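/// <summary>
/// Gets claims identities from the specified SAML token as a GenericXmlSecurityToken
/// </summary>
/// <param name="token">SAML token to get identities from</param>
/// <param name="audienceUri">Audience URI used to obtain the token</param>
/// <param name="trustIssuer">True to automatically trust the issuer.
/// False to validate the issuer against the app configuration</param>
/// <returns>A collection of claims identities from the SAML token.</returns>
/// <exception cref="ArgumentNullException"><paramref name="token"/> is null.</exception>
/// <exception cref="ArgumentException"><paramref name="token"/> is neither a SAML token nor a
/// generic XML token holding a SAML assertion, or (with <paramref name="trustIssuer"/> true) the
/// assertion is not signed with an X.509 certificate.</exception>
/// <exception cref="InvalidOperationException">The handler's issuer name registry is not a
/// <c>ConfigurationBasedIssuerNameRegistry</c>, so no issuer can be registered.</exception>
/// <remarks>
/// The signing certificate validator is set to <c>X509CertificateValidator.None</c>, so the
/// certificate's chain and revocation status are never checked; trust rests entirely on the
/// issuer name registry. With <paramref name="trustIssuer"/> true, the thumbprint of whichever
/// certificate signed the incoming token is registered as trusted, which means any signer is
/// accepted and the issuer is not authenticated at all. That mode is only appropriate where the
/// token source is trusted out of band (for example local development); production callers should
/// pass false so the issuer is checked against the configured registry.
/// </remarks>
public static IEnumerable<ClaimsIdentity> GetIdentitiesFromSamlToken(SecurityToken token, string audienceUri, bool trustIssuer)
{
    if (token == null)
    {
        throw new ArgumentNullException(nameof(token));
    }

    SamlSecurityTokenHandler handler = new SamlSecurityTokenHandler
    {
        Configuration = new SecurityTokenHandlerConfiguration()
    };

    SamlSecurityToken samlToken = token as SamlSecurityToken;
    if (samlToken == null && token is GenericXmlSecurityToken xmlToken)
    {
        // A generic XML token carries the raw assertion; re-read it as a SAML token.
        using (XmlNodeReader reader = new XmlNodeReader(xmlToken.TokenXml))
        {
            samlToken = handler.ReadToken(reader) as SamlSecurityToken;
        }
    }

    if (samlToken == null)
    {
        throw new ArgumentException("The token must be a SAML token or a generic XML SAML token", nameof(token));
    }

    // No chain/revocation validation of the signing certificate; issuer trust is decided by the registry only.
    handler.SamlSecurityTokenRequirement.CertificateValidator = X509CertificateValidator.None;
    handler.Configuration.AudienceRestriction.AllowedAudienceUris.Add(new Uri(audienceUri));

    if (trustIssuer)
    {
        // configure to auto-trust the issuer
        ConfigurationBasedIssuerNameRegistry issuers =
            handler.Configuration.IssuerNameRegistry as ConfigurationBasedIssuerNameRegistry;
        if (issuers == null)
        {
            // The original code dereferenced this unconditionally and would have thrown a NullReferenceException.
            throw new InvalidOperationException(
                "The handler's IssuerNameRegistry is not a ConfigurationBasedIssuerNameRegistry; cannot register the signing certificate as a trusted issuer.");
        }

        X509SecurityToken signingToken = samlToken.Assertion.SigningToken as X509SecurityToken;
        if (signingToken == null)
        {
            throw new ArgumentException(
                "The SAML assertion must be signed with an X.509 certificate when trustIssuer is true", nameof(token));
        }

        // Trusts the certificate that signed THIS token, so this branch accepts any signer.
        issuers.AddTrustedIssuer(signingToken.Certificate.Thumbprint, "sts");
    }
    else
    {
        // Issuer trust comes from the <issuerNameRegistry> section of the app configuration.
        handler.Configuration.IssuerNameRegistry.LoadCustomConfiguration(
            SystemIdentityModelSection.DefaultIdentityConfigurationElement.IssuerNameRegistry.ChildNodes);
    }

    return handler.ValidateToken(samlToken);
}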
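/// <summary>
/// Validates the token using the wrapped token handler and generates IAuthorizationPolicy
/// wrapping the returned ClaimsIdentities.
/// </summary>
/// <param name="token">Token to be validated.</param>
/// <returns>Read-only collection of IAuthorizationPolicy</returns>
/// <exception cref="InvalidOperationException">The exception mapper reported a validation
/// failure as handled without throwing, so no identities are available to build a policy from.</exception>
protected override ReadOnlyCollection<IAuthorizationPolicy> ValidateTokenCore(SecurityToken token)
{
    IEnumerable<ClaimsIdentity> identities = null;
    try
    {
        identities = _wrappedSaml11SecurityTokenHandler.ValidateToken(token);
    }
    catch (Exception ex)
    {
        // Let the mapper translate the failure; if it reports the exception as unhandled,
        // rethrow the original (bare `throw;` keeps the stack trace).
        if (!_exceptionMapper.HandleSecurityTokenProcessingException(ex))
        {
            throw;
        }
    }

    // Fail closed: reaching here with no identities means validation failed but the mapper
    // returned true without throwing. Never issue a policy wrapping a null identity set.
    if (identities == null)
    {
        throw new InvalidOperationException("Token validation failed and produced no identities.");
    }

    List<IAuthorizationPolicy> policies = new List<IAuthorizationPolicy>(1)
    {
        new AuthorizationPolicy(identities)
    };
    return policies.AsReadOnly();
}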
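/// <summary>
/// Reads the SAML token stored in <c>Resource.EpamToken</c>, validates it with a handler whose
/// issuer registry trusts <c>CERTIFICATE_THUMBPRINT</c>, and prints the first resulting identity.
/// </summary>
/// <remarks>
/// Two checks are deliberately relaxed in the handler configuration: audience restriction is
/// <c>AudienceUriMode.Never</c> and <c>MaxClockSkew</c> is <c>TimeSpan.MaxValue</c>, so neither the
/// audience nor the validity window of the stored token is enforced. Only the issuer (by thumbprint)
/// is checked, which is what makes this usable against an old, captured token.
/// </remarks>
/// <exception cref="InvalidOperationException">The resource content did not deserialize as a SAML token.</exception>
public void ReadEpamSignedSamlToken()
{
    var tokenHandler = new SamlSecurityTokenHandler();

    var issuerRegistry = new ConfigurationBasedIssuerNameRegistry();
    issuerRegistry.AddTrustedIssuer(CERTIFICATE_THUMBPRINT, ISSUER_NAME);

    tokenHandler.Configuration = new SecurityTokenHandlerConfiguration()
    {
        AudienceRestriction = new AudienceRestriction(AudienceUriMode.Never),
        IssuerNameRegistry = issuerRegistry,
        MaxClockSkew = TimeSpan.MaxValue
    };

    SamlSecurityToken token;
    // The reader was previously left undisposed; scope it to the read.
    using (var xmlReader = XmlReader.Create(new StringReader(Resource.EpamToken)))
    {
        token = tokenHandler.ReadToken(xmlReader, new NamedKeyIssuerTokenResolver()) as SamlSecurityToken;
    }

    // The `as` cast yields null for a non-SAML result; fail with a clear message instead of an NRE inside ValidateToken.
    if (token == null)
    {
        throw new InvalidOperationException("Resource.EpamToken did not deserialize as a SamlSecurityToken.");
    }

    var identity = tokenHandler.ValidateToken(token).First();
    PrintIdentity(identity);
}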
/// <summary>
/// Runs the SAML 1 handler's validation over the stored token and validation parameters.
/// The validated token output and the returned principal are both discarded: this method
/// exercises the validation path only and inspects nothing.
/// </summary>
public void Saml1TokenHandlerValidateToken() =>
    _saml1SecurityTokenHandler.ValidateToken(_saml1Token, _tokenValidationParameters, out _);
/// <summary>
/// Validates a SAML token with the shared handler from <c>TokenHelper</c> and returns the first
/// identity it produces.
/// </summary>
/// <param name="token">SAML token to validate.</param>
/// <returns>The first <see cref="ClaimsIdentity"/> produced by validation, or <c>null</c> when
/// validation returns no identities — callers must treat a null result as "not authenticated".</returns>
internal static ClaimsIdentity ValidateSaml(SamlSecurityToken token)
{
    var samlHandler = TokenHelper.GetSamlHandler();
    var identities = samlHandler.ValidateToken(token);
    return identities.FirstOrDefault();
}