// Since the issued token is an endorsing token it will not be used for identity checks
// hence we do not need to persist the authorization policies that represent the target service.
static void SerializeCachedToken(Stream stream, Uri target, Uri issuer, GenericXmlSecurityToken token)
{
XmlTextWriter writer = new XmlTextWriter(stream, Encoding.UTF8);
writer.WriteStartElement("Entry");
writer.WriteElementString("Target", target.AbsoluteUri);
writer.WriteElementString("Issuer", (issuer == null) ? "" : issuer.AbsoluteUri);
writer.WriteStartElement("Token");
writer.WriteStartElement("XML");
token.TokenXml.WriteTo(writer);
writer.WriteEndElement();
SymmetricSecurityKey key = (SymmetricSecurityKey)(token.SecurityKeys[0]);
writer.WriteElementString("Key", Convert.ToBase64String(key.GetSymmetricKey()));
writer.WriteElementString("Id", token.Id);
writer.WriteElementString("ValidFrom", Convert.ToString(token.ValidFrom));
writer.WriteElementString("ValidTo", Convert.ToString(token.ValidTo));
WSSecurityTokenSerializer serializer = new WSSecurityTokenSerializer();
writer.WriteStartElement("InternalTokenReference");
serializer.WriteKeyIdentifierClause(writer, token.InternalTokenReference);
writer.WriteEndElement();
writer.WriteStartElement("ExternalTokenReference");
serializer.WriteKeyIdentifierClause(writer, token.ExternalTokenReference);
writer.WriteEndElement();
writer.WriteEndElement(); // token
writer.WriteEndElement(); // entry
writer.Flush();
stream.Flush();
}
// Methods of BodyWriter
/// <summary>
/// Writes out an XML representation of the instance.
/// </summary>
/// <param name="writer">The writer to be used to write out the XML content</param>
protected override void OnWriteBodyContents(XmlDictionaryWriter writer)
{
// Write out the wst:RequestSecurityTokenResponse start tag
writer.WriteStartElement(Constants.Trust.Elements.RequestSecurityTokenResponse, Constants.Trust.NamespaceUri);
// If we have a non-null, non-empty tokenType...
if (this.TokenType != null && this.TokenType.Length > 0)
{
// Write out the wst:TokenType start tag
writer.WriteStartElement(Constants.Trust.Elements.TokenType, Constants.Trust.NamespaceUri);
// Write out the tokenType string
writer.WriteString(this.TokenType);
writer.WriteEndElement(); // wst:TokenType
}
// Create a serializer that knows how to write out security tokens
WSSecurityTokenSerializer ser = new WSSecurityTokenSerializer();
// If we have a requestedSecurityToken...
if (this.requestedSecurityToken != null)
{
// Write out the wst:RequestedSecurityToken start tag
writer.WriteStartElement(Constants.Trust.Elements.RequestedSecurityToken, Constants.Trust.NamespaceUri);
// Write out the requested token using the serializer
ser.WriteToken(writer, requestedSecurityToken);
writer.WriteEndElement(); // wst:RequestedSecurityToken
}
// If we have a requestedAttachedReference...
if ( this.requestedAttachedReference != null )
{
// Write out the wst:RequestedAttachedReference start tag
writer.WriteStartElement(Constants.Trust.Elements.RequestedAttachedReference, Constants.Trust.NamespaceUri);
// Write out the reference using the serializer
ser.WriteKeyIdentifierClause ( writer, this.requestedAttachedReference );
writer.WriteEndElement(); // wst:RequestedAttachedReference
}
// If we have a requestedUnattachedReference...
if ( this.requestedUnattachedReference != null )
{
// Write out the wst:RequestedUnattachedReference start tag
writer.WriteStartElement(Constants.Trust.Elements.RequestedUnattachedReference, Constants.Trust.NamespaceUri);
// Write out the reference using the serializer
ser.WriteKeyIdentifierClause ( writer, this.requestedUnattachedReference );
writer.WriteEndElement(); // wst:RequestedAttachedReference
}
// If we have a non-null appliesTo
if (this.AppliesTo != null)
{
// Write out the wsp:AppliesTo start tag
writer.WriteStartElement(Constants.Policy.Elements.AppliesTo, Constants.Policy.NamespaceUri);
// Write the appliesTo in WS-Addressing 1.0 format
this.AppliesTo.WriteTo(AddressingVersion.WSAddressing10, writer);
writer.WriteEndElement(); // wsp:AppliesTo
}
// If the requestedProofToken is non-null, then the STS is providing all the key material...
if (this.requestedProofToken != null)
{
// Write the wst:RequestedProofToken start tag
writer.WriteStartElement(Constants.Trust.Elements.RequestedProofToken, Constants.Trust.NamespaceUri);
// Write the proof token using the serializer
ser.WriteToken(writer, requestedProofToken);
writer.WriteEndElement(); // wst:RequestedSecurityToken
}
// If issuerEntropy is non-null and computeKey is true, then combined entropy is being used...
if(this.issuerEntropy != null && this.computeKey )
{
// Write the wst:RequestedProofToken start tag
writer.WriteStartElement(Constants.Trust.Elements.RequestedProofToken, Constants.Trust.NamespaceUri);
// Write the wst:ComputeKey start tag
writer.WriteStartElement(Constants.Trust.Elements.ComputedKey, Constants.Trust.NamespaceUri);
// Write the PSHA1 algorithm value
writer.WriteValue(Constants.Trust.ComputedKeyAlgorithms.PSHA1);
writer.WriteEndElement(); // wst:ComputedKey
writer.WriteEndElement(); // wst:RequestedSecurityToken
// Write the wst:Entropy start tag
writer.WriteStartElement(Constants.Trust.Elements.Entropy, Constants.Trust.NamespaceUri);
// Write the issuerEntropy out using the serializer
ser.WriteToken(writer, this.issuerEntropy);
writer.WriteEndElement(); // wst:Entropy
}
writer.WriteEndElement(); // wst:RequestSecurityTokenResponse
}
// Methods of BodyWriter
protected override void OnWriteBodyContents(XmlDictionaryWriter writer)
{
writer.WriteStartElement(Constants.Trust.Elements.RequestSecurityTokenResponse, Constants.Trust.NamespaceUri);
if (this.TokenType != null && this.TokenType.Length > 0)
{
writer.WriteStartElement(Constants.Trust.Elements.TokenType, Constants.Trust.NamespaceUri);
writer.WriteString(this.TokenType);
writer.WriteEndElement(); // wst:TokenType
}
WSSecurityTokenSerializer ser = new WSSecurityTokenSerializer();
if (this.RequestedSecurityToken != null)
{
writer.WriteStartElement(Constants.Trust.Elements.RequestedSecurityToken, Constants.Trust.NamespaceUri);
ser.WriteToken(writer, this.RequestedSecurityToken);
writer.WriteEndElement(); // wst:RequestedSecurityToken
}
if ( this.RequestedAttachedReference != null )
{
writer.WriteStartElement(Constants.Trust.Elements.RequestedAttachedReference, Constants.Trust.NamespaceUri);
ser.WriteKeyIdentifierClause ( writer, this.RequestedAttachedReference);
writer.WriteEndElement(); // wst:RequestedAttachedReference
}
if ( this.RequestedUnattachedReference != null )
{
writer.WriteStartElement(Constants.Trust.Elements.RequestedUnattachedReference, Constants.Trust.NamespaceUri);
ser.WriteKeyIdentifierClause ( writer, this.RequestedUnattachedReference);
writer.WriteEndElement(); // wst:RequestedAttachedReference
}
if (this.AppliesTo != null)
{
writer.WriteStartElement(Constants.Policy.Elements.AppliesTo, Constants.Policy.NamespaceUri);
this.AppliesTo.WriteTo(AddressingVersion.WSAddressing10, writer);
writer.WriteEndElement(); // wsp:AppliesTo
}
if (this.RequestedProofToken != null)// Issuer entropy; write RPT only
{
writer.WriteStartElement(Constants.Trust.Elements.RequestedProofToken, Constants.Trust.NamespaceUri);
ser.WriteToken(writer, this.RequestedProofToken);
writer.WriteEndElement(); // wst:RequestedSecurityToken
}
if(this.IssuerEntropy != null && this.ComputeKey) // Combined entropy; write RPT and Entropy
{
writer.WriteStartElement(Constants.Trust.Elements.RequestedProofToken, Constants.Trust.NamespaceUri);
writer.WriteStartElement(Constants.Trust.Elements.ComputedKey, Constants.Trust.NamespaceUri);
writer.WriteValue(Constants.Trust.ComputedKeyAlgorithms.PSHA1);
writer.WriteEndElement(); // wst:ComputedKey
writer.WriteEndElement(); // wst:RequestedSecurityToken
if (this.IssuerEntropy!= null)
{
writer.WriteStartElement(Constants.Trust.Elements.Entropy, Constants.Trust.NamespaceUri);
ser.WriteToken(writer, this.IssuerEntropy);
writer.WriteEndElement(); // wst:Entropy
}
}
writer.WriteEndElement(); // wst:RequestSecurityTokenResponse
}
/// <summary>
/// Build the contents of the SAML token
/// </summary>
/// <param name="writer"><b>XmlDictionaryWriter</b> to write the contents of this token to</param>
protected override void OnWriteBodyContents(XmlDictionaryWriter writer)
{
// Subject
SamlSubject subject = new SamlSubject();
if ( this.useKey != null )
{
// Add the key and the Holder-Of-Key confirmation method
subject.KeyIdentifier = this.useKey;
subject.ConfirmationMethods.Add( SamlConstants.HolderOfKey );
}
else
{
// This is a bearer token
subject.ConfirmationMethods.Add( SamlConstants.SenderVouches );
}
// Attributes, statements, conditions, and assertions
List<SamlStatement> statements = new List<SamlStatement>();
List<SamlAttribute> attributes = GetTokenAttributes();
statements.Add(new SamlAuthenticationStatement(subject, Constants.Saml.AuthenticationMethods.Unspecified, DateTime.Now, null, null, null));
statements.Add(new SamlAttributeStatement(subject, attributes));
SamlConditions conditions = new SamlConditions(DateTime.Now, (DateTime.Now + TimeSpan.FromHours(8.0)));
SamlAssertion assertion = new SamlAssertion("uuid-" + Guid.NewGuid(), Program.Issuer, DateTime.Now, conditions, null, statements);
// Build the signing token
SecurityToken signingToken = new X509SecurityToken(Program.SigningCertificate);
SecurityKeyIdentifier keyIdentifier = new SecurityKeyIdentifier(signingToken.CreateKeyIdentifierClause<X509RawDataKeyIdentifierClause>());
SigningCredentials signingCredentials = new SigningCredentials(signingToken.SecurityKeys[0], SecurityAlgorithms.RsaSha1Signature, SecurityAlgorithms.Sha1Digest, keyIdentifier);
assertion.SigningCredentials = signingCredentials;
// Build the SAML token
SamlSecurityToken token = new SamlSecurityToken(assertion);
SecurityKeyIdentifierClause attachedReference = token.CreateKeyIdentifierClause<SamlAssertionKeyIdentifierClause>();
SecurityKeyIdentifierClause unattachedReference = token.CreateKeyIdentifierClause<SamlAssertionKeyIdentifierClause>();
//
// Write the XML
//
//writer = XmlDictionaryWriter.CreateTextWriter(File.CreateText("output.xml").BaseStream);
// RSTR
writer.WriteStartElement(Constants.WSTrust.NamespaceUri.Prefix, Constants.WSTrust.Elements.RequestSecurityTokenResponse, Constants.WSTrust.NamespaceUri.Uri);
if (context != null)
{
writer.WriteAttributeString(Constants.WSTrust.Attributes.Context, context);
}
// TokenType
writer.WriteElementString(Constants.WSTrust.NamespaceUri.Prefix, Constants.WSTrust.Elements.TokenType, Constants.WSTrust.NamespaceUri.Uri, Constants.WSTrust.TokenTypes.Saml10Assertion);
// RequestedSecurityToken (the SAML token)
SecurityTokenSerializer tokenSerializer = new WSSecurityTokenSerializer();
writer.WriteStartElement(Constants.WSTrust.NamespaceUri.Prefix, Constants.WSTrust.Elements.RequestedSecurityToken, Constants.WSTrust.NamespaceUri.Uri);
tokenSerializer.WriteToken(writer, token);
writer.WriteEndElement();
// RequestedAttachedReference
writer.WriteStartElement(Constants.WSTrust.NamespaceUri.Prefix, Constants.WSTrust.Elements.RequestedAttachedReference, Constants.WSTrust.NamespaceUri.Uri);
tokenSerializer.WriteKeyIdentifierClause(writer, attachedReference);
writer.WriteEndElement();
// RequestedUnattachedReference
writer.WriteStartElement(Constants.WSTrust.NamespaceUri.Prefix, Constants.WSTrust.Elements.RequestedUnattachedReference, Constants.WSTrust.NamespaceUri.Uri);
tokenSerializer.WriteKeyIdentifierClause(writer, unattachedReference);
writer.WriteEndElement();
// RequestedDisplayToken (display token)
string displayTokenNS = "http://schemas.xmlsoap.org/ws/2005/05/identity";
writer.WriteStartElement("wsid", "RequestedDisplayToken", displayTokenNS);
writer.WriteStartElement("wsid", "DisplayToken", displayTokenNS);
foreach (SamlAttribute attribute in attributes)
{
writer.WriteStartElement("wsid", "DisplayClaim", displayTokenNS);
writer.WriteAttributeString("Uri", attribute.Namespace + "/" + attribute.Name);
writer.WriteStartElement("wsid", "DisplayTag", displayTokenNS);
writer.WriteValue(attribute.Name);
writer.WriteEndElement();
writer.WriteStartElement("wsid", "Description", displayTokenNS);
writer.WriteValue(attribute.Namespace + "/" + attribute.Name);
writer.WriteEndElement();
foreach (string attributeValue in attribute.AttributeValues)
{
writer.WriteStartElement("wsid", "DisplayValue", displayTokenNS);
writer.WriteValue(attributeValue);
writer.WriteEndElement();
}
writer.WriteEndElement();
}
writer.WriteEndElement();
writer.WriteEndElement();
// RSTR End
writer.WriteEndElement();
//writer.Close();
}
