private static CommandResult ProcessResponse(IOptions options, Saml2Response samlResponse) { var principal = new ClaimsPrincipal(samlResponse.GetClaims(options)); principal = options.SPOptions.SystemIdentityModelIdentityConfiguration .ClaimsAuthenticationManager.Authenticate(null, principal); var requestState = samlResponse.GetRequestState(options); if(requestState == null && options.SPOptions.ReturnUrl == null) { throw new ConfigurationErrorsException(MissingReturnUrlMessage); } return new CommandResult() { HttpStatusCode = HttpStatusCode.SeeOther, Location = requestState?.ReturnUrl ?? options.SPOptions.ReturnUrl, Principal = principal, RelayData = requestState == null ? null : requestState.RelayData }; }
private static CommandResult ProcessResponse(IOptions options, Saml2Response samlResponse, string returnURL) { var principal = new ClaimsPrincipal(samlResponse.GetClaims(options)); principal = options.SPOptions.SystemIdentityModelIdentityConfiguration .ClaimsAuthenticationManager.Authenticate(null, principal); var requestState = samlResponse.GetRequestState(options); UriBuilder builder = new UriBuilder(requestState != null && requestState.ReturnUrl != null ? requestState.ReturnUrl : options.SPOptions.ReturnUrl); if (!string.IsNullOrEmpty(returnURL) && builder.Path.ToString().IndexOf(returnURL, StringComparison.OrdinalIgnoreCase) < 0) { builder = new UriBuilder(returnURL); } return new CommandResult() { HttpStatusCode = HttpStatusCode.SeeOther, Location = builder.Uri, Principal = principal, RelayData = requestState == null ? null : requestState.RelayData }; }
public CommandResult Run(HttpRequestData request, IOptions options) { if(request == null) { throw new ArgumentNullException(nameof(request)); } if(options == null) { throw new ArgumentNullException(nameof(options)); } var binding = Saml2Binding.Get(request); if (binding != null) { UnbindResult unbindResult = null; try { unbindResult = binding.Unbind(request, options); var samlResponse = new Saml2Response(unbindResult.Data, request.StoredRequestState?.MessageId); var result = ProcessResponse(options, samlResponse, request.StoredRequestState); if(unbindResult.RelayState != null) { result.ClearCookieName = "Kentor." + unbindResult.RelayState; } return result; } catch (FormatException ex) { throw new BadFormatSamlResponseException( "The SAML Response did not contain valid BASE64 encoded data.", ex); } catch (XmlException ex) { var newEx = new BadFormatSamlResponseException( "The SAML response contains incorrect XML", ex); // Add the payload to the exception if (unbindResult != null) { newEx.Data["Saml2Response"] = unbindResult.Data.OuterXml; } throw newEx; } catch (Exception ex) { if (unbindResult != null) { // Add the payload to the existing exception ex.Data["Saml2Response"] = unbindResult.Data.OuterXml; } throw; } } throw new NoSamlResponseFoundException(); }
public void Saml2Response_Ctor_FromData() { var issuer = new EntityId("http://idp.example.com"); var identity = new ClaimsIdentity(new Claim[] { new Claim(ClaimTypes.NameIdentifier, "JohnDoe") }); var response = new Saml2Response(issuer, null, null, null, identity); response.Issuer.Should().Be(issuer); response.GetClaims(Options.FromConfiguration) .Single() .ShouldBeEquivalentTo(identity); }
private static CommandResult ProcessResponse(IOptions options, Saml2Response samlResponse) { var principal = new ClaimsPrincipal(samlResponse.GetClaims(options)); principal = options.SPOptions.SystemIdentityModelIdentityConfiguration .ClaimsAuthenticationManager.Authenticate(null, principal); var requestState = samlResponse.GetRequestState(options); return new CommandResult() { HttpStatusCode = HttpStatusCode.SeeOther, Location = requestState != null && requestState.ReturnUrl != null ? requestState.ReturnUrl : options.SPOptions.ReturnUrl, Principal = principal, RelayData = requestState == null ? null : requestState.RelayData }; }
private static CommandResult ProcessResponse( IOptions options, Saml2Response samlResponse, StoredRequestState storedRequestState) { var principal = new ClaimsPrincipal(samlResponse.GetClaims(options)); principal = options.SPOptions.SystemIdentityModelIdentityConfiguration .ClaimsAuthenticationManager.Authenticate(null, principal); if(options.SPOptions.ReturnUrl == null) { if (storedRequestState == null) { throw new ConfigurationErrorsException(UnsolicitedMissingReturnUrlMessage); } if(storedRequestState.ReturnUrl == null) { throw new ConfigurationErrorsException(SpInitiatedMissingReturnUrl); } } return new CommandResult() { HttpStatusCode = HttpStatusCode.SeeOther, Location = storedRequestState?.ReturnUrl ?? options.SPOptions.ReturnUrl, Principal = principal, RelayData = storedRequestState?.RelayData, SessionNotOnOrAfter = samlResponse.SessionNotOnOrAfter }; }
public void Saml2Response_Xml_FromData_ContainsStatus_Success() { var identity = new ClaimsIdentity(new Claim[] { new Claim(ClaimTypes.NameIdentifier, "JohnDoe") }); var response = new Saml2Response(new EntityId("issuer"), SignedXmlHelper.TestCert, new Uri("http://destination.example.com"), null, identity); var xml = response.XmlElement; var subject = xml["Status", Saml2Namespaces.Saml2PName]; subject["StatusCode", Saml2Namespaces.Saml2PName].GetAttribute("Value") .Should().Be("urn:oasis:names:tc:SAML:2.0:status:Success"); }
public void Saml2Response_Xml_FromData_ContainsInResponseTo() { var identity = new ClaimsIdentity(new Claim[] { new Claim(ClaimTypes.NameIdentifier, "JohnDoe") }); var response = new Saml2Response(new EntityId("issuer"), SignedXmlHelper.TestCert, new Uri("http://destination.example.com"), new Saml2Id("InResponseToID"), identity); var xml = response.XmlElement; xml.GetAttribute("InResponseTo").Should().Be("InResponseToID"); }
public void Saml2Response_Xml_FromData_ContainsBasicData() { var issuer = new EntityId("http://idp.example.com"); var nameId = "JohnDoe"; var destination = "http://destination.example.com/"; var identity = new ClaimsIdentity(new Claim[] { new Claim(ClaimTypes.NameIdentifier, nameId) }); // Grab current time both before and after generating the response // to avoid heisenbugs if the second counter is updated while creating // the response. string before = DateTime.UtcNow.ToSaml2DateTimeString(); var response = new Saml2Response(issuer, SignedXmlHelper.TestCert, new Uri(destination), null, identity); string after = DateTime.UtcNow.ToSaml2DateTimeString(); var xml = response.XmlElement; xml.LocalName.Should().Be("Response"); xml.NamespaceURI.Should().Be(Saml2Namespaces.Saml2PName); xml.Prefix.Should().Be("saml2p"); xml["Issuer", Saml2Namespaces.Saml2Name].InnerText.Should().Be(issuer.Id); xml["Assertion", Saml2Namespaces.Saml2Name] ["Subject", Saml2Namespaces.Saml2Name]["NameID", Saml2Namespaces.Saml2Name] .InnerText.Should().Be(nameId); xml.GetAttribute("Destination").Should().Be(destination); xml.GetAttribute("ID").Should().NotBeNullOrWhiteSpace(); xml.GetAttribute("Version").Should().Be("2.0"); xml.GetAttribute("IssueInstant").Should().Match( i => i == before || i == after); }
public void Saml2Response_Xml_FromData_ContainsAudienceRestriction() { var identity = new ClaimsIdentity(new Claim[] { new Claim(ClaimTypes.NameIdentifier, "JohnDoe") }); var audience = "http://sp.example.com"; var subject = new Saml2Response( new EntityId("issuer"), SignedXmlHelper.TestCert, new Uri("http://destination.example.com"), new Saml2Id("InResponseToID"), null, new Uri(audience), identity); var actual = subject.XmlElement; actual["Assertion", Saml2Namespaces.Saml2Name].Should().NotBeNull("Assertion element should be present") .And.Subject["Conditions", Saml2Namespaces.Saml2Name].Should().NotBeNull("Conditions element should be present") .And.Subject["AudienceRestriction", Saml2Namespaces.Saml2Name].Should().NotBeNull("AudienceRestriction element should be present") .And.Subject["Audience", Saml2Namespaces.Saml2Name].Should().NotBeNull("Audience element should be present") .And.Subject.InnerText.Should().Be(audience); }
public void Saml2Response_MessageName() { var subject = new Saml2Response(new EntityId("issuer"), null, null, null); subject.MessageName.Should().Be("SAMLResponse"); }
public void Saml2Response_FromData_RelayState() { var subject = new Saml2Response(new EntityId("issuer"), null, null, null, "ABC123"); subject.RelayState.Should().Be("ABC123"); }
public void Saml2Response_Xml_FromData_IsSigned() { var issuer = new EntityId("http://idp.example.com"); var nameId = "JohnDoe"; var identity = new ClaimsIdentity(new Claim[] { new Claim(ClaimTypes.NameIdentifier, nameId) }); var response = new Saml2Response(issuer, SignedXmlHelper.TestCert, null, null, claimsIdentities: identity); var xml = response.XmlDocument; var signedXml = new SignedXml(xml); var signature = xml.DocumentElement["Signature", SignedXml.XmlDsigNamespaceUrl]; signedXml.LoadXml(signature); signature.Should().NotBeNull(); signedXml.CheckSignature(SignedXmlHelper.TestCert, true).Should().BeTrue(); }