        /// <summary>
        /// Builds the IdP entity descriptor that is published at the metadata endpoint:
        /// entity id taken from <see cref="UrlResolver.MetadataUrl"/>, one SAML 2.0
        /// IDPSSODescriptor with an HTTP-Redirect SSO endpoint, a SOAP artifact
        /// resolution endpoint (index 0, marked default) and the signing key from
        /// <see cref="CertificateHelper.SigningKey"/>.
        /// </summary>
        /// <param name="includeCacheDuration">When true, a 15 minute cacheDuration is set on the descriptor.</param>
        /// <returns>The populated descriptor.</returns>
        public static ExtendedEntityDescriptor CreateIdpMetadata(bool includeCacheDuration = true)
        {
            var descriptor = new ExtendedEntityDescriptor
            {
                EntityId = new EntityId(UrlResolver.MetadataUrl.ToString())
            };

            if (includeCacheDuration)
            {
                descriptor.CacheDuration = TimeSpan.FromMinutes(15);
            }

            var ssoRole = new IdentityProviderSingleSignOnDescriptor();
            ssoRole.ProtocolsSupported.Add(new Uri("urn:oasis:names:tc:SAML:2.0:protocol"));
            descriptor.RoleDescriptors.Add(ssoRole);

            var ssoEndpoint = new ProtocolEndpoint
            {
                Binding = Saml2Binding.HttpRedirectUri,
                Location = UrlResolver.SsoServiceUrl
            };
            ssoRole.SingleSignOnServices.Add(ssoEndpoint);

            // Artifact resolution is published as the default indexed endpoint (index 0).
            var artifactEndpoint = new IndexedProtocolEndpoint
            {
                Index = 0,
                IsDefault = true,
                Binding = Saml2Binding.SoapUri,
                Location = UrlResolver.ArtifactServiceUrl
            };
            ssoRole.ArtifactResolutionServices.Add(0, artifactEndpoint);

            // Relying parties verify this IdP's signatures against the published signing key.
            ssoRole.Keys.Add(CertificateHelper.SigningKey);

            return descriptor;
        }
        /// <summary>
        /// An IdentityProvider whose LoadMetadata is false must not try to use its
        /// EntityId as a metadata URL when a property such as Binding is read.
        /// "someEntityId" is not a valid URI, so any such attempt would throw.
        /// </summary>
        public void IdentityProvider_ConstructedFromEntityDescriptor_DoesntReloadMetadataWhenDisabled()
        {
            // Already expired descriptor (ValidUntil one year in the past).
            var expiredDescriptor = new ExtendedEntityDescriptor
            {
                ValidUntil = DateTime.UtcNow.AddYears(-1),
                EntityId = new EntityId("someEntityId")
            };

            var ssoRole = new IdentityProviderSingleSignOnDescriptor();
            ssoRole.ProtocolsSupported.Add(new Uri("urn:oasis:names:tc:SAML:2.0:protocol"));
            ssoRole.SingleSignOnServices.Add(new ProtocolEndpoint
            {
                Binding = Saml2Binding.HttpRedirectUri,
                Location = new Uri("http://idp.example.com/sso")
            });
            ssoRole.Keys.Add(SignedXmlHelper.TestKeyDescriptor);
            expiredDescriptor.RoleDescriptors.Add(ssoRole);

            var subject = new IdentityProvider(expiredDescriptor.EntityId, StubFactory.CreateSPOptions());

            subject.LoadMetadata.Should().BeFalse();

            // Reading Binding would throw an invalid-URI error if EntityId were used as the metadata URL.
            Action readBinding = () => { var ignored = subject.Binding; };
            readBinding.ShouldNotThrow();
        }
        /// <summary>
        /// ToXmlString must serialize the IDPSSODescriptor's KeyDescriptor as
        /// ds:KeyInfo/ds:X509Data/ds:X509Certificate carrying the test certificate.
        /// </summary>
        public void MetadatabaseExtensions_ToXmlString_IncludesKeyInfo()
        {
            var ssoRole = new IdentityProviderSingleSignOnDescriptor();
            ssoRole.ProtocolsSupported.Add(new Uri("urn:oasis:names:tc:SAML:2.0:protocol"));
            ssoRole.SingleSignOnServices.Add(new ProtocolEndpoint
            {
                Binding = Saml2Binding.HttpRedirectUri,
                Location = new Uri("http://idp.example.com/sso")
            });
            ssoRole.Keys.Add(SignedXmlHelper.TestKeyDescriptor);

            var metadata = new ExtendedEntityDescriptor
            {
                EntityId = new EntityId("http://idp.example.com/metadata"),
                CacheDuration = TimeSpan.FromHours(1)
            };
            metadata.RoleDescriptors.Add(ssoRole);

            var xml = metadata.ToXmlString(null, "");
            var document = XDocument.Parse(xml);

            var md = Saml2Namespaces.Saml2Metadata;
            var ds = XNamespace.Get(SignedXml.XmlDsigNamespaceUrl);

            var certificateElement = document
                .Element(md + "EntityDescriptor")
                .Element(md + "IDPSSODescriptor")
                .Element(md + "KeyDescriptor")
                .Element(ds + "KeyInfo")
                .Element(ds + "X509Data")
                .Element(ds + "X509Certificate");

            // Only the leading part of the base64 certificate is pinned; enough to identify it.
            certificateElement.Value.Should().StartWith("MIIDIzCCAg+gAwIBAgIQg7mOjTf994NAVxZu4jqXpzAJBgUrDgM");
        }
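        /// <summary>
        /// When EntityDescriptorId is set, ToXmlString must emit it verbatim as the
        /// ID attribute of the root md:EntityDescriptor element.
        /// </summary>
        public void MetadatabaseExtensions_ToXmlString_ShouldUseSuppliedEntityDescriptorId()
        {
            var metadata = new ExtendedEntityDescriptor
            {
                EntityId = new EntityId("http://idp.example.com/metadata"),
                CacheDuration = new TimeSpan(1, 0, 0),
                EntityDescriptorId = Guid.NewGuid().ToString()
            };

            var idpSsoDescriptor = new IdentityProviderSingleSignOnDescriptor();
            idpSsoDescriptor.ProtocolsSupported.Add(new Uri("urn:oasis:names:tc:SAML:2.0:protocol"));
            metadata.RoleDescriptors.Add(idpSsoDescriptor);

            idpSsoDescriptor.SingleSignOnServices.Add(new ProtocolEndpoint
            {
                Binding = Saml2Binding.HttpRedirectUri,
                Location = new Uri("http://idp.example.com/sso")
            });

            idpSsoDescriptor.Keys.Add(SignedXmlHelper.TestKeyDescriptor);

            var subject = XDocument.Parse(metadata.ToXmlString(null));

            // XML ID values are case-sensitive, so compare exactly (Be) rather than with the
            // case-insensitive string BeEquivalentTo. The unused ds namespace local was dropped.
            subject.Element(Saml2Namespaces.Saml2Metadata + "EntityDescriptor").Attribute("ID")
                .Value.Should().Be(metadata.EntityDescriptorId);
        }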
        /// <summary>
        /// Builds a minimal IdP EntityDescriptor for tests: one
        /// IdentityProviderSingleSignOnDescriptor with a single HTTP-Redirect SSO
        /// endpoint at http://localhost:60879. No entity id, key or supported
        /// protocol is set.
        /// </summary>
        /// <returns>The descriptor with its one IdP role.</returns>
        public static EntityDescriptor GetEntityDescriptor()
        {
            // NOTE(review): the mock certificate is fetched but never attached as a
            // KeyDescriptor, so this metadata advertises no signing key; the call is
            // kept in case GetMockCertificate has side effects — confirm and drop if not.
            var unusedCertificate = EntityDescriptorProviderMock.GetMockCertificate();

            var ssoEndpoint = new ProtocolEndpoint(
                new Uri(ProtocolBindings.HttpRedirect),
                new Uri("http://localhost:60879"));

            var idpRole = new IdentityProviderSingleSignOnDescriptor();
            idpRole.SingleSignOnServices.Add(ssoEndpoint);

            var descriptor = new EntityDescriptor();
            descriptor.RoleDescriptors.Add(idpRole);

            return descriptor;
        }
        /// <summary>
        /// Builds a minimal IdP EntityDescriptor for tests with the given entity id:
        /// one IdentityProviderSingleSignOnDescriptor advertising the SAML 2.0
        /// protocol and a single HTTP-Redirect SSO endpoint at http://localhost:60879.
        /// No key is attached.
        /// </summary>
        /// <param name="entityId">Value for the descriptor's EntityId.</param>
        /// <returns>The descriptor with its one IdP role.</returns>
        public static EntityDescriptor GetIdpEntityDescriptor(string entityId)
        {
            // NOTE(review): the mock certificate is fetched but never attached as a
            // KeyDescriptor, so this metadata advertises no signing key; the call is
            // kept in case GetMockCertificate has side effects — confirm and drop if not.
            var unusedCertificate = EntityDescriptorProviderMock.GetMockCertificate();

            var idpRole = new IdentityProviderSingleSignOnDescriptor();
            idpRole.ProtocolsSupported.Add(new Uri("urn:oasis:names:tc:SAML:2.0:protocol"));
            idpRole.SingleSignOnServices.Add(new ProtocolEndpoint(
                new Uri(ProtocolBindings.HttpRedirect),
                new Uri("http://localhost:60879")));

            var descriptor = new EntityDescriptor(new EntityId(entityId));
            descriptor.RoleDescriptors.Add(idpRole);

            return descriptor;
        }
        /// <summary>
        /// Builds this IdP's EntityDescriptor for the current request. The entity id
        /// and every endpoint location are absolute URIs derived from the request via
        /// GetAbsoluteUri. The role advertises SAML 2.0, an HTTP-Redirect SSO endpoint,
        /// a SOAP artifact resolution endpoint (index 0, default), HTTP-Redirect and
        /// HTTP-POST single-logout endpoints, and the raw signing certificate from
        /// Options.SigningCertificate.
        /// </summary>
        /// <param name="request">Request from which the absolute endpoint URIs are built.</param>
        /// <param name="includeCacheDuration">When true, sets cacheDuration to 15 minutes and validUntil to one day from now (UTC).</param>
        /// <returns>The populated descriptor.</returns>
        private ExtendedEntityDescriptor CreateIdpMetadata(IOwinRequest request, bool includeCacheDuration = true)
        {
            // NOTE(review): every published URI is derived from the incoming request, so the
            // metadata reflects whatever host the request carried; confirm GetAbsoluteUri
            // builds from a configured/validated host rather than raw request headers.
            var metadata = new ExtendedEntityDescriptor
            {
                EntityId = new EntityId(GetAbsoluteUri(request, MetadataPath).AbsoluteUri)
            };

            if (includeCacheDuration)
            {
                metadata.CacheDuration = TimeSpan.FromMinutes(15);
                metadata.ValidUntil = DateTime.UtcNow.AddDays(1);
            }

            var ssoRole = new IdentityProviderSingleSignOnDescriptor();
            ssoRole.ProtocolsSupported.Add(new Uri("urn:oasis:names:tc:SAML:2.0:protocol"));
            metadata.RoleDescriptors.Add(ssoRole);

            ssoRole.SingleSignOnServices.Add(
                new ProtocolEndpoint(Saml2Binding.HttpRedirectUri, GetAbsoluteUri(request, AuthorizePath)));

            var artifactEndpoint = new IndexedProtocolEndpoint
            {
                Index = 0,
                IsDefault = true,
                Binding = Saml2Binding.SoapUri,
                Location = GetAbsoluteUri(request, ArtifactPath)
            };
            ssoRole.ArtifactResolutionServices.Add(0, artifactEndpoint);

            // Both the redirect and the POST logout bindings are served at the same path.
            var logoutUri = GetAbsoluteUri(request, LogoutPath);
            ssoRole.SingleLogoutServices.Add(new ProtocolEndpoint(Saml2Binding.HttpRedirectUri, logoutUri));
            ssoRole.SingleLogoutServices.Add(new ProtocolEndpoint(Saml2Binding.HttpPostUri, logoutUri));

            // Publish the signing certificate (raw X.509 data) so relying parties can verify signatures.
            var signingClause = new X509SecurityToken(Options.SigningCertificate)
                .CreateKeyIdentifierClause<X509RawDataKeyIdentifierClause>();
            ssoRole.Keys.Add(new KeyDescriptor(new SecurityKeyIdentifier(signingClause)));

            return metadata;
        }
        /// <summary>
        /// Builds the local entity's metadata (entity id "local") with one IdP role
        /// whose only content is a signing KeyDescriptor for the mock certificate,
        /// referenced by raw X.509 data. No endpoints or protocols are declared.
        /// </summary>
        /// <returns>The EntityDescriptor, typed as MetadataBase.</returns>
        private MetadataBase GetMetadata()
        {
            var certificate = AssertionFactroryMock.GetMockCertificate();
            var signingKey = new KeyDescriptor(
                new SecurityKeyIdentifier(new X509RawDataKeyIdentifierClause(certificate)))
            {
                Use = KeyType.Signing
            };

            var idpRole = new IdentityProviderSingleSignOnDescriptor();
            idpRole.Keys.Add(signingKey);

            var entity = new EntityDescriptor(new EntityId("local"));
            entity.RoleDescriptors.Add(idpRole);

            return entity;
        }
        /// <summary>
        /// Returns the location of the first IdP single sign-on endpoint whose
        /// Binding equals <paramref name="binding"/>.
        /// </summary>
        /// <param name="descriptor">IDPSSODescriptor whose SingleSignOnServices are searched.</param>
        /// <param name="binding">SAML binding URI to match against each endpoint's Binding.</param>
        /// <returns>The matching endpoint's Location.</returns>
        /// <exception cref="ArgumentNullException"><paramref name="descriptor"/> is null.</exception>
        /// <exception cref="InvalidOperationException">No endpoint uses the requested binding.</exception>
        public Uri GetIdentityProviderSingleSignOnServices(IdentityProviderSingleSignOnDescriptor descriptor, Uri binding)
        {
            if (descriptor == null)
            {
                throw new ArgumentNullException("descriptor");
            }

            // Uri's == operator is Uri.Equals (user info and fragment are not compared).
            foreach (var endpoint in descriptor.SingleSignOnServices)
            {
                if (endpoint.Binding == binding)
                {
                    return endpoint.Location;
                }
            }

            throw new InvalidOperationException(String.Format("No endpoint found for binding: {0}.", binding));
        }
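        /// <summary>
        /// Writing an ExtendedEntitiesDescriptor must put its cacheDuration (42 minutes,
        /// serialized as "PT42M") on the md:EntitiesDescriptor root and no cacheDuration
        /// on the child md:EntityDescriptor, which had none set.
        /// </summary>
        public void ExtendedMetadataSerializer_Write_EntitiesDescriptorCacheDuration()
        {
            var metadata = new ExtendedEntitiesDescriptor
            {
                Name = "Federation Name",
                CacheDuration = new TimeSpan(0, 42, 0)
            };

            var entity = new ExtendedEntityDescriptor
            {
                EntityId = new EntityId("http://some.entity.example.com")
            };

            var idpSsoDescriptor = new IdentityProviderSingleSignOnDescriptor();
            idpSsoDescriptor.ProtocolsSupported.Add(new Uri("urn:oasis:names:tc:SAML:2.0:protocol"));
            idpSsoDescriptor.SingleSignOnServices.Add(new ProtocolEndpoint
            {
                Binding = Saml2Binding.HttpRedirectUri,
                Location = new Uri("http://some.entity.example.com/sso")
            });
            entity.RoleDescriptors.Add(idpSsoDescriptor);

            metadata.ChildEntities.Add(entity);

            XElement result;

            // Dispose the stream deterministically instead of leaving it undisposed.
            using (var stream = new MemoryStream())
            {
                ExtendedMetadataSerializer.ReaderInstance.WriteMetadata(stream, metadata);
                stream.Seek(0, SeekOrigin.Begin);
                result = XDocument.Load(stream).Root;
            }

            result.Name.Should().Be(Saml2Namespaces.Saml2Metadata + "EntitiesDescriptor");
            result.Attribute("cacheDuration").Value.Should().Be("PT42M");

            result.Element(Saml2Namespaces.Saml2Metadata + "EntityDescriptor").Attribute("cacheDuration")
                .Should().BeNull();
        }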
        /// <summary>
        /// ReadMetadata on an IdentityProvider created from an entity id must not
        /// schedule a background metadata refresh, even though the descriptor is
        /// already expired (ValidUntil one year ago) and the scheduler's minimum
        /// interval is forced down to 1 ms. A refresh would replace SingleSignOnServiceUrl.
        /// </summary>
        public void IdentityProvider_ConstructedFromEntityDescriptor_DoesntScheduleMedataRefresh()
        {
            // Make any scheduled refresh fire almost immediately so the wait below would observe it.
            MetadataRefreshScheduler.minInterval = TimeSpan.FromMilliseconds(1);

            var expiredDescriptor = new ExtendedEntityDescriptor
            {
                ValidUntil = DateTime.UtcNow.AddYears(-1),
                EntityId = new EntityId("http://localhost:13428/idpMetadata")
            };

            var ssoEndpoint = new ProtocolEndpoint
            {
                Binding = Saml2Binding.HttpRedirectUri,
                Location = new Uri("http://idp.example.com/sso")
            };

            var ssoRole = new IdentityProviderSingleSignOnDescriptor();
            ssoRole.ProtocolsSupported.Add(new Uri("urn:oasis:names:tc:SAML:2.0:protocol"));
            ssoRole.SingleSignOnServices.Add(ssoEndpoint);
            ssoRole.Keys.Add(SignedXmlHelper.TestKeyDescriptor);
            expiredDescriptor.RoleDescriptors.Add(ssoRole);

            var subject = new IdentityProvider(expiredDescriptor.EntityId, StubFactory.CreateSPOptions());
            subject.ReadMetadata(expiredDescriptor);

            // Ugly, but have to wait and see that nothing happened. Have tried
            // some different timeouts but need 100 to ensure fail before bug
            // is fixed :-(
            Thread.Sleep(100);

            // Would be changed if metadata was reloaded.
            subject.SingleSignOnServiceUrl.Should().Be(ssoEndpoint.Location);
        }
        /// <summary>
        /// Test fixture setup: builds the IdP descriptor (<c>idp</c>) shared by the
        /// tests, with an error URL, WantAuthenticationRequestsSigned set, the SAML 2.0
        /// protocol, an HTTP-Redirect SSO endpoint and a contact with e-mail and phone.
        /// </summary>
        // NOTE(review): the object initializer below appears truncated/redacted in this
        // listing (the SSO endpoint's location URI is cut short and the braces do not
        // balance); confirm against the original source before relying on it.
        public MetadataSerializerTests()
        {
            idp = new IdentityProviderSingleSignOnDescriptor
            {
                ErrorUrl = new Uri("http://localhost/uh-oh"),
                WantAuthenticationRequestsSigned = true,
                ProtocolsSupported    = { new Uri("urn:oasis:names:tc:SAML:2.0:protocol") },
                SingleSignOnServices  = { new ProtocolEndpoint(new Uri("urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"), new Uri("http://*****:*****@rocksolidknowledge.com" },
                        TelephoneNumbers ={ "441174220515"                                              }
                    }
                }
            };
        }
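        /// <summary>
        /// Serializes an IdP EntityDescriptor built from <paramref name="idpData"/> to
        /// <paramref name="fileName"/>. The descriptor publishes the signing certificate
        /// (looked up by CN via CertificateHelper.RetrieveCertificate) as a KeyDescriptor
        /// with use=signing, a NameID format chosen from idpData.NameIdType, the supported
        /// attributes, one SSO endpoint and a technical contact.
        /// </summary>
        /// <param name="idpData">Source of entity id, certificate CN, NameID type, attribute names, SSO binding/location and main contact.</param>
        /// <param name="fileName">Path of the XML file to write.</param>
        /// <param name="encoding">Text encoding used by the XML writer.</param>
        /// <exception cref="ArgumentNullException"><paramref name="idpData"/> is null.</exception>
        /// <exception cref="ApplicationException">No certificate CN is supplied.</exception>
        private static void CreateIdentityProviderMetadata(SamlIdpData idpData, string fileName, Encoding encoding)
        {
            if (idpData == null)
            {
                throw new ArgumentNullException("idpData");
            }

            if (string.IsNullOrEmpty(idpData.SigninCertificateCn))
            {
                throw new ApplicationException("no CN for a Certificate supplied");
            }

            string signingCertificateSubjectName = idpData.SigninCertificateCn;

            Constants.NameIdType nidFmt = idpData.NameIdType;

            MetadataSerializer serializer = new MetadataSerializer();
            IdentityProviderSingleSignOnDescriptor item = new IdentityProviderSingleSignOnDescriptor();

            EntityDescriptor metadata = new EntityDescriptor();
            metadata.EntityId = new EntityId(idpData.EntityId);

            // Publish the signing certificate (raw X.509 data) so relying parties can verify this IdP's signatures.
            X509Certificate2 certificate = CertificateHelper.RetrieveCertificate(signingCertificateSubjectName);
            KeyDescriptor descriptor = new KeyDescriptor(
                new SecurityKeyIdentifier(
                    new SecurityKeyIdentifierClause[]
                    {
                        new X509SecurityToken(certificate).CreateKeyIdentifierClause<X509RawDataKeyIdentifierClause>()
                    }));

            descriptor.Use = KeyType.Signing;
            item.Keys.Add(descriptor);

            // NameID format advertised depends on the configured type; any other value
            // leaves NameIdentifierFormats empty.
            if (Constants.NameIdType.Saml20 == nidFmt)
            {
                item.NameIdentifierFormats.Add(Saml2Constants.NameIdentifierFormats.Transient);
            }

            if (Constants.NameIdType.Saml11 == nidFmt)
            {
                item.NameIdentifierFormats.Add(Saml2Constants.NameIdentifierFormats.Unspecified);
            }

            foreach (var attributeName in idpData.AttributeNames)
            {
                Saml2Attribute at1 = new Saml2Attribute(attributeName.Name)
                {
                    NameFormat = new Uri(Constants.Saml20AttributeNameFormat)
                };
                item.SupportedAttributes.Add(at1);
            }

            item.ProtocolsSupported.Add(new Uri(Constants.Saml20Protocol));
            item.SingleSignOnServices.Add(new ProtocolEndpoint(new Uri(idpData.BindingType), new Uri(idpData.BindingLocation)));

            metadata.RoleDescriptors.Add(item);

            metadata.Contacts.Add(new ContactPerson(ContactType.Technical)
            {
                Company = idpData.MainContact.Company,
                GivenName = idpData.MainContact.GivenName,
                Surname = idpData.MainContact.SurName,
                EmailAddresses = { idpData.MainContact.Email },
                TelephoneNumbers = { idpData.MainContact.Phone }
            });

            // NOTE(review): nothing here signs the written metadata document; confirm whether
            // its consumers require signed metadata or fetch it over an authenticated channel.
            // The writer is disposed on every path (the original only closed it on success).
            using (XmlTextWriter writer = new XmlTextWriter(fileName, encoding))
            {
                serializer.WriteMetadata(writer, metadata);
            }
        }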
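        /// <summary>
        /// Serializes an IdP EntityDescriptor built from <paramref name="idpData"/> to
        /// <paramref name="fileName"/>. The descriptor publishes the signing certificate
        /// (looked up by CN via CertificateHelper.RetrieveCertificate) as a KeyDescriptor
        /// with use=signing, a NameID format chosen from idpData.NameIdType, the supported
        /// attributes, one SSO endpoint and a technical contact.
        /// </summary>
        /// <param name="idpData">Source of entity id, certificate CN, NameID type, attribute names, SSO binding/location and main contact.</param>
        /// <param name="fileName">Path of the XML file to write.</param>
        /// <param name="encoding">Text encoding used by the XML writer.</param>
        /// <exception cref="ArgumentNullException"><paramref name="idpData"/> is null.</exception>
        /// <exception cref="ApplicationException">No certificate CN is supplied.</exception>
        private static void CreateIdentityProviderMetadata(SamlIdpData idpData, string fileName, Encoding encoding)
        {
            if (idpData == null)
            {
                throw new ArgumentNullException("idpData");
            }

            if (string.IsNullOrEmpty(idpData.SigninCertificateCn))
            {
                throw new ApplicationException("no CN for a Certificate supplied");
            }

            string signingCertificateSubjectName = idpData.SigninCertificateCn;

            Constants.NameIdType nidFmt = idpData.NameIdType;

            MetadataSerializer serializer = new MetadataSerializer();
            IdentityProviderSingleSignOnDescriptor item = new IdentityProviderSingleSignOnDescriptor();

            EntityDescriptor metadata = new EntityDescriptor();

            metadata.EntityId = new EntityId(idpData.EntityId);

            // Publish the signing certificate (raw X.509 data) so relying parties can verify this IdP's signatures.
            X509Certificate2 certificate = CertificateHelper.RetrieveCertificate(signingCertificateSubjectName);
            KeyDescriptor    descriptor  = new KeyDescriptor(
                new SecurityKeyIdentifier(
                    new SecurityKeyIdentifierClause[]
            {
                new X509SecurityToken(certificate).CreateKeyIdentifierClause <X509RawDataKeyIdentifierClause>()
            }));

            descriptor.Use = KeyType.Signing;
            item.Keys.Add(descriptor);

            // NameID format advertised depends on the configured type; any other value
            // leaves NameIdentifierFormats empty.
            if (Constants.NameIdType.Saml20 == nidFmt)
            {
                item.NameIdentifierFormats.Add(Saml2Constants.NameIdentifierFormats.Transient);
            }

            if (Constants.NameIdType.Saml11 == nidFmt)
            {
                item.NameIdentifierFormats.Add(Saml2Constants.NameIdentifierFormats.Unspecified);
            }

            foreach (var attributeName in idpData.AttributeNames)
            {
                Saml2Attribute at1 = new Saml2Attribute(attributeName.Name)
                {
                    NameFormat = new Uri(Constants.Saml20AttributeNameFormat)
                };
                item.SupportedAttributes.Add(at1);
            }

            item.ProtocolsSupported.Add(new Uri(Constants.Saml20Protocol));
            item.SingleSignOnServices.Add(new ProtocolEndpoint(new Uri(idpData.BindingType), new Uri(idpData.BindingLocation)));

            metadata.RoleDescriptors.Add(item);

            metadata.Contacts.Add(new ContactPerson(ContactType.Technical)
            {
                Company          = idpData.MainContact.Company,
                GivenName        = idpData.MainContact.GivenName,
                Surname          = idpData.MainContact.SurName,
                EmailAddresses   = { idpData.MainContact.Email },
                TelephoneNumbers = { idpData.MainContact.Phone }
            });

            // NOTE(review): nothing here signs the written metadata document; confirm whether
            // its consumers require signed metadata or fetch it over an authenticated channel.
            // The writer is disposed on every path (the original only closed it on success).
            using (XmlTextWriter writer = new XmlTextWriter(fileName, encoding))
            {
                serializer.WriteMetadata(writer, metadata);
            }
        }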