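/// <summary>
/// Issues a SAML token for <paramref name="identity"/>, wraps it as a
/// <see cref="GenericXmlSecurityToken"/> carrying its proof key, and exchanges it
/// at the ADFS federation endpoint.
/// </summary>
/// <param name="identity">The identity the output SAML token is created for.</param>
/// <param name="appliesTo">The AppliesTo value passed to the federation request.</param>
/// <returns>The <see cref="GenericXmlSecurityToken"/> returned by the federation endpoint.</returns>
/// <exception cref="InvalidOperationException">
/// The federation endpoint returned a token that is not a <see cref="GenericXmlSecurityToken"/>.
/// </exception>
public GenericXmlSecurityToken Authenticate(ClaimsIdentity identity, string appliesTo)
{
    var encryptingCert = _configuration.AdfsIntegration.EncryptionCertificate;

    // Proof key descriptor built against the ADFS encryption certificate, then the
    // SAML token itself.
    var proof = CreateProofDescriptor(encryptingCert);
    var outputToken = CreateOutputSamlToken(identity, proof, encryptingCert);

    // Serialize the token so it can be wrapped as a generic XML security token.
    var outputTokenString = outputToken.ToTokenXmlString();

    // Attached (true) and unattached (false) references to the assertion.
    var handler = new SamlSecurityTokenHandler();
    var attachedReference = handler.CreateSecurityTokenReference(outputToken, true);
    var unattachedReference = handler.CreateSecurityTokenReference(outputToken, false);

    // Read the clock once so ValidFrom and ValidTo are derived from the same instant
    // instead of two separate UtcNow reads.
    var validFrom = DateTime.UtcNow;
    var xmlToken = new GenericXmlSecurityToken(
        GetElement(outputTokenString),
        new BinarySecretSecurityToken(proof.GetKeyBytes()),
        validFrom,
        validFrom.AddHours(1),
        attachedReference,
        unattachedReference,
        new ReadOnlyCollection<IAuthorizationPolicy>(new List<IAuthorizationPolicy>()));

    // Send to the ADFS federation endpoint. A response of another token type used to
    // be silently turned into a null return by the `as` cast; fail closed instead so
    // the caller never proceeds with a missing token.
    var federationToken = RequestFederationToken(xmlToken, appliesTo) as GenericXmlSecurityToken;
    if (federationToken == null)
    {
        throw new InvalidOperationException("The federation endpoint did not return a GenericXmlSecurityToken.");
    }

    return federationToken;
}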
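/// <summary>
/// Requests an SWT token using an input SAML token.
/// </summary>
/// <param name="token">The input SAML token.</param>
/// <param name="scope">The requested scope.</param>
/// <returns>The requested SWT token.</returns>
public SimpleWebToken Issue(SamlSecurityToken token, Uri scope)
{
    var handler = new SamlSecurityTokenHandler();
    var sb = new StringBuilder(128);

    // Dispose the writers (which flushes them) before the serialized assertion is
    // read back out of the builder; the original left both writers open.
    using (var stringWriter = new StringWriter(sb))
    using (var xmlWriter = new XmlTextWriter(stringWriter))
    {
        handler.WriteToken(xmlWriter, token);
    }

    return IssueAssertion(sb.ToString(), "SAML", scope);
}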
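/// <summary>
/// Creates a JWT plus SAML 1.1 and SAML 2.0 tokens from the same descriptor using both
/// the Microsoft.IdentityModel.Extensions (IM) and System.IdentityModel.Tokens (SM)
/// handlers, validates each, and asserts that every resulting principal is equivalent
/// to the IM SAML 2.0 principal.
/// </summary>
public void CrossToken_ValidateToken()
{
    JwtSecurityTokenHandler jwtHandler = new JwtSecurityTokenHandler();
    IMSaml2TokenHandler imSaml2Handler = new IMSaml2TokenHandler();
    IMSamlTokenHandler imSamlHandler = new IMSamlTokenHandler();
    SMSaml2TokenHandler smSaml2Handler = new SMSaml2TokenHandler();
    SMSamlTokenHandler smSamlHandler = new SMSamlTokenHandler();

    // InboundClaimFilter is static, process-wide state. The try/finally guarantees it
    // is cleared even when an assertion fails; previously a failing assert skipped the
    // Clear() and leaked the filter into whichever test ran next.
    try
    {
        JwtSecurityTokenHandler.InboundClaimFilter.Add("aud");
        JwtSecurityTokenHandler.InboundClaimFilter.Add("exp");
        JwtSecurityTokenHandler.InboundClaimFilter.Add("iat");
        JwtSecurityTokenHandler.InboundClaimFilter.Add("iss");
        JwtSecurityTokenHandler.InboundClaimFilter.Add("nbf");

        string jwtToken = IdentityUtilities.CreateJwtToken(IdentityUtilities.DefaultAsymmetricSecurityTokenDescriptor, jwtHandler);

        // saml tokens created using Microsoft.IdentityModel.Extensions
        string imSaml2Token = IdentityUtilities.CreateSaml2Token(IdentityUtilities.DefaultAsymmetricSecurityTokenDescriptor, imSaml2Handler);
        string imSamlToken = IdentityUtilities.CreateSamlToken(IdentityUtilities.DefaultAsymmetricSecurityTokenDescriptor, imSamlHandler);

        // saml tokens created using System.IdentityModel.Tokens
        string smSaml2Token = IdentityUtilities.CreateSaml2Token(IdentityUtilities.DefaultAsymmetricSecurityTokenDescriptor, smSaml2Handler);
        string smSamlToken = IdentityUtilities.CreateSamlToken(IdentityUtilities.DefaultAsymmetricSecurityTokenDescriptor, smSamlHandler);

        ClaimsPrincipal jwtPrincipal = ValidateToken(jwtToken, IdentityUtilities.DefaultAsymmetricTokenValidationParameters, jwtHandler, ExpectedException.NoExceptionExpected);
        ClaimsPrincipal imSaml2Principal = ValidateToken(imSaml2Token, IdentityUtilities.DefaultAsymmetricTokenValidationParameters, imSaml2Handler, ExpectedException.NoExceptionExpected);
        ClaimsPrincipal imSamlPrincipal = ValidateToken(imSamlToken, IdentityUtilities.DefaultAsymmetricTokenValidationParameters, imSamlHandler, ExpectedException.NoExceptionExpected);

        // Tokens produced by the SM handlers are deliberately validated with the IM
        // handlers: that is the cross-handler check this test exists for.
        ClaimsPrincipal smSaml2Principal = ValidateToken(smSaml2Token, IdentityUtilities.DefaultAsymmetricTokenValidationParameters, imSaml2Handler, ExpectedException.NoExceptionExpected);
        ClaimsPrincipal smSamlPrincipal = ValidateToken(smSamlToken, IdentityUtilities.DefaultAsymmetricTokenValidationParameters, imSamlHandler, ExpectedException.NoExceptionExpected);

        Assert.IsTrue(IdentityComparer.AreEqual<ClaimsPrincipal>(imSamlPrincipal, imSaml2Principal, new CompareContext { IgnoreSubject = true }));
        Assert.IsTrue(IdentityComparer.AreEqual<ClaimsPrincipal>(smSamlPrincipal, imSaml2Principal, new CompareContext { IgnoreSubject = true }));
        Assert.IsTrue(IdentityComparer.AreEqual<ClaimsPrincipal>(smSaml2Principal, imSaml2Principal, new CompareContext { IgnoreSubject = true }));

        // false = ignore type of objects, we expect all objects in the principal to be of same type (no derived types)
        // true = ignore subject, claims have a backpointer to their ClaimsIdentity. Most of the time this will be different as we are comparing two different ClaimsIdentities.
        // true = ignore properties of claims, any mapped claims short to long for JWT's will have a property that represents the short type.
        Assert.IsTrue(IdentityComparer.AreEqual<ClaimsPrincipal>(jwtPrincipal, imSaml2Principal, new CompareContext { IgnoreType = false, IgnoreSubject = true, IgnoreProperties = true }));
    }
    finally
    {
        JwtSecurityTokenHandler.InboundClaimFilter.Clear();
    }
}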
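/// <summary>
/// Initializes an instance of <see cref="WrappedSaml11SecurityTokenAuthenticator"/>
/// </summary>
/// <param name="saml11SecurityTokenHandler">The Saml11SecurityTokenHandler to wrap.</param>
/// <param name="exceptionMapper">Converts token validation exceptions to SOAP faults.</param>
/// <exception cref="ArgumentNullException">
/// <paramref name="saml11SecurityTokenHandler"/> or <paramref name="exceptionMapper"/> is null.
/// </exception>
public WrappedSaml11SecurityTokenAuthenticator( SamlSecurityTokenHandler saml11SecurityTokenHandler, ExceptionMapper exceptionMapper )
    : base( new List<SecurityTokenAuthenticator>() )
{
    if ( saml11SecurityTokenHandler == null )
    {
        // The reported parameter name must match the actual parameter; the original
        // named a non-existent "wrappedSaml11SecurityTokenHandler".
        throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull( "saml11SecurityTokenHandler" );
    }

    if ( exceptionMapper == null )
    {
        throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull( "exceptionMapper" );
    }

    _wrappedSaml11SecurityTokenHandler = saml11SecurityTokenHandler;
    _exceptionMapper = exceptionMapper;
}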
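/// <summary>
/// Creates a JWT plus SAML 1.1 and SAML 2.0 tokens from the same descriptor using both
/// the Microsoft.IdentityModel.Extensions (IM) and System.IdentityModel.Tokens (SM)
/// handlers, validates each, and asserts that every resulting principal is equivalent
/// to the IM SAML 2.0 principal.
/// </summary>
public void CrossToken_ValidateToken()
{
    JwtSecurityTokenHandler jwtHandler = new JwtSecurityTokenHandler();
    IMSaml2TokenHandler imSaml2Handler = new IMSaml2TokenHandler();
    IMSamlTokenHandler imSamlHandler = new IMSamlTokenHandler();
    SMSaml2TokenHandler smSaml2Handler = new SMSaml2TokenHandler();
    SMSamlTokenHandler smSamlHandler = new SMSamlTokenHandler();

    // InboundClaimFilter is static, process-wide state. The try/finally guarantees it
    // is cleared even when an assertion fails; previously a failing assert skipped the
    // Clear() and leaked the filter into whichever test ran next.
    try
    {
        JwtSecurityTokenHandler.InboundClaimFilter.Add("aud");
        JwtSecurityTokenHandler.InboundClaimFilter.Add("exp");
        JwtSecurityTokenHandler.InboundClaimFilter.Add("iat");
        JwtSecurityTokenHandler.InboundClaimFilter.Add("iss");
        JwtSecurityTokenHandler.InboundClaimFilter.Add("nbf");

        string jwtToken = IdentityUtilities.CreateJwtToken(IdentityUtilities.DefaultAsymmetricSecurityTokenDescriptor, jwtHandler);

        // saml tokens created using Microsoft.IdentityModel.Extensions
        string imSaml2Token = IdentityUtilities.CreateSaml2Token(IdentityUtilities.DefaultAsymmetricSecurityTokenDescriptor, imSaml2Handler);
        string imSamlToken = IdentityUtilities.CreateSamlToken(IdentityUtilities.DefaultAsymmetricSecurityTokenDescriptor, imSamlHandler);

        // saml tokens created using System.IdentityModel.Tokens
        string smSaml2Token = IdentityUtilities.CreateSaml2Token(IdentityUtilities.DefaultAsymmetricSecurityTokenDescriptor, smSaml2Handler);
        string smSamlToken = IdentityUtilities.CreateSamlToken(IdentityUtilities.DefaultAsymmetricSecurityTokenDescriptor, smSamlHandler);

        ClaimsPrincipal jwtPrincipal = ValidateToken(jwtToken, IdentityUtilities.DefaultAsymmetricTokenValidationParameters, jwtHandler, ExpectedException.NoExceptionExpected);
        ClaimsPrincipal imSaml2Principal = ValidateToken(imSaml2Token, IdentityUtilities.DefaultAsymmetricTokenValidationParameters, imSaml2Handler, ExpectedException.NoExceptionExpected);
        ClaimsPrincipal imSamlPrincipal = ValidateToken(imSamlToken, IdentityUtilities.DefaultAsymmetricTokenValidationParameters, imSamlHandler, ExpectedException.NoExceptionExpected);

        // Tokens produced by the SM handlers are deliberately validated with the IM
        // handlers: that is the cross-handler check this test exists for.
        ClaimsPrincipal smSaml2Principal = ValidateToken(smSaml2Token, IdentityUtilities.DefaultAsymmetricTokenValidationParameters, imSaml2Handler, ExpectedException.NoExceptionExpected);
        ClaimsPrincipal smSamlPrincipal = ValidateToken(smSamlToken, IdentityUtilities.DefaultAsymmetricTokenValidationParameters, imSamlHandler, ExpectedException.NoExceptionExpected);

        Assert.IsTrue(IdentityComparer.AreEqual<ClaimsPrincipal>(imSamlPrincipal, imSaml2Principal, new CompareContext { IgnoreSubject = true }));
        Assert.IsTrue(IdentityComparer.AreEqual<ClaimsPrincipal>(smSamlPrincipal, imSaml2Principal, new CompareContext { IgnoreSubject = true }));
        Assert.IsTrue(IdentityComparer.AreEqual<ClaimsPrincipal>(smSaml2Principal, imSaml2Principal, new CompareContext { IgnoreSubject = true }));

        // false = ignore type of objects, we expect all objects in the principal to be of same type (no derived types)
        // true = ignore subject, claims have a backpointer to their ClaimsIdentity. Most of the time this will be different as we are comparing two different ClaimsIdentities.
        // true = ignore properties of claims, any mapped claims short to long for JWT's will have a property that represents the short type.
        Assert.IsTrue(IdentityComparer.AreEqual<ClaimsPrincipal>(jwtPrincipal, imSaml2Principal, new CompareContext { IgnoreType = false, IgnoreSubject = true, IgnoreProperties = true }));
    }
    finally
    {
        JwtSecurityTokenHandler.InboundClaimFilter.Clear();
    }
}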
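/// <summary>
/// Builds the SAML token handler that matches the IdP binding type configured on the
/// <see cref="SamlOAuthClient"/> plugin, wired with the trusted-issuer registry and
/// certificate validator from <c>tokenProcessorConfiguration</c>.
/// </summary>
/// <returns>A configured <see cref="SecurityTokenHandler"/> for the configured binding.</returns>
/// <exception cref="InvalidOperationException">No handler exists for the configured binding type.</exception>
protected virtual SecurityTokenHandler GetSecurityTokenHandler()
{
    var authPlugin = PluginManager.GetSingleton<SamlOAuthClient>();
    var securityRequirements = new SamlSecurityTokenRequirement();
    var securityTokenHandlerConfig = new SecurityTokenHandlerConfiguration();

    SecurityTokenHandler handler;
    switch (authPlugin.IdpBindingType)
    {
        case SamlBinding.SAML11_POST:
            handler = new SamlSecurityTokenHandler(securityRequirements) { Configuration = securityTokenHandlerConfig };
            break;

        case SamlBinding.SAML20_POST:
            handler = new SubjectConfirmationDataSaml2SecurityTokenHandler(securityRequirements, authPlugin.SubjectRecipientValidationMode) { Configuration = securityTokenHandlerConfig };
            break;

        default:
            // Report the value that was actually switched on; the original message
            // printed tokenProcessorConfiguration.IdpBindingType instead.
            throw new InvalidOperationException(
                string.Format("No suitable token handler was loaded for the SAML binding type : {0}", authPlugin.IdpBindingType));
    }

    // Issuer trust is pinned to the configured thumbprint list; the certificate
    // validation mode comes from the same configuration.
    handler.Configuration.IssuerNameRegistry = new CodeBasedIssuerNameRegistry(tokenProcessorConfiguration.TrustedIssuerThumbprint.Split(','));
    handler.Configuration.CertificateValidationMode = tokenProcessorConfiguration.CertificateValidationMode;

    // Both handler families expose CertificateValidator but share no common base for
    // it, so each is set through its own type. Every switch arm above yields exactly
    // one of the two, so the validator is built once.
    var certificateValidator = GetCertificateValidator(handler.Configuration.CertificateValidationMode);

    var samlHandler = handler as SamlSecurityTokenHandler;
    if (samlHandler != null)
    {
        samlHandler.CertificateValidator = certificateValidator;
    }

    var saml2Handler = handler as Saml2SecurityTokenHandler;
    if (saml2Handler != null)
    {
        saml2Handler.CertificateValidator = certificateValidator;
    }

    // NOTE(review): audience checking is switched off here, so this handler accepts an
    // assertion regardless of its audience. Existing behaviour is kept; confirm the
    // audience is enforced elsewhere in the pipeline before relying on this handler.
    handler.Configuration.AudienceRestriction.AudienceMode = System.IdentityModel.Selectors.AudienceUriMode.Never;

    return handler;
}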
/// <summary>
/// Initializes a serializer bound to its owning <see cref="SamlSecurityTokenHandler"/>
/// and the assertion it is created for.
/// </summary>
/// <param name="parent">The owning handler; must not be null.</param>
/// <param name="assertion">The assertion to hold; no null check is applied.</param>
public WrappedSerializer(SamlSecurityTokenHandler parent, SamlAssertion assertion)
{
    if (parent != null)
    {
        _parent = parent;
        _assertion = assertion;
        return;
    }

    throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("parent");
}
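/// <summary>
/// Creates a SAML 1.1 token from <paramref name="tokenDescriptor"/> and serializes it
/// into an in-memory stream. The serialized bytes are not used; the method only
/// exercises token creation and writing.
/// </summary>
/// <param name="tokenDescriptor">Describes the token to create.</param>
/// <exception cref="InvalidOperationException">
/// The handler did not produce a <see cref="SamlSecurityToken"/>.
/// </exception>
private void CreateSamlTokens( SecurityTokenDescriptor tokenDescriptor )
{
    SamlSecurityTokenHandler samlTokenHandler = new SamlSecurityTokenHandler();

    SamlSecurityToken token = samlTokenHandler.CreateToken( tokenDescriptor ) as SamlSecurityToken;
    if ( token == null )
    {
        // Previously a null from the `as` cast reached WriteToken; surface it at its source.
        throw new InvalidOperationException( "SamlSecurityTokenHandler.CreateToken did not return a SamlSecurityToken." );
    }

    // Dispose the writer and the stream so the writer is flushed and nothing leaks,
    // including when WriteToken throws.
    using ( MemoryStream ms = new MemoryStream() )
    using ( XmlDictionaryWriter writer = XmlDictionaryWriter.CreateTextWriter( ms ) )
    {
        samlTokenHandler.WriteToken( writer, token );
        writer.Flush();
    }
}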