private static AudienceRestriction GetAudienceRestriction(Saml2AuthenticationOptions options)
{
if (!options.TokenValidationParameters.ValidateAudience)
{
return(new AudienceRestriction(AudienceUriMode.Never));
}
var audienceRestriction = new AudienceRestriction(AudienceUriMode.Always);
if (!string.IsNullOrWhiteSpace(options.Wtrealm))
{
audienceRestriction.AllowedAudienceUris.Add(new Uri(options.Wtrealm));
}
if (!string.IsNullOrWhiteSpace(options.TokenValidationParameters.ValidAudience))
{
audienceRestriction.AllowedAudienceUris.Add(new Uri(options.TokenValidationParameters.ValidAudience));
}
if (options.TokenValidationParameters.ValidAudiences != null)
{
foreach (var audience in options.TokenValidationParameters.ValidAudiences)
{
audienceRestriction.AllowedAudienceUris.Add(new Uri(audience));
}
}
return(audienceRestriction);
}
/// <summary>
/// Adds the <see cref="Saml2AuthenticationMiddleware"/> into the OWIN runtime.
/// </summary>
/// <param name="app">The <see cref="IAppBuilder"/> passed to the configuration method</param>
/// <param name="options">SamlAuthenticationOptions configuration options</param>
/// <returns>The updated <see cref="IAppBuilder"/></returns>
public static IAppBuilder UseSaml2Authentication(this IAppBuilder app, Saml2AuthenticationOptions options)
{
if (app == null)
{
throw new ArgumentNullException("app");
}
if (options == null)
{
throw new ArgumentNullException("options");
}
app.Use(typeof(Saml2AuthenticationMiddleware), app, options);
return(app);
}
private static HttpMessageHandler ResolveHttpMessageHandler(Saml2AuthenticationOptions options)
{
var handler = options.BackchannelHttpHandler ?? new WebRequestHandler();
if (options.BackchannelCertificateValidator != null)
{
var webRequestHandler = handler as WebRequestHandler;
if (webRequestHandler == null)
{
throw new InvalidOperationException("An ICertificateValidator cannot be specified at the same time as an HttpMessageHandler unless it is a WebRequestHandler.");
}
webRequestHandler.ServerCertificateValidationCallback = options.BackchannelCertificateValidator.Validate;
}
return(handler);
}
private static string GetRedirectUri(Saml2Binding binding, Saml2AuthenticationOptions options)
{
var relayState = binding.GetRelayStateQuery();
if (relayState.ContainsKey(_relayStateRedirectUri))
{
var redirectUri = relayState[_relayStateRedirectUri];
return(redirectUri);
}
if (relayState.ContainsKey(_relayStateReturnUrl))
{
var returnUrl = relayState[_relayStateReturnUrl];
var redirectUri = options.ExternalLoginCallbackPath.Add(new QueryString(_relayStateReturnUrl, returnUrl));
return(redirectUri);
}
return(options.ExternalLoginCallbackPath.Value);
}
private static Saml2AuthnResponse GetSaml2AuthnResponse(Saml2AuthenticationOptions options)
{
var handler = new Saml2ResponseSecurityTokenHandler
{
Configuration = new SecurityTokenHandlerConfiguration
{
SaveBootstrapContext = false,
AudienceRestriction = GetAudienceRestriction(options),
IssuerNameRegistry = new Saml2ResponseIssuerNameRegistry(),
CertificateValidationMode = X509CertificateValidationMode.None,
RevocationMode = X509RevocationMode.NoCheck,
CertificateValidator = options.TokenValidationParameters.CertificateValidator ?? X509CertificateValidator.None,
DetectReplayedTokens = false,
},
SamlSecurityTokenRequirement = { NameClaimType = ClaimTypes.NameIdentifier }
};
return(new InternalSaml2AuthnResponse(handler));
}
public Saml2AuthenticationMiddleware(OwinMiddleware next, IAppBuilder app, Saml2AuthenticationOptions options)
: base(next, app, options)
{
_logger = app.CreateLogger <Saml2AuthenticationMiddleware>();
Options.SecurityTokenHandlers.AddOrReplace(new Saml2ResponseSecurityTokenHandler());
var configurationManager = options.ConfigurationManager as ConfigurationManager <WsFederationConfiguration>;
if (configurationManager != null)
{
var httpClient = new HttpClient(ResolveHttpMessageHandler(options))
{
Timeout = Options.BackchannelTimeout,
MaxResponseContentBufferSize = 1024 * 1024 * 10
};
options.ConfigurationManager = new Saml2ConfigurationManager(options.MetadataAddress, httpClient);
ADXTrace.Instance.TraceInfo(TraceCategory.Application, string.Format("MetadataAddress={0}", options.MetadataAddress));
}
}
