private ClaimsPrincipal ParseToken(GenericXmlSecurityToken genericToken)
{
using (XmlReader samlReader = XmlReader.Create(new StringReader(genericToken.TokenXml.OuterXml)))
{
SecurityTokenHandlerCollection tokenHandlers = SecurityTokenHandlerCollection.CreateDefaultSecurityTokenHandlerCollection();
SecurityTokenHandlerConfiguration config = tokenHandlers.Configuration;
var securityTokens = new List <SecurityToken>
{
new X509SecurityToken(CertificateHelper.GetCertificate(_tokenClientOptions.StoreName, _tokenClientOptions.StoreLocation, _tokenClientOptions.SubjectDistinguishedName))
};
config.ServiceTokenResolver = SecurityTokenResolver.CreateDefaultSecurityTokenResolver(securityTokens.AsReadOnly(), false);
config.CertificateValidator = X509CertificateValidator.PeerOrChainTrust;
config.IssuerTokenResolver = new X509CertificateStoreTokenResolver(_tokenClientOptions.StoreName, _tokenClientOptions.StoreLocation);
config.IssuerNameRegistry = _nameRegistry;
config.AudienceRestriction.AllowedAudienceUris.Add(_tokenClientOptions.AudienceUri);
SecurityToken samlToken = tokenHandlers.ReadToken(samlReader);
ClaimsIdentity tokenIdentity = tokenHandlers.ValidateToken(samlToken).FirstOrDefault();
return(new ClaimsPrincipal(tokenIdentity));
}
}
public static SecurityToken DeSerializeSecurityToken(string tokenString, string issuerThumbPrint, string issuerThumbprintName)
{
XmlTextReader xmlTextReader = new XmlTextReader(new StringReader(tokenString));
SecurityTokenHandlerConfiguration conf = new SecurityTokenHandlerConfiguration()
{
SaveBootstrapContext = true
};
conf.AudienceRestriction.AudienceMode = AudienceUriMode.Never;
ConfigurationBasedIssuerNameRegistry actAsRegistry = new ConfigurationBasedIssuerNameRegistry();
actAsRegistry.AddTrustedIssuer(issuerThumbPrint, issuerThumbPrint);
conf.IssuerNameRegistry = actAsRegistry;
List <SecurityToken> tokens = new List <SecurityToken>()
{
new X509SecurityToken(Constants.DefaultCertificate)
};
conf.IssuerTokenResolver = SecurityTokenResolver.CreateDefaultSecurityTokenResolver(new ReadOnlyCollection <SecurityToken>(tokens), true);
SecurityTokenHandlerCollection handlers = new SecurityTokenHandlerCollection(conf)
{
new X509CertificateSessionSecurityTokenHandler(Constants.DefaultCertificate),
new UserNameTokenHandler(),
new SamlTokenHandler(),
new EncryptedSecurityTokenHandler()
};
return(handlers.ReadToken(xmlTextReader));
}
/// <summary>
/// The out-of-band token resolver to be used if the authenticator does
/// not provide another.
/// </summary>
/// <remarks>By default this will create the resolver with the service certificate and
/// know certificates collections specified in the service credentials when the STS is
/// hosted inside WCF.</remarks>
SecurityTokenResolver GetDefaultOutOfBandTokenResolver()
{
if (_defaultTokenResolver == null)
{
lock ( _syncObject )
{
if (_defaultTokenResolver == null)
{
//
// Create default Out-Of-Band SecurityResolver.
//
List <SecurityToken> outOfBandTokens = new List <SecurityToken>();
if (base.ServiceCredentials.ServiceCertificate.Certificate != null)
{
outOfBandTokens.Add(new X509SecurityToken(base.ServiceCredentials.ServiceCertificate.Certificate));
}
if ((base.ServiceCredentials.IssuedTokenAuthentication.KnownCertificates != null) && (base.ServiceCredentials.IssuedTokenAuthentication.KnownCertificates.Count > 0))
{
for (int i = 0; i < base.ServiceCredentials.IssuedTokenAuthentication.KnownCertificates.Count; ++i)
{
outOfBandTokens.Add(new X509SecurityToken(base.ServiceCredentials.IssuedTokenAuthentication.KnownCertificates[i]));
}
}
_defaultTokenResolver = SecurityTokenResolver.CreateDefaultSecurityTokenResolver(outOfBandTokens.AsReadOnly(), false);
}
}
}
return(_defaultTokenResolver);
}
private JsonWebSecurityTokenHandler GetSecurityTokenHandler(string audience,
string authMetadataEndpoint,
X509Certificate2 currentCertificate)
{
JsonWebSecurityTokenHandler jsonTokenHandler = new JsonWebSecurityTokenHandler();
jsonTokenHandler.Configuration = new Microsoft.IdentityModel.Tokens.SecurityTokenHandlerConfiguration();
jsonTokenHandler.Configuration.AudienceRestriction = new Microsoft.IdentityModel.Tokens.AudienceRestriction(AudienceUriMode.Always);
jsonTokenHandler.Configuration.AudienceRestriction.AllowedAudienceUris.Add(
new Uri(audience, UriKind.RelativeOrAbsolute));
jsonTokenHandler.Configuration.CertificateValidator = X509CertificateValidator.None;
jsonTokenHandler.Configuration.IssuerTokenResolver =
SecurityTokenResolver.CreateDefaultSecurityTokenResolver(
new ReadOnlyCollection <SecurityToken>(new List <SecurityToken>(
new SecurityToken[]
{
new X509SecurityToken(currentCertificate)
})), false);
Microsoft.IdentityModel.Tokens.ConfigurationBasedIssuerNameRegistry issuerNameRegistry =
new Microsoft.IdentityModel.Tokens.ConfigurationBasedIssuerNameRegistry();
issuerNameRegistry.AddTrustedIssuer(currentCertificate.Thumbprint, Config.ExchangeApplicationIdentifier);
jsonTokenHandler.Configuration.IssuerNameRegistry = issuerNameRegistry;
return(jsonTokenHandler);
}
private static JsonWebSecurityTokenHandler CreateJsonWebSecurityTokenHandler(string clientSecret)
{
JsonWebSecurityTokenHandler handler = new JsonWebSecurityTokenHandler();
handler.Configuration = new Microsoft.IdentityModel.Tokens.SecurityTokenHandlerConfiguration();
handler.Configuration.AudienceRestriction = new Microsoft.IdentityModel.Tokens.AudienceRestriction(AudienceUriMode.Never);
handler.Configuration.CertificateValidator = X509CertificateValidator.None;
List <byte[]> securityKeys = new List <byte[]>();
securityKeys.Add(Convert.FromBase64String(clientSecret));
List <SecurityToken> securityTokens = new List <SecurityToken>();
securityTokens.Add(new MultipleSymmetricKeySecurityToken(securityKeys));
handler.Configuration.IssuerTokenResolver =
SecurityTokenResolver.CreateDefaultSecurityTokenResolver(
new ReadOnlyCollection <SecurityToken>(securityTokens),
false);
SymmetricKeyIssuerNameRegistry issuerNameRegistry = new SymmetricKeyIssuerNameRegistry();
foreach (byte[] securitykey in securityKeys)
{
issuerNameRegistry.AddTrustedIssuer(securitykey, GetAcsPrincipalName(""));
}
handler.Configuration.IssuerNameRegistry = issuerNameRegistry;
return(handler);
}
private static SecurityTokenResolver CreateSecurityTokenResolver(this X509Certificate2 certificate)
{
return(SecurityTokenResolver.CreateDefaultSecurityTokenResolver(new List <SecurityToken>
{
new X509SecurityToken(certificate)
}.AsReadOnly(), true));
}
/// <summary>
/// Initializes the validator from the configuration for a token policy.
/// </summary>
/// <param name="issuerCertificate">The issuer certificate.</param>
private SecurityTokenResolver CreateSecurityTokenResolver(CertificateIdentifier issuerCertificate)
{
if (issuerCertificate == null)
{
throw new ArgumentNullException("issuerCertificate");
}
// find the certificate.
X509Certificate2 certificate = issuerCertificate.Find(false);
if (certificate == null)
{
throw ServiceResultException.Create(
StatusCodes.BadCertificateInvalid,
"Could not find issuer certificate: {0}",
issuerCertificate);
}
// create a security token representing the certificate.
List <SecurityToken> tokens = new List <SecurityToken>();
tokens.Add(new X509SecurityToken(certificate));
// create issued token resolver.
SecurityTokenResolver tokenResolver = SecurityTokenResolver.CreateDefaultSecurityTokenResolver(
new System.Collections.ObjectModel.ReadOnlyCollection <SecurityToken>(tokens),
false);
return(tokenResolver);
}
public static void Methods_NonNullParam_InvokeAndReturn()
{
var xmlReader = XmlReader.Create(new MemoryStream());
var xmlWriter = XmlWriter.Create(new MemoryStream());
var dummyToken = new DummySecurityToken();
var keyIdentifier = new SecurityKeyIdentifier();
var keyIdentifierClause = new SecurityKeyIdentifierClauseImpl("DummyClause");
var sts = new SecurityTokenSerializerImpl();
Assert.NotNull(sts);
Assert.True(sts.CanReadKeyIdentifier(xmlReader));
Assert.True(sts.CanReadKeyIdentifierClause(xmlReader));
Assert.True(sts.CanReadToken(xmlReader));
Assert.True(sts.CanWriteKeyIdentifier(keyIdentifier));
Assert.True(sts.CanWriteKeyIdentifierClause(keyIdentifierClause));
Assert.True(sts.CanWriteToken(dummyToken));
SecurityToken token = sts.ReadToken(xmlReader, SecurityTokenResolver.CreateDefaultSecurityTokenResolver(new ReadOnlyCollection <SecurityToken>(new List <SecurityToken>()
{
dummyToken
}), false));
SecurityKeyIdentifier identifier = sts.ReadKeyIdentifier(xmlReader);
SecurityKeyIdentifierClause identifierClause = sts.ReadKeyIdentifierClause(xmlReader);
Assert.IsType <DummySecurityToken>(token);
Assert.IsType <SecurityKeyIdentifier>(identifier);
Assert.IsType <SecurityKeyIdentifierClauseImpl>(identifierClause);
sts.WriteToken(xmlWriter, dummyToken);
sts.WriteKeyIdentifier(xmlWriter, keyIdentifier);
sts.WriteKeyIdentifierClause(xmlWriter, keyIdentifierClause);
Assert.True(sts.WriteTokenCoreCalled);
Assert.True(sts.WriteKeyIdentifierCoreCalled);
Assert.True(sts.WriteKeyIdentifierClauseCoreCalled);
}
private JsonWebSecurityTokenHandler CreateJsonWebSecurityTokenHandler()
{
JsonWebSecurityTokenHandler handler = new JsonWebSecurityTokenHandler();
handler.Configuration = new SecurityTokenHandlerConfiguration();
handler.Configuration.AudienceRestriction = new AudienceRestriction(AudienceUriMode.Never);
handler.Configuration.CertificateValidator = X509CertificateValidator.None;
List <byte[]> securityKeys = new List <byte[]>();
securityKeys.Add(Convert.FromBase64String(_clientSecret));
if (!string.IsNullOrEmpty(_secondaryClientSecret))
{
securityKeys.Add(Convert.FromBase64String(_secondaryClientSecret));
}
List <SecurityToken> securityTokens = new List <SecurityToken>();
securityTokens.Add(new MultipleSymmetricKeySecurityToken(securityKeys));
handler.Configuration.IssuerTokenResolver =
SecurityTokenResolver.CreateDefaultSecurityTokenResolver(
new ReadOnlyCollection <SecurityToken>(securityTokens),
false);
SymmetricKeyIssuerNameRegistry issuerNameRegistry = new SymmetricKeyIssuerNameRegistry();
foreach (byte[] securitykey in securityKeys)
{
issuerNameRegistry.AddTrustedIssuer(securitykey, GetAcsPrincipalName(_serviceNamespace));
}
handler.Configuration.IssuerNameRegistry = issuerNameRegistry;
return(handler);
}
/// <summary>
/// Creates a <see cref="WSTrustSerializationContext" /> used by <see cref="WSTrustChannel" /> objects created
/// by this factory.
/// </summary>
/// <remarks>
/// <para>
/// If <see cref="WSTrustChannelFactory.SecurityTokenResolver" /> is set to null, the
/// ClientCertificate set on the factory's Endpoint's ClientCredentials behavior will be used to
/// create a resolver. If no such certificate is found, an empty resolver is used.
/// </para>
/// <para>
/// If <see cref="WSTrustChannelFactory.UseKeyTokenResolver" /> is set to null, an empty resolver
/// will be used.
/// </para>
/// </remarks>
/// <returns>A WSTrustSerializationContext initialized with the trust client's properties.</returns>
protected virtual WSTrustSerializationContext CreateSerializationContext()
{
//
// Create a resolver with the ClientCredential's ClientCertificate if a resolver is not set.
//
SecurityTokenResolver resolver = _securityTokenResolver;
if (resolver == null)
{
ClientCredentials factoryCredentials = Credentials;
if (null != factoryCredentials.ClientCertificate && null != factoryCredentials.ClientCertificate.Certificate)
{
List <SecurityToken> clientCredentialTokens = new List <SecurityToken>();
clientCredentialTokens.Add(new X509SecurityToken(factoryCredentials.ClientCertificate.Certificate));
resolver = SecurityTokenResolver.CreateDefaultSecurityTokenResolver(clientCredentialTokens.AsReadOnly(), false);
}
}
//
// If it is _still_ null, then make it empty.
//
if (resolver == null)
{
resolver = EmptySecurityTokenResolver.Instance;
}
//
// UseKeyTokenResolver is empty if null.
//
SecurityTokenResolver useKeyResolver = _useKeyTokenResolver ?? EmptySecurityTokenResolver.Instance;
return(new WSTrustSerializationContext(_securityTokenHandlerCollectionManager, resolver, useKeyResolver));
}
static void TransportTransportMessageReceived(object sender, TransportMessageReceivedEventArgs e)
{
if (!ConfigureClaimFlow.Flow)
{
return;
}
if (!e.Message.Headers.ContainsKey(SecurityTokenKey))
{
return;
}
var serializedToken = e.Message.Headers[SecurityTokenKey];
var certificate = ExtractCertificate(serializedToken);
var handler = new Saml2SecurityTokenHandler(new SamlSecurityTokenRequirement());
var tokens = new List <SecurityToken> {
new X509SecurityToken(certificate)
};
var resolver = SecurityTokenResolver.CreateDefaultSecurityTokenResolver(tokens.AsReadOnly(), false);
handler.Configuration = new SecurityTokenHandlerConfiguration
{
IssuerTokenResolver = resolver,
IssuerNameRegistry = new InternalIssuerNameRegistry(),
CertificateValidator = X509CertificateValidator.None
};
using (var reader = XmlReader.Create(new StringReader(serializedToken)))
{
var bootstrapToken = handler.ReadToken(reader);
handler.Configuration.AudienceRestriction.AudienceMode = AudienceUriMode.Never;
handler.Configuration.MaxClockSkew = TimeSpan.MaxValue;
var collection = handler.ValidateToken(bootstrapToken);
Thread.CurrentPrincipal = new ClaimsPrincipal(collection);
}
}
private HttpResponseMessage CreateTokenResponse(GenericXmlSecurityToken token, string scope)
{
var response = new TokenResponse();
if (ConfigurationRepository.AdfsIntegration.PassThruAuthenticationToken)
{
response.AccessToken = token.TokenXml.OuterXml;
response.ExpiresIn = (int)(token.ValidTo.Subtract(DateTime.UtcNow).TotalSeconds);
}
else
{
var bridge = new AdfsBridge(ConfigurationRepository);
if (ConfigurationRepository.Keys.DecryptionCertificate != null)
{
var configuration = new SecurityTokenHandlerConfiguration
{
AudienceRestriction = { AudienceMode = AudienceUriMode.Never },
CertificateValidationMode = X509CertificateValidationMode.None,
RevocationMode = X509RevocationMode.NoCheck,
CertificateValidator = X509CertificateValidator.None,
ServiceTokenResolver = SecurityTokenResolver.CreateDefaultSecurityTokenResolver(
new ReadOnlyCollection <SecurityToken>(new SecurityToken[] { new X509SecurityToken(ConfigurationRepository.Keys.DecryptionCertificate) }), false)
};
var handler = SecurityTokenHandlerCollection.CreateDefaultSecurityTokenHandlerCollection(configuration);
response = bridge.ConvertSamlToJwt(token.ToSecurityToken(handler), scope);
}
else
{
response = bridge.ConvertSamlToJwt(token.ToSecurityToken(), scope);
}
}
return(Request.CreateResponse <TokenResponse>(HttpStatusCode.OK, response));
}
protected override void ValidateTestCase(string testCase)
{
IdentityConfiguration identityConfig = new IdentityConfiguration(IdentityConfiguration.DefaultServiceName);
JwtSecurityTokenHandler jwtHandler = identityConfig.SecurityTokenHandlers[typeof(JwtSecurityToken)] as JwtSecurityTokenHandler;
jwtHandler.RequireExpirationTime = false;
Assert.IsNotNull(jwtHandler);
SecurityTokenDescriptor tokenDescriptor = new SecurityTokenDescriptor()
{
TokenIssuerName = "https://wiftooling.accesscontrol.windows.net",
AppliesToAddress = "http://localhost",
SigningCredentials = KeyingMaterial.X509SigningCreds_2048_RsaSha2_Sha2,
};
try
{
SecurityToken jwtToken = jwtHandler.CreateToken(tokenDescriptor);
string tokenString = jwtHandler.WriteToken(jwtToken);
List <SecurityToken> tokens = new List <SecurityToken>(KeyingMaterial.AsymmetricTokens);
jwtHandler.Configuration.IssuerTokenResolver = SecurityTokenResolver.CreateDefaultSecurityTokenResolver(tokens.AsReadOnly(), true);
jwtToken = jwtHandler.ReadToken(tokenString);
jwtHandler.CertificateValidator = X509CertificateValidator.None;
jwtHandler.Configuration.IssuerNameRegistry = new SetNameIssuerNameRegistry("https://wiftooling.accesscontrol.windows.net");
ClaimsPrincipal cp = new ClaimsPrincipal(jwtHandler.ValidateToken(jwtToken));
}
catch (Exception ex)
{
Assert.Fail(ex.Message);
}
}
/// <summary>
/// Decrpyts a security token from an XML EncryptedData
/// </summary>
/// <param name="reader">The encrypted token XML reader.</param>
/// <returns>A byte array of the contents of the encrypted token</returns>
internal byte[] DecryptToken(XmlReader reader)
{
Requires.NotNull(reader, "reader");
Contract.Ensures(Contract.Result <byte[]>() != null);
byte[] securityTokenData;
string encryptionAlgorithm;
SecurityKeyIdentifier keyIdentifier;
bool isEmptyElement;
ErrorUtilities.VerifyInternal(reader.IsStartElement(XmlEncryptionStrings.EncryptedData, XmlEncryptionStrings.Namespace), "Expected encrypted token starting XML element was not found.");
reader.Read(); // get started
// if it's not an encryption method, something is dreadfully wrong.
InfoCardErrorUtilities.VerifyInfoCard(reader.IsStartElement(XmlEncryptionStrings.EncryptionMethod, XmlEncryptionStrings.Namespace), InfoCardStrings.EncryptionAlgorithmNotFound);
// Looks good, let's grab the alg.
isEmptyElement = reader.IsEmptyElement;
encryptionAlgorithm = reader.GetAttribute(XmlEncryptionStrings.Algorithm);
reader.Read();
if (!isEmptyElement)
{
while (reader.IsStartElement())
{
reader.Skip();
}
reader.ReadEndElement();
}
// get the key identifier
keyIdentifier = WSSecurityTokenSerializer.DefaultInstance.ReadKeyIdentifier(reader);
// resolve the symmetric key
SymmetricSecurityKey decryptingKey = (SymmetricSecurityKey)SecurityTokenResolver.CreateDefaultSecurityTokenResolver(this.tokens.AsReadOnly(), false).ResolveSecurityKey(keyIdentifier[0]);
SymmetricAlgorithm algorithm = decryptingKey.GetSymmetricAlgorithm(encryptionAlgorithm);
// dig for the security token data itself.
reader.ReadStartElement(XmlEncryptionStrings.CipherData, XmlEncryptionStrings.Namespace);
reader.ReadStartElement(XmlEncryptionStrings.CipherValue, XmlEncryptionStrings.Namespace);
securityTokenData = Convert.FromBase64String(reader.ReadString());
reader.ReadEndElement(); // CipherValue
reader.ReadEndElement(); // CipherData
reader.ReadEndElement(); // EncryptedData
// decrypto-magic!
int blockSizeBytes = algorithm.BlockSize / 8;
byte[] iv = new byte[blockSizeBytes];
Buffer.BlockCopy(securityTokenData, 0, iv, 0, iv.Length);
algorithm.Padding = PaddingMode.ISO10126;
algorithm.Mode = CipherMode.CBC;
ICryptoTransform decrTransform = algorithm.CreateDecryptor(algorithm.Key, iv);
byte[] plainText = decrTransform.TransformFinalBlock(securityTokenData, iv.Length, securityTokenData.Length - iv.Length);
decrTransform.Dispose();
return(plainText);
}
private void ParseToken(string xmlToken, X509Certificate2 cert)
{
int skew = 300; // default to 5 minutes
string tokenskew = System.Configuration.ConfigurationManager.AppSettings["MaximumClockSkew"];
if (!string.IsNullOrEmpty(tokenskew))
{
skew = Int32.Parse(tokenskew);
}
XmlReader tokenReader = new XmlTextReader(new StringReader(xmlToken));
EncryptedData enc = new EncryptedData();
enc.TokenSerializer = WSSecurityTokenSerializer.DefaultInstance;
enc.ReadFrom(tokenReader);
List <SecurityToken> tokens = new List <SecurityToken>();
SecurityToken encryptingToken = new X509SecurityToken(cert);
tokens.Add(encryptingToken);
SecurityTokenResolver tokenResolver = SecurityTokenResolver.CreateDefaultSecurityTokenResolver(tokens.AsReadOnly(), false);
SymmetricSecurityKey encryptingCrypto;
// an error here usually means that you have selected the wrong key.
encryptingCrypto = (SymmetricSecurityKey)tokenResolver.ResolveSecurityKey(enc.KeyIdentifier[0]);
SymmetricAlgorithm algorithm = encryptingCrypto.GetSymmetricAlgorithm(enc.EncryptionMethod);
byte[] decryptedData = enc.GetDecryptedBuffer(algorithm);
SecurityTokenSerializer tokenSerializer = WSSecurityTokenSerializer.DefaultInstance;
XmlReader reader = new XmlTextReader(new StreamReader(new MemoryStream(decryptedData), Encoding.UTF8));
m_token = (SamlSecurityToken)tokenSerializer.ReadToken(reader, tokenResolver);
SamlSecurityTokenAuthenticator authenticator = new SamlSecurityTokenAuthenticator(new List <SecurityTokenAuthenticator>(
new SecurityTokenAuthenticator[] {
new RsaSecurityTokenAuthenticator(),
new X509SecurityTokenAuthenticator()
}), new TimeSpan(0, 0, skew));
if (authenticator.CanValidateToken(m_token))
{
ReadOnlyCollection <IAuthorizationPolicy> policies = authenticator.ValidateToken(m_token);
m_authorizationContext = AuthorizationContext.CreateDefaultAuthorizationContext(policies);
m_identityClaims = FindIdentityClaims(m_authorizationContext);
}
else
{
throw new Exception("Unable to validate the token.");
}
}
private SamlSecurityTokenAuthenticator CreateSamlTokenAuthenticator(RecipientServiceModelSecurityTokenRequirement recipientRequirement, out SecurityTokenResolver outOfBandTokenResolver)
{
SamlSecurityTokenAuthenticator authenticator;
if (recipientRequirement == null)
{
throw System.ServiceModel.DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("recipientRequirement");
}
Collection <SecurityToken> collection = new Collection <SecurityToken>();
if (this.parent.ServiceCertificate.Certificate != null)
{
collection.Add(new X509SecurityToken(this.parent.ServiceCertificate.Certificate));
}
List <SecurityTokenAuthenticator> supportingAuthenticators = new List <SecurityTokenAuthenticator>();
if ((this.parent.IssuedTokenAuthentication.KnownCertificates != null) && (this.parent.IssuedTokenAuthentication.KnownCertificates.Count > 0))
{
for (int i = 0; i < this.parent.IssuedTokenAuthentication.KnownCertificates.Count; i++)
{
collection.Add(new X509SecurityToken(this.parent.IssuedTokenAuthentication.KnownCertificates[i]));
}
}
X509CertificateValidator certificateValidator = this.parent.IssuedTokenAuthentication.GetCertificateValidator();
supportingAuthenticators.Add(new X509SecurityTokenAuthenticator(certificateValidator));
if (this.parent.IssuedTokenAuthentication.AllowUntrustedRsaIssuers)
{
supportingAuthenticators.Add(new RsaSecurityTokenAuthenticator());
}
outOfBandTokenResolver = (collection.Count > 0) ? SecurityTokenResolver.CreateDefaultSecurityTokenResolver(new ReadOnlyCollection <SecurityToken>(collection), false) : null;
if ((recipientRequirement.SecurityBindingElement == null) || (recipientRequirement.SecurityBindingElement.LocalServiceSettings == null))
{
authenticator = new SamlSecurityTokenAuthenticator(supportingAuthenticators);
}
else
{
authenticator = new SamlSecurityTokenAuthenticator(supportingAuthenticators, recipientRequirement.SecurityBindingElement.LocalServiceSettings.MaxClockSkew);
}
authenticator.AudienceUriMode = this.parent.IssuedTokenAuthentication.AudienceUriMode;
IList <string> allowedAudienceUris = authenticator.AllowedAudienceUris;
if (this.parent.IssuedTokenAuthentication.AllowedAudienceUris != null)
{
for (int j = 0; j < this.parent.IssuedTokenAuthentication.AllowedAudienceUris.Count; j++)
{
allowedAudienceUris.Add(this.parent.IssuedTokenAuthentication.AllowedAudienceUris[j]);
}
}
if (recipientRequirement.ListenUri != null)
{
allowedAudienceUris.Add(recipientRequirement.ListenUri.AbsoluteUri);
}
return(authenticator);
}
private static SecurityTokenHandlerConfiguration CreateSaml2SecurityTokenHandlerConfiguration(string issuerThumbprint, string issuerName, string audienceUri, X509CertificateValidator certificateValidator, X509Certificate2 encryptingCertificate)
{
var handlerConfig = CreateSaml2SecurityTokenHandlerConfiguration(issuerThumbprint, issuerName, audienceUri, certificateValidator);
var serviceTokens = new List<SecurityToken> { new X509SecurityToken(encryptingCertificate) };
handlerConfig.ServiceTokenResolver =
SecurityTokenResolver.CreateDefaultSecurityTokenResolver(serviceTokens.AsReadOnly(), true);
return handlerConfig;
}
private static void ConfigureHandler(SecurityTokenHandlerConfiguration configuration)
{
var issuerTokens = new List <SecurityToken> {
new X509SecurityToken(GetSigningCertificate())
}.AsReadOnly();
configuration.IssuerTokenResolver = SecurityTokenResolver.CreateDefaultSecurityTokenResolver(
issuerTokens, false);
var registry = new ConfigurationBasedIssuerNameRegistry();
registry.AddTrustedIssuer(GetSigningCertificate().Thumbprint, "TecTeacher");
configuration.IssuerNameRegistry = registry;
}
private static void ConfigureHandler(SecurityTokenHandlerConfiguration hc, IFederatedAuthenticationSettings settings)
{
hc.AudienceRestriction = new AudienceRestriction(AudienceUriMode.Never);
hc.CertificateValidator = new SamlCertificateValidator(settings.Certificate, WebApiConfig.VerifyCertificateChain);
hc.IssuerNameRegistry = new SamlIssuerNameRegistry(settings.Certificate);
hc.IssuerTokenResolver = new IssuerTokenResolver();
// need this if certificate not included into sign info
var tokens = new List <SecurityToken> {
new X509SecurityToken(settings.Certificate)
};
hc.ServiceTokenResolver = SecurityTokenResolver.CreateDefaultSecurityTokenResolver(
new ReadOnlyCollection <SecurityToken>(tokens), false);
}
void ReadHeaders(Message srcmsg)
{
SecurityTokenSerializer serializer =
security.TokenSerializer;
tokens = new List <SecurityToken> ();
token_resolver = SecurityTokenResolver.CreateDefaultSecurityTokenResolver(
new ReadOnlyCollection <SecurityToken> (tokens),
true);
token_resolver = new UnionSecurityTokenResolver(token_resolver, security.OutOfBandTokenResolver);
// Add relevant protection token and supporting tokens.
tokens.Add(security.EncryptionToken);
// FIXME: this is just a workaround for symmetric binding to not require extra client certificate.
if (security.Element is AsymmetricSecurityBindingElement)
{
tokens.Add(security.SigningToken);
}
if (RequestSecurity != null && RequestSecurity.ProtectionToken != null)
{
tokens.Add(RequestSecurity.ProtectionToken.SecurityToken);
}
// FIXME: handle supporting tokens
for (int i = 0; i < srcmsg.Headers.Count; i++)
{
MessageHeaderInfo header = srcmsg.Headers [i];
// FIXME: check SOAP Actor.
// MessageHeaderDescription.Actor needs to be accessible from here.
if (header.Namespace == Constants.WssNamespace &&
header.Name == "Security")
{
wss_header = new WSSecurityMessageHeader(null);
wss_header_reader = new WSSecurityMessageHeaderReader(wss_header, serializer, token_resolver, doc, nsmgr, tokens);
wss_header_reader.ReadContents(srcmsg.Headers.GetReaderAtHeader(i));
headers.Add(wss_header);
}
else
{
headers.Add(header);
}
}
if (wss_header == null)
{
throw new InvalidOperationException("In this service contract, a WS-Security header is required in the Message, but was not found.");
}
}
public CardSignIn()
{
SecurityTokenHandlerConfiguration handlerConfig = new SecurityTokenHandlerConfiguration();
handlerConfig.IssuerNameRegistry = new TrustedIssuerNameRegistry();
List <SecurityToken> servicetokens = new List <SecurityToken>(1);
servicetokens.Add(new X509SecurityToken(CertificateUtil.GetCertificate(StoreName.My, StoreLocation.LocalMachine, "CN=localhost")));
handlerConfig.ServiceTokenResolver = SecurityTokenResolver.CreateDefaultSecurityTokenResolver(servicetokens.AsReadOnly(), false);
handlerConfig.AudienceRestriction.AllowedAudienceUris.Add(new Uri("https://localhost/AuthAssuranceSTS/CardSignIn.aspx"));
_handlers = new SecurityTokenHandlerCollection(handlerConfig);
SamlSecurityTokenRequirement samlReqs = new SamlSecurityTokenRequirement();
_handlers.Add(new EncryptedSecurityTokenHandler());
_handlers.Add(new Saml11SecurityTokenHandler(samlReqs));
}
public void AsymmetricSignatureProvider_Extensibility()
{
JwtSecurityTokenHandler handler = new JwtSecurityTokenHandler();
Console.WriteLine("Testvariation: " + "outbound signature algorithm - bobsYourUncle");
// inbound signature algorithm - bobsYourUncle
JwtSecurityTokenHandler.OutboundAlgorithmMap.Remove(SecurityAlgorithms.RsaSha256Signature);
JwtSecurityTokenHandler.OutboundAlgorithmMap.Add(new KeyValuePair <string, string>(SecurityAlgorithms.RsaSha256Signature, "bobsYourUncle"));
JwtSecurityToken jwt = handler.CreateToken(issuer: Issuers.GotJwt, signingCredentials: KeyingMaterial.X509SigningCreds_2048_RsaSha2_Sha2) as JwtSecurityToken;
List <SecurityToken> tokens = new List <SecurityToken>()
{
KeyingMaterial.X509Token_2048
};
handler.Configuration = new SecurityTokenHandlerConfiguration()
{
IssuerTokenResolver = SecurityTokenResolver.CreateDefaultSecurityTokenResolver(tokens.AsReadOnly(), true),
SaveBootstrapContext = true,
CertificateValidator = AlwaysSucceedCertificateValidator.New,
AudienceRestriction = new AudienceRestriction(AudienceUriMode.Never),
};
// inbound unknown algorithm
ExpectedException expectedException = ExpectedException.SecVal(id: "Jwt10316");
try
{
handler.ValidateToken(jwt);
ExpectedException.ProcessNoException(expectedException);
}
catch (Exception ex)
{
ExpectedException.ProcessException(expectedException, ex);
}
finally
{
JwtSecurityTokenHandler.OutboundAlgorithmMap.Remove(SecurityAlgorithms.RsaSha256Signature);
JwtSecurityTokenHandler.OutboundAlgorithmMap.Add(new KeyValuePair <string, string>(SecurityAlgorithms.RsaSha256Signature, "RS256"));
}
}
public ActionResult ProcessWSFedResponse()
{
var fam = new WSFederationAuthenticationModule();
fam.FederationConfiguration = new FederationConfiguration();
if (ConfigurationRepository.Keys.DecryptionCertificate != null)
{
var idConfig = new IdentityConfiguration();
idConfig.ServiceTokenResolver = SecurityTokenResolver.CreateDefaultSecurityTokenResolver(
new ReadOnlyCollection <SecurityToken>(new SecurityToken[] { new X509SecurityToken(ConfigurationRepository.Keys.DecryptionCertificate) }), false);
fam.FederationConfiguration.IdentityConfiguration = idConfig;
}
if (fam.CanReadSignInResponse(Request))
{
var token = fam.GetSecurityToken(Request);
return(ProcessWSFedSignInResponse(fam.GetSignInResponseMessage(Request), token));
}
return(View("Error"));
}
private static JsonWebSecurityTokenHandler CreateJsonWebSecurityTokenHandler()
{
JsonWebSecurityTokenHandler handler = new JsonWebSecurityTokenHandler();
handler.Configuration = new Microsoft.IdentityModel.Tokens.SecurityTokenHandlerConfiguration();
handler.Configuration.AudienceRestriction = new Microsoft.IdentityModel.Tokens.AudienceRestriction(AudienceUriMode.Never);
handler.Configuration.CertificateValidator = X509CertificateValidator.None;
byte[] key = Convert.FromBase64String(ClientSecret);
handler.Configuration.IssuerTokenResolver =
SecurityTokenResolver.CreateDefaultSecurityTokenResolver(
new ReadOnlyCollection <SecurityToken>(new List <SecurityToken>(
new SecurityToken[]
{
new SimpleSymmetricKeySecurityToken(key)
})),
false);
SymmetricKeyIssuerNameRegistry issuerNameRegistry = new SymmetricKeyIssuerNameRegistry();
issuerNameRegistry.AddTrustedIssuer(key, GetAcsPrincipalName(ServiceNamespace));
handler.Configuration.IssuerNameRegistry = issuerNameRegistry;
return(handler);
}
/// <summary>
/// Decrpyts a security token from an XML EncryptedData
/// </summary>
/// <param name="xmlToken">the XML token to decrypt</param>
/// <returns>A byte array of the contents of the encrypted token</returns>
public static byte[] DecryptToken(string xmlToken)
{
XmlReader reader = new XmlTextReader(new StringReader(xmlToken));
byte[] securityTokenData;
string encryptionAlgorithm;
SecurityKeyIdentifier keyIdentifier;
bool isEmptyElement;
// if it's not an xml:enc element, something is dreadfully wrong.
if (!reader.IsStartElement(XmlEncryptionStrings.EncryptedData, XmlEncryptionStrings.Namespace))
{
throw new InvalidOperationException();
}
reader.Read(); // looks good.
// if it's not an encryption method, something is dreadfully wrong.
if (!reader.IsStartElement(XmlEncryptionStrings.EncryptionMethod, XmlEncryptionStrings.Namespace))
{
throw new InformationCardException("Failed to find the encryptionAlgorithm");
}
// Looks good, let's grab the alg.
isEmptyElement = reader.IsEmptyElement;
encryptionAlgorithm = reader.GetAttribute(XmlEncryptionStrings.Algorithm);
reader.Read();
if (!isEmptyElement)
{
while (reader.IsStartElement())
{
reader.Skip();
}
reader.ReadEndElement();
}
// get the key identifier
keyIdentifier = WSSecurityTokenSerializer.DefaultInstance.ReadKeyIdentifier(reader);
// resolve the symmetric key
SymmetricSecurityKey decryptingKey = (SymmetricSecurityKey)SecurityTokenResolver.CreateDefaultSecurityTokenResolver(Tokens.AsReadOnly(), false).ResolveSecurityKey(keyIdentifier[0]);
SymmetricAlgorithm algorithm = decryptingKey.GetSymmetricAlgorithm(encryptionAlgorithm);
// dig for the security token data itself.
reader.ReadStartElement(XmlEncryptionStrings.CipherData, XmlEncryptionStrings.Namespace);
reader.ReadStartElement(XmlEncryptionStrings.CipherValue, XmlEncryptionStrings.Namespace);
securityTokenData = Convert.FromBase64String(reader.ReadString());
reader.ReadEndElement(); // CipherValue
reader.ReadEndElement(); // CipherData
reader.ReadEndElement(); // EncryptedData
// decrypto-magic!
int ivSize = algorithm.BlockSize / 8;
byte[] iv = new byte[ivSize];
Buffer.BlockCopy(securityTokenData, 0, iv, 0, iv.Length);
algorithm.Padding = PaddingMode.ISO10126;
algorithm.Mode = CipherMode.CBC;
ICryptoTransform decrTransform = algorithm.CreateDecryptor(algorithm.Key, iv);
byte[] plainText = decrTransform.TransformFinalBlock(securityTokenData, iv.Length, securityTokenData.Length - iv.Length);
decrTransform.Dispose();
return(plainText);
}
public override NameValueCollection Validate(TokenRequestMessage message)
{
if (!this.CanValidateMessage(message))
{
throw new OAuthException(OAuthErrorCodes.UnsupportedGrantType, "This handler cannot validate this message.");
}
if (!message.Parameters[OAuthConstants.AssertionType].Equals("saml", StringComparison.OrdinalIgnoreCase))
{
throw new OAuthException(OAuthErrorCodes.InvalidRequest, string.Format("Assertion format '{0}' not supported. Only Saml Supported", message.Parameters[OAuthConstants.AssertionType]));
}
string assertion = message.Parameters[OAuthConstants.Assertion];
if (assertion == null)
{
throw new OAuthException(OAuthErrorCodes.InvalidRequest, "Parameter 'assertion' is mandatory");
}
this.EnsureClientExists(message);
SecurityToken token = null;
SecurityToken xtoken = null;
using (var stringReader = new StringReader(assertion))
{
var reader = XmlReader.Create(stringReader);
if (!ServiceConfiguration.SecurityTokenHandlers.CanReadToken(reader))
{
throw new OAuthException(OAuthErrorCodes.UnsupportedGrantType, "No Token handler defined can read this assertion");
}
// TODO: this should be changed to be in config
// CHANGE: matias: read decryption cert from servicecertificate instead of hardcoding localhost
using (var xprovider = new X509SecurityTokenProvider(ServiceConfiguration.ServiceCertificate))
{
xtoken = xprovider.GetToken(new TimeSpan(10, 1, 1));
}
var outOfBandTokens = new Collection <SecurityToken>();
outOfBandTokens.Add(xtoken);
// CHANGED: matias, don't validate certificate (should be read from service config)
ServiceConfiguration.CertificateValidator = X509CertificateValidator.None;
// encryptedtoken handler is 6 . Add the X509TOken which has the key to decrypt this token
ServiceConfiguration.SecurityTokenHandlers[6].Configuration.ServiceTokenResolver =
SecurityTokenResolver.CreateDefaultSecurityTokenResolver(new ReadOnlyCollection <SecurityToken>(outOfBandTokens), false);
token = ServiceConfiguration.SecurityTokenHandlers.ReadToken(reader);
}
ClaimsIdentityCollection cc;
try
{
cc = ServiceConfiguration.SecurityTokenHandlers.ValidateToken(token);
}
catch (SecurityTokenException ex)
{
throw new OAuthException(OAuthErrorCodes.InvalidGrant, ex.Message, ex);
}
// CHANGE: matias: add CAM in order to be able to tranform claims
IClaimsPrincipal principal = new ClaimsPrincipal(cc);
if (ServiceConfiguration.ClaimsAuthenticationManager != null)
{
principal = ServiceConfiguration.ClaimsAuthenticationManager.Authenticate("replace", principal);
}
var collection = new NameValueCollection();
foreach (Claim claim in cc[0].Claims)
{
collection.Add(claim.ClaimType, claim.Value);
}
return(collection);
}
SamlSecurityTokenAuthenticator CreateSamlTokenAuthenticator(RecipientServiceModelSecurityTokenRequirement recipientRequirement, out SecurityTokenResolver outOfBandTokenResolver)
{
if (recipientRequirement == null)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("recipientRequirement");
}
Collection <SecurityToken> outOfBandTokens = new Collection <SecurityToken>();
if (parent.ServiceCertificate.Certificate != null)
{
outOfBandTokens.Add(new X509SecurityToken(parent.ServiceCertificate.Certificate));
}
List <SecurityTokenAuthenticator> supportingAuthenticators = new List <SecurityTokenAuthenticator>();
if ((parent.IssuedTokenAuthentication.KnownCertificates != null) && (parent.IssuedTokenAuthentication.KnownCertificates.Count > 0))
{
for (int i = 0; i < parent.IssuedTokenAuthentication.KnownCertificates.Count; ++i)
{
outOfBandTokens.Add(new X509SecurityToken(parent.IssuedTokenAuthentication.KnownCertificates[i]));
}
}
X509CertificateValidator validator = parent.IssuedTokenAuthentication.GetCertificateValidator();
supportingAuthenticators.Add(new X509SecurityTokenAuthenticator(validator));
if (parent.IssuedTokenAuthentication.AllowUntrustedRsaIssuers)
{
supportingAuthenticators.Add(new RsaSecurityTokenAuthenticator());
}
outOfBandTokenResolver = (outOfBandTokens.Count > 0) ? SecurityTokenResolver.CreateDefaultSecurityTokenResolver(new ReadOnlyCollection <SecurityToken>(outOfBandTokens), false) : null;
SamlSecurityTokenAuthenticator ssta;
if ((recipientRequirement.SecurityBindingElement == null) || (recipientRequirement.SecurityBindingElement.LocalServiceSettings == null))
{
ssta = new SamlSecurityTokenAuthenticator(supportingAuthenticators);
}
else
{
ssta = new SamlSecurityTokenAuthenticator(supportingAuthenticators, recipientRequirement.SecurityBindingElement.LocalServiceSettings.MaxClockSkew);
}
// set audience uri restrictions
ssta.AudienceUriMode = parent.IssuedTokenAuthentication.AudienceUriMode;
IList <string> allowedAudienceUris = ssta.AllowedAudienceUris;
if (parent.IssuedTokenAuthentication.AllowedAudienceUris != null)
{
for (int i = 0; i < parent.IssuedTokenAuthentication.AllowedAudienceUris.Count; i++)
{
allowedAudienceUris.Add(parent.IssuedTokenAuthentication.AllowedAudienceUris[i]);
}
}
if (recipientRequirement.ListenUri != null)
{
allowedAudienceUris.Add(recipientRequirement.ListenUri.AbsoluteUri);
}
return(ssta);
}
SecurityTokenResolver GetResolver(bool canMatchLocalId, params SecurityToken [] tokens)
{
return(SecurityTokenResolver.CreateDefaultSecurityTokenResolver(new ReadOnlyCollection <SecurityToken> (tokens), canMatchLocalId));
}
/// <summary>
/// Executed when the authentication should be done.
/// </summary>
/// <param name="sender">The sender.</param>
/// <param name="e">The event args.</param>
private void context_AuthenticateRequest(object sender, EventArgs e)
{
// Get the request.
var request = ((HttpApplication)sender).Request;
// The redirect back from the security token service is done using a POST method. Hence
// abort processing of the current request, if it was not sent using POST.
if (request.HttpMethod != "POST")
{
return;
}
// Check whether the request contains sign in data.
if (request.Form["wa"] != WSFederationConstants.Actions.SignIn ||
request.Form["wresult"].IsNullOrEmpty())
{
return;
}
// Otherwise, get the security token which is attached to the request, process it and
// convert it to a principal. First, set up the federatec authentication module.
var fam =
new WSFederationAuthenticationModule
{
ServiceConfiguration =
new ServiceConfiguration
{
AudienceRestriction = { AudienceMode = AudienceUriMode.Never },
CertificateValidationMode =
X509CertificateValidationMode.Custom,
CertificateValidator = new CertificateValidator(c => true),
IssuerNameRegistry = new X509CertificateIssuerNameRegistry()
}
};
// Prepare the decryption by injecting the certificate to the service token resolver.
var certificates =
new List <SecurityToken>
{
new X509SecurityToken(
this.Container.Resolve <ICertificateManager>().GetEncryptingCertificate())
};
var encryptedSecurityTokenHandler =
(from handler in fam.ServiceConfiguration.SecurityTokenHandlers
where handler is EncryptedSecurityTokenHandler
select handler).First() as EncryptedSecurityTokenHandler;
encryptedSecurityTokenHandler.Configuration.ServiceTokenResolver =
SecurityTokenResolver.CreateDefaultSecurityTokenResolver(certificates.AsReadOnly(), false);
// Get the security token from the request.
var securityToken = fam.GetSecurityToken(request);
// Validate the token and convert it to a collection of claims.
var claims = fam.ServiceConfiguration.SecurityTokenHandlers.ValidateToken(securityToken);
// Create a principal from the claims.
IClaimsPrincipal principal = new ClaimsPrincipal(claims);
// Set the current principal.
HttpContext.Current.User = principal;
Thread.CurrentPrincipal = principal;
}
/// <summary>
/// Reads and validates a well fromed Saml2 token.
/// </summary>
/// <param name="securityToken">A Saml2 token.</param>
/// <param name="validationParameters">Contains data and information needed for validation.</param>
/// <param name="validatedToken">The <see cref="SamlSecurityToken"/> that was validated.</param>
/// <exception cref="ArgumentNullException">'securityToken' is null or whitespace.</exception>
/// <exception cref="ArgumentNullException">'validationParameters' is null.</exception>
/// <exception cref="ArgumentException">'securityToken.Length' > <see cref="MaximumTokenSizeInBytes"/>.</exception>
/// <returns>A <see cref="ClaimsPrincipal"/> generated from the claims in the Saml2 securityToken.</returns>
public virtual ClaimsPrincipal ValidateToken(string securityToken, TokenValidationParameters validationParameters, out SecurityToken validatedToken)
{
validatedToken = null;
if (string.IsNullOrWhiteSpace(securityToken))
{
throw new ArgumentNullException("securityToken");
}
if (validationParameters == null)
{
throw new ArgumentNullException("validationParameters");
}
if (securityToken.Length > MaximumTokenSizeInBytes)
{
throw new ArgumentException(string.Format(CultureInfo.InvariantCulture, ErrorMessages.IDX10209, securityToken.Length, MaximumTokenSizeInBytes));
}
Saml2SecurityToken samlToken;
using (StringReader sr = new StringReader(securityToken))
{
using (XmlDictionaryReader reader = XmlDictionaryReader.CreateDictionaryReader(XmlReader.Create(sr)))
{
samlToken = (new Saml2Handler()
{
Configuration = new SecurityTokenHandlerConfiguration
{
IssuerTokenResolver = new SecurityKeyResolver(securityToken, validationParameters),
MaxClockSkew = validationParameters.ClockSkew,
ServiceTokenResolver = SecurityTokenResolver.CreateDefaultSecurityTokenResolver(validationParameters.ClientDecryptionTokens, true),
}
}).ReadToken(reader) as Saml2SecurityToken;
}
}
if (samlToken.IssuerToken == null && validationParameters.RequireSignedTokens)
{
throw new SecurityTokenValidationException(ErrorMessages.IDX10213);
}
if (samlToken.Assertion == null)
{
throw new ArgumentException(ErrorMessages.IDX10202);
}
DateTime?notBefore = null;
DateTime?expires = null;
if (samlToken.Assertion.Conditions != null)
{
notBefore = samlToken.Assertion.Conditions.NotBefore;
expires = samlToken.Assertion.Conditions.NotOnOrAfter;
}
Validators.ValidateTokenReplay(securityToken, expires, validationParameters);
if (validationParameters.ValidateLifetime)
{
if (validationParameters.LifetimeValidator != null)
{
if (!validationParameters.LifetimeValidator(notBefore: notBefore, expires: expires, securityToken: samlToken, validationParameters: validationParameters))
{
throw new SecurityTokenInvalidLifetimeException(string.Format(CultureInfo.InvariantCulture, ErrorMessages.IDX10230, securityToken));
}
}
else
{
ValidateLifetime(notBefore: notBefore, expires: expires, securityToken: samlToken, validationParameters: validationParameters);
}
}
// TODO
// need to validate ValidateConfirmationData(subjectConfirmation.SubjectConfirmationData);
if (validationParameters.ValidateAudience)
{
List <string> audiences = new List <string>();
if (samlToken.Assertion.Conditions != null && samlToken.Assertion.Conditions.AudienceRestrictions != null)
{
foreach (Saml2AudienceRestriction restriction in samlToken.Assertion.Conditions.AudienceRestrictions)
{
if (restriction == null)
{
continue;
}
foreach (Uri uri in restriction.Audiences)
{
if (uri == null)
{
continue;
}
audiences.Add(uri.OriginalString);
}
}
}
if (validationParameters.AudienceValidator != null)
{
if (!validationParameters.AudienceValidator(audiences, samlToken, validationParameters))
{
throw new SecurityTokenInvalidAudienceException(string.Format(CultureInfo.InvariantCulture, ErrorMessages.IDX10231, securityToken));
}
}
else
{
ValidateAudience(audiences, samlToken, validationParameters);
}
}
string issuer = samlToken.Assertion.Issuer != null ? samlToken.Assertion.Issuer.Value : null;
if (validationParameters.ValidateIssuer)
{
if (validationParameters.IssuerValidator != null)
{
issuer = validationParameters.IssuerValidator(issuer, samlToken, validationParameters);
}
else
{
issuer = ValidateIssuer(issuer, samlToken, validationParameters);
}
}
if (samlToken.IssuerToken != null)
{
ValidateIssuerSecurityKey(samlToken.IssuerToken.SecurityKeys[0], samlToken, validationParameters);
}
ClaimsIdentity identity = CreateClaimsIdentity(samlToken, issuer, validationParameters);
if (validationParameters.SaveSigninToken)
{
identity.BootstrapContext = new BootstrapContext(securityToken);
}
validatedToken = samlToken;
return(new ClaimsPrincipal(identity));
}