private static void AddAttributeToStatement(string attrName, string attrValue, Saml2AttributeStatement statement)
{
var attribute = new Saml2Attribute(attrName);
attribute.Values.Add(attrValue);
statement.Attributes.Add(attribute);
}
protected override string ReadAttributeValue(XmlReader reader, Saml2Attribute attribute)
{
if (attribute.Name != null)
{
return(base.ReadAttributeValue(reader, attribute));
}
return("empty");
}
public static IEnumerable <Claim> ToClaims(this Saml2Attribute attribute, string issuer)
{
if (attribute == null)
{
throw new ArgumentNullException("value");
}
return(attribute.Values.Select(x => new Claim(attribute.FriendlyName, x, attribute.AttributeValueXsiType, issuer)));
}
private static Saml2Attribute GetAttribute(string attrName, string attrValue)
{
var attribute = new Saml2Attribute(attrName, attrValue)
{
NameFormat = new Uri(SAML2_Basic)
};
return attribute;
}
private Saml2Assertion CreateSamlAssertion(SecurityKey signatureKey, SecurityKeyIdentifier signatureKeyIdentifier, SecurityKeyIdentifier proofKeyIdentifier)
{
Claim claim = base.ClientCredentials.Claims.FirstOrDefault((Claim c) => c.Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier");
if (claim == null)
{
throw new ArgumentException("At least one NameIdentifier/Identity claim must be present in the claimset", "ClaimsClientCredentials.Claims");
}
Saml2Subject saml2Subject = new Saml2Subject
{
NameId = new Saml2NameIdentifier(claim.Value, new Uri("urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"))
};
Saml2SubjectConfirmationData saml2SubjectConfirmationData = new Saml2SubjectConfirmationData();
saml2SubjectConfirmationData.KeyIdentifiers.Add(proofKeyIdentifier);
saml2Subject.SubjectConfirmations.Add(new Saml2SubjectConfirmation(new Uri("urn:oasis:names:tc:SAML:2.0:cm:holder-of-key"), saml2SubjectConfirmationData));
IEnumerable <Saml2Attribute> enumerable = from c in base.ClientCredentials.Claims.Except(new Claim[]
{
claim
})
select new Saml2Attribute(c.Type, c.Value);
Claim claim2 = base.ClientCredentials.Claims.FirstOrDefault((Claim c) => c.Type == "http://www.tridion.com/2009/08/directoryservice/claims/directoryServiceName");
Saml2NameIdentifier issuer;
if (claim2 == null)
{
Saml2Attribute saml2Attribute = new Saml2Attribute("http://www.tridion.com/2009/08/directoryservice/claims/directoryServiceName", claim.Issuer);
enumerable = enumerable.Concat(new Saml2Attribute[]
{
saml2Attribute
});
issuer = new Saml2NameIdentifier(claim.Issuer);
}
else
{
issuer = new Saml2NameIdentifier(claim2.Value);
}
DateTime utcNow = DateTime.UtcNow;
Saml2Assertion saml2Assertion = new Saml2Assertion(issuer)
{
Subject = saml2Subject,
IssueInstant = utcNow,
Conditions = new Saml2Conditions
{
NotBefore = new DateTime?(utcNow),
NotOnOrAfter = new DateTime?(utcNow + base.TokenValidityTimeSpan)
},
Advice = new Saml2Advice(),
SigningCredentials = new SigningCredentials(signatureKey, base.SecurityAlgorithmSuite.DefaultAsymmetricSignatureAlgorithm, base.SecurityAlgorithmSuite.DefaultDigestAlgorithm, signatureKeyIdentifier)
};
saml2Assertion.Statements.Add(new Saml2AttributeStatement(enumerable));
if (base.ClientCredentials.AudienceUris != null)
{
saml2Assertion.Conditions.AudienceRestrictions.Add(new Saml2AudienceRestriction(base.ClientCredentials.AudienceUris));
}
return(saml2Assertion);
}
public static SecurityToken MakeBootstrapSecurityToken()
{
Saml2NameIdentifier identifier = new Saml2NameIdentifier("http://localhost/Echo");
Saml2Assertion assertion = new Saml2Assertion(identifier);
assertion.Issuer = new Saml2NameIdentifier("idp1.test.oio.dk");
assertion.Subject = new Saml2Subject(new Saml2NameIdentifier("Casper", new Uri("urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified")));
Saml2Attribute atribute = new Saml2Attribute("dk:gov:saml:attribute:AssuranceLevel", "2");
atribute.NameFormat = new Uri("urn:oasis:names:tc:SAML:2.0:attrname-format:basic");
assertion.Statements.Add(new Saml2AttributeStatement(atribute));
return(new Saml2SecurityToken(assertion));
}
public override void WriteAttribute(XmlWriter writer, Saml2Attribute attribute)
{
if (string.IsNullOrEmpty(attribute.AttributeValueXsiType))
{
base.WriteAttribute(writer, attribute);
return;
}
var dictionaryWriter = null as XmlDictionaryWriter;
if (writer is XmlDictionaryWriter w)
{
dictionaryWriter = w;
}
else
{
dictionaryWriter = XmlDictionaryWriter.CreateDictionaryWriter(writer);
}
var xsi = "http://www.w3.org/2001/XMLSchema-instance";
dictionaryWriter.WriteStartElement(Saml2Constants.Elements.Attribute, Saml2Constants.Namespace);
dictionaryWriter.WriteAttributeString(Saml2Constants.Attributes.Name, attribute.Name);
dictionaryWriter.WriteAttributeString(Saml2Constants.Attributes.NameFormat, attribute.NameFormat?.ToString() ?? Saml2Constants.NameIdentifierFormats.UnspecifiedString);
foreach (var value in attribute.Values)
{
dictionaryWriter.WriteStartElement(Saml2Constants.Elements.AttributeValue, Saml2Constants.Namespace);
var fqtn = attribute.AttributeValueXsiType?.Split('#');
if (fqtn?.Length == 2)
{
if (string.IsNullOrEmpty(dictionaryWriter.LookupPrefix("xs")))
{
dictionaryWriter.WriteAttributeString("xmlns", "xs", null, fqtn[0]);
}
dictionaryWriter.WriteStartAttribute("xsi", "type", xsi);
dictionaryWriter.WriteQualifiedName(fqtn[1], fqtn[0]);
dictionaryWriter.WriteEndAttribute();
}
dictionaryWriter.WriteString(value);
dictionaryWriter.WriteEndElement();
}
dictionaryWriter.WriteEndElement();
}
protected override void WriteAttributeValue(XmlWriter writer, string value, Saml2Attribute attribute)
{
var sb = new StringBuilder("<a>");
sb.Append(value);
sb.Append("</a>");
byte[] rawValue = new UTF8Encoding().GetBytes(sb.ToString());
using (var reader = XmlDictionaryReader.CreateTextReader(rawValue, XmlDictionaryReaderQuotas.Max))
{
reader.ReadStartElement("a");
while (reader.NodeType != XmlNodeType.EndElement ||
(reader.NodeType == XmlNodeType.EndElement && reader.Name != "a"))
{
writer.WriteNode(reader, false);
}
reader.ReadEndElement();
reader.Close();
}
}
protected virtual void WriteAttribute(XmlWriter writer, Saml2Attribute attribute)
{
if (writer == null)
{
throw new ArgumentNullException(nameof(writer));
}
if (attribute == null)
{
throw new ArgumentNullException(nameof(attribute));
}
writer.WriteStartElement(Saml2Constants.Elements.Attribute, Saml2Constants.Namespace);
writer.WriteAttributeString(Saml2Constants.Attributes.Name, attribute.Name);
writer.WriteAttributeIfPresent(Saml2Constants.Attributes.NameFormat, null, attribute.NameFormat.AbsoluteUri);
writer.WriteAttributeIfPresent(Saml2Constants.Attributes.FriendlyName, null, attribute.FriendlyName);
foreach (var value in attribute.Values)
{
writer.WriteStartElement(Saml2Constants.Elements.AttributeValue, Saml2Constants.Namespace);
if (null == value)
{
writer.WriteAttributeString("nil", XmlSchema.InstanceNamespace, XmlConvert.ToString(true));
}
else if (value.Length > 0)
{
writer.WriteString(value);
}
writer.WriteEndElement();
}
writer.WriteEndElement();
}
private static void CreateIdentityProviderMetadata(SamlIdpData idpData, string fileName, Encoding encoding)
{
if (string.IsNullOrEmpty(idpData.SigninCertificateCn))
{
throw new ApplicationException("no CN for a Certificate supplied");
}
string signingCertificateSubjectName = idpData.SigninCertificateCn;
Constants.NameIdType nidFmt = idpData.NameIdType;
MetadataSerializer serializer = new MetadataSerializer();
IdentityProviderSingleSignOnDescriptor item = new IdentityProviderSingleSignOnDescriptor();
EntityDescriptor metadata = new EntityDescriptor();
metadata.EntityId = new EntityId(idpData.EntityId);
X509Certificate2 certificate = CertificateHelper.RetrieveCertificate(signingCertificateSubjectName);
KeyDescriptor descriptor = new KeyDescriptor(
new SecurityKeyIdentifier(
new SecurityKeyIdentifierClause[]
{
new X509SecurityToken(certificate).CreateKeyIdentifierClause <X509RawDataKeyIdentifierClause>()
}));
descriptor.Use = KeyType.Signing;
item.Keys.Add(descriptor);
//using 2.0
if (Constants.NameIdType.Saml20 == nidFmt)
{
item.NameIdentifierFormats.Add(Saml2Constants.NameIdentifierFormats.Transient);
}
//using 1.1
if (Constants.NameIdType.Saml11 == nidFmt)
{
item.NameIdentifierFormats.Add(Saml2Constants.NameIdentifierFormats.Unspecified);
}
foreach (var attributeName in idpData.AttributeNames)
{
Saml2Attribute at1 = new Saml2Attribute(attributeName.Name)
{
NameFormat = new Uri(Constants.Saml20AttributeNameFormat)
};
item.SupportedAttributes.Add(at1);
}
item.ProtocolsSupported.Add(new Uri(Constants.Saml20Protocol));
item.SingleSignOnServices.Add(new ProtocolEndpoint(new Uri(idpData.BindingType), new Uri(idpData.BindingLocation)));
metadata.RoleDescriptors.Add(item);
metadata.Contacts.Add(new ContactPerson(ContactType.Technical)
{
Company = idpData.MainContact.Company,
GivenName = idpData.MainContact.GivenName,
Surname = idpData.MainContact.SurName,
EmailAddresses = { idpData.MainContact.Email },
TelephoneNumbers = { idpData.MainContact.Phone }
});
XmlTextWriter writer = new XmlTextWriter(fileName, encoding);
serializer.WriteMetadata(writer, metadata);
writer.Close();
}
public void Saml2Attribute_RelativeNameFormat_ArgumentException()
{
var attr = new Saml2Attribute("Country");
Assert.Throws <ArgumentException>(() => attr.NameFormat = new Uri("resource", UriKind.Relative));
}