internal IdentityProvider(IdentityProviderElement config, ISPOptions spOptions)
{
singleSignOnServiceUrl = config.DestinationUrl;
EntityId = new EntityId(config.EntityId);
binding = config.Binding;
AllowUnsolicitedAuthnResponse = config.AllowUnsolicitedAuthnResponse;
metadataUrl = config.MetadataUrl;
LoadMetadata = config.LoadMetadata;
this.spOptions = spOptions;
var certificate = config.SigningCertificate.LoadCertificate();
if (certificate != null)
{
signingKey = certificate.PublicKey.Key;
}
try
{
if (LoadMetadata)
{
DoLoadMetadata();
}
Validate();
}
catch (WebException)
{
// If we had a web exception, the metadata failed. It will
// be automatically retried.
}
}
/// <summary>
/// Gets the certificate specifications.
/// </summary>
/// <param name="endpoint">The endpoint.</param>
/// <returns>A list of certificate validation specifications for this endpoint</returns>
public static List <ICertificateSpecification> GetCertificateSpecifications(IdentityProviderElement endpoint)
{
var specs = new List <ICertificateSpecification>();
if (endpoint.CertificateValidations != null && endpoint.CertificateValidations.Count > 0)
{
foreach (var elem in endpoint.CertificateValidations)
{
try
{
var val = (ICertificateSpecification)Activator.CreateInstance(Type.GetType(elem.Type));
specs.Add(val);
}
catch (Exception e)
{
Logging.LoggerProvider.LoggerFor(typeof(SpecificationFactory)).Error(e.Message, e);
}
}
}
if (specs.Count == 0)
{
// Add default specification
specs.Add(new DefaultCertificateSpecification());
}
return(specs);
}
public IdentityProvider(IdentityProviderElement config)
{
DestinationUri = config.DestinationUri;
Issuer = config.Issuer;
Binding = config.Binding;
certificate = config.SigningCertificate.LoadCertificate();
}
internal IdentityProvider(IdentityProviderElement config, ISPOptions spOptions)
{
singleSignOnServiceUrl = config.DestinationUrl;
EntityId = new EntityId(config.EntityId);
binding = config.Binding;
AllowUnsolicitedAuthnResponse = config.AllowUnsolicitedAuthnResponse;
metadataUrl = config.MetadataUrl;
var certificate = config.SigningCertificate.LoadCertificate();
if (certificate != null)
{
signingKeys.AddConfiguredItem(certificate.PublicKey.Key);
}
// If configured to load metadata, this will immediately do the load.
LoadMetadata = config.LoadMetadata;
this.spOptions = spOptions;
// Validate if values are only from config. If metadata is loaded, validation
// is done on metadata load.
if (!LoadMetadata)
{
Validate();
}
}
internal IdentityProvider(IdentityProviderElement config, SPOptions spOptions)
{
singleSignOnServiceUrl = config.SignOnUrl;
SingleLogoutServiceUrl = config.LogoutUrl;
EntityId = new EntityId(config.EntityId);
binding = config.Binding;
AllowUnsolicitedAuthnResponse = config.AllowUnsolicitedAuthnResponse;
metadataLocation = string.IsNullOrEmpty(config.MetadataLocation)
? null : config.MetadataLocation;
WantAuthnRequestsSigned = config.WantAuthnRequestsSigned;
var certificate = config.SigningCertificate.LoadCertificate();
if (certificate != null)
{
signingKeys.AddConfiguredKey(
new X509RawDataKeyIdentifierClause(certificate));
}
foreach (var ars in config.ArtifactResolutionServices)
{
ArtifactResolutionServiceUrls[ars.Index] = ars.Location;
}
// If configured to load metadata, this will immediately do the load.
this.spOptions = spOptions;
LoadMetadata = config.LoadMetadata;
// Validate if values are only from config. If metadata is loaded, validation
// is done on metadata load.
if (!LoadMetadata)
{
Validate();
}
}
private static void TestMissingConfig(IdentityProviderElement config, string missingElement)
{
Action a = () => new IdentityProvider(config, Options.FromConfiguration.SPOptions);
string expectedMessage = "Missing " + missingElement + " configuration on Idp " + config.EntityId + ".";
a.ShouldThrow <ConfigurationErrorsException>(expectedMessage);
}
/// <summary>
/// Performs the attribute query against the specified IdP endpoint and adds the resulting attributes to <c>Saml20Identity.Current</c>.
/// </summary>
/// <param name="context">The http context.</param>
/// <param name="endPoint">The IdP to perform the query against.</param>
public void PerformQuery(HttpContext context, IdentityProviderElement endPoint)
{
var nameIdFormat = StateService.Get <string>(Saml20AbstractEndpointHandler.IdpNameIdFormat);
if (string.IsNullOrEmpty(nameIdFormat))
{
nameIdFormat = Saml20Constants.NameIdentifierFormats.Persistent;
}
PerformQuery(context, endPoint, nameIdFormat);
}
/// <summary>
/// Performs the attribute query against the specified IdP endpoint and adds the resulting attributes to <c>Saml20Identity.Current</c>.
/// </summary>
/// <param name="context">The http context.</param>
/// <param name="endPoint">The IdP to perform the query against.</param>
/// <param name="nameIdFormat">The name id format.</param>
public void PerformQuery(HttpContext context, IdentityProviderElement endPoint, string nameIdFormat)
{
Logger.DebugFormat("{0}.{1} called", GetType(), "PerformQuery()");
var builder = new HttpSoapBindingBuilder(context);
var name = new NameId
{
Value = Saml20Identity.Current.Name,
Format = nameIdFormat
};
_attrQuery.Subject.Items = new object[] { name };
_attrQuery.SamlAttribute = _attributes.ToArray();
var query = new XmlDocument();
query.LoadXml(Serialization.SerializeToXmlString(_attrQuery));
XmlSignatureUtils.SignDocument(query, Id);
if (query.FirstChild is XmlDeclaration)
{
query.RemoveChild(query.FirstChild);
}
Logger.DebugFormat(TraceMessages.AttrQuerySent, endPoint.Metadata.GetAttributeQueryEndpointLocation(), query.OuterXml);
Stream s;
try
{
s = builder.GetResponse(endPoint.Metadata.GetAttributeQueryEndpointLocation(), query.OuterXml, endPoint.AttributeQuery);
}
catch (Exception e)
{
Logger.Error(e.Message, e);
throw;
}
var parser = new HttpSoapBindingParser(s);
var status = parser.GetStatus();
if (status.StatusCode.Value != Saml20Constants.StatusCodes.Success)
{
Logger.ErrorFormat(ErrorMessages.AttrQueryStatusNotSuccessful, Serialization.SerializeToXmlString(status));
throw new Saml20Exception(status.StatusMessage);
}
bool isEncrypted;
var xmlAssertion = Saml20SignonHandler.GetAssertion(parser.SamlMessage, out isEncrypted);
if (isEncrypted)
{
var ass = new Saml20EncryptedAssertion((RSA)Saml2Config.GetConfig().ServiceProvider.SigningCertificat
private static void AddIdP(SustainsysSaml2Section section, IdentityProviderElement newProvider)
{
var isReadonly = typeof(ConfigurationElementCollection).GetField("bReadOnly",
System.Reflection.BindingFlags.NonPublic | System.Reflection.BindingFlags.Instance);
isReadonly.SetValue(section.IdentityProviders, false);
var providers = typeof(ConfigurationElementCollection).GetMethod("BaseAdd",
System.Reflection.BindingFlags.NonPublic | System.Reflection.BindingFlags.Instance,
null, new[] { typeof(ConfigurationElement) }, null);
providers.Invoke(section.IdentityProviders, new[] { newProvider });
}
private IdentityProviderElement CreateConfig()
{
var config = new IdentityProviderElement();
config.AllowConfigEdit(true);
config.Binding = Saml2BindingType.HttpPost;
config.SigningCertificate = new CertificateElement();
config.SigningCertificate.AllowConfigEdit(true);
config.SigningCertificate.FileName = "Kentor.AuthServices.Tests.pfx";
config.SignOnUrl = new Uri("http://idp.example.com/acs");
config.EntityId = "http://idp.example.com";
return(config);
}
/// <summary>
/// Handles a request.
/// </summary>
/// <param name="context">The context.</param>
protected override void Handle(HttpContext context)
{
Logger.Debug(TraceMessages.LogoutHandlerCalled);
// Some IDP's are known to fail to set an actual value in the SOAPAction header
// so we just check for the existence of the header field.
if (Array.Exists(context.Request.Headers.AllKeys, s => s == SoapConstants.SoapAction))
{
HandleSoap(context, context.Request.InputStream);
return;
}
if (!string.IsNullOrEmpty(context.Request.Params["SAMLart"]))
{
HandleArtifact(context);
return;
}
if (!string.IsNullOrEmpty(context.Request.Params["SAMLResponse"]))
{
HandleResponse(context);
}
else if (!string.IsNullOrEmpty(context.Request.Params["SAMLRequest"]))
{
HandleRequest(context);
}
else
{
IdentityProviderElement idpEndpoint = null;
var idpId = StateService.Get <string>(IdpSessionIdKey);
if (!string.IsNullOrEmpty(idpId))
{
idpEndpoint = RetrieveIDPConfiguration(StateService.Get <string>(IdpLoginSessionKey));
}
if (idpEndpoint == null)
{
// TODO: Reconsider how to accomplish this.
context.User = null;
FormsAuthentication.SignOut();
Logger.ErrorFormat(ErrorMessages.UnknownIdentityProvider, string.Empty);
throw new Saml20Exception(string.Format(ErrorMessages.UnknownIdentityProvider, string.Empty));
}
TransferClient(idpEndpoint, context);
}
}
internal IdentityProvider(IdentityProviderElement config)
{
AssertionConsumerServiceUrl = config.DestinationUri;
EntityId = new EntityId(config.EntityId);
Binding = config.Binding;
AllowUnsolicitedAuthnResponse = config.AllowUnsolicitedAuthnResponse;
var certificate = config.SigningCertificate.LoadCertificate();
if (certificate != null)
{
SigningKey = certificate.PublicKey.Key;
}
if (config.LoadMetadata)
{
LoadMetadata();
}
Validate();
}
/// <summary>
/// This method converts the received SAML assertion into an <see cref="IPrincipal"/>.
/// </summary>
/// <param name="assertion">The assertion.</param>
/// <param name="point">The point.</param>
/// <returns>The <see cref="IPrincipal"/>.</returns>
internal static IPrincipal InitSaml20Identity(Saml20Assertion assertion, IdentityProviderElement point)
{
var isPersistentPseudonym = assertion.Subject.Format == Saml20Constants.NameIdentifierFormats.Persistent;
// Protocol-level support for persistent pseudonyms: If a mapper has been configured, use it here before constructing the principal.
var subjectIdentifier = assertion.Subject.Value;
if (isPersistentPseudonym && point.PersistentPseudonym != null)
{
var persistentPseudonymMapper = point.PersistentPseudonym.GetMapper();
if (persistentPseudonymMapper != null)
{
subjectIdentifier = persistentPseudonymMapper.MapIdentity(assertion.Subject);
}
}
// Create identity
var identity = new Saml20Identity(subjectIdentifier, assertion.Attributes, isPersistentPseudonym ? assertion.Subject.Value : null);
return(new GenericPrincipal(identity, new string[] { }));
}
private IdentityProvider ToIdentityProvider(IdentityProviderElement idp)
{
return(new IdentityProvider
{
AllowIdPInitiatedSso = idp.AllowIdPInitiatedSso,
AllowReplayAttacks = idp.AllowReplayAttacks,
ArtifactResolution = ToArtifactResolution(idp.ArtifactResolution),
AttributeQuery = ToAttributeQuery(idp.AttributeQuery),
CertificateValidationTypes = idp.CertificateValidations.Select(v => v.Type).ToList(),
CommonDomainCookie = idp.CommonDomainCookie.AllKeys.ToDictionary(k => k, k => idp.CommonDomainCookie[k].Value),
Default = idp.Default,
Endpoints = new IdentityProviderEndpoints(idp.Endpoints.Select(e => ToIdentityProviderEndpoint(e))),
ForceAuth = idp.ForceAuth,
Id = idp.Id,
IsPassive = idp.IsPassive,
Metadata = idp.Metadata,
Name = idp.Name,
OmitAssertionSignatureCheck = idp.OmitAssertionSignatureCheck,
PersistentPseudonym = ToPersistentPseudonym(idp.PersistentPseudonym),
QuirksMode = idp.QuirksMode,
ResponseEncoding = idp.ResponseEncoding
});
}
/// <summary>
/// Transfers the client.
/// </summary>
/// <param name="idp">The identity provider.</param>
/// <param name="context">The context.</param>
private void TransferClient(IdentityProviderElement idp, HttpContext context)
{
var request = Saml20LogoutRequest.GetDefault();
// Determine which endpoint to use from the configuration file or the endpoint metadata.
var destination = DetermineEndpointConfiguration(BindingType.Redirect, idp.Endpoints.LogoutEndpoint, idp.Metadata.IDPSLOEndpoints);
request.Destination = destination.Url;
var nameIdFormat = StateService.Get <string>(IdpNameIdFormat);
request.SubjectToLogOut.Format = nameIdFormat;
// Handle POST binding
if (destination.Binding == BindingType.Post)
{
var builder = new HttpPostBindingBuilder(destination);
request.Destination = destination.Url;
request.Reason = Saml20Constants.Reasons.User;
request.SubjectToLogOut.Value = StateService.Get <string>(IdpNameId);
request.SessionIndex = StateService.Get <string>(IdpSessionIdKey);
var requestDocument = request.GetXml();
XmlSignatureUtils.SignDocument(requestDocument, request.Id);
builder.Request = requestDocument.OuterXml;
Logger.DebugFormat(TraceMessages.LogoutRequestSent, idp.Id, "POST", builder.Request);
builder.GetPage().ProcessRequest(context);
context.Response.End();
return;
}
// Handle Redirect binding
if (destination.Binding == BindingType.Redirect)
{
request.Destination = destination.Url;
request.Reason = Saml20Constants.Reasons.User;
request.SubjectToLogOut.Value = StateService.Get <string>(IdpNameId);
request.SessionIndex = StateService.Get <string>(IdpSessionIdKey);
var builder = new HttpRedirectBindingBuilder
{
Request = request.GetXml().OuterXml,
SigningKey = Saml2Config.GetConfig().ServiceProvider.SigningCertificate.GetCertificate().PrivateKey
};
var redirectUrl = destination.Url + "?" + builder.ToQuery();
Logger.DebugFormat(TraceMessages.LogoutRequestSent, idp.Id, "REDIRECT", redirectUrl);
context.Response.Redirect(redirectUrl, true);
return;
}
// Handle Artifact binding
if (destination.Binding == BindingType.Artifact)
{
request.Destination = destination.Url;
request.Reason = Saml20Constants.Reasons.User;
request.SubjectToLogOut.Value = StateService.Get <string>(IdpNameId);
request.SessionIndex = StateService.Get <string>(IdpSessionIdKey);
Logger.DebugFormat(TraceMessages.LogoutRequestSent, idp.Id, "ARTIFACT", request.GetXml().OuterXml);
var builder = new HttpArtifactBindingBuilder(context);
builder.RedirectFromLogout(destination, request, Guid.NewGuid().ToString("N"));
}
Logger.Error(ErrorMessages.EndpointBindingInvalid);
throw new Saml20Exception(ErrorMessages.EndpointBindingInvalid);
}
private static void WriteIdPSettings(string samlLoginUrl, string samlThumbprint, string idp, IdentityProviderElement newProvider, CertificateElement newCert)
{
var providerReadonly = typeof(IdentityProviderElement).GetField("isReadOnly", System.Reflection.BindingFlags.NonPublic | System.Reflection.BindingFlags.Instance);
providerReadonly.SetValue(newProvider, false);
var providerIndexer = typeof(IdentityProviderElement).GetProperties(System.Reflection.BindingFlags.NonPublic | System.Reflection.BindingFlags.Instance)
.First(p => p.GetIndexParameters().Select(i => i.ParameterType).SequenceEqual(new[] { typeof(string) }));
providerIndexer.SetValue(newProvider, idp, new[] { "entityId" });
providerIndexer.SetValue(newProvider, new System.Uri(samlLoginUrl), new[] { "signOnUrl" });
providerIndexer.SetValue(newProvider, true, new[] { "allowUnsolicitedAuthnResponse" });
providerIndexer.SetValue(newProvider, Saml2BindingType.HttpRedirect, new[] { "binding" });
var certReadonly = typeof(CertificateElement).GetField("isReadOnly", System.Reflection.BindingFlags.NonPublic | System.Reflection.BindingFlags.Instance);
certReadonly.SetValue(newCert, false);
var certIndexer = typeof(IdentityProviderElement).GetProperties(System.Reflection.BindingFlags.NonPublic | System.Reflection.BindingFlags.Instance)
.First(p => p.GetIndexParameters().Select(i => i.ParameterType).SequenceEqual(new[] { typeof(string) }));
certIndexer.SetValue(newCert, StoreName.My, new[] { "storeName" });
certIndexer.SetValue(newCert, StoreLocation.CurrentUser, new[] { "storeLocation" });
certIndexer.SetValue(newCert, X509FindType.FindByThumbprint, new[] { "x509FindType" });
certIndexer.SetValue(newCert, samlThumbprint, new[] { "findValue" });
providerIndexer.SetValue(newProvider, newCert, new[] { "signingCertificate" });
}
/// <summary>
/// Gets the trusted signers.
/// </summary>
/// <param name="keys">The keys.</param>
/// <param name="identityProvider">The identity provider.</param>
/// <returns>List of trusted certificate signers.</returns>
public static IEnumerable <AsymmetricAlgorithm> GetTrustedSigners(ICollection <KeyDescriptor> keys, IdentityProviderElement identityProvider)
{
if (keys == null)
{
throw new ArgumentNullException("keys");
}
var result = new List <AsymmetricAlgorithm>(keys.Count);
foreach (var keyDescriptor in keys)
{
foreach (KeyInfoClause clause in (KeyInfo)keyDescriptor.KeyInfo)
{
// Check certificate specifications
if (clause is KeyInfoX509Data)
{
var cert = XmlSignatureUtils.GetCertificateFromKeyInfo((KeyInfoX509Data)clause);
if (!CertificateSatisfiesSpecifications(identityProvider, cert))
{
continue;
}
}
var key = XmlSignatureUtils.ExtractKey(clause);
result.Add(key);
}
}
return(result);
}
public static string SetIdpConfiguration(Context context, int tenantId, bool startup = false)
{
var contractSettings = TenantUtilities.GetContractSettings(context, tenantId);
if (contractSettings == null ||
contractSettings.SamlCompanyCode.IsNullOrEmpty() ||
contractSettings.SamlLoginUrl.IsNullOrEmpty() ||
contractSettings.SamlThumbprint.IsNullOrEmpty())
{
return(null);
}
if (!FindCert(context, contractSettings.SamlThumbprint))
{
return(null);
}
try
{
var section = (SustainsysSaml2Section)ConfigurationManager.GetSection("sustainsys.saml2");
var loginUrl = contractSettings.SamlLoginUrl;
var idp = loginUrl.TrimEnd(new[] { '/' }).Substring(0, loginUrl.LastIndexOf('/') + 1);
if (processing)
{
System.Threading.Thread.Sleep(300);
}
if (processing == false)
{
processing = true;
try
{
IdentityProviderElement newProvider = null;
CertificateElement newCert = null;
var provider = section.IdentityProviders.FirstOrDefault(p => p.EntityId == idp);
if (provider != null)
{
string signOnUrl = provider.SignOnUrl.ToString();
string findValue = provider.SigningCertificate.FindValue;
if (signOnUrl == contractSettings.SamlLoginUrl &&
findValue == contractSettings.SamlThumbprint)
{
return($"~/Saml2/SignIn?idp={idp}");
}
else
{
newProvider = provider;
newCert = provider.SigningCertificate;
WriteIdPSettings(contractSettings?.SamlLoginUrl, contractSettings?.SamlThumbprint, idp, newProvider, newCert);
try
{
var spOptions = new SPOptions(SustainsysSaml2Section.Current);
var options = new Options(spOptions);
SustainsysSaml2Section.Current.IdentityProviders.RegisterIdentityProviders(options);
SustainsysSaml2Section.Current.Federations.RegisterFederations(options);
var optionsFromConfiguration = typeof(Options).GetField("optionsFromConfiguration",
System.Reflection.BindingFlags.NonPublic | System.Reflection.BindingFlags.Static);
optionsFromConfiguration.SetValue(null, new Lazy <Options>(() => options, true));
Sustainsys.Saml2.Mvc.Saml2Controller.Options = Options.FromConfiguration;
}
catch
{
WriteIdPSettings(signOnUrl, findValue, idp, newProvider, newCert);
throw;
}
}
}
else
{
newProvider = new IdentityProviderElement();
newCert = new CertificateElement();
WriteIdPSettings(contractSettings?.SamlLoginUrl, contractSettings?.SamlThumbprint, idp, newProvider, newCert);
AddIdP(section, newProvider);
if (startup == false)
{
var spOptions = new SPOptions(SustainsysSaml2Section.Current);
var options = new Options(spOptions);
SustainsysSaml2Section.Current.IdentityProviders.RegisterIdentityProviders(options);
SustainsysSaml2Section.Current.Federations.RegisterFederations(options);
var optionsFromConfiguration = typeof(Options).GetField("optionsFromConfiguration",
System.Reflection.BindingFlags.NonPublic | System.Reflection.BindingFlags.Static);
optionsFromConfiguration.SetValue(null, new Lazy <Options>(() => options, true));
Sustainsys.Saml2.Mvc.Saml2Controller.Options = Options.FromConfiguration;
}
}
}
finally
{
processing = false;
}
}
return($"~/Saml2/SignIn?idp={idp}");
}
catch (System.Exception e)
{
new SysLogModel(context, e);
return(null);
}
}
/// <summary>
/// Transfers the client.
/// </summary>
/// <param name="identityProvider">The identity provider.</param>
/// <param name="request">The request.</param>
/// <param name="context">The context.</param>
private void TransferClient(IdentityProviderElement identityProvider, Saml20AuthnRequest request, HttpContext context)
{
// Set the last IDP we attempted to login at.
StateService.Set(IdpTempSessionKey, identityProvider.Id);
// Determine which endpoint to use from the configuration file or the endpoint metadata.
var destination = DetermineEndpointConfiguration(BindingType.Redirect, identityProvider.Endpoints.SignOnEndpoint, identityProvider.Metadata.SSOEndpoints);
request.Destination = destination.Url;
if (identityProvider.ForceAuth)
{
request.ForceAuthn = true;
}
// Check isPassive status
var isPassiveFlag = StateService.Get <bool?>(IdpIsPassive);
if (isPassiveFlag != null && (bool)isPassiveFlag)
{
request.IsPassive = true;
StateService.Set(IdpIsPassive, null);
}
if (identityProvider.IsPassive)
{
request.IsPassive = true;
}
// Check if request should forceAuthn
var forceAuthnFlag = StateService.Get <bool?>(IdpForceAuthn);
if (forceAuthnFlag != null && (bool)forceAuthnFlag)
{
request.ForceAuthn = true;
StateService.Set(IdpForceAuthn, null);
}
// Check if protocol binding should be forced
if (identityProvider.Endpoints.SignOnEndpoint != null)
{
if (!string.IsNullOrEmpty(identityProvider.Endpoints.SignOnEndpoint.ForceProtocolBinding))
{
request.ProtocolBinding = identityProvider.Endpoints.SignOnEndpoint.ForceProtocolBinding;
}
}
// Save request message id to session
StateService.Set(ExpectedInResponseToSessionKey, request.Id);
switch (destination.Binding)
{
case BindingType.Redirect:
Logger.DebugFormat(TraceMessages.AuthnRequestPrepared, identityProvider.Id, Saml20Constants.ProtocolBindings.HttpRedirect);
var redirectBuilder = new HttpRedirectBindingBuilder
{
SigningKey = _certificate.PrivateKey,
Request = request.GetXml().OuterXml
};
Logger.DebugFormat(TraceMessages.AuthnRequestSent, redirectBuilder.Request);
var redirectLocation = request.Destination + (request.Destination.Contains("?") ? "&" : "?") + redirectBuilder.ToQuery();
context.Response.Redirect(redirectLocation, true);
break;
case BindingType.Post:
Logger.DebugFormat(TraceMessages.AuthnRequestPrepared, identityProvider.Id, Saml20Constants.ProtocolBindings.HttpPost);
var postBuilder = new HttpPostBindingBuilder(destination);
// Honor the ForceProtocolBinding and only set this if it's not already set
if (string.IsNullOrEmpty(request.ProtocolBinding))
{
request.ProtocolBinding = Saml20Constants.ProtocolBindings.HttpPost;
}
var requestXml = request.GetXml();
XmlSignatureUtils.SignDocument(requestXml, request.Id);
postBuilder.Request = requestXml.OuterXml;
Logger.DebugFormat(TraceMessages.AuthnRequestSent, postBuilder.Request);
postBuilder.GetPage().ProcessRequest(context);
break;
case BindingType.Artifact:
Logger.DebugFormat(TraceMessages.AuthnRequestPrepared, identityProvider.Id, Saml20Constants.ProtocolBindings.HttpArtifact);
var artifactBuilder = new HttpArtifactBindingBuilder(context);
// Honor the ForceProtocolBinding and only set this if it's not already set
if (string.IsNullOrEmpty(request.ProtocolBinding))
{
request.ProtocolBinding = Saml20Constants.ProtocolBindings.HttpArtifact;
}
Logger.DebugFormat(TraceMessages.AuthnRequestSent, request.GetXml().OuterXml);
artifactBuilder.RedirectFromLogin(destination, request);
break;
default:
Logger.Error(ErrorMessages.EndpointBindingInvalid);
throw new Saml20Exception(ErrorMessages.EndpointBindingInvalid);
}
}
/// <summary>
/// Determines whether the certificate is satisfied by all specifications.
/// </summary>
/// <param name="idp">The identity provider.</param>
/// <param name="cert">The cert.</param>
/// <returns><c>true</c> if certificate is satisfied by all specifications; otherwise, <c>false</c>.</returns>
private static bool CertificateSatisfiesSpecifications(IdentityProviderElement idp, X509Certificate2 cert)
{
return(SpecificationFactory.GetCertificateSpecifications(idp).All(spec => spec.IsSatisfiedBy(cert)));
}
private IdentityProvider ToIdentityProvider(IdentityProviderElement idp)
{
return new IdentityProvider
{
AllowIdPInitiatedSso = idp.AllowIdPInitiatedSso,
AllowReplayAttacks = idp.AllowReplayAttacks,
ArtifactResolution = ToArtifactResolution(idp.ArtifactResolution),
AttributeQuery = ToAttributeQuery(idp.AttributeQuery),
CertificateValidationTypes = idp.CertificateValidations.Select(v => v.Type).ToList(),
CommonDomainCookie = idp.CommonDomainCookie.AllKeys.ToDictionary(k => k, k => idp.CommonDomainCookie[k].Value),
Default = idp.Default,
Endpoints = new IdentityProviderEndpoints(idp.Endpoints.Select(e => ToIdentityProviderEndpoint(e))),
ForceAuth = idp.ForceAuth,
Id = idp.Id,
IsPassive = idp.IsPassive,
Metadata = idp.Metadata,
Name = idp.Name,
OmitAssertionSignatureCheck = idp.OmitAssertionSignatureCheck,
PersistentPseudonym = ToPersistentPseudonym(idp.PersistentPseudonym),
QuirksMode = idp.QuirksMode,
ResponseEncoding = idp.ResponseEncoding
};
}
/// <summary>
/// Is called before the assertion is made into a strongly typed representation
/// </summary>
/// <param name="context">The HttpContext.</param>
/// <param name="elem">The assertion element.</param>
/// <param name="endpoint">The endpoint.</param>
protected virtual void PreHandleAssertion(HttpContext context, XmlElement elem, IdentityProviderElement endpoint)
{
Logger.DebugFormat(TraceMessages.AssertionPrehandlerCalled);
if (endpoint != null && endpoint.Endpoints.LogoutEndpoint != null && !string.IsNullOrEmpty(endpoint.Endpoints.LogoutEndpoint.TokenAccessor))
{
var idpTokenAccessor = Activator.CreateInstance(Type.GetType(endpoint.Endpoints.LogoutEndpoint.TokenAccessor, false)) as ISaml20IdpTokenAccessor;
if (idpTokenAccessor != null)
{
Logger.DebugFormat("{0}.{1} called", idpTokenAccessor.GetType(), "ReadToken");
idpTokenAccessor.ReadToken(elem);
Logger.DebugFormat("{0}.{1} finished", idpTokenAccessor.GetType(), "ReadToken");
}
}
}
