public RequestDetailsScope(RequestDetails details, SigningCredentials signingCredentials, bool requireEncryption) : base(details.Realm.Uri.AbsoluteUri, signingCredentials) { RequestDetails = details; if (RequestDetails.UsesEncryption) { EncryptingCredentials = new X509EncryptingCredentials(details.EncryptingCertificate); } if (RequestDetails.TokenType == SimpleWebToken.OasisTokenProfile) { SigningCredentials = new SymmetricSigningCredentials(details.RelyingPartyRegistration.SymmetricSigningKey); } ReplyToAddress = RequestDetails.ReplyToAddress.AbsoluteUri; TokenEncryptionRequired = requireEncryption; }
public RequestDetailsScope(RequestDetails details, SigningCredentials signingCredentials, bool requireEncryption) : base(details.Realm.Uri.AbsoluteUri, signingCredentials) { RequestDetails = details; if (RequestDetails.UsesEncryption) { EncryptingCredentials = new X509EncryptingCredentials(details.EncryptingCertificate); } if (RequestDetails.TokenType == TokenTypes.SimpleWebToken || RequestDetails.TokenType == TokenTypes.JsonWebToken) { if (details.RelyingPartyRegistration.SymmetricSigningKey != null && details.RelyingPartyRegistration.SymmetricSigningKey.Length > 0) { SigningCredentials = new HmacSigningCredentials(details.RelyingPartyRegistration.SymmetricSigningKey); } } ReplyToAddress = RequestDetails.ReplyToAddress.AbsoluteUri; TokenEncryptionRequired = requireEncryption; }
public StsConfiguration(String host) { SecurityTokenService = typeof(Sts); // this.DefaultTokenType = "http://schemas.microsoft.com/ws/2006/05/identitymodel/tokens/Rsa"; // this.SecurityTokenHandlers.AddOrReplace(new SimpleWebTokenHandler()); settings = SecurityTokenServicesSection.Current.GetConfiguration(host); // Configure token issuer TokenIssuerName = settings.IssuerName; // Configure signing and encrypting certificates X509Store store = new X509Store(settings.StoreName, settings.StoreLocation); try { store.Open(OpenFlags.ReadOnly); SigningCredentials = new X509SigningCredentials( store.FindExactlyOne(settings.SigningCertificateName)); if (false == String.IsNullOrEmpty(settings.EncryptingCertificateName)) { EncryptingCredentials = new X509EncryptingCredentials( store.FindExactlyOne(settings.EncryptingCertificateName)); } } finally { store.Close(); } // Load standard claims foreach (FieldInfo claim in typeof(ClaimTypes).GetFields()) { standardClaims.Add(claim.Name, claim.GetValue(null) as String); } }
/// <summary> /// This method returns the configuration for the token issuance request. The configuration /// is represented by the Scope class. In our case, we are only capable of issuing a token for a /// single RP identity represented by the EncryptingCertificateName. /// </summary> /// <param name="principal">The caller's principal.</param> /// <param name="request">The incoming RST.</param> /// <returns>The scope information to be used for the token issuance.</returns> protected override Scope GetScope(IClaimsPrincipal principal, RequestSecurityToken request) { // TEMP //ClaimsUtil.LogClaimsPrincipal(principal, "IdpSts.CustomSecurityTokenService.GetScope"); CustomTextTraceSource ts = new CustomTextTraceSource("IdpSts.CustomSecurityTokenService.GetScope", "MyTraceSource", SourceLevels.Information); ValidateAppliesTo(request.AppliesTo); X509Certificate2 signingCert = CertificateUtil.GetCertificate(StoreName.My, StoreLocation.LocalMachine, WebConfigurationManager.AppSettings["SigningCertificateName"]); if (signingCert != null) { ts.TraceInformation("signingCert: " + signingCert.SubjectName); ts.TraceInformation("\tthumbPrint: " + signingCert.Thumbprint); } else { ts.TraceInformation("signingCert: NULL"); } //SecurityKeyIdentifier signingSki = new SecurityKeyIdentifier(new SecurityKeyIdentifierClause[] { // new X509SecurityToken(signingCert).CreateKeyIdentifierClause<X509SubjectKeyIdentifierClause>() }); SecurityKeyIdentifier signingSki = new SecurityKeyIdentifier(new SecurityKeyIdentifierClause[] { new X509SecurityToken(signingCert).CreateKeyIdentifierClause<X509RawDataKeyIdentifierClause>() }); X509SigningCredentials signingCredentialss = new X509SigningCredentials(signingCert, signingSki); Scope scope = new Scope(request.AppliesTo.Uri.OriginalString, signingCredentialss); //string encryptingCertificateName = ""; string encryptingCertificateName = WebConfigurationManager.AppSettings["EncryptingCertificateName"]; if (!string.IsNullOrEmpty(encryptingCertificateName)) { // Important note on setting the encrypting credentials. // In a production deployment, you would need to select a certificate that is specific to the RP that is requesting the token. // You can examine the 'request' to obtain information to determine the certificate to use. (AppliesTo) // Original SV //scope.EncryptingCredentials = new X509EncryptingCredentials(CertificateUtil.GetCertificateByCommonName(StoreName.TrustedPeople, // StoreLocation.LocalMachine, request.AppliesTo.Uri.Host)); // New HoK X509Certificate2 cert = CertificateUtil.GetCertificate(StoreName.TrustedPeople, StoreLocation.LocalMachine, encryptingCertificateName); var ski = new SecurityKeyIdentifier(new SecurityKeyIdentifierClause[] { //new X509SecurityToken(cert).CreateKeyIdentifierClause<X509SubjectKeyIdentifierClause>() new X509SecurityToken(cert).CreateKeyIdentifierClause<X509ThumbprintKeyIdentifierClause>() } ); X509EncryptingCredentials encryptingCredentials = new X509EncryptingCredentials(cert, ski); scope.EncryptingCredentials = encryptingCredentials; } else { // If there is no encryption certificate specified, the STS will not perform encryption. // This will succeed for tokens that are created without keys (BearerTokens) or asymmetric keys. Symmetric keys are // required to be 'wrapped' and the STS will throw. scope.TokenEncryptionRequired = false; // Symmetric keys are required to be 'wrapped' or the STS will throw, uncomment the code below to turn off proof key encryption. // Turning off proof key encryption is not secure and should not be used in a deployment scenario. scope.SymmetricKeyEncryptionRequired = false; } //ts.TraceInformation("request.RequestType: " + request.RequestType); //ts.TraceInformation("request.TokenType: " + request.TokenType); //ts.TraceInformation("request.KeyType: " + request.KeyType); //ts.TraceInformation("request.KeySizeInBits: " + request.KeySizeInBits); //ts.TraceInformation("request.SecondaryParameters.TokenType: " + request.SecondaryParameters.TokenType); //ts.TraceInformation("request.SecondaryParameters.KeyType: " + request.SecondaryParameters.KeyType); //ts.TraceInformation("Principal Name: " + principal.Identity.Name); //if (request.SecondaryParameters != null) //{ // if (!string.IsNullOrEmpty(request.SecondaryParameters.TokenType)) // { // if (string.IsNullOrEmpty(request.TokenType)) // { // request.TokenType = request.SecondaryParameters.TokenType; // } // } // if (!string.IsNullOrEmpty(request.SecondaryParameters.KeyType)) // { // if (string.IsNullOrEmpty(request.KeyType)) // { // request.TokenType = request.SecondaryParameters.KeyType; // } // } // if (StringComparer.Ordinal.Equals(request.KeyType, "http://schemas.microsoft.com/idfx/keytype/bearer")) // { // if (request.KeySizeInBits.HasValue) // { // if (request.KeySizeInBits.Value > 0) // { // string errorMsg = string.Format("The request has a KeySize '{0}' that is greater than 0, which, when specified in the request is the required value for sender-vouches assertions.", // request.KeySizeInBits.Value); // ts.TraceInformation(errorMsg); // request.KeySizeInBits = new int?(0); // } // } // else // { // // the key size for an assertion with Sender-vouches confirmation must be 0 // request.KeySizeInBits = new int?(0); // } // ts.TraceInformation("KeySizeInBits: " + request.KeySizeInBits.Value.ToString()); // } //} //if ((StringComparer.Ordinal.Equals(request.KeyType, "http://schemas.microsoft.com/idfx/keytype/bearer") && request.KeySizeInBits.HasValue) && (request.KeySizeInBits.Value != 0)) //{ // ts.TraceInformation("Still Have problems with KeySize!!!"); //} return scope; }
protected override Scope GetScope(ClaimsPrincipal principal, RequestSecurityToken request) { ValidateAppliesTo(request.AppliesTo); var scope = new Scope(request.AppliesTo.Uri.OriginalString, SecurityTokenServiceConfiguration.SigningCredentials); if (!string.IsNullOrEmpty(ConfigurationManager.AppSettings["EncryptionCertificate"])) { // Important note on setting the encrypting credentials. // In a production deployment, you would need to select a certificate that is specific to the RP that is requesting the token. // You can examine the 'request' to obtain information to determine the certificate to use. var encryptingCertificate = GetCertificate(ConfigurationManager.AppSettings["EncryptionCertificate"]); var encryptingCredentials = new X509EncryptingCredentials(encryptingCertificate); scope.EncryptingCredentials = encryptingCredentials; } else { // If there is no encryption certificate specified, the STS will not perform encryption. // This will succeed for tokens that are created without keys (BearerTokens) or asymmetric keys. scope.TokenEncryptionRequired = false; } scope.ReplyToAddress = request.ReplyTo; return scope; }