public void AutomapperConfigurationIsValidToEntity()
{
var encryptingCertificate = Cert.LoadEncryptingCertificate();
var relyingParty = new IdentityServer3.WsFederation.Models.RelyingParty
{
Realm = "urn:identityserver",
Name = "Test Relying Party",
Enabled = true,
ReplyUrl = "https://www.google.com/",
TokenType = "urn:oasis:names:tc:SAML:1.0:assertion",
TokenLifeTime = 1000,
IncludeAllClaimsForUser = false,
DefaultClaimTypeMappingPrefix = "https://schema.org/",
SamlNameIdentifierFormat = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress",
SignatureAlgorithm = SecurityAlgorithms.RsaSha256Signature,
DigestAlgorithm = SecurityAlgorithms.Sha256Digest,
ClaimMappings = new Dictionary <string, string>
{
{ "name", ClaimTypes.Name },
{ "email", ClaimTypes.Email }
},
EncryptingCertificate = encryptingCertificate,
PostLogoutRedirectUris = new List <string>
{
"https://www.google.com/post",
"https://www.google.com/post2"
}
};
var entity = relyingParty.ToEntity();
Assert.NotNull(entity);
Assert.True(entity.Realm == relyingParty.Realm);
Assert.True(entity.Name == relyingParty.Name);
Assert.True(entity.Enabled == relyingParty.Enabled);
Assert.True(entity.ReplyUrl == relyingParty.ReplyUrl);
Assert.True(entity.TokenType == relyingParty.TokenType);
Assert.True(entity.TokenLifeTime == relyingParty.TokenLifeTime);
Assert.True(entity.IncludeAllClaimsForUser == relyingParty.IncludeAllClaimsForUser);
Assert.True(entity.DefaultClaimTypeMappingPrefix == relyingParty.DefaultClaimTypeMappingPrefix);
Assert.True(entity.SamlNameIdentifierFormat == relyingParty.SamlNameIdentifierFormat);
Assert.True(entity.DigestAlgorithm == relyingParty.DigestAlgorithm);
Assert.NotNull(entity.ClaimMappings);
Assert.True(entity.ClaimMappings.Any());
Assert.True(entity.ClaimMappings.First(x => x.InboundClaim == "name").OutboundClaim == ClaimTypes.Name);
Assert.NotNull(entity.EncryptingCertificate);
var loadedCertificate = new X509Certificate2(entity.EncryptingCertificate);
Assert.True(loadedCertificate.Subject == encryptingCertificate.Subject);
Assert.True(loadedCertificate.Issuer == encryptingCertificate.Issuer);
Assert.True(loadedCertificate.Thumbprint == encryptingCertificate.Thumbprint);
Assert.NotNull(entity.PostLogoutRedirectUris);
Assert.NotEmpty(entity.PostLogoutRedirectUris);
ModelsMap.Mapper.ConfigurationProvider.AssertConfigurationIsValid();
}
public void AutomapperConfigurationIsValidToModel()
{
var encryptingCertificate = Cert.LoadEncryptingCertificate();
var relyingParty = new RelyingParty
{
Realm = "urn:identityserver",
Name = "Test Relying Party",
Enabled = true,
ReplyUrl = "https://www.google.com/",
TokenType = "urn:oasis:names:tc:SAML:1.0:assertion",
TokenLifeTime = 1000,
IncludeAllClaimsForUser = false,
DefaultClaimTypeMappingPrefix = "https://schema.org/",
SamlNameIdentifierFormat = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress",
SignatureAlgorithm = SecurityAlgorithms.RsaSha256Signature,
DigestAlgorithm = SecurityAlgorithms.Sha256Digest,
ClaimMappings = new List <ClaimMap>
{
new ClaimMap {
InboundClaim = "name", OutboundClaim = ClaimTypes.Name
},
new ClaimMap {
InboundClaim = "email", OutboundClaim = ClaimTypes.Email
}
},
EncryptingCertificate = encryptingCertificate.RawData,
PostLogoutRedirectUris = new List <RelyingPartyPostLogoutUri>
{
new RelyingPartyPostLogoutUri {
Uri = "https://www.google.com/post"
},
new RelyingPartyPostLogoutUri {
Uri = "https://www.google.com/post2"
}
}
};
var model = relyingParty.ToModel();
Assert.NotNull(model);
Assert.True(model.Realm == relyingParty.Realm);
Assert.True(model.Name == relyingParty.Name);
Assert.True(model.Enabled == relyingParty.Enabled);
Assert.True(model.ReplyUrl == relyingParty.ReplyUrl);
Assert.True(model.TokenType == relyingParty.TokenType);
Assert.True(model.TokenLifeTime == relyingParty.TokenLifeTime);
Assert.True(model.IncludeAllClaimsForUser == relyingParty.IncludeAllClaimsForUser);
Assert.True(model.DefaultClaimTypeMappingPrefix == relyingParty.DefaultClaimTypeMappingPrefix);
Assert.True(model.SamlNameIdentifierFormat == relyingParty.SamlNameIdentifierFormat);
Assert.True(model.DigestAlgorithm == relyingParty.DigestAlgorithm);
Assert.NotNull(model.ClaimMappings);
Assert.True(model.ClaimMappings.Any());
Assert.True(model.ClaimMappings.First(x => x.Key == "name").Value == ClaimTypes.Name);
Assert.NotNull(model.EncryptingCertificate);
Assert.True(model.EncryptingCertificate.Subject == encryptingCertificate.Subject);
Assert.True(model.EncryptingCertificate.Issuer == encryptingCertificate.Issuer);
Assert.True(model.EncryptingCertificate.Thumbprint == encryptingCertificate.Thumbprint);
Assert.NotNull(model.PostLogoutRedirectUris);
Assert.NotEmpty(model.PostLogoutRedirectUris);
EntitiesMap.Mapper.ConfigurationProvider.AssertConfigurationIsValid();
}
public void CanAddRelyingPartyWithClaimMappings()
{
var encryptingCertificate = Cert.LoadEncryptingCertificate();
var relyingParty = new RelyingParty
{
Realm = "urn:identityserver:encrypt",
Name = "Test Relying Party",
Enabled = true,
ReplyUrl = "https://www.google.com/",
TokenType = "urn:oasis:names:tc:SAML:1.0:assertion",
TokenLifeTime = 1000,
IncludeAllClaimsForUser = false,
DefaultClaimTypeMappingPrefix = "https://schema.org/",
SamlNameIdentifierFormat = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress",
SignatureAlgorithm = SecurityAlgorithms.RsaSha256Signature,
DigestAlgorithm = SecurityAlgorithms.Sha256Digest,
ClaimMappings = new List <ClaimMap>
{
new ClaimMap {
InboundClaim = "name", OutboundClaim = ClaimTypes.Name
},
new ClaimMap {
InboundClaim = "email", OutboundClaim = ClaimTypes.Email
}
},
EncryptingCertificate = encryptingCertificate.RawData
};
using (var context = new RelyingPartyConfigurationDbContext(ConfigConnectionStringName))
{
context.RelyingParties.Add(relyingParty);
context.SaveChanges();
}
RelyingParty persistedRelyingParty;
using (var context = new RelyingPartyConfigurationDbContext(ConfigConnectionStringName))
{
persistedRelyingParty =
context.RelyingParties.Include(x => x.ClaimMappings)
.FirstOrDefault(x => x.Realm == relyingParty.Realm);
}
Assert.NotNull(persistedRelyingParty);
Assert.True(relyingParty.Realm == persistedRelyingParty.Realm);
Assert.True(persistedRelyingParty.ClaimMappings.Any());
Assert.True(relyingParty.ClaimMappings.Count == persistedRelyingParty.ClaimMappings.Count);
Assert.True(relyingParty.DefaultClaimTypeMappingPrefix ==
persistedRelyingParty.DefaultClaimTypeMappingPrefix);
Assert.True(relyingParty.DigestAlgorithm == persistedRelyingParty.DigestAlgorithm);
Assert.True(relyingParty.Enabled == persistedRelyingParty.Enabled);
Assert.True(relyingParty.Id == persistedRelyingParty.Id);
Assert.True(relyingParty.IncludeAllClaimsForUser == persistedRelyingParty.IncludeAllClaimsForUser);
Assert.True(relyingParty.Name == persistedRelyingParty.Name);
Assert.True(relyingParty.ReplyUrl == persistedRelyingParty.ReplyUrl);
Assert.True(relyingParty.SamlNameIdentifierFormat == persistedRelyingParty.SamlNameIdentifierFormat);
Assert.True(relyingParty.SignatureAlgorithm == persistedRelyingParty.SignatureAlgorithm);
Assert.True(relyingParty.TokenLifeTime == persistedRelyingParty.TokenLifeTime);
Assert.True(relyingParty.TokenType == persistedRelyingParty.TokenType);
Assert.NotNull(relyingParty.EncryptingCertificate);
var readEncryptionCertificate = new X509Certificate2(relyingParty.EncryptingCertificate);
Assert.True(readEncryptionCertificate.SubjectName.Name == encryptingCertificate.SubjectName.Name);
Assert.True(readEncryptionCertificate.IssuerName.Name == encryptingCertificate.IssuerName.Name);
Assert.True(readEncryptionCertificate.Thumbprint == encryptingCertificate.Thumbprint);
// assert token encrypted using saved cert can be decrypted
var testClaim = new Claim(ClaimTypes.NameIdentifier, "69307727-D2F7-4ED3-A7DF-08EEE8F8C624");
var securityTokenDescriptor = new SecurityTokenDescriptor
{
AppliesToAddress = relyingParty.Realm,
Lifetime = new Lifetime(DateTime.UtcNow, DateTime.UtcNow.AddMinutes(relyingParty.TokenLifeTime)),
ReplyToAddress = relyingParty.ReplyUrl,
SigningCredentials = new X509SigningCredentials(Cert.LoadDecryptingCertificate(), relyingParty.SignatureAlgorithm, relyingParty.DigestAlgorithm),
Subject = new ClaimsIdentity(new List <Claim> {
testClaim
}),
TokenIssuerName = "https://domain.test",
TokenType = "urn:oasis:names:tc:SAML:2.0:assertion",
EncryptingCredentials = new EncryptedKeyEncryptingCredentials(readEncryptionCertificate)
};
var handler = new Saml2SecurityTokenHandler();
var securityToken = handler.CreateToken(securityTokenDescriptor);
var stringBuilder = new StringBuilder();
using (var writer = XmlWriter.Create(stringBuilder))
{
handler.WriteToken(writer, securityToken);
}
var token = stringBuilder.ToString();
SecurityToken validatedToken;
var claimsPrincipal = handler.ValidateToken(
token,
new TokenValidationParameters
{
IssuerSigningKey = new X509SecurityKey(Cert.LoadDecryptingCertificate()),
ValidateIssuer = false,
ValidateIssuerSigningKey = false,
ValidateAudience = false,
ClientDecryptionTokens =
new ReadOnlyCollection <SecurityToken>(new List <SecurityToken>
{
new X509SecurityToken(Cert.LoadDecryptingCertificate())
})
},
out validatedToken);
Assert.NotNull(validatedToken);
Assert.NotNull(claimsPrincipal);
Assert.True(claimsPrincipal.HasClaim(testClaim.Type, testClaim.Value));
}