public static SecurityToken GetToken(SecurityToken dobstsToken, string endpointUri, string spRealm)
{
// WSTrust call over SSL with credentails sent in the message.
var binding = new IssuedTokenWSTrustBinding();
binding.SecurityMode = SecurityMode.TransportWithMessageCredential;
var factory = new WSTrustChannelFactory(
binding,
endpointUri);
factory.TrustVersion = TrustVersion.WSTrust13;
factory.Credentials.SupportInteractive = false;
// Request Bearer Token so no keys or encryption required.
var rst = new RequestSecurityToken
{
RequestType = RequestTypes.Issue,
AppliesTo = new EndpointAddress(spRealm),
KeyType = KeyTypes.Bearer
};
// Make the request with the DobstsToken.
factory.ConfigureChannelFactory();
var channel = factory.CreateChannelWithIssuedToken(dobstsToken);
return channel.Issue(rst) as GenericXmlSecurityToken;
}
private static SecurityToken GetRSTSToken(SecurityToken token, string tokenType)
{
var binding = new IssuedTokenWSTrustBinding();
binding.SecurityMode = SecurityMode.TransportWithMessageCredential;
var issuredTokenEP = ConfigurationManager.AppSettings["issuedtokenEP"].ToString();
if (issuredTokenEP.ToLower().EndsWith("issuedtokenmixedasymmetricbasic256sha256") ||
issuredTokenEP.ToLower().EndsWith("issuedtokenmixedsymmetricbasic256sha256"))
{
binding.AlgorithmSuite = SecurityAlgorithmSuite.Basic256Sha256;
}
var factory = new WSTrustChannelFactory(binding, issuredTokenEP);
factory.TrustVersion = TrustVersion.WSTrust13;
factory.Credentials.SupportInteractive = false;
factory.Credentials.UseIdentityConfiguration = true;
var rst = new RequestSecurityToken
{
RequestType = "http://docs.oasis-open.org/ws-sx/ws-trust/200512/Issue",
AppliesTo = new EndpointReference(ConfigurationManager.AppSettings["issuedtokenAppliesTo"].ToString()),
KeyType = "http://docs.oasis-open.org/ws-sx/ws-trust/200512/Bearer",
TokenType = tokenType,
};
var channel = factory.CreateChannelWithIssuedToken(token);
return(channel.Issue(rst));
}
private SecurityToken RequestFederationToken(GenericXmlSecurityToken xmlToken, string appliesTo)
{
var adfsEndpoint = _configuration.AdfsIntegration.FederationEndpoint;
var rst = new RequestSecurityToken
{
RequestType = RequestTypes.Issue,
AppliesTo = new EndpointReference(appliesTo),
KeyType = KeyTypes.Bearer
};
var binding = new IssuedTokenWSTrustBinding();
binding.SecurityMode = SecurityMode.TransportWithMessageCredential;
var factory = new WSTrustChannelFactory(
binding,
new EndpointAddress(adfsEndpoint));
factory.TrustVersion = TrustVersion.WSTrust13;
factory.Credentials.SupportInteractive = false;
var channel = factory.CreateChannelWithIssuedToken(xmlToken);
return(channel.Issue(rst));
}
public SecurityToken Login(string userName, string password, string schoolId, string tenantId, string applicationServerUrl, string securityServerUrl)
{
SecurityToken identityToken;
using (WSTrustChannelFactory factory = GetTrustChannelFactory(securityServerUrl))
{
if (factory.Credentials == null)
{
throw new Exception("Credentails are null");
}
factory.Credentials.UserName.UserName = userName;
factory.Credentials.UserName.Password = password;
factory.Credentials.SupportInteractive = false;
var rst = new RequestSecurityToken(
RequestTypes.Issue,
KeyTypes.Bearer)
{
AppliesTo = new EndpointReference(applicationServerUrl)
};
IWSTrustChannelContract channel = factory.CreateChannel();
RequestSecurityTokenResponse response;
identityToken = channel.Issue(rst, out response);
}
using (WSTrustChannelFactory factory = GetTrustChannelFactory(securityServerUrl))
{
if (factory.Credentials == null)
{
throw new Exception("Credentails are null");
}
factory.Credentials.UserName.UserName = userName;
factory.Credentials.UserName.Password = password;
factory.Credentials.SupportInteractive = false;
factory.Credentials.UseIdentityConfiguration = true;
factory.CreateChannelWithIssuedToken(identityToken);
var channel = factory.CreateChannel();
var rst = new RequestSecurityToken(
RequestTypes.Issue,
KeyTypes.Bearer)
{
AdditionalContext = new AdditionalContext()
};
rst.AdditionalContext.Items.Add(new ContextItem(new Uri(SimsLoginContextSchoolClaimUrl), schoolId));
rst.AdditionalContext.Items.Add(new ContextItem(new Uri(SimsLoginContextTenantClaimUrl), tenantId));
rst.AppliesTo = new EndpointReference(applicationServerUrl);
rst.ActAs = new SecurityTokenElement(identityToken);
RequestSecurityTokenResponse response;
return(channel.Issue(rst, out response));
}
}
public SecurityToken IssueOAuth2SecurityToken(SecurityToken foreignToken, string rpEndpoint, string appliesTo, string localTokenType, out RequestSecurityTokenResponse rstr, string keyType)
{
ServicePointManager.SecurityProtocol |= SecurityProtocolType.Tls12;
// Authenticate with a SAML Bearer token
var wsHttpBinding = new WS2007FederationHttpBinding(WSFederationHttpSecurityMode.TransportWithMessageCredential);
wsHttpBinding.Security.Message.EstablishSecurityContext = false;
wsHttpBinding.Security.Message.NegotiateServiceCredential = false;
wsHttpBinding.Security.Message.IssuedKeyType = SecurityKeyType.BearerKey;
Binding binding = wsHttpBinding;
// Define the STS endpoint
var endpoint = new EndpointAddress(new Uri(rpEndpoint));
var factory = new WSTrustChannelFactory(binding, endpoint)
{
TrustVersion = TrustVersion.WSTrust13
};
if (factory.Credentials != null)
{
factory.Credentials.SupportInteractive = false; // avoid that Cardspace dialog
//http://stackoverflow.com/questions/11312314/cannot-serialize-saml2assertionkeyidentifierclause
factory.Credentials.UseIdentityConfiguration = true;
}
// Now we define the Request for Security Token (RST)
var rst = new RequestSecurityToken()
{
//identifiy which local token we want
AppliesTo = new EndpointReference(appliesTo),
//identify what type of request this is (Issue or Validate)
RequestType = RequestTypes.Issue,
//set what kind of token we want returned (appliesTo will override this)
TokenType = localTokenType,
//set the keytype (symmetric, asymmetric (pub key) or bearer - null = Sender Vouches)
KeyType = null
};
//create the channel (using the SAML token received from the WSC)
var channel = factory.CreateChannelWithIssuedToken(foreignToken);
//send the token issuance command
var token = channel.Issue(rst, out rstr);
return(token);
}
/// <summary>
/// Requester et security token fra AD FS 2.0 sts'en via
/// Issued Token authentication
/// Token'et kan derpå vedhæftes et kald til en service.
/// Der kan angives et optionelt ActAs security token.
/// Hvis dette token angives vil kaldet til STS'en blive et ActAs kald
/// </summary>
public static SecurityToken RequestSecurityTokenWithIssuedTokenAuth(
EndpointAddress stsAddress,
EndpointAddress serviceAddress,
EndpointAddress localStsAddress,
SecurityToken localToken,
X509Certificate2 stsEncryptionCert)
{
// What binding should I use here for the issuer binding?
var stsBinding = CreateBindingForAdfs2IssuedTokenBinding(localStsAddress);
// Lav channel factory
var channelFactory = new WSTrustChannelFactory(
stsBinding,
stsAddress);
if (channelFactory.Credentials != null)
{
channelFactory.Credentials.ServiceCertificate.ScopedCertificates.Add(
stsAddress.Uri, stsEncryptionCert);
}
// Lav channel og brug act as hvis der er et act as token med
var channel = (WSTrustChannel)channelFactory.CreateChannelWithIssuedToken(localToken);
try
{
// Lav RST med symmetric keys og saml 1.1 token
var requestSecurityToken = new RequestSecurityToken(RequestTypes.Issue)
{
AppliesTo = new EndpointReference(serviceAddress.ToString()),
TokenType = SecurityTokenTypes.Saml11TokenProfile11,
KeyType = KeyTypes.Symmetric
};
// Send request (RST) og modtag response (RSTR)
var securityToken = channel.Issue(requestSecurityToken);
return(securityToken);
}
finally
{
CloseChannel(channel);
}
}
private static SecurityToken IssueLocalSecurityToken(SecurityToken foreignToken, string RP_Endpoint, string appliesTo, out RequestSecurityTokenResponse RSTR, string keyType = KeyTypes.Bearer)
{
if (String.IsNullOrWhiteSpace(RP_Endpoint)) throw new ArgumentNullException("RP_Endpoint");
Binding binding = null;
// Authenticate with a SAML Bearer token
var WsHttpBinding = new WS2007FederationHttpBinding(WSFederationHttpSecurityMode.TransportWithMessageCredential);
WsHttpBinding.Security.Message.EstablishSecurityContext = false;
WsHttpBinding.Security.Message.NegotiateServiceCredential = false;
WsHttpBinding.Security.Message.IssuedKeyType = SecurityKeyType.BearerKey;
binding = WsHttpBinding;
// Define the STS endpoint
EndpointAddress endpoint = new EndpointAddress(new Uri(RP_Endpoint));
var factory = new WSTrustChannelFactory(binding, endpoint) { TrustVersion = TrustVersion.WSTrust13 };
factory.Credentials.SupportInteractive = false; // avoid that Cardspace dialog
// Now we define the Request for Security Token (RST)
RequestSecurityToken RST = new RequestSecurityToken()
{
//identifiy which local token we want
AppliesTo = new EndpointReference(appliesTo),
//identify what type of request this is (Issue or Validate)
RequestType = RequestTypes.Issue,
//set what kind of token we want returned (appliesTo will override this)
TokenType = tokenType,
//set the keytype (symmetric, asymmetric (pub key) or bearer - null = Sender Vouches)
KeyType = null
};
//create the channel (using the SAML token received from the WSC)
IWSTrustChannelContract channel = factory.CreateChannelWithIssuedToken(foreignToken);
//send the token issuance command
SecurityToken token = channel.Issue(RST, out RSTR);
return token;
}
private static RequestSecurityTokenResponse ValidateSecurityToken(SecurityToken foreignToken, string RP_Endpoint, string keyType = KeyTypes.Bearer)
{
if (String.IsNullOrWhiteSpace(RP_Endpoint)) throw new ArgumentNullException("RP_Endpoint");
Binding binding = null;
// Using a SAML bearer token
var WsHttpBinding = new WS2007FederationHttpBinding(WSFederationHttpSecurityMode.TransportWithMessageCredential);
WsHttpBinding.Security.Message.EstablishSecurityContext = false;
WsHttpBinding.Security.Message.NegotiateServiceCredential = false;
WsHttpBinding.Security.Message.IssuedKeyType = SecurityKeyType.BearerKey;
binding = WsHttpBinding;
// Define the STS endpoint
EndpointAddress endpoint = new EndpointAddress(new Uri(RP_Endpoint));
var factory = new WSTrustChannelFactory(binding, endpoint) { TrustVersion = TrustVersion.WSTrust13 };
factory.Credentials.SupportInteractive = false; // Avoid that CardSpace popup...
IWSTrustChannelContract channel = factory.CreateChannelWithIssuedToken(foreignToken); // When we create the Channel we specify the SAML token received from the WSC
// Build the RST
RequestSecurityToken RST = new RequestSecurityToken()
{
//identify what type of request this is (Issue or Validate)
RequestType = RequestTypes.Validate
};
// Send the Validate RST
RequestSecurityTokenResponse RSTR = channel.Validate(RST);
return RSTR;
}
private SecurityToken RequestFederationToken(GenericXmlSecurityToken xmlToken, string appliesTo)
{
var adfsEndpoint = this._configuration.AdfsIntegration.FederationEndpoint;
var rst = new RequestSecurityToken
{
RequestType = RequestTypes.Issue,
AppliesTo = new EndpointReference(appliesTo),
KeyType = KeyTypes.Bearer
};
var binding = new IssuedTokenWSTrustBinding();
binding.SecurityMode = SecurityMode.TransportWithMessageCredential;
var factory = new WSTrustChannelFactory(
binding,
new EndpointAddress(adfsEndpoint));
factory.TrustVersion = TrustVersion.WSTrust13;
factory.Credentials.SupportInteractive = false;
var channel = factory.CreateChannelWithIssuedToken(xmlToken);
return channel.Issue(rst);
}
private static SecurityToken RequestServiceToken(SecurityToken identityToken)
{
"Requesting service token".ConsoleYellow();
var binding = new IssuedTokenWSTrustBinding();
binding.SecurityMode = SecurityMode.TransportWithMessageCredential;
var factory = new WSTrustChannelFactory(
binding,
_acsEndpoint);
factory.TrustVersion = TrustVersion.WSTrust13;
factory.Credentials.SupportInteractive = false;
var rst = new RequestSecurityToken
{
RequestType = RequestTypes.Issue,
AppliesTo = new EndpointAddress("https://" + Constants.WebHost + "/webservicesecurity/"),
KeyType = KeyTypes.Symmetric
};
factory.ConfigureChannelFactory();
var channel = factory.CreateChannelWithIssuedToken(identityToken);
var token = channel.Issue(rst);
return token;
}
/// <summary>
/// Login to the application.
///
/// The login process takes two steps -
/// First; establish the identity of the user using standard credentials.
/// Second; use this identity to login to SIMS for the purpose of carrying out data querying.
/// </summary>
internal SecurityToken Login(string userName, string password, string schoolId, string tenantId)
{
// Temporaryily store the Identity Token issued by the identity server so that we can use it to prove our identity to the application login server.
// Note that; although iSIMS provides both Identity and Application logins on the same service endpoint (iSIMSSTS) the Identity Service might have
// a different endpoint where iSIMS has been integrated with an external identity management system such as ADFS, Shibboleth etc
// ReSharper disable once RedundantAssignment
SecurityToken identityToken = null;
// Step 1 : Pass credentials to the identity server to get a token bearing our verified identity.
using (WSTrustChannelFactory factory = GetTrustChannelFactory())
{
// Set up credentials
if (factory.Credentials == null)
{
throw new Exception("Credentails are null");
}
factory.Credentials.UserName.UserName = userName;
factory.Credentials.UserName.Password = password;
factory.Credentials.SupportInteractive = false;
// Create a "request for token" SOAP message.
RequestSecurityToken rst = new RequestSecurityToken(
// We want the security server to Issue us with a token
RequestTypes.Issue,
// We want the token type to be a Bearer token (i.e. not symmetric key or other mutually guaranteed certificate based mechanism)
KeyTypes.Bearer);
// We want a token that will permit us to communicate with the application server
rst.AppliesTo = new EndpointReference(_applicationServerAddress);
// Create the communicaiton channel
IWSTrustChannelContract channel = factory.CreateChannel();
// Request an identity token
RequestSecurityTokenResponse response;
identityToken = channel.Issue(rst, out response);
}
// Step 2 : Use the identity token to get a further token which can be used to access resources within the system. This token is obtained from the same
// location in this example, but the Application Identity Server (here) and the Identity Verification Server (above) might be different URLs in Single Sign-on
// implementations.
using (WSTrustChannelFactory factory = GetTrustChannelFactory())
{
// Provide the credentials again.
if (factory.Credentials == null)
{
throw new Exception("Credentails are null");
}
factory.Credentials.UserName.UserName = userName;
factory.Credentials.UserName.Password = password;
factory.Credentials.SupportInteractive = false;
// Because our communication now will be secured using our Identity Token we need to use some WIF extension methods to make sure the identity token
// is sent as a Cookie on the SOAP call that WCF will be generating.
factory.Credentials.UseIdentityConfiguration = true;
factory.CreateChannelWithIssuedToken(identityToken);
// Create the communication channel
IWSTrustChannelContract channel = factory.CreateChannel();
// create token request
RequestSecurityToken rst = new RequestSecurityToken(
// We want the security server to Issue us with a token
RequestTypes.Issue,
// We want the token type to be a Bearer token (i.e. not symmetric key or other mutually guaranteed certificate based mechanism)
KeyTypes.Bearer);
// Add the school ID that we claim to have access to.
rst.AdditionalContext = new AdditionalContext();
rst.AdditionalContext.Items.Add(new ContextItem(new Uri(SimsLoginContextSchoolClaimUrl), schoolId));
rst.AdditionalContext.Items.Add(new ContextItem(new Uri(SimsLoginContextTenantClaimUrl), tenantId));
// This is the endpoint for which the token will be valid.
rst.AppliesTo = new EndpointReference(_applicationServerAddress);
// Becuase we have already established our identity, we want this call to "Act As" us. This enables the receving web service to be passed our
// identity in the thread principal.
rst.ActAs = new SecurityTokenElement(identityToken);
// Request an application session token.
RequestSecurityTokenResponse response;
return(channel.Issue(rst, out response));
}
}
