/// <summary>
/// Create an authenticate request aimed for this idp.
/// </summary>
/// <param name="returnUrl">The return url where the browser should be sent after
/// successful authentication.</param>
/// <param name="authServicesUrls">Urls for AuthServices, used to populate fields
/// in the created AuthnRequest</param>
/// <param name="relayData">Aux data that should be preserved across the authentication</param>
/// <returns>AuthnRequest</returns>
public Saml2AuthenticationRequest CreateAuthenticateRequest(
Uri returnUrl,
AuthServicesUrls authServicesUrls,
object relayData)
{
if (authServicesUrls == null)
{
throw new ArgumentNullException(nameof(authServicesUrls));
}
var authnRequest = new Saml2AuthenticationRequest()
{
DestinationUrl = SingleSignOnServiceUrl,
AssertionConsumerServiceUrl = authServicesUrls.AssertionConsumerServiceUrl,
Issuer = spOptions.EntityId,
// For now we only support one attribute consuming service.
AttributeConsumingServiceIndex = spOptions.AttributeConsumingServices.Any() ? 0 : (int?)null
};
var responseData = new StoredRequestState(EntityId, returnUrl, relayData);
PendingAuthnRequests.Add(new Saml2Id(authnRequest.Id), responseData);
return(authnRequest);
}
public Saml2AuthenticationRequest CreateAuthenticateRequest()
{
var request = new Saml2AuthenticationRequest()
{
DestinationUri = DestinationUri,
AssertionConsumerServiceUrl = KentorAuthServicesSection.Current.AssertionConsumerServiceUrl,
Issuer = KentorAuthServicesSection.Current.Issuer
};
PendingAuthnRequests.Add(new Saml2Id(request.Id), Issuer);
return(request);
}
public Saml2AuthenticationRequest CreateAuthenticateRequest(Uri returnUri)
{
var request = new Saml2AuthenticationRequest()
{
DestinationUri = AssertionConsumerServiceUrl,
AssertionConsumerServiceUrl = KentorAuthServicesSection.Current.AssertionConsumerServiceUrl,
Issuer = KentorAuthServicesSection.Current.EntityId
};
var responseData = new StoredRequestState(EntityId, returnUri);
PendingAuthnRequests.Add(new Saml2Id(request.Id), responseData);
return(request);
}
public Saml2AuthenticationRequest CreateAuthenticateRequest(
Uri returnUrl,
AuthServicesUrls authServicesUrls,
object relayData)
{
if (authServicesUrls == null)
{
throw new ArgumentNullException(nameof(authServicesUrls));
}
var authnRequest = new Saml2AuthenticationRequest()
{
DestinationUrl = SingleSignOnServiceUrl,
AssertionConsumerServiceUrl = authServicesUrls.AssertionConsumerServiceUrl,
Issuer = spOptions.EntityId,
// For now we only support one attribute consuming service.
AttributeConsumingServiceIndex = spOptions.AttributeConsumingServices.Any() ? 0 : (int?)null,
NameIdPolicy = spOptions.NameIdPolicy,
RequestedAuthnContext = spOptions.RequestedAuthnContext
};
if (spOptions.AuthenticateRequestSigningBehavior == SigningBehavior.Always ||
(spOptions.AuthenticateRequestSigningBehavior == SigningBehavior.IfIdpWantAuthnRequestsSigned &&
WantAuthnRequestsSigned))
{
if (spOptions.SigningServiceCertificate == null)
{
throw new ConfigurationErrorsException(
string.Format(
CultureInfo.InvariantCulture,
"Idp \"{0}\" is configured for signed AuthenticateRequests, but ServiceCertificates configuration contains no certificate with usage \"Signing\" or \"Both\".",
EntityId.Id));
}
authnRequest.SigningCertificate = spOptions.SigningServiceCertificate;
}
var requestState = new StoredRequestState(EntityId, returnUrl, authnRequest.Id, relayData);
PendingAuthnRequests.Add(authnRequest.RelayState, requestState);
return(authnRequest);
}
private bool ValidateInResponseTo()
{
if (InResponseTo == null &&
KentorAuthServicesSection.Current.IdentityProviders
.Single(idpConfig => idpConfig.Issuer == this.Issuer).AllowUnsolicitedAuthnResponse)
{
return(true);
}
else
{
string sentToIdp;
bool knownInResponseToId = PendingAuthnRequests.TryRemove(InResponseTo, out sentToIdp);
if (!knownInResponseToId)
{
return(false);
}
if (sentToIdp != Issuer)
{
return(false);
}
return(true);
}
}
/// <summary>
/// Validates the in response to.
/// </summary>
/// <returns></returns>
private bool ValidateInResponseTo()
{
if (InResponseTo == null &&
IdentityProvider.ActiveIdentityProviders[Issuer].AllowUnsolicitedAuthnResponse)
{
return(true);
}
else
{
StoredRequestState storedRequestState;
bool knownInResponseToId = PendingAuthnRequests.TryRemove(InResponseTo, out storedRequestState);
if (!knownInResponseToId)
{
return(false);
}
RequestState = storedRequestState;
if (RequestState.Idp.Id != Issuer.Id)
{
return(false);
}
return(true);
}
}
