private ClaimsPrincipal ValidateToken(SecurityToken token)
{
var config = new SecurityTokenHandlerConfiguration();
config.AudienceRestriction.AudienceMode = AudienceUriMode.Always;
config.AudienceRestriction.AllowedAudienceUris.Add(new Uri(ConfigurationManager.AppSettings["acsAppliesToAddress"]));
var registry = new ConfigurationBasedIssuerNameRegistry();
registry.AddTrustedIssuer(ConfigurationManager.AppSettings["acsTrustedIssuerThumbprint"], "ACS");
config.IssuerNameRegistry = registry;
config.CertificateValidator = X509CertificateValidator.None;
var handler = SecurityTokenHandlerCollection.CreateDefaultSecurityTokenHandlerCollection(config);
var identity = handler.ValidateToken(token).First();
return new ClaimsPrincipal(identity);
}
protected virtual void LoadMetadata()
{
using (var stream = GetMetadataStream())
{
var serializer = new MetadataSerializer();
serializer.CertificateValidationMode = mode;
var md = serializer.ReadMetadata(stream);
var ed = md as EntityDescriptor;
var stsd = (SecurityTokenServiceDescriptor)ed.RoleDescriptors.FirstOrDefault(x => x is SecurityTokenServiceDescriptor);
var registry = new ConfigurationBasedIssuerNameRegistry();
foreach (var key in stsd.Keys)
{
var clause = key.KeyInfo.FirstOrDefault() as X509RawDataKeyIdentifierClause;
if (clause != null)
{
var cert = new X509Certificate2(clause.GetX509RawData());
registry.AddTrustedIssuer(cert.Thumbprint, issuerName);
}
}
_registry = registry;
}
}
private static AuthenticationHandler GetDefaultAuthenticationHandler()
{
var authConfig = new AuthenticationConfiguration();
#region Basic Authentication
authConfig.AddBasicAuthentication((userName, password) => { return userName == password; });
#endregion
//#region SWT
//authConfig.Handler.AddSimpleWebToken(
// "SWT",
// Constants.Issuer,
// Constants.Realm,
// "Dc9Mpi3jbooUpBQpB/4R7XtUsa3D/ALSjTVvK8IUZbg=");
//#endregion
#region SAML2 tokens
var registry = new ConfigurationBasedIssuerNameRegistry();
registry.AddTrustedIssuer("D263DDCF598E716F0037380796A4A62DF017ADB8", "TEST");
var saml2Config = new SecurityTokenHandlerConfiguration();
saml2Config.AudienceRestriction.AllowedAudienceUris.Add(new Uri("https://test"));
saml2Config.IssuerNameRegistry = registry;
saml2Config.CertificateValidator = X509CertificateValidator.None;
authConfig.AddSaml2(saml2Config, AuthenticationOptions.ForAuthorizationHeader("Saml2"));
#endregion
var authHandler = new AuthenticationHandler(authConfig);
return authHandler;
}
public TokenServiceConfiguration() : base()
{
Tracing.Information("Configuring token service");
Container.Current.SatisfyImportsOnce(this);
GlobalConfiguration = ConfigurationRepository.Configuration;
SecurityTokenService = typeof(TokenService);
DefaultTokenLifetime = TimeSpan.FromHours(GlobalConfiguration.DefaultTokenLifetime);
MaximumTokenLifetime = TimeSpan.FromDays(GlobalConfiguration.MaximumTokenLifetime);
DefaultTokenType = GlobalConfiguration.DefaultTokenType;
TokenIssuerName = GlobalConfiguration.IssuerUri;
SigningCredentials = new X509SigningCredentials(ConfigurationRepository.SigningCertificate.Certificate);
if (GlobalConfiguration.EnableDelegation)
{
Tracing.Information("Configuring identity delegation support");
try
{
var actAsRegistry = new ConfigurationBasedIssuerNameRegistry();
actAsRegistry.AddTrustedIssuer(ConfigurationRepository.SigningCertificate.Certificate.Thumbprint, GlobalConfiguration.IssuerUri);
var actAsHandlers = SecurityTokenHandlerCollectionManager["ActAs"];
actAsHandlers.Configuration.IssuerNameRegistry = actAsRegistry;
actAsHandlers.Configuration.AudienceRestriction.AudienceMode = AudienceUriMode.Never;
}
catch (Exception ex)
{
Tracing.Error("Error configuring identity delegation");
Tracing.Error(ex.ToString());
throw;
}
}
}
public static void PreAppStart()
{
FederatedAuthentication.FederationConfigurationCreated += (sender, args) =>
{
// Load config
var audience = ConfigurationManager.AppSettings["Auth.AudienceUrl"];
var realm = ConfigurationManager.AppSettings["Auth.AuthenticationRealm"];
var issuer = ConfigurationManager.AppSettings["Auth.AuthenticationIssuer"];
var thumbprint = ConfigurationManager.AppSettings["Auth.AuthenticationIssuerThumbprint"];
var idconfig = new IdentityConfiguration();
idconfig.AudienceRestriction.AllowedAudienceUris.Add(new Uri(audience));
var registry = new ConfigurationBasedIssuerNameRegistry();
registry.AddTrustedIssuer(thumbprint, issuer);
idconfig.IssuerNameRegistry = registry;
var sessionTransforms = new List<CookieTransform>() {
new DeflateCookieTransform(),
new MachineKeyTransform()
};
idconfig.SecurityTokenHandlers.AddOrReplace(new SessionSecurityTokenHandler(sessionTransforms.AsReadOnly()));
var wsfedconfig = new WsFederationConfiguration(issuer, realm);
wsfedconfig.PersistentCookiesOnPassiveRedirects = true;
wsfedconfig.PassiveRedirectEnabled = true;
args.FederationConfiguration.IdentityConfiguration = idconfig;
args.FederationConfiguration.WsFederationConfiguration = wsfedconfig;
args.FederationConfiguration.CookieHandler = new ChunkedCookieHandler();
};
}
public ClaimsPrincipal Validate(string userName, string password)
{
var binding = new UserNameWSTrustBinding(SecurityMode.TransportWithMessageCredential);
var credentials = new ClientCredentials();
credentials.UserName.UserName = userName;
credentials.UserName.Password = password;
GenericXmlSecurityToken genericToken;
genericToken = WSTrustClient.Issue(
new EndpointAddress(_address),
new EndpointAddress(_realm),
binding,
credentials) as GenericXmlSecurityToken;
var config = new SecurityTokenHandlerConfiguration();
config.AudienceRestriction.AllowedAudienceUris.Add(new Uri(_realm));
config.CertificateValidationMode = X509CertificateValidationMode.None;
config.CertificateValidator = X509CertificateValidator.None;
var registry = new ConfigurationBasedIssuerNameRegistry();
registry.AddTrustedIssuer(_issuerThumbprint, _address);
config.IssuerNameRegistry = registry;
var handler = SecurityTokenHandlerCollection.CreateDefaultSecurityTokenHandlerCollection(config);
ClaimsPrincipal principal;
var token = genericToken.ToSecurityToken();
principal = new ClaimsPrincipal(handler.ValidateToken(token));
Tracing.Information("Successfully requested token for user via WS-Trust");
return FederatedAuthentication.FederationConfiguration.IdentityConfiguration.ClaimsAuthenticationManager.Authenticate("ResourceOwnerPasswordValidation", principal);
}
private void SetupFederatedLogin()
{
FederatedAuthentication.FederationConfigurationCreated += (sender, args) =>
{
var config = Kernel.Get<IConfigurationService>();
var idconfig = new IdentityConfiguration();
idconfig.AudienceRestriction.AllowedAudienceUris.Add(new Uri(config.Auth.AudienceUrl));
var registry = new ConfigurationBasedIssuerNameRegistry();
registry.AddTrustedIssuer(config.Auth.TokenCertificateThumbprint, config.Auth.AuthenticationIssuer);
idconfig.IssuerNameRegistry = registry;
idconfig.CertificateValidationMode = X509CertificateValidationMode.None;
var sessionTransforms = new List<CookieTransform>() {
new DeflateCookieTransform(),
new MachineKeyTransform()
};
idconfig.SecurityTokenHandlers.AddOrReplace(new SessionSecurityTokenHandler(sessionTransforms.AsReadOnly()));
var wsfedconfig = new WsFederationConfiguration(config.Auth.AuthenticationIssuer, config.Auth.AuthenticationRealm);
wsfedconfig.PersistentCookiesOnPassiveRedirects = true;
args.FederationConfiguration.IdentityConfiguration = idconfig;
args.FederationConfiguration.WsFederationConfiguration = wsfedconfig;
args.FederationConfiguration.CookieHandler = new ChunkedCookieHandler();
};
}
public static void AddSaml2(this AuthenticationConfiguration configuration, string issuerThumbprint, string issuerName, string audienceUri, X509CertificateValidator certificateValidator, AuthenticationOptions options, AuthenticationScheme scheme)
{
var registry = new ConfigurationBasedIssuerNameRegistry();
registry.AddTrustedIssuer(issuerThumbprint, issuerName);
var handlerConfig = new SecurityTokenHandlerConfiguration();
handlerConfig.AudienceRestriction.AllowedAudienceUris.Add(new Uri(audienceUri));
handlerConfig.IssuerNameRegistry = registry;
handlerConfig.CertificateValidator = certificateValidator;
configuration.AddSaml2(handlerConfig, options, scheme);
}
private WebSecurityTokenHandlerCollectionManager SetupSecurityTokenHandler()
{
var manager = new WebSecurityTokenHandlerCollectionManager();
#region Basic Authentication
// basic authentication
manager.AddBasicAuthenticationHandler((username, password) => username == password);
// sample to use membership provider
//manager.AddBasicAuthenticationHandler((username, password) => Membership.ValidateUser(username, password));
#endregion
#region SAML
// SAML via ADFS
var registry = new ConfigurationBasedIssuerNameRegistry();
registry.AddTrustedIssuer("d1 c5 b1 25 97 d0 36 94 65 1c e2 64 fe 48 06 01 35 f7 bd db", "ADFS");
var adfsConfig = new SecurityTokenHandlerConfiguration();
adfsConfig.AudienceRestriction.AllowedAudienceUris.Add(new Uri("https://" + Constants.WebHost + "/webservicesecurity/rest/"));
adfsConfig.IssuerNameRegistry = registry;
adfsConfig.CertificateValidator = X509CertificateValidator.None;
// token decryption (read from config)
adfsConfig.ServiceTokenResolver = IdentityModelConfiguration.ServiceConfiguration.CreateAggregateTokenResolver();
manager.AddSaml11SecurityTokenHandler("SAML", adfsConfig);
//manager.AddSaml2SecurityTokenHandler("SAML", adfsConfig);
#endregion
#region ACS SWT
manager.AddSimpleWebTokenHandler(
"ACS",
"https://" + Constants.ACS + "/",
"https://" + Constants.WebHost + "/webservicesecurity/rest/",
"ds9t7JPEsprLRxWvnFjGr+xOhWOy5H8ZHEr5z/rJbi8=");
#endregion
#region IdSrv SWT
manager.AddSimpleWebTokenHandler(
"IdSrv",
"http://identity.thinktecture.com/trust",
"https://" + Constants.WebHost + "/webservicesecurity/rest/",
"yM7+ti12DiFWcg8t5EfdQbOIgdZCchkETYSXxmvTY0s=");
#endregion
#region Allow ASP.NET based authentication
manager.AddDefaultHandler();
#endregion
return manager;
}
public CustomSaml2SecurityTokenHandler()
{
var registry = new ConfigurationBasedIssuerNameRegistry();
registry.AddTrustedIssuer("fb369e5dcf3ae82dcbe95a922baff3112fcde352", "McKesson");
registry.AddTrustedIssuer("17bfb6a73bc53bbfdc64e4e64f77b206471e9c08","Cerner");
var handlerConfig = new SecurityTokenHandlerConfiguration
{
AudienceRestriction = new AudienceRestriction(AudienceUriMode.Never),
MaxClockSkew = new TimeSpan(50000000),
IssuerNameRegistry = registry
};
Configuration = handlerConfig;
}
private static SecurityTokenHandlerConfiguration CreateSaml2SecurityTokenHandlerConfiguration(string issuerThumbprint, string issuerName, string audienceUri, X509CertificateValidator certificateValidator)
{
var registry = new ConfigurationBasedIssuerNameRegistry();
registry.AddTrustedIssuer(issuerThumbprint, issuerName);
var handlerConfig = new SecurityTokenHandlerConfiguration();
handlerConfig.AudienceRestriction.AllowedAudienceUris.Add(new Uri(audienceUri));
handlerConfig.IssuerNameRegistry = registry;
handlerConfig.CertificateValidator = certificateValidator;
return(handlerConfig);
}
//Λύνει το πρόβλημα που περιγράφεται στο:
//https://erikvanderstarre.wordpress.com/2014/12/14/using-the-jwtsecuritytokenhandler/
/// <summary>
/// Reads and validates a token encoded in JSON Compact serialized format.
/// </summary>
/// <param name="securityToken">A 'JSON Web Token' (JWT) that has been encoded as a JSON object. May be signed using 'JSON Web Signature' (JWS).</param>
/// <returns>A <see cref="ReadOnlyCollection<ClaimsIdentity>"/> from the jwt.</returns>
public override ReadOnlyCollection <ClaimsIdentity> ValidateToken(SecurityToken token)
{
JwtSecurityToken jwtToken = (JwtSecurityToken)token;
ConfigurationBasedIssuerNameRegistry reg = (ConfigurationBasedIssuerNameRegistry)Configuration.IssuerNameRegistry;
IDictionary <string, string> trustedIssuers = reg.ConfiguredTrustedIssuers;
//// Get the configuration from the configuration file (element "issuerNameRegistry").
//ValidatingIssuerNameRegistry issuerNameRegistry = (ValidatingIssuerNameRegistry)
// Configuration.IssuerNameRegistry;
//IssuingAuthority issuingAuthority = issuerNameRegistry.IssuingAuthorities.First();
//// Set the validation parameters from the configuration.
var validationParameters = new TokenValidationParameters
{
// Get the audiences that are expected.
ValidAudiences = Configuration.AudienceRestriction.AllowedAudienceUris.Select(s => s.ToString()),
// Get the issuer that are expected.
ValidIssuers = trustedIssuers.Select(f => f.Value),
// Get the certificate to validate signing from the certificate store (if configured).
IssuerSigningKeys = trustedIssuers.Select(f => GetSecurityKey(f.Key)),
// Get the certificate to validate signing from the certificate store (if configured).
//IssuerSigningKey = getCertificate(issuingAuthority.Thumbprints.FirstOrDefault()),
// Get the symmetric key token that is used to sign (if configured).
// Did not get this one working though.
//IssuerSigningToken = GetSymmetricKeyToken(issuingAuthority.SymmetricKeys.FirstOrDefault()),
// Get how to validate the certificate.
CertificateValidator = Configuration.CertificateValidator,
// Get if the token should be preserved.
SaveSigninToken = Configuration.SaveBootstrapContext
};
// Call the correct validation method.
SecurityToken validatedToken;
ClaimsPrincipal validated = ValidateToken(jwtToken.RawData, validationParameters, out validatedToken);
// Return the claim identities.
return(new ReadOnlyCollection <ClaimsIdentity>(validated.Identities.ToList()));
}
private static void ConfigureHandler(SecurityTokenHandlerConfiguration configuration)
{
var issuerTokens = new List <SecurityToken> {
new X509SecurityToken(GetSigningCertificate())
}.AsReadOnly();
configuration.IssuerTokenResolver = SecurityTokenResolver.CreateDefaultSecurityTokenResolver(
issuerTokens, false);
var registry = new ConfigurationBasedIssuerNameRegistry();
registry.AddTrustedIssuer(GetSigningCertificate().Thumbprint, "TecTeacher");
configuration.IssuerNameRegistry = registry;
}
private static SecurityTokenHandlerConfiguration CreateStandardConfiguration(string thumbprint)
{
var configuration = new SecurityTokenHandlerConfiguration();
configuration.AudienceRestriction.AudienceMode = AudienceUriMode.Never;
var registry = new ConfigurationBasedIssuerNameRegistry();
registry.AddTrustedIssuer(thumbprint, thumbprint);
configuration.IssuerNameRegistry = registry;
configuration.SaveBootstrapTokens = true;
return(configuration);
}
protected virtual void LoadMetadata()
{
var client = new HttpClient { BaseAddress = _metadataAddress };
var stream = client.GetStreamAsync("").Result;
var serializer = new MetadataSerializer();
var md = serializer.ReadMetadata(stream);
var id = md.SigningCredentials.SigningKeyIdentifier;
var clause = id.First() as X509RawDataKeyIdentifierClause;
var cert = new X509Certificate2(clause.GetX509RawData());
_registry = new ConfigurationBasedIssuerNameRegistry();
_registry.AddTrustedIssuer(cert.Thumbprint, _issuerName);
}
public CustomSaml2SecurityTokenHandler()
{
var registry = new ConfigurationBasedIssuerNameRegistry();
registry.AddTrustedIssuer("fb369e5dcf3ae82dcbe95a922baff3112fcde352", "McKesson");
registry.AddTrustedIssuer("17bfb6a73bc53bbfdc64e4e64f77b206471e9c08", "Cerner");
var handlerConfig = new SecurityTokenHandlerConfiguration
{
AudienceRestriction = new AudienceRestriction(AudienceUriMode.Never),
MaxClockSkew = new TimeSpan(50000000),
IssuerNameRegistry = registry
};
Configuration = handlerConfig;
}
protected virtual void LoadMetadata()
{
var client = new HttpClient {
BaseAddress = _metadataAddress
};
var stream = client.GetStreamAsync("").Result;
var serializer = new MetadataSerializer();
var md = serializer.ReadMetadata(stream);
var id = md.SigningCredentials.SigningKeyIdentifier;
var clause = id.First() as X509RawDataKeyIdentifierClause;
var cert = new X509Certificate2(clause.GetX509RawData());
_registry = new ConfigurationBasedIssuerNameRegistry();
_registry.AddTrustedIssuer(cert.Thumbprint, _issuerName);
}
public ClaimsPrincipal Validate(string userName, string password)
{
var binding = new UserNameWSTrustBinding(SecurityMode.TransportWithMessageCredential);
var credentials = new ClientCredentials();
credentials.UserName.UserName = userName;
credentials.UserName.Password = password;
GenericXmlSecurityToken genericToken;
try
{
genericToken = WSTrustClient.Issue(
new EndpointAddress(_address),
new EndpointAddress(_realm),
binding,
credentials) as GenericXmlSecurityToken;
}
catch (MessageSecurityException ex)
{
Tracing.Error("WSTrustResourceOwnerCredentialValidation failed: " + ex.ToString());
return(null);
}
var config = new SecurityTokenHandlerConfiguration();
config.AudienceRestriction.AllowedAudienceUris.Add(new Uri(_realm));
config.CertificateValidationMode = X509CertificateValidationMode.None;
config.CertificateValidator = X509CertificateValidator.None;
var registry = new ConfigurationBasedIssuerNameRegistry();
registry.AddTrustedIssuer(_issuerThumbprint, _address);
config.IssuerNameRegistry = registry;
var handler = SecurityTokenHandlerCollection.CreateDefaultSecurityTokenHandlerCollection(config);
ClaimsPrincipal principal;
var token = genericToken.ToSecurityToken();
principal = new ClaimsPrincipal(handler.ValidateToken(token));
Tracing.Information("Successfully requested token for user via WS-Trust");
return(FederatedAuthentication.FederationConfiguration.IdentityConfiguration.ClaimsAuthenticationManager.Authenticate("ResourceOwnerPasswordValidation", principal));
}
private static void ConfigureWIF()
{
var inr = new ConfigurationBasedIssuerNameRegistry();
inr.AddTrustedIssuer(EmbeddedStsConstants.SigningCertificate.Thumbprint,
EmbeddedStsConstants.TokenIssuerName);
var config = FederatedAuthentication.FederationConfiguration;
config.IdentityConfiguration.IssuerNameRegistry = inr;
var rpRealm = new Uri(config.WsFederationConfiguration.Realm);
if (!config.IdentityConfiguration.AudienceRestriction.AllowedAudienceUris.Contains(rpRealm))
{
config.IdentityConfiguration.AudienceRestriction.AllowedAudienceUris.Add(rpRealm);
}
config.IdentityConfiguration.CertificateValidationMode = System.ServiceModel.Security.X509CertificateValidationMode.None;
config.IdentityConfiguration.RevocationMode = System.Security.Cryptography.X509Certificates.X509RevocationMode.NoCheck;
}
public static ClaimsIdentity ValidateSamlToken(SecurityToken securityToken)
{
var configuration = new SecurityTokenHandlerConfiguration();
configuration.AudienceRestriction.AudienceMode = AudienceUriMode.Never;
configuration.CertificateValidationMode = X509CertificateValidationMode.None;
configuration.RevocationMode = X509RevocationMode.NoCheck;
configuration.CertificateValidator = X509CertificateValidator.None;
var registry = new ConfigurationBasedIssuerNameRegistry();
registry.AddTrustedIssuer("thumb", "ADFS Signing - mycomp.com");
configuration.IssuerNameRegistry = registry;
var handler = SecurityTokenHandlerCollection.CreateDefaultSecurityTokenHandlerCollection(configuration);
var identity = handler.ValidateToken(securityToken).First();
return(identity);
}
public SecurityToken GetToken()
{
// Need this because the server has a self-signed certificate that doesn't pass validation
ServicePointManager.ServerCertificateValidationCallback += (sender, certificate, chain, errors) => true;
var factory = new WSTrustChannelFactory(
new UserNameWsTrustBinding(),
StsWsTrustEndpoint)
{
TrustVersion = TrustVersion.WSTrust13
};
factory.Credentials.UserName.UserName = UserName;
factory.Credentials.UserName.Password = Password;
var rst = new RequestSecurityToken
{
RequestType = RequestTypes.Issue,
KeyType = KeyTypes.Bearer,
TokenType = "urn:oasis:names:tc:SAML:2.0:assertion",
AppliesTo = new EndpointReference(Realm)
};
var genericToken = factory.CreateChannel().Issue(rst) as GenericXmlSecurityToken;
var tokenXml = genericToken.TokenXml.OuterXml;
var tokenHandlers = SecurityTokenHandlerCollection.CreateDefaultSecurityTokenHandlerCollection();
var config = tokenHandlers.Configuration;
config.AudienceRestriction.AllowedAudienceUris.Add(new Uri(Realm));
config.CertificateValidator = X509CertificateValidator.None;
var registry = new ConfigurationBasedIssuerNameRegistry();
registry.AddTrustedIssuer("CB317A2E635B47310D50A67C7B40081F7B4BD280", "http://platformservices.spikesco.com/devsts");
config.IssuerNameRegistry = registry;
var token = tokenHandlers.ReadToken(new XmlTextReader(new StringReader(tokenXml)));
var identity = tokenHandlers.ValidateToken(token);
Thread.CurrentPrincipal = new ClaimsPrincipal(identity);
TokenHelpers.TokenHelpers.Print(tokenXml);
TokenHelpers.TokenHelpers.PrintCurrentPrincipal();
return(token);
}
private static void ConfigureWIF()
{
var inr = new ConfigurationBasedIssuerNameRegistry();
inr.AddTrustedIssuer(DevStsConstants.SigningCertificate.Thumbprint, DevStsConstants.TokenIssuerName);
var config = FederatedAuthentication.FederationConfiguration;
config.IdentityConfiguration.IssuerNameRegistry = inr;
var rpRealm = new Uri(config.WsFederationConfiguration.Realm);
if (!config.IdentityConfiguration.AudienceRestriction.AllowedAudienceUris.Contains(rpRealm))
{
config.IdentityConfiguration.AudienceRestriction.AllowedAudienceUris.Add(rpRealm);
}
config.IdentityConfiguration.CertificateValidationMode = System.ServiceModel.Security.X509CertificateValidationMode.None;
config.IdentityConfiguration.RevocationMode = System.Security.Cryptography.X509Certificates.X509RevocationMode.NoCheck;
}
public static ClaimsIdentity ValidateSamlToken(SecurityToken securityToken)
{
var configuration = new SecurityTokenHandlerConfiguration();
configuration.AudienceRestriction.AudienceMode = AudienceUriMode.Always;
configuration.AudienceRestriction.AllowedAudienceUris.Add(new Uri(_relyingPartyIdentifier));
configuration.CertificateValidationMode = X509CertificateValidationMode.ChainTrust;
configuration.RevocationMode = X509RevocationMode.Online;
configuration.CertificateValidator = X509CertificateValidator.ChainTrust;
var registry = new ConfigurationBasedIssuerNameRegistry();
registry.AddTrustedIssuer(_signingCertificateThumbprint, _signingCertificateCommonName);
configuration.IssuerNameRegistry = registry;
var handler = SecurityTokenHandlerCollection.CreateDefaultSecurityTokenHandlerCollection(configuration);
var identity = handler.ValidateToken(securityToken).First();
return(identity);
}
private ClaimsPrincipal ValidateToken(SecurityToken token)
{
var config = new SecurityTokenHandlerConfiguration();
config.AudienceRestriction.AudienceMode = AudienceUriMode.Always;
config.AudienceRestriction.AllowedAudienceUris.Add(new Uri(ConfigurationManager.AppSettings["acsAppliesToAddress"]));
var registry = new ConfigurationBasedIssuerNameRegistry();
registry.AddTrustedIssuer(ConfigurationManager.AppSettings["acsTrustedIssuerThumbprint"], "ACS");
config.IssuerNameRegistry = registry;
config.CertificateValidator = X509CertificateValidator.None;
var handler = SecurityTokenHandlerCollection.CreateDefaultSecurityTokenHandlerCollection(config);
var identity = handler.ValidateToken(token).First();
return(new ClaimsPrincipal(identity));
}
private static void ConfigureWIF(ServiceHost host)
{
/*
* this method demonstrates how to configure WIF and WCF by code instead of use the classic config file approach
* Emulates the following config:
*
* WIF
* ----------------------------------
* <system.identityModel>
* <identityConfiguration>
* <audienceUris>
* <add value="http://testWCFservice.gianlucb.local" />
* </audienceUris>
* <issuerNameRegistry type="System.IdentityModel.Tokens.ConfigurationBasedIssuerNameRegistry, System.IdentityModel, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089">
* <trustedIssuers>
* <add thumbprint="9b91b18206a805896b19c4ffd20a487db025d321" name="signing certificate sts" />
* </trustedIssuers>
* </issuerNameRegistry>
* <certificateValidation certificateValidationMode="None" />
* </identityConfiguration>
* </system.identityModel>
*
* if you want ot use the config file approach do not call this method
*/
//configure the WIF specific settings
IdentityConfiguration identityConfig = new IdentityConfiguration(false);
//AUDIENCE URI
//this value can be a fantasy name and not a real URL, it identifies our service whitin the ADFS server.
//It must be equal to the one defined in ADFS Console ("RELAYING PARTY trust identifiers" section)
//the token we receive contains this value, so if do not match we fail
identityConfig.AudienceRestriction.AllowedAudienceUris.Add(new Uri("http://testWCFservice.gianlucb.local"));
//ISSUER NAME REGISTRY explicit the thumbprint of the accepted certificates, if the token coming in is not signed with any of these certificates then is considered invalid
var issuerNameRegistry = new ConfigurationBasedIssuerNameRegistry();
issuerNameRegistry.AddTrustedIssuer("9b91b18206a805896b19c4ffd20a487db025d321", "signing certificate sts"); //STS signing certificate thumbprint
identityConfig.IssuerNameRegistry = issuerNameRegistry;
identityConfig.CertificateValidationMode = System.ServiceModel.Security.X509CertificateValidationMode.None;
//attach our config to the service
host.Credentials.IdentityConfiguration = identityConfig;
}
public static void ConfigureTrustedIssuers(string federationMetadataLocationUrl)
{
var issuerNameRegistry = new ConfigurationBasedIssuerNameRegistry();
string fedString;
using (var webClient = new WebClient())
fedString = webClient.DownloadString(federationMetadataLocationUrl);
var fedXml = XDocument.Parse(fedString);
var nsmgr = new XmlNamespaceManager(new NameTable());
nsmgr.AddNamespace("meta", "urn:oasis:names:tc:SAML:2.0:metadata");
var elements = fedXml.XPathSelectElements("//meta:IDPSSODescriptor/meta:KeyDescriptor[@use=\"signing\"]", nsmgr).ToList();
foreach (var cert in elements.Select(element => new X509Certificate2(Convert.FromBase64String(element.Value))))
{
issuerNameRegistry.AddTrustedIssuer(cert.Thumbprint, cert.Thumbprint);
}
FederatedAuthentication.FederationConfiguration.IdentityConfiguration.IssuerNameRegistry = issuerNameRegistry;
}
static void FederatedAuthentication_FederationConfigurationCreated(object sender, FederationConfigurationCreatedEventArgs e)
{
if (IsEmbeddedSts(e.FederationConfiguration.WsFederationConfiguration.Issuer))
{
var inr = new ConfigurationBasedIssuerNameRegistry();
inr.AddTrustedIssuer(EmbeddedStsConstants.SigningCertificate.Thumbprint,
EmbeddedStsConstants.TokenIssuerName);
var config = e.FederationConfiguration;
config.IdentityConfiguration.IssuerNameRegistry = inr;
var rpRealm = new Uri(config.WsFederationConfiguration.Realm);
if (!config.IdentityConfiguration.AudienceRestriction.AllowedAudienceUris.Contains(rpRealm))
{
config.IdentityConfiguration.AudienceRestriction.AllowedAudienceUris.Add(rpRealm);
}
config.IdentityConfiguration.CertificateValidationMode = System.ServiceModel.Security.X509CertificateValidationMode.None;
config.IdentityConfiguration.RevocationMode = System.Security.Cryptography.X509Certificates.X509RevocationMode.NoCheck;
}
}
private static void ConfigureHandler(SecurityTokenHandler handler, Uri audience, string issuerThumbprint, string issuerName = null, X509CertificateValidator validator = null)
{
var handlerConfiguration = new SecurityTokenHandlerConfiguration();
handlerConfiguration.AudienceRestriction.AllowedAudienceUris.Add(audience);
var registry = new ConfigurationBasedIssuerNameRegistry();
registry.AddTrustedIssuer(issuerThumbprint, issuerName ?? issuerThumbprint);
if (validator != null)
{
handlerConfiguration.CertificateValidator = validator;
}
else
{
handlerConfiguration.CertificateValidator = X509CertificateValidator.None;
}
handlerConfiguration.IssuerNameRegistry = registry;
handler.Configuration = handlerConfiguration;
}
private static AuthenticationConfiguration CreateAuthenticationConfiguration()
{
var options = new AuthenticationOptions()
{
RequestType = HttpRequestType.AuthorizationHeader,
Name = "Authorization",
Scheme = "SAML"
};
var registry = new ConfigurationBasedIssuerNameRegistry();
registry.AddTrustedIssuer("18145fb6b5d96b3cc34ec7599f12172bb93c68ef", "DummySTS");
var adfsConfig = new SecurityTokenHandlerConfiguration();
adfsConfig.AudienceRestriction.AllowedAudienceUris.Add(new Uri("urn:claimsdemo:mvc5http"));
adfsConfig.IssuerNameRegistry = registry;
adfsConfig.CertificateValidator = X509CertificateValidator.None;
X509Store store = new X509Store(StoreName.My, StoreLocation.LocalMachine);
store.Open(OpenFlags.ReadOnly);
X509Certificate2Collection certificates = store.Certificates;
X509Certificate2Collection matchingCertificates = certificates.Find(
X509FindType.FindByThumbprint,
"a2028f8e7f7b082cd35e81fd0ca0b70b04651abf", false);
X509Certificate2 certificate = certificates[0];
List<SecurityToken> serviceTokens = new List<SecurityToken>();
serviceTokens.Add(new X509SecurityToken(certificate));
SecurityTokenResolver serviceResolver =
SecurityTokenResolver.CreateDefaultSecurityTokenResolver(
serviceTokens.AsReadOnly(), false);
adfsConfig.ServiceTokenResolver = serviceResolver;
var config = new AuthenticationConfiguration
{
RequireSsl = false
};
config.AddSaml11(adfsConfig, options);
return config;
}
public ClaimsIdentity ValidateSamlToken(GenericXmlSecurityToken securityToken)
{
var _handler = SecurityTokenHandlerCollection.CreateDefaultSecurityTokenHandlerCollection();
var tokenString = securityToken.ToTokenXmlString();
var samlToken2 = _handler.ReadToken(new XmlTextReader(new StringReader(tokenString)));
var configuration = new SecurityTokenHandlerConfiguration();
configuration.AudienceRestriction.AudienceMode = AudienceUriMode.Never;
configuration.CertificateValidationMode = X509CertificateValidationMode.None;
configuration.RevocationMode = X509RevocationMode.NoCheck;
configuration.CertificateValidator = X509CertificateValidator.None;
var registry = new ConfigurationBasedIssuerNameRegistry();
registry.AddTrustedIssuer(trustedIssuerCertificateThumbPrint, trustedIssuerName);
configuration.IssuerNameRegistry = registry;
var handler = SecurityTokenHandlerCollection.CreateDefaultSecurityTokenHandlerCollection(configuration);
var identity = handler.ValidateToken(samlToken2).First();
return identity;
}
public ClaimsIdentity ValidateSamlToken(SecurityToken securityToken)
{
StripSaml2ProtocolProperties(securityToken);
var configuration = new SecurityTokenHandlerConfiguration();
configuration.AudienceRestriction.AudienceMode = AudienceUriMode.Never;
configuration.CertificateValidationMode = X509CertificateValidationMode.None;
configuration.RevocationMode = X509RevocationMode.NoCheck;
configuration.CertificateValidator = X509CertificateValidator.None;
var registry = new ConfigurationBasedIssuerNameRegistry();
registry.AddTrustedIssuer(_configuration.AdfsIntegration.IssuerThumbprint, "ADFS");
configuration.IssuerNameRegistry = registry;
var handler = SecurityTokenHandlerCollection.CreateDefaultSecurityTokenHandlerCollection(configuration);
var identity = handler.ValidateToken(securityToken).First();
return(identity);
}
private static void ConfigureHandler(SecurityTokenHandler handler, Uri audience, string issuerThumbprint, string issuerName = null, X509CertificateValidator validator = null)
{
var handlerConfiguration = new SecurityTokenHandlerConfiguration();
handlerConfiguration.AudienceRestriction.AllowedAudienceUris.Add(audience);
var registry = new ConfigurationBasedIssuerNameRegistry();
registry.AddTrustedIssuer(issuerThumbprint, issuerName ?? issuerThumbprint);
if (validator != null)
{
handlerConfiguration.CertificateValidator = validator;
}
else
{
handlerConfiguration.CertificateValidator = X509CertificateValidator.None;
}
handlerConfiguration.IssuerNameRegistry = registry;
handler.Configuration = handlerConfiguration;
}
private static AuthenticationHandler GetDefaultAuthenticationHandler()
{
var authConfig = new AuthenticationConfiguration
{
InheritHostClientIdentity = false
};
#region Basic Authentication
authConfig.Handler.AddBasicAuthenticationHandler((userName, password) => { return userName == password; });
#endregion
#region SWT
authConfig.Handler.AddSimpleWebTokenHandler(
"SWT",
Constants.Issuer,
Constants.Realm,
"Dc9Mpi3jbooUpBQpB/4R7XtUsa3D/ALSjTVvK8IUZbg=");
#endregion
#region SAML tokens
var registry = new ConfigurationBasedIssuerNameRegistry();
registry.AddTrustedIssuer("D263DDCF598E716F0037380796A4A62DF017ADB8", "TEST");
var adfsConfig = new SecurityTokenHandlerConfiguration();
adfsConfig.AudienceRestriction.AllowedAudienceUris.Add(new Uri(Constants.Realm));
adfsConfig.IssuerNameRegistry = registry;
adfsConfig.CertificateValidator = X509CertificateValidator.None;
// token decryption (read from configuration section)
adfsConfig.ServiceTokenResolver = FederatedAuthentication.ServiceConfiguration.CreateAggregateTokenResolver();
authConfig.Handler.AddSaml11SecurityTokenHandler("SAML", adfsConfig);
//manager.AddSaml2SecurityTokenHandler("AdfsSaml", adfsConfig);
#endregion
var authHandler = new AuthenticationHandler(authConfig);
return authHandler;
}
public void ReadEpamSignedSamlToken()
{
var tokenHandler = new SamlSecurityTokenHandler();
var issuerRegistry = new ConfigurationBasedIssuerNameRegistry();
issuerRegistry.AddTrustedIssuer(CERTIFICATE_THUMBPRINT,
ISSUER_NAME);
tokenHandler.Configuration = new SecurityTokenHandlerConfiguration()
{
AudienceRestriction = new AudienceRestriction(AudienceUriMode.Never),
IssuerNameRegistry = issuerRegistry,
MaxClockSkew = TimeSpan.MaxValue
};
var xmlReader = XmlReader.Create(new StringReader(Resource.EpamToken));
var token = tokenHandler.ReadToken(xmlReader, new NamedKeyIssuerTokenResolver()) as SamlSecurityToken;
var identity = tokenHandler.ValidateToken(token).First();
PrintIdentity(identity);
}
protected virtual void LoadMetadata()
{
using (var stream = GetMetadataStream())
{
var serializer = new MetadataSerializer();
var md = serializer.ReadMetadata(stream);
var ed = md as EntityDescriptor;
var stsd = (SecurityTokenServiceDescriptor)ed.RoleDescriptors.FirstOrDefault(x => x is SecurityTokenServiceDescriptor);
var registry = new ConfigurationBasedIssuerNameRegistry();
foreach (var key in stsd.Keys)
{
var clause = key.KeyInfo.FirstOrDefault() as X509RawDataKeyIdentifierClause;
if (clause != null)
{
var cert = new X509Certificate2(clause.GetX509RawData());
registry.AddTrustedIssuer(cert.Thumbprint, issuerName);
}
}
_registry = registry;
}
}
protected virtual SecurityTokenHandlerConfiguration GetSecurityTokenHandlerConfiguration(ISaml2AssertionValidationOptions options)
{
var serviceTokens = new List<SecurityToken>();
serviceTokens.Add(new X509SecurityToken(options.Certificate));
var issuers = new ConfigurationBasedIssuerNameRegistry();
issuers.AddTrustedIssuer(options.Certificate.Thumbprint, options.Certificate.Issuer);
var conf = new SecurityTokenHandlerConfiguration
{
AudienceRestriction = new AudienceRestriction(AudienceUriMode.Always),
CertificateValidator = X509CertificateValidator.ChainTrust,
RevocationMode = X509RevocationMode.NoCheck,
IssuerNameRegistry = issuers,
MaxClockSkew = TimeSpan.FromMinutes(5),
ServiceTokenResolver =
SecurityTokenResolver.CreateDefaultSecurityTokenResolver(serviceTokens.AsReadOnly(), false)
};
foreach (var y in options.Audience)
{
conf.AudienceRestriction.AllowedAudienceUris.Add(y);
}
return conf;
}
private ReadOnlyCollection <ClaimsIdentity> ValidateAssertion(string assertionXml)
{
ReadOnlyCollection <ClaimsIdentity> claimsIdentities = null;
Saml2SecurityToken securityToken;
StringReader reader = new StringReader(assertionXml);
using (XmlReader xmlReader = XmlReader.Create(reader))
{
if (!xmlReader.ReadToFollowing("saml2:Assertion"))
{
throw new SecurityTokenValidationException("SAML2 Assertion not found.");
}
FixedSaml2SecurityTokenHandler tokenHandler = new FixedSaml2SecurityTokenHandler(Recipient);
SecurityTokenHandler[] tokenHandlers = new SecurityTokenHandlers[] { tokenHandler };
SecurityTokenHandlerCollection handlerCollection = new SecurityTokenHandlerCollection(tokenHandlers);
ConfigurationBasedIssuerNameRegistry issuerNameRegistry = new ConfigurationBasedIssuerNameRegistry();
foreach (TrustedIssuer issuer in TrustedIssuers)
{
issuerNameRegistry.AddTrustedIssuer(issuer.CertificateThumbprint, issuer.IssuerName);
}
handlerCollection.Configuration.IssuerNameRegistry = issuerNameRegistry;
AudienceRestriction restriction = new AudienceRestriction(AudienceUriMode.Always);
foreach (Uri allowedAudience in AllowedAudiences)
{
restriction.AllowedAudiencesUris.Add(allowedAudience);
}
handlerCollection.Configuration.AudienceRestriction = restriction;
securityToken = (Saml2SecurityToken)handlerCollection.ReadToken(xmlReader.ReadSubtree());
claimsIdentities = handlerCollection.ValidateToken(securityToken);
}
return(claimsIdentities);
}
public static AuthenticationConfiguration CreateConfiguration()
{
var config = new AuthenticationConfiguration
{
DefaultAuthenticationScheme = "Basic",
};
#region BasicAuthentication
config.AddBasicAuthentication((userName, password) => userName == password);
#endregion
#region SimpleWebToken
config.AddSimpleWebToken(
issuer: "http://localhost/idsrv/trust",
audience: Constants.Realm,
signingKey: Constants.IdSrvSymmetricSigningKey,
options: AuthenticationOptions.ForAuthorizationHeader("IdSrv"));
#endregion
#region JsonWebToken
config.AddJsonWebToken(
issuer: "http://selfissued.test",
audience: Constants.Realm,
signingKey: Constants.IdSrvSymmetricSigningKey,
options: AuthenticationOptions.ForAuthorizationHeader("JWT"));
#endregion
#region IdentityServer SAML
var idsrvRegistry = new ConfigurationBasedIssuerNameRegistry();
idsrvRegistry.AddTrustedIssuer("a90d2bc088d949d63321e1152065234c1acda7b1", "Thinktecture IdSrv");
var idsrvConfig = new SecurityTokenHandlerConfiguration();
idsrvConfig.AudienceRestriction.AllowedAudienceUris.Add(new Uri(Constants.Realm));
idsrvConfig.IssuerNameRegistry = idsrvRegistry;
idsrvConfig.CertificateValidator = X509CertificateValidator.None;
config.AddSaml2(idsrvConfig, AuthenticationOptions.ForAuthorizationHeader("IdSrvSaml"));
#endregion
#region ACS SWT
config.AddSimpleWebToken(
issuer: "https://" + Constants.ACS + "/",
audience: Constants.Realm,
signingKey: Constants.AcsSymmetricSigningKey,
options: AuthenticationOptions.ForAuthorizationHeader("ACS"));
#endregion
#region AccessKey
var handler = new SimpleSecurityTokenHandler(token =>
{
if (ObfuscatingComparer.IsEqual(token, "accesskey123"))
{
return IdentityFactory.Create("Custom",
new Claim("customerid", "123"),
new Claim("email", "*****@*****.**"));
}
return null;
});
config.AddAccessKey(handler, AuthenticationOptions.ForQueryString("key"));
#endregion
return config;
}
private AuthenticationConfiguration ConfigureAuthentication()
{
var config = new AuthenticationConfiguration
{
// sample claims transformation for consultants sample, comment out to see raw claims
ClaimsAuthenticationManager = new ConsultantsClaimsTransformer(),
// value of the www-authenticate header, if not set, the first scheme added to the handler collection is used
DefaultAuthenticationScheme = "Basic"
};
#region Basic Authentication
config.Handler.AddBasicAuthenticationHandler((username, password) => username == password);
#endregion
#region IdSrv Simple Web Tokens
config.Handler.AddSimpleWebTokenHandler(
"IdSrv",
"http://identity.thinktecture.com/trust",
Constants.Realm,
"Dc9Mpi3jbooUpBQpB/4R7XtUsa3D/ALSjTVvK8IUZbg=");
#endregion
#region ACS Simple Web Tokens
config.Handler.AddSimpleWebTokenHandler(
"ACS",
"https://" + Constants.ACS + "/",
Constants.Realm,
"yFvxu8Xkmo/xBSSPrzqZLSAiB4lgjR4PIi0Bn1RsUDI=");
#endregion
#region ADFS SAML tokens
// SAML via ADFS
var registry = new ConfigurationBasedIssuerNameRegistry();
registry.AddTrustedIssuer("d1 c5 b1 25 97 d0 36 94 65 1c e2 64 fe 48 06 01 35 f7 bd db", "ADFS");
var adfsConfig = new SecurityTokenHandlerConfiguration();
adfsConfig.AudienceRestriction.AllowedAudienceUris.Add(new Uri(Constants.Realm));
adfsConfig.IssuerNameRegistry = registry;
adfsConfig.CertificateValidator = X509CertificateValidator.None;
// token decryption (read from configuration section)
adfsConfig.ServiceTokenResolver = FederatedAuthentication.ServiceConfiguration.CreateAggregateTokenResolver();
config.Handler.AddSaml11SecurityTokenHandler("AdfsSaml", adfsConfig);
//manager.AddSaml2SecurityTokenHandler("AdfsSaml", adfsConfig);
#endregion
#region IdSrv SAML tokens
// SAML via IdSrv
var idsrvRegistry = new ConfigurationBasedIssuerNameRegistry();
registry.AddTrustedIssuer("A1EED7897E55388FCE60FEF1A1EED81FF1CBAEC6", "Thinktecture IdSrv");
var idsrvConfig = new SecurityTokenHandlerConfiguration();
adfsConfig.AudienceRestriction.AllowedAudienceUris.Add(new Uri(Constants.Realm));
adfsConfig.IssuerNameRegistry = registry;
adfsConfig.CertificateValidator = X509CertificateValidator.None;
// token decryption (read from configuration section)
adfsConfig.ServiceTokenResolver = FederatedAuthentication.ServiceConfiguration.CreateAggregateTokenResolver();
config.Handler.AddSaml2SecurityTokenHandler("IdSrvSaml", adfsConfig);
#endregion
return config;
}
public static AuthenticationConfiguration CreateConfiguration()
{
var config = new AuthenticationConfiguration
{
DefaultAuthenticationScheme = "Basic",
EnableSessionToken = true,
SetNoRedirectMarker = true
};
#region BasicAuthentication
config.AddBasicAuthentication((userName, password) => userName == password, retainPassword: false);
#endregion
#region SimpleWebToken
config.AddSimpleWebToken(
issuer: Constants.IdSrvIssuerName,
audience: Constants.Realm,
signingKey: Constants.IdSrvSymmetricSigningKey,
options: AuthenticationOptions.ForAuthorizationHeader("IdSrv"));
#endregion
#region JsonWebToken
config.AddJsonWebToken(
issuer: "http://selfissued.test",
audience: Constants.Realm,
signingKey: Constants.IdSrvSymmetricSigningKey,
options: AuthenticationOptions.ForAuthorizationHeader("JWT"));
#endregion
#region JsonWebToken Windows Store Client
config.AddJsonWebToken(
issuer: "http://identityserver45.thinktecture.com/trust/changethis",
audience: "https://test/rp/",
signingKey: "3ihK5qGVhp8ptIk9+TDucXQW4Aaengg3d5m6gU8nzc8=",
options: AuthenticationOptions.ForAuthorizationHeader("Win8"));
#endregion
#region IdentityServer SAML
var idsrvRegistry = new ConfigurationBasedIssuerNameRegistry();
idsrvRegistry.AddTrustedIssuer(Constants.IdSrvSamlSigningKeyThumbprint, "Thinktecture IdSrv");
var idsrvConfig = new SecurityTokenHandlerConfiguration();
idsrvConfig.AudienceRestriction.AllowedAudienceUris.Add(new Uri(Constants.Realm));
idsrvConfig.IssuerNameRegistry = idsrvRegistry;
idsrvConfig.CertificateValidator = X509CertificateValidator.None;
config.AddSaml2(idsrvConfig, AuthenticationOptions.ForAuthorizationHeader("IdSrvSaml"));
#endregion
#region ADFS SAML
var adfsRegistry = new ConfigurationBasedIssuerNameRegistry();
adfsRegistry.AddTrustedIssuer(Constants.AdfsSamlSigningKeyThumbprint, "ADFS");
var adfsConfig = new SecurityTokenHandlerConfiguration();
adfsConfig.AudienceRestriction.AllowedAudienceUris.Add(new Uri(Constants.Realm));
adfsConfig.IssuerNameRegistry = adfsRegistry;
adfsConfig.CertificateValidator = X509CertificateValidator.None;
config.AddSaml2(adfsConfig, AuthenticationOptions.ForAuthorizationHeader("AdfsSaml"));
#endregion
#region ACS SWT
config.AddSimpleWebToken(
issuer: "https://" + Constants.ACS + "/",
audience: Constants.Realm,
signingKey: Constants.AcsSymmetricSigningKey,
options: AuthenticationOptions.ForAuthorizationHeader("ACS"));
#endregion
#region AccessKey
config.AddAccessKey(token =>
{
if (ObfuscatingComparer.IsEqual(token, "accesskey123"))
{
return Principal.Create("Custom",
new Claim("customerid", "123"),
new Claim("email", "*****@*****.**"));
}
return null;
}, AuthenticationOptions.ForQueryString("key"));
#endregion
#region Client Certificate
config.AddClientCertificate(
ClientCertificateMode.ChainValidationWithIssuerSubjectName,
"CN=PortableCA");
#endregion
return config;
}
public static AuthenticationConfiguration CreateConfiguration()
{
var config = new AuthenticationConfiguration
{
DefaultAuthenticationScheme = "Basic",
};
#region Basic Authentication
config.AddBasicAuthentication((userName, password) => userName == password);
#endregion
#region SimpleWebToken
config.AddSimpleWebToken(
"http://identity.thinktecture.com/trust",
Constants.Realm,
Constants.IdSrvSymmetricSigningKey,
AuthenticationOptions.ForAuthorizationHeader("IdSrv"));
#endregion
#region JsonWebToken
config.AddJsonWebToken(
"http://selfissued.test",
Constants.Realm,
Constants.IdSrvSymmetricSigningKey,
AuthenticationOptions.ForAuthorizationHeader("JWT"));
#endregion
#region IdentityServer SAML
var idsrvRegistry = new ConfigurationBasedIssuerNameRegistry();
idsrvRegistry.AddTrustedIssuer("A1EED7897E55388FCE60FEF1A1EED81FF1CBAEC6", "Thinktecture IdSrv");
var idsrvConfig = new SecurityTokenHandlerConfiguration();
idsrvConfig.AudienceRestriction.AllowedAudienceUris.Add(new Uri(Constants.Realm));
idsrvConfig.IssuerNameRegistry = idsrvRegistry;
idsrvConfig.CertificateValidator = X509CertificateValidator.None;
config.AddSaml2(idsrvConfig, AuthenticationOptions.ForAuthorizationHeader("IdSrvSaml"));
#endregion
#region ACS SWT
config.AddSimpleWebToken(
"https://" + Constants.ACS + "/",
Constants.Realm,
Constants.AcsSymmetricSigningKey,
AuthenticationOptions.ForAuthorizationHeader("ACS"));
#endregion
#region AccessKey
var handler = new SimpleSecurityTokenHandler("my access key", token =>
{
if (ObfuscatingComparer.IsEqual(token, "accesskey123"))
{
return new ClaimsIdentity(new Claim[]
{
new Claim("customerid", "123")
}, "Custom");
}
return null;
});
config.AddAccessKey(handler, AuthenticationOptions.ForQueryString("key"));
#endregion
return config;
}
private static ConfigurationBasedIssuerNameRegistry CreateIssuerNameRegistry(Endpoint serviceInterface)
{
GetStsSettingsFromEnvironment(serviceInterface);
var registry = new ConfigurationBasedIssuerNameRegistry();
registry.AddTrustedIssuer(ThumbprintResolver.ResolveThumbprint(serviceInterface.Thumbprint, serviceInterface.IssuerAddress), serviceInterface.IssuerAddress);
return registry;
}
public static AuthenticationConfiguration CreateConfiguration()
{
var config = new AuthenticationConfiguration
{
DefaultAuthenticationScheme = "Basic",
EnableSessionToken = true
};
#region BasicAuthentication
config.AddBasicAuthentication((userName, password) => userName == password, retainPassword: false);
#endregion
#region SimpleWebToken
config.AddSimpleWebToken(
issuer: Constants.IdSrvIssuerName,
audience: Constants.Realm,
signingKey: Constants.IdSrvSymmetricSigningKey,
options: AuthenticationOptions.ForAuthorizationHeader("IdSrv"));
#endregion
#region JsonWebToken
config.AddJsonWebToken(
issuer: "http://selfissued.test",
audience: Constants.Realm,
signingKey: Constants.IdSrvSymmetricSigningKey,
options: AuthenticationOptions.ForAuthorizationHeader("JWT"));
#endregion
#region JsonWebToken Windows Store Client
config.AddJsonWebToken(
issuer: "http://identityserver.v2.thinktecture.com/trust/changethis",
audience: "https://test/rp/",
signingKey: "3ihK5qGVhp8ptIk9+TDucXQW4Aaengg3d5m6gU8nzc8=",
options: AuthenticationOptions.ForAuthorizationHeader("Win8"));
#endregion
#region IdentityServer SAML
var idsrvRegistry = new ConfigurationBasedIssuerNameRegistry();
idsrvRegistry.AddTrustedIssuer(Constants.IdSrvSamlSigningKeyThumbprint, "Thinktecture IdSrv");
var idsrvConfig = new SecurityTokenHandlerConfiguration();
idsrvConfig.AudienceRestriction.AllowedAudienceUris.Add(new Uri(Constants.Realm));
idsrvConfig.IssuerNameRegistry = idsrvRegistry;
idsrvConfig.CertificateValidator = X509CertificateValidator.None;
config.AddSaml2(idsrvConfig, AuthenticationOptions.ForAuthorizationHeader("IdSrvSaml"));
#endregion
#region ADFS SAML
var adfsRegistry = new ConfigurationBasedIssuerNameRegistry();
adfsRegistry.AddTrustedIssuer(Constants.AdfsSamlSigningKeyThumbprint, "ADFS");
var adfsConfig = new SecurityTokenHandlerConfiguration();
adfsConfig.AudienceRestriction.AllowedAudienceUris.Add(new Uri(Constants.Realm));
adfsConfig.IssuerNameRegistry = adfsRegistry;
adfsConfig.CertificateValidator = X509CertificateValidator.None;
config.AddSaml2(adfsConfig, AuthenticationOptions.ForAuthorizationHeader("AdfsSaml"));
#endregion
#region ACS SWT
config.AddSimpleWebToken(
issuer: "https://" + Constants.ACS + "/",
audience: Constants.Realm,
signingKey: Constants.AcsSymmetricSigningKey,
options: AuthenticationOptions.ForAuthorizationHeader("ACS"));
#endregion
#region AccessKey
config.AddAccessKey(token =>
{
if (ObfuscatingComparer.IsEqual(token, "accesskey123"))
{
return(Principal.Create("Custom",
new Claim("customerid", "123"),
new Claim("email", "*****@*****.**")));
}
return(null);
}, AuthenticationOptions.ForQueryString("key"));
#endregion
#region Client Certificate
config.AddClientCertificate(
ClientCertificateMode.ChainValidationWithIssuerSubjectName,
"CN=PortableCA");
#endregion
return(config);
}
private void ProcessSSOResponse(HttpRequest request, HttpResponse response)
{
string samlResponseString = request.Params[SSOAgentConstants.SAML2SSO.HTTP_POST_PARAM_SAML2_RESP];
XmlElement AssertionXmlElement = null;
if (samlResponseString != null)
{
string decodedResponse = Encoding.UTF8.GetString(Convert.FromBase64String(samlResponseString));
XmlDocument xmlDoc = new XmlDocument {
PreserveWhitespace = true
};
xmlDoc.LoadXml(decodedResponse);
ValidateSAMLResponseStructure(xmlDoc.DocumentElement);
if (ssoAgentConfig.Saml2.IsResponseSigned)
{
ValidateSignature(xmlDoc);
}
XmlNamespaceManager nsManager = new XmlNamespaceManager(xmlDoc.NameTable);
nsManager.AddNamespace("saml2", "urn:oasis:names:tc:SAML:2.0:assertion");
if (xmlDoc.DocumentElement.SelectSingleNode("//saml2:EncryptedAssertion", nsManager) != null)
{
X509Certificate2 cert = LoadX509Certificate();
List <SecurityToken> serviceTokens = new List <SecurityToken>
{
new X509SecurityToken(cert)
};
var issuers = new ConfigurationBasedIssuerNameRegistry();
// For creating an object of type SecurityTokenHandlerConfiguration,
// we create a dummy issuer.
issuers.AddTrustedIssuer("...thumbprintHere...", "notTheRealName");
var configuration = new SecurityTokenHandlerConfiguration
{
AudienceRestriction = { AudienceMode = AudienceUriMode.Never },
CertificateValidationMode = X509CertificateValidationMode.None,
RevocationMode = X509RevocationMode.NoCheck,
IssuerNameRegistry = issuers,
MaxClockSkew = TimeSpan.FromMinutes(5),
ServiceTokenResolver = new Saml2SSOSecurityTokenResolver(serviceTokens)
};
var tokenHandlers = SecurityTokenHandlerCollection.CreateDefaultSecurityTokenHandlerCollection(configuration);
XmlNodeReader tokenReader = new XmlNodeReader(xmlDoc.DocumentElement.SelectSingleNode("//saml2:EncryptedAssertion", nsManager));
if (tokenHandlers.CanReadToken(tokenReader))
{
SecurityToken token = tokenHandlers.ReadToken(tokenReader);
XElement xElement = ((Saml2SecurityToken)token).Assertion.ToXElement();
AssertionXmlElement = XElementToXMLDocument(xElement).DocumentElement;
}
else
{
throw new Exception("Unreadable token was encountered.");
}
}
else if (xmlDoc.DocumentElement.SelectSingleNode("//saml2:Assertion", nsManager) != null)
{
AssertionXmlElement = (XmlElement)xmlDoc.DocumentElement.SelectSingleNode("//saml2:Assertion", nsManager);
}
ValidateAssertionValidityPeriod(AssertionXmlElement);
ValidateAudienceRestriction(AssertionXmlElement.OwnerDocument);
HttpContext.Current.Session["SessionIndex"] = GetSessionIndex(AssertionXmlElement.OwnerDocument);
HttpContext.Current.Session["Saml2Subject"] = GetSaml2Subject(AssertionXmlElement.OwnerDocument);
HttpContext.Current.Session["claims"] = ProcessAttributeStatement(AssertionXmlElement.OwnerDocument);
}
}
public static AuthenticationConfiguration CreateConfiguration()
{
var config = new AuthenticationConfiguration
{
DefaultAuthenticationScheme = "Basic",
EnableSessionToken = true
};
#region BasicAuthentication
config.AddBasicAuthentication((userName, password) => userName == password, retainPassword: false);
#endregion
#region SimpleWebToken
config.AddSimpleWebToken(
issuer: "http://identity.thinktecture.com/trust",
audience: Constants.Realm,
signingKey: Constants.IdSrvSymmetricSigningKey,
options: AuthenticationOptions.ForAuthorizationHeader("IdSrv"));
#endregion
#region JsonWebToken
config.AddJsonWebToken(
issuer: "http://selfissued.test",
audience: Constants.Realm,
signingKey: Constants.IdSrvSymmetricSigningKey,
options: AuthenticationOptions.ForAuthorizationHeader("JWT"));
#endregion
#region IdentityServer SAML
var idsrvRegistry = new ConfigurationBasedIssuerNameRegistry();
idsrvRegistry.AddTrustedIssuer("A1EED7897E55388FCE60FEF1A1EED81FF1CBAEC6", "Thinktecture IdSrv");
var idsrvConfig = new SecurityTokenHandlerConfiguration();
idsrvConfig.AudienceRestriction.AllowedAudienceUris.Add(new Uri(Constants.Realm));
idsrvConfig.IssuerNameRegistry = idsrvRegistry;
idsrvConfig.CertificateValidator = X509CertificateValidator.None;
config.AddSaml2(idsrvConfig, AuthenticationOptions.ForAuthorizationHeader("IdSrvSaml"));
#endregion
#region ADFS SAML
var adfsRegistry = new ConfigurationBasedIssuerNameRegistry();
adfsRegistry.AddTrustedIssuer("8EC7F962CC083FF7C5997D8A4D5ED64B12E4C174", "ADFS");
adfsRegistry.AddTrustedIssuer("b6 93 46 34 7f 70 a9 c3 72 02 18 ae f1 82 2a 5c 97 b1 8c a5", "PETS ADFS");
var adfsConfig = new SecurityTokenHandlerConfiguration();
adfsConfig.AudienceRestriction.AllowedAudienceUris.Add(new Uri(Constants.Realm));
adfsConfig.IssuerNameRegistry = adfsRegistry;
adfsConfig.CertificateValidator = X509CertificateValidator.None;
config.AddSaml2(adfsConfig, AuthenticationOptions.ForAuthorizationHeader("AdfsSaml"));
#endregion
#region ACS SWT
config.AddSimpleWebToken(
issuer: "https://" + Constants.ACS + "/",
audience: Constants.Realm,
signingKey: Constants.AcsSymmetricSigningKey,
options: AuthenticationOptions.ForAuthorizationHeader("ACS"));
#endregion
#region AccessKey
config.AddAccessKey(token =>
{
if (ObfuscatingComparer.IsEqual(token, "accesskey123"))
{
return(Principal.Create("Custom",
new Claim("customerid", "123"),
new Claim("email", "*****@*****.**")));
}
return(null);
}, AuthenticationOptions.ForQueryString("key"));
#endregion
#region Client Certificate
config.AddClientCertificate(
ClientCertificateMode.ChainValidationWithIssuerSubjectName,
"CN=PortableCA");
#endregion
return(config);
}
public static void AddSaml2(this AuthenticationConfiguration configuration, string issuerThumbprint, string issuerName, string audienceUri, X509CertificateValidator certificateValidator, AuthenticationOptions options, AuthenticationScheme scheme)
{
var registry = new ConfigurationBasedIssuerNameRegistry();
registry.AddTrustedIssuer(issuerThumbprint, issuerName);
var handlerConfig = new SecurityTokenHandlerConfiguration();
handlerConfig.AudienceRestriction.AllowedAudienceUris.Add(new Uri(audienceUri));
handlerConfig.IssuerNameRegistry = registry;
handlerConfig.CertificateValidator = certificateValidator;
configuration.AddSaml2(handlerConfig, options, scheme);
}
/// <summary>
/// Configure ACS endpoint address in Web.config.
/// </summary>
public static void Intialize()
{
// Compute federation metadata address based on web config's
// <system.identityModel.services>\<federationConfiguration>\<wsFederation issuer=""> attribute value
var settings = DependencyResolver.Current.GetService<IPortalFrontendSettings>();
string acsNamespace = settings.AcsNamespace;
// Setup correct issuer name
// Compute federation metadata address based on web config's
// <system.identityModel.services>\<federationConfiguration>\<wsFederation issuer=""> attribute value
string stsMetadataAddress = string.Format(WsFederationMetadata, acsNamespace);
// Update the web config with latest local STS federation meta data each
// time when instance of the application is created
try
{
using (XmlReader metadataReader = XmlReader.Create(stsMetadataAddress))
{
// Creates the xml reader pointing to the updated web.config contents
// Don't validate the cert signing the federation metadata
var serializer = new MetadataSerializer
{
CertificateValidationMode = X509CertificateValidationMode.None,
};
var metadata = (EntityDescriptor)serializer.ReadMetadata(metadataReader);
// Select security token descriptors
SecurityTokenServiceDescriptor descriptor = metadata.RoleDescriptors.OfType<SecurityTokenServiceDescriptor>().FirstOrDefault();
if (descriptor != null)
{
var issuerNameRegistry = new ConfigurationBasedIssuerNameRegistry();
// Try to find and add certificates for trusted issuers
foreach (KeyDescriptor keyDescriptor in descriptor.Keys)
{
if (keyDescriptor.KeyInfo != null && (keyDescriptor.Use == KeyType.Signing || keyDescriptor.Use == KeyType.Unspecified))
{
SecurityKeyIdentifier keyInfo = keyDescriptor.KeyInfo;
X509RawDataKeyIdentifierClause clause;
keyInfo.TryFind(out clause);
if (clause != null)
{
var x509Certificate2 = new X509Certificate2(clause.GetX509RawData());
if (x509Certificate2.Thumbprint != null)
{
issuerNameRegistry.AddTrustedIssuer(x509Certificate2.Thumbprint, x509Certificate2.SubjectName.Name);
}
}
}
}
// Set retrieved issuers
FederatedAuthentication.FederationConfiguration.IdentityConfiguration.IssuerNameRegistry = issuerNameRegistry;
}
metadataReader.Dispose();
}
}
catch (Exception e)
{
Trace.TraceError("Error occured when update web config with latest local STS federation meta data. {0}", e);
return;
}
// Add audience URIs
string portalUri = settings.PortalUri;
// Front-end
var uriBuilder = new UriBuilder(portalUri);
FederatedAuthentication.FederationConfiguration.IdentityConfiguration.AudienceRestriction.AllowedAudienceUris.Add(uriBuilder.Uri);
// Extension
uriBuilder.Path = "/extension/login";
FederatedAuthentication.FederationConfiguration.IdentityConfiguration.AudienceRestriction.AllowedAudienceUris.Add(uriBuilder.Uri);
// Update WS-Federation configuration
FederatedAuthentication.WSFederationAuthenticationModule.Issuer = string.Format(WsFederationIssuer, acsNamespace);
FederatedAuthentication.WSFederationAuthenticationModule.Realm = portalUri;
}
static void Main(string[] args)
{
Console.SetWindowSize(Console.LargestWindowWidth / 2, Console.LargestWindowHeight / 2);
Console.WriteLine("Requesting security token from \"{0}\" for resource \"{1}\"...", PF_IP_STS_Endpoint, IPSTS_appliesTo);
Console.WriteLine();
try
{
// To Issue the initial token (ie the Web Services Client (WSC) doing its thing, we are going to auth with a username and a password
// Issue the initial SAML token
RequestSecurityTokenResponse RSTR_Issue;
SecurityToken token = IssueTokenWithUserNamePassword(subject_username, subject_password, PF_IP_STS_Endpoint, IPSTS_appliesTo, out RSTR_Issue, KeyTypes.Bearer);
// When using Asymmetric Key (HoK) - we need to supply a UseKey
// When using Symmetric Key (HoK) - SP Encryption cert is not defined - unless encryption key available to use as subj confirmation
if (token != null)
{
//show the token
Console.ForegroundColor = ConsoleColor.Green;
Console.WriteLine("{0}", token);
Console.WriteLine();
Console.WriteLine("{0}", RSTR_Issue.RequestedSecurityToken.SecurityTokenXml.InnerXml);
Console.WriteLine();
// At this point we received a token from our STS. We can now use it to authenticate to our web service using it as an IssuedToken.
// ... here is where the WSP kicks in...
//
Console.ForegroundColor = ConsoleColor.Gray;
Console.WriteLine();
Console.WriteLine("Do you want to validate the security token? [Y]");
if (Console.ReadKey(true).Key == ConsoleKey.Y)
{
Console.WriteLine("Validating security token with \"{0}\"...", PF_RP_STS_Endpoint);
Console.WriteLine();
// We are acting as the WSP now. We want to Validate the SAML token against PingFederate's STS
RequestSecurityTokenResponse RSTR_Validate = ValidateSecurityToken(token, PF_RP_STS_Endpoint);
// This will return:
// http://docs.oasis-open.org/ws-sx/ws-trust/200512/status/valid or
// http://docs.oasis-open.org/ws-sx/ws-trust/200512/status/invalid
Console.ForegroundColor = ConsoleColor.Green;
Console.WriteLine("{0}", RSTR_Validate.Status.Code);
Console.WriteLine();
// So we have a valid token supplied by the web services client.... we can grab the claims from there and do as we wish... or.. we can issue a local token
Console.ForegroundColor = ConsoleColor.Gray;
Console.WriteLine();
Console.WriteLine("Do you want to issue a local security token? [Y]");
if (Console.ReadKey(true).Key == ConsoleKey.Y)
{
Console.WriteLine("Requesting \"{0}\" security token from \"{1}\"...", tokenType, PF_RP_STS_Endpoint);
Console.WriteLine();
// We need to make a call to our RP-STS (SP side of PF) to issue a local token (according to our Token Generator)
//SecurityToken localToken = IssueLocalSecurityToken(token, RPSTS_issuerUri, RPSTS_appliesTo, tokenType, keyType);
// I'm going to receive it as a GenericXmlSecurityToken so we can parse it easier later on...
RequestSecurityTokenResponse RSTR_LocalToken;
GenericXmlSecurityToken xmlToken = (GenericXmlSecurityToken)IssueLocalSecurityToken(token, PF_RP_STS_Endpoint, tokenType, out RSTR_LocalToken);
if (xmlToken != null)
{
//show the token
Console.ForegroundColor = ConsoleColor.Green;
Console.WriteLine("{0}", xmlToken);
// parse token to grab the attributes:
if (tokenType == "http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0")
{
// Configure the IssuerNameRegistry
ConfigurationBasedIssuerNameRegistry myIssuerNameRegistry = new ConfigurationBasedIssuerNameRegistry();
myIssuerNameRegistry.AddTrustedIssuer(PF_Signing_Cert_Thumbprint, "RP-STS"); // this is the dsig cert (of my RP-STS) SHA1 thumbprint | name
//inr.AddTrustedIssuer("97463668CD4482AFAC7F341A1C3ABB1010757800", "localhost"); // this is the encryption cert (of my RP-STS - bearer token isn't encrypted tho)
// Define the "verification configuration"
SecurityTokenHandlerConfiguration securityTokenHanderConfig = new SecurityTokenHandlerConfiguration();
securityTokenHanderConfig.AudienceRestriction.AllowedAudienceUris.Add(new Uri("https://www.app.com")); // the Audience defined in the Token Generator
Saml2SecurityTokenHandler saml2TokenHandler = new Saml2SecurityTokenHandler();
securityTokenHanderConfig.IssuerNameRegistry = myIssuerNameRegistry;
saml2TokenHandler.Configuration = securityTokenHanderConfig;
// Parse the token and return a Claims Identity
SecurityToken saml2Token = saml2TokenHandler.ReadToken(new XmlTextReader(new StringReader(xmlToken.TokenXml.OuterXml)));
ClaimsIdentity identity = saml2TokenHandler.ValidateToken(saml2Token).First();
// Spit out the Claims
Console.WriteLine("Attributes in the Assertion.....");
Console.WriteLine("{0}", identity.Name);
foreach (Claim theClaim in identity.Claims)
{
Console.WriteLine("{0} : {1}", theClaim.Type, theClaim.Value);
}
}
else if (tokenType == "http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0")
{
}
}
}
}
}
}
catch (Exception ex)
{
ConsoleColor PreviousColor = Console.ForegroundColor;
Console.ForegroundColor = ConsoleColor.Red;
Console.WriteLine(ex.Message);
if (ex.InnerException != null)
{
Console.WriteLine();
Console.WriteLine(ex.InnerException.Message);
}
Console.ForegroundColor = PreviousColor;
}
Console.ForegroundColor = ConsoleColor.White;
Console.WriteLine();
Console.WriteLine();
Console.WriteLine("Press <enter> to close.");
Console.Read();
}
/// <summary>
/// Configure ACS endpoint address in Web.config.
/// </summary>
public static void Intialize()
{
// Compute federation metadata address based on web config's
// <system.identityModel.services>\<federationConfiguration>\<wsFederation issuer=""> attribute value
var settings = DependencyResolver.Current.GetService <IPortalFrontendSettings>();
string acsNamespace = settings.AcsNamespace;
// Setup correct issuer name
// Compute federation metadata address based on web config's
// <system.identityModel.services>\<federationConfiguration>\<wsFederation issuer=""> attribute value
string stsMetadataAddress = string.Format(WsFederationMetadata, acsNamespace);
// Update the web config with latest local STS federation meta data each
// time when instance of the application is created
try
{
using (XmlReader metadataReader = XmlReader.Create(stsMetadataAddress))
{
// Creates the xml reader pointing to the updated web.config contents
// Don't validate the cert signing the federation metadata
var serializer = new MetadataSerializer
{
CertificateValidationMode = X509CertificateValidationMode.None,
};
var metadata = (EntityDescriptor)serializer.ReadMetadata(metadataReader);
// Select security token descriptors
SecurityTokenServiceDescriptor descriptor = metadata.RoleDescriptors.OfType <SecurityTokenServiceDescriptor>().FirstOrDefault();
if (descriptor != null)
{
var issuerNameRegistry = new ConfigurationBasedIssuerNameRegistry();
// Try to find and add certificates for trusted issuers
foreach (KeyDescriptor keyDescriptor in descriptor.Keys)
{
if (keyDescriptor.KeyInfo != null && (keyDescriptor.Use == KeyType.Signing || keyDescriptor.Use == KeyType.Unspecified))
{
SecurityKeyIdentifier keyInfo = keyDescriptor.KeyInfo;
X509RawDataKeyIdentifierClause clause;
keyInfo.TryFind(out clause);
if (clause != null)
{
var x509Certificate2 = new X509Certificate2(clause.GetX509RawData());
if (x509Certificate2.Thumbprint != null)
{
issuerNameRegistry.AddTrustedIssuer(x509Certificate2.Thumbprint, x509Certificate2.SubjectName.Name);
}
}
}
}
// Set retrieved issuers
FederatedAuthentication.FederationConfiguration.IdentityConfiguration.IssuerNameRegistry = issuerNameRegistry;
}
metadataReader.Dispose();
}
}
catch (Exception e)
{
Trace.TraceError("Error occured when update web config with latest local STS federation meta data. {0}", e);
return;
}
// Add audience URIs
string portalUri = settings.PortalUri;
// Front-end
var uriBuilder = new UriBuilder(portalUri);
FederatedAuthentication.FederationConfiguration.IdentityConfiguration.AudienceRestriction.AllowedAudienceUris.Add(uriBuilder.Uri);
// Extension
uriBuilder.Path = "/extension/login";
FederatedAuthentication.FederationConfiguration.IdentityConfiguration.AudienceRestriction.AllowedAudienceUris.Add(uriBuilder.Uri);
// Update WS-Federation configuration
FederatedAuthentication.WSFederationAuthenticationModule.Issuer = string.Format(WsFederationIssuer, acsNamespace);
FederatedAuthentication.WSFederationAuthenticationModule.Realm = portalUri;
}
public static AuthenticationConfiguration CreateConfiguration()
{
var config = new AuthenticationConfiguration
{
DefaultAuthenticationScheme = "Basic",
EnableSessionToken = true
};
#region BasicAuthentication
config.AddBasicAuthentication((userName, password) => userName == password);
#endregion
#region SimpleWebToken
config.AddSimpleWebToken(
issuer: Constants.IdSrvIssuerName,
audience: Constants.Realm,
signingKey: Constants.IdSrvSymmetricSigningKey,
options: AuthenticationOptions.ForAuthorizationHeader("IdSrv"));
#endregion
#region JsonWebToken
config.AddJsonWebToken(
issuer: "http://selfissued.test",
audience: Constants.Realm,
signingKey: Constants.IdSrvSymmetricSigningKey,
options: AuthenticationOptions.ForAuthorizationHeader("JWT"));
#endregion
#region IdentityServer SAML
var idsrvRegistry = new ConfigurationBasedIssuerNameRegistry();
idsrvRegistry.AddTrustedIssuer(Constants.IdSrvSamlSigningKeyThumbprint, "Thinktecture IdSrv");
var idsrvConfig = new SecurityTokenHandlerConfiguration();
idsrvConfig.AudienceRestriction.AllowedAudienceUris.Add(new Uri(Constants.Realm));
idsrvConfig.IssuerNameRegistry = idsrvRegistry;
idsrvConfig.CertificateValidator = X509CertificateValidator.None;
config.AddSaml2(idsrvConfig, AuthenticationOptions.ForAuthorizationHeader("IdSrvSaml"));
#endregion
#region ADFS SAML
var adfsRegistry = new ConfigurationBasedIssuerNameRegistry();
adfsRegistry.AddTrustedIssuer(Constants.AdfsSamlSigningKeyThumbprint, "ADFS");
var adfsConfig = new SecurityTokenHandlerConfiguration();
adfsConfig.AudienceRestriction.AllowedAudienceUris.Add(new Uri(Constants.Realm));
adfsConfig.IssuerNameRegistry = adfsRegistry;
adfsConfig.CertificateValidator = X509CertificateValidator.None;
config.AddSaml2(adfsConfig, AuthenticationOptions.ForAuthorizationHeader("AdfsSaml"));
#endregion
#region ACS SWT
config.AddSimpleWebToken(
issuer: "https://" + Constants.ACS + "/",
audience: Constants.Realm,
signingKey: Constants.AcsSymmetricSigningKey,
options: AuthenticationOptions.ForAuthorizationHeader("ACS"));
#endregion
#region AccessKey
config.AddAccessKey(token =>
{
if (ObfuscatingComparer.IsEqual(token, "accesskey123"))
{
return Principal.Create("Custom",
new Claim("customerid", "123"),
new Claim("email", "*****@*****.**"));
}
return null;
}, AuthenticationOptions.ForQueryString("key"));
#endregion
return config;
}
public static void Register(HttpConfiguration config)
{
var authConfig = new AuthenticationConfiguration
{
RequireSsl = false,
ClaimsAuthenticationManager = new ClaimsTransformer(),
EnableSessionToken = true,
//SessionToken = new SessionTokenConfiguration()
// {
// EndpointAddress = "apiArea/fuel/token"
// }
};
var registry = new ConfigurationBasedIssuerNameRegistry();
registry.AddTrustedIssuer(System.Configuration.ConfigurationManager.AppSettings["SigningThumbPrint"], System.Configuration.ConfigurationManager.AppSettings["IssuerURI"]);
var handlerConfig = new SecurityTokenHandlerConfiguration();
handlerConfig.AudienceRestriction.AllowedAudienceUris.Add(new Uri(System.Configuration.ConfigurationManager.AppSettings["AudianceUri"]));
handlerConfig.IssuerNameRegistry = registry;
handlerConfig.CertificateValidator = X509CertificateValidator.None;
handlerConfig.ServiceTokenResolver = new X509CertificateStoreTokenResolver(StoreName.My, StoreLocation.LocalMachine);
authConfig.AddSaml2(handlerConfig, AuthenticationOptions.ForAuthorizationHeader("SAML"), AuthenticationScheme.SchemeOnly("SAML"));
config.MessageHandlers.Add(new AuthenticationHandler(authConfig));
config.Routes.MapHttpRoute(
name: "DefaultApi",
routeTemplate: "api/{controller}/{id}",
defaults: new
{
id = RouteParameter.Optional
}
);
config.Routes.MapHttpRoute(
name: "OffhirePricingValueRoute",
routeTemplate: "apiArea/{area}/OffhirePricingValue/",
defaults: new
{
controller = "OffhirePricingValue"
}
);
//{startDateTime:datetime:regex(\d{4}\d{2}\d{2} \d{2}\d{2}\d{2})}
//{startDateTime:datetime:regex(\\d{4}\\d{2}\\d{2}\\d{2}\\d{2}\\d{2})}
// [Route("date/{pubdate:datetime:regex(\\d{4}-\\d{2}-\\d{2})}")]
//[Route("date/{*pubdate:datetime:regex(\\d{4}/\\d{2}/\\d{2})}")]
config.Routes.MapHttpRoute(
name: "OffhireManagementSystemPreparedDataRoute",
routeTemplate: "apiArea/{area}/OffhireManagementSystem/{referenceNumber}/PreparedData/{introducerId}",
defaults: new
{
controller = "OffhireManagementSystemPreparedData"
}
);
config.Routes.MapHttpRoute(
name: "OffhireManagementSystemRoute",
routeTemplate: "apiArea/{area}/OffhireManagementSystem/{referenceNumber}",
defaults: new
{
controller = "OffhireManagementSystem",
referenceNumber = RouteParameter.Optional
}
);
config.Routes.MapHttpRoute(
name: "OffhireDetailRoute",
routeTemplate: "apiArea/{area}/Offhire/{id}/Detail/{detailId}",
defaults: new
{
controller = "OffhireDetail",
detailId = RouteParameter.Optional
}
);
config.Routes.MapHttpRoute(
name: "OffhireRoute",
routeTemplate: "apiArea/{area}/Offhire/{id}",
defaults: new
{
controller = "Offhire",
vesselId = RouteParameter.Optional
}
);
config.Routes.MapHttpRoute(
name: "CompanyOwnedVesselRoute",
routeTemplate: "apiArea/{area}/Company/{id}/OwnedVessel/{vesselId}",
defaults: new
{
controller = "CompanyOwnedVessel",
vesselId = RouteParameter.Optional
}
);
config.Routes.MapHttpRoute(
name: "ScrapInventoryOperationRoute",
routeTemplate: "apiArea/{area}/Scrap/{id}/InventoryOperation/{operationId}",
defaults: new
{
controller = "ScrapInventoryOperation",
operationId = RouteParameter.Optional
}
);
config.Routes.MapHttpRoute(
name: "ScrapDetailRoute",
routeTemplate: "apiArea/{area}/Scrap/{id}/Detail/{detailId}",
defaults: new
{
controller = "ScrapDetail",
detailId = RouteParameter.Optional
}
);
config.Routes.MapHttpRoute(
name: "ScrapRoute",
routeTemplate: "apiArea/{area}/Scrap/{id}",
defaults: new
{
controller = "Scrap",
id = RouteParameter.Optional
}
);
config.Routes.MapHttpRoute(
name: "VoyageLogRoute",
routeTemplate: "apiArea/{area}/Voyage/{voyageId}/Log/",
defaults: new
{
controller = "VoyageLog",
}
);
config.Routes.MapHttpRoute(
name: "VoyageRoute",
routeTemplate: "apiArea/{area}/Voyage/{id}",
defaults: new
{
controller = "Voyage",
id = RouteParameter.Optional
}
);
config.Routes.MapHttpRoute(
name: "FuelReportInventoryResultRoute",
routeTemplate: "apiArea/{area}/FuelReport/{id}/InventoryResult/",
defaults: new
{
controller = "FuelReportInventoryResult",
}
);
config.Routes.MapHttpRoute(
name: "FuelReportDetailInventoryOperationRoute",
routeTemplate: "apiArea/{area}/FuelReport/{id}/Detail/{detailId}/InventoryOperation/{operationId}",
defaults: new
{
controller = "FuelReportDetailInventoryOperation",
operationId = RouteParameter.Optional
}
);
config.Routes.MapHttpRoute(
name: "FuelReportDetailRoute",
routeTemplate: "apiArea/{area}/FuelReport/{id}/Detail/{detailId}",
defaults: new
{
controller = "FuelReportDetail",
detailId = RouteParameter.Optional
}
);
config.Routes.MapHttpRoute(
name: "OrderItemRoute",
routeTemplate: "apiArea/{area}/Order/{id}/OrderItem/{orderItemId}",
defaults: new
{
controller = "OrderItem",
orderItemId = RouteParameter.Optional
}
);
config.Routes.MapHttpRoute(
name: "InvoiceItemRoute",
routeTemplate: "apiArea/{area}/Invoice/{id}/InvoiceItem/{invoiceItemId}",
defaults: new
{
controller = "InvoiceItem",
invoiceItemId = RouteParameter.Optional
}
);
config.Routes.MapHttpRoute(
name: "MainUnitValue",
routeTemplate: "apiArea/{area}/MainUnit/{goodId}/{goodUnitId}/{value}",
defaults: new
{
controller = "OrderItem",
});
config.Routes.MapHttpRoute(
name: "CharterItemRoute",
routeTemplate: "apiArea/{area}/Charter/{id}/CharterItem/{charterItemId}",
defaults: new
{
controller = "CharterItem",
charterItemId = RouteParameter.Optional
}
);
config.Routes.MapHttpRoute(
name: "Default_apiArea",
routeTemplate: "apiArea/{area}/{controller}/{id}",
defaults: new { id = RouteParameter.Optional }
);
config.Routes.MapHttpRoute(
name: "apiAreaWithAction",
routeTemplate: "apiArea/{area}/{controller}/{action}/{id}",
defaults: new { id = RouteParameter.Optional }
);
config.Routes.MapHttpRoute(
name: "Default_areaApi",
routeTemplate: "apiArea/{area}/{controller}/{action}/{id}",
// "apiArea/Order/{id}/OrderDetail/{DetailId}",
defaults: new { action = "UpdateOrderItem", id = RouteParameter.Optional }
);
config.Filters.Add(DependencyResolver.Current.GetService<GlobalExceptionHandlingAttribute>());
}
public static void Register(HttpConfiguration config)
{
var authConfig = new AuthenticationConfiguration
{
RequireSsl = false,
ClaimsAuthenticationManager = new ClaimsTransformer(),
EnableSessionToken = true,
};
var registry = new ConfigurationBasedIssuerNameRegistry();
registry.AddTrustedIssuer(System.Configuration.ConfigurationManager.AppSettings["SigningThumbPrint"], System.Configuration.ConfigurationManager.AppSettings["IssuerURI"]);
var handlerConfig = new SecurityTokenHandlerConfiguration();
handlerConfig.AudienceRestriction.AllowedAudienceUris.Add(new Uri(System.Configuration.ConfigurationManager.AppSettings["AudianceUri"]));
handlerConfig.IssuerNameRegistry = registry;
handlerConfig.CertificateValidator = X509CertificateValidator.None;
handlerConfig.ServiceTokenResolver = new X509CertificateStoreTokenResolver(StoreName.My, StoreLocation.LocalMachine);
authConfig.AddSaml2(handlerConfig, AuthenticationOptions.ForAuthorizationHeader("SAML"), AuthenticationScheme.SchemeOnly("SAML"));
config.MessageHandlers.Add(new AuthenticationHandler(authConfig));
config.Routes.MapHttpRoute(
name: "UsersCurrentPermittedUser",
routeTemplate: "api/Users/{logonUserName}/CurrentPermittedUser",
defaults: new { Controller = "UsersCurrentPermittedUser", id = RouteParameter.Optional });
//constraints:new {httpMethod = new System.Web.Http.Routing.HttpMethodConstraint(HttpMethod.Get,HttpMethod.Post)});
config.Routes.MapHttpRoute(
name: "Calculations",
routeTemplate: "api/Periods/{PeriodId}/Calculations/{id}",
defaults: new { Controller = "Calculations", id = RouteParameter.Optional });
config.Routes.MapHttpRoute(
name: "CalculationsState",
routeTemplate: "api/Periods/{PeriodId}/Calculations/{id}/State",
defaults: new { Controller = "CalculationsState", id = RouteParameter.Optional });
config.Routes.MapHttpRoute(
name: "CalculationsExceptions",
routeTemplate: "api/Periods/{PeriodId}/Calculations/{calculationId}/Exceptions/{id}",
defaults: new { Controller = "CalculationsExceptions", id = RouteParameter.Optional });
config.Routes.MapHttpRoute(
name: "JobIndexPoints",
routeTemplate: "api/Periods/{PeriodId}/Calculations/{CalculationId}/JobIndexpoints/{id}",
defaults: new { Controller = "JobIndexPoints", id = RouteParameter.Optional });
config.Routes.MapHttpRoute(
name: "JobCustomFields",
routeTemplate: "api/Jobs/{jobId}/CustomFields/{id}",
defaults: new { Controller = "JobCustomFields", id = RouteParameter.Optional });
config.Routes.MapHttpRoute(
name: "PeriodState",
routeTemplate: "api/Periods/{id}/State",
defaults: new { Controller = "PeriodsState", id = RouteParameter.Optional });
config.Routes.MapHttpRoute(
name: "PeriodSourceDestinationState",
routeTemplate: "api/SourcePeriods/{sourcePeriodId}/DestinationPeriods/{destinationPeriodId}/State",
defaults: new { Controller = "PeriodSourceDestinationState", id = RouteParameter.Optional });
config.Routes.MapHttpRoute(
name: "PolicyFunctions",
routeTemplate: "api/Policies/{PolicyId}/Functions/{id}",
defaults: new { Controller = "PolicyFunctions", id = RouteParameter.Optional });
config.Routes.MapHttpRoute(
name: "PolicyRules",
routeTemplate: "api/Policies/{PolicyId}/Rules/{id}",
defaults: new { Controller = "PolicyRules", id = RouteParameter.Optional });
config.Routes.MapHttpRoute(
name: "PolicyRuleTrails",
routeTemplate: "api/Policies/{policyId}/Rules/{ruleId}/Trails/{id}",
defaults: new { Controller = "PolicyRuleTrails", id = RouteParameter.Optional });
config.Routes.MapHttpRoute(
name: "PolicyRuleCompilations",
routeTemplate: "api/Policies/{PolicyId}/RuleCompilations/{id}",
defaults: new { Controller = "RuleCompilations", id = RouteParameter.Optional });
config.Routes.MapHttpRoute(
name: "PeriodUnits",
routeTemplate: "api/Periods/{PeriodId}/Units/{id}",
defaults: new { Controller = "PeriodUnits", id = RouteParameter.Optional });
config.Routes.MapHttpRoute(
name: "UnitInquirySubjectsController",
routeTemplate: "api/Periods/{PeriodId}/Units/{UnitId}/InquirySubjects",
defaults: new { Controller = "UnitInquirySubjects", id = RouteParameter.Optional });
config.Routes.MapHttpRoute(
name: "UnitVerifiersController",
routeTemplate: "api/Periods/{PeriodId}/Units/{UnitId}/Verifiers",
defaults: new { Controller = "UnitVerifiers", id = RouteParameter.Optional });
config.Routes.MapHttpRoute(
name: "InquirerInquiryUnits",
routeTemplate: "api/Periods/{PeriodId}/Inquirers/{InquirerEmployeeNo}/InquiryUnits",
defaults: new { Controller = "InquirerInquiryUnits", id = RouteParameter.Optional });
config.Routes.MapHttpRoute(
name: "EmployeeUnits",
routeTemplate: "api/Periods/{PeriodId}/Employees/{EmployeeNo}/Units",
defaults: new { Controller = "EmployeeUnits", id = RouteParameter.Optional });
config.Routes.MapHttpRoute(
name: "InquiryUnitInquiryUnitIndexPoints",
routeTemplate:
"api/Periods/{PeriodId}/Inquirers/{InquirerEmployeeNo}/Units/{unitId}/InquiryUnitIndexPoints",
defaults: new { Controller = "InquiryUnitInquiryUnitIndexPoints", id = RouteParameter.Optional });
config.Routes.MapHttpRoute(
name: "PeriodEmployees",
routeTemplate: "api/Periods/{PeriodId}/Employees/{id}",
defaults: new { Controller = "PeriodEmployees", id = RouteParameter.Optional });
config.Routes.MapHttpRoute(
name: "EmployeeJobPositions",
routeTemplate: "api/Periods/{PeriodId}/Employees/{EmployeeNo}/JobPositions",
defaults: new { Controller = "EmployeeJobPositions", id = RouteParameter.Optional });
config.Routes.MapHttpRoute(
name: "PeriodJobPositions",
routeTemplate: "api/Periods/{PeriodId}/JobPositions/{id}",
defaults: new { Controller = "PeriodJobPositions", id = RouteParameter.Optional });
config.Routes.MapHttpRoute(
name: "PeriodJobIndex",
routeTemplate: "api/Periods/{PeriodId}/JobIndices/{id}",
defaults: new { Controller = "PeriodJobIndex", id = RouteParameter.Optional });
config.Routes.MapHttpRoute(
name: "PeriodUnitIndex",
routeTemplate: "api/Periods/{PeriodId}/UnitIndices/{id}",
defaults: new { Controller = "PeriodUnitIndex", id = RouteParameter.Optional });
config.Routes.MapHttpRoute(
name: "PeriodJobs",
routeTemplate: "api/Periods/{PeriodId}/Jobs/{id}",
defaults: new { Controller = "PeriodJobs", id = RouteParameter.Optional });
config.Routes.MapHttpRoute(
name: "JobIndexCustomFields",
routeTemplate: "api/JobIndices/{jobindexid}/CustomFields/{id}",
defaults: new { Controller = "CustomFields", id = RouteParameter.Optional });
config.Routes.MapHttpRoute(
name: "JobPositionJobs",
routeTemplate: "api/Periods/{PeriodId}/JobPositions/{JobPositionId}/Jobs",
defaults: new { Controller = "JobPositionJobs", id = RouteParameter.Optional });
config.Routes.MapHttpRoute(
name: "JobPositionInquirySubjects",
routeTemplate: "api/Periods/{PeriodId}/JobPositions/{JobPositionId}/InquirySubjects",
defaults: new { Controller = "JobPositionInquirySubjects", id = RouteParameter.Optional });
config.Routes.MapHttpRoute(
name: "InquirySubjectInquirers",
routeTemplate: "api/Periods/{PeriodId}/JobPositions/{JobPositionId}/InquirySubjects/{InquirySubjectEmployeeNo}/Inquirers",
defaults: new { Controller = "InquirySubjectInquirers", id = RouteParameter.Optional });
config.Routes.MapHttpRoute(
name: "InquirerInquirySubjects",
routeTemplate: "api/Periods/{PeriodId}/Inquirers/{InquirerEmployeeNo}/InquirySubjects",
defaults: new { Controller = "InquirerInquirySubjects", id = RouteParameter.Optional });
config.Routes.MapHttpRoute(
name: "InquirerInquiryIndices",
routeTemplate: "api/Periods/{PeriodId}/Inquirers/{InquirerEmployeeNo}/InquiryIndices",
defaults: new { Controller = "InquirerInquiryIndices", id = RouteParameter.Optional });
config.Routes.MapHttpRoute(
name: "InquirySubjectJobPositionInquiryJobIndexPoints",
routeTemplate:
"api/Periods/{PeriodId}/Inquirers/{InquirerEmployeeNo}/InquirySubjects/{InquirySubjectEmployeeNo}/JobPositions/{JobPositionId}/InquiryJobIndexPoints",
defaults: new { Controller = "InquirySubjectJobPositionInquiryJobIndexPoints", id = RouteParameter.Optional });
config.Routes.MapHttpRoute(
name: "InquiryIndexInquiryJobIndexPoints",
routeTemplate:
"api/Periods/{PeriodId}/Inquirers/{InquirerEmployeeNo}/InquiryIndices/{jobIndexId}/InquiryJobIndexPoints",
defaults: new { Controller = "InquiryIndexInquiryJobIndexPoints", id = RouteParameter.Optional });
config.Routes.MapHttpRoute(
name: "PeriodClaims",
routeTemplate: "api/Periods/{PeriodId}/Claims/{id}",
defaults: new { Controller = "PeriodClaims", id = RouteParameter.Optional });
config.Routes.MapHttpRoute(
name: "PeriodClaimStates",
routeTemplate: "api/Periods/{PeriodId}/ClaimStates",
defaults: new { Controller = "PeriodClaimStates", id = RouteParameter.Optional });
config.Routes.MapHttpRoute(
name: "PeriodClaimTypes",
routeTemplate: "api/Periods/{PeriodId}/ClaimTypes",
defaults: new { Controller = "PeriodClaimTypes", id = RouteParameter.Optional });
config.Routes.MapHttpRoute(
name: "DefaultApi",
routeTemplate: "api/{controller}/{id}",
defaults: new { id = RouteParameter.Optional });
config.Formatters.Add(new PlainTextFormatter());
config.Filters.Add(new GlobalExceptionFilterAttribute());
config.Formatters.JsonFormatter.SerializerSettings.TypeNameHandling = TypeNameHandling.Auto;
config.Formatters.JsonFormatter.SerializerSettings.TypeNameAssemblyFormat = System.Runtime.Serialization.Formatters.FormatterAssemblyStyle.Simple;
config.Formatters.JsonFormatter.SerializerSettings.ReferenceLoopHandling
= ReferenceLoopHandling.Serialize;
config.Formatters.JsonFormatter.SerializerSettings.PreserveReferencesHandling
= PreserveReferencesHandling.Objects;
config.Services.RemoveAll(typeof(System.Web.Http.Validation.ModelValidatorProvider), v => v is InvalidModelValidatorProvider);
}
static void Main(string[] args)
{
{
// read token
var jwtHandler = new JwtSecurityTokenHandler();
//string jwtEncodedString = "eyJ0eXAiOiJKV1QiLCJhbGciOiJodHRwOi8vd3d3LnczLm9yZy8yMDAwLzA5L3htbGRzaWcjcnNhLXNoYTEiLCJ4NXQiOiI0dnk1YV9oM0NVcFJEd3QzbUFCSUdaWlgxMWcifQ.eyJpc3MiOiJodHRwczovL3YtbGFiL2NyYXNlcnZpY2UiLCJhdWQiOiJodHRwczovL3YtbGFiL2NyYXNlcnZpY2UiLCJuYmYiOjE0NDEzNzg0MTQsImV4cCI6MTQ0MTk4MzIxNCwidW5pcXVlX25hbWUiOiJXZW5qdW4iLCJnaXZlbl9uYW1lIjoiV2VuanVuIiwiZ3JvdXAiOlsiUkFZTUFSS0xBQlxcRG9tYWluIEFkbWlucyIsIlJBWU1BUktMQUJcXERvbWFpbiBVc2VycyJdLCJhdXRobWV0aG9kIjoiaHR0cDovL3NjaGVtYXMubWljcm9zb2Z0LmNvbS93cy8yMDA4LzA2L2lkZW50aXR5L2F1dGhlbnRpY2F0aW9ubWV0aG9kL3Bhc3N3b3JkIiwiYXV0aF90aW1lIjoiMjAxNS0wOS0wNFQxNDo1MzoyNi4xNDdaIn0.NTEU48x2-faKVISrv50ucfwJSma4lDuAFGOe5e6QScOxT7rNUilyn3SxIsUVtRKVDLY1Inof8FhARiBUXcoED153z9EyQVoqX4xgWwTccKzcRGdwELn77iK1bGl_Mb51mj4QWbDARSVXS3m4fMrS4V70XuDXhWM5bv7xpRUxW5ibkMu6Ih60OVUvStLb7XM1RZ3mvtqjFhOTO1Omsng5gU2OViLsuPBoNCi-nMyi47qKz5R3X502uFvCQirLud3Igjc0OqMhRkZzz-NNAvo4i_78fTmvrltyLMxHgTuiM7w9vGsGQ-u6SA-PR9LT3lkIlhtuzkBZLi1wWS55Gmc-1g";
string jwtEncodedString = "eyJ0eXAiOiJKV1QiLCJhbGciOiJodHRwOi8vd3d3LnczLm9yZy8yMDAwLzA5L3htbGRzaWcjcnNhLXNoYTEiLCJ4NXQiOiI0dnk1YV9oM0NVcFJEd3QzbUFCSUdaWlgxMWcifQ.eyJpc3MiOiJodHRwczovL3YtbGFiL2NyYXNlcnZpY2UiLCJhdWQiOiJodHRwczovL3YtbGFiL2NyYXNlcnZpY2UiLCJuYmYiOjE0NDEzNzg0MTQsImV4cCI6MTQ0MTk4MzIxNCwidW5pcXVlX25hbWUiOiJXZW5qdW4iLCJnaXZlbl9uYW1lIjoiV2VuanVuIiwiZ3JvdXAiOlsiUkFZTUFSS0xBQlxcRG9tYWluIEFkbWlucyIsIlJBWU1BUktMQUJcXERvbWFpbiBVc2VycyJdLCJhdXRobWV0aG9kIjoiaHR0cDovL3NjaGVtYXMubWljcm9zb2Z0LmNvbS93cy8yMDA4LzA2L2lkZW50aXR5L2F1dGhlbnRpY2F0aW9ubWV0aG9kL3Bhc3N3b3JkIiwiYXV0aF90aW1lIjoiMjAxNS0wOS0wNFQxNDo1MzoyNi4xNDdaIn0.NTEU48x2-faKVISrv50ucfwJSma4lDuAFGOe5e6QScOxT7rNUilyn3SxIsUVtRKVDLY1Inof8FhARiBUXcoED153z9EyQVoqX4xgWwTccKzcRGdwELn77iK1bGl_Mb51mj4QWbDARSVXS3m4fMrS4V70XuDXhWM5bv7xpRUxW5ibkMu6Ih60OVUvStLb7XM1RZ3mvtqjFhOTO1Omsng5gU2OViLsuPBoNCi-nMyi47qKz5R3X502uFvCQirLud3Igjc0OqMhRkZzz-NNAvo4i_78fTmvrltyLMxHgTuiM7w9vGsGQ-u6SA-PR9LT3lkIlhtuzkBZLi1wWS55Gmc-1g";
SecurityToken sToken = jwtHandler.ReadToken(jwtEncodedString);
X509Store store = new X509Store(StoreName.TrustedPeople, StoreLocation.LocalMachine);
store.Open(OpenFlags.ReadOnly);
var cs = store.Certificates.Find(X509FindType.FindByThumbprint, "E2FCB96BF877094A510F0B77980048199657D758", false);
X509Certificate2 certificate = store.Certificates.Find(X509FindType.FindByThumbprint, "E2FCB96BF877094A510F0B77980048199657D758", false)[0];
TokenValidationParameters validationParameters = new TokenValidationParameters()
{
AllowedAudience = "https://v-lab/craservice",
ValidIssuer = "https://v-lab/craservice",
// Fetch the signing token from the FederationMetadata document of the tenant.
SigningToken = new X509SecurityToken(certificate)
};
var claims1 = jwtHandler.ValidateToken(jwtEncodedString, validationParameters);
{
var configuration = new SecurityTokenHandlerConfiguration();
configuration.AudienceRestriction.AudienceMode = AudienceUriMode.Never;
configuration.CertificateValidationMode = X509CertificateValidationMode.None;
configuration.RevocationMode = X509RevocationMode.NoCheck;
configuration.CertificateValidator = X509CertificateValidator.None;
var registry = new ConfigurationBasedIssuerNameRegistry();
registry.AddTrustedIssuer("e2fcb96bf877094a510f0b77980048199617d758", "V-LAB.RAYMARKLAB.COM");
configuration.IssuerNameRegistry = registry;
jwtHandler.Configuration = configuration;
//var claimP = jwtHandler.ValidateToken(jwtEncodedString);
var claims = jwtHandler.ValidateToken(sToken);
}
}
/////////////////////////////////////////////////////////////////////////////////////////////////////////
{
const string relyingPartyId = "https://adfsserver.security.net/MyApp"; //ID of the relying party in AD FS
const string adfsEndpoint = "https://adfsserver.security.net/adfs/services/trust/13/windowsmixed";
const string certSubject = "CN=adfsserver.security.net";
//Setup the connection to ADFS
var factory = new WSTrustChannelFactory(new WindowsWSTrustBinding(SecurityMode.TransportWithMessageCredential), new EndpointAddress(adfsEndpoint))
{
TrustVersion = TrustVersion.WSTrust13
};
//Setup the request object
var rst = new RequestSecurityToken
{
RequestType = RequestTypes.Issue,
KeyType = KeyTypes.Bearer,
AppliesTo = new EndpointReference(relyingPartyId)
};
//Open a connection to ADFS and get a token for the logged in user
var channel = factory.CreateChannel();
var genericToken = channel.Issue(rst) as GenericXmlSecurityToken;
if (genericToken != null)
{
//Setup the handlers needed to convert the generic token to a SAML Token
var tokenHandlers = new SecurityTokenHandlerCollection(new SecurityTokenHandler[] { new SamlSecurityTokenHandler() });
tokenHandlers.Configuration.AudienceRestriction = new AudienceRestriction();
tokenHandlers.Configuration.AudienceRestriction.AllowedAudienceUris.Add(new Uri(relyingPartyId));
var trusted = new TrustedIssuerNameRegistry(certSubject);
tokenHandlers.Configuration.IssuerNameRegistry = trusted;
//convert the generic security token to a saml token
var samlToken = tokenHandlers.ReadToken(new XmlTextReader(new StringReader(genericToken.TokenXml.OuterXml)));
//convert the saml token to a claims principal
var claimsPrincipal = new ClaimsPrincipal(tokenHandlers.ValidateToken(samlToken).First());
//Display token information
Console.WriteLine("Name : " + claimsPrincipal.Identity.Name);
Console.WriteLine("Auth Type : " + claimsPrincipal.Identity.AuthenticationType);
Console.WriteLine("Is Authed : " + claimsPrincipal.Identity.IsAuthenticated);
foreach (var c in claimsPrincipal.Claims)
{
Console.WriteLine(c.Type + " / " + c.Value);
}
Console.ReadLine();
}
}
/////////////////////////////////////////////////////////////////////////////////////////////////////////
{
var stsEndpoint = "https://[server]/adfs/services/trust/13/windowstransport";
var relayPartyUri = "https://localhost:8080/WebApp";
var factory = new WSTrustChannelFactory(
new WindowsWSTrustBinding(SecurityMode.Transport),
new EndpointAddress(stsEndpoint));
factory.TrustVersion = TrustVersion.WSTrust13;
var rst = new RequestSecurityToken
{
RequestType = RequestTypes.Issue,
//AppliesTo = new EndpointAddress(relayPartyUri),
AppliesTo = new EndpointReference(relayPartyUri),
KeyType = KeyTypes.Symmetric
};
var channel = factory.CreateChannel();
SecurityToken token = channel.Issue(rst);
}
/////////////////////////////////////////////////////////////////////////////////////////////////////////
{
var stsEndpoint = "https://[server]/adfs/services/trust/13/UsernameMixed";
var relayPartyUri = "https://localhost:8080/WebApp";
var factory = new WSTrustChannelFactory(
new UserNameWSTrustBinding(SecurityMode.TransportWithMessageCredential),
new EndpointAddress(stsEndpoint));
factory.TrustVersion = TrustVersion.WSTrust13;
// Username and Password here...
factory.Credentials.UserName.UserName = "";
factory.Credentials.UserName.Password = "";
var rst = new RequestSecurityToken
{
RequestType = RequestTypes.Issue,
//AppliesTo = new EndpointAddress(relayPartyUri),
AppliesTo = new EndpointReference(relayPartyUri),
KeyType = KeyTypes.Bearer,
};
var channel = factory.CreateChannel();
SecurityToken token = channel.Issue(rst);
}
}
public static AuthenticationConfiguration CreateConfiguration()
{
var config = new AuthenticationConfiguration
{
DefaultAuthenticationScheme = "Basic",
EnableSessionToken = true
};
#region BasicAuthentication
config.AddBasicAuthentication((userName, password) => userName == password, retainPassword: false);
#endregion
#region SimpleWebToken
config.AddSimpleWebToken(
issuer: "http://identity.thinktecture.com/trust",
audience: Constants.Realm,
signingKey: Constants.IdSrvSymmetricSigningKey,
options: AuthenticationOptions.ForAuthorizationHeader("IdSrv"));
#endregion
#region JsonWebToken
config.AddJsonWebToken(
issuer: "http://selfissued.test",
audience: Constants.Realm,
signingKey: Constants.IdSrvSymmetricSigningKey,
options: AuthenticationOptions.ForAuthorizationHeader("JWT"));
#endregion
#region IdentityServer SAML
var idsrvRegistry = new ConfigurationBasedIssuerNameRegistry();
idsrvRegistry.AddTrustedIssuer("A1EED7897E55388FCE60FEF1A1EED81FF1CBAEC6", "Thinktecture IdSrv");
var idsrvConfig = new SecurityTokenHandlerConfiguration();
idsrvConfig.AudienceRestriction.AllowedAudienceUris.Add(new Uri(Constants.Realm));
idsrvConfig.IssuerNameRegistry = idsrvRegistry;
idsrvConfig.CertificateValidator = X509CertificateValidator.None;
config.AddSaml2(idsrvConfig, AuthenticationOptions.ForAuthorizationHeader("IdSrvSaml"));
#endregion
#region ADFS SAML
var adfsRegistry = new ConfigurationBasedIssuerNameRegistry();
adfsRegistry.AddTrustedIssuer("8EC7F962CC083FF7C5997D8A4D5ED64B12E4C174", "ADFS");
adfsRegistry.AddTrustedIssuer("b6 93 46 34 7f 70 a9 c3 72 02 18 ae f1 82 2a 5c 97 b1 8c a5", "PETS ADFS");
var adfsConfig = new SecurityTokenHandlerConfiguration();
adfsConfig.AudienceRestriction.AllowedAudienceUris.Add(new Uri(Constants.Realm));
adfsConfig.IssuerNameRegistry = adfsRegistry;
adfsConfig.CertificateValidator = X509CertificateValidator.None;
config.AddSaml2(adfsConfig, AuthenticationOptions.ForAuthorizationHeader("AdfsSaml"));
#endregion
#region ACS SWT
config.AddSimpleWebToken(
issuer: "https://" + Constants.ACS + "/",
audience: Constants.Realm,
signingKey: Constants.AcsSymmetricSigningKey,
options: AuthenticationOptions.ForAuthorizationHeader("ACS"));
#endregion
#region AccessKey
config.AddAccessKey(token =>
{
if (ObfuscatingComparer.IsEqual(token, "accesskey123"))
{
return Principal.Create("Custom",
new Claim("customerid", "123"),
new Claim("email", "*****@*****.**"));
}
return null;
}, AuthenticationOptions.ForQueryString("key"));
#endregion
#region Client Certificate
config.AddClientCertificate(
ClientCertificateMode.ChainValidationWithIssuerSubjectName,
"CN=PortableCA");
#endregion
return config;
}
public static AuthenticationConfiguration CreateConfiguration()
{
var config = new AuthenticationConfiguration
{
DefaultAuthenticationScheme = "Basic",
};
#region Basic Authentication
config.AddBasicAuthentication((userName, password) => userName == password);
#endregion
#region SimpleWebToken
config.AddSimpleWebToken(
"http://identity.thinktecture.com/trust",
Constants.Realm,
Constants.IdSrvSymmetricSigningKey,
AuthenticationOptions.ForAuthorizationHeader("IdSrv"));
#endregion
#region JsonWebToken
config.AddJsonWebToken(
"http://selfissued.test",
Constants.Realm,
Constants.IdSrvSymmetricSigningKey,
AuthenticationOptions.ForAuthorizationHeader("JWT"));
#endregion
#region IdentityServer SAML
var idsrvRegistry = new ConfigurationBasedIssuerNameRegistry();
idsrvRegistry.AddTrustedIssuer("A1EED7897E55388FCE60FEF1A1EED81FF1CBAEC6", "Thinktecture IdSrv");
var idsrvConfig = new SecurityTokenHandlerConfiguration();
idsrvConfig.AudienceRestriction.AllowedAudienceUris.Add(new Uri(Constants.Realm));
idsrvConfig.IssuerNameRegistry = idsrvRegistry;
idsrvConfig.CertificateValidator = X509CertificateValidator.None;
config.AddSaml2(idsrvConfig, AuthenticationOptions.ForAuthorizationHeader("IdSrvSaml"));
#endregion
#region ACS SWT
config.AddSimpleWebToken(
"https://" + Constants.ACS + "/",
Constants.Realm,
Constants.AcsSymmetricSigningKey,
AuthenticationOptions.ForAuthorizationHeader("ACS"));
#endregion
#region AccessKey
var handler = new SimpleSecurityTokenHandler("my access key", token =>
{
if (ObfuscatingComparer.IsEqual(token, "accesskey123"))
{
return(new ClaimsIdentity(new Claim[]
{
new Claim("customerid", "123")
}, "Custom"));
}
return(null);
});
config.AddAccessKey(handler, AuthenticationOptions.ForQueryString("key"));
#endregion
return(config);
}
private static IssuerNameRegistry CreateIssuerNameRegistry(this X509Certificate2 certificate)
{
var registry = new ConfigurationBasedIssuerNameRegistry();
registry.AddTrustedIssuer(certificate.Thumbprint, certificate.Subject);
return registry;
}
public ClaimsIdentity ValidateSamlToken(SecurityToken securityToken)
{
var configuration = new SecurityTokenHandlerConfiguration();
configuration.AudienceRestriction.AudienceMode = AudienceUriMode.Never;
configuration.CertificateValidationMode = X509CertificateValidationMode.None;
configuration.RevocationMode = X509RevocationMode.NoCheck;
configuration.CertificateValidator = X509CertificateValidator.None;
var registry = new ConfigurationBasedIssuerNameRegistry();
registry.AddTrustedIssuer(_configuration.AdfsIntegration.IssuerThumbprint, "ADFS");
configuration.IssuerNameRegistry = registry;
var handler = SecurityTokenHandlerCollection.CreateDefaultSecurityTokenHandlerCollection(configuration);
var identity = handler.ValidateToken(securityToken).First();
return identity;
}
