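/// <summary>
/// Builds the validating token handler for incoming SAML 2.0 bearer assertions.
/// Fails fast on missing validation inputs so a handler can never be created
/// without an audience, a recipient and a signing certificate to check against.
/// </summary>
/// <param name="options">Allowed audiences, expected recipient and the certificate assertions must be signed with.</param>
/// <exception cref="ArgumentNullException">
/// <paramref name="options"/> is null, or its Audience, Recipient or Certificate is null.
/// </exception>
public Saml2AssertionFactory(ISaml2AssertionValidationOptions options)
{
    // Guard the options object itself first: it was dereferenced unchecked before, so a
    // missing options instance surfaced as a NullReferenceException rather than an argument error.
    if (options == null)
        throw new ArgumentNullException("options");
    if (options.Audience == null)
        throw new ArgumentNullException("Audience");
    if (options.Recipient == null)
        throw new ArgumentNullException("Recipient");
    if (options.Certificate == null)
        throw new ArgumentNullException("Certificate"); // parameter name now matches the property, like the two checks above

    // NOTE(review): GetSecurityTokenHandlerConfiguration is virtual and is invoked from the
    // constructor, so an override in a derived class runs before that class's own constructor body.
    configuration = GetSecurityTokenHandlerConfiguration(options);
    tokenHandler = new Saml2BearerGrantSecurityTokenHandler(options.Recipient);
    tokenHandler.Configuration = configuration;
}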
        /// <summary>
        /// Builds the WIF handler configuration that decides which SAML 2.0 assertions this
        /// factory accepts: signed by the configured certificate, addressed to one of the
        /// configured audiences, and within a bounded clock skew.
        /// </summary>
        /// <param name="options">Source of the signing certificate and the allowed audience URIs.</param>
        /// <returns>A configuration pinned to <c>options.Certificate</c> and <c>options.Audience</c>.</returns>
        protected virtual SecurityTokenHandlerConfiguration GetSecurityTokenHandlerConfiguration(ISaml2AssertionValidationOptions options)
        {
            // Pin accepted issuers to this one certificate by thumbprint. The issuer name mapped to
            // it is the certificate's Issuer DN (the CA that signed it), not its Subject — confirm
            // that is the issuer name downstream claims are expected to carry.
            var trustedIssuers = new ConfigurationBasedIssuerNameRegistry();
            trustedIssuers.AddTrustedIssuer(options.Certificate.Thumbprint, options.Certificate.Issuer);

            // Every assertion must name one of these audiences (AudienceUriMode.Always). With no
            // audiences configured nothing can validate, which fails closed rather than open.
            var audienceRestriction = new AudienceRestriction(AudienceUriMode.Always);
            foreach (var audienceUri in options.Audience)
            {
                audienceRestriction.AllowedAudienceUris.Add(audienceUri);
            }

            // The configured certificate is the only token exposed to the handler, via the service
            // token resolver. NOTE(review): no IssuerTokenResolver is set here — confirm that
            // Saml2BearerGrantSecurityTokenHandler resolves signature keys from this resolver,
            // otherwise WIF's default issuer resolver would be consulted instead.
            var knownTokens = new List<SecurityToken> { new X509SecurityToken(options.Certificate) };
            var serviceTokenResolver = SecurityTokenResolver.CreateDefaultSecurityTokenResolver(knownTokens.AsReadOnly(), false);

            return new SecurityTokenHandlerConfiguration
            {
                AudienceRestriction = audienceRestriction,
                // ChainTrust requires the certificate to chain to a trusted root, but NoCheck skips
                // CRL/OCSP lookups, so a revoked signing certificate is still accepted. The thumbprint
                // pin above limits the exposure to the one configured certificate; reconsider NoCheck
                // if that certificate is CA-issued and revocation is a realistic scenario.
                CertificateValidator = X509CertificateValidator.ChainTrust,
                RevocationMode = X509RevocationMode.NoCheck,
                IssuerNameRegistry = trustedIssuers,
                // Tolerance WIF applies to the assertion's time-based conditions.
                MaxClockSkew = TimeSpan.FromMinutes(5),
                ServiceTokenResolver = serviceTokenResolver
            };
        }