private string GetDecryptedSamlToken()
{
var encryptedSamlToken = GetSamlTokenXml();
var decryptedSamlToken = "";
using (var reader = new StringReader(encryptedSamlToken))
{
using (var xmlReader = XmlReader.Create(reader))
{
var samlHandler = new Saml2SecurityTokenHandler
{
Configuration = new SecurityTokenHandlerConfiguration
{
ServiceTokenResolver = new X509CertificateStoreTokenResolver()
}
};
var token = samlHandler.ReadToken(xmlReader);
using (var writer = new StringWriter())
{
using (var xmlWriter = XmlWriter.Create(writer))
{
samlHandler.WriteToken(xmlWriter, token);
}
decryptedSamlToken = writer.GetStringBuilder().ToString();
}
}
}
return(decryptedSamlToken);
}
private static SecurityToken GetBootstrapToken()
{
string rawToken = Saml20Identity.Current["urn:liberty:disco:2006-08:DiscoveryEPR"][0].AttributeValue[0];
byte[] raw = Convert.FromBase64String(rawToken);
using (var memoryStream = new MemoryStream(raw))
{
string content;
using (StreamReader reader = new StreamReader(memoryStream, Encoding.Unicode))
{
content = reader.ReadToEnd();
}
}
SecurityToken bootstrapToken;
using (var memoryStream = new MemoryStream(raw))
{
using (var streamReader = new StreamReader(memoryStream))
{
using (var xmlTextReader = new XmlTextReader(streamReader))
{
SecurityTokenHandler handler = new Saml2SecurityTokenHandler();
handler.Configuration = new SecurityTokenHandlerConfiguration();
bootstrapToken = handler.ReadToken(xmlTextReader);
}
}
}
return(bootstrapToken);
}
public void LoginAction(AbstractEndpointHandler handler, HttpContext context, Saml20Assertion assertion)
{
if (handler == null)
{
Logging.Instance.Error("SamlPrincipalAction - LogOnAction handler is null");
throw new ArgumentNullException("handler");
}
if (context == null)
{
Logging.Instance.Error("SamlPrincipalAction - LogOnAction context is null");
throw new ArgumentNullException("context");
}
if (assertion == null)
{
Logging.Instance.Error("SamlPrincipalAction - LogOnAction assertion is null");
throw new ArgumentNullException("assertion");
}
Saml2SecurityTokenHandler securityTokenHandler =
this.sessionAuthModule.FederationConfiguration.IdentityConfiguration.SecurityTokenHandlers[
typeof(Saml2SecurityToken)] as Saml2SecurityTokenHandler;
//Generate bootstraptoken from assertion xml
if (securityTokenHandler != null)
{
var assertionXml = assertion.XmlAssertion;
using (System.IO.StringReader reader = new System.IO.StringReader(assertionXml.OuterXml))
{
XmlReader xReader = XmlReader.Create(reader);
var bootstraptoken = securityTokenHandler.ReadToken(xReader);
HttpContext.Current.Session["boostraptoken"] = bootstraptoken;
}
}
BuildClaimsPrincipal(assertion);
}
static void TransportTransportMessageReceived(object sender, TransportMessageReceivedEventArgs e)
{
if (!ConfigureClaimFlow.Flow)
{
return;
}
if (!e.Message.Headers.ContainsKey(SecurityTokenKey))
{
return;
}
var serializedToken = e.Message.Headers[SecurityTokenKey];
var certificate = ExtractCertificate(serializedToken);
var handler = new Saml2SecurityTokenHandler(new SamlSecurityTokenRequirement());
var tokens = new List <SecurityToken> {
new X509SecurityToken(certificate)
};
var resolver = SecurityTokenResolver.CreateDefaultSecurityTokenResolver(tokens.AsReadOnly(), false);
handler.Configuration = new SecurityTokenHandlerConfiguration
{
IssuerTokenResolver = resolver,
IssuerNameRegistry = new InternalIssuerNameRegistry(),
CertificateValidator = X509CertificateValidator.None
};
using (var reader = XmlReader.Create(new StringReader(serializedToken)))
{
var bootstrapToken = handler.ReadToken(reader);
handler.Configuration.AudienceRestriction.AudienceMode = AudienceUriMode.Never;
handler.Configuration.MaxClockSkew = TimeSpan.MaxValue;
var collection = handler.ValidateToken(bootstrapToken);
Thread.CurrentPrincipal = new ClaimsPrincipal(collection);
}
}
private Saml2SecurityToken ParseToken(string token, Saml2SecurityTokenHandler samlHandler)
{
using (var reader = new StringReader(token))
{
using (var xmlReader = XmlReader.Create(reader))
{
//Parses the token, as well as decrypting it
return((Saml2SecurityToken)samlHandler.ReadToken(xmlReader));
}
}
}
public static Saml2Assertion MakeNemIdAssertion(X509Certificate2 certificate)
{
var doc = Global.SignedTokenXml();
Saml2Assertion sa;
using (var rd = doc.CreateReader())
{
var s2sth = new Saml2SecurityTokenHandler
{
/*Configuration = new SecurityTokenHandlerConfiguration
* {
* IssuerTokenResolver = new Saml2IssuerTokenResolver()
* }*/
};
var s2st = s2sth.ReadToken(rd) as Saml2SecurityToken;
sa = s2st.Assertion;
}
var ass = new Saml2Assertion(new Saml2NameIdentifier(sa.Issuer.Value))
{
Conditions = new Saml2Conditions
{
NotOnOrAfter = DateTime.Now + TimeSpan.FromHours(8),
NotBefore = DateTime.Now
},
Subject = new Saml2Subject(new Saml2NameIdentifier(certificate.SubjectName.Name))
};
ass.Subject.SubjectConfirmations.Add(new Saml2SubjectConfirmation(new Uri("urn:oasis:names:tc:SAML:2.0:cm:bearer"))
{
SubjectConfirmationData = new Saml2SubjectConfirmationData
{
NotOnOrAfter = DateTime.Now + TimeSpan.FromHours(8),
Recipient = new Uri("https://staging.fmk-online.dk/fmk/saml/SAMLAssertionConsumer")
}
});
var q = from att in sa.Statements.OfType <Saml2AttributeStatement>().First().Attributes
select new Saml2Attribute(att.Name, att.Values.First())
{
NameFormat = att.NameFormat
};
ass.Statements.Add(new Saml2AttributeStatement(q));
ass.Statements.Add(new Saml2AuthenticationStatement(new Saml2AuthenticationContext(new Uri("element:urn:oasis:names:tc:SAML:2.0:ac:classes:X509")), DateTime.Now));
/*var secClause = new X509RawDataKeyIdentifierClause(certificate);
* var issuerKeyIdentifier = new SecurityKeyIdentifier(secClause);
* issuerKeyIdentifier.Add(secClause);*/
ass.SigningCredentials = new X509SigningCredentials(certificate); //, SignedXml.XmlDsigRSASHA1Url, SignedXml.XmlDsigSHA1Url);
return(ass);
}
/// <summary>
/// Authenticates the specified message.
/// </summary>
/// <returns>
/// Returns <see cref="T:System.Collections.ObjectModel.ReadOnlyCollection`1"/>.
/// </returns>
/// <param name="authPolicy">The authorization policy.</param><param name="listenUri">The URI at which the message was received.</param><param name="message">The message to be authenticated.</param>
public override ReadOnlyCollection <IAuthorizationPolicy> Authenticate(ReadOnlyCollection <IAuthorizationPolicy> authPolicy, Uri listenUri, ref Message message)
{
if (WebOperationContext.Current != null && WebOperationContext.Current.IncomingRequest.Headers["fedAuth"] != null)
{
var tokenString = WebOperationContext.Current.IncomingRequest.Headers["fedAuth"];
var handler = new Saml2SecurityTokenHandler();
var token = handler.ReadToken(tokenString);
var identities = handler.ValidateToken(token);
var principal = new ClaimsPrincipal(identities);
Thread.CurrentPrincipal = principal;
}
return(base.Authenticate(authPolicy, listenUri, ref message));
}
public void TempAssertionTest1()
{
//ARRANGE
var foo = new StreamReader(@"D:\Dan\Software\ECA-Interenational\Temp\Base64.txt");
var base64 = foo.ReadToEnd();
var boo = Convert.FromBase64String(base64);
var requestFromBase64 = Encoding.UTF8.GetString(boo);
var reader = XmlReader.Create(new StringReader(requestFromBase64));
var reader1 = XmlReader.Create(new StringReader(requestFromBase64));
reader1.MoveToContent();
var signatureManager = new XmlSignatureManager();
var document = new XmlDocument {
PreserveWhitespace = false
};
//document.Load(@"D:\Dan\Software\ECA-Interenational\Temp\TestResponse.xml");
var xml = reader1.ReadOuterXml();
document.LoadXml(xml);
var assertion = (XmlElement)document.GetElementsByTagName("Assertion", Saml20Constants.Assertion)[0];
var signEl = document.GetElementsByTagName("Signature", "http://www.w3.org/2000/09/xmldsig#")
.Cast <XmlElement>()
.First(x => x.ParentNode == document.DocumentElement);
var certEl = (XmlElement)signEl.GetElementsByTagName("X509Certificate", "http://www.w3.org/2000/09/xmldsig#")[0];
var dcert2 = new X509Certificate2(Convert.FromBase64String(certEl.InnerText));
//var document1 = new XmlDocument();
//document1.LoadXml(assertion.OuterXml);
var handler = new Saml2SecurityTokenHandler();
var config = this.GetConfiguration();
handler.Configuration = config;
//var reader = XmlReader.Create(new StringReader(document.OuterXml));
//var reader = XmlReader.Create(@"D:\Dan\Software\ECA-Interenational\Temp\TestResponse.xml", new XmlReaderSettings { });
this.MoveToToken(reader);
//var reader1 = XmlReader.Create(new StringReader(document1.OuterXml));
var token = handler.ReadToken(reader);
//var token1 = handler.ReadToken(reader1);
//ACT
//var isValid = signatureManager.VerifySignature(document1, signEl, dcert2.PublicKey.Key);
var isValid = signatureManager.VerifySignature(document, signEl, dcert2.PublicKey.Key);
//ASSERT
Assert.True(isValid);
}
private void RunValidationTests(SecurityTokenDescriptor tokenDescriptor, SecurityToken securityToken, SecurityKey key, int iterations, bool display = true)
{
// Create jwts using wif
// Create Saml2 tokens
// Create Saml tokens
DateTime started;
string validating = "Validating, signed: '{0}', '{1}' Tokens. Time: '{2}'";
SetReturnSecurityTokenResolver str = new Test.SetReturnSecurityTokenResolver(securityToken, key);
SecurityTokenHandlerConfiguration tokenHandlerConfiguration = new SecurityTokenHandlerConfiguration()
{
IssuerTokenResolver = str,
SaveBootstrapContext = true,
CertificateValidator = AlwaysSucceedCertificateValidator.New,
AudienceRestriction = new AudienceRestriction(AudienceUriMode.Never),
IssuerNameRegistry = new SetNameIssuerNameRegistry(Issuers.GotJwt),
};
Saml2SecurityTokenHandler samlTokenHandler = new Saml2SecurityTokenHandler();
Saml2SecurityToken token = samlTokenHandler.CreateToken(tokenDescriptor) as Saml2SecurityToken;
StringBuilder sb = new StringBuilder();
XmlWriter writer = XmlWriter.Create(sb);
samlTokenHandler.WriteToken(writer, token);
writer.Flush();
writer.Close();
string tokenXml = sb.ToString();
samlTokenHandler.Configuration = tokenHandlerConfiguration;
started = DateTime.UtcNow;
for (int i = 0; i < iterations; i++)
{
StringReader sr = new StringReader(tokenXml);
XmlDictionaryReader reader = XmlDictionaryReader.CreateDictionaryReader(XmlReader.Create(sr));
reader.MoveToContent();
SecurityToken saml2Token = samlTokenHandler.ReadToken(reader);
samlTokenHandler.ValidateToken(saml2Token);
}
if (display)
{
Console.WriteLine(string.Format(validating, "Saml2SecurityTokenHandler", iterations, DateTime.UtcNow - started));
}
JwtSecurityTokenHandler jwtTokenHandler = new JwtSecurityTokenHandler();
JwtSecurityToken jwt = jwtTokenHandler.CreateToken(tokenDescriptor) as JwtSecurityToken;
jwtTokenHandler.Configuration = tokenHandlerConfiguration;
started = DateTime.UtcNow;
for (int i = 0; i < iterations; i++)
{
jwtTokenHandler.ValidateToken(jwt.RawData);
}
if (display)
{
Console.WriteLine(string.Format(validating, "JwtSecurityTokenHandle - ValidateToken( jwt.RawData )", iterations, DateTime.UtcNow - started));
}
jwt = jwtTokenHandler.CreateToken(tokenDescriptor) as JwtSecurityToken;
sb = new StringBuilder();
writer = XmlWriter.Create(sb);
jwtTokenHandler.WriteToken(writer, jwt);
writer.Flush();
writer.Close();
tokenXml = sb.ToString();
started = DateTime.UtcNow;
for (int i = 0; i < iterations; i++)
{
StringReader sr = new StringReader(tokenXml);
XmlDictionaryReader reader = XmlDictionaryReader.CreateDictionaryReader(XmlReader.Create(sr));
reader.MoveToContent();
SecurityToken jwtToken = jwtTokenHandler.ReadToken(reader);
jwtTokenHandler.ValidateToken(jwtToken);
}
if (display)
{
Console.WriteLine(string.Format(validating, "JwtSecurityTokenHandle - ReadToken( reader ), ValidateToken( jwtToken )", iterations, DateTime.UtcNow - started));
}
started = DateTime.UtcNow;
for (int i = 0; i < iterations; i++)
{
StringReader sr = new StringReader(tokenXml);
XmlDictionaryReader reader = XmlDictionaryReader.CreateDictionaryReader(XmlReader.Create(sr));
reader.MoveToContent();
JwtSecurityToken jwtToken = jwtTokenHandler.ReadToken(reader) as JwtSecurityToken;
jwtTokenHandler.ValidateToken(jwtToken.RawData);
}
if (display)
{
Console.WriteLine(string.Format(validating, "JwtSecurityTokenHandle - ReadToken( reader ), ValidateToken( jwtToken.RawData )", iterations, DateTime.UtcNow - started));
}
}
static void TransportTransportMessageReceived(object sender, TransportMessageReceivedEventArgs e)
{
if (!ConfigureClaimFlow.Flow) return;
if (!e.Message.Headers.ContainsKey(SecurityTokenKey)) return;
var serializedToken = e.Message.Headers[SecurityTokenKey];
var certificate = ExtractCertificate(serializedToken);
var handler = new Saml2SecurityTokenHandler(new SamlSecurityTokenRequirement());
var tokens = new List<SecurityToken> {new X509SecurityToken(certificate)};
var resolver = SecurityTokenResolver.CreateDefaultSecurityTokenResolver(tokens.AsReadOnly(), false);
handler.Configuration = new SecurityTokenHandlerConfiguration
{
IssuerTokenResolver = resolver,
IssuerNameRegistry = new InternalIssuerNameRegistry(),
CertificateValidator = X509CertificateValidator.None
};
using (var reader = XmlReader.Create(new StringReader(serializedToken)))
{
var bootstrapToken = handler.ReadToken(reader);
handler.Configuration.AudienceRestriction.AudienceMode = AudienceUriMode.Never;
handler.Configuration.MaxClockSkew = TimeSpan.MaxValue;
var collection = handler.ValidateToken(bootstrapToken);
Thread.CurrentPrincipal = new ClaimsPrincipal(collection);
}
}
