public static ExternalAuthentication GetCurrent()
{
if (ExternalAuthentication.instance == null)
{
ExternalAuthentication.instance = ExternalAuthentication.CreateExternalAuthentication();
}
return(ExternalAuthentication.instance);
}
private static bool IsRequiredPropertyAvailable(X509Certificate2 certificate, string name)
{
return(ExternalAuthentication.IsRequiredPropertyAvailable((certificate == null) ? null : certificate.Thumbprint, name));
}
private static ExternalAuthentication.FederationTrustResults TryCreateSecurityTokenService(FederationTrust federationTrust, WebProxy webProxy)
{
if (!ExternalAuthentication.IsRequiredPropertyAvailable(federationTrust.TokenIssuerUri, "TokenIssuerUri"))
{
return(new ExternalAuthentication.FederationTrustResults
{
FailureType = ExternalAuthentication.ExternalAuthenticationFailureType.MisconfiguredFederationTrust,
SubFailureType = ExternalAuthentication.ExternalAuthenticationSubFailureType.MissingTokenIssuerUri
});
}
if (!ExternalAuthentication.IsRequiredPropertyAvailable(federationTrust.TokenIssuerEpr, "TokenIssuerEpr"))
{
return(new ExternalAuthentication.FederationTrustResults
{
FailureType = ExternalAuthentication.ExternalAuthenticationFailureType.MisconfiguredFederationTrust,
SubFailureType = ExternalAuthentication.ExternalAuthenticationSubFailureType.MissingTokenIssuerEpr
});
}
if (!ExternalAuthentication.IsRequiredPropertyAvailable(federationTrust.ApplicationUri, "ApplicationUri"))
{
return(new ExternalAuthentication.FederationTrustResults
{
FailureType = ExternalAuthentication.ExternalAuthenticationFailureType.MisconfiguredFederationTrust,
SubFailureType = ExternalAuthentication.ExternalAuthenticationSubFailureType.MissingApplicationUri
});
}
if (!ExternalAuthentication.IsRequiredPropertyAvailable(federationTrust.TokenIssuerCertificate, "TokenIssuerCertificate"))
{
return(new ExternalAuthentication.FederationTrustResults
{
FailureType = ExternalAuthentication.ExternalAuthenticationFailureType.MisconfiguredFederationTrust,
SubFailureType = ExternalAuthentication.ExternalAuthenticationSubFailureType.MissingTokenIssuerCertificate
});
}
X509Certificate2[] tokenSignatureCertificates = (federationTrust.TokenIssuerPrevCertificate != null) ? new X509Certificate2[]
{
federationTrust.TokenIssuerCertificate,
federationTrust.TokenIssuerPrevCertificate
} : new X509Certificate2[]
{
federationTrust.TokenIssuerCertificate
};
if (!ExternalAuthentication.HasAtLeastOneValidCertificate(tokenSignatureCertificates, federationTrust.Id, "TokenIssuerCertificate and TokenIssuerPrevCertificate"))
{
return(new ExternalAuthentication.FederationTrustResults
{
FailureType = ExternalAuthentication.ExternalAuthenticationFailureType.InvalidTokenIssuerCertificate,
SubFailureType = ExternalAuthentication.ExternalAuthenticationSubFailureType.NoSubCode
});
}
if (!ExternalAuthentication.IsRequiredPropertyAvailable(federationTrust.OrgPrivCertificate, "OrgPrivCertificate"))
{
return(new ExternalAuthentication.FederationTrustResults
{
FailureType = ExternalAuthentication.ExternalAuthenticationFailureType.MisconfiguredFederationTrust,
SubFailureType = ExternalAuthentication.ExternalAuthenticationSubFailureType.MissingOrgPrivCertificate
});
}
X509Store x509Store = new X509Store(StoreName.My, StoreLocation.LocalMachine);
x509Store.Open(OpenFlags.ReadOnly);
X509Certificate2 certificate;
X509Certificate2[] tokenDecryptionCertificates;
try
{
ExternalAuthentication.ExternalAuthenticationSubFailureType externalAuthenticationSubFailureType;
certificate = ExternalAuthentication.GetCertificate(x509Store, federationTrust.OrgPrivCertificate, federationTrust.Id, "OrgPrivCertificate", true, out externalAuthenticationSubFailureType);
if (certificate == null)
{
ExternalAuthentication.ConfigurationTracer.TraceError <string>(0L, "Federation trust is misconfigured. Unable to find certificate corresponding to OrgPrivCertificate={0}", federationTrust.OrgPrivCertificate);
return(new ExternalAuthentication.FederationTrustResults
{
FailureType = ExternalAuthentication.ExternalAuthenticationFailureType.MisconfiguredFederationTrust,
SubFailureType = externalAuthenticationSubFailureType
});
}
X509Certificate2 x509Certificate = null;
if (!string.IsNullOrEmpty(federationTrust.OrgPrevPrivCertificate))
{
x509Certificate = ExternalAuthentication.GetCertificate(x509Store, federationTrust.OrgPrevPrivCertificate, federationTrust.Id, "OrgPrevPrivCertificate", false, out externalAuthenticationSubFailureType);
}
tokenDecryptionCertificates = ((x509Certificate != null) ? new X509Certificate2[]
{
certificate,
x509Certificate
} : new X509Certificate2[]
{
certificate
});
}
finally
{
x509Store.Close();
}
SecurityTokenService securityTokenService = new SecurityTokenService(federationTrust.TokenIssuerEpr, webProxy, certificate, federationTrust.TokenIssuerUri, federationTrust.PolicyReferenceUri, federationTrust.ApplicationUri.OriginalString);
ExternalAuthentication.ConfigurationTracer.TraceDebug(0L, "New instance of SecurityTokenService successfully built.");
return(new ExternalAuthentication.FederationTrustResults
{
FailureType = ExternalAuthentication.ExternalAuthenticationFailureType.NoFailure,
SubFailureType = ExternalAuthentication.ExternalAuthenticationSubFailureType.NoFailure,
SecurityTokenService = securityTokenService,
TokenSignatureCertificates = tokenSignatureCertificates,
TokenDecryptionCertificates = tokenDecryptionCertificates
});
}
private static ExternalAuthentication CreateExternalAuthentication()
{
ExternalAuthentication.InitializeNotificationsIfNeeded();
ExternalAuthentication.ConfigurationTracer.TraceDebug(0L, "Searching for federation trust configuration in AD");
WebProxy webProxy = null;
Server localServer = LocalServerCache.LocalServer;
Uri uri = null;
if (localServer != null && localServer.InternetWebProxy != null)
{
ExternalAuthentication.ConfigurationTracer.TraceDebug <Uri>(0L, "Using custom InternetWebProxy {0}.", localServer.InternetWebProxy);
uri = localServer.InternetWebProxy;
webProxy = new WebProxy(localServer.InternetWebProxy);
}
ExternalAuthentication.currentWebProxy = uri;
IEnumerable <FederationTrust> enumerable = null;
try
{
enumerable = FederationTrustCache.GetFederationTrusts();
}
catch (LocalizedException arg)
{
ExternalAuthentication.ConfigurationTracer.TraceError <LocalizedException>(0L, "Unable to get federation trust. Exception: {0}", arg);
return(new ExternalAuthentication(ExternalAuthentication.ExternalAuthenticationFailureType.ErrorReadingFederationTrust, ExternalAuthentication.ExternalAuthenticationSubFailureType.DirectoryReadError));
}
Uri uri2 = null;
List <X509Certificate2> list = new List <X509Certificate2>(4);
List <X509Certificate2> list2 = new List <X509Certificate2>(4);
Dictionary <ADObjectId, SecurityTokenService> dictionary = new Dictionary <ADObjectId, SecurityTokenService>(2);
ExternalAuthentication.ExternalAuthenticationFailureType externalAuthenticationFailureType = ExternalAuthentication.ExternalAuthenticationFailureType.NoFederationTrust;
ExternalAuthentication.ExternalAuthenticationSubFailureType externalAuthenticationSubFailureType = ExternalAuthentication.ExternalAuthenticationSubFailureType.NoFailure;
int num = 0;
bool flag = false;
if (enumerable != null)
{
foreach (FederationTrust federationTrust in enumerable)
{
num++;
ExternalAuthentication.FederationTrustResults federationTrustResults = ExternalAuthentication.TryCreateSecurityTokenService(federationTrust, webProxy);
if (federationTrustResults.FailureType == ExternalAuthentication.ExternalAuthenticationFailureType.NoFailure)
{
dictionary.Add(federationTrust.Id, federationTrustResults.SecurityTokenService);
list.AddRange(federationTrustResults.TokenSignatureCertificates);
list2.AddRange(federationTrustResults.TokenDecryptionCertificates);
if (uri2 == null)
{
uri2 = federationTrust.ApplicationUri;
ExternalAuthentication.ConfigurationTracer.TraceDebug <Uri>(0L, "Using {0} as applicationUri", uri2);
}
else if (!federationTrust.ApplicationUri.Equals(uri2))
{
ExternalAuthentication.ConfigurationTracer.TraceError <Uri>(0L, "Cannot have multiple FederationTrust with different ApplicationUri values: {0}. Uri will be ignored", federationTrust.ApplicationUri);
flag = true;
}
}
else
{
externalAuthenticationFailureType = federationTrustResults.FailureType;
externalAuthenticationSubFailureType = federationTrustResults.SubFailureType;
}
}
}
if (dictionary.Count == 0)
{
return(new ExternalAuthentication(externalAuthenticationFailureType, externalAuthenticationSubFailureType));
}
if (dictionary.Count != num)
{
ExternalAuthentication.ConfigurationTracer.TraceError <string, string>(0L, "Number of Security Token Service clients {0} does not match number of federation trusts {1}", dictionary.Count.ToString(), num.ToString());
}
TokenValidator tokenValidator = new TokenValidator(uri2, list, list2);
List <X509Certificate2> list3 = new List <X509Certificate2>(list.Count + list2.Count);
list3.AddRange(list);
list3.AddRange(list2);
if (flag)
{
return(new ExternalAuthentication(dictionary, tokenValidator, list3, uri2, ExternalAuthentication.ExternalAuthenticationFailureType.NoFailure, ExternalAuthentication.ExternalAuthenticationSubFailureType.WarningApplicationUriSkipped));
}
return(new ExternalAuthentication(dictionary, tokenValidator, list3, uri2));
}
