/// <summary>
/// [SAML2.0std] section 2.7.2
/// </summary>
/// <param name="statement"></param>
private void ValidateAuthnStatement(AuthnStatement statement)
{
if (statement.AuthnInstant == null)
throw new Saml20FormatException("AuthnStatement MUST have an AuthnInstant attribute");
if (!Saml20Utils.ValidateOptionalString(statement.SessionIndex))
throw new Saml20FormatException("SessionIndex attribute of AuthnStatement must contain at least one non-whitespace character");
if (statement.SubjectLocality != null)
{
if (!Saml20Utils.ValidateOptionalString(statement.SubjectLocality.Address))
throw new Saml20FormatException("Address attribute of SubjectLocality must contain at least one non-whitespace character");
if (!Saml20Utils.ValidateOptionalString(statement.SubjectLocality.DNSName))
throw new Saml20FormatException("DNSName attribute of SubjectLocality must contain at least one non-whitespace character");
}
ValidateAuthnContext(statement.AuthnContext);
}
/// <summary>
/// Assembles our basic test assertion
/// </summary>
/// <returns></returns>
public static Assertion GetBasicAssertion()
{
Assertion assertion = new Assertion();
{
assertion.Issuer = new NameID();
assertion.ID = "_b8977dc86cda41493fba68b32ae9291d";
assertion.IssueInstant = DateTime.UtcNow;
assertion.Version = "2.0";
assertion.Issuer.Value = GetBasicIssuer();
}
{
assertion.Subject = new Subject();
SubjectConfirmation subjectConfirmation = new SubjectConfirmation();
subjectConfirmation.Method = SubjectConfirmation.BEARER_METHOD;
subjectConfirmation.SubjectConfirmationData = new SubjectConfirmationData();
subjectConfirmation.SubjectConfirmationData.NotOnOrAfter = new DateTime(2008, 12, 31, 12, 0, 0, 0);
subjectConfirmation.SubjectConfirmationData.Recipient = "http://borger.dk";
assertion.Subject.Items = new object[] { subjectConfirmation };
}
{
assertion.Conditions = new Conditions();
assertion.Conditions.NotOnOrAfter = new DateTime(2008, 12, 31, 12, 0, 0, 0);
AudienceRestriction audienceRestriction = new AudienceRestriction();
audienceRestriction.Audience = GetAudiences();
assertion.Conditions.Items = new List<ConditionAbstract>(new ConditionAbstract[] { audienceRestriction });
}
AuthnStatement authnStatement;
{
authnStatement = new AuthnStatement();
assertion.Items = new StatementAbstract[] { authnStatement };
authnStatement.AuthnInstant = new DateTime(2008, 1, 8);
authnStatement.SessionIndex = "70225885";
authnStatement.AuthnContext = new AuthnContext();
authnStatement.AuthnContext.Items = new object[] { "urn:oasis:names:tc:SAML:2.0:ac:classes:X509", "http://www.safewhere.net/authncontext/declref" };
authnStatement.AuthnContext.ItemsElementName = new ItemsChoiceType5[] { ItemsChoiceType5.AuthnContextClassRef, ItemsChoiceType5.AuthnContextDeclRef};
}
AttributeStatement attributeStatement;
{
attributeStatement = new AttributeStatement();
SamlAttribute surName = new SamlAttribute();
surName.FriendlyName = "SurName";
surName.Name = "urn:oid:2.5.4.4";
surName.NameFormat = SamlAttribute.NAMEFORMAT_URI;
surName.AttributeValue = new string[] { "Fry" };
SamlAttribute commonName = new SamlAttribute();
commonName.FriendlyName = "CommonName";
commonName.Name = "urn:oid:2.5.4.3";
commonName.NameFormat = SamlAttribute.NAMEFORMAT_URI;
commonName.AttributeValue = new string[] { "Philip J. Fry" };
SamlAttribute userName = new SamlAttribute();
userName.Name = "urn:oid:0.9.2342.19200300.100.1.1";
userName.NameFormat = SamlAttribute.NAMEFORMAT_URI;
userName.AttributeValue = new string[] { "fry" };
SamlAttribute eMail = new SamlAttribute();
eMail.FriendlyName = "Email";
eMail.Name = "urn:oid:0.9.2342.19200300.100.1.3";
eMail.NameFormat = SamlAttribute.NAMEFORMAT_URI;
eMail.AttributeValue = new string[] { "*****@*****.**" };
attributeStatement.Items = new object[] { surName, commonName, userName, eMail };
}
assertion.Items = new StatementAbstract[] { authnStatement, attributeStatement };
return assertion;
}
private void ValidateAuthnStatement(AuthnStatement authnStatement)
{
if (!Saml20Utils.ValidateRequiredString(authnStatement.SessionIndex))
throw new DKSaml20FormatException(
"The DK-SAML 2.0 profile requires that the \"AuthnStatement\" element contains the \"SessionIndex\" attribute.");
}
private Assertion CreateAssertion(User user, string receiver)
{
Assertion assertion = new Assertion();
{ // Subject element
assertion.Subject = new Subject();
assertion.ID = "id" + Guid.NewGuid().ToString("N");
assertion.IssueInstant = DateTime.Now.AddMinutes(10);
assertion.Issuer = new NameID();
assertion.Issuer.Value = IDPConfig.ServerBaseUrl;
SubjectConfirmation subjectConfirmation = new SubjectConfirmation();
subjectConfirmation.Method = SubjectConfirmation.BEARER_METHOD;
subjectConfirmation.SubjectConfirmationData = new SubjectConfirmationData();
subjectConfirmation.SubjectConfirmationData.NotOnOrAfter = DateTime.Now.AddHours(1);
subjectConfirmation.SubjectConfirmationData.Recipient = receiver;
NameID nameId = new NameID();
nameId.Format = Saml20Constants.NameIdentifierFormats.Persistent;
nameId.Value = user.ppid;
assertion.Subject.Items = new object[] { nameId, subjectConfirmation };
}
{ // Conditions element
assertion.Conditions = new Conditions();
assertion.Conditions.Items = new List<ConditionAbstract>();
assertion.Conditions.NotOnOrAfter = DateTime.Now.AddHours(1);
AudienceRestriction audienceRestriction = new AudienceRestriction();
audienceRestriction.Audience = new List<string>();
audienceRestriction.Audience.Add(receiver);
assertion.Conditions.Items.Add(audienceRestriction);
}
List<StatementAbstract> statements = new List<StatementAbstract>(2);
{ // AuthnStatement element
AuthnStatement authnStatement = new AuthnStatement();
authnStatement.AuthnInstant = DateTime.Now;
authnStatement.SessionIndex = Convert.ToString(new Random().Next());
authnStatement.AuthnContext = new AuthnContext();
authnStatement.AuthnContext.Items =
new object[] {"urn:oasis:names:tc:SAML:2.0:ac:classes:X509"};
// Wow! Setting the AuthnContext is .... verbose.
authnStatement.AuthnContext.ItemsElementName =
new ItemsChoiceType5[] { ItemsChoiceType5.AuthnContextClassRef };
statements.Add(authnStatement);
}
{ // Generate attribute list.
AttributeStatement attributeStatement = new AttributeStatement();
List<SamlAttribute> attributes = new List<SamlAttribute>(user.Attributes.Count);
foreach (KeyValuePair<string, string> att in user.Attributes)
{
SamlAttribute attribute = new SamlAttribute();
attribute.Name = att.Key;
attribute.AttributeValue = new string[] { att.Value };
attribute.NameFormat = SamlAttribute.NAMEFORMAT_BASIC;
attributes.Add(attribute);
}
attributeStatement.Items = attributes.ToArray();
statements.Add(attributeStatement);
}
assertion.Items = statements.ToArray();
return assertion;
}
public void AuthnStatement_Invalid_AuthnContextAuthenticatingAuthorityUri()
{
Assertion saml20Assertion = AssertionUtil.GetBasicAssertion();
List<StatementAbstract> statements = new List<StatementAbstract>(saml20Assertion.Items);
AuthnStatement sas = new AuthnStatement();
sas.AuthnInstant = DateTime.UtcNow;
sas.SessionNotOnOrAfter = DateTime.UtcNow.AddHours(1);
sas.AuthnContext = new AuthnContext();
sas.AuthnContext.Items = new object[2] { "urn:a:valid.uri:string", "http://another/valid/uri.string" };
sas.AuthnContext.ItemsElementName = new ItemsChoiceType5[2] { ItemsChoiceType5.AuthnContextClassRef, ItemsChoiceType5.AuthnContextDeclRef };
sas.AuthnContext.AuthenticatingAuthority = new string[2] { "urn:aksdlfj", "urn/invalid" };
statements.Add(sas);
saml20Assertion.Items = statements.ToArray();
CreateSaml20Token(saml20Assertion);
}
public void AuthnStatement_Invalid_AuthnContextDecl()
{
Assertion saml20Assertion = AssertionUtil.GetBasicAssertion();
List<StatementAbstract> statements = new List<StatementAbstract>(saml20Assertion.Items);
AuthnStatement sas = new AuthnStatement();
sas.AuthnInstant = DateTime.UtcNow;
sas.SessionNotOnOrAfter = DateTime.UtcNow.AddHours(1);
sas.AuthnContext = new AuthnContext();
sas.AuthnContext.Items = new object[1] { new AuthnStatement() };
sas.AuthnContext.ItemsElementName = new ItemsChoiceType5[1] { ItemsChoiceType5.AuthnContextDecl };
statements.Add(sas);
saml20Assertion.Items = statements.ToArray();
CreateSaml20Token(saml20Assertion);
}
public void AuthnStatement_Invalid_AuthnContextDeclRefUri()
{
Assertion saml20Assertion = AssertionUtil.GetBasicAssertion();
List<StatementAbstract> statements = new List<StatementAbstract>(saml20Assertion.Items);
AuthnStatement sas = new AuthnStatement();
sas.AuthnInstant = DateTime.UtcNow;
sas.SessionNotOnOrAfter = DateTime.UtcNow.AddHours(1);
sas.AuthnContext = new AuthnContext();
sas.AuthnContext.Items = new object[2] { "urn:a.valid.uri:string", "an/invalid/uri/string.aspx" };
sas.AuthnContext.ItemsElementName = new ItemsChoiceType5[2] { ItemsChoiceType5.AuthnContextClassRef, ItemsChoiceType5.AuthnContextDeclRef };
statements.Add(sas);
saml20Assertion.Items = statements.ToArray();
CreateSaml20Token(saml20Assertion);
}
public void AuthnStatement_Invalid_AuthnContextNoContextItems()
{
Assertion saml20Assertion = AssertionUtil.GetBasicAssertion();
List<StatementAbstract> statements = new List<StatementAbstract>(saml20Assertion.Items);
AuthnStatement sas = new AuthnStatement();
sas.AuthnInstant = DateTime.UtcNow;
sas.SessionNotOnOrAfter = DateTime.UtcNow.AddHours(1);
sas.AuthnContext = new AuthnContext();
statements.Add(sas);
saml20Assertion.Items = statements.ToArray();
CreateSaml20Token(saml20Assertion);
}
public void AuthnStatement_Invalid_SessionNotOnOrAfter()
{
Assertion saml20Assertion = AssertionUtil.GetBasicAssertion();
List<StatementAbstract> statements = new List<StatementAbstract>(saml20Assertion.Items);
AuthnStatement sas = new AuthnStatement();
sas.AuthnInstant = DateTime.UtcNow;
sas.SessionNotOnOrAfter = DateTime.UtcNow.AddHours(-1);
statements.Add(sas);
saml20Assertion.Items = statements.ToArray();
Saml20AssertionValidator validator = new Saml20AssertionValidator(AssertionUtil.GetAudiences(), false);
validator.ValidateTimeRestrictions(saml20Assertion, new TimeSpan(0, 0, 0));
}
