public abstract IAuthorizationPolicy CreatePolicy(
ClaimSet issuer, SamlSecurityTokenAuthenticator samlAuthenticator);
/// <summary>
/// Token Authentication. Translates the decrypted data into a AuthContext.
/// </summary>
/// <param name="reader">The token XML reader.</param>
/// <param name="audience">The audience that the token must be scoped for.
/// Use <c>null</c> to indicate any audience is acceptable.</param>
/// <returns>
/// The authorization context carried by the token.
/// </returns>
internal static AuthorizationContext AuthenticateToken(XmlReader reader, Uri audience)
{
Contract.Ensures(Contract.Result <AuthorizationContext>() != null);
// Extensibility Point:
// in order to accept different token types, you would need to add additional
// code to create an authenticationcontext from the security token.
// This code only supports SamlSecurityToken objects.
SamlSecurityToken token = WSSecurityTokenSerializer.DefaultInstance.ReadToken(reader, null) as SamlSecurityToken;
if (null == token)
{
throw new InformationCardException("Unable to read security token");
}
if (null != token.SecurityKeys && token.SecurityKeys.Count > 0)
{
throw new InformationCardException("Token Security Keys Exist");
}
if (audience == null)
{
Logger.InfoCard.Warn("SAML token Audience checking will be skipped.");
}
else
{
if (token.Assertion.Conditions != null &&
token.Assertion.Conditions.Conditions != null)
{
foreach (SamlCondition condition in token.Assertion.Conditions.Conditions)
{
SamlAudienceRestrictionCondition audienceCondition = condition as SamlAudienceRestrictionCondition;
if (audienceCondition != null)
{
Logger.InfoCard.DebugFormat("SAML token audience(s): {0}", audienceCondition.Audiences.ToStringDeferred());
bool match = audienceCondition.Audiences.Contains(audience);
if (!match && Logger.InfoCard.IsErrorEnabled)
{
Logger.InfoCard.ErrorFormat("Expected SAML token audience of {0} but found {1}.", audience.AbsoluteUri, audienceCondition.Audiences.Select(aud => aud.AbsoluteUri).ToStringDeferred());
}
// The token is invalid if any condition is not valid.
// An audience restriction condition is valid if any audience
// matches the Relying Party.
InfoCardErrorUtilities.VerifyInfoCard(match, InfoCardStrings.AudienceMismatch);
}
}
}
}
var samlAuthenticator = new SamlSecurityTokenAuthenticator(
new List <SecurityTokenAuthenticator>(
new SecurityTokenAuthenticator[] {
new RsaSecurityTokenAuthenticator(),
new X509SecurityTokenAuthenticator(),
}),
MaximumClockSkew);
if (audience != null)
{
samlAuthenticator.AllowedAudienceUris.Add(audience.AbsoluteUri);
}
return(AuthorizationContext.CreateDefaultAuthorizationContext(samlAuthenticator.ValidateToken(token)));
}
public virtual ClaimSet ExtractSubjectKeyClaimSet(
SamlSecurityTokenAuthenticator samlAuthenticator)
{
throw new NotImplementedException();
}
SamlSecurityTokenAuthenticator CreateSamlTokenAuthenticator(RecipientServiceModelSecurityTokenRequirement recipientRequirement, out SecurityTokenResolver outOfBandTokenResolver)
{
if (recipientRequirement == null)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("recipientRequirement");
}
Collection <SecurityToken> outOfBandTokens = new Collection <SecurityToken>();
if (parent.ServiceCertificate.Certificate != null)
{
outOfBandTokens.Add(new X509SecurityToken(parent.ServiceCertificate.Certificate));
}
List <SecurityTokenAuthenticator> supportingAuthenticators = new List <SecurityTokenAuthenticator>();
if ((parent.IssuedTokenAuthentication.KnownCertificates != null) && (parent.IssuedTokenAuthentication.KnownCertificates.Count > 0))
{
for (int i = 0; i < parent.IssuedTokenAuthentication.KnownCertificates.Count; ++i)
{
outOfBandTokens.Add(new X509SecurityToken(parent.IssuedTokenAuthentication.KnownCertificates[i]));
}
}
X509CertificateValidator validator = parent.IssuedTokenAuthentication.GetCertificateValidator();
supportingAuthenticators.Add(new X509SecurityTokenAuthenticator(validator));
if (parent.IssuedTokenAuthentication.AllowUntrustedRsaIssuers)
{
supportingAuthenticators.Add(new RsaSecurityTokenAuthenticator());
}
outOfBandTokenResolver = (outOfBandTokens.Count > 0) ? SecurityTokenResolver.CreateDefaultSecurityTokenResolver(new ReadOnlyCollection <SecurityToken>(outOfBandTokens), false) : null;
SamlSecurityTokenAuthenticator ssta;
if ((recipientRequirement.SecurityBindingElement == null) || (recipientRequirement.SecurityBindingElement.LocalServiceSettings == null))
{
ssta = new SamlSecurityTokenAuthenticator(supportingAuthenticators);
}
else
{
ssta = new SamlSecurityTokenAuthenticator(supportingAuthenticators, recipientRequirement.SecurityBindingElement.LocalServiceSettings.MaxClockSkew);
}
// set audience uri restrictions
ssta.AudienceUriMode = parent.IssuedTokenAuthentication.AudienceUriMode;
IList <string> allowedAudienceUris = ssta.AllowedAudienceUris;
if (parent.IssuedTokenAuthentication.AllowedAudienceUris != null)
{
for (int i = 0; i < parent.IssuedTokenAuthentication.AllowedAudienceUris.Count; i++)
{
allowedAudienceUris.Add(parent.IssuedTokenAuthentication.AllowedAudienceUris[i]);
}
}
if (recipientRequirement.ListenUri != null)
{
allowedAudienceUris.Add(recipientRequirement.ListenUri.AbsoluteUri);
}
return(ssta);
}
public override IAuthorizationPolicy CreatePolicy(
ClaimSet issuer, SamlSecurityTokenAuthenticator samlAuthenticator)
{
throw new NotImplementedException();
}
