public void Initiazlize()
{
CfCacheIndex.Initialize();
CfPerfCache.Initialize();
var cIdentity = new ClaimsIdentity(new List<Claim>() { new Claim("http://climbfind.com/claims/userid",jsk.ToString()) });
var ids = new ClaimsIdentityCollection(new List<ClaimsIdentity>() { cIdentity });
CfIdentity.Inject(new ClaimsPrincipal(ids));
}
IClaimsPrincipal AuthenticateSecurityToken(string endpoint, SecurityToken token)
{
ClaimsIdentityCollection claims = _handlers.ValidateToken(token);
IClaimsPrincipal principal = ClaimsPrincipal.CreateFromIdentities(claims);
return(CustomSecurityTokenServiceConfiguration.Current.ClaimsAuthenticationManager.Authenticate(endpoint, principal));
}
public override ClaimsIdentityCollection ValidateToken(SecurityToken token)
{
ClaimsIdentityCollection idColl = new ClaimsIdentityCollection();
IClaimsIdentity id = new ClaimsIdentity((token as MyCustomToken).Claims);
idColl.Add(id);
return(idColl);
}
private ClaimsIdentityCollection ValidateTokenCore(System.IdentityModel.Tokens.SecurityToken token, bool isActorToken)
{
JsonWebSecurityToken jsonWebSecurityToken = token as JsonWebSecurityToken;
if (jsonWebSecurityToken == null)
{
return(base.ValidateToken(token));
}
if (base.Configuration == null)
{
throw new System.InvalidOperationException("No configuration.");
}
if (base.Configuration.IssuerNameRegistry == null)
{
throw new System.InvalidOperationException("No issuername registry configured.");
}
this.ValidateLifetime(jsonWebSecurityToken);
this.ValidateAudience(jsonWebSecurityToken);
System.IdentityModel.Tokens.X509SecurityToken x509SecurityToken = jsonWebSecurityToken.IssuerToken as System.IdentityModel.Tokens.X509SecurityToken;
if (x509SecurityToken != null)
{
base.Configuration.CertificateValidator.Validate(x509SecurityToken.Certificate);
}
ClaimsIdentityCollection claimsIdentityCollection = new ClaimsIdentityCollection();
ClaimsIdentity claimsIdentity = new ClaimsIdentity("Federation");
if (!isActorToken && jsonWebSecurityToken.ActorToken != null)
{
ValidateActorTokenForAppOnly(jsonWebSecurityToken.ActorToken);
ClaimsIdentityCollection claimsIdentityCollection2 = this.ValidateActorToken(jsonWebSecurityToken.ActorToken);
if (claimsIdentityCollection2.Count > 1)
{
throw new System.IdentityModel.Tokens.SecurityTokenException("Invalid JWT token. Actor has multiple identities.");
}
claimsIdentity.Actor = claimsIdentityCollection2[0];
}
string issuerName = this.GetIssuerName(jsonWebSecurityToken);
foreach (JsonWebTokenClaim current in jsonWebSecurityToken.Claims)
{
if (claimsIdentity.Actor == null || !System.StringComparer.Ordinal.Equals("actortoken", current.ClaimType))
{
string text = current.Value;
if (text == null)
{
text = "NULL";
}
claimsIdentity.Claims.Add(new Claim(current.ClaimType, text, "http://www.w3.org/2001/XMLSchema#string", issuerName));
}
}
if (!isActorToken && base.Configuration.SaveBootstrapTokens)
{
claimsIdentity.BootstrapToken = token;
}
claimsIdentityCollection.Add(claimsIdentity);
return(claimsIdentityCollection);
}
/// <summary>
/// Validate the token received and create a ClaimsPrincipal accordingly.
/// </summary>
IClaimsPrincipal AuthenticateSecurityToken(string endpoint, SecurityToken token)
{
ClaimsIdentityCollection claims = _serviceConfiguration.SecurityTokenHandlers.ValidateToken(token);
IClaimsPrincipal principal = ClaimsPrincipal.CreateFromIdentities(claims);
//
// the ClaimsAuthenticationManager may be provided to adjust the claims received specifically for this RP
//
return(_serviceConfiguration.ClaimsAuthenticationManager.Authenticate(endpoint, principal));
}
/// <summary>
/// This method parses the incoming token and validates it.
/// </summary>
/// <param name="accessToken">The incoming access token.</param>
/// <param name="error">This out paramter is set if any error occurs.</param>
/// <returns>True on success, False on error.</returns>
protected bool ReadAndValidateToken(string accessToken, out ResourceAccessErrorResponse error)
{
bool tokenValid = false;
error = null;
SecurityToken token = null;
ClaimsIdentityCollection claimsIdentityCollection = null;
try
{
var handler = new SimpleWebTokenHandler(_issuer, _tokenSigningKey);
// read the token
token = handler.ReadToken(accessToken);
// validate the token
claimsIdentityCollection = handler.ValidateToken(token, _realm);
// create a claims Principal from the token
var claimsPrincipal = ClaimsPrincipal.CreateFromIdentities(claimsIdentityCollection);
if (claimsPrincipal != null)
{
tokenValid = true;
// push it through the pipeline
foreach (var step in authenticationPipeline)
{
claimsPrincipal = step.Authenticate(token, claimsPrincipal);
}
// assign to threads
if (HttpContext.Current != null)
{
HttpContext.Current.User = claimsPrincipal;
}
Thread.CurrentPrincipal = claimsPrincipal;
}
}
catch (InvalidTokenReceivedException ex)
{
error = new ResourceAccessErrorResponse(_realm, ex.ErrorCode, ex.ErrorDescription);
}
catch (ExpiredTokenReceivedException ex)
{
error = new ResourceAccessErrorResponse(_realm, ex.ErrorCode, ex.ErrorDescription);
}
catch (Exception)
{
error = new ResourceAccessErrorResponse(_realm, "SWT401", "Token validation failed");
}
return(tokenValid);
}
/// <summary>
/// Validates the token.
/// </summary>
/// <param name="token">The token.</param>
/// <returns>Collection of identity claims</returns>
public override ClaimsIdentityCollection ValidateToken(System.IdentityModel.Tokens.SecurityToken token)
{
UserNameSecurityToken userNameSecurityToken = token as UserNameSecurityToken;
MembershipProvider provider = Membership.Provider;
bool isValidated = provider.ValidateUser(userNameSecurityToken.UserName, userNameSecurityToken.Password);
ClaimsIdentity claimsIdentity = new ClaimsIdentity(new Claim[] { new Claim(System.IdentityModel.Claims.ClaimTypes.Name, userNameSecurityToken.UserName) });
ClaimsIdentityCollection claimIdentityCollection = new ClaimsIdentityCollection(new IClaimsIdentity[] { claimsIdentity });
return(claimIdentityCollection);
}
public override IClaimsIdentity ProcessSignInResponse(string realm, string originalUrl, HttpContextBase httpContext)
{
var token = FederatedAuthentication.WSFederationAuthenticationModule.GetSecurityToken(HttpContext.Current.Request);
FederatedAuthentication.ServiceConfiguration.AudienceRestriction.AllowedAudienceUris.Add(this.MultiProtocolIssuer.Identifier);
FederatedAuthentication.ServiceConfiguration.SecurityTokenHandlers.Configuration.CertificateValidator = X509CertificateValidator.None;
FederatedAuthentication.ServiceConfiguration.SecurityTokenHandlers.Configuration.IssuerNameRegistry = new SimpleIssuerNameRegistry(this.signingKeyThumbprint);
ClaimsIdentityCollection identities = FederatedAuthentication.ServiceConfiguration.SecurityTokenHandlers.ValidateToken(token);
return(identities[0]);
}
public void TestThatIssueAppendsClaimsToCallingClaimsPrincipal(string trustedUri, string identityCertificate, string mailAddress, int expectedAppendedClaims)
{
var fixture = new Fixture();
var identifyMock = MockRepository.GenerateMock <IIdentity>();
identifyMock.Expect(m => m.Name)
.Return(fixture.Create <string>())
.Repeat.Any();
identifyMock.Expect(m => m.IsAuthenticated)
.Return(true)
.Repeat.Any();
var claimsIdentityMock = MockRepository.GenerateMock <IClaimsIdentity>();
var claimsCollection = new ClaimCollection(claimsIdentityMock)
{
new Claim(ClaimTypes.Email, mailAddress)
};
claimsIdentityMock.Stub(m => m.Claims)
.Return(claimsCollection)
.Repeat.Any();
var claimsIdentityCollection = new ClaimsIdentityCollection(new List <IClaimsIdentity> {
claimsIdentityMock
});
var claimPrincipalMock = MockRepository.GenerateMock <IClaimsPrincipal>();
claimPrincipalMock.Stub(m => m.Identity)
.Return(identifyMock)
.Repeat.Any();
claimPrincipalMock.Stub(m => m.Identities)
.Return(claimsIdentityCollection)
.Repeat.Any();
var basicSecurityTokenService = new BasicSecurityTokenService(new BasicSecurityTokenServiceConfiguration());
Assert.That(basicSecurityTokenService, Is.Not.Null);
var request = new RequestSecurityToken
{
AppliesTo = new EndpointAddress(new Uri(trustedUri), new X509CertificateEndpointIdentity(TestHelper.GetCertificate(identityCertificate)), new AddressHeaderCollection())
};
var response = basicSecurityTokenService.Issue(claimPrincipalMock, request);
Assert.That(response, Is.Not.Null);
Assert.That(claimsCollection.Count, Is.EqualTo(1 + expectedAppendedClaims));
}
public override IClaimsIdentity ProcessSignInResponse(string realm, string originalUrl, HttpContextBase httpContext)
{
string localAuthorityRealm = realmFormat
.Replace("{tenantId}", tenantId)
.Replace("{appPrincipalId}", appPrincipalId);
var token = FederatedAuthentication.WSFederationAuthenticationModule.GetSecurityToken(HttpContext.Current.Request);
FederatedAuthentication.ServiceConfiguration.AudienceRestriction.AllowedAudienceUris.Add(new Uri(localAuthorityRealm));
FederatedAuthentication.ServiceConfiguration.SecurityTokenHandlers.Configuration.CertificateValidator = X509CertificateValidator.None;
FederatedAuthentication.ServiceConfiguration.SecurityTokenHandlers.Configuration.IssuerNameRegistry = new SimpleIssuerNameRegistry(this.signingKeyThumbprint);
ClaimsIdentityCollection identities = FederatedAuthentication.ServiceConfiguration.SecurityTokenHandlers.ValidateToken(token);
return(identities[0]);
}
public void Initiazlize()
{
CfCacheIndex.Initialize();
CfPerfCache.Initialize();
var cIdentity = new ClaimsIdentity(new List <Claim>()
{
new Claim("http://climbfind.com/claims/userid", jsk.ToString())
});
var ids = new ClaimsIdentityCollection(new List <ClaimsIdentity>()
{
cIdentity
});
CfIdentity.Inject(new ClaimsPrincipal(ids));
}
protected override void EstablishContext()
{
claimsIdentity = mocks.Stub<IClaimsIdentity>();
suppliedClaims = GetDefaultClaims(IncludeLeaClaim(), IncludeLeaCodeClaim());
suppliedClaimsCollect = new ClaimCollection(claimsIdentity);
suppliedClaimsCollect.AddRange(suppliedClaims);
identityCollection = new ClaimsIdentityCollection(Enumerable.Repeat(claimsIdentity, 1));
Expect.Call(claimsIdentity.Claims).Return(suppliedClaimsCollect);
principal = mocks.Stub<IClaimsPrincipal>();
Expect.Call(principal.Identity).Return(claimsIdentity);
Expect.Call(principal.Identities).Return(identityCollection);
}
/// <summary>
/// This method parses the incoming token and validates it.
/// </summary>
/// <param name="accessToken">The incoming access token.</param>
/// <param name="error">This out paramter is set if any error occurs.</param>
/// <returns>True on success, False on error.</returns>
protected bool ReadAndValidateToken(string accessToken, out ResourceAccessErrorResponse error)
{
bool tokenValid = false;
error = null;
SecurityToken token = null;
ClaimsIdentityCollection claimsIdentityCollection = null;
try
{
SimpleWebTokenHandler handler = new SimpleWebTokenHandler();
// read the token
token = handler.ReadToken(accessToken);
// validate the token
claimsIdentityCollection = handler.ValidateToken(token);
// create a claims Principal from the token
IClaimsPrincipal authenticatedClaimsPrincipal =
ServiceConfiguration.ClaimsAuthenticationManager.Authenticate(
HttpContext.Current.Request.Url.AbsoluteUri, new ClaimsPrincipal(claimsIdentityCollection));
if (authenticatedClaimsPrincipal != null)
{
tokenValid = true;
// Set the ClaimsPrincipal so that it is accessible to the application
SetPrincipal(authenticatedClaimsPrincipal);
}
}
catch (InvalidTokenReceivedException ex)
{
error = new ResourceAccessErrorResponse(realm, ex.ErrorCode, ex.ErrorDescription);
}
catch (ExpiredTokenReceivedException ex)
{
error = new ResourceAccessErrorResponse(realm, ex.ErrorCode, ex.ErrorDescription);
}
catch (Exception)
{
error = new ResourceAccessErrorResponse(realm, OAuthConstants.ErrorCode.InvalidToken, "Token validation failed");
}
return(tokenValid);
}
/// <summary>
/// This methos validates the Simple Web Token.
/// </summary>
/// <param name="token">A simple web token.</param>
/// <returns>A Claims Collection which contains all the claims from the token.</returns>
public ClaimsIdentityCollection ValidateToken(SecurityToken token, string key)
{
SimpleWebToken realToken = token as SimpleWebToken;
if (realToken == null)
{
throw new InvalidTokenReceivedException("The received token is of incorrect token type.Expected SimpleWebToken");
}
if (realToken.AudienceUri != OAuthConfiguration.Configuration.ServiceSettings.Realm)
{
throw new InvalidTokenReceivedException("The Audience Uri of the incoming token is not expected. Expected AudienceUri is " + OAuthConfiguration.Configuration.ServiceSettings.Realm);
}
if (StringComparer.OrdinalIgnoreCase.Compare(realToken.Issuer, OAuthConfiguration.Configuration.StsSettings.IssuerUri.ToString()) != 0)
{
throw new InvalidTokenReceivedException("The Issuer of the token is not trusted. Trusted issuer is " + OAuthConfiguration.Configuration.StsSettings.IssuerUri);
}
if (!realToken.SignVerify(Convert.FromBase64String(key)))
{
throw new InvalidTokenReceivedException("Signature verification of the incoming token failed.");
}
if (DateTime.Compare(realToken.ValidTo, DateTime.UtcNow) <= 0)
{
throw new ExpiredTokenReceivedException("The incoming token has expired. Get a new access token from the Authorization Server.");
}
ClaimsIdentityCollection identities = new ClaimsIdentityCollection();
ClaimsIdentity identity = new ClaimsIdentity();
foreach (var claim in realToken.Claims)
{
identity.Claims.Add(claim);
}
identities.Add(identity);
return(identities);
}
/// <summary>
/// Get Claims Principal from incoming response.
/// </summary>
/// <param name="rstr"></param>
/// <returns></returns>
private static IClaimsPrincipal GetClaimsIdentity(RequestSecurityTokenResponse rstr)
{
var rstrXml = rstr.RequestedSecurityToken.SecurityTokenXml;
if (rstrXml.OwnerDocument != null)
{
var xnm = new XmlNamespaceManager(rstrXml.OwnerDocument.NameTable);
xnm.AddNamespace(Microsoft.IdentityModel.Tokens.Saml2.Saml2Constants.Prefix, Microsoft.IdentityModel.Tokens.Saml2.Saml2Constants.Namespace);
}
XNamespace ast = "urn:oasis:names:tc:SAML:2.0:assertion";
var xElement = ToXElement(rstrXml);
var xElement1 = xElement.Element(ast + "Assertion");
if (xElement1 != null)
{
var attributeStatement1 = xElement1.Element(ast + "AttributeStatement");
if (attributeStatement1 != null)
{
var attributes1 = attributeStatement1.Elements(ast + "Attribute");
IClaimsIdentity claimsIdentity1 = new ClaimsIdentity();
foreach (var element in attributes1)
{
var claimType = element.Attribute("NameFormat") + "/" + element.Attribute("Name");
var value = element.Value;
var xAttribute = element.Attribute("Name");
if (xAttribute != null && xAttribute.Value == "urn:FirstName")
{
claimsIdentity1.Claims.Add(new Claim(ClaimTypes.Name, element.Value));
}
claimsIdentity1.Claims.Add(new Claim(claimType, value));
}
var claimsIdentitycol = new ClaimsIdentityCollection(new[] { claimsIdentity1 });
return(ClaimsPrincipal.CreateFromIdentities(claimsIdentitycol));
}
}
return(null);
}
public override ClaimsIdentityCollection ValidateToken(SecurityToken token)
{
UserNameSecurityToken unToken = token as UserNameSecurityToken;
if (unToken == null)
{
throw new ArgumentException("token");
}
// replace with proper password validation!
if (!(unToken.UserName == "demouser" && unToken.Password == "demouser"))
{
throw new SecurityTokenValidationException();
}
ClaimsIdentity id = new ClaimsIdentity(new List<Claim>
{
new Claim(WSIdentityConstants.ClaimTypes.Name, unToken.UserName)
}, "UserName");
var ids = new ClaimsIdentityCollection();
ids.Add(id);
return ids;
}
private ClaimDescriptionList ValidateToken(string authToken)
{
ClaimDescriptionList claimList = new ClaimDescriptionList();
ClaimsIdentityCollection claimsResult = this.dstsManager.ValidateToken(authToken);
List <ClaimDescription> claims = new List <ClaimDescription>();
for (int i = 0; i < claimsResult.Count; i++)
{
IClaimsIdentity claimIdentity = claimsResult[i];
foreach (Claim claim in claimIdentity.Claims)
{
ClaimDescription claimDescription = new ClaimDescription(
claim.ClaimType,
claim.Issuer,
claim.OriginalIssuer,
claim.Subject.ToString(),
claim.Value,
claim.ValueType);
claims.Add(claimDescription);
}
}
claimList.AddClaims(claims);
return(claimList);
}
protected R22ClaimsPrincipal(ClaimsIdentityCollection identityCollection, JsonWebToken token, string encryptedToken)
: base(identityCollection)
{
Token = token;
EncryptedToken = encryptedToken;
}
/// <summary>
/// Issues security token.
/// </summary>
/// <param name="requestParameters">
/// The request containing all information required to issue security token
/// according to OAuth v2 specification.
/// </param>
/// <returns>Issued token.</returns>
private Stream Issue(string requestParameters)
{
// That is not real issuer. Big idea here is to accept
// REST token request (OAuth has nothing in common with WSTrust)
// perform necessary validations/transformations, call real
// issuer and than make transformations again to form response.
var parameters = HttpUtility.ParseQueryString(requestParameters);
var grantType = GetParameterOrThrow(parameters, OAuthParameters.GrantType);
// Creating security token depending on grant type.
var securityToken = GetSecurityToken(parameters, grantType);
var wifConfiguration = ((OAuthIssuerServiceHost)OperationContext.Current.Host).Configuration;
ClaimsIdentityCollection identities = null;
try
{
// WIF would do this automatically but in RESTful case we are on our own.
identities = wifConfiguration.SecurityTokenHandlerCollectionManager[GetTokenUsage()].ValidateToken(securityToken);
}
catch (AudienceUriValidationFailedException)
{
throw new OAuthWebException(OAuthError.InvalidScope);
}
catch (SecurityTokenValidationException)
{
throw new OAuthWebException(OAuthError.InvalidGrant);
}
catch (Exception)
{
throw new OAuthWebException(HttpStatusCode.InternalServerError);
}
// Making things look like client called real issuer directly.
RequestSecurityTokenResponse rstr = null;
try
{
var rst = new RequestSecurityToken(RequestTypes.Issue)
{
TokenType = TokenTypeIdentifier,
AppliesTo = ContainsKey(parameters, OAuthParameters.Scope)
? new EndpointAddress(parameters[OAuthParameters.Scope])
: null
};
PrepareRequestSecurityToken(rst);
var securityTokenService = wifConfiguration.CreateSecurityTokenService();
rstr = securityTokenService.Issue(new ClaimsPrincipal(identities), rst);
}
catch (InvalidRequestException)
{
throw new OAuthWebException(OAuthError.InvalidScope);
}
catch (Exception)
{
throw new OAuthWebException(OAuthError.InvalidClient, "Failed to issue security token");
}
// Transforming issued token back to form that is expected by client.
var token = GetResponse(rstr.RequestedSecurityToken.SecurityToken);
if (token == null || !token.Validate())
{
throw new OAuthWebException(HttpStatusCode.InternalServerError);
}
var tokenString = JsonConvert.SerializeObject(token);
return(new MemoryStream(Encoding.ASCII.GetBytes(tokenString)));
}
/// <summary>
///
/// </summary>
/// <param name="token"></param>
/// <returns></returns>
public override ClaimsIdentityCollection ValidateToken(SecurityToken token)
{
if (null == token)
throw new ArgumentNullException("token");
SimpleWebToken webToken = token as SimpleWebToken;
if (null == webToken)
throw new SecurityTokenException("The token provided to ValidateToken must be a SimpleWebToken.");
if (false == webToken.IsSignatureValid())
throw new SecurityTokenException("Signature is invalid.");
if (webToken.ValidTo < DateTime.Now)
throw new SecurityTokenException("Token is expired");
if (false == IsIssuerTrusted(webToken))
throw new SecurityTokenException("Issuer not trusted");
if (false == IsAudienceTrusted(webToken))
throw new SecurityTokenException("Invalid audience");
ClaimsIdentityCollection identities = new ClaimsIdentityCollection();
identities.Add(CreateClaims(webToken.Values));
return identities;
}
private ClaimsIdentityCollection GetIdentitiesFromClaim(IClaimsPrincipal incomingPrincipal, string claimType, string claimValue)
{
ClaimsIdentityCollection ids = new ClaimsIdentityCollection();
foreach ( IClaimsIdentity identity in incomingPrincipal.Identities )
{
foreach (Claim c in identity.Claims)
{
if (c.ClaimType == claimType && c.Value == claimValue)
{
ids.Add(identity);
}
}
}
return ids;
}
/// <summary>
/// This methos validates the Simple Web Token.
/// </summary>
/// <param name="token">A simple web token.</param>
/// <returns>A Claims Collection which contains all the claims from the token.</returns>
public ClaimsIdentityCollection ValidateToken(SecurityToken token, string key)
{
SimpleWebToken realToken = token as SimpleWebToken;
if (realToken == null)
{
throw new InvalidTokenReceivedException("The received token is of incorrect token type.Expected SimpleWebToken");
}
if (realToken.AudienceUri != OAuthConfiguration.Configuration.ServiceSettings.Realm)
{
throw new InvalidTokenReceivedException("The Audience Uri of the incoming token is not expected. Expected AudienceUri is " + OAuthConfiguration.Configuration.ServiceSettings.Realm);
}
if (StringComparer.OrdinalIgnoreCase.Compare(realToken.Issuer, OAuthConfiguration.Configuration.StsSettings.IssuerUri.ToString()) != 0)
{
throw new InvalidTokenReceivedException("The Issuer of the token is not trusted. Trusted issuer is " + OAuthConfiguration.Configuration.StsSettings.IssuerUri);
}
if (!realToken.SignVerify(Convert.FromBase64String(key)))
{
throw new InvalidTokenReceivedException("Signature verification of the incoming token failed.");
}
if (DateTime.Compare(realToken.ValidTo, DateTime.UtcNow) <= 0)
{
throw new ExpiredTokenReceivedException("The incoming token has expired. Get a new access token from the Authorization Server.");
}
ClaimsIdentityCollection identities = new ClaimsIdentityCollection();
ClaimsIdentity identity = new ClaimsIdentity();
foreach (var claim in realToken.Claims)
{
identity.Claims.Add(claim);
}
identities.Add(identity);
return identities;
}
public ActionResult Authenticate(string ReturnUrl)
{
if (Request.Form.Get(WSFederationConstants.Parameters.Result) != null)
{
var settings = this.SettingsService.Retrieve();
// Parse sign-in response
SignInResponseMessage message =
WSFederationMessage.CreateFromFormPost(System.Web.HttpContext.Current.Request) as
SignInResponseMessage;
XmlTextReader xmlReader = new XmlTextReader(
new StringReader(message.Result));
XDocument xDoc = XDocument.Load(xmlReader);
XNamespace xNs = "http://schemas.xmlsoap.org/ws/2005/02/trust";
var rst = xDoc.Descendants(xNs + "RequestedSecurityToken").FirstOrDefault();
if (rst == null)
{
throw new ApplicationException("No RequestedSecurityToken element was found in the returned XML token. Ensure an unencrypted SAML 2.0 token is issued.");
}
var rstDesc = rst.Descendants().FirstOrDefault();
if (rstDesc == null)
{
throw new ApplicationException("No valid RequestedSecurityToken element was found in the returned XML token. Ensure an unencrypted SAML 2.0 token is issued.");
}
var config = new SecurityTokenHandlerConfiguration();
config.AudienceRestriction.AllowedAudienceUris.Add(new Uri(settings.AudienceUrl));
config.CertificateValidator = X509CertificateValidator.None;
config.IssuerNameRegistry = new AccessControlServiceIssuerRegistry(
settings.StsIssuerUrl, settings.X509CertificateThumbprint);
var securityTokenHandlers = new SecurityTokenHandlerCollection(config);
securityTokenHandlers.Add(new Saml11SecurityTokenHandler());
securityTokenHandlers.Add(new Saml2SecurityTokenHandler());
securityTokenHandlers.Add(new EncryptedSecurityTokenHandler());
var token = securityTokenHandlers.ReadToken(rstDesc.CreateReader());
ClaimsIdentityCollection claims = securityTokenHandlers.ValidateToken(token);
IPrincipal principal = new ClaimsPrincipal(claims);
// Map claims to local users
string roleClaimValue = "";
string usernameClaimValue = "";
string emailClaimValue = "";
foreach (var claimsIdentity in claims)
{
foreach (var claim in claimsIdentity.Claims)
{
if (claim.ClaimType == "http://schemas.microsoft.com/ws/2008/06/identity/claims/role" && settings.TranslateClaimsToOrchardRoles)
{
roleClaimValue = claim.Value;
}
else if (claim.ClaimType == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress" && settings.TranslateClaimsToOrchardUserProperties)
{
emailClaimValue = claim.Value;
}
else if (claim.ClaimType == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name")
{
usernameClaimValue = claim.Value;
}
else if (claim.ClaimType == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier" && string.IsNullOrEmpty(usernameClaimValue))
{
usernameClaimValue = claim.Value;
}
}
}
if (string.IsNullOrEmpty(usernameClaimValue))
{
throw new SecurityException("Could not determine username from input claims. Ensure a \"http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name\" or \"http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier\" claim is issued by the STS.");
}
IUser user = MembershipService.GetUser(settings.FederatedUsernamePrefix + usernameClaimValue);
if (user == null)
{
user = MembershipService.CreateUser(new CreateUserParams(settings.FederatedUsernamePrefix + usernameClaimValue,
Guid.NewGuid().ToString(), emailClaimValue,
Guid.NewGuid().ToString(), Guid.NewGuid().ToString(), true));
}
AuthenticationService.SignIn(user, false);
if (!string.IsNullOrEmpty(roleClaimValue))
{
var role = RoleService.GetRoleByName(roleClaimValue);
if (role != null)
{
UserRolesPartRecord currentRole =
UserRolesRepository.Get(r => r.UserId == user.Id && r.Role == role);
if (currentRole == null)
{
UserRolesRepository.Create(new UserRolesPartRecord {
UserId = user.Id, Role = role
});
}
}
}
}
return(new RedirectResult(ReturnUrl));
}
public CustomerClaimsPrincipal(ClaimsIdentityCollection identityCollection, JsonWebToken token, string encryptedToken)
: base(identityCollection, token, encryptedToken)
{
}
/// <summary>
/// Override this method to return the content of the issued token. The content is represented as a set of
/// IClaimIdentity instances. Each instance corresponds to a single issued token.
/// </summary>
/// <param name="scope">The scope that was previously returned by GetScope</param>
/// <param name="principal">The caller's principal</param>
/// <param name="request">The incoming RST, actual token request</param>
/// <returns>A collection of ClaimsIdentity that contain claims so that they can be sent back inside the issued token</returns>
protected override IClaimsIdentity GetOutputClaimsIdentity(IClaimsPrincipal principal, RequestSecurityToken request, Scope scope)
{
IClaimsIdentity callerIdentity = principal.Identity as IClaimsIdentity;
List <Claim> claims = new List <Claim>();
Claim nameValue = new Claim(ClaimTypes.Name, callerIdentity.Name);
claims.Add(nameValue);
//
// Find the authentication method claim.
//
string authenticationMethod = GetAuthStrengthClaim(callerIdentity);
//
// If no authentication method claim was found, use the AuthenticationType that was set on the caller's identity.
//
if (String.IsNullOrEmpty(authenticationMethod))
{
authenticationMethod = callerIdentity.AuthenticationType;
}
//
// Add an authentication method claim if found.
//
if (!String.IsNullOrEmpty(authenticationMethod))
{
//
// Propagate the original authentication method claim. This may be used at the RP to verify authentication strength.
//
claims.Add(new Claim(ClaimTypes.AuthenticationMethod, authenticationMethod));
}
//
// Add an authentication instant claim.
//
claims.Add(new Claim(ClaimTypes.AuthenticationInstant, XmlConvert.ToString(DateTime.Now.ToUniversalTime(), "yyyy-MM-ddTHH:mm:ss.fffZ")));
//
// We send back high assurance claims only when the authentication method is X509.
// The authenticationMethod value dictates whether high assurance claims need to be sent or not.
//
if (authenticationMethod == AuthenticationMethods.X509)
{
//
// Date of Birth claim
//
Claim dobClaim = new Claim(ClaimTypes.DateOfBirth, "Jan 01, 1980");
claims.Add(dobClaim);
//
// Resident zip code claim
//
Claim zipClaim = new Claim(ClaimTypes.PostalCode, "98052");
claims.Add(zipClaim);
//
// Phone number claim
//
Claim phoneClaim = new Claim(ClaimTypes.MobilePhone, "425-123-0000");
claims.Add(phoneClaim);
}
ClaimsIdentityCollection collection = new ClaimsIdentityCollection();
ClaimsIdentity outputIdentity = new ClaimsIdentity(claims);
return(outputIdentity);
}
/// <summary>
/// Get Claims Principal from incoming response.
/// </summary>
/// <param name="rstr"></param>
/// <returns></returns>
private static IClaimsPrincipal GetClaimsIdentity(RequestSecurityTokenResponse rstr)
{
var rstrXml = rstr.RequestedSecurityToken.SecurityTokenXml;
if (rstrXml.OwnerDocument != null)
{
var xnm = new XmlNamespaceManager(rstrXml.OwnerDocument.NameTable);
xnm.AddNamespace(Microsoft.IdentityModel.Tokens.Saml2.Saml2Constants.Prefix, Microsoft.IdentityModel.Tokens.Saml2.Saml2Constants.Namespace);
}
XNamespace ast = "urn:oasis:names:tc:SAML:2.0:assertion";
var xElement = ToXElement(rstrXml);
var xElement1 = xElement.Element(ast + "Assertion");
if (xElement1 != null)
{
var attributeStatement1 = xElement1.Element(ast + "AttributeStatement");
if (attributeStatement1 != null)
{
var attributes1 = attributeStatement1.Elements(ast + "Attribute");
IClaimsIdentity claimsIdentity1 = new ClaimsIdentity();
foreach (var element in attributes1)
{
var claimType = element.Attribute("NameFormat") + "/" + element.Attribute("Name");
var value = element.Value;
var xAttribute = element.Attribute("Name");
if (xAttribute != null && xAttribute.Value == "urn:FirstName")
claimsIdentity1.Claims.Add(new Claim(ClaimTypes.Name, element.Value));
claimsIdentity1.Claims.Add(new Claim(claimType, value));
}
var claimsIdentitycol = new ClaimsIdentityCollection(new[] { claimsIdentity1 });
return ClaimsPrincipal.CreateFromIdentities(claimsIdentitycol);
}
}
return null;
}
public override ClaimsIdentityCollection ValidateToken(SecurityToken token)
{
CustomTextTraceSource ts = new CustomTextTraceSource("IdpSts.CustomUserNameSecurityTokenHandler.ValidateToken",
"MyTraceSource", SourceLevels.Information);
//StackTracer.TraceStack(ts);
UserNameSecurityToken usernameToken = token as UserNameSecurityToken;
if (usernameToken == null)
{
throw new ArgumentException("usernameToken", "The security token is not a valid username security token.");
}
// will throw if fails
UsernameCredentialStore.AuthenticateUser(usernameToken.UserName, usernameToken.Password);
ClaimsIdentityCollection identities = new ClaimsIdentityCollection();
IClaimsIdentity claimsIdentity = new ClaimsIdentity("CustomUserNameSecurityTokenHandler");
claimsIdentity.Claims.Add(new Claim(System.IdentityModel.Claims.ClaimTypes.Name, usernameToken.UserName));
identities.Add(claimsIdentity);
return identities;
}
