protected override Saml2Subject CreateSubject(SecurityTokenDescriptor tokenDescriptor)
{
var subject = base.CreateSubject(tokenDescriptor);
if (subject.NameId != null && subject.NameId.Format == null)
{
subject.NameId.Format = Saml2Constants.NameIdentifierFormats.Unspecified;
}
if (tokenDescriptor is RequestedSecurityTokenDescriptor requestedTokenDescriptor)
{
var keyInfo = CreateProofKeyInfo(requestedTokenDescriptor);
if (keyInfo != null)
{
var data = new Saml2SubjectConfirmationData
{
};
data.KeyInfos.Add(keyInfo);
var holderOfKey = new Saml2SubjectConfirmation(Saml2Constants.ConfirmationMethods.HolderOfKey, data);
var bearer = subject.SubjectConfirmations.FirstOrDefault(c => c.Method == Saml2Constants.ConfirmationMethods.Bearer);
if (bearer != null)
{
subject.SubjectConfirmations.Remove(bearer);
}
subject.SubjectConfirmations.Add(holderOfKey);
}
}
return(subject);
}
public void Saml2SubjectExtensions_ToXElement_SubjectConfirmation()
{
var saml2SubjectConfirmation = new Saml2SubjectConfirmation(new Uri("urn:oasis:names:tc:SAML:2.0:cm:bearer"));
var confirmation = saml2SubjectConfirmation.ToXElement();
confirmation.Attribute("Method").Value.Should().Be("urn:oasis:names:tc:SAML:2.0:cm:bearer");
}
public void Saml2SubjectExtensions_ToXElement_SubjectConfirmation_CheckNull()
{
Saml2SubjectConfirmation saml2SubjectConfirmation = null;
Action a = () => saml2SubjectConfirmation.ToXElement();
a.ShouldThrow <ArgumentNullException>().And.ParamName.Should().Be("subjectConfirmation");
}
/// <summary>
/// Writes out the subject confirmation as an XElement.
/// </summary>
/// <param name="subjectConfirmation"></param>
/// <returns></returns>
/// <exception cref="ArgumentNullException"></exception>
public static XElement ToXElement(this Saml2SubjectConfirmation subjectConfirmation)
{
if (subjectConfirmation == null)
{
throw new ArgumentNullException(nameof(subjectConfirmation));
}
var element = new XElement(Saml2Namespaces.Saml2 + "SubjectConfirmation",
new XAttribute("Method", subjectConfirmation.Method.OriginalString));
if (subjectConfirmation.SubjectConfirmationData != null)
{
element.Add(subjectConfirmation.SubjectConfirmationData.ToXElement());
}
return(element);
}
private static Saml2Assertion CreateAssertion(SigningCredentials samlpTokenSigningCredentials)
{
var assertion = new Saml2Assertion(new Saml2NameIdentifier("https://mojeid.regtest.nic.cz/saml/idp.xml", new Uri("urn:oasis:names:tc:SAML:2.0:nameid-format:entity")))
{
InclusiveNamespacesPrefixList = "ns1 ns2",
IssueInstant = DateTime.Parse("2019-04-08T10:30:49Z"),
SigningCredentials = samlpTokenSigningCredentials,
Id = new Saml2Id("id-2bMsOPOKIqeVIDLqJ")
};
var saml2SubjectConfirmationData = new Saml2SubjectConfirmationData
{
InResponseTo = new Saml2Id("ida5714d006fcc430c92aacf34ab30b166"),
NotOnOrAfter = DateTime.Parse("2019-04-08T10:45:49Z"),
Recipient = new Uri("https://tnia.eidentita.cz/fpsts/processRequest.aspx")
};
var saml2SubjectConfirmation = new Saml2SubjectConfirmation(new Uri("urn:oasis:names:tc:SAML:2.0:cm:bearer"), saml2SubjectConfirmationData);
var saml2Subject = new Saml2Subject(new Saml2NameIdentifier("6dfe0399103d11411b1fa00772b6a13e0858605b80c20ea845769c57b41479ed", new Uri("urn:oasis:names:tc:SAML:2.0:nameid-format:persistent")));
saml2Subject.SubjectConfirmations.Add(saml2SubjectConfirmation);
assertion.Subject = saml2Subject;
var saml2AudienceRestrictions = new Saml2AudienceRestriction("urn:microsoft: cgg2010: fpsts");
var saml2Conditions = new Saml2Conditions();
saml2Conditions.AudienceRestrictions.Add(saml2AudienceRestrictions);
saml2Conditions.NotBefore = DateTime.Parse("2019-04-08T10:30:49Z");
saml2Conditions.NotOnOrAfter = DateTime.Parse("2019-04-08T10:45:49Z");
assertion.Conditions = saml2Conditions;
var saml2AuthenticationContext = new Saml2AuthenticationContext(new Uri("urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport"));
var saml2Statement = new Saml2AuthenticationStatement(saml2AuthenticationContext)
{
AuthenticationInstant = DateTime.Parse("2019-04-08T10:30:49Z"),
SessionIndex = "id-oTnhrqWtcTTEntvMy"
};
assertion.Statements.Add(saml2Statement);
return(assertion);
}
internal ReadOnlyCollection <SecurityKey> ResolveSecurityKeys(Saml2Assertion assertion, SecurityTokenResolver resolver)
{
Saml2Subject subject = assertion.Subject;
Saml2SubjectConfirmation confirmation = subject.SubjectConfirmations[0];
if (confirmation.SubjectConfirmationData != null)
{
this.ValidateConfirmationData(confirmation.SubjectConfirmationData);
}
List <SecurityKey> list = new List <SecurityKey>();
foreach (SecurityKeyIdentifier identifier in confirmation.SubjectConfirmationData.KeyIdentifiers)
{
SecurityKey key = null;
foreach (SecurityKeyIdentifierClause clause in identifier)
{
if ((resolver != null) && resolver.TryResolveSecurityKey(clause, out key))
{
list.Add(key);
break;
}
}
if (key == null)
{
if (identifier.CanCreateKey)
{
key = identifier.CreateKey();
list.Add(key);
continue;
}
list.Add(new SecurityKeyElement(identifier, resolver));
}
}
return(list.AsReadOnly());
}
private void AddSubjectConfirmation(Saml2SubjectConfirmation subjectConfirmation)
{
Saml2SecurityToken.Assertion.Subject.SubjectConfirmations.Clear();
Saml2SecurityToken.Assertion.Subject.SubjectConfirmations.Add(subjectConfirmation);
}
/// <summary>
/// Creates the Security Token and add it to the response.
/// </summary>
/// <param name="tokenDescriptor">This is a place holder for all the attributes related to the issued token.</param>
/// <param name="authenticationStatement">Represents the AuthnStatement element specified in [Saml2Core, 2.7.2].</param>
/// <param name="subjectConfirmation">Represents the SubjectConfirmation element specified in [Saml2Core, 2.4.1.1].</param>
/// <returns>The SAML 2.0 Security Token.</returns>
public Saml2SecurityToken CreateSecurityToken(SecurityTokenDescriptor tokenDescriptor, Saml2AuthenticationStatement authenticationStatement, Saml2SubjectConfirmation subjectConfirmation)
{
if (tokenDescriptor == null)
{
throw new ArgumentNullException(nameof(tokenDescriptor));
}
if (authenticationStatement == null)
{
throw new ArgumentNullException(nameof(authenticationStatement));
}
if (subjectConfirmation == null)
{
throw new ArgumentNullException(nameof(subjectConfirmation));
}
Saml2SecurityToken = Saml2SecurityTokenHandler.CreateToken(tokenDescriptor) as Saml2SecurityToken;
AddNameIdFormat();
AddAuthenticationStatement(authenticationStatement);
AddSubjectConfirmation(subjectConfirmation);
return(Saml2SecurityToken);
}
public Task CreateSecurityTokenAsync(SecurityTokenDescriptor tokenDescriptor, Saml2AuthenticationStatement authenticationStatement, Saml2SubjectConfirmation subjectConfirmation)
{
return(Task.FromResult(CreateSecurityToken(tokenDescriptor, authenticationStatement, subjectConfirmation)));
}
private async Task <Saml2SecurityToken> CreateSecurityTokenAsync(SignInRequest request, RelyingParty rp, ClaimsIdentity outgoingSubject)
{
var now = DateTime.Now;
var outgoingNameId = outgoingSubject.Claims.FirstOrDefault(c => c.Type == ClaimTypes.NameIdentifier);
if (outgoingNameId == null)
{
_logger.LogError("The user profile does not have a name id");
throw new SignInException("The user profile does not have a name id");
}
var issuer = new Saml2NameIdentifier(_options.IssuerName);
var nameId = new Saml2NameIdentifier(outgoingNameId.Value);
var subjectConfirmationData = new Saml2SubjectConfirmationData();
subjectConfirmationData.NotOnOrAfter = now.AddMinutes(
rp.TokenLifetimeInMinutes.GetValueOrDefault(_options.DefaultNotOnOrAfterInMinutes));
if (request.Parameters.ContainsKey("Recipient"))
{
subjectConfirmationData.Recipient = new Uri(request.Parameters["Recipient"]);
}
else
{
subjectConfirmationData.Recipient = new Uri(rp.ReplyUrl);
}
var subjectConfirmation = new Saml2SubjectConfirmation(new Uri("urn:oasis:names:tc:SAML:2.0:cm:bearer"),
subjectConfirmationData);
subjectConfirmation.NameIdentifier = nameId;
var subject = new Saml2Subject(subjectConfirmation);
var conditions = new Saml2Conditions(new Saml2AudienceRestriction[]
{
new Saml2AudienceRestriction(request.Realm)
});
conditions.NotOnOrAfter = now.AddMinutes(
rp.TokenLifetimeInMinutes.GetValueOrDefault(_options.DefaultNotOnOrAfterInMinutes));
conditions.NotBefore = now.Subtract(TimeSpan.FromMinutes(_options.DefaultNotBeforeInMinutes));
var authContext = new Saml2AuthenticationContext(new Uri("urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport"));
var authStatement = new Saml2AuthenticationStatement(authContext, now);
authStatement.SessionIndex = (request.Parameters.ContainsKey("SessionIndex")) ? request.Parameters["SessionIndex"] : null;
var attributeStament = new Saml2AttributeStatement();
foreach (var claim in outgoingSubject.Claims)
{
_logger.LogDebug("Adding attribute in SAML token '{0} - {1}'", claim.Type, claim.Value);
attributeStament.Attributes.Add(new Saml2Attribute(claim.Type, claim.Value));
}
var assertion = new Saml2Assertion(issuer);
assertion.Id = new Saml2Id();
assertion.Subject = subject;
assertion.Conditions = conditions;
assertion.Statements.Add(attributeStament);
assertion.Statements.Add(authStatement);
assertion.IssueInstant = now;
assertion.SigningCredentials = await _keyService.GetSigningCredentialsAsync();
var token = new Saml2SecurityToken(assertion);
token.SigningKey = assertion.SigningCredentials.Key;
return(token);
}
