 /// <summary>
 /// Builds the authorization policy for a validated SAML token. Abstract: the
 /// concrete derived class decides how the issuer claims and the authenticator
 /// that validated the token are turned into a policy.
 /// </summary>
 /// <param name="issuer">Claim set describing the token issuer (presumably as
 /// established during token validation — confirm against the caller).</param>
 /// <param name="samlAuthenticator">The authenticator that validated the token.</param>
 /// <returns>The policy to contribute to the authorization context.</returns>
 public abstract IAuthorizationPolicy CreatePolicy(ClaimSet issuer, SamlSecurityTokenAuthenticator samlAuthenticator);
        /// <summary>
        /// Token Authentication.  Translates the decrypted data into a AuthContext.
        /// </summary>
        /// <param name="reader">The token XML reader.</param>
        /// <param name="audience">The audience that the token must be scoped for.
        /// Use <c>null</c> to indicate any audience is acceptable.</param>
        /// <returns>
        /// The authorization context carried by the token.
        /// </returns>
        /// <summary>
        /// Token Authentication.  Deserializes a SAML token from <paramref name="reader"/>,
        /// rejects tokens that carry security keys, checks the token's audience restriction
        /// against <paramref name="audience"/> (when one is given), and then validates the
        /// token through a <see cref="SamlSecurityTokenAuthenticator"/> backed by RSA and
        /// X.509 issuer authenticators.
        /// </summary>
        /// <param name="reader">The token XML reader.</param>
        /// <param name="audience">The audience that the token must be scoped for.
        /// Use <c>null</c> to indicate any audience is acceptable.</param>
        /// <returns>
        /// The authorization context carried by the token.
        /// </returns>
        /// <exception cref="InformationCardException">
        /// The reader does not yield a <see cref="SamlSecurityToken"/>, or the token carries
        /// security keys.
        /// </exception>
        internal static AuthorizationContext AuthenticateToken(XmlReader reader, Uri audience)
        {
            Contract.Ensures(Contract.Result <AuthorizationContext>() != null);

            // Extensibility Point:
            // only SamlSecurityToken is understood here. Supporting another token type
            // means adding the code that turns that token into an authorization context.
            var samlToken = WSSecurityTokenSerializer.DefaultInstance.ReadToken(reader, null) as SamlSecurityToken;

            if (samlToken == null)
            {
                throw new InformationCardException("Unable to read security token");
            }

            // Security: a token that carries proof keys is rejected outright; only
            // key-less (bearer-style) tokens are accepted on this path.
            bool carriesKeys = samlToken.SecurityKeys != null && samlToken.SecurityKeys.Count > 0;
            if (carriesKeys)
            {
                throw new InformationCardException("Token Security Keys Exist");
            }

            if (audience == null)
            {
                Logger.InfoCard.Warn("SAML token Audience checking will be skipped.");
            }
            else
            {
                // Note: this runs before the signature is verified (ValidateToken below),
                // so the audience values logged here are still untrusted input. It only
                // rejects when an audience-restriction condition is present; a token with
                // no such condition passes this loop, and whether ValidateToken then
                // rejects it depends on the authenticator's AudienceUriMode, which is not
                // set explicitly here. NOTE(review): confirm the mode default is the
                // intended behaviour for tokens without an audience restriction.
                RejectAudienceMismatch(samlToken, audience);
            }

            // Security: RsaSecurityTokenAuthenticator has no issuer trust list — it accepts
            // any RSA-signed token (cf. the "AllowUntrustedRsaIssuers" switch that gates
            // the same authenticator in WCF). That is what lets self-issued cards
            // through; X509SecurityTokenAuthenticator covers certificate-signed tokens.
            // NOTE(review): confirm this matches the intended issuer trust model.
            var issuerAuthenticators = new List <SecurityTokenAuthenticator>
            {
                new RsaSecurityTokenAuthenticator(),
                new X509SecurityTokenAuthenticator(),
            };
            var samlAuthenticator = new SamlSecurityTokenAuthenticator(issuerAuthenticators, MaximumClockSkew);

            if (audience != null)
            {
                samlAuthenticator.AllowedAudienceUris.Add(audience.AbsoluteUri);
            }

            var policies = samlAuthenticator.ValidateToken(samlToken);
            return AuthorizationContext.CreateDefaultAuthorizationContext(policies);
        }

        /// <summary>
        /// Throws (via <c>InfoCardErrorUtilities.VerifyInfoCard</c>) when any audience
        /// restriction condition on <paramref name="samlToken"/> does not list
        /// <paramref name="audience"/>. A token with no conditions, or with no
        /// audience-restriction condition, is left alone.
        /// </summary>
        /// <param name="samlToken">The token whose assertion conditions are inspected.</param>
        /// <param name="audience">The audience that must appear in every audience-restriction condition.</param>
        private static void RejectAudienceMismatch(SamlSecurityToken samlToken, Uri audience)
        {
            SamlConditions conditions = samlToken.Assertion.Conditions;
            if (conditions == null || conditions.Conditions == null)
            {
                return;
            }

            foreach (SamlAudienceRestrictionCondition restriction in conditions.Conditions.OfType <SamlAudienceRestrictionCondition>())
            {
                Logger.InfoCard.DebugFormat("SAML token audience(s): {0}", restriction.Audiences.ToStringDeferred());

                // The token is invalid if any condition is not valid.
                // An audience restriction condition is valid if any audience
                // matches the Relying Party. (Uri equality, not ordinal string equality.)
                bool accepted = restriction.Audiences.Contains(audience);

                if (!accepted && Logger.InfoCard.IsErrorEnabled)
                {
                    Logger.InfoCard.ErrorFormat("Expected SAML token audience of {0} but found {1}.", audience.AbsoluteUri, restriction.Audiences.Select(aud => aud.AbsoluteUri).ToStringDeferred());
                }

                InfoCardErrorUtilities.VerifyInfoCard(accepted, InfoCardStrings.AudienceMismatch);
            }
        }
 /// <summary>
 /// Hook for deriving a claim set from the token subject's key (purpose inferred
 /// from the name — confirm against the derived classes). This base
 /// implementation does not support the operation and always throws.
 /// </summary>
 /// <param name="samlAuthenticator">The authenticator that validated the token; unused here.</param>
 /// <returns>Never returns.</returns>
 /// <exception cref="NotImplementedException">Always thrown by this base implementation.</exception>
 public virtual ClaimSet ExtractSubjectKeyClaimSet(SamlSecurityTokenAuthenticator samlAuthenticator)
 {
     throw new NotImplementedException();
 }
        /// <summary>
        /// Builds the <see cref="SamlSecurityTokenAuthenticator"/> that validates issued SAML
        /// tokens for a recipient endpoint, and the out-of-band resolver over the service
        /// certificate and the configured known issuer certificates.
        /// </summary>
        /// <param name="recipientRequirement">Describes the recipient endpoint. Its binding's
        /// local service settings (when present) supply the maximum clock skew, and its
        /// listen URI is always added to the allowed audience URIs.</param>
        /// <param name="outOfBandTokenResolver">Receives a resolver over the service
        /// certificate plus <c>IssuedTokenAuthentication.KnownCertificates</c>, or
        /// <c>null</c> when there are no such certificates.</param>
        /// <returns>The configured authenticator.</returns>
        SamlSecurityTokenAuthenticator CreateSamlTokenAuthenticator(RecipientServiceModelSecurityTokenRequirement recipientRequirement, out SecurityTokenResolver outOfBandTokenResolver)
        {
            if (recipientRequirement == null)
            {
                throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("recipientRequirement");
            }

            // Out-of-band tokens: the service's own certificate first, then every
            // configured known issuer certificate.
            var outOfBandTokens = new Collection <SecurityToken>();

            if (parent.ServiceCertificate.Certificate != null)
            {
                outOfBandTokens.Add(new X509SecurityToken(parent.ServiceCertificate.Certificate));
            }

            if ((parent.IssuedTokenAuthentication.KnownCertificates != null) && (parent.IssuedTokenAuthentication.KnownCertificates.Count > 0))
            {
                foreach (X509Certificate2 knownCertificate in parent.IssuedTokenAuthentication.KnownCertificates)
                {
                    outOfBandTokens.Add(new X509SecurityToken(knownCertificate));
                }
            }

            // Security: issuer trust for certificate-signed tokens is whatever validator
            // IssuedTokenAuthentication is configured with. The RSA authenticator is only
            // added when AllowUntrustedRsaIssuers is set — it has no trust list of its own,
            // so presumably it admits tokens signed by any RSA key (self-issued tokens);
            // NOTE(review): confirm that is intended wherever that flag is enabled.
            var issuerAuthenticators = new List <SecurityTokenAuthenticator>();

            X509CertificateValidator certificateValidator = parent.IssuedTokenAuthentication.GetCertificateValidator();
            issuerAuthenticators.Add(new X509SecurityTokenAuthenticator(certificateValidator));

            if (parent.IssuedTokenAuthentication.AllowUntrustedRsaIssuers)
            {
                issuerAuthenticators.Add(new RsaSecurityTokenAuthenticator());
            }

            if (outOfBandTokens.Count > 0)
            {
                outOfBandTokenResolver = SecurityTokenResolver.CreateDefaultSecurityTokenResolver(new ReadOnlyCollection <SecurityToken>(outOfBandTokens), false);
            }
            else
            {
                outOfBandTokenResolver = null;
            }

            // The clock skew comes from the binding's local service settings when they are
            // available; otherwise the authenticator's own default applies.
            SamlSecurityTokenAuthenticator samlAuthenticator;
            bool hasLocalSettings = (recipientRequirement.SecurityBindingElement != null) && (recipientRequirement.SecurityBindingElement.LocalServiceSettings != null);

            if (hasLocalSettings)
            {
                samlAuthenticator = new SamlSecurityTokenAuthenticator(issuerAuthenticators, recipientRequirement.SecurityBindingElement.LocalServiceSettings.MaxClockSkew);
            }
            else
            {
                samlAuthenticator = new SamlSecurityTokenAuthenticator(issuerAuthenticators);
            }

            // Audience restrictions: the configured mode and allowed URIs, plus the
            // endpoint's own listen URI, which is always accepted as an audience.
            samlAuthenticator.AudienceUriMode = parent.IssuedTokenAuthentication.AudienceUriMode;
            IList <string> acceptedAudiences = samlAuthenticator.AllowedAudienceUris;

            if (parent.IssuedTokenAuthentication.AllowedAudienceUris != null)
            {
                foreach (string configuredAudience in parent.IssuedTokenAuthentication.AllowedAudienceUris)
                {
                    acceptedAudiences.Add(configuredAudience);
                }
            }

            if (recipientRequirement.ListenUri != null)
            {
                acceptedAudiences.Add(recipientRequirement.ListenUri.AbsoluteUri);
            }

            return samlAuthenticator;
        }
 /// <summary>
 /// Policy creation is not supported by this class: the override exists to satisfy
 /// the abstract base member and always throws.
 /// </summary>
 /// <param name="issuer">Claim set describing the token issuer; unused here.</param>
 /// <param name="samlAuthenticator">The authenticator that validated the token; unused here.</param>
 /// <returns>Never returns.</returns>
 /// <exception cref="NotImplementedException">Always thrown.</exception>
 public override IAuthorizationPolicy CreatePolicy(ClaimSet issuer, SamlSecurityTokenAuthenticator samlAuthenticator)
 {
     throw new NotImplementedException();
 }