator }))); } supportingTokenTracker.RecordToken(token); base.SecurityTokenAuthorizationPoliciesMapping.Add(token, onlys); } } if (token == null) { throw System.ServiceModel.DiagnosticUtility.ExceptionUtility.ThrowHelperError(new MessageSecurityException(System.ServiceModel.SR.GetString("UnableToResolveKeyInfoForVerifyingSignature", new object[] { keyIdentifier, resolver }))); } return(token); }
SecurityToken ResolveSignatureToken(SecurityKeyIdentifier keyIdentifier, SecurityTokenResolver resolver, bool isPrimarySignature) { SecurityToken token; TryResolveKeyIdentifier(keyIdentifier, resolver, true, out token); if (token == null && !isPrimarySignature) { // check if there is a rsa key token authenticator if (keyIdentifier.Count == 1) { RsaKeyIdentifierClause rsaClause; if (keyIdentifier.TryFind<RsaKeyIdentifierClause>(out rsaClause)) { RsaSecurityTokenAuthenticator rsaAuthenticator = FindAllowedAuthenticator<RsaSecurityTokenAuthenticator>(false); if (rsaAuthenticator != null) { token = new RsaSecurityToken(rsaClause.Rsa); ReadOnlyCollection<IAuthorizationPolicy> authorizationPolicies = rsaAuthenticator.ValidateToken(token); SupportingTokenAuthenticatorSpecification spec; TokenTracker rsaTracker = GetSupportingTokenTracker(rsaAuthenticator, out spec); if (rsaTracker == null) { throw DiagnosticUtility.ExceptionUtility.ThrowHelperWarning(new MessageSecurityException(SR.GetString(SR.UnknownTokenAuthenticatorUsedInTokenProcessing, rsaAuthenticator))); } rsaTracker.RecordToken(token); SecurityTokenAuthorizationPoliciesMapping.Add(token, authorizationPolicies); } } } } if (token == null) { throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new MessageSecurityException( SR.GetString(SR.UnableToResolveKeyInfoForVerifyingSignature, keyIdentifier, resolver))); } return token; }
private SecurityToken ResolveSignatureToken(SecurityKeyIdentifier keyIdentifier, SecurityTokenResolver resolver, bool isPrimarySignature) { SecurityToken token; RsaKeyIdentifierClause clause; TryResolveKeyIdentifier(keyIdentifier, resolver, true, out token); if (((token == null) && !isPrimarySignature) && ((keyIdentifier.Count == 1) && keyIdentifier.TryFind<RsaKeyIdentifierClause>(out clause))) { RsaSecurityTokenAuthenticator tokenAuthenticator = base.FindAllowedAuthenticator<RsaSecurityTokenAuthenticator>(false); if (tokenAuthenticator != null) { SupportingTokenAuthenticatorSpecification specification; token = new RsaSecurityToken(clause.Rsa); ReadOnlyCollection<IAuthorizationPolicy> onlys = tokenAuthenticator.ValidateToken(token); TokenTracker supportingTokenTracker = base.GetSupportingTokenTracker(tokenAuthenticator, out specification); if (supportingTokenTracker == null) { throw System.ServiceModel.DiagnosticUtility.ExceptionUtility.ThrowHelperWarning(new MessageSecurityException(System.ServiceModel.SR.GetString("UnknownTokenAuthenticatorUsedInTokenProcessing", new object[] { tokenAuthenticator }))); } supportingTokenTracker.RecordToken(token); base.SecurityTokenAuthorizationPoliciesMapping.Add(token, onlys); } } if (token == null) { throw System.ServiceModel.DiagnosticUtility.ExceptionUtility.ThrowHelperError(new MessageSecurityException(System.ServiceModel.SR.GetString("UnableToResolveKeyInfoForVerifyingSignature", new object[] { keyIdentifier, resolver }))); } return token; }
public virtual IIdentity ResolveIdentity(SecurityKeyIdentifier keyIdentifier) { RsaKeyIdentifierClause clause; if (keyIdentifier == null) { throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("keyIdentifier"); } if (keyIdentifier.TryFind<RsaKeyIdentifierClause>(out clause)) { return System.IdentityModel.SecurityUtils.CreateIdentity(clause.Rsa.ToXmlString(false), base.GetType().Name); } return null; }
protected override bool TryResolveTokenCore(SecurityKeyIdentifier keyIdentifier, out SecurityToken token) { SecurityContextKeyIdentifierClause sctSkiClause; if (keyIdentifier.TryFind<SecurityContextKeyIdentifierClause>(out sctSkiClause)) { return TryResolveToken(sctSkiClause, out token); } else { token = null; return false; } }
internal static SecurityToken ResolveSecurityToken(SecurityKeyIdentifier ski, SecurityTokenResolver tokenResolver) { SecurityToken token = null; if (tokenResolver != null) { tokenResolver.TryResolveToken(ski, out token); } if (token == null) { // Check if this is a RSA key. RsaKeyIdentifierClause rsaClause; if (ski.TryFind<RsaKeyIdentifierClause>(out rsaClause)) token = new RsaSecurityToken(rsaClause.Rsa); } if (token == null) { // Check if this is a X509RawDataKeyIdentifier Clause. X509RawDataKeyIdentifierClause rawDataKeyIdentifierClause; if (ski.TryFind<X509RawDataKeyIdentifierClause>(out rawDataKeyIdentifierClause)) token = new X509SecurityToken(new X509Certificate2(rawDataKeyIdentifierClause.GetX509RawData())); } return token; }
internal static SecurityToken ResolveSecurityToken(SecurityKeyIdentifier ski, SecurityTokenResolver tokenResolver) { SecurityToken token = null; RsaKeyIdentifierClause clause; X509RawDataKeyIdentifierClause clause2; if (tokenResolver != null) { tokenResolver.TryResolveToken(ski, out token); } if ((token == null) && ski.TryFind<RsaKeyIdentifierClause>(out clause)) { token = new RsaSecurityToken(clause.Rsa); } if ((token == null) && ski.TryFind<X509RawDataKeyIdentifierClause>(out clause2)) { token = new X509SecurityToken(new X509Certificate2(clause2.GetX509RawData())); } return token; }
/// <summary> /// Configure ACS endpoint address in Web.config. /// </summary> public static void Intialize() { // Compute federation metadata address based on web config's // <system.identityModel.services>\<federationConfiguration>\<wsFederation issuer=""> attribute value var settings = DependencyResolver.Current.GetService <IPortalFrontendSettings>(); string acsNamespace = settings.AcsNamespace; // Setup correct issuer name // Compute federation metadata address based on web config's // <system.identityModel.services>\<federationConfiguration>\<wsFederation issuer=""> attribute value string stsMetadataAddress = string.Format(WsFederationMetadata, acsNamespace); // Update the web config with latest local STS federation meta data each // time when instance of the application is created try { using (XmlReader metadataReader = XmlReader.Create(stsMetadataAddress)) { // Creates the xml reader pointing to the updated web.config contents // Don't validate the cert signing the federation metadata var serializer = new MetadataSerializer { CertificateValidationMode = X509CertificateValidationMode.None, }; var metadata = (EntityDescriptor)serializer.ReadMetadata(metadataReader); // Select security token descriptors SecurityTokenServiceDescriptor descriptor = metadata.RoleDescriptors.OfType <SecurityTokenServiceDescriptor>().FirstOrDefault(); if (descriptor != null) { var issuerNameRegistry = new ConfigurationBasedIssuerNameRegistry(); // Try to find and add certificates for trusted issuers foreach (KeyDescriptor keyDescriptor in descriptor.Keys) { if (keyDescriptor.KeyInfo != null && (keyDescriptor.Use == KeyType.Signing || keyDescriptor.Use == KeyType.Unspecified)) { SecurityKeyIdentifier keyInfo = keyDescriptor.KeyInfo; X509RawDataKeyIdentifierClause clause; keyInfo.TryFind(out clause); if (clause != null) { var x509Certificate2 = new X509Certificate2(clause.GetX509RawData()); if (x509Certificate2.Thumbprint != null) { issuerNameRegistry.AddTrustedIssuer(x509Certificate2.Thumbprint, x509Certificate2.SubjectName.Name); } } } } // Set retrieved issuers FederatedAuthentication.FederationConfiguration.IdentityConfiguration.IssuerNameRegistry = issuerNameRegistry; } metadataReader.Dispose(); } } catch (Exception e) { Trace.TraceError("Error occured when update web config with latest local STS federation meta data. {0}", e); return; } // Add audience URIs string portalUri = settings.PortalUri; // Front-end var uriBuilder = new UriBuilder(portalUri); FederatedAuthentication.FederationConfiguration.IdentityConfiguration.AudienceRestriction.AllowedAudienceUris.Add(uriBuilder.Uri); // Extension uriBuilder.Path = "/extension/login"; FederatedAuthentication.FederationConfiguration.IdentityConfiguration.AudienceRestriction.AllowedAudienceUris.Add(uriBuilder.Uri); // Update WS-Federation configuration FederatedAuthentication.WSFederationAuthenticationModule.Issuer = string.Format(WsFederationIssuer, acsNamespace); FederatedAuthentication.WSFederationAuthenticationModule.Realm = portalUri; }
protected override bool TryResolveTokenCore(SecurityKeyIdentifier keyIdentifier, out SecurityToken token) { SecurityContextKeyIdentifierClause clause; if (keyIdentifier.TryFind<SecurityContextKeyIdentifierClause>(out clause)) { return base.TryResolveToken(clause, out token); } token = null; return false; }