/// <summary>
/// Creates a System.ServiceModel.ServiceHost for a specified type of service with a specific base address.
/// </summary>
/// <param name="serviceType">Specifies the type of service to host.</param>
/// <param name="baseAddresses">The System.Array of type System.Uri that contains the base addresses for the service hosted.</param>
/// <returns></returns>
protected override ServiceHost CreateServiceHost(Type serviceType, Uri[] baseAddresses)
{
IServiceProvider sp = DI.DefaultServiceProvider;
Type stsc = typeof(SecurityTokenServiceConfiguration);
if (stsc.IsAssignableFrom(serviceType))
{
// try resolving concrete or base STS configuration first to enable DI for it
SecurityTokenServiceConfiguration stsConfig = sp.GetService(serviceType) as SecurityTokenServiceConfiguration;
if (stsConfig == null)
{
stsConfig = sp.GetService(stsc) as SecurityTokenServiceConfiguration;
}
if (stsConfig == null)
{
stsConfig = Activator.CreateInstance(serviceType) as SecurityTokenServiceConfiguration;
}
ServiceHost host = new WSTrustServiceHost(stsConfig, baseAddresses);
if (stsConfig.ServiceCertificate != null)
{
host.Credentials.ServiceCertificate.Certificate = stsConfig.ServiceCertificate;
}
return(host);
}
return(new ServiceProviderHost(sp, serviceType, baseAddresses));
}
public CustomSecurityTokenService(string loginProviderName, SecurityTokenServiceConfiguration securityTokenServiceConfiguration, EncryptingCredentials encryptingCredentials, IDragonUserStore <T> userStore)
: base(securityTokenServiceConfiguration)
{
_loginProviderName = loginProviderName;
_encryptingCredentials = encryptingCredentials;
_userStore = userStore;
}
static void Main(string[] args)
{
SigningCredentials signingCreds = new X509SigningCredentials("CN=MySTS".ToCertificate());
SecurityTokenServiceConfiguration config =
new SecurityTokenServiceConfiguration("http://MySTS", signingCreds);
config.SecurityTokenHandlers.AddOrReplace(new CustomUsernameTokenHandler());
config.SecurityTokenService = typeof(MySecurityTokenService);
// Create the WS-Trust service host with our STS configuration
var host = new WSTrustServiceHost(config, new Uri("http://localhost:6000/MySTS"));
try
{
host.Open();
Console.WriteLine("STS is ready to issue tokens… Press ENTER to shutdown");
Console.ReadLine();
host.Close();
}
finally
{
if (host.State != CommunicationState.Faulted)
{
host.Close();
}
else
{
host.Abort();
}
}
}
/// <summary>
/// Creates a ServiceHost instance. To register a Security Token Service in IIS create
/// a .svc file in the following format.
/// <%@ServiceHost language=c# Debug="true" Factory="UserNameCardStsHostFactory" Service="<CustomSecurityTokenServiceConfiguration>" %>
/// </summary>
/// <param name="constructorString">The STSConfiguration name that is passed to the Service argument in the .svc file.</param>
/// <param name="baseAddresses">The address under which the .svc file is registered.</param>
/// <returns>Instance of Service Host.</returns>
/// <exception cref="ArgumentNullException">One of the input arguments is either null or is an empty string.</exception>
/// <exception cref="InvalidOperationException">The 'constructorString' parameter does not refer to a type 'SecurityTokenServiceConfiguration'.</exception>
public override ServiceHostBase CreateServiceHost( string constructorString, Uri[] baseAddresses )
{
if ( String.IsNullOrEmpty( constructorString ) )
{
throw new ArgumentNullException( "constructorString" );
}
if ( baseAddresses == null )
{
throw new ArgumentNullException( "baseAddresses" );
}
SecurityTokenServiceConfiguration securityTokenServiceConfiguration = CreateSecurityTokenServiceConfiguration( constructorString );
if ( securityTokenServiceConfiguration == null )
{
throw new InvalidOperationException( "CreateSecurityTokenServiceConfiguration return a null SecurityTokenServiceConfiguration object" );
}
WSTrustServiceHost serviceHost = new WSTrustServiceHost( securityTokenServiceConfiguration, baseAddresses );
//
// Configure an EndpointIdentity for the service host.
// If no EndpointIdentity is required, you may wish to set the SecurityTokenServiceConfiguration.TrustEndpoints property instead.
//
serviceHost.Description.Endpoints.Add( new ServiceEndpoint(
ContractDescription.GetContract( typeof( IWSTrust13SyncContract ) ),
new UserNameWSTrustBinding( SecurityMode.TransportWithMessageCredential ),
new EndpointAddress( new Uri( StsAddress ), EndpointIdentity.CreateX509CertificateIdentity( SslCert ) ) ) );
serviceHost.Description.Behaviors.Find<ServiceMetadataBehavior>().HttpsGetUrl = new Uri( StsMexAddress );
return serviceHost;
}
/// <summary>
/// Call the STS to get an appropriate token for a request and build a response.
/// </summary>
/// <param name="requestMessage"></param>
/// <returns>The <see cref="SignInResponseMessage"/></returns>
private SignInResponseMessage ProcessSignInRequest(SignInRequestMessage requestMessage)
{
// Ensure that the requestMessage has the required wtrealm parameter
if (String.IsNullOrEmpty(requestMessage.Realm))
{
throw new InvalidOperationException("Missing realm");
}
SecurityTokenServiceConfiguration stsconfig = new SecurityTokenServiceConfiguration("PassiveFlowSTS");
// Create our STS backend
SecurityTokenService sts = new CustomSecurityTokenService(stsconfig);
// Create the WS-Federation serializer to process the request and create the response
WSFederationSerializer federationSerializer = new WSFederationSerializer();
// Create RST from the request
RequestSecurityToken request = federationSerializer.CreateRequest(requestMessage, new WSTrustSerializationContext());
// Get RSTR from our STS backend
RequestSecurityTokenResponse response = sts.Issue((ClaimsPrincipal)Thread.CurrentPrincipal, request);
// Create Response message from the RSTR
return(new SignInResponseMessage(new Uri(response.ReplyTo),
federationSerializer.GetResponseAsString(response, new WSTrustSerializationContext())));
}
static void Main(string[] args)
{
// Create and setup the configuration for our STS
SecurityTokenServiceConfiguration config = new SecurityTokenServiceConfiguration("STS");
// Add the STS endpoint information
config.TrustEndpoints.Add(
new ServiceHostEndpointConfiguration(typeof(IWSTrust13SyncContract), GetSTSBinding(), "http://localhost:6000/STS"));
// Set the STS implementation class type
config.SecurityTokenService = typeof(CustomSecurityTokenService);
SecurityTokenHandlerCollection actAsHandlerCollection = config.SecurityTokenHandlerCollectionManager[SecurityTokenHandlerCollectionManager.Usage.ActAs];
actAsHandlerCollection.Configuration.IssuerNameRegistry = new ActAsIssuerNameRegistry();
// The token that we receive in the <RequestSecurityToken><ActAs> element was issued to the service proxies.
// By adding the proxy audience URIs here we are enforcing the implicit contract that the STS will accept
// only tokens issued to the proxy as an ActAs token.
actAsHandlerCollection.Configuration.AudienceRestriction.AllowedAudienceUris.Add(new Uri("https://localhost/WFE/default.aspx"));
actAsHandlerCollection.Configuration.AudienceRestriction.AllowedAudienceUris.Add(new Uri("http://localhost/Service1/Service1.svc"));
// Create the WS-Trust service host with our STS configuration
using (WSTrustServiceHost host = new WSTrustServiceHost(config, new Uri("http://localhost:6000/STS")))
{
host.Open();
Console.WriteLine("STS started, press ENTER to stop ...");
Console.ReadLine();
host.Close();
}
}
/// <summary>
///
/// </summary>
/// <param name="requestMessage"></param>
/// <param name="config"></param>
/// <param name="withRefreshToken"></param>
/// <returns></returns>
public static AccessTokenResponse ProcessAccessTokenRequest(AccessTokenRequest requestMessage, SecurityTokenServiceConfiguration config, Boolean withRefreshToken)
{
ServicePointManager.ServerCertificateValidationCallback = (sender, certificate, chain, errors) => true;
// Call issuer to create token
WSTrustChannelFactory factory = new WSTrustChannelFactory("issuer");
// TODO: factory.Credentials.UserName.UserName = requestMessage.Name ?? requestMessage.ClientId;
// TODO: factory.Credentials.UserName.Password = requestMessage.Password ?? requestMessage.ClientSecret;
WSTrustChannel issuer = factory.CreateChannel() as WSTrustChannel;
RequestSecurityToken rst = new RequestSecurityToken(WSTrust13Constants.RequestTypes.Issue);
rst.AppliesTo = new EndpointAddress("https://wrap.client");
rst.KeyType = WSTrust13Constants.KeyTypes.Bearer;
RequestSecurityTokenResponse response = null;
issuer.Issue(rst, out response);
WSTrustSerializationContext context = new WSTrustSerializationContext(
config.SecurityTokenHandlerCollectionManager,
config.CreateAggregateTokenResolver(),
config.IssuerTokenResolver);
// Create response
var token = response.RequestedSecurityToken.SecurityToken;
if (null == token)
{
using (XmlReader reader = new XmlNodeReader(response.RequestedSecurityToken.SecurityTokenXml))
{
token = FederatedAuthentication.ServiceConfiguration.SecurityTokenHandlers.ReadToken(reader);
}
token = ConvertToSimpleWebToken(token, response);
}
// Write token
return WriteToken(token, withRefreshToken);
}
protected override ServiceHost CreateServiceHost(Type serviceType, Uri[] baseAddresses)
{
SecurityTokenServiceConfiguration config = GetSecureTokenServiceConfiguration();
var host = new UnityWSTrustServiceHost(_unityContainer, config, baseAddresses);
return(host);
}
private ActionResult SignIn(string replyToAddress)
{
var user = HttpContext.Current.User.Identity.IsAuthenticated ? PreviouslyAuthenticated(replyToAddress) : AuthenticateAndCreateCookie(replyToAddress);
var config = new SecurityTokenServiceConfiguration("http://sts.local", new X509SigningCredentials(LoadCertificate()));
FederatedPassiveSecurityTokenServiceOperations.ProcessRequest(HttpContext.Current.Request, (ClaimsPrincipal)user, new CustomTokenService(config), HttpContext.Current.Response);
return(new HttpStatusCodeResult(HttpStatusCode.OK));
}
public static TestSts Create()
{
var signingCredentials = new X509SigningCredentials(GetCertificate());
var configuration = new SecurityTokenServiceConfiguration(Issuer, signingCredentials);
return(new TestSts(configuration));
}
/// <summary>
/// Use this constructor to initialize scope provider and token issuer certificate.
/// </summary>
/// <param name="securityTokenServiceConfiguration">The SecurityTokenServiceConfiguration that will have the related settings for the STS.</param>
protected SecurityTokenService(SecurityTokenServiceConfiguration securityTokenServiceConfiguration)
{
if (securityTokenServiceConfiguration == null)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("securityTokenServiceConfiguration");
}
_securityTokenServiceConfiguration = securityTokenServiceConfiguration;
}
public SamlTokenService(SecurityTokenServiceConfiguration configuration, IConfigurationRepository configurationRepository, IUserRepository userRepository, IClaimsRepository claimsRepository, IIdentityProviderRepository identityProviderRepository, IClaimsTransformationRulesRepository claimsTransformationRulesRepository)
: base(configuration)
{
UserRepository = userRepository;
ClaimsRepository = claimsRepository;
IdentityProviderRepository = identityProviderRepository;
ClaimsTransformationRulesRepository = claimsTransformationRulesRepository;
ConfigurationRepository = configurationRepository;
}
public FederationSecurityTokenService(SecurityTokenServiceConfiguration configuration)
: base(configuration)
{
using (var container = new UnityContainer())
{
ContainerBootstraper.RegisterTypes(container);
this.tenantStore = container.Resolve<ITenantStore>();
}
}
public TokenService(SecurityTokenServiceConfiguration configuration, IConfigurationRepository configurationRepository, IUserRepository userRepository, IClaimsRepository claimsRepository, IIdentityProviderRepository identityProviderRepository, IClaimsTransformationRulesRepository claimsTransformationRulesRepository)
: base(configuration)
{
UserRepository = userRepository;
ClaimsRepository = claimsRepository;
IdentityProviderRepository = identityProviderRepository;
ClaimsTransformationRulesRepository = claimsTransformationRulesRepository;
ConfigurationRepository = configurationRepository;
}
public MySecurityTokenService(SecurityTokenServiceConfiguration configuration)
: base(configuration)
{
// Setup the certificate our STS is going to use to sign the issued tokens
_signingCreds = new X509SigningCredentials(CertificateUtil.GetCertificate(StoreName.My, StoreLocation.LocalMachine, SigningCertificateName));
// We only support a single RP identity represented by the _encryptingCreds
_encryptingCreds = new X509EncryptingCredentials(CertificateUtil.GetCertificate(StoreName.My, StoreLocation.LocalMachine, EncryptingCertificateName));
}
private string ProcessSignIn(Uri url, ClaimsPrincipal user)
{
var requestMessage = (SignInRequestMessage)WSFederationMessage.CreateFromUri(url);
var config = new SecurityTokenServiceConfiguration(ConfigurationManager.AppSettings["SecurityTokenServiceEndpointUrl"], SecurityHelper.CreateSignupCredentialsFromConfig());
var encryptionCredentials = SecurityHelper.CreateEncryptingCredentialsFromConfig();
var sts = new CustomSecurityTokenService <AppMember>(WebConfigurationManager.AppSettings["LoginProviderName"], config, encryptionCredentials, _userStore);
var responseMessage = FederatedPassiveSecurityTokenServiceOperations.ProcessSignInRequest(requestMessage, user, sts);
return(responseMessage.WriteFormPost());
}
private SecurityTokenServiceConfiguration GetSecureTokenServiceConfiguration()
{
var signingCredentials = new X509SigningCredentials(CertificateHelper.GetCertificate(_tokenServiceOptions.CertificateStoreName, _tokenServiceOptions.CertificateStoreLocation, _tokenServiceOptions.CertificateSubject));
var config = new SecurityTokenServiceConfiguration(_tokenServiceOptions.CertificateIssuer, signingCredentials);
config.SecurityTokenHandlers.AddOrReplace(_unityContainer.Resolve <CustomAuthenticationHandler>());
config.SecurityTokenService = typeof(TokenService);
config.CertificateValidationMode = X509CertificateValidationMode.PeerOrChainTrust;
return(config);
}
public static string ProcessSignIn(Uri url, ClaimsPrincipal user)
{
var requestMessage = (SignInRequestMessage)WSFederationMessage.CreateFromUri(url);
var signingCredentials = new X509SigningCredentials(CustomSecurityTokenService.GetCertificate2());
var config = new SecurityTokenServiceConfiguration($"{url.Scheme}://{url.Authority}/FederatedLogin/", signingCredentials);
var sts = new CustomSecurityTokenService(config);
var responseMessage = FederatedPassiveSecurityTokenServiceOperations.ProcessSignInRequest(requestMessage, user, sts);
return(responseMessage.WriteFormPost());
}
private static string ProcessSignIn(Uri url, ClaimsPrincipal user)
{
var requestMessage = (SignInRequestMessage)WSFederationMessage.CreateFromUri(url);
var signingCredentials = new X509SigningCredentials(CustomSecurityTokenService.GetCertificate(ConfigurationManager.AppSettings["SigningCertificateName"]));
var config = new SecurityTokenServiceConfiguration(ConfigurationManager.AppSettings["IssuerName"], signingCredentials);
var sts = new CustomSecurityTokenService(config);
var responseMessage = FederatedPassiveSecurityTokenServiceOperations.ProcessSignInRequest(requestMessage, user, sts);
return(responseMessage.WriteFormPost());
}
/// <summary>
/// The constructor.
/// </summary>
/// <param name="config">The <see cref="SecurityTokenServiceConfiguration"/> object to be
/// passed to the base class.</param>
public CustomSecurityTokenService(SecurityTokenServiceConfiguration config)
: base(config)
{
// Set up the localized DisplayClaim table for the "Given Name" display-tag in English, Italian, Spanish, and French locales
localizedDisplayClaimTable = new Dictionary <string, string>();
localizedDisplayClaimTable.Add("en-US", "Given Name");
localizedDisplayClaimTable.Add("it-IT", "Nome di Battesimo");
localizedDisplayClaimTable.Add("es-ES", "Nombre de Pila");
localizedDisplayClaimTable.Add("fr-FR", "Prénom");
}
/// <summary>
/// Processes a WS-Federation request.
/// </summary>
/// <param name="request">The WS-Federation request message.</param>
/// <param name="principal">The client principal.</param>
/// <param name="configuration">The token service configuration.</param>
public static void ProcessRequest(WSFederationMessage request, IClaimsPrincipal principal, SecurityTokenServiceConfiguration configuration)
{
Contract.Requires(request != null);
Contract.Requires(principal != null);
Contract.Requires(configuration != null);
HttpContext context = HttpContext.Current;
if (request.Action == WSFederationConstants.Actions.SignIn)
{
var response = ProcessSignInRequest(
(SignInRequestMessage)request,
principal,
configuration);
response.Write(context.Response.Output);
context.Response.Flush();
context.Response.End();
}
else if (request.Action == WSFederationConstants.Actions.SignOut)
{
var signOut = (SignOutRequestMessage)request;
ProcessSignOutRequest();
if (!String.IsNullOrEmpty(signOut.Reply))
{
context.Response.Redirect(signOut.Reply);
}
else
{
context.Response.Redirect("~/");
}
}
else if (request.Action == WSFederationConstants.Actions.SignOutCleanup)
{
var signOut = (SignOutCleanupRequestMessage)request;
ProcessSignOutRequest();
if (!String.IsNullOrEmpty(signOut.Reply))
{
context.Response.Redirect(signOut.Reply);
}
else
{
context.Response.Redirect("~/");
}
}
else
{
throw new InvalidOperationException(String.Format(
CultureInfo.InvariantCulture,
"Unsupported Action: {0}", request.Action));
}
}
public static System.IdentityModel.SecurityTokenService GetSecurityTokenService()
{
var config = new SecurityTokenServiceConfiguration(
ConfigurationManager.AppSettings["stsName"],
CertificateFactory.GetSigningCredentials())
{
DefaultTokenLifetime = new TimeSpan(1, 0, 0, 0)
};
return(new CustomSecurityTokenService(config));
}
/// <summary>
/// Initializes a new instance of the GenesisSecurityTokenService class.
/// </summary>
/// <param name="configuration">Configuration for the service.</param>
public STSService(SecurityTokenServiceConfiguration configuration)
: base(configuration)
{
_signingCreds = new X509SigningCredentials(
CertificateUtil.GetCertificateByThumbprint(StoreName.My, StoreLocation.LocalMachine, WebConfigurationManager.AppSettings[Common.SigningCertificateThumbprint]));
if (!string.IsNullOrWhiteSpace(WebConfigurationManager.AppSettings[Common.EncryptingCertificateName]))
{
_encryptingCreds = new X509EncryptingCredentials(
CertificateUtil.GetCertificateByThumbprint(StoreName.My, StoreLocation.LocalMachine, WebConfigurationManager.AppSettings[Common.EncryptingCertificateName]));
}
}
public CustomSecurityTokenService(SecurityTokenServiceConfiguration config)
: base(config)
{
this.signingCreds = new X509SigningCredentials(
CertificateUtil.GetCertificate(StoreName.Root, StoreLocation.LocalMachine, WebConfigurationManager.AppSettings[Common.SigningCertificateName]));
if (!string.IsNullOrWhiteSpace(WebConfigurationManager.AppSettings[Common.EncryptingCertificateName]))
{
this.encryptingCreds = new X509EncryptingCredentials(
CertificateUtil.GetCertificate(StoreName.Root, StoreLocation.LocalMachine, WebConfigurationManager.AppSettings[Common.EncryptingCertificateName]));
}
}
public TokenService(SecurityTokenServiceConfiguration securityTokenServiceConfiguration)
: base(securityTokenServiceConfiguration)
{
var options = new TokenServiceOptions();
options.CertificateStoreName = StoreName.Root;
options.CertificateStoreLocation = StoreLocation.LocalMachine;
options.CertificateIssuer = "CN=SecureTokenServiceTest";
options.CertificateSubject = "CN=SecureTokenServiceTest";
_tokenServiceOptions = options;
}
public CustomSecurityTokenService(SecurityTokenServiceConfiguration configuration)
: base(configuration)
{
// Setup the certificate our STS is going to use to sign the issued tokens
_signingCreds = new X509SigningCredentials(CertificateUtil.GetCertificate(StoreName.My, StoreLocation.LocalMachine, SIGNING_CERTIFICATE_NAME));
// Note: In this sample app only a si ngle RP identity is shown, which is localhost, and the certificate of that RP is
// populated as _encryptingCreds
// If you have multiple RPs for the STS you would select the certificate that is specific to
// the RP that requests the token and then use that for _encryptingCreds
_encryptingCreds = new X509EncryptingCredentials(CertificateUtil.GetCertificate(StoreName.My, StoreLocation.LocalMachine, ENCRYPTING_CERTIFICATE_NAME));
}
public CustomSecurityTokenService(SecurityTokenServiceConfiguration configuration)
: base(configuration)
{
_trustFabric = OpenTrustFabric();
// Setup certificate the STS is going to use to sign the issued tokens
configuration.SigningCredentials = new X509SigningCredentials(CertificateUtil.GetCertificate(StoreName.My, StoreLocation.LocalMachine, SigningCertificateName));
//configuration.SigningCredentials = new X509SigningCredentials(CertificateUtil.GetCertificate(StoreName.My, StoreLocation.LocalMachine, SigningCertificateName),
// "http://www.w3.org/2000/09/xmldsig#rsa-sha1",
// "http://www.w3.org/2000/09/xmldsig#sha1");
}
public CustomSecurityTokenService(SecurityTokenServiceConfiguration securityTokenServiceConfiguration)
: base(securityTokenServiceConfiguration)
{
//this.SigningCredentials = new X509SigningCredentials(
// GetCertificate(WebConfigurationManager.AppSettings["SigningCertificateName"])
// );
//if (!string.IsNullOrWhiteSpace(WebConfigurationManager.AppSettings["EncryptingCertificateName"]))
//{
// this.encryptingCreds = new X509EncryptingCredentials(
// GetCertificate( WebConfigurationManager.AppSettings["EncryptingCertificateName"])
// );
//}
}
private void SignIn(LoginModel model)
{
var claims = GetClaims(model.UserId);
var config = new SecurityTokenServiceConfiguration(
"SimIssuer",
new X509SigningCredentials(
new X509Certificate2(Server.MapPath(VirtualPathUtility.ToAbsolute("~/app_data/simissuer.pfx")), "SimIssuer", X509KeyStorageFlags.MachineKeySet),
"http://www.w3.org/2001/04/xmldsig-more#rsa-sha256",
"http://www.w3.org/2001/04/xmlenc#sha256"));
var tokenService = new TokenService(config);
var principal = new ClaimsPrincipal(new ClaimsIdentity(claims.Select(x => new System.Security.Claims.Claim(String.Concat(x.Namespace, "/", x.Name), x.Value))));
var requestUri = new Uri(BuildRequestUrl(model));
tokenService.ProcessSignIn(principal, requestUri);
}
private static string ProcessSignIn(Uri url, ClaimsPrincipal principal)
{
SignInRequestMessage requestMSG = (SignInRequestMessage)WSFederationMessage.CreateFromUri(url);
X509SigningCredentials credentials = new X509SigningCredentials
(GetX509Cert(ConfigurationManager.AppSettings["SigningCertificateName"]));
SecurityTokenServiceConfiguration config =
new SecurityTokenServiceConfiguration(ConfigurationManager.AppSettings["IssuerName"], credentials);
CustomSecurityTokenService sts = new CustomSecurityTokenService(config);
SignInResponseMessage finalResponse =
FederatedPassiveSecurityTokenServiceOperations.ProcessSignInRequest(requestMSG, principal, sts);
return(finalResponse.WriteFormPost());
}
protected CustomSecurityTokenService(SecurityTokenServiceConfiguration securityTokenServiceConfiguration)
: base(securityTokenServiceConfiguration)
{
var certificate = CertificateUtil.GetCertificate(StoreName.My, StoreLocation.LocalMachine,
WebConfigurationManager.AppSettings[Common.SigningCertificateName]);
_signingCredentials = new X509SigningCredentials(certificate);
if (!string.IsNullOrWhiteSpace(WebConfigurationManager.AppSettings[Common.EncryptingCertificateName]))
{
_encryptingCredentials = new X509EncryptingCredentials(
CertificateUtil.GetCertificate(StoreName.My, StoreLocation.LocalMachine
, WebConfigurationManager.AppSettings[Common.EncryptingCertificateName]));
}
}
private string ProcessSignIn(Uri url, ClaimsPrincipal user)
{
var requestMessage = (SignInRequestMessage)WSFederationMessage.CreateFromUri(url);
//var _signingCreds = new X509SigningCredentials(CertificateUtil.GetCertificate(StoreName.My, StoreLocation.LocalMachine, "CN=localhost"));
//var _signingCreds = new X509SigningCredentials(CertificateUtil.GetCertificate(StoreName.My, StoreLocation.LocalMachine, "CN=MySTSCert2"));
var _signingCreds = new X509SigningCredentials(CertificateUtil.GetCertificateFromFile(System.Web.HttpContext.Current.Server.MapPath(ConfigurationManager.AppSettings["CertName"])));
var config = new SecurityTokenServiceConfiguration("http://localhost:5000", _signingCreds);
var sts = new CustomSecurityTokenService(config);
var responseMessage = FederatedPassiveSecurityTokenServiceOperations.ProcessSignInRequest(requestMessage, user, sts);
return(responseMessage.WriteFormPost());
}
public static SecurityTokenServiceConfiguration CreateConfigurationFromExpectedUrl(string url)
{
var config = new SecurityTokenServiceConfiguration();
config.TokenIssuerName = "sts.test.larionov"; // hard-coded for testing purposes only !
config.SecurityTokenService = typeof(MySecurityTokenService);
config.DefaultTokenLifetime = TimeSpan.FromHours(2);
config.SecurityTokenHandlers.Add(new SimpleWebTokenHandler());
config.DefaultTokenType = SimpleWebTokenHandler.SimpleWebTokenTypeUri;
config.SigningCredentials = new SigningCredentials(new InMemorySymmetricSecurityKey(
Encoding.UTF8.GetBytes("wAVkldQiFypTQ+ddNdGWCBCHRcee9XmXxXvgmak8vSDm")), // hard-coded for testing purposes only !
SymmetricKeySignatureAlgorithm,
SymmetricKeyDigestAlgorithm);
return(config);
}
private static WSTrustServiceHost CreateSecurityTokenServiceHost()
{
var signingCredentials = new X509SigningCredentials(STSCertificate);
var stsConfig = new SecurityTokenServiceConfiguration(STSAddress, signingCredentials);
stsConfig.SecurityTokenService = typeof(CustomSecurityTokenService);
// Add the STS endpoint information
stsConfig.TrustEndpoints.Add(
new ServiceHostEndpointConfiguration(typeof(IWSTrust13SyncContract), GetSecurityTokenServiceBinding(), STSAddress));
// Setting the certificate will automatically populate the token resolver
// that is used to decrypt the client entropy in the RST.
stsConfig.ServiceCertificate = STSCertificate;
WSTrustServiceHost stsHost = new WSTrustServiceHost(stsConfig, new Uri(STSAddress));
return(stsHost);
}
public CustomSecurityTokenService(SecurityTokenServiceConfiguration configuration)
: base(configuration)
{
//
// Setup the certificate our STS is going to use to sign the issued tokens
//
_signingCreds = new X509SigningCredentials(
CertificateUtil.GetCertificate(
StoreName.My, StoreLocation.LocalMachine, SigningCertificateName));
//
// In this sample, we only support a single RP identity represented by the _encryptingCreds.
// However, this encrypting credential may differ based on the RP identity requesting a token in
// a production STS. See the comments in GetScope() for more details.
//
_encryptingCreds = new X509EncryptingCredentials(
CertificateUtil.GetCertificate(
StoreName.My, StoreLocation.LocalMachine, EncryptingCertificateName));
}
public override ServiceHostBase CreateServiceHost(string constructorString, Uri[] baseAddresses)
{
StreamWriter file = new StreamWriter("c:\\temp\\IdentityProviderSts.OnBehalfOfSecurityTokenServiceFactory - CreateServiceHost.txt", true);
file.WriteLine("_________________________________________");
file.WriteLine("DateTime: " + DateTime.Now.ToString());
file.WriteLine("constructorString:" + constructorString);
file.Close();
SecurityTokenServiceConfiguration config = new SecurityTokenServiceConfiguration("https://ha50idp:8544/IDP-STS/Issue.svc");
//Uri baseUri = baseAddresses.FirstOrDefault(a => a.Scheme == "https");
//if (baseUri == null)
// throw new InvalidOperationException("The STS should be hosted under https");
//config.TrustEndpoints.Add(new ServiceHostEndpointConfiguration(typeof(IWSTrust13SyncContract), GetCertificateCredentialsBinding(), baseUri + ""));
// Set the STS implementation class type
config.SecurityTokenService = typeof(CustomSecurityTokenService);
// Create a security token handler collection and then provide with a SAML11 security token
// handler and set the Audience restriction to Never
SecurityTokenHandlerCollection onBehalfOfHandlers = new SecurityTokenHandlerCollection();
Saml2SecurityTokenHandler onBehalfOfTokenHandler = new Saml2SecurityTokenHandler();
onBehalfOfHandlers.Add(onBehalfOfTokenHandler);
//onBehalfOfHandlers.Add(userNameTokenHandler);
onBehalfOfHandlers.Configuration.AudienceRestriction.AudienceMode = AudienceUriMode.Never;
// Set the appropriate issuer name registry
//onBehalfOfHandlers.Configuration.IssuerNameRegistry = new IdentityProviderIssuerNameRegistry();
// Set the token handlers collection
config.SecurityTokenHandlerCollectionManager[SecurityTokenHandlerCollectionManager.Usage.OnBehalfOf] = onBehalfOfHandlers;
// WindowsUserNameSecurityTokenHandler userNameTokenHandler = new WindowsUserNameSecurityTokenHandler();
// config.SecurityTokenHandlerCollectionManager[SecurityTokenHandlerCollectionManager.Usage.Default].Add(userNameTokenHandler);
WSTrustServiceHost host = new WSTrustServiceHost(config, baseAddresses);
return host;
}
public WrapIssuer(SecurityTokenServiceConfiguration configuration)
: this(configuration, null)
{
}
/// <summary>
/// Creates an instance of CustomSecurityTokenService.
/// </summary>
/// <param name="configuration">The SecurityTokenServiceConfiguration.</param>
/// <param name="encryptingCertificateName"></param>
public CustomSecurityTokenService(SecurityTokenServiceConfiguration configuration, string encryptingCertificateName)
: base(configuration)
{
_encryptingCertificateName = encryptingCertificateName;
}
public TokenService(SecurityTokenServiceConfiguration configuration, IUserRepository userRepository, IClaimsRepository claimsRepository)
: base(configuration)
{
UserRepository = userRepository;
ClaimsRepository = claimsRepository;
}
public MultiProtocolSecurityTokenService(SecurityTokenServiceConfiguration configuration, IConfigurationRepository multiProtocolConfiguration)
: base(configuration)
{
this.multiProtocolConfiguration = multiProtocolConfiguration;
}
/// <summary>
///
/// </summary>
/// <param name="requestMessage"></param>
/// <param name="config"></param>
/// <returns></returns>
public static AccessTokenResponse ProcessAccessTokenRequest(AccessTokenRequest requestMessage, SecurityTokenServiceConfiguration config)
{
return ProcessAccessTokenRequest(requestMessage, config, false);
}
// ToDo: Set enableAppliesToValidation to true to enable only the RP Url's specified in the ActiveClaimsAwareApps array to get a token from this STS
/// <summary>
/// The enable applies to validation.
/// </summary>
//private const bool EnableAppliesToValidation = false;
// ToDo: Add relying party Url's that will be allowed to get token from this STS
//static readonly string[] ActiveClaimsAwareApps = { ConfigurationManager.AppSettings["IssuerName"] };
/// <summary>
/// Creates an instance of CustomSecurityTokenService.
/// </summary>
/// <param name="configuration">The SecurityTokenServiceConfiguration.</param>
public WindowsSecurityTokenService(SecurityTokenServiceConfiguration configuration) : base(configuration)
{
}
public Sts(SecurityTokenServiceConfiguration configuration)
: this(configuration, null)
{
}
/// <summary>
/// Processes a WS-Federation sign in request.
/// </summary>
/// <param name="request">The request.</param>
/// <param name="principal">The client principal.</param>
/// <param name="configuration">The token service configuration.</param>
/// <returns>A SignInResponseMessage</returns>
public static SignInResponseMessage ProcessSignInRequest(SignInRequestMessage request, IClaimsPrincipal principal, SecurityTokenServiceConfiguration configuration)
{
Contract.Requires(request != null);
Contract.Requires(principal != null);
Contract.Requires(configuration != null);
Contract.Ensures(Contract.Result<SignInResponseMessage>() != null);
// create token service and serializers
var sts = configuration.CreateSecurityTokenService();
var context = new WSTrustSerializationContext(
sts.SecurityTokenServiceConfiguration.SecurityTokenHandlerCollectionManager,
sts.SecurityTokenServiceConfiguration.ServiceTokenResolver,
sts.SecurityTokenServiceConfiguration.IssuerTokenResolver);
var federationSerializer = new WSFederationSerializer(
sts.SecurityTokenServiceConfiguration.WSTrust13RequestSerializer,
sts.SecurityTokenServiceConfiguration.WSTrust13ResponseSerializer);
// convert ws-fed message to RST and call issue pipeline
var rst = federationSerializer.CreateRequest(request, context);
var rstr = sts.Issue(principal, rst);
// check ReplyTo
Uri result = null;
if (!Uri.TryCreate(rstr.ReplyTo, UriKind.Absolute, out result))
{
throw new InvalidOperationException("Invalid ReplyTo");
}
var response = new SignInResponseMessage(result, rstr, federationSerializer, context);
// copy the incoming context data (as required by the WS-Federation spec)
if (!String.IsNullOrEmpty(request.Context))
{
response.Context = request.Context;
}
return response;
}
/// <summary>
/// Creates an instance of CustomSecurityTokenService.
/// </summary>
/// <param name="configuration">The SecurityTokenServiceConfiguration.</param>
public CustomSecurityTokenService(SecurityTokenServiceConfiguration configuration)
: base(configuration)
{
}
public WrapIssuer(SecurityTokenServiceConfiguration configuration, ReadOnlyCollection<Claim> claimSet)
: base(configuration)
{
this.claimSet = claimSet;
}
public MultiProtocolSecurityTokenService(SecurityTokenServiceConfiguration configuration)
: this(configuration, new DefaultConfigurationRepository())
{
}
public TokenService(SecurityTokenServiceConfiguration configuration, IUserRepository userRepository)
: base(configuration)
{
_userRepository = userRepository;
}
/// <summary>
/// The constructor.
/// </summary>
/// <param name="config">The <see cref="SecurityTokenServiceConfiguration"/> object to be
/// passed to the base class.</param>
public RealmSecurityTokenService(SecurityTokenServiceConfiguration config)
: base(config)
{
}
/// <summary>
/// Initializes a new instance of the <see cref="TracingSecurityTokenService"/> class.
/// </summary>
/// <param name="configuration">The configuration.</param>
public TracingSecurityTokenService(SecurityTokenServiceConfiguration configuration)
: base(configuration)
{ }
public SimpleSecurityTokenService(SecurityTokenServiceConfiguration configuration)
: base( configuration )
{
}
public IdentityProviderSecurityTokenService(SecurityTokenServiceConfiguration configuration)
: base(configuration)
{
}
public SparkleTokenService(SecurityTokenServiceConfiguration securityTokenServiceConfiguration)
: base(securityTokenServiceConfiguration)
{
}
/// <summary>
/// Creates an instance of StotaxSecurityTokenService.
/// </summary>
/// <param name="configuration">The SecurityTokenServiceConfiguration.</param>
public DotnetKoelnSecurityTokenService(SecurityTokenServiceConfiguration configuration)
: base(configuration)
{
}
public InMemorySts(SecurityTokenServiceConfiguration configuration, X509Certificate2 encryptionKey)
: base(configuration)
{
_encryptionkey = encryptionKey;
}
public SamlTokenService(SecurityTokenServiceConfiguration configuration)
: base(configuration)
{
Container.Current.SatisfyImportsOnce(this);
}
public JwtSecurityTokenService(SecurityTokenServiceConfiguration securityTokenServiceConfiguration)
: base(securityTokenServiceConfiguration)
{
}
