public void DefaultValues () { SamlAttributeStatement s = new SamlAttributeStatement (); Assert.IsNull (s.SamlSubject, "#1"); Assert.AreEqual (0, s.Attributes.Count, "#2"); }
public virtual SamlStatement LoadStatement(XmlDictionaryReader reader, SecurityTokenSerializer keyInfoSerializer, SecurityTokenResolver outOfBandTokenResolver) { if (reader == null) { throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("reader"); } if (reader.IsStartElement(DictionaryManager.SamlDictionary.AuthenticationStatement, DictionaryManager.SamlDictionary.Namespace)) { SamlAuthenticationStatement authStatement = new SamlAuthenticationStatement(); authStatement.ReadXml(reader, this, keyInfoSerializer, outOfBandTokenResolver); return(authStatement); } else if (reader.IsStartElement(DictionaryManager.SamlDictionary.AttributeStatement, DictionaryManager.SamlDictionary.Namespace)) { SamlAttributeStatement attrStatement = new SamlAttributeStatement(); attrStatement.ReadXml(reader, this, keyInfoSerializer, outOfBandTokenResolver); return(attrStatement); } else if (reader.IsStartElement(DictionaryManager.SamlDictionary.AuthorizationDecisionStatement, DictionaryManager.SamlDictionary.Namespace)) { SamlAuthorizationDecisionStatement authDecisionStatement = new SamlAuthorizationDecisionStatement(); authDecisionStatement.ReadXml(reader, this, keyInfoSerializer, outOfBandTokenResolver); return(authDecisionStatement); } else { throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new XmlException(SR.GetString(SR.SAMLUnableToLoadUnknownElement, reader.LocalName))); } }
public virtual SamlStatement LoadStatement(XmlDictionaryReader reader, SecurityTokenSerializer keyInfoSerializer, SecurityTokenResolver outOfBandTokenResolver) { if (reader == null) { throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("reader"); } if (reader.IsStartElement(this.DictionaryManager.SamlDictionary.AuthenticationStatement, this.DictionaryManager.SamlDictionary.Namespace)) { SamlAuthenticationStatement statement = new SamlAuthenticationStatement(); statement.ReadXml(reader, this, keyInfoSerializer, outOfBandTokenResolver); return(statement); } if (reader.IsStartElement(this.DictionaryManager.SamlDictionary.AttributeStatement, this.DictionaryManager.SamlDictionary.Namespace)) { SamlAttributeStatement statement2 = new SamlAttributeStatement(); statement2.ReadXml(reader, this, keyInfoSerializer, outOfBandTokenResolver); return(statement2); } if (!reader.IsStartElement(this.DictionaryManager.SamlDictionary.AuthorizationDecisionStatement, this.DictionaryManager.SamlDictionary.Namespace)) { throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new XmlException(System.IdentityModel.SR.GetString("SAMLUnableToLoadUnknownElement", new object[] { reader.LocalName }))); } SamlAuthorizationDecisionStatement statement3 = new SamlAuthorizationDecisionStatement(); statement3.ReadXml(reader, this, keyInfoSerializer, outOfBandTokenResolver); return(statement3); }
/// <summary> /// Creates a SAML Token with the input parameters /// </summary> /// <param name="stsName">Name of the STS issuing the SAML Token</param> /// <param name="proofToken">Associated Proof Token</param> /// <param name="issuerToken">Associated Issuer Token</param> /// <param name="proofKeyEncryptionToken">Token to encrypt the proof key with</param> /// <param name="samlConditions">The Saml Conditions to be used in the construction of the SAML Token</param> /// <param name="samlAttributes">The Saml Attributes to be used in the construction of the SAML Token</param> /// <returns>A SAML Token</returns> public static SamlSecurityToken CreateSamlToken(string stsName, BinarySecretSecurityToken proofToken, SecurityToken issuerToken, SecurityToken proofKeyEncryptionToken, SamlConditions samlConditions, IEnumerable<SamlAttribute> samlAttributes) { // Create a security token reference to the issuer certificate SecurityKeyIdentifierClause skic = issuerToken.CreateKeyIdentifierClause<X509ThumbprintKeyIdentifierClause>(); SecurityKeyIdentifier issuerKeyIdentifier = new SecurityKeyIdentifier(skic); // Create an encrypted key clause containing the encrypted proof key byte[] wrappedKey = proofKeyEncryptionToken.SecurityKeys[0].EncryptKey(SecurityAlgorithms.RsaOaepKeyWrap, proofToken.GetKeyBytes()); SecurityKeyIdentifierClause encryptingTokenClause = proofKeyEncryptionToken.CreateKeyIdentifierClause<X509ThumbprintKeyIdentifierClause>(); EncryptedKeyIdentifierClause encryptedKeyClause = new EncryptedKeyIdentifierClause(wrappedKey, SecurityAlgorithms.RsaOaepKeyWrap, new SecurityKeyIdentifier(encryptingTokenClause) ); SecurityKeyIdentifier proofKeyIdentifier = new SecurityKeyIdentifier(encryptedKeyClause); // Create a comfirmationMethod for HolderOfKey List<string> confirmationMethods = new List<string>(1); confirmationMethods.Add(SamlConstants.HolderOfKey); // Create a SamlSubject with proof key and confirmation method from above SamlSubject samlSubject = new SamlSubject(null, null, null, confirmationMethods, null, proofKeyIdentifier); // Create a SamlAttributeStatement from the passed in SamlAttribute collection and the SamlSubject from above SamlAttributeStatement samlAttributeStatement = new SamlAttributeStatement(samlSubject, samlAttributes); // Put the SamlAttributeStatement into a list of SamlStatements List<SamlStatement> samlSubjectStatements = new List<SamlStatement>(); samlSubjectStatements.Add(samlAttributeStatement); // Create a SigningCredentials instance from the key associated with the issuerToken. SigningCredentials signingCredentials = new SigningCredentials(issuerToken.SecurityKeys[0], SecurityAlgorithms.RsaSha1Signature, SecurityAlgorithms.Sha1Digest, issuerKeyIdentifier); // Create a SamlAssertion from the list of SamlStatements created above and the passed in // SamlConditions. SamlAssertion samlAssertion = new SamlAssertion("_" + Guid.NewGuid().ToString(), stsName, DateTime.UtcNow, samlConditions, new SamlAdvice(), samlSubjectStatements ); // Set the SigningCredentials for the SamlAssertion samlAssertion.SigningCredentials = signingCredentials; // Create a SamlSecurityToken from the SamlAssertion and return it return new SamlSecurityToken(samlAssertion); }
public void WriteXml1 () { SamlAttribute attr = new SamlAttribute (Claim.CreateNameClaim ("myname")); SamlSubject subject = new SamlSubject ( SamlConstants.UserNameNamespace, "urn:myqualifier", "myname"); SamlAttributeStatement s = new SamlAttributeStatement ( subject, new SamlAttribute [] {attr}); StringWriter sw = new StringWriter (); using (XmlDictionaryWriter dw = CreateWriter (sw)) { s.WriteXml (dw, new SamlSerializer (), null); } Assert.AreEqual (String.Format ("<?xml version=\"1.0\" encoding=\"utf-16\"?><saml:AttributeStatement xmlns:saml=\"urn:oasis:names:tc:SAML:1.0:assertion\"><saml:Subject><saml:NameIdentifier Format=\"urn:oasis:names:tc:SAML:1.1:nameid-format:WindowsDomainQualifiedName\" NameQualifier=\"urn:myqualifier\">myname</saml:NameIdentifier></saml:Subject><saml:Attribute AttributeName=\"name\" AttributeNamespace=\"{0}\"><saml:AttributeValue>myname</saml:AttributeValue></saml:Attribute></saml:AttributeStatement>", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims"), sw.ToString ()); }
SamlSecurityToken GetSamlToken () { SamlAssertion a = new SamlAssertion (); SamlSubject subject = new SamlSubject ( SamlConstants.UserNameNamespace, "urn:myqualifier", "myname"); SamlAttribute attr = new SamlAttribute (Claim.CreateNameClaim ("myname")); SamlAttributeStatement statement = new SamlAttributeStatement (subject, new SamlAttribute [] {attr}); a.Statements.Add (statement); a.Issuer = "my_hero"; X509Certificate2 cert = new X509Certificate2 ("Test/Resources/test.pfx", "mono"); X509AsymmetricSecurityKey key = new X509AsymmetricSecurityKey (cert); a.SigningCredentials = new SigningCredentials (key, SecurityAlgorithms.HmacSha1Signature, SecurityAlgorithms.Sha256Digest); XmlDocument doc = new XmlDocument (); XmlWriter w = doc.CreateNavigator ().AppendChild (); using (XmlDictionaryWriter dw = XmlDictionaryWriter.CreateDictionaryWriter (w)) { a.WriteXml (dw, new SamlSerializer (), new MySecurityTokenSerializer ()); } Console.Error.WriteLine (doc.OuterXml); return new SamlSecurityToken (a); }
/// <summary> /// Creates a SAML assertion based on input parameters /// </summary> /// <param name="claims">A ClaimSet containing the claims to be placed into the SAML assertion</param> /// <param name="signatureKey">The SecurityKey that will be used to sign the SAML assertion</param> /// <param name="signatureKeyIdentifier">A key identifier for the signature key</param> /// <param name="proofKeyIdentifier">A key identifier for the proof key</param> /// <param name="algoSuite">The algorithm suite to use when performing cryptographic operations</param> /// <returns>A SAML assertion containing the passed in claims and proof key, signed by the provided signature key</returns> private static SamlAssertion CreateAssertion(ClaimSet claims, SecurityKey signatureKey, SecurityKeyIdentifier signatureKeyIdentifier, SecurityKeyIdentifier proofKeyIdentifier, SecurityAlgorithmSuite algoSuite) { List<string> confirmationMethods = new List<string>(1); // Create a confirmationMethod for HolderOfKey confirmationMethods.Add(SamlConstants.HolderOfKey); // Create a SamlSubject with proof key and confirmation method from above SamlSubject samlSubject = new SamlSubject(null, null, "Self", confirmationMethods, null, proofKeyIdentifier); IList<SamlAttribute> samlAttributes = new List<SamlAttribute>(); foreach (Claim c in claims) { if ( typeof(string) == c.Resource.GetType()) samlAttributes.Add(new SamlAttribute(c)); } // Create a SamlAttributeStatement from the passed in SamlAttribute collection and the // SamlSubject from above SamlAttributeStatement samlAttributeStatement = new SamlAttributeStatement(samlSubject, samlAttributes); // Put the SamlAttributeStatement into a list of SamlStatements List<SamlStatement> samlSubjectStatements = new List<SamlStatement>(); samlSubjectStatements.Add(samlAttributeStatement); // Create a SigningCredentials instance from the signature key SigningCredentials signingCredentials = new SigningCredentials(signatureKey, algoSuite.DefaultAsymmetricSignatureAlgorithm, algoSuite.DefaultDigestAlgorithm, signatureKeyIdentifier); // Create a SamlAssertion from the list of SamlStatements created above DateTime issueInstant = DateTime.UtcNow; // Create the Saml condition with allowed audience Uris SamlConditions conditions = new SamlConditions(issueInstant, issueInstant + new TimeSpan(10, 0, 0)); conditions.Conditions.Add(new SamlAudienceRestrictionCondition(new Uri[] { new Uri("http://localhost:8000/servicemodelsamples/service/calc/symm"), new Uri("http://localhost:8000/servicemodelsamples/service/calc/asymm") })); SamlAssertion samlAssertion = new SamlAssertion("_" + Guid.NewGuid().ToString(), "Self", issueInstant, conditions, new SamlAdvice(), samlSubjectStatements ); // Set the SigningCredentials for the SamlAssertion samlAssertion.SigningCredentials = signingCredentials; // Return the SamlAssertion return samlAssertion; }
/// <summary> /// Serialize a SamlAttributeStatement. /// </summary> /// <param name="writer">XmlWriter to serialize the given statement.</param> /// <param name="statement">SamlAttributeStatement to write to the XmlWriter.</param> /// <exception cref="ArgumentNullException">The input parameter 'writer' or 'statement' is null.</exception> protected virtual void WriteAttributeStatement(XmlWriter writer, SamlAttributeStatement statement) { if (writer == null) { throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("writer"); } if (statement == null) { throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("statement"); } writer.WriteStartElement(SamlConstants.Prefix, SamlConstants.ElementNames.AttributeStatement, SamlConstants.Namespace); WriteSubject(writer, statement.SamlSubject); for (int i = 0; i < statement.Attributes.Count; i++) { WriteAttribute(writer, statement.Attributes[i]); } writer.WriteEndElement(); }
/// <summary> /// Read saml:AttributeStatement from the given XmlReader. /// </summary> /// <param name="reader">XmlReader positioned at a saml:AttributeStatement element.</param> /// <returns>SamlAttributeStatement</returns> /// <exception cref="ArgumentNullException">Input parameter 'reader' is null.</exception> /// <exception cref="XmlException">XmlReader is not positioned at a saml:AttributeStatement element or /// the AttributeStatement contains unrecognized elements.</exception> protected virtual SamlAttributeStatement ReadAttributeStatement(XmlReader reader) { if (reader == null) { throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("reader"); } if (!reader.IsStartElement(SamlConstants.ElementNames.AttributeStatement, SamlConstants.Namespace)) { throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new XmlException(SR.GetString(SR.ID4082, SamlConstants.ElementNames.AttributeStatement, SamlConstants.Namespace, reader.LocalName, reader.NamespaceURI))); } reader.ReadStartElement(); SamlAttributeStatement attributeStatement = new SamlAttributeStatement(); if (reader.IsStartElement(SamlConstants.ElementNames.Subject, SamlConstants.Namespace)) { attributeStatement.SamlSubject = ReadSubject(reader); } else { // SAML Subject is a required Attribute Statement clause. throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new XmlException(SR.GetString(SR.ID4092))); } while (reader.IsStartElement()) { if (reader.IsStartElement(SamlConstants.ElementNames.Attribute, SamlConstants.Namespace)) { // SAML Attribute is a extensibility point. So ask the SAML serializer // to load this part. attributeStatement.Attributes.Add(ReadAttribute(reader)); } else { break; } } if (attributeStatement.Attributes.Count == 0) { // Each Attribute statement should have at least one attribute. throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new XmlException(SR.GetString(SR.ID4093))); } reader.MoveToContent(); reader.ReadEndElement(); return attributeStatement; }
/// <summary> /// Override this virtual to provide custom processing of SamlAttributeStatements. /// </summary> /// <param name="samlStatement">The SamlAttributeStatement to process.</param> /// <param name="subject">The identity that should be modified to reflect the statement.</param> /// <param name="issuer">The subject that identifies the issuer.</param> /// <exception cref="ArgumentNullException">The input parameter 'samlStatement' or 'subject' is null.</exception> protected virtual void ProcessAttributeStatement(SamlAttributeStatement samlStatement, ClaimsIdentity subject, string issuer) { if (samlStatement == null) { throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("samlStatement"); } if (subject == null) { throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("subject"); } // We will be adding the nameid claim only once for multiple attribute and/or authn statements. // As of now, we put the nameId claim both inside the saml subject and the saml attribute statement as assertion. // When generating claims, we will only pick up the saml subject of a saml statement, not the attribute statement value. ProcessSamlSubject(samlStatement.SamlSubject, subject, issuer); foreach (SamlAttribute attr in samlStatement.Attributes) { string claimType = null; if (string.IsNullOrEmpty(attr.Namespace)) { claimType = attr.Name; } else if (StringComparer.Ordinal.Equals(attr.Name, SamlConstants.ElementNames.NameIdentifier)) { throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new NotSupportedException(SR.GetString(SR.ID4094))); } else { // check if Namespace end with slash don't add it // If no slash or last char is not a slash, add it. int lastSlashIndex = attr.Namespace.LastIndexOf('/'); if ((lastSlashIndex == -1) || (!(lastSlashIndex == attr.Namespace.Length - 1))) { claimType = attr.Namespace + "/" + attr.Name; } else { claimType = attr.Namespace + attr.Name; } } if (claimType == ClaimTypes.Actor) { if (subject.Actor != null) { throw DiagnosticUtility.ThrowHelperInvalidOperation(SR.GetString(SR.ID4034)); } SetDelegateFromAttribute(attr, subject, issuer); } else { for (int k = 0; k < attr.AttributeValues.Count; ++k) { // Check if we already have a nameId claim. if (StringComparer.Ordinal.Equals(ClaimTypes.NameIdentifier, claimType) && GetClaim(subject, ClaimTypes.NameIdentifier) != null) { continue; } string originalIssuer = issuer; SamlAttribute SamlAttribute = attr as SamlAttribute; if ((SamlAttribute != null) && (SamlAttribute.OriginalIssuer != null)) { originalIssuer = SamlAttribute.OriginalIssuer; } string claimValueType = ClaimValueTypes.String; if (SamlAttribute != null) { claimValueType = SamlAttribute.AttributeValueXsiType; } subject.AddClaim(new Claim(claimType, attr.AttributeValues[k], claimValueType, issuer, originalIssuer)); } } } }
public virtual SamlStatement LoadStatement(XmlDictionaryReader reader, SecurityTokenSerializer keyInfoSerializer, SecurityTokenResolver outOfBandTokenResolver) { if (reader == null) throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("reader"); if (reader.IsStartElement(DictionaryManager.SamlDictionary.AuthenticationStatement, DictionaryManager.SamlDictionary.Namespace)) { SamlAuthenticationStatement authStatement = new SamlAuthenticationStatement(); authStatement.ReadXml(reader, this, keyInfoSerializer, outOfBandTokenResolver); return authStatement; } else if (reader.IsStartElement(DictionaryManager.SamlDictionary.AttributeStatement, DictionaryManager.SamlDictionary.Namespace)) { SamlAttributeStatement attrStatement = new SamlAttributeStatement(); attrStatement.ReadXml(reader, this, keyInfoSerializer, outOfBandTokenResolver); return attrStatement; } else if (reader.IsStartElement(DictionaryManager.SamlDictionary.AuthorizationDecisionStatement, DictionaryManager.SamlDictionary.Namespace)) { SamlAuthorizationDecisionStatement authDecisionStatement = new SamlAuthorizationDecisionStatement(); authDecisionStatement.ReadXml(reader, this, keyInfoSerializer, outOfBandTokenResolver); return authDecisionStatement; } else throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new XmlException(SR.GetString(SR.SAMLUnableToLoadUnknownElement, reader.LocalName))); }
public virtual SamlStatement LoadStatement(XmlDictionaryReader reader, SecurityTokenSerializer keyInfoSerializer, SecurityTokenResolver outOfBandTokenResolver) { if (reader == null) { throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("reader"); } if (reader.IsStartElement(this.DictionaryManager.SamlDictionary.AuthenticationStatement, this.DictionaryManager.SamlDictionary.Namespace)) { SamlAuthenticationStatement statement = new SamlAuthenticationStatement(); statement.ReadXml(reader, this, keyInfoSerializer, outOfBandTokenResolver); return statement; } if (reader.IsStartElement(this.DictionaryManager.SamlDictionary.AttributeStatement, this.DictionaryManager.SamlDictionary.Namespace)) { SamlAttributeStatement statement2 = new SamlAttributeStatement(); statement2.ReadXml(reader, this, keyInfoSerializer, outOfBandTokenResolver); return statement2; } if (!reader.IsStartElement(this.DictionaryManager.SamlDictionary.AuthorizationDecisionStatement, this.DictionaryManager.SamlDictionary.Namespace)) { throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new XmlException(System.IdentityModel.SR.GetString("SAMLUnableToLoadUnknownElement", new object[] { reader.LocalName }))); } SamlAuthorizationDecisionStatement statement3 = new SamlAuthorizationDecisionStatement(); statement3.ReadXml(reader, this, keyInfoSerializer, outOfBandTokenResolver); return statement3; }
public void WriteXmlValid () { SamlAssertion a = new SamlAssertion (); SamlSubject subject = new SamlSubject ( SamlConstants.UserNameNamespace, "urn:myqualifier", "myname"); SamlAttribute attr = new SamlAttribute (Claim.CreateNameClaim ("myname")); SamlAttributeStatement statement = new SamlAttributeStatement (subject, new SamlAttribute [] {attr}); a.Advice = new SamlAdvice (new string [] {"urn:testadvice1"}); DateTime notBefore = DateTime.SpecifyKind (new DateTime (2000, 1, 1), DateTimeKind.Utc); DateTime notOnAfter = DateTime.SpecifyKind (new DateTime (2006, 1, 1), DateTimeKind.Utc); a.Conditions = new SamlConditions (notBefore, notOnAfter); a.Statements.Add (statement); a.Issuer = "my_hero"; StringWriter sw = new StringWriter (); string id = a.AssertionId; DateTime instant = a.IssueInstant; using (XmlDictionaryWriter dw = CreateWriter (sw)) { a.WriteXml (dw, new SamlSerializer (), null); } string expected = String.Format ("<?xml version=\"1.0\" encoding=\"utf-16\"?><saml:Assertion MajorVersion=\"1\" MinorVersion=\"1\" AssertionID=\"{0}\" Issuer=\"my_hero\" IssueInstant=\"{1}\" xmlns:saml=\"urn:oasis:names:tc:SAML:1.0:assertion\"><saml:Conditions NotBefore=\"{3}\" NotOnOrAfter=\"{4}\" /><saml:Advice><saml:AssertionIDReference>urn:testadvice1</saml:AssertionIDReference></saml:Advice><saml:AttributeStatement><saml:Subject><saml:NameIdentifier Format=\"urn:oasis:names:tc:SAML:1.1:nameid-format:WindowsDomainQualifiedName\" NameQualifier=\"urn:myqualifier\">myname</saml:NameIdentifier></saml:Subject><saml:Attribute AttributeName=\"name\" AttributeNamespace=\"{2}\"><saml:AttributeValue>myname</saml:AttributeValue></saml:Attribute></saml:AttributeStatement></saml:Assertion>", id, instant.ToString ("yyyy-MM-ddTHH:mm:ss.fff'Z'", CultureInfo.InvariantCulture), "http://schemas.xmlsoap.org/ws/2005/05/identity/claims", notBefore.ToString ("yyyy-MM-ddTHH:mm:ss.fff'Z'", CultureInfo.InvariantCulture), notOnAfter.ToString ("yyyy-MM-ddTHH:mm:ss.fff'Z'", CultureInfo.InvariantCulture)); Assert.AreEqual (expected, sw.ToString ()); }