private IEnumerable <ClaimsIdentity> CreateClaims(StoredRequestState storedRequestState, IOptions options)
{
Validate(storedRequestState, options);
if (status != Saml2StatusCode.Success)
{
throw new InvalidOperationException("The Saml2Response must have status success to extract claims.");
}
foreach (XmlElement assertionNode in AllAssertionElementNodes)
{
using (var reader = new FilteringXmlNodeReader(SignedXml.XmlDsigNamespaceUrl, "Signature", assertionNode))
{
var handler = options.SPOptions.Saml2PSecurityTokenHandler;
var token = (Saml2SecurityToken)handler.ReadToken(reader);
handler.DetectReplayedToken(token);
var validateAudience = token.Assertion.Conditions.AudienceRestrictions.Count > 0;
handler.ValidateConditions(token.Assertion.Conditions, validateAudience);
yield return(handler.CreateClaims(token));
}
}
}
private IEnumerable <ClaimsIdentity> CreateClaims(IOptions options)
{
Validate(options);
if (status != Saml2StatusCode.Success)
{
throw new UnsuccessfulSamlOperationException(string.Format("The Saml2Response must have status success to extract claims. Status: {0}.{1}"
, status.ToString(), statusMessage != null ? " Message: " + statusMessage + "." : string.Empty),
status, statusMessage, secondLevelStatus);
}
foreach (XmlElement assertionNode in GetAllAssertionElementNodes(options))
{
using (var reader = new FilteringXmlNodeReader(SignedXml.XmlDsigNamespaceUrl, "Signature", assertionNode))
{
var handler = options.SPOptions.Saml2PSecurityTokenHandler;
var token = (Saml2SecurityToken)handler.ReadToken(reader);
handler.DetectReplayedToken(token);
var validateAudience = options.SPOptions
.Saml2PSecurityTokenHandler
.SamlSecurityTokenRequirement
.ShouldEnforceAudienceRestriction(options.SPOptions
.SystemIdentityModelIdentityConfiguration
.AudienceRestriction.AudienceMode, token);
handler.ValidateConditions(token.Assertion.Conditions, validateAudience);
yield return(handler.CreateClaims(token));
}
}
}
void FilteringXmlNodeReader_RemovesFilteredOutNode(bool preserveWhiteSpace)
{
var xmlData =
@"<a:root xmlns:a=""urn:a"" xmlns:b=""urn:b"">
<a:preserveChild>Preserve</a:preserveChild>
<a:removeChild>
<b:removeThisToo>Remove this!</b:removeThisToo>
</a:removeChild>
<b:removeChild>Just kidding, this should be kept.</b:removeChild>
</a:root>";
var xmlDoc = new XmlDocument()
{
PreserveWhitespace = preserveWhiteSpace
};
xmlDoc.LoadXml(xmlData);
var subject = new FilteringXmlNodeReader("urn:a", "removeChild", xmlDoc.DocumentElement);
subject.ReadStartElement("root", "urn:a");
subject.ReadStartElement("preserveChild", "urn:a");
subject.Skip();
subject.ReadEndElement();
subject.ReadStartElement("removeChild", "urn:b");
subject.Skip();
subject.ReadEndElement();
subject.MoveToContent();
subject.NodeType.Should().Be(XmlNodeType.EndElement);
subject.Name.Should().Be("a:root");
}
private IEnumerable <ClaimsIdentity> CreateClaims(IOptions options)
{
Validate(options);
if (status != Saml2StatusCode.Success)
{
throw new UnsuccessfulSamlOperationException(
"The Saml2Response must have status success to extract claims.",
status, statusMessage, secondLevelStatus);
}
foreach (XmlElement assertionNode in GetAllAssertionElementNodes(options))
{
using (var reader = new FilteringXmlNodeReader(SignedXml.XmlDsigNamespaceUrl, "Signature", assertionNode))
{
var handler = options.SPOptions.Saml2PSecurityTokenHandler;
var token = (Saml2SecurityToken)handler.ReadToken(reader);
options.SPOptions.Logger.WriteVerbose("Extracted SAML assertion " + token.Id);
handler.DetectReplayedToken(token);
var validateAudience = options.SPOptions
.Saml2PSecurityTokenHandler
.SamlSecurityTokenRequirement
.ShouldEnforceAudienceRestriction(options.SPOptions
.SystemIdentityModelIdentityConfiguration
.AudienceRestriction.AudienceMode, token);
handler.ValidateConditions(token.Assertion.Conditions, validateAudience);
options.SPOptions.Logger.WriteVerbose("Validated conditions for SAML2 Response " + Id);
sessionNotOnOrAfter = DateTimeHelper.EarliestTime(sessionNotOnOrAfter,
token.Assertion.Statements.OfType <Saml2AuthenticationStatement>()
.SingleOrDefault()?.SessionNotOnOrAfter);
yield return(handler.CreateClaims(token));
}
}
}
private IEnumerable<ClaimsIdentity> CreateClaims(IOptions options)
{
Validate(options);
if (status != Saml2StatusCode.Success)
{
throw new InvalidOperationException(string.Format("The Saml2Response must have status success to extract claims. Status: {0}.{1}"
, status.ToString(), statusMessage != null ? " Message: " + statusMessage + "." : string.Empty));
}
foreach (XmlElement assertionNode in AllAssertionElementNodes)
{
using (var reader = new FilteringXmlNodeReader(SignedXml.XmlDsigNamespaceUrl, "Signature", assertionNode))
{
var handler = options.SPOptions.Saml2PSecurityTokenHandler;
var token = (Saml2SecurityToken)handler.ReadToken(reader);
handler.DetectReplayedToken(token);
var validateAudience = token.Assertion.Conditions.AudienceRestrictions.Count > 0;
handler.ValidateConditions(token.Assertion.Conditions, validateAudience);
yield return handler.CreateClaims(token);
}
}
}