public void SPOptionsExtensions_CreateMetadata_WithServiceCertificateConfigured()
{
var options = StubFactory.CreateOptions();
options.SPOptions.ServiceCertificates.Add(new ServiceCertificate {
Certificate = SignedXmlHelper.TestCert2
});
var metadata = options.SPOptions.CreateMetadata(StubFactory.CreateAuthServicesUrls());
var spMetadata = metadata.RoleDescriptors.OfType <ServiceProviderSingleSignOnDescriptor>().Single();
spMetadata.Should().NotBeNull();
spMetadata.Keys.Count.Should().Be(1);
spMetadata.Keys.Single().Use.Should().Be(KeyType.Unspecified);
// When there is a service certificate, expose SLO endpoints.
var sloRedirect = spMetadata.SingleLogoutServices.Single(
slo => slo.Binding == Saml2Binding.HttpRedirectUri);
sloRedirect.Location.Should().Be("http://localhost/AuthServices/Logout");
sloRedirect.ResponseLocation.Should().BeNull();
var sloPost = spMetadata.SingleLogoutServices.Single(
slo => slo.Binding == Saml2Binding.HttpPostUri);
sloPost.Location.Should().Be("http://localhost/AuthServices/Logout");
sloPost.ResponseLocation.Should().BeNull();
}
public void AcsCommand_Run_WithReturnUrl_SuccessfulResult()
{
var idp = Options.FromConfiguration.IdentityProviders.Default;
var request = idp.CreateAuthenticateRequest(
new Uri("http://localhost/testUrl.aspx"),
StubFactory.CreateAuthServicesUrls());
var response =
@"<saml2p:Response xmlns:saml2p=""urn:oasis:names:tc:SAML:2.0:protocol""
xmlns:saml2=""urn:oasis:names:tc:SAML:2.0:assertion""
ID = """ + MethodBase.GetCurrentMethod().Name + @""" InResponseTo = """ + request.Id + @""" Version=""2.0"" IssueInstant=""2013-01-01T00:00:00Z"">
<saml2:Issuer>
https://idp.example.com
</saml2:Issuer>
<saml2p:Status>
<saml2p:StatusCode Value=""urn:oasis:names:tc:SAML:2.0:status:Success"" />
</saml2p:Status>
<saml2:Assertion
Version=""2.0"" ID=""" + MethodBase.GetCurrentMethod().Name + @"_Assertion2""
IssueInstant=""2013-09-25T00:00:00Z"">
<saml2:Issuer>https://idp.example.com</saml2:Issuer>
<saml2:Subject>
<saml2:NameID>SomeUser</saml2:NameID>
<saml2:SubjectConfirmation Method=""urn:oasis:names:tc:SAML:2.0:cm:bearer"" />
</saml2:Subject>
<saml2:Conditions NotOnOrAfter=""2100-01-01T00:00:00Z"" />
</saml2:Assertion>
</saml2p:Response>";
var responseFormValue = Convert.ToBase64String
(Encoding.UTF8.GetBytes(SignedXmlHelper.SignXml(response)));
var relayStateFormValue = request.RelayState;
var r = new HttpRequestData(
"POST",
new Uri("http://localhost"),
"/ModulePath",
new KeyValuePair <string, string[]>[]
{
new KeyValuePair <string, string[]>("SAMLResponse", new string[] { responseFormValue }),
new KeyValuePair <string, string[]>("RelayState", new string[] { relayStateFormValue })
},
Enumerable.Empty <KeyValuePair <string, string> >(),
null);
var ids = new ClaimsIdentity[] { new ClaimsIdentity("Federation"), new ClaimsIdentity("ClaimsAuthenticationManager") };
ids[0].AddClaim(new Claim(ClaimTypes.NameIdentifier, "SomeUser", null, "https://idp.example.com"));
ids[1].AddClaim(new Claim(ClaimTypes.Role, "RoleFromClaimsAuthManager", null, "ClaimsAuthenticationManagerStub"));
var expected = new CommandResult()
{
Principal = new ClaimsPrincipal(ids),
HttpStatusCode = HttpStatusCode.SeeOther,
Location = new Uri("http://localhost/testUrl.aspx")
};
new AcsCommand().Run(r, StubFactory.CreateOptions())
.ShouldBeEquivalentTo(expected, opt => opt.IgnoringCyclicReferences());
}
public void SPOptionsExtensions_CreateMetadata_IncludesContactPersons()
{
var spOptions = StubFactory.CreateSPOptions();
var subject = spOptions.CreateMetadata(StubFactory.CreateAuthServicesUrls()).Contacts;
subject.Should().Contain(spOptions.Contacts);
}
public void SPOptionsExtensions_CreateMetadata_IncludesOrganization()
{
var subject = StubFactory
.CreateSPOptions()
.CreateMetadata(StubFactory.CreateAuthServicesUrls())
.Organization;
subject.Should().NotBeNull();
subject.Names.First().Name.Should().Be("Kentor.AuthServices");
}
public void SPOPtionsExtensions_CreateMetadata_ServiceCertificate()
{
var options = Options.FromConfiguration;
options.SPOptions.ServiceCertificate = SignedXmlHelper.TestCert2;
var metadata = options.SPOptions.CreateMetadata(StubFactory.CreateAuthServicesUrls());
var spMetadata = metadata.RoleDescriptors.OfType <ServiceProviderSingleSignOnDescriptor>().Single();
spMetadata.Should().NotBeNull();
spMetadata.Keys.Count.Should().Be(1);
}
public void SPOptionsExtensions_CreateMetadata_MultipleServiceCertificate()
{
var options = StubFactory.CreateOptions();
options.SPOptions.ServiceCertificates.Add(new ServiceCertificate { Certificate = SignedXmlHelper.TestCert2, Use = CertificateUse.Encryption });
options.SPOptions.ServiceCertificates.Add(new ServiceCertificate { Certificate = SignedXmlHelper.TestCert2, Use = CertificateUse.Signing });
var metadata = options.SPOptions.CreateMetadata(StubFactory.CreateAuthServicesUrls());
var spMetadata = metadata.RoleDescriptors.OfType<ServiceProviderSingleSignOnDescriptor>().Single();
spMetadata.Should().NotBeNull();
spMetadata.Keys.Count.Should().Be(2);
spMetadata.Keys.Where(k => k.Use == KeyType.Encryption).Count().Should().Be(1);
spMetadata.Keys.Where(k => k.Use == KeyType.Signing).Count().Should().Be(1);
}
public void SPOptionsExtensions_CreateMetadata_ServiceCertificate()
{
var options = StubFactory.CreateOptions();
options.SPOptions.ServiceCertificates.Add(new ServiceCertificate {
Certificate = SignedXmlHelper.TestCert2
});
var metadata = options.SPOptions.CreateMetadata(StubFactory.CreateAuthServicesUrls());
var spMetadata = metadata.RoleDescriptors.OfType <ServiceProviderSingleSignOnDescriptor>().Single();
spMetadata.Should().NotBeNull();
spMetadata.Keys.Count.Should().Be(1);
spMetadata.Keys.First().Use.Should().Be(KeyType.Unspecified);
}
public void SPOPtionsExtensions_CreateMetadata_RequiredFields()
{
var metadata = Options.FromConfiguration.SPOptions.CreateMetadata(StubFactory.CreateAuthServicesUrls());
metadata.CacheDuration.Should().Be(new TimeSpan(0, 0, 42));
metadata.EntityId.Id.Should().Be("https://github.com/KentorIT/authservices");
var spMetadata = metadata.RoleDescriptors.OfType <ServiceProviderSingleSignOnDescriptor>().Single();
spMetadata.Should().NotBeNull();
var acs = spMetadata.AssertionConsumerServices.First().Value;
acs.Index.Should().Be(0);
acs.IsDefault.Should().HaveValue();
acs.Binding.ToString().Should().Be("urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST");
acs.Location.ToString().Should().Be("http://localhost/AuthServices/Acs");
}
public void SPOptionsExtensions_CreateMetadata_IncludeAttributeConsumingService()
{
var spOptions = StubFactory.CreateSPOptions();
var urls = StubFactory.CreateAuthServicesUrls();
var attributeConsumingService = new AttributeConsumingService("Name");
spOptions.AttributeConsumingServices.Clear();
spOptions.AttributeConsumingServices.Add(attributeConsumingService);
attributeConsumingService.RequestedAttributes.Add(new RequestedAttribute("AttributeName"));
var subject = spOptions
.CreateMetadata(urls)
.RoleDescriptors
.Cast <ExtendedServiceProviderSingleSignOnDescriptor>()
.First();
subject.AttributeConsumingServices.First().Should().BeSameAs(attributeConsumingService);
}
public void SPOptionsExtensions_CreateMetadata_IncludeDiscoveryServiceResponse()
{
var spOptions = StubFactory.CreateSPOptions();
var urls = StubFactory.CreateAuthServicesUrls();
spOptions.DiscoveryServiceUrl = new Uri("http://ds.example.com");
var subject = spOptions.CreateMetadata(urls).Extensions.DiscoveryResponse;
var expected = new IndexedProtocolEndpoint
{
Binding = Saml2Binding.DiscoveryResponseUri,
Index = 0,
IsDefault = true,
Location = urls.SignInUrl
};
subject.ShouldBeEquivalentTo(expected);
}
public void SignInCommand_Run_MapsReturnUrl()
{
var defaultDestination = Options.FromConfiguration.IdentityProviders.Default.SingleSignOnServiceUrl;
var httpRequest = new HttpRequestData("GET", new Uri("http://localhost/signin?ReturnUrl=%2FReturn.aspx"));
var subject = new SignInCommand().Run(httpRequest, Options.FromConfiguration);
var idp = Options.FromConfiguration.IdentityProviders.Default;
var authnRequest = idp.CreateAuthenticateRequest(null, StubFactory.CreateAuthServicesUrls());
var requestId = AuthnRequestHelper.GetRequestId(subject.Location);
StoredRequestState storedAuthnData;
idp.PendingAuthStorageContainer.TryRemove(new System.IdentityModel.Tokens.Saml2Id(requestId), out storedAuthnData);
storedAuthnData.ReturnUrl.Should().Be("http://localhost/Return.aspx");
}