public static SecurityToken GetToken(SecurityToken dobstsToken, string endpointUri, string spRealm) { // WSTrust call over SSL with credentails sent in the message. var binding = new IssuedTokenWSTrustBinding(); binding.SecurityMode = SecurityMode.TransportWithMessageCredential; var factory = new WSTrustChannelFactory( binding, endpointUri); factory.TrustVersion = TrustVersion.WSTrust13; factory.Credentials.SupportInteractive = false; // Request Bearer Token so no keys or encryption required. var rst = new RequestSecurityToken { RequestType = RequestTypes.Issue, AppliesTo = new EndpointAddress(spRealm), KeyType = KeyTypes.Bearer }; // Make the request with the DobstsToken. factory.ConfigureChannelFactory(); var channel = factory.CreateChannelWithIssuedToken(dobstsToken); return channel.Issue(rst) as GenericXmlSecurityToken; }
private static SecurityToken GetRSTSToken(SecurityToken token, string tokenType) { var binding = new IssuedTokenWSTrustBinding(); binding.SecurityMode = SecurityMode.TransportWithMessageCredential; var issuredTokenEP = ConfigurationManager.AppSettings["issuedtokenEP"].ToString(); if (issuredTokenEP.ToLower().EndsWith("issuedtokenmixedasymmetricbasic256sha256") || issuredTokenEP.ToLower().EndsWith("issuedtokenmixedsymmetricbasic256sha256")) { binding.AlgorithmSuite = SecurityAlgorithmSuite.Basic256Sha256; } var factory = new WSTrustChannelFactory(binding, issuredTokenEP); factory.TrustVersion = TrustVersion.WSTrust13; factory.Credentials.SupportInteractive = false; factory.Credentials.UseIdentityConfiguration = true; var rst = new RequestSecurityToken { RequestType = "http://docs.oasis-open.org/ws-sx/ws-trust/200512/Issue", AppliesTo = new EndpointReference(ConfigurationManager.AppSettings["issuedtokenAppliesTo"].ToString()), KeyType = "http://docs.oasis-open.org/ws-sx/ws-trust/200512/Bearer", TokenType = tokenType, }; var channel = factory.CreateChannelWithIssuedToken(token); return(channel.Issue(rst)); }
private SecurityToken RequestFederationToken(GenericXmlSecurityToken xmlToken, string appliesTo) { var adfsEndpoint = _configuration.AdfsIntegration.FederationEndpoint; var rst = new RequestSecurityToken { RequestType = RequestTypes.Issue, AppliesTo = new EndpointReference(appliesTo), KeyType = KeyTypes.Bearer }; var binding = new IssuedTokenWSTrustBinding(); binding.SecurityMode = SecurityMode.TransportWithMessageCredential; var factory = new WSTrustChannelFactory( binding, new EndpointAddress(adfsEndpoint)); factory.TrustVersion = TrustVersion.WSTrust13; factory.Credentials.SupportInteractive = false; var channel = factory.CreateChannelWithIssuedToken(xmlToken); return(channel.Issue(rst)); }
public SecurityToken Login(string userName, string password, string schoolId, string tenantId, string applicationServerUrl, string securityServerUrl) { SecurityToken identityToken; using (WSTrustChannelFactory factory = GetTrustChannelFactory(securityServerUrl)) { if (factory.Credentials == null) { throw new Exception("Credentails are null"); } factory.Credentials.UserName.UserName = userName; factory.Credentials.UserName.Password = password; factory.Credentials.SupportInteractive = false; var rst = new RequestSecurityToken( RequestTypes.Issue, KeyTypes.Bearer) { AppliesTo = new EndpointReference(applicationServerUrl) }; IWSTrustChannelContract channel = factory.CreateChannel(); RequestSecurityTokenResponse response; identityToken = channel.Issue(rst, out response); } using (WSTrustChannelFactory factory = GetTrustChannelFactory(securityServerUrl)) { if (factory.Credentials == null) { throw new Exception("Credentails are null"); } factory.Credentials.UserName.UserName = userName; factory.Credentials.UserName.Password = password; factory.Credentials.SupportInteractive = false; factory.Credentials.UseIdentityConfiguration = true; factory.CreateChannelWithIssuedToken(identityToken); var channel = factory.CreateChannel(); var rst = new RequestSecurityToken( RequestTypes.Issue, KeyTypes.Bearer) { AdditionalContext = new AdditionalContext() }; rst.AdditionalContext.Items.Add(new ContextItem(new Uri(SimsLoginContextSchoolClaimUrl), schoolId)); rst.AdditionalContext.Items.Add(new ContextItem(new Uri(SimsLoginContextTenantClaimUrl), tenantId)); rst.AppliesTo = new EndpointReference(applicationServerUrl); rst.ActAs = new SecurityTokenElement(identityToken); RequestSecurityTokenResponse response; return(channel.Issue(rst, out response)); } }
public SecurityToken IssueOAuth2SecurityToken(SecurityToken foreignToken, string rpEndpoint, string appliesTo, string localTokenType, out RequestSecurityTokenResponse rstr, string keyType) { ServicePointManager.SecurityProtocol |= SecurityProtocolType.Tls12; // Authenticate with a SAML Bearer token var wsHttpBinding = new WS2007FederationHttpBinding(WSFederationHttpSecurityMode.TransportWithMessageCredential); wsHttpBinding.Security.Message.EstablishSecurityContext = false; wsHttpBinding.Security.Message.NegotiateServiceCredential = false; wsHttpBinding.Security.Message.IssuedKeyType = SecurityKeyType.BearerKey; Binding binding = wsHttpBinding; // Define the STS endpoint var endpoint = new EndpointAddress(new Uri(rpEndpoint)); var factory = new WSTrustChannelFactory(binding, endpoint) { TrustVersion = TrustVersion.WSTrust13 }; if (factory.Credentials != null) { factory.Credentials.SupportInteractive = false; // avoid that Cardspace dialog //http://stackoverflow.com/questions/11312314/cannot-serialize-saml2assertionkeyidentifierclause factory.Credentials.UseIdentityConfiguration = true; } // Now we define the Request for Security Token (RST) var rst = new RequestSecurityToken() { //identifiy which local token we want AppliesTo = new EndpointReference(appliesTo), //identify what type of request this is (Issue or Validate) RequestType = RequestTypes.Issue, //set what kind of token we want returned (appliesTo will override this) TokenType = localTokenType, //set the keytype (symmetric, asymmetric (pub key) or bearer - null = Sender Vouches) KeyType = null }; //create the channel (using the SAML token received from the WSC) var channel = factory.CreateChannelWithIssuedToken(foreignToken); //send the token issuance command var token = channel.Issue(rst, out rstr); return(token); }
/// <summary> /// Requester et security token fra AD FS 2.0 sts'en via /// Issued Token authentication /// Token'et kan derpå vedhæftes et kald til en service. /// Der kan angives et optionelt ActAs security token. /// Hvis dette token angives vil kaldet til STS'en blive et ActAs kald /// </summary> public static SecurityToken RequestSecurityTokenWithIssuedTokenAuth( EndpointAddress stsAddress, EndpointAddress serviceAddress, EndpointAddress localStsAddress, SecurityToken localToken, X509Certificate2 stsEncryptionCert) { // What binding should I use here for the issuer binding? var stsBinding = CreateBindingForAdfs2IssuedTokenBinding(localStsAddress); // Lav channel factory var channelFactory = new WSTrustChannelFactory( stsBinding, stsAddress); if (channelFactory.Credentials != null) { channelFactory.Credentials.ServiceCertificate.ScopedCertificates.Add( stsAddress.Uri, stsEncryptionCert); } // Lav channel og brug act as hvis der er et act as token med var channel = (WSTrustChannel)channelFactory.CreateChannelWithIssuedToken(localToken); try { // Lav RST med symmetric keys og saml 1.1 token var requestSecurityToken = new RequestSecurityToken(RequestTypes.Issue) { AppliesTo = new EndpointReference(serviceAddress.ToString()), TokenType = SecurityTokenTypes.Saml11TokenProfile11, KeyType = KeyTypes.Symmetric }; // Send request (RST) og modtag response (RSTR) var securityToken = channel.Issue(requestSecurityToken); return(securityToken); } finally { CloseChannel(channel); } }
private static SecurityToken IssueLocalSecurityToken(SecurityToken foreignToken, string RP_Endpoint, string appliesTo, out RequestSecurityTokenResponse RSTR, string keyType = KeyTypes.Bearer) { if (String.IsNullOrWhiteSpace(RP_Endpoint)) throw new ArgumentNullException("RP_Endpoint"); Binding binding = null; // Authenticate with a SAML Bearer token var WsHttpBinding = new WS2007FederationHttpBinding(WSFederationHttpSecurityMode.TransportWithMessageCredential); WsHttpBinding.Security.Message.EstablishSecurityContext = false; WsHttpBinding.Security.Message.NegotiateServiceCredential = false; WsHttpBinding.Security.Message.IssuedKeyType = SecurityKeyType.BearerKey; binding = WsHttpBinding; // Define the STS endpoint EndpointAddress endpoint = new EndpointAddress(new Uri(RP_Endpoint)); var factory = new WSTrustChannelFactory(binding, endpoint) { TrustVersion = TrustVersion.WSTrust13 }; factory.Credentials.SupportInteractive = false; // avoid that Cardspace dialog // Now we define the Request for Security Token (RST) RequestSecurityToken RST = new RequestSecurityToken() { //identifiy which local token we want AppliesTo = new EndpointReference(appliesTo), //identify what type of request this is (Issue or Validate) RequestType = RequestTypes.Issue, //set what kind of token we want returned (appliesTo will override this) TokenType = tokenType, //set the keytype (symmetric, asymmetric (pub key) or bearer - null = Sender Vouches) KeyType = null }; //create the channel (using the SAML token received from the WSC) IWSTrustChannelContract channel = factory.CreateChannelWithIssuedToken(foreignToken); //send the token issuance command SecurityToken token = channel.Issue(RST, out RSTR); return token; }
private static RequestSecurityTokenResponse ValidateSecurityToken(SecurityToken foreignToken, string RP_Endpoint, string keyType = KeyTypes.Bearer) { if (String.IsNullOrWhiteSpace(RP_Endpoint)) throw new ArgumentNullException("RP_Endpoint"); Binding binding = null; // Using a SAML bearer token var WsHttpBinding = new WS2007FederationHttpBinding(WSFederationHttpSecurityMode.TransportWithMessageCredential); WsHttpBinding.Security.Message.EstablishSecurityContext = false; WsHttpBinding.Security.Message.NegotiateServiceCredential = false; WsHttpBinding.Security.Message.IssuedKeyType = SecurityKeyType.BearerKey; binding = WsHttpBinding; // Define the STS endpoint EndpointAddress endpoint = new EndpointAddress(new Uri(RP_Endpoint)); var factory = new WSTrustChannelFactory(binding, endpoint) { TrustVersion = TrustVersion.WSTrust13 }; factory.Credentials.SupportInteractive = false; // Avoid that CardSpace popup... IWSTrustChannelContract channel = factory.CreateChannelWithIssuedToken(foreignToken); // When we create the Channel we specify the SAML token received from the WSC // Build the RST RequestSecurityToken RST = new RequestSecurityToken() { //identify what type of request this is (Issue or Validate) RequestType = RequestTypes.Validate }; // Send the Validate RST RequestSecurityTokenResponse RSTR = channel.Validate(RST); return RSTR; }
private SecurityToken RequestFederationToken(GenericXmlSecurityToken xmlToken, string appliesTo) { var adfsEndpoint = this._configuration.AdfsIntegration.FederationEndpoint; var rst = new RequestSecurityToken { RequestType = RequestTypes.Issue, AppliesTo = new EndpointReference(appliesTo), KeyType = KeyTypes.Bearer }; var binding = new IssuedTokenWSTrustBinding(); binding.SecurityMode = SecurityMode.TransportWithMessageCredential; var factory = new WSTrustChannelFactory( binding, new EndpointAddress(adfsEndpoint)); factory.TrustVersion = TrustVersion.WSTrust13; factory.Credentials.SupportInteractive = false; var channel = factory.CreateChannelWithIssuedToken(xmlToken); return channel.Issue(rst); }
private static SecurityToken RequestServiceToken(SecurityToken identityToken) { "Requesting service token".ConsoleYellow(); var binding = new IssuedTokenWSTrustBinding(); binding.SecurityMode = SecurityMode.TransportWithMessageCredential; var factory = new WSTrustChannelFactory( binding, _acsEndpoint); factory.TrustVersion = TrustVersion.WSTrust13; factory.Credentials.SupportInteractive = false; var rst = new RequestSecurityToken { RequestType = RequestTypes.Issue, AppliesTo = new EndpointAddress("https://" + Constants.WebHost + "/webservicesecurity/"), KeyType = KeyTypes.Symmetric }; factory.ConfigureChannelFactory(); var channel = factory.CreateChannelWithIssuedToken(identityToken); var token = channel.Issue(rst); return token; }
/// <summary> /// Login to the application. /// /// The login process takes two steps - /// First; establish the identity of the user using standard credentials. /// Second; use this identity to login to SIMS for the purpose of carrying out data querying. /// </summary> internal SecurityToken Login(string userName, string password, string schoolId, string tenantId) { // Temporaryily store the Identity Token issued by the identity server so that we can use it to prove our identity to the application login server. // Note that; although iSIMS provides both Identity and Application logins on the same service endpoint (iSIMSSTS) the Identity Service might have // a different endpoint where iSIMS has been integrated with an external identity management system such as ADFS, Shibboleth etc // ReSharper disable once RedundantAssignment SecurityToken identityToken = null; // Step 1 : Pass credentials to the identity server to get a token bearing our verified identity. using (WSTrustChannelFactory factory = GetTrustChannelFactory()) { // Set up credentials if (factory.Credentials == null) { throw new Exception("Credentails are null"); } factory.Credentials.UserName.UserName = userName; factory.Credentials.UserName.Password = password; factory.Credentials.SupportInteractive = false; // Create a "request for token" SOAP message. RequestSecurityToken rst = new RequestSecurityToken( // We want the security server to Issue us with a token RequestTypes.Issue, // We want the token type to be a Bearer token (i.e. not symmetric key or other mutually guaranteed certificate based mechanism) KeyTypes.Bearer); // We want a token that will permit us to communicate with the application server rst.AppliesTo = new EndpointReference(_applicationServerAddress); // Create the communicaiton channel IWSTrustChannelContract channel = factory.CreateChannel(); // Request an identity token RequestSecurityTokenResponse response; identityToken = channel.Issue(rst, out response); } // Step 2 : Use the identity token to get a further token which can be used to access resources within the system. This token is obtained from the same // location in this example, but the Application Identity Server (here) and the Identity Verification Server (above) might be different URLs in Single Sign-on // implementations. using (WSTrustChannelFactory factory = GetTrustChannelFactory()) { // Provide the credentials again. if (factory.Credentials == null) { throw new Exception("Credentails are null"); } factory.Credentials.UserName.UserName = userName; factory.Credentials.UserName.Password = password; factory.Credentials.SupportInteractive = false; // Because our communication now will be secured using our Identity Token we need to use some WIF extension methods to make sure the identity token // is sent as a Cookie on the SOAP call that WCF will be generating. factory.Credentials.UseIdentityConfiguration = true; factory.CreateChannelWithIssuedToken(identityToken); // Create the communication channel IWSTrustChannelContract channel = factory.CreateChannel(); // create token request RequestSecurityToken rst = new RequestSecurityToken( // We want the security server to Issue us with a token RequestTypes.Issue, // We want the token type to be a Bearer token (i.e. not symmetric key or other mutually guaranteed certificate based mechanism) KeyTypes.Bearer); // Add the school ID that we claim to have access to. rst.AdditionalContext = new AdditionalContext(); rst.AdditionalContext.Items.Add(new ContextItem(new Uri(SimsLoginContextSchoolClaimUrl), schoolId)); rst.AdditionalContext.Items.Add(new ContextItem(new Uri(SimsLoginContextTenantClaimUrl), tenantId)); // This is the endpoint for which the token will be valid. rst.AppliesTo = new EndpointReference(_applicationServerAddress); // Becuase we have already established our identity, we want this call to "Act As" us. This enables the receving web service to be passed our // identity in the thread principal. rst.ActAs = new SecurityTokenElement(identityToken); // Request an application session token. RequestSecurityTokenResponse response; return(channel.Issue(rst, out response)); } }