/// <summary>
/// Builds the metadata published by the stub identity provider: the entity id taken
/// from UrlResolver, an optional cacheDuration, one HTTP-Redirect SSO endpoint, one
/// SOAP artifact resolution endpoint and the signing key from CertificateHelper.
/// </summary>
/// <param name="includeCacheDuration">When true, cacheDuration is set to 15 minutes.</param>
/// <returns>The populated entity descriptor.</returns>
public static ExtendedEntityDescriptor CreateIdpMetadata(bool includeCacheDuration = true)
{
    var result = new ExtendedEntityDescriptor
    {
        EntityId = new EntityId(UrlResolver.MetadataUrl.ToString())
    };

    if (includeCacheDuration)
    {
        result.CacheDuration = TimeSpan.FromMinutes(15);
    }

    var ssoDescriptor = new IdentityProviderSingleSignOnDescriptor();
    ssoDescriptor.ProtocolsSupported.Add(new Uri("urn:oasis:names:tc:SAML:2.0:protocol"));
    result.RoleDescriptors.Add(ssoDescriptor);

    var ssoEndpoint = new ProtocolEndpoint
    {
        Binding = Saml2Binding.HttpRedirectUri,
        Location = UrlResolver.SsoServiceUrl
    };
    ssoDescriptor.SingleSignOnServices.Add(ssoEndpoint);

    var artifactEndpoint = new IndexedProtocolEndpoint
    {
        Index = 0,
        IsDefault = true,
        Binding = Saml2Binding.SoapUri,
        Location = UrlResolver.ArtifactServiceUrl
    };
    ssoDescriptor.ArtifactResolutionServices.Add(0, artifactEndpoint);

    // Publishing the signing key is what lets relying parties validate
    // messages issued by this IdP.
    ssoDescriptor.Keys.Add(CertificateHelper.SigningKey);

    return result;
}
/// <summary>
/// An IdentityProvider whose metadata loading is disabled must not treat its
/// entity id as a metadata URL, even when the descriptor it was built from has
/// already expired.
/// </summary>
public void IdentityProvider_ConstructedFromEntityDescriptor_DoesntReloadMetadataWhenDisabled()
{
    // Expired a year ago: a reload would be due if metadata loading were on.
    var entityDescriptor = new ExtendedEntityDescriptor
    {
        ValidUntil = DateTime.UtcNow.AddYears(-1),
        EntityId = new EntityId("someEntityId")
    };

    var ssoDescriptor = new IdentityProviderSingleSignOnDescriptor();
    ssoDescriptor.ProtocolsSupported.Add(new Uri("urn:oasis:names:tc:SAML:2.0:protocol"));
    entityDescriptor.RoleDescriptors.Add(ssoDescriptor);

    var ssoEndpoint = new ProtocolEndpoint
    {
        Binding = Saml2Binding.HttpRedirectUri,
        Location = new Uri("http://idp.example.com/sso")
    };
    ssoDescriptor.SingleSignOnServices.Add(ssoEndpoint);
    ssoDescriptor.Keys.Add(SignedXmlHelper.TestKeyDescriptor);

    var subject = new IdentityProvider(entityDescriptor.EntityId, StubFactory.CreateSPOptions());

    subject.LoadMetadata.Should().BeFalse();

    // "someEntityId" is not a valid absolute Uri, so any attempt to use the
    // entity id as a metadata url would throw from this accessor.
    Action readBinding = () => { var unused = subject.Binding; };
    readBinding.ShouldNotThrow();
}
/// <summary>
/// Serialized IdP metadata must carry the signing certificate inside
/// KeyDescriptor/KeyInfo/X509Data/X509Certificate so relying parties can
/// pick it up for signature validation.
/// </summary>
public void MetadatabaseExtensions_ToXmlString_IncludesKeyInfo()
{
    var entityDescriptor = new ExtendedEntityDescriptor
    {
        EntityId = new EntityId("http://idp.example.com/metadata"),
        CacheDuration = TimeSpan.FromHours(1)
    };

    var ssoDescriptor = new IdentityProviderSingleSignOnDescriptor();
    ssoDescriptor.ProtocolsSupported.Add(new Uri("urn:oasis:names:tc:SAML:2.0:protocol"));
    entityDescriptor.RoleDescriptors.Add(ssoDescriptor);

    ssoDescriptor.SingleSignOnServices.Add(new ProtocolEndpoint
    {
        Binding = Saml2Binding.HttpRedirectUri,
        Location = new Uri("http://idp.example.com/sso")
    });
    ssoDescriptor.Keys.Add(SignedXmlHelper.TestKeyDescriptor);

    var xml = XDocument.Parse(entityDescriptor.ToXmlString(null, ""));

    var md = Saml2Namespaces.Saml2Metadata;
    var ds = XNamespace.Get(SignedXml.XmlDsigNamespaceUrl);

    var certificateElement = xml
        .Element(md + "EntityDescriptor")
        .Element(md + "IDPSSODescriptor")
        .Element(md + "KeyDescriptor")
        .Element(ds + "KeyInfo")
        .Element(ds + "X509Data")
        .Element(ds + "X509Certificate");

    // Base64 DER prefix of the test certificate.
    certificateElement.Value.Should().StartWith("MIIDIzCCAg+gAwIBAgIQg7mOjTf994NAVxZu4jqXpzAJBgUrDgM");
}
/// <summary>
/// When the caller supplies an EntityDescriptorId, ToXmlString must emit it as the
/// ID attribute of the EntityDescriptor element instead of generating its own
/// (the element ID is what an enveloped signature's Reference points at).
/// </summary>
public void MetadatabaseExtensions_ToXmlString_ShouldUseSuppliedEntityDescriptorId()
{
    var entityDescriptor = new ExtendedEntityDescriptor
    {
        EntityId = new EntityId("http://idp.example.com/metadata"),
        CacheDuration = TimeSpan.FromHours(1),
        EntityDescriptorId = Guid.NewGuid().ToString()
    };

    var ssoDescriptor = new IdentityProviderSingleSignOnDescriptor();
    ssoDescriptor.ProtocolsSupported.Add(new Uri("urn:oasis:names:tc:SAML:2.0:protocol"));
    entityDescriptor.RoleDescriptors.Add(ssoDescriptor);

    ssoDescriptor.SingleSignOnServices.Add(new ProtocolEndpoint
    {
        Binding = Saml2Binding.HttpRedirectUri,
        Location = new Uri("http://idp.example.com/sso")
    });
    ssoDescriptor.Keys.Add(SignedXmlHelper.TestKeyDescriptor);

    var xml = XDocument.Parse(entityDescriptor.ToXmlString(null));

    var idAttribute = xml
        .Element(Saml2Namespaces.Saml2Metadata + "EntityDescriptor")
        .Attribute("ID");

    idAttribute.Value.Should().BeEquivalentTo(entityDescriptor.EntityDescriptorId);
}
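/// <summary>
/// Builds a minimal IdP EntityDescriptor with a single HTTP-Redirect SSO endpoint.
/// </summary>
/// <returns>A descriptor with no entity id and no published key.</returns>
/// <remarks>
/// No KeyDescriptor is attached, so a consumer of this descriptor has nothing to
/// validate signatures against; add a key if the code under test verifies signatures.
/// The previous version fetched the mock certificate and discarded it; that dead
/// call has been removed.
/// </remarks>
public static EntityDescriptor GetEntityDescriptor()
{
    var idpRole = new IdentityProviderSingleSignOnDescriptor();
    idpRole.SingleSignOnServices.Add(new ProtocolEndpoint(
        new Uri(ProtocolBindings.HttpRedirect),
        new Uri("http://localhost:60879")));

    var descriptor = new EntityDescriptor();
    descriptor.RoleDescriptors.Add(idpRole);
    return descriptor;
}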
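/// <summary>
/// Builds an IdP EntityDescriptor for <paramref name="entityId"/> that advertises
/// the SAML 2.0 protocol and a single HTTP-Redirect SSO endpoint.
/// </summary>
/// <param name="entityId">Entity id written into the descriptor.</param>
/// <returns>A descriptor with no published key.</returns>
/// <remarks>
/// No KeyDescriptor is attached, so signature validation against this descriptor
/// is not possible; add a key if the code under test verifies signatures.
/// The previous version fetched the mock certificate and discarded it; that dead
/// call has been removed.
/// </remarks>
public static EntityDescriptor GetIdpEntityDescriptor(string entityId)
{
    var idpRole = new IdentityProviderSingleSignOnDescriptor();
    idpRole.ProtocolsSupported.Add(new Uri("urn:oasis:names:tc:SAML:2.0:protocol"));
    idpRole.SingleSignOnServices.Add(new ProtocolEndpoint(
        new Uri(ProtocolBindings.HttpRedirect),
        new Uri("http://localhost:60879")));

    var descriptor = new EntityDescriptor(new EntityId(entityId));
    descriptor.RoleDescriptors.Add(idpRole);
    return descriptor;
}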
/// <summary>
/// Builds the IdP metadata served by this middleware. Endpoint locations are
/// resolved against the incoming request; the signing certificate from Options
/// is published as a raw X509 key descriptor.
/// </summary>
/// <param name="request">Request used to resolve absolute endpoint URIs.</param>
/// <param name="includeCacheDuration">
/// When true, cacheDuration is set to 15 minutes and validUntil to one day from now.
/// </param>
/// <returns>The populated entity descriptor.</returns>
private ExtendedEntityDescriptor CreateIdpMetadata(IOwinRequest request, bool includeCacheDuration = true)
{
    var metadata = new ExtendedEntityDescriptor
    {
        EntityId = new EntityId(GetAbsoluteUri(request, MetadataPath).AbsoluteUri)
    };

    if (includeCacheDuration)
    {
        metadata.CacheDuration = TimeSpan.FromMinutes(15);
        metadata.ValidUntil = DateTime.UtcNow.AddDays(1);
    }

    var idp = new IdentityProviderSingleSignOnDescriptor();
    idp.ProtocolsSupported.Add(new Uri("urn:oasis:names:tc:SAML:2.0:protocol"));
    metadata.RoleDescriptors.Add(idp);

    var ssoEndpoint = new ProtocolEndpoint
    {
        Binding = Saml2Binding.HttpRedirectUri,
        Location = GetAbsoluteUri(request, AuthorizePath)
    };
    idp.SingleSignOnServices.Add(ssoEndpoint);

    var artifactEndpoint = new IndexedProtocolEndpoint
    {
        Index = 0,
        IsDefault = true,
        Binding = Saml2Binding.SoapUri,
        Location = GetAbsoluteUri(request, ArtifactPath)
    };
    idp.ArtifactResolutionServices.Add(0, artifactEndpoint);

    // Logout is offered over both HTTP-Redirect and HTTP-POST at the same path.
    var redirectLogout = new ProtocolEndpoint
    {
        Binding = Saml2Binding.HttpRedirectUri,
        Location = GetAbsoluteUri(request, LogoutPath)
    };
    idp.SingleLogoutServices.Add(redirectLogout);

    var postLogout = new ProtocolEndpoint
    {
        Binding = Saml2Binding.HttpPostUri,
        Location = GetAbsoluteUri(request, LogoutPath)
    };
    idp.SingleLogoutServices.Add(postLogout);

    // Only the raw certificate (public part) is embedded. Use is left unspecified,
    // which SAML metadata treats as valid for both signing and encryption.
    var signingToken = new X509SecurityToken(Options.SigningCertificate);
    var keyIdentifier = new SecurityKeyIdentifier(
        signingToken.CreateKeyIdentifierClause<X509RawDataKeyIdentifierClause>());
    idp.Keys.Add(new KeyDescriptor(keyIdentifier));

    return metadata;
}
/// <summary>
/// Builds the mock's local IdP metadata: one entity ("local") whose IdP role
/// publishes the mock certificate as a signing key.
/// </summary>
/// <returns>The entity descriptor.</returns>
private MetadataBase GetMetadata()
{
    var certificate = AssertionFactroryMock.GetMockCertificate();

    // Raw X509 data carries only the public certificate.
    var signingKey = new KeyDescriptor(
        new SecurityKeyIdentifier(new X509RawDataKeyIdentifierClause(certificate)))
    {
        Use = KeyType.Signing
    };

    var idpRole = new IdentityProviderSingleSignOnDescriptor();
    idpRole.Keys.Add(signingKey);

    var entity = new EntityDescriptor(new EntityId("local"));
    entity.RoleDescriptors.Add(idpRole);
    return entity;
}
/// <summary>
/// Finds the SingleSignOnService endpoint of an IdP descriptor that uses the
/// requested binding.
/// </summary>
/// <param name="descriptor">IdP role descriptor to search.</param>
/// <param name="binding">Binding URI compared against each endpoint's Binding.</param>
/// <returns>The Location of the first endpoint whose Binding equals <paramref name="binding"/>.</returns>
/// <exception cref="ArgumentNullException"><paramref name="descriptor"/> is null.</exception>
/// <exception cref="InvalidOperationException">No endpoint uses the requested binding.</exception>
public Uri GetIdentityProviderSingleSignOnServices(IdentityProviderSingleSignOnDescriptor descriptor, Uri binding)
{
    if (descriptor == null)
    {
        throw new ArgumentNullException("descriptor");
    }

    foreach (var endpoint in descriptor.SingleSignOnServices)
    {
        if (endpoint.Binding == binding)
        {
            return endpoint.Location;
        }
    }

    throw new InvalidOperationException(
        String.Format("No endpoint found for binding: {0}.", binding));
}
/// <summary>
/// A cacheDuration set on an EntitiesDescriptor must be written on that element
/// only and not be copied down onto the child EntityDescriptor.
/// </summary>
public void ExtendedMetadataSerializer_Write_EntitiesDescriptorCacheDuration()
{
    var federation = new ExtendedEntitiesDescriptor
    {
        Name = "Federation Name",
        CacheDuration = TimeSpan.FromMinutes(42)
    };

    var entity = new ExtendedEntityDescriptor
    {
        EntityId = new EntityId("http://some.entity.example.com")
    };

    var ssoDescriptor = new IdentityProviderSingleSignOnDescriptor();
    ssoDescriptor.ProtocolsSupported.Add(new Uri("urn:oasis:names:tc:SAML:2.0:protocol"));
    ssoDescriptor.SingleSignOnServices.Add(new ProtocolEndpoint
    {
        Binding = Saml2Binding.HttpRedirectUri,
        Location = new Uri("http://some.entity.example.com/sso")
    });
    entity.RoleDescriptors.Add(ssoDescriptor);
    federation.ChildEntities.Add(entity);

    XElement root;
    using (var buffer = new MemoryStream())
    {
        ExtendedMetadataSerializer.ReaderInstance.WriteMetadata(buffer, federation);
        buffer.Position = 0;
        root = XDocument.Load(buffer).Root;
    }

    var md = Saml2Namespaces.Saml2Metadata;
    root.Name.Should().Be(md + "EntitiesDescriptor");
    // ISO 8601 duration for 42 minutes.
    root.Attribute("cacheDuration").Value.Should().Be("PT42M");
    root.Element(md + "EntityDescriptor").Attribute("cacheDuration").Should().BeNull();
}
/// <summary>
/// Reading an already-expired EntityDescriptor into an IdentityProvider must not
/// schedule a background metadata refresh; the SSO url read from the descriptor
/// must still be in place after the refresh would have run.
/// </summary>
public void IdentityProvider_ConstructedFromEntityDescriptor_DoesntScheduleMedataRefresh()
{
    // Shrink the scheduler interval so a wrongly scheduled refresh fires within the wait below.
    MetadataRefreshScheduler.minInterval = TimeSpan.FromMilliseconds(1);

    var entityDescriptor = new ExtendedEntityDescriptor
    {
        ValidUntil = DateTime.UtcNow.AddYears(-1),
        EntityId = new EntityId("http://localhost:13428/idpMetadata")
    };

    var ssoDescriptor = new IdentityProviderSingleSignOnDescriptor();
    ssoDescriptor.ProtocolsSupported.Add(new Uri("urn:oasis:names:tc:SAML:2.0:protocol"));
    entityDescriptor.RoleDescriptors.Add(ssoDescriptor);

    var ssoEndpoint = new ProtocolEndpoint
    {
        Binding = Saml2Binding.HttpRedirectUri,
        Location = new Uri("http://idp.example.com/sso")
    };
    ssoDescriptor.SingleSignOnServices.Add(ssoEndpoint);
    ssoDescriptor.Keys.Add(SignedXmlHelper.TestKeyDescriptor);

    var subject = new IdentityProvider(entityDescriptor.EntityId, StubFactory.CreateSPOptions());
    subject.ReadMetadata(entityDescriptor);

    // Ugly, but have to wait and see that nothing happened. Have tried
    // some different timeouts but need 100 to ensure fail before bug
    // is fixed :-(
    Thread.Sleep(100);

    // Would have been replaced if the metadata had been reloaded.
    subject.SingleSignOnServiceUrl.Should().Be(ssoEndpoint.Location);
}
// Test fixture constructor: builds the IdP descriptor shared by the serializer tests.
// NOTE(review): this line is truncated in the extract — the SingleSignOnServices
// initializer ends in a redacted URL with an unmatched parenthesis, and what looks like
// a contact initializer has been cut out before "TelephoneNumbers". Left byte-identical;
// it cannot be reconstructed from what is visible here.
public MetadataSerializerTests() { idp = new IdentityProviderSingleSignOnDescriptor { ErrorUrl = new Uri("http://localhost/uh-oh"), WantAuthenticationRequestsSigned = true, ProtocolsSupported = { new Uri("urn:oasis:names:tc:SAML:2.0:protocol") }, SingleSignOnServices = { new ProtocolEndpoint(new Uri("urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"), new Uri("http://*****:*****@rocksolidknowledge.com" }, TelephoneNumbers ={ "441174220515" } } } }; }
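/// <summary>
/// Writes SAML 2.0 IdP metadata for <paramref name="idpData"/> to <paramref name="fileName"/>.
/// </summary>
/// <param name="idpData">
/// Entity id, signing certificate CN, NameID format, supported attributes, SSO binding and technical contact.
/// </param>
/// <param name="fileName">Path of the metadata file to create.</param>
/// <param name="encoding">Text encoding of the written XML.</param>
/// <exception cref="ArgumentNullException"><paramref name="idpData"/> is null.</exception>
/// <exception cref="ApplicationException">idpData.SigninCertificateCn is null or empty.</exception>
private static void CreateIdentityProviderMetadata(SamlIdpData idpData, string fileName, Encoding encoding)
{
    if (idpData == null)
    {
        throw new ArgumentNullException("idpData");
    }
    if (string.IsNullOrEmpty(idpData.SigninCertificateCn))
    {
        throw new ApplicationException("no CN for a Certificate supplied");
    }

    var serializer = new MetadataSerializer();
    var item = new IdentityProviderSingleSignOnDescriptor();
    var metadata = new EntityDescriptor();
    metadata.EntityId = new EntityId(idpData.EntityId);

    // Only the raw certificate (public part) is embedded in the metadata; the
    // private key stays wherever CertificateHelper reads the certificate from.
    X509Certificate2 certificate = CertificateHelper.RetrieveCertificate(idpData.SigninCertificateCn);
    var signingKey = new KeyDescriptor(
        new SecurityKeyIdentifier(
            new SecurityKeyIdentifierClause[]
            {
                new X509SecurityToken(certificate).CreateKeyIdentifierClause<X509RawDataKeyIdentifierClause>()
            }));
    signingKey.Use = KeyType.Signing;
    item.Keys.Add(signingKey);

    // NameID format follows the configured SAML flavour; any other value publishes none.
    Constants.NameIdType nameIdType = idpData.NameIdType;
    if (Constants.NameIdType.Saml20 == nameIdType)
    {
        item.NameIdentifierFormats.Add(Saml2Constants.NameIdentifierFormats.Transient);
    }
    else if (Constants.NameIdType.Saml11 == nameIdType)
    {
        item.NameIdentifierFormats.Add(Saml2Constants.NameIdentifierFormats.Unspecified);
    }

    foreach (var attributeName in idpData.AttributeNames)
    {
        item.SupportedAttributes.Add(new Saml2Attribute(attributeName.Name)
        {
            NameFormat = new Uri(Constants.Saml20AttributeNameFormat)
        });
    }

    item.ProtocolsSupported.Add(new Uri(Constants.Saml20Protocol));
    item.SingleSignOnServices.Add(new ProtocolEndpoint(
        new Uri(idpData.BindingType),
        new Uri(idpData.BindingLocation)));
    metadata.RoleDescriptors.Add(item);

    metadata.Contacts.Add(new ContactPerson(ContactType.Technical)
    {
        Company = idpData.MainContact.Company,
        GivenName = idpData.MainContact.GivenName,
        Surname = idpData.MainContact.SurName,
        EmailAddresses = { idpData.MainContact.Email },
        TelephoneNumbers = { idpData.MainContact.Phone }
    });

    // using releases the file handle even if WriteMetadata throws; the
    // previous explicit Close() was skipped on that path.
    using (var writer = new XmlTextWriter(fileName, encoding))
    {
        serializer.WriteMetadata(writer, metadata);
    }
}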
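/// <summary>
/// Writes SAML 2.0 IdP metadata for <paramref name="idpData"/> to <paramref name="fileName"/>.
/// </summary>
/// <param name="idpData">
/// Entity id, signing certificate CN, NameID format, supported attributes, SSO binding and technical contact.
/// </param>
/// <param name="fileName">Path of the metadata file to create.</param>
/// <param name="encoding">Text encoding of the written XML.</param>
/// <exception cref="ArgumentNullException"><paramref name="idpData"/> is null.</exception>
/// <exception cref="ApplicationException">idpData.SigninCertificateCn is null or empty.</exception>
private static void CreateIdentityProviderMetadata(SamlIdpData idpData, string fileName, Encoding encoding)
{
    if (idpData == null)
    {
        throw new ArgumentNullException("idpData");
    }
    if (string.IsNullOrEmpty(idpData.SigninCertificateCn))
    {
        throw new ApplicationException("no CN for a Certificate supplied");
    }

    var serializer = new MetadataSerializer();
    var item = new IdentityProviderSingleSignOnDescriptor();
    var metadata = new EntityDescriptor();
    metadata.EntityId = new EntityId(idpData.EntityId);

    // Only the raw certificate (public part) is embedded in the metadata; the
    // private key stays wherever CertificateHelper reads the certificate from.
    X509Certificate2 certificate = CertificateHelper.RetrieveCertificate(idpData.SigninCertificateCn);
    var signingKey = new KeyDescriptor(
        new SecurityKeyIdentifier(
            new SecurityKeyIdentifierClause[]
            {
                new X509SecurityToken(certificate).CreateKeyIdentifierClause<X509RawDataKeyIdentifierClause>()
            }));
    signingKey.Use = KeyType.Signing;
    item.Keys.Add(signingKey);

    // NameID format follows the configured SAML flavour; any other value publishes none.
    Constants.NameIdType nameIdType = idpData.NameIdType;
    if (Constants.NameIdType.Saml20 == nameIdType)
    {
        item.NameIdentifierFormats.Add(Saml2Constants.NameIdentifierFormats.Transient);
    }
    else if (Constants.NameIdType.Saml11 == nameIdType)
    {
        item.NameIdentifierFormats.Add(Saml2Constants.NameIdentifierFormats.Unspecified);
    }

    foreach (var attributeName in idpData.AttributeNames)
    {
        item.SupportedAttributes.Add(new Saml2Attribute(attributeName.Name)
        {
            NameFormat = new Uri(Constants.Saml20AttributeNameFormat)
        });
    }

    item.ProtocolsSupported.Add(new Uri(Constants.Saml20Protocol));
    item.SingleSignOnServices.Add(new ProtocolEndpoint(
        new Uri(idpData.BindingType),
        new Uri(idpData.BindingLocation)));
    metadata.RoleDescriptors.Add(item);

    metadata.Contacts.Add(new ContactPerson(ContactType.Technical)
    {
        Company = idpData.MainContact.Company,
        GivenName = idpData.MainContact.GivenName,
        Surname = idpData.MainContact.SurName,
        EmailAddresses = { idpData.MainContact.Email },
        TelephoneNumbers = { idpData.MainContact.Phone }
    });

    // using releases the file handle even if WriteMetadata throws; the
    // previous explicit Close() was skipped on that path.
    using (var writer = new XmlTextWriter(fileName, encoding))
    {
        serializer.WriteMetadata(writer, metadata);
    }
}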