public async Task<SignInValidationResult> ValidateAsync(SignInRequestMessage message, ClaimsPrincipal subject)
{
var result = new SignInValidationResult();
// todo: wfresh handling?
if (!subject.Identity.IsAuthenticated)
{
return new SignInValidationResult
{
IsSignInRequired = true,
};
};
var rp = await _relyingParties.GetByRealmAsync(message.Realm);
if (rp == null || rp.Enabled == false)
{
return new SignInValidationResult
{
IsError = true,
Error = "invalid_relying_party"
};
}
// todo: check wreply against list of allowed reply URLs
result.ReplyUrl = rp.ReplyUrl;
result.RelyingParty = rp;
result.SignInRequestMessage = message;
result.Subject = subject;
return result;
}
public string GetResponseHtml(IDictionary<string, string> parameters, Uri signinUri)
{
var requestToken = new OAuthRequestToken {Token = parameters["oauth_token"]};
// Exchange the Request Token for an Access Token
var service = new TwitterService(Settings.TwitterConsumerKey, Settings.TwitterConsumerSecret);
OAuthAccessToken accessToken = service.GetAccessToken(requestToken, parameters["oauth_verifier"]);
// Claim values
string name = accessToken.ScreenName;
string nameIdentifier = string.Format("https://twitter.com/account/redirect_by_id?id={0}", accessToken.UserId);
string token = accessToken.Token;
string tokenSecret = accessToken.TokenSecret;
string wtRealm = _configurationProvider.Get(Settings.TwitterWtRealm);
string wReply = _configurationProvider.Get(Settings.TwitterWReply);
var requestMessage = new SignInRequestMessage(signinUri, wtRealm, wReply);
// Add claims
var identity = new ClaimsIdentity(AuthenticationTypes.Federation);
identity.AddClaim(new Claim(ClaimTypes.Name, name));
identity.AddClaim(new Claim(ClaimTypes.NameIdentifier, nameIdentifier));
identity.AddClaim(new Claim(TwitterClaims.TwitterToken, token));
identity.AddClaim(new Claim(TwitterClaims.TwitterTokenSecret, tokenSecret));
var principal = new ClaimsPrincipal(identity);
// Serialize response message
SignInResponseMessage responseMessage = FederatedPassiveSecurityTokenServiceOperations.ProcessSignInRequest(requestMessage, principal, this);
responseMessage.Context = parameters["context"];
return responseMessage.WriteFormPost();
}
private static void ValidateRequestIsSsl(bool requireSsl, SignInRequestMessage signInRequestMessage)
{
if (requireSsl && (signInRequestMessage.BaseUri.Scheme != Uri.UriSchemeHttps))
{
throw new InvalidRequestException("requests needs to be ssl");
}
}
// HACK: metodo/action fica comentado, para esconder a sua existencia de acesso directo externo
//public ActionResult LogOnFederated()
//{
// //throw new NotImplementedException();
// return View();
//}
//
// GET: /Account/LogOn
public ActionResult LogOn()
{
// HACK: constante para seleccao do home realm na aplicacao web e nao no ACS
// da' erro/nao servem de nada, pois e' necessario .cshtml ou .aspx a servir de intermediario
//const string localLoginPageUrl = "~/Account/applocal2LoginPageCode.html";
//const string localLoginPageUrl = "applocal2LoginPageCode.html";
// view em .aspx a servir de intermediario para applocal2LoginPageCode.html
//const string localLoginPageUrl = "~/Account/LogOnFederated";
const string localLoginPageIntermediateViewName = "LogOnFederated";
// HACK: em principio, sempre verdadeiro neste metodo (ou com !User.Identity.IsAuthenticated)
//if (!Request.IsAuthenticated)
//{
//}
// HACK: utilizar FederatedAuthentication, como alternativa ao pre-definido return View();
// HACK: try..catch realizado,para caso do web.config ser alterado para nao ter WS-Federation
try
{
/* 1 - tentar utilizar federacao:
* se conseguir (wsfam nao e' null, e nao ocorrem erros), faz redirect... */
var wsfam = FederatedAuthentication.WSFederationAuthenticationModule;
if (wsfam != null)
{
var signInRequest = new SignInRequestMessage(new Uri(wsfam.Issuer), wsfam.Realm,
wsfam.Reply)
{
AuthenticationType = wsfam.AuthenticationType,
Context = wsfam.Realm,
Freshness = wsfam.Freshness,
HomeRealm = wsfam.HomeRealm
};
// 1.1 - seleccao do home realm no ACS
//return Redirect(signInRequest.WriteQueryString());
// 1.2 - seleccao do home realm na aplicacao web
//return View("applocal2LoginPageCode"); // da' erro
// HACK: action fica comentada, para esconder existencia de acesso directo externo,
// logo, redirect's tambem ficam comentados, para nao haver action com acesso externo
//return Redirect(localLoginPageUrl); // nao da' erro, se for a action LogOnFederated
//return RedirectToAction(localLoginPageIntermediateViewName, "Account");
/* retorna-se a View, e assim, nao ha' acesso externo directo/explicto
* a esta view, pois nao existe action que corresponda apenas a esta view */
return View(localLoginPageIntermediateViewName);
}
}
catch (Exception)
{
// 2 - ...em caso de erro, nao faz nada, pois...
//throw;
}
// 3 - ...caso wsfam seja igual a null, ou em caso de erro, processa normalmente o LogOn
return View();
}
public SignInResponseMessage Generate(SignInRequestMessage request, WindowsPrincipal windowsPrincipal)
{
Logger.Info("Creating WS-Federation signin response");
// create subject
var outgoingSubject = SubjectGenerator.Create(windowsPrincipal, _options);
// create token for user
var token = CreateSecurityToken(outgoingSubject);
// return response
var rstr = new RequestSecurityTokenResponse
{
AppliesTo = new EndpointReference(_options.IdpRealm),
Context = request.Context,
ReplyTo = _options.IdpReplyUrl,
RequestedSecurityToken = new RequestedSecurityToken(token)
};
var serializer = new WSFederationSerializer(
new WSTrust13RequestSerializer(),
new WSTrust13ResponseSerializer());
var mgr = SecurityTokenHandlerCollectionManager.CreateEmptySecurityTokenHandlerCollectionManager();
mgr[SecurityTokenHandlerCollectionManager.Usage.Default] = CreateSupportedSecurityTokenHandler();
var responseMessage = new SignInResponseMessage(
new Uri(_options.IdpReplyUrl),
rstr,
serializer,
new WSTrustSerializationContext(mgr));
return responseMessage;
}
public ActionResult SignIn(SignInRequestMessage message)
{
var response = FederatedPassiveSecurityTokenServiceOperations.ProcessSignInRequest(
message,
HttpContext.User,
new CustomSecurityTokenService(new CustomSecurityTokenServiceConfiguration()));
return new WSFederationResult(response);
}
public ActionResult SignIn(string returnUrl)
{
var fam = FederatedAuthentication.WSFederationAuthenticationModule;
fam.SignIn(Guid.NewGuid().ToString());
var signInRequestMessage = new SignInRequestMessage(new Uri(fam.Issuer), fam.Realm, returnUrl);
var parameters = HmacHelper.CreateHmacRequestParametersFromConfig(Consts.PermissionHmacSettingsPrefix);
parameters.ForEach(signInRequestMessage.Parameters.Add);
return new RedirectResult(signInRequestMessage.WriteQueryString());
}
public ActionResult Index()
{
ViewBag.Message = "Modify this template to jump-start your ASP.NET MVC application.";
SignInRequestMessage signInRequestMessage = new SignInRequestMessage(new Uri("https://andras1/idsrv/issue/wsfed"), "http://localhost:2533/");
ViewBag.StsSignInUrl = signInRequestMessage.WriteQueryString();
return View();
}
public async Task<SignInValidationResult> ValidateAsync(SignInRequestMessage message, ClaimsPrincipal subject)
{
Logger.Info("Start WS-Federation signin request validation");
var result = new SignInValidationResult();
// parse whr
if (!String.IsNullOrWhiteSpace(message.HomeRealm))
{
result.HomeRealm = message.HomeRealm;
}
// parse wfed
if (!String.IsNullOrWhiteSpace(message.Federation))
{
result.Federation = message.Federation;
}
if (!subject.Identity.IsAuthenticated)
{
result.IsSignInRequired = true;
return result;
}
// check realm
var rp = await _relyingParties.GetByRealmAsync(message.Realm);
if (rp == null || rp.Enabled == false)
{
LogError("Relying party not found: " + message.Realm, result);
return new SignInValidationResult
{
IsError = true,
Error = "invalid_relying_party"
};
}
result.ReplyUrl = rp.ReplyUrl;
result.RelyingParty = rp;
result.SignInRequestMessage = message;
result.Subject = subject;
var customResult = await _customValidator.ValidateSignInRequestAsync(result);
if (customResult.IsError)
{
LogError("Error in custom validation: " + customResult.Error, result);
return new SignInValidationResult
{
IsError = true,
Error = customResult.Error,
ErrorMessage = customResult.ErrorMessage,
};
}
LogSuccess(result);
return result;
}
private static void AuthenticateUser(AuthorizationContext context, string realm)
{
// user is not authenticated and it's entering for the first time
var fam = FederatedAuthentication.WSFederationAuthenticationModule;
var signIn = new SignInRequestMessage(new Uri(fam.Issuer), realm ?? fam.Realm)
{
Context = "ru=" + context.HttpContext.Request.Path
};
context.Result = new RedirectResult(signIn.WriteQueryString());
}
protected override WSFederationMessage BuildSignInMessage(AuthorizationContext context, Uri replyUrl)
{
var fam = FederatedAuthentication.WSFederationAuthenticationModule;
var signIn = new SignInRequestMessage(new Uri(fam.Issuer), fam.Realm)
{
Context = AuthenticateAndAuthorizeRoleAttribute.GetReturnUrl(context.RequestContext, RequestAppendAttribute.RawUrl, null).ToString(),
HomeRealm = Tailspin.Federation.HomeRealm,
Reply = replyUrl.ToString()
};
return signIn;
}
private void RequestAuthentication(HttpContextBase httpContext, string identityProviderUrl, string realm, string replyUrl)
{
var signIn = new SignInRequestMessage(new Uri(identityProviderUrl), realm)
{
Context = replyUrl,
Reply = replyUrl
};
var redirectUrl = signIn.WriteQueryString();
httpContext.Response.Redirect(redirectUrl, false);
httpContext.ApplicationInstance.CompleteRequest();
}
private static void AuthenticateUser(AuthorizationContext filterContext)
{
var organization = filterContext.RouteData.Values["organization"] as String ?? "mock.issuer.1";
var returnUrl = GetReturnUrl(filterContext.RequestContext);
var fam = FederatedAuthentication.WSFederationAuthenticationModule;
var signIn = new SignInRequestMessage(new Uri(fam.Issuer), fam.Realm)
{
Context = returnUrl.ToString(),
HomeRealm = GetHomeRealm(organization)
};
filterContext.Result = new RedirectResult(signIn.WriteQueryString());
}
private ActionResult ProcessSignIn(SignInRequestMessage signInMsg, ClaimsPrincipal user)
{
var config = new EmbeddedTokenServiceConfiguration();
var sts = config.CreateSecurityTokenService();
var appPath = Request.ApplicationPath;
if (!appPath.EndsWith("/")) appPath += "/";
signInMsg.Reply = new Uri(Request.Url, appPath).AbsoluteUri;
var response = FederatedPassiveSecurityTokenServiceOperations.ProcessSignInRequest(signInMsg, user, sts);
var body = response.WriteFormPost();
return Html(body);
}
private ActionResult ProcessWSFederationSignIn(SignInRequestMessage message, IPrincipal principal)
{
// issue token and create ws-fed response
var response = FederatedPassiveSecurityTokenServiceOperations.ProcessSignInRequest(
message,
principal,
TokenServiceConfiguration.Current.CreateSecurityTokenService());
// set cookie for single-sign-out
new SignInSessionsManager(HttpContext, ConfigurationRepository.Configuration.MaximumTokenLifetime)
.AddRealm(response.BaseUri.AbsoluteUri);
return new WSFederationResult(response);
}
private ActionResult ProcessWSFederationSignIn(SignInRequestMessage message, ClaimsPrincipal principal)
{
// issue token and create ws-fed response
var response = FederatedPassiveSecurityTokenServiceOperations.ProcessSignInRequest(
message,
principal as ClaimsPrincipal,
TokenServiceConfiguration.Current.CreateSecurityTokenService());
// set cookie for single-sign-out
new SignInSessionsManager(HttpContext, _cookieName, ConfigurationRepository.Global.MaximumTokenLifetime)
.AddEndpoint(response.BaseUri.AbsoluteUri);
return new WSFederationResult(response, requireSsl: ConfigurationRepository.WSFederation.RequireSslForReplyTo);
}
private static void AuthenticateUser(AuthorizationContext context)
{
var returnUrl = GetReturnUrl(context.RequestContext);
// user is not authenticated and it's entering for the first time
var fam = FederatedAuthentication.WSFederationAuthenticationModule;
var signIn = new SignInRequestMessage(new Uri(fam.Issuer), fam.Realm)
{
Context = returnUrl.ToString(),
Reply = returnUrl.ToString()
};
context.Result = new RedirectResult(signIn.WriteQueryString());
}
public string GetResponseHtml(IDictionary<string, string> parameters, Uri signinUri)
{
string code = parameters["code"];
// Exchange the Request Token for an Access Token
string appId = _settings.VkApplicationId;
string appSecret = _settings.VkApplicationSecret;
string scheme = parameters["SERVER_PORT_SECURE"] == "1" ? "https" : "http";
var callbackUri = new UriBuilder(string.Format("{0}://{1}", scheme, parameters["HTTP_HOST"]))
{
Path = parameters["URL"],
Query = string.Format("context={0}", parameters["context"])
};
var service = new VkClient(appId, appSecret);
dynamic accessToken = service.GetAccessToken(code, callbackUri.ToString());
dynamic token = accessToken.access_token;
service.AuthenticateWith(token.ToString());
// Claims
dynamic result = service.Get("users.get", new
{
fields = "screen_name"
});
dynamic user = result.response[0];
string acsNamespace = _settings.AcsNamespace;
string wtRealm = string.Format(WtRealm, acsNamespace);
string wReply = string.Format(WReply, acsNamespace);
var requestMessage = new SignInRequestMessage(signinUri, wtRealm, wReply);
// Add extracted claims
var identity = new ClaimsIdentity(AuthenticationTypes.Federation);
identity.AddClaim(new Claim(ClaimTypes.Name, string.Format("{0} {1}", user.first_name, user.last_name)));
identity.AddClaim(new Claim(ClaimTypes.NameIdentifier, user.uid.ToString()));
identity.AddClaim(new Claim(VkClaims.VkToken, token.ToString()));
var principal = new ClaimsPrincipal(identity);
SignInResponseMessage responseMessage = FederatedPassiveSecurityTokenServiceOperations.ProcessSignInRequest(requestMessage, principal, this);
responseMessage.Context = parameters["context"];
return responseMessage.WriteFormPost();
}
protected override WSFederationMessage BuildSignInMessage(AuthorizationContext context, Uri replyUrl)
{
var tenant = (context.Controller as TenantController).Tenant;
var fam = FederatedAuthentication.WSFederationAuthenticationModule;
var signIn = new SignInRequestMessage(new Uri(fam.Issuer), fam.Realm)
{
Context = AuthenticateAndAuthorizeRoleAttribute.GetReturnUrl(context.RequestContext, RequestAppendAttribute.RawUrl, null).ToString(),
HomeRealm = SubscriptionKind.Premium.Equals(tenant.SubscriptionKind)
? tenant.IssuerIdentifier ?? Tailspin.Federation.HomeRealm + "/" + (context.Controller as TenantController).Tenant.Name
: Tailspin.Federation.HomeRealm + "/" + (context.Controller as TenantController).Tenant.Name,
Reply = replyUrl.ToString()
};
return signIn;
}
private ActionResult ProcessSignIn(SignInRequestMessage signInMsg, ClaimsPrincipal user)
{
var config = new EmbeddedTokenServiceConfiguration();
var sts = config.CreateSecurityTokenService();
var appPath = Request.ApplicationPath;
if (!appPath.EndsWith("/")) appPath += "/";
// when the reply querystringparameter has been specified, don't overrule it.
if(String.IsNullOrEmpty(signInMsg.Reply))
signInMsg.Reply = new Uri(Request.Url, appPath).AbsoluteUri;
var response = FederatedPassiveSecurityTokenServiceOperations.ProcessSignInRequest(signInMsg, user, sts);
var body = response.WriteFormPost();
return Html(body);
}
public static void LogOn(string issuer = null, string realm = null, string homeRealm = null)
{
WSFederationAuthenticationModule fam = FederatedAuthentication.WSFederationAuthenticationModule;
var signInRequest = new SignInRequestMessage(new Uri(issuer ?? fam.Issuer), realm ?? fam.Realm)
{
AuthenticationType = fam.AuthenticationType,
Context = GetReturnUrl(),
Freshness = fam.Freshness,
HomeRealm = homeRealm ?? fam.HomeRealm,
Reply = fam.Reply
};
HttpContext.Current.Response.Redirect(signInRequest.WriteQueryString(), false);
HttpContext.Current.ApplicationInstance.CompleteRequest();
}
private async Task<IHttpActionResult> ProcessSignInAsync(SignInRequestMessage msg)
{
var result = await _validator.ValidateAsync(msg, User as ClaimsPrincipal);
if (result.IsSignInRequired)
{
return RedirectToLogin(_settings);
}
if (result.IsError)
{
return BadRequest(result.Error);
}
var responseMessage = await _signInResponseGenerator.GenerateResponseAsync(result);
await _cookies.AddValueAsync(result.ReplyUrl);
return new SignInResult(responseMessage);
}
public string GetResponseHtml(IDictionary<string, string> parameters, Uri signinUri)
{
var requestToken = new OAuthRequestToken { Token = parameters["oauth_token"] };
// Exchange the Request Token for an Access Token
string consumerKey = _settings.TwitterConsumerKey;
string consumerSecret = _settings.TwitterConsumerSecret;
var service = new TwitterService(consumerKey, consumerSecret);
OAuthAccessToken accessToken = service.GetAccessToken(requestToken, parameters["oauth_verifier"]);
service.AuthenticateWith(accessToken.Token, accessToken.TokenSecret);
TwitterUser user = service.GetUserProfile(new GetUserProfileOptions());
// Claims
string name = user != null ? user.Name : accessToken.ScreenName;
string nameIdentifier = string.Format(TwitterAccountPage, accessToken.UserId);
string token = accessToken.Token;
string tokenSecret = accessToken.TokenSecret;
string acsNamespace = _settings.AcsNamespace;
string wtRealm = string.Format(WtRealm, acsNamespace);
string wReply = string.Format(WReply, acsNamespace);
var requestMessage = new SignInRequestMessage(signinUri, wtRealm, wReply);
// Add extracted claims
var identity = new ClaimsIdentity(AuthenticationTypes.Federation);
identity.AddClaim(new Claim(ClaimTypes.Name, name));
identity.AddClaim(new Claim(ClaimTypes.NameIdentifier, nameIdentifier));
identity.AddClaim(new Claim(TwitterClaims.TwitterToken, token));
identity.AddClaim(new Claim(TwitterClaims.TwitterTokenSecret, tokenSecret));
var principal = new ClaimsPrincipal(identity);
SignInResponseMessage responseMessage = FederatedPassiveSecurityTokenServiceOperations.ProcessSignInRequest(requestMessage, principal, this);
responseMessage.Context = parameters["context"];
return responseMessage.WriteFormPost();
}
public async Task<SignInResponseMessage> GenerateAsync(SignInRequestMessage request, WindowsPrincipal windowsPrincipal)
{
Logger.Info("Creating WS-Federation signin response");
// create subject
var outgoingSubject = SubjectGenerator.Create(windowsPrincipal, _options);
// call custom claims tranformation logic
var context = new CustomClaimsProviderContext
{
WindowsPrincipal = windowsPrincipal,
OutgoingSubject = outgoingSubject
};
await _options.CustomClaimsProvider.TransformAsync(context);
// create token for user
var token = CreateSecurityToken(context.OutgoingSubject);
// return response
var rstr = new RequestSecurityTokenResponse
{
AppliesTo = new EndpointReference(_options.IdpRealm),
Context = request.Context,
ReplyTo = _options.IdpReplyUrl,
RequestedSecurityToken = new RequestedSecurityToken(token)
};
var serializer = new WSFederationSerializer(
new WSTrust13RequestSerializer(),
new WSTrust13ResponseSerializer());
var mgr = SecurityTokenHandlerCollectionManager.CreateEmptySecurityTokenHandlerCollectionManager();
mgr[SecurityTokenHandlerCollectionManager.Usage.Default] = CreateSupportedSecurityTokenHandler();
var responseMessage = new SignInResponseMessage(
new Uri(_options.IdpReplyUrl),
rstr,
serializer,
new WSTrustSerializationContext(mgr));
return responseMessage;
}
public async Task<SignInValidationResult> ValidateAsync(SignInRequestMessage message, ClaimsPrincipal subject)
{
Logger.Info("Validating WS-Federation signin request");
var result = new SignInValidationResult();
if (message.HomeRealm.IsPresent())
{
Logger.Info("Setting home realm to: " + message.HomeRealm);
result.HomeRealm = message.HomeRealm;
}
// todo: wfresh handling?
if (!subject.Identity.IsAuthenticated)
{
result.IsSignInRequired = true;
return result;
};
var rp = await _relyingParties.GetByRealmAsync(message.Realm);
if (rp == null || rp.Enabled == false)
{
Logger.Error("Relying party not found: " + rp.Realm);
return new SignInValidationResult
{
IsError = true,
Error = "invalid_relying_party"
};
}
Logger.InfoFormat("Relying party registration found: {0} / {1}", rp.Realm, rp.Name);
result.ReplyUrl = rp.ReplyUrl;
Logger.InfoFormat("Reply URL set to: " + result.ReplyUrl);
result.RelyingParty = rp;
result.SignInRequestMessage = message;
result.Subject = subject;
return result;
}
private SignInResponseMessage CreateSigninReponseMessage(SignInRequestMessage signInRequestMessage)
{
//get from config...
const string SamlTwoTokenType = "urn:oasis:names:tc:SAML:2.0:assertion";
const bool RequireSsl = false;
var allowedRpAudiences = GetAuthorisedAudiencesWeCanIssueTokensTo();
var samlTokenSigningCertificate = GetSamlTokenSigningCertificate();
var stsConfiguration = configurationFactory.Create(SamlTwoTokenType, InfrastructureConstants.StsTokenProviderUrl, samlTokenSigningCertificate, allowedRpAudiences);
var tokenService = stsConfiguration.CreateSecurityTokenService();
var signInResponseMessage = FederatedPassiveSecurityTokenServiceOperations.ProcessSignInRequest(signInRequestMessage,
ClaimsPrincipal.Current, tokenService);
this.realmTracker.AddNewRealm(signInRequestMessage.Realm);
//sanity check
ValidateRequestIsSsl(RequireSsl, signInRequestMessage);
return signInResponseMessage;
}
/// <summary>
/// Process Saml2 sigin Request
/// </summary>
/// <param name="ip"></param>
/// <param name="request"></param>
/// <returns></returns>
private ActionResult ProcessSaml2SignIn(IdentityProvider ip, SignInRequestMessage request)
{
if (ip.Enabled)
{
var saml2ProtocolSerializer = new Saml2ProtocolSerializer();
var protocolBinding = ProtocolBindings.HttpRedirect;
HttpBindingSerializer httpBindingSerializer = new HttpRedirectBindingSerializer(saml2ProtocolSerializer);
var authenticationRequest = new AuthenticationRequest
{
Issuer = new Microsoft.IdentityModel.Tokens.Saml2.Saml2NameIdentifier(request.Realm.TrimEnd('/'), new Uri(ip.WSFederationEndpoint)),
Destination = new Uri(ip.WSFederationEndpoint)
};
//Provide Service provider default signin home page - hardcoded for testing purpose
var messageContainer = new MessageContainer(authenticationRequest, new ProtocolEndpoint(protocolBinding, new Uri(ip.WSFederationEndpoint + "/signon.ashx")));
var httpMessage = httpBindingSerializer.Serialize(messageContainer);
httpBindingSerializer.WriteHttpMessage(new HttpResponseWrapper(System.Web.HttpContext.Current.Response), httpMessage);
ControllerContext.HttpContext.ApplicationInstance.CompleteRequest();
}
return View("Error");
}
private ActionResult ProcessSignInRequest(SignInRequestMessage message)
{
if (!string.IsNullOrWhiteSpace(message.HomeRealm))
{
return RedirectToIdentityProvider(message);
}
else
{
return ShowHomeRealmSelection();
}
//// issue token and create ws-fed response
//var response = FederatedPassiveSecurityTokenServiceOperations.ProcessSignInRequest(
// message,
// principal as ClaimsPrincipal,
// TokenServiceConfiguration.Current.CreateSecurityTokenService());
//// set cookie for single-sign-out
//new SignInSessionsManager(HttpContext, ConfigurationRepository.Configuration.MaximumTokenLifetime)
// .AddRealm(response.BaseUri.AbsoluteUri);
//return new WSFederationResult(response);
}
public async Task <IHttpActionResult> Login(string relyingPartyName)
{
if (string.IsNullOrWhiteSpace(relyingPartyName))
{
return(BadRequest("No relying party id provided"));
}
string action;
NameValueCollection content = null;
NameValueCollection qs = Request.RequestUri.ParseQueryString();
action = qs.Get(WSFederationConstants.Parameters.Action);
if (string.IsNullOrWhiteSpace(action))
{
content = await Request.Content.ReadAsFormDataAsync();
action = content.Get(WSFederationConstants.Parameters.Action);
}
if (action == WSFederationConstants.Actions.SignIn)
{
IRelyingParty rp = STSConfiguration <RelyingParty> .Current.RelyingParties.FindByName(relyingPartyName);
if (this.User != null && this.User.Identity.IsAuthenticated)
{
if (content == null)
{
content = await Request.Content.ReadAsFormDataAsync();
}
WSFederationMessage responseMessageFromIssuer = WSFederationMessage.CreateFromNameValueCollection(Request.RequestUri, content);
var contextId = responseMessageFromIssuer.Context;
var ctxCookie = System.Web.HttpContext.Current.Request.Cookies[contextId];
if (ctxCookie == null)
{
throw new InvalidOperationException("Context cookie not found");
}
var originalRequestUri = new Uri(ctxCookie.Value);
HttpCookie cookie = DeleteContextCookie(contextId);
System.Web.HttpContext.Current.Response.Cookies.Add(cookie);
var requestMessage = (SignInRequestMessage)WSFederationMessage.CreateFromUri(originalRequestUri);
var sts = new SimpleSts(rp.GetStsConfiguration());
SignInResponseMessage rm = FederatedPassiveSecurityTokenServiceOperations.ProcessSignInRequest(requestMessage, User as ClaimsPrincipal, sts);
//WSTrustSerializationContext context = new WSTrustSerializationContext(FederatedAuthentication.FederationConfiguration.IdentityConfiguration.SecurityTokenHandlerCollectionManager);
//WSFederationSerializer fedSer = new WSFederationSerializer();
//RequestSecurityTokenResponse token = fedSer.CreateResponse(rm, context);
//token.RequestedSecurityToken.SecurityToken.
FederatedPassiveSecurityTokenServiceOperations.ProcessSignInResponse(rm, System.Web.HttpContext.Current.Response);
return(StatusCode(HttpStatusCode.NoContent));
}
else
{
var contextId = Guid.NewGuid().ToString();
HttpCookie cookie = CreateContextCookie(contextId, HttpUtility.UrlDecode(this.Request.RequestUri.AbsoluteUri));
System.Web.HttpContext.Current.Response.Cookies.Add(cookie);
var message = new SignInRequestMessage(new Uri(rp.AuthenticationUrl), FederatedAuthentication.WSFederationAuthenticationModule.Realm)
{
CurrentTime = DateTime.UtcNow.ToString("s", CultureInfo.InvariantCulture) + "Z",
HomeRealm = rp.Realm,
Context = contextId,
Reply = Url.Link("Login", new { relyingPartyName = relyingPartyName })
};
message.Parameters.Add(new KeyValuePair <string, string>("originalRequest", Request.RequestUri.ToString()));
return(Redirect(message.RequestUrl));
}
}
else
{
return(BadRequest(String.Format(
CultureInfo.InvariantCulture,
"The action '{0}' (Request.QueryString['{1}']) is unexpected. Expected actions are: '{2}' or '{3}'.",
String.IsNullOrEmpty(action) ? "<EMPTY>" : action,
WSFederationConstants.Parameters.Action,
WSFederationConstants.Actions.SignIn,
WSFederationConstants.Actions.SignOut)));
}
}
private async Task<IHttpActionResult> ProcessSignInAsync(SignInRequestMessage request, WindowsPrincipal windowsUser)
{
var generator = new SignInResponseGenerator(_options);
var response = await generator.GenerateAsync(request, windowsUser);
return new SignInResult(response);
}
private async Task<IHttpActionResult> ProcessSignInAsync(SignInRequestMessage msg)
{
var result = await _validator.ValidateAsync(msg, User as ClaimsPrincipal);
if (result.IsSignInRequired)
{
Logger.Info("Redirecting to login page");
return RedirectToLogin(result);
}
if (result.IsError)
{
Logger.Error(result.Error);
return BadRequest(result.Error);
}
var responseMessage = await _signInResponseGenerator.GenerateResponseAsync(result);
await _cookies.AddValueAsync(WsFederationPluginOptions.CookieName, result.ReplyUrl);
return new SignInResult(responseMessage);
}
public async Task <SignInValidationResult> ValidateAsync(SignInRequestMessage message, ClaimsPrincipal subject)
{
Logger.Info("Start WS-Federation signin request validation");
var result = new SignInValidationResult();
// parse whr
if (!String.IsNullOrWhiteSpace(message.HomeRealm))
{
result.HomeRealm = message.HomeRealm;
}
// parse wfed
if (!String.IsNullOrWhiteSpace(message.Federation))
{
result.Federation = message.Federation;
}
if (!String.IsNullOrWhiteSpace(message.GetParameter("login_hint")))
{
result.LoginHint = message.GetParameter("login_hint");
}
if (!subject.Identity.IsAuthenticated)
{
result.IsSignInRequired = true;
return(result);
}
// check realm
var rp = await _relyingParties.GetByRealmAsync(message.Realm);
if (rp == null || rp.Enabled == false)
{
LogError("Relying party not found: " + message.Realm, result);
return(new SignInValidationResult
{
IsError = true,
Error = "invalid_relying_party"
});
}
result.ReplyUrl = rp.ReplyUrl;
result.RelyingParty = rp;
result.SignInRequestMessage = message;
result.Subject = subject;
var customResult = await _customValidator.ValidateSignInRequestAsync(result);
if (customResult.IsError)
{
LogError("Error in custom validation: " + customResult.Error, result);
return(new SignInValidationResult
{
IsError = true,
Error = customResult.Error,
ErrorMessage = customResult.ErrorMessage,
});
}
LogSuccess(result);
return(result);
}
private ActionResult ProcessHomeRealmFromCookieValue(SignInRequestMessage message, string pastHRDSelection)
{
message.HomeRealm = pastHRDSelection;
return(ProcessSignInRequest(message));
}
public async Task <SignInValidationResult> ValidateAsync(SignInRequestMessage message, ClaimsPrincipal user)
{
//Logger.Info("Start WS-Federation signin request validation");
var result = new SignInValidationResult
{
SignInRequestMessage = message
};
// check client
var client = await _clients.FindEnabledClientByIdAsync(message.Realm);
if (client == null)
{
LogError("Client not found: " + message.Realm, result);
return(new SignInValidationResult
{
Error = "invalid_relying_party"
});
}
if (client.ProtocolType != IdentityServerConstants.ProtocolTypes.WsFederation)
{
LogError("Client is not configured for WS-Federation", result);
return(new SignInValidationResult
{
Error = "invalid_relying_party"
});
}
result.Client = client;
result.ReplyUrl = client.RedirectUris.First();
// check if additional relying party settings exist
var rp = await _relyingParties.FindRelyingPartyByRealm(message.Realm);
if (rp == null)
{
rp = new RelyingParty
{
TokenType = _options.DefaultTokenType,
SignatureAlgorithm = _options.DefaultSignatureAlgorithm,
DigestAlgorithm = _options.DefaultDigestAlgorithm,
SamlNameIdentifierFormat = _options.DefaultSamlNameIdentifierFormat,
ClaimMapping = _options.DefaultClaimMapping
};
}
result.RelyingParty = rp;
if (user == null ||
user.Identity.IsAuthenticated == false)
{
result.SignInRequired = true;
}
result.User = user;
LogSuccess(result);
return(result);
}
/// <summary>
/// This method validates the Sign in request
/// </summary>
/// <param name="requestAbsoluteUri">the url of the request</param>
/// <param name="message">the sign in request message</param>
/// <param name="subject">The sign in subject</param>
/// <returns>The validation result</returns>
public async Task <SignInValidationResult> ValidateAsync(string requestAbsoluteUri, SignInRequestMessage message, ClaimsPrincipal subject)
{
Logger.Info("Start SiteFinity signin request validation");
var result = new SignInValidationResult();
if (!String.IsNullOrWhiteSpace(message.Realm))
{
result.Realm = message.Realm;
}
if (message.SignOut)
{
if (!subject.Identity.IsAuthenticated)
{
LogError("Signout requested for user not signed in.", result);
return(new SignInValidationResult
{
IsError = true,
Error = "signout_requested_when_not_signedin"
});
}
return(new SignInValidationResult
{
IsSignout = true,
});
}
if (!subject.Identity.IsAuthenticated)
{
result.IsSignInRequired = true;
return(result);
}
var rp = await _siteFinityRelyingPartyService.GetByRealmAsync(message.Realm);
if (rp == null || rp.Enabled == false)
{
LogError("SiteFinity Relying party not found: " + message.Realm, result);
return(new SignInValidationResult
{
IsError = true,
Error = "invalid_sitefinity_relying_party"
});
}
if (string.IsNullOrWhiteSpace(message.RedirectUri))
{
if (!string.IsNullOrWhiteSpace(rp.ReplyUrl))
{
result.ReplyUrl = rp.ReplyUrl;
}
else
{
LogError("Reply url is defined or provided for : " + message.Realm, result);
return(new SignInValidationResult
{
IsError = true,
Error = "missing_replyUrl"
});
}
}
else
{
result.ReplyUrl = message.RedirectUri;
}
result.Issuer = GetIssuerFromRequestUri(requestAbsoluteUri);
result.SiteFinityRelyingParty = rp;
result.SignInRequestMessage = message;
result.Subject = subject;
LogSuccess(result);
return(result);
}
public string Issue(string relayingPartyName, string realm, string userName, string userId)
{
if (string.IsNullOrWhiteSpace(relayingPartyName))
{
throw new ArgumentNullException("relayingPartyName");
}
if (string.IsNullOrWhiteSpace(realm))
{
throw new ArgumentNullException("realm");
}
if (string.IsNullOrWhiteSpace(userName))
{
throw new ArgumentNullException("userName");
}
if (string.IsNullOrWhiteSpace(userId))
{
throw new ArgumentNullException("userId");
}
ClaimsPrincipal principal = new ClaimsPrincipal(new ClaimsIdentity(new List <Claim> {
new Claim(ClaimTypes.Name, userName), new Claim(ClaimTypes.Sid, userId)
}));
// Signin message for cross service -> issuer realm == home realm == issuer url
SignInRequestMessage signInRequestMessage = new SignInRequestMessage(new Uri(realm), realm)
{
CurrentTime = DateTime.UtcNow.ToString("s", CultureInfo.InvariantCulture) + "Z",
HomeRealm = realm
};
IRelyingParty rp = STSConfiguration <RelyingParty> .Current.RelyingParties.FindByName(relayingPartyName);
if (rp == null)
{
throw new ConfigurationErrorsException(string.Format("Relying party with name {0} was not found", relayingPartyName));
}
if (FederatedAuthentication.WSFederationAuthenticationModule == null)
{
throw new ConfigurationErrorsException("WSFederationAuthenticationModule was not found");
}
var sts = new SimpleSts(rp.GetStsConfiguration());
SignInResponseMessage signInResponseMessage = FederatedPassiveSecurityTokenServiceOperations.ProcessSignInRequest(signInRequestMessage, principal, sts);
string tokenXml = signInResponseMessage.Result;
XmlDocument xml = new XmlDocument();
xml.LoadXml(tokenXml);
string xmlSecurityToken = xml.DocumentElement.GetElementsByTagName("trust:RequestedSecurityToken").Item(0).InnerXml; // <Assertion>
//WSFederationSerializer ser = new WSFederationSerializer();
//GenericXmlSecurityToken xmlt = new GenericXmlSecurityToken()
//string xmlSecurityToken = FederatedAuthentication.WSFederationAuthenticationModule.GetXmlTokenFromMessage(signInResponseMessage);
var xmlSecurityTokenBase64Encoded = Convert.ToBase64String(Encoding.UTF8.GetBytes(xmlSecurityToken));
return(xmlSecurityTokenBase64Encoded);
}
void WSFederationAuthenticationModule_RedirectingToIdentityProvider(object sender, RedirectingToIdentityProviderEventArgs e)
{
SignInRequestMessage signInRequestMessage = e.SignInRequestMessage;
}
private ActionResult RedirectToWSFedIdentityProvider(IdentityProvider identityProvider, SignInRequestMessage request)
{
var message = new SignInRequestMessage(new Uri(identityProvider.WSFederationEndpoint), ConfigurationRepository.Global.IssuerUri);
SetContextCookie(request.Context, request.Realm, identityProvider.WSFederationEndpoint);
return(new RedirectResult(message.WriteQueryString()));
}
public async Task <ActionResult> Login(LoginModel login)
{
if (login.UserName.IndexOf('@') < 0)
{
//incorrect format
Session["Error"] = @"Enter your user ID in the format ""domain\user"" or ""user @domain"". ";
return(RedirectToAction("Index", new { Request.Url.Query }));
}
string domain = login.UserName.Split('@')[1];
InitSTS(domain);
ValidationResponse user;
try
{
//validate identity
user = await LoginValidate.ValidateAsync(login, HttpRuntime.Cache);
if (!user.IsValid)
{
Session["Error"] = "Incorrect user ID or password. Type the correct user ID and password, and try again.";
return(RedirectToAction("Index", new { Request.Url.Query }));
}
}
catch (Exception ex)
{
Common.Utils.AddLogEntry("Error during user authentication", System.Diagnostics.EventLogEntryType.Error, 0, ex);
Session["Error"] = string.Format("An error occured during authentication ({0})", ex.Message);
return(RedirectToAction("Index", new { Request.Url.Query }));
}
//identity validated
string fullRequest = String.Format("{0}{1}{2}?{3}",
Settings.HttpLocalhost,
Settings.Port,
Settings.WSFedStsIssue,
Request.Url.Query
);
//todo:
var immutableId = user.UserProperties.MasterGuid;
//var immutableId = user.UserProperties.LocalGuid;
SignInRequestMessage requestMessage = (SignInRequestMessage)WSFederationMessage.CreateFromUri(new Uri(fullRequest));
//todo:
requestMessage.Reply = string.Format("https://login.microsoftonline.com:443/login.srf?client-request-id={0}", Request.QueryString["client-request-id"]);
ClaimsIdentity identity = new ClaimsIdentity(AuthenticationTypes.Federation);
identity.AddClaim(new Claim("http://schemas.microsoft.com/LiveID/Federation/2008/05/ImmutableID", immutableId));
identity.AddClaim(new Claim("http://schemas.xmlsoap.org/claims/UPN", user.UserProperties.Upn));
//TODO: verify the source of this flag in ADFS
//identity.AddClaim(new Claim("http://schemas.microsoft.com/ws/2012/01/insidecorporatenetwork", "true", typeof(bool).ToString()));
ClaimsPrincipal principal = new ClaimsPrincipal(identity);
SignInResponseMessage responseMessage = FederatedPassiveSecurityTokenServiceOperations.ProcessSignInRequest(requestMessage, principal, this.securityTokenService);
MemoryStream stream = new MemoryStream();
StreamWriter writer = new StreamWriter(stream, Encoding.UTF8);
responseMessage.Write(writer);
writer.Flush();
stream.Position = 0;
var res = new ContentResult()
{
ContentType = "text/html",
ContentEncoding = Encoding.UTF8,
Content = Encoding.UTF8.GetString(stream.ToArray())
};
return(res);
}
