/// <summary>
/// [SAML2.0std] section 2.7.2: an AuthnStatement MUST carry an AuthnInstant and is checked
/// together with its AuthnContext. SessionIndex and the SubjectLocality Address/DNSName
/// attributes are optional, but when present they must contain at least one non-whitespace
/// character (as judged by <c>Saml20Utils.ValidateOptionalString</c>).
/// </summary>
/// <param name="statement">The statement to check.</param>
/// <exception cref="Saml20FormatException">
/// Thrown when AuthnInstant is missing or an optional attribute is present but blank.
/// </exception>
private void ValidateAuthnStatement(AuthnStatement statement)
{
    if (statement.AuthnInstant == null)
    {
        throw new Saml20FormatException("AuthnStatement MUST have an AuthnInstant attribute");
    }

    RequireNonBlankIfPresent(statement.SessionIndex,
        "SessionIndex attribute of AuthnStatement must contain at least one non-whitespace character");

    if (statement.SubjectLocality != null)
    {
        RequireNonBlankIfPresent(statement.SubjectLocality.Address,
            "Address attribute of SubjectLocality must contain at least one non-whitespace character");
        RequireNonBlankIfPresent(statement.SubjectLocality.DNSName,
            "DNSName attribute of SubjectLocality must contain at least one non-whitespace character");
    }

    // The context element has its own rules and is validated separately.
    ValidateAuthnContext(statement.AuthnContext);
}

/// <summary>
/// Rejects an optional string attribute that <c>Saml20Utils.ValidateOptionalString</c> does not accept.
/// </summary>
/// <param name="value">The attribute value (may be absent).</param>
/// <param name="message">The message for the format exception raised on rejection.</param>
private static void RequireNonBlankIfPresent(string value, string message)
{
    if (!Saml20Utils.ValidateOptionalString(value))
    {
        throw new Saml20FormatException(message);
    }
}
/// <summary>
/// Assembles our basic test assertion: a bearer-confirmed subject addressed to borger.dk,
/// an audience-restricted condition set expiring end of 2008, one AuthnStatement and one
/// AttributeStatement with four URI-named attributes.
/// </summary>
/// <returns>A populated <see cref="Assertion"/> for the validation tests to build on.</returns>
public static Assertion GetBasicAssertion()
{
    Assertion assertion = new Assertion();
    assertion.ID = "_b8977dc86cda41493fba68b32ae9291d";
    assertion.Version = "2.0";
    assertion.IssueInstant = DateTime.UtcNow;
    assertion.Issuer = new NameID();
    assertion.Issuer.Value = GetBasicIssuer();

    assertion.Subject = BuildBearerSubject();
    assertion.Conditions = BuildConditions();
    assertion.Items = new StatementAbstract[] { BuildAuthnStatement(), BuildAttributeStatement() };

    return assertion;
}

/// <summary>Bearer confirmation for http://borger.dk, not valid on or after 2008-12-31 12:00.</summary>
private static Subject BuildBearerSubject()
{
    SubjectConfirmation confirmation = new SubjectConfirmation();
    confirmation.Method = SubjectConfirmation.BEARER_METHOD;
    confirmation.SubjectConfirmationData = new SubjectConfirmationData();
    confirmation.SubjectConfirmationData.NotOnOrAfter = new DateTime(2008, 12, 31, 12, 0, 0, 0);
    confirmation.SubjectConfirmationData.Recipient = "http://borger.dk";

    Subject subject = new Subject();
    subject.Items = new object[] { confirmation };
    return subject;
}

/// <summary>Conditions limited to <see cref="GetAudiences"/>, not valid on or after 2008-12-31 12:00.</summary>
private static Conditions BuildConditions()
{
    AudienceRestriction restriction = new AudienceRestriction();
    restriction.Audience = GetAudiences();

    Conditions conditions = new Conditions();
    conditions.NotOnOrAfter = new DateTime(2008, 12, 31, 12, 0, 0, 0);
    conditions.Items = new List<ConditionAbstract>();
    conditions.Items.Add(restriction);
    return conditions;
}

/// <summary>AuthnStatement with a fixed SessionIndex, an X.509 class ref and a declaration ref.</summary>
private static AuthnStatement BuildAuthnStatement()
{
    AuthnStatement statement = new AuthnStatement();
    statement.AuthnInstant = new DateTime(2008, 1, 8);
    statement.SessionIndex = "70225885";
    statement.AuthnContext = new AuthnContext();
    statement.AuthnContext.Items = new object[]
    {
        "urn:oasis:names:tc:SAML:2.0:ac:classes:X509",
        "http://www.safewhere.net/authncontext/declref"
    };
    statement.AuthnContext.ItemsElementName = new ItemsChoiceType5[]
    {
        ItemsChoiceType5.AuthnContextClassRef,
        ItemsChoiceType5.AuthnContextDeclRef
    };
    return statement;
}

/// <summary>AttributeStatement with surname, common name, user name and e-mail (URI name format).</summary>
private static AttributeStatement BuildAttributeStatement()
{
    AttributeStatement statement = new AttributeStatement();
    statement.Items = new object[]
    {
        UriAttribute("SurName", "urn:oid:2.5.4.4", "Fry"),
        UriAttribute("CommonName", "urn:oid:2.5.4.3", "Philip J. Fry"),
        UriAttribute(null, "urn:oid:0.9.2342.19200300.100.1.1", "fry"),
        UriAttribute("Email", "urn:oid:0.9.2342.19200300.100.1.3", "*****@*****.**")
    };
    return statement;
}

/// <summary>Single-valued attribute in URI name format; FriendlyName is only set when given.</summary>
/// <param name="friendlyName">Optional friendly name, or null to leave it unset.</param>
/// <param name="name">The attribute name (an OID URN here).</param>
/// <param name="value">The single attribute value.</param>
private static SamlAttribute UriAttribute(string friendlyName, string name, string value)
{
    SamlAttribute attribute = new SamlAttribute();
    if (friendlyName != null)
    {
        attribute.FriendlyName = friendlyName;
    }
    attribute.Name = name;
    attribute.NameFormat = SamlAttribute.NAMEFORMAT_URI;
    attribute.AttributeValue = new string[] { value };
    return attribute;
}
/// <summary>
/// DK-SAML 2.0 profile rule layered on the core SAML checks: the AuthnStatement must carry a
/// SessionIndex that <c>Saml20Utils.ValidateRequiredString</c> accepts.
/// </summary>
/// <param name="authnStatement">The statement to check.</param>
/// <exception cref="DKSaml20FormatException">Thrown when SessionIndex is missing or rejected.</exception>
private void ValidateAuthnStatement(AuthnStatement authnStatement)
{
    bool hasSessionIndex = Saml20Utils.ValidateRequiredString(authnStatement.SessionIndex);
    if (hasSessionIndex)
    {
        return;
    }

    throw new DKSaml20FormatException(
        "The DK-SAML 2.0 profile requires that the \"AuthnStatement\" element contains the \"SessionIndex\" attribute.");
}
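/// <summary>
/// Builds the bearer assertion issued to <paramref name="receiver"/> for an authenticated
/// <paramref name="user"/>: a persistent NameID (user.ppid), a bearer SubjectConfirmation whose
/// Recipient is the receiver, an AudienceRestriction naming the receiver, an X.509 AuthnStatement
/// and an AttributeStatement with one basic-format attribute per entry of user.Attributes.
/// </summary>
/// <param name="user">The authenticated user; ppid and Attributes are read.</param>
/// <param name="receiver">The service-provider endpoint the assertion is addressed to (Recipient and Audience).</param>
/// <returns>The assembled <see cref="Assertion"/>. Signing is not done here.</returns>
private Assertion CreateAssertion(User user, string receiver)
{
    // SAML timestamps are xs:dateTime values in UTC. Read the clock once so IssueInstant,
    // AuthnInstant and both NotOnOrAfter values are consistent with each other.
    DateTime now = DateTime.UtcNow;
    DateTime notOnOrAfter = now.AddHours(1);

    Assertion assertion = new Assertion();
    assertion.ID = "id" + Guid.NewGuid().ToString("N");
    // IssueInstant is the moment of issuance. The previous value (local time plus ten minutes)
    // was in the future; a relying party that compares IssueInstant with its own clock can
    // reject that. If the offset was meant to absorb clock skew, the skew allowance belongs in
    // the validator, not in the issued timestamp.
    assertion.IssueInstant = now;
    assertion.Issuer = new NameID();
    assertion.Issuer.Value = IDPConfig.ServerBaseUrl;

    {
        // Subject: persistent identifier plus a bearer confirmation bound to the receiver.
        // NOTE(review): a bearer confirmation answering an AuthnRequest would also carry
        // InResponseTo; the request id is not available through this signature.
        NameID nameId = new NameID();
        nameId.Format = Saml20Constants.NameIdentifierFormats.Persistent;
        nameId.Value = user.ppid;

        SubjectConfirmation subjectConfirmation = new SubjectConfirmation();
        subjectConfirmation.Method = SubjectConfirmation.BEARER_METHOD;
        subjectConfirmation.SubjectConfirmationData = new SubjectConfirmationData();
        subjectConfirmation.SubjectConfirmationData.NotOnOrAfter = notOnOrAfter;
        subjectConfirmation.SubjectConfirmationData.Recipient = receiver;

        assertion.Subject = new Subject();
        assertion.Subject.Items = new object[] { nameId, subjectConfirmation };
    }

    {
        // Conditions: valid for one hour and only for the receiver.
        AudienceRestriction audienceRestriction = new AudienceRestriction();
        audienceRestriction.Audience = new List<string>();
        audienceRestriction.Audience.Add(receiver);

        assertion.Conditions = new Conditions();
        assertion.Conditions.NotOnOrAfter = notOnOrAfter;
        assertion.Conditions.Items = new List<ConditionAbstract>();
        assertion.Conditions.Items.Add(audienceRestriction);
    }

    List<StatementAbstract> statements = new List<StatementAbstract>(2);

    {
        // AuthnStatement: X.509 authentication context class.
        AuthnStatement authnStatement = new AuthnStatement();
        authnStatement.AuthnInstant = now;
        // SessionIndex names this IdP session in later messages. A System.Random int is small
        // and predictable from its seed; a GUID (the same source already used for the
        // assertion ID) is unique and far harder to guess.
        authnStatement.SessionIndex = Guid.NewGuid().ToString("N");
        authnStatement.AuthnContext = new AuthnContext();
        authnStatement.AuthnContext.Items = new object[] { "urn:oasis:names:tc:SAML:2.0:ac:classes:X509" };
        authnStatement.AuthnContext.ItemsElementName = new ItemsChoiceType5[] { ItemsChoiceType5.AuthnContextClassRef };
        statements.Add(authnStatement);
    }

    {
        // AttributeStatement: one single-valued, basic-format attribute per user attribute.
        List<SamlAttribute> attributes = new List<SamlAttribute>(user.Attributes.Count);
        foreach (KeyValuePair<string, string> att in user.Attributes)
        {
            SamlAttribute attribute = new SamlAttribute();
            attribute.Name = att.Key;
            attribute.NameFormat = SamlAttribute.NAMEFORMAT_BASIC;
            attribute.AttributeValue = new string[] { att.Value };
            attributes.Add(attribute);
        }

        AttributeStatement attributeStatement = new AttributeStatement();
        attributeStatement.Items = attributes.ToArray();
        statements.Add(attributeStatement);
    }

    assertion.Items = statements.ToArray();
    return assertion;
}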
/// <summary>
/// An AuthenticatingAuthority entry that is not a well-formed URI ("urn/invalid") must make
/// token creation fail even though the class and declaration references are valid. The
/// expected failure is presumably asserted by a test attribute above this method (not shown).
/// </summary>
public void AuthnStatement_Invalid_AuthnContextAuthenticatingAuthorityUri()
{
    AuthnStatement statement = new AuthnStatement();
    statement.AuthnInstant = DateTime.UtcNow;
    statement.SessionNotOnOrAfter = DateTime.UtcNow.AddHours(1);
    statement.AuthnContext = new AuthnContext();
    statement.AuthnContext.Items = new object[] { "urn:a:valid.uri:string", "http://another/valid/uri.string" };
    statement.AuthnContext.ItemsElementName = new ItemsChoiceType5[]
    {
        ItemsChoiceType5.AuthnContextClassRef,
        ItemsChoiceType5.AuthnContextDeclRef
    };
    // Second entry is the malformed one.
    statement.AuthnContext.AuthenticatingAuthority = new string[] { "urn:aksdlfj", "urn/invalid" };

    Assertion assertion = AssertionUtil.GetBasicAssertion();
    StatementAbstract[] existing = assertion.Items;
    StatementAbstract[] extended = new StatementAbstract[existing.Length + 1];
    Array.Copy(existing, extended, existing.Length);
    extended[existing.Length] = statement;
    assertion.Items = extended;

    CreateSaml20Token(assertion);
}
/// <summary>
/// An AuthnContextDecl item holding an object that is not a declaration (an AuthnStatement
/// instance here) must make token creation fail. The expected failure is presumably asserted
/// by a test attribute above this method (not shown).
/// </summary>
public void AuthnStatement_Invalid_AuthnContextDecl()
{
    AuthnStatement statement = new AuthnStatement();
    statement.AuthnInstant = DateTime.UtcNow;
    statement.SessionNotOnOrAfter = DateTime.UtcNow.AddHours(1);
    statement.AuthnContext = new AuthnContext();
    // Wrong payload type for a declaration item.
    statement.AuthnContext.Items = new object[] { new AuthnStatement() };
    statement.AuthnContext.ItemsElementName = new ItemsChoiceType5[] { ItemsChoiceType5.AuthnContextDecl };

    Assertion assertion = AssertionUtil.GetBasicAssertion();
    StatementAbstract[] existing = assertion.Items;
    StatementAbstract[] extended = new StatementAbstract[existing.Length + 1];
    Array.Copy(existing, extended, existing.Length);
    extended[existing.Length] = statement;
    assertion.Items = extended;

    CreateSaml20Token(assertion);
}
/// <summary>
/// An AuthnContextDeclRef that is not a well-formed URI ("an/invalid/uri/string.aspx") must
/// make token creation fail even though the class reference is valid. The expected failure is
/// presumably asserted by a test attribute above this method (not shown).
/// </summary>
public void AuthnStatement_Invalid_AuthnContextDeclRefUri()
{
    AuthnStatement statement = new AuthnStatement();
    statement.AuthnInstant = DateTime.UtcNow;
    statement.SessionNotOnOrAfter = DateTime.UtcNow.AddHours(1);
    statement.AuthnContext = new AuthnContext();
    // Second item is the malformed declaration reference.
    statement.AuthnContext.Items = new object[] { "urn:a.valid.uri:string", "an/invalid/uri/string.aspx" };
    statement.AuthnContext.ItemsElementName = new ItemsChoiceType5[]
    {
        ItemsChoiceType5.AuthnContextClassRef,
        ItemsChoiceType5.AuthnContextDeclRef
    };

    Assertion assertion = AssertionUtil.GetBasicAssertion();
    StatementAbstract[] existing = assertion.Items;
    StatementAbstract[] extended = new StatementAbstract[existing.Length + 1];
    Array.Copy(existing, extended, existing.Length);
    extended[existing.Length] = statement;
    assertion.Items = extended;

    CreateSaml20Token(assertion);
}
/// <summary>
/// An AuthnContext with no class/declaration items at all must make token creation fail.
/// The expected failure is presumably asserted by a test attribute above this method (not shown).
/// </summary>
public void AuthnStatement_Invalid_AuthnContextNoContextItems()
{
    AuthnStatement statement = new AuthnStatement();
    statement.AuthnInstant = DateTime.UtcNow;
    statement.SessionNotOnOrAfter = DateTime.UtcNow.AddHours(1);
    // Items and ItemsElementName deliberately left unset.
    statement.AuthnContext = new AuthnContext();

    Assertion assertion = AssertionUtil.GetBasicAssertion();
    StatementAbstract[] existing = assertion.Items;
    StatementAbstract[] extended = new StatementAbstract[existing.Length + 1];
    Array.Copy(existing, extended, existing.Length);
    extended[existing.Length] = statement;
    assertion.Items = extended;

    CreateSaml20Token(assertion);
}
/// <summary>
/// A SessionNotOnOrAfter one hour in the past must be rejected by the time-restriction check
/// when no clock skew is allowed. The expected failure is presumably asserted by a test
/// attribute above this method (not shown).
/// </summary>
public void AuthnStatement_Invalid_SessionNotOnOrAfter()
{
    AuthnStatement expired = new AuthnStatement();
    expired.AuthnInstant = DateTime.UtcNow;
    // Session already ended an hour ago.
    expired.SessionNotOnOrAfter = DateTime.UtcNow.AddHours(-1);

    Assertion assertion = AssertionUtil.GetBasicAssertion();
    StatementAbstract[] existing = assertion.Items;
    StatementAbstract[] extended = new StatementAbstract[existing.Length + 1];
    Array.Copy(existing, extended, existing.Length);
    extended[existing.Length] = expired;
    assertion.Items = extended;

    // Second constructor argument is false here; its meaning is not visible in this listing.
    Saml20AssertionValidator validator = new Saml20AssertionValidator(AssertionUtil.GetAudiences(), false);
    // Zero allowed clock skew, so the stale SessionNotOnOrAfter cannot be tolerated.
    validator.ValidateTimeRestrictions(assertion, TimeSpan.Zero);
}