/// <summary>
/// Returns an instance of the class with meaningful default values set.
/// </summary>
/// <returns>The default <see cref="Saml20AuthnRequest"/>.</returns>
public static Saml20AuthnRequest GetDefault()
{
var config = Saml2Config.GetConfig();
var result = new Saml20AuthnRequest { Issuer = config.ServiceProvider.Id };
if (config.ServiceProvider.Endpoints.SignOnEndpoint.Binding != BindingType.NotSet)
{
var baseUrl = new Uri(config.ServiceProvider.Server);
result.AssertionConsumerServiceUrl = new Uri(baseUrl, config.ServiceProvider.Endpoints.SignOnEndpoint.LocalPath).ToString();
}
// Binding
switch (config.ServiceProvider.Endpoints.SignOnEndpoint.Binding)
{
case BindingType.Artifact:
result.Request.ProtocolBinding = Saml20Constants.ProtocolBindings.HttpArtifact;
break;
case BindingType.Post:
result.Request.ProtocolBinding = Saml20Constants.ProtocolBindings.HttpPost;
break;
case BindingType.Redirect:
result.Request.ProtocolBinding = Saml20Constants.ProtocolBindings.HttpRedirect;
break;
case BindingType.Soap:
result.Request.ProtocolBinding = Saml20Constants.ProtocolBindings.HttpSoap;
break;
}
// NameIDPolicy
if (config.ServiceProvider.NameIdFormats.Count > 0)
{
result.NameIdPolicy = new NameIdPolicy
{
AllowCreate = config.ServiceProvider.NameIdFormats.AllowCreate,
Format = config.ServiceProvider.NameIdFormats[0].Format
};
if (result.NameIdPolicy.Format != Saml20Constants.NameIdentifierFormats.Entity)
{
result.NameIdPolicy.SPNameQualifier = config.ServiceProvider.Id;
}
}
// RequestedAuthnContext
if (config.ServiceProvider.AuthenticationContexts.Count > 0)
{
result.RequestedAuthnContext = new RequestedAuthnContext();
switch (config.ServiceProvider.AuthenticationContexts.Comparison)
{
case AuthenticationContextComparison.Better:
result.RequestedAuthnContext.Comparison = AuthnContextComparisonType.Better;
result.RequestedAuthnContext.ComparisonSpecified = true;
break;
case AuthenticationContextComparison.Minimum:
result.RequestedAuthnContext.Comparison = AuthnContextComparisonType.Minimum;
result.RequestedAuthnContext.ComparisonSpecified = true;
break;
case AuthenticationContextComparison.Maximum:
result.RequestedAuthnContext.Comparison = AuthnContextComparisonType.Maximum;
result.RequestedAuthnContext.ComparisonSpecified = true;
break;
case AuthenticationContextComparison.Exact:
result.RequestedAuthnContext.Comparison = AuthnContextComparisonType.Exact;
result.RequestedAuthnContext.ComparisonSpecified = true;
break;
default:
result.RequestedAuthnContext.ComparisonSpecified = false;
break;
}
result.RequestedAuthnContext.Items = new string[config.ServiceProvider.AuthenticationContexts.Count];
result.RequestedAuthnContext.ItemsElementName = new Schema.Protocol.AuthnContextType[config.ServiceProvider.AuthenticationContexts.Count];
var count = 0;
foreach (var authenticationContext in config.ServiceProvider.AuthenticationContexts)
{
result.RequestedAuthnContext.Items[count] = authenticationContext.Context;
switch (authenticationContext.ReferenceType)
{
case "AuthnContextDeclRef":
result.RequestedAuthnContext.ItemsElementName[count] = Schema.Protocol.AuthnContextType.AuthnContextDeclRef;
break;
default:
result.RequestedAuthnContext.ItemsElementName[count] = Schema.Protocol.AuthnContextType.AuthnContextClassRef;
break;
}
count++;
}
}
// Restrictions
var audienceRestrictions = new List<ConditionAbstract>(1);
var audienceRestriction = new AudienceRestriction { Audience = new List<string>(1) { config.ServiceProvider.Id } };
audienceRestrictions.Add(audienceRestriction);
result.SetConditions(audienceRestrictions);
return result;
}
/// <summary>
/// Assembles our basic test assertion
/// </summary>
/// <returns>The <see cref="Assertion"/>.</returns>
public static Assertion GetBasicAssertion()
{
var assertion = new Assertion
{
Issuer = new NameId(),
Id = "_b8977dc86cda41493fba68b32ae9291d",
IssueInstant = DateTime.UtcNow,
Version = "2.0"
};
assertion.Issuer.Value = GetBasicIssuer();
assertion.Subject = new Subject();
var subjectConfirmation = new SubjectConfirmation
{
Method = SubjectConfirmation.BearerMethod,
SubjectConfirmationData =
new SubjectConfirmationData
{
NotOnOrAfter = new DateTime(2008, 12, 31, 12, 0, 0, 0),
Recipient = "http://borger.dk"
}
};
assertion.Subject.Items = new object[] { subjectConfirmation };
assertion.Conditions = new Conditions { NotOnOrAfter = new DateTime(2008, 12, 31, 12, 0, 0, 0) };
var audienceRestriction = new AudienceRestriction { Audience = GetAudiences().Select(u => u.ToString()).ToList() };
assertion.Conditions.Items = new List<ConditionAbstract>(new ConditionAbstract[] { audienceRestriction });
AuthnStatement authnStatement;
{
authnStatement = new AuthnStatement();
assertion.Items = new StatementAbstract[] { authnStatement };
authnStatement.AuthnInstant = new DateTime(2008, 1, 8);
authnStatement.SessionIndex = "70225885";
authnStatement.AuthnContext = new AuthnContext
{
Items = new object[]
{
"urn:oasis:names:tc:SAML:2.0:ac:classes:X509",
"http://www.safewhere.net/authncontext/declref"
},
ItemsElementName = new[]
{
AuthnContextType.AuthnContextClassRef,
AuthnContextType.AuthnContextDeclRef
}
};
}
AttributeStatement attributeStatement;
{
attributeStatement = new AttributeStatement();
var surName = new SamlAttribute
{
FriendlyName = "SurName",
Name = "urn:oid:2.5.4.4",
NameFormat = SamlAttribute.NameformatUri,
AttributeValue = new[] { "Fry" }
};
var commonName = new SamlAttribute
{
FriendlyName = "CommonName",
Name = "urn:oid:2.5.4.3",
NameFormat = SamlAttribute.NameformatUri,
AttributeValue = new[] { "Philip J. Fry" }
};
var userName = new SamlAttribute
{
Name = "urn:oid:0.9.2342.19200300.100.1.1",
NameFormat = SamlAttribute.NameformatUri,
AttributeValue = new[] { "fry" }
};
var email = new SamlAttribute
{
FriendlyName = "Email",
Name = "urn:oid:0.9.2342.19200300.100.1.3",
NameFormat = SamlAttribute.NameformatUri,
AttributeValue = new[] { "*****@*****.**" }
};
attributeStatement.Items = new object[] { surName, commonName, userName, email };
}
assertion.Items = new StatementAbstract[] { authnStatement, attributeStatement };
return assertion;
}
public void ThrowsExceptionWhenAudienceRestrictionAudienceFormatIsInvalid()
{
// Arrange
var assertion = AssertionUtil.GetBasicAssertion();
var validator = new Saml20AssertionValidator(AssertionUtil.GetAudiences(), false);
var audienceRestriction = new AudienceRestriction
{
Audience = new List<string>(new[] { "malformed uri" })
};
assertion.Conditions.Items = new List<ConditionAbstract>(new ConditionAbstract[] { audienceRestriction });
// Act
validator.ValidateAssertion(assertion);
}
public void ValidatesAudienceRestrictionWithMultipleAudienceRestrictions()
{
// Arrange
var assertion = AssertionUtil.GetBasicAssertion();
var validator = new Saml20AssertionValidator(AssertionUtil.GetAudiences(), false);
var audienceConditions = new List<ConditionAbstract>(assertion.Conditions.Items);
var audienceRestriction = new AudienceRestriction
{
Audience = new List<string>(new[] { "urn:borger.dk:id" })
};
audienceConditions.Add(audienceRestriction);
assertion.Conditions.Items = audienceConditions;
// Act
validator.ValidateAssertion(assertion);
}
public void ThrowsExceptionWhenAudienceRestrictionAnyAudienceRestrictionIsNotMet()
{
// Arrange
var assertion = AssertionUtil.GetBasicAssertion();
var validator = new Saml20AssertionValidator(AssertionUtil.GetAudiences(), false);
var audienceConditions = new List<ConditionAbstract>(assertion.Conditions.Items);
var audienceRestriction = new AudienceRestriction
{
Audience = new List<string>(new[] { "http://well/formed.uri" })
};
audienceConditions.Add(audienceRestriction);
assertion.Conditions.Items = audienceConditions;
// Act
validator.ValidateAssertion(assertion);
}
