/// <summary>
/// Creates a new <see cref = " RelyingParty" />.
/// </summary>
/// <param name = "name">Name of this new <see cref = " RelyingParty" />.</param>
/// <param name = "realm">Realm of the relying party.</param>
/// <param name = "reply">ReplyTo address for the relying party. May be null.</param>
/// <param name = "tokenType">The type of token that the relying party consumes.</param>
/// <param name = "requireEncryption">Whether to require asymmetric token encryption.</param>
/// <returns>The new <see cref = " RelyingParty" /> created.</returns>
public static RelyingParty CreateRelyingParty(
this ManagementService svc, string name, string realm, string reply, RelyingPartyTokenType tokenType, bool requireEncryption)
{
svc.DeleteRelyingPartyByRealmIfExists(realm);
var relyingParty = new RelyingParty
{
AsymmetricTokenEncryptionRequired = requireEncryption, Name = name, TokenType = tokenType.ToString(), TokenLifetime = 3600,
};
svc.AddToRelyingParties(relyingParty);
//
// Create the Realm address
//
var realmAddress = new RelyingPartyAddress {
Address = realm, EndpointType = RelyingPartyAddressType.Realm.ToString(),
};
svc.AddRelatedObject(relyingParty, "RelyingPartyAddresses", realmAddress);
if (!string.IsNullOrEmpty(reply))
{
//
// Create the ReplyTo address
//
var replyAddress = new RelyingPartyAddress {
Address = reply, EndpointType = RelyingPartyAddressType.Reply.ToString(),
};
svc.AddRelatedObject(relyingParty, "RelyingPartyAddresses", replyAddress);
}
return(relyingParty);
}
/// <summary>
/// Create a Facebook identity provider with associated keys and permissions configured.
/// </summary>
/// <param name="applicationId">The Facebook Application ID</param>
/// <param name="applicationSecret">The Facebook Application Secret</param>
/// <param name="applicationPermissions">The permissions to request from Facebook</param>
/// <returns></returns>
public static IdentityProvider CreateFacebookIdentityProvider(this ManagementService svc, string applicationId, string applicationSecret, string applicationPermissions)
{
string name = String.Format(CultureInfo.InvariantCulture, "Facebook-{0}", applicationId);
Issuer issuer = new Issuer()
{
Name = name
};
svc.AddToIssuers(issuer);
//
// Create the Identity Provider
//
IdentityProvider identityProvider = new IdentityProvider()
{
DisplayName = name,
LoginParameters = applicationPermissions,
WebSSOProtocolType = IdentityProviderProtocolType.Facebook.ToString(),
};
svc.AddObject("IdentityProviders", identityProvider);
svc.SetLink(identityProvider, "Issuer", issuer);
//
// Create the application Id and application secret keys for this facebook application.
//
IdentityProviderKey applicationIdKey = new IdentityProviderKey()
{
DisplayName = "Facebook application ID",
Type = IdentityProviderKeyType.ApplicationKey.ToString(),
Usage = IdentityProviderKeyUsage.ApplicationId.ToString(),
Value = Encoding.UTF8.GetBytes(applicationId),
StartDate = DateTime.UtcNow,
EndDate = DateTime.MaxValue,
};
svc.AddRelatedObject(identityProvider, "IdentityProviderKeys", applicationIdKey);
IdentityProviderKey applicationSecretKey = new IdentityProviderKey()
{
DisplayName = "Facebook application Secret",
Type = IdentityProviderKeyType.ApplicationKey.ToString(),
Usage = IdentityProviderKeyUsage.ApplicationSecret.ToString(),
Value = Encoding.UTF8.GetBytes(applicationSecret),
StartDate = DateTime.UtcNow,
EndDate = DateTime.MaxValue,
};
svc.AddRelatedObject(identityProvider, "IdentityProviderKeys", applicationSecretKey);
identityProvider.Issuer = issuer;
return(identityProvider);
}
/// <summary>
/// Create a WS-Federation identity provider with associated keys and addresses.
/// </summary>
public static IdentityProvider CreateWsFederationIdentityProvider(this ManagementService svc, string name, byte[] signingCertificateValue, DateTime keyStartDate, DateTime keyEndDate, string signInUrl)
{
Issuer issuer = new Issuer()
{
Name = name
};
svc.AddToIssuers(issuer);
//
// Create the Identity Provider
//
IdentityProvider identityProvider = new IdentityProvider()
{
DisplayName = name,
WebSSOProtocolType = IdentityProviderProtocolType.WsFederation.ToString(),
};
svc.AddObject("IdentityProviders", identityProvider);
svc.SetLink(identityProvider, "Issuer", issuer);
//
// Create the Identity Provider key used to validate the signature of IDP-signed tokens.
//
IdentityProviderKey signingKey = new IdentityProviderKey()
{
DisplayName = "SampleIdentityProviderKeyDisplayName",
Type = IdentityProviderKeyType.X509Certificate.ToString(),
Usage = IdentityProviderKeyUsage.Signing.ToString(),
Value = signingCertificateValue,
StartDate = keyStartDate.ToUniversalTime(),
EndDate = keyEndDate.ToUniversalTime()
};
svc.AddRelatedObject(identityProvider, "IdentityProviderKeys", signingKey);
// Create the sign-in address for Identity Provider
IdentityProviderAddress signInAddress = new IdentityProviderAddress()
{
Address = signInUrl,
EndpointType = IdentityProviderEndpointType.SignIn.ToString(),
};
svc.AddRelatedObject(identityProvider, "IdentityProviderAddresses", signInAddress);
identityProvider.Issuer = issuer;
return(identityProvider);
}
public static RelyingParty AddRelyingParty(this ManagementService svc, Uri realm,
string relyingPartyName, DateTime startDate, DateTime endDate,
byte[] tokenSigningKey, int tokenLifetime)
{
Contract.Requires(svc != null);
Contract.Requires(realm != null);
Contract.Requires(realm.IsAbsoluteUri);
Contract.Requires(realm.AbsolutePath == "/");
Contract.Requires(!string.IsNullOrWhiteSpace(relyingPartyName));
Contract.Requires(startDate != default(DateTime));
Contract.Requires(endDate > startDate);
Contract.Requires(tokenSigningKey != null);
Contract.Requires(tokenLifetime >= 1);
var relyingParty = new RelyingParty()
{
Name = relyingPartyName,
AsymmetricTokenEncryptionRequired = false,
TokenType = "SWT",
TokenLifetime = tokenLifetime
};
svc.AddToRelyingParties(relyingParty);
var relyingPartyAddress = new RelyingPartyAddress()
{
Address = realm.AbsoluteUri,
EndpointType = "Realm"
};
svc.AddRelatedObject(relyingParty, "RelyingPartyAddresses", relyingPartyAddress);
var relyingPartyKey = new RelyingPartyKey()
{
StartDate = startDate,
EndDate = endDate,
Type = "Symmetric",
Usage = "Signing",
IsPrimary = true,
Value = tokenSigningKey
};
svc.AddRelatedObject(relyingParty, "RelyingPartyKeys", relyingPartyKey);
svc.SaveChanges(SaveChangesOptions.Batch);
return(relyingParty);
}
public static void AddIdentity(this ManagementService svc,
Credentials serviceIdentity, DateTime startDate, DateTime endDate)
{
Contract.Requires(svc != null);
Contract.Requires(serviceIdentity != null);
Contract.Requires(startDate != default(DateTime));
Contract.Requires(endDate > startDate);
var sid = new ServiceIdentity()
{
Name = serviceIdentity.UserName
};
var key = new ServiceIdentityKey()
{
StartDate = startDate,
EndDate = endDate,
Type = "Password",
Usage = "Password",
Value = Encoding.UTF8.GetBytes(serviceIdentity.Password),
DisplayName = string.Format(CultureInfo.InvariantCulture,
"{0} key for {1}", "Password", serviceIdentity.UserName)
};
svc.AddToServiceIdentities(sid);
svc.AddRelatedObject(sid, "ServiceIdentityKeys", key);
svc.SaveChanges(SaveChangesOptions.Batch);
}
private void LinkExistingRuleGroups(ManagementService client, Action <LogInfo> logAction)
{
foreach (var linkedRuleGroup in this.relyingPartySpec.LinkedRuleGroups())
{
var @group = linkedRuleGroup;
var ruleGroup = client.RuleGroups.Where(rg => rg.Name.Equals(group)).Single();
var relyingParty = client.RelyingParties.Where(rp => rp.Name.Equals(this.relyingPartySpec.Name())).Single();
var relyingPartyRuleGroup = new RelyingPartyRuleGroup
{
RuleGroupId = ruleGroup.Id,
RelyingParty = relyingParty
};
this.LogMessage(logAction, string.Format("Linking Relying Party '{0}' to Rule Group '{1}'", this.relyingPartySpec.Name(), linkedRuleGroup));
client.AddRelatedObject(relyingParty, "RelyingPartyRuleGroups", relyingPartyRuleGroup);
}
if (this.relyingPartySpec.LinkedRuleGroups().Any())
{
client.SaveChanges(SaveChangesOptions.Batch);
this.LogSavingChangesMessage(logAction);
}
}
public void ExecuteCmdletBase(PSCmdlet callingCmdlet)
{
ManagementService client = CreateManagementServiceClient();
var relyingParties = client.RelyingParties;
if (relyingParties != null)
{
foreach (var relyingParty in relyingParties)
{
string name = relyingParty.Name;
if (name == RelyingParty)
{
RelyingPartyAddress address = new RelyingPartyAddress();
address.Address = RelyingPartyRelayAddress;
address.EndpointType = "Reply";
client.AddRelatedObject(relyingParty, "RelyingPartyAddresses", address);
client.SaveChanges(SaveChangesOptions.Batch);
}
}
}
else
{
throw new Exception("Failed to get the Relying Parties list from the ACS Management Service.");
}
}
public void Save()
{
ManagementService serviceClient = ManagementServiceHelper.CreateManagementServiceClient(this.settings);
ServiceIdentity serviceId = serviceClient.GetServiceIdentityByName(this.Name);
if (serviceId == null)
{
serviceId = serviceClient.CreateServiceIdentity(this.Name, Encoding.UTF8.GetBytes(this.Password), ServiceIdentityKeyType.Password,
ServiceIdentityKeyUsage.Password);
ServiceIdentityKey key = new ServiceIdentityKey
{
EndDate = DateTime.MaxValue.AddDays(-1).ToUniversalTime(),
StartDate = DateTime.UtcNow.ToUniversalTime(),
Type = ServiceIdentityKeyType.Symmetric.ToString(),
Usage = ServiceIdentityKeyUsage.Signing.ToString(),
Value = this.Key,
DisplayName = String.Format(CultureInfo.InvariantCulture, "Symmetric key for {0}", this.Name)
};
serviceClient.AddRelatedObject(serviceId, "ServiceIdentityKeys", key);
}
else
{
if (serviceId.Description != this.Description)
{
serviceId.Description = this.Description;
serviceClient.UpdateObject(serviceId);
}
serviceClient.UpdateServiceIdentityKey(this.Name, Encoding.UTF8.GetBytes(this.Password), ServiceIdentityKeyType.Password);
serviceClient.UpdateServiceIdentityKey(this.Name, this.Key, ServiceIdentityKeyType.Symmetric);
}
serviceClient.SaveChanges(SaveChangesOptions.Batch);
}
/// <summary>
/// Configures the ACS service namespace with the proper objects for this sample.
/// </summary>
/// <remarks>
/// Existing objects that are needed for this sample will be deleted and recreated.
/// </remarks>
static void Main(string[] args)
{
const string rpName = "ASPNET Simple MVC Sample";
const string rpRealm = "http://localhost:63000/";
const string rpErrorUrl = "http://localhost:63000/Error";
const string ruleGroupName = "Default rule group for ASPNET Simple MVC Sample";
const string googleIdpName = "Google";
const string yahooIdpName = "Yahoo!";
ManagementService svc = ManagementServiceHelper.CreateManagementServiceClient();
svc.DeleteRelyingPartyByRealmIfExists(rpRealm);
svc.DeleteRuleGroupByNameIfExists(ruleGroupName);
svc.DeleteIdentityProviderIfExists(googleIdpName);
svc.DeleteIdentityProviderIfExists(yahooIdpName);
svc.SaveChangesBatch();
IdentityProvider live = svc.GetIdentityProviderByName("uri:WindowsLiveID");
IdentityProvider google = svc.CreateOpenIdIdentityProvider(googleIdpName, "https://www.google.com/accounts/o8/ud");
IdentityProvider yahoo = svc.CreateOpenIdIdentityProvider(yahooIdpName, "https://open.login.yahooapis.com/openid/op/auth");
IdentityProvider[] associatedProviders = new[] { live, google, yahoo };
//
// Create the relying party. In this case, the Realm and the ReplyTo are the same address.
//
RelyingParty relyingParty = svc.CreateRelyingParty(rpName, rpRealm, rpRealm, RelyingPartyTokenType.SAML_2_0, false);
svc.AssociateIdentityProvidersWithRelyingParties(associatedProviders, new[] { relyingParty });
//
// Configure the error URL.
//
RelyingPartyAddress errorUrl = new RelyingPartyAddress()
{
Address = rpErrorUrl,
EndpointType = RelyingPartyAddressType.Error.ToString()
};
svc.AddRelatedObject(relyingParty, "RelyingPartyAddresses", errorUrl);
RuleGroup ruleGroup = svc.CreateRuleGroup(ruleGroupName);
svc.AssignRuleGroupToRelyingParty(ruleGroup, relyingParty);
//
// Create simple rules to pass through all claims from each issuer.
//
foreach (IdentityProvider identityProvider in associatedProviders)
{
string ruleDescription = String.Format(CultureInfo.InvariantCulture, "Pass through all claims from '{0}'", identityProvider.Issuer.Name);
svc.CreateRule(identityProvider.Issuer, null, null, null, null, ruleGroup, ruleDescription);
}
svc.SaveChangesBatch();
Console.WriteLine("Sample successfully configured. Press ENTER to continue ...");
Console.ReadLine();
}
private static void LinkRuleGroupToRelyingParty(ManagementService client, RuleGroup ruleGroup, RelyingParty relyingParty)
{
Guard.NotNull(() => ruleGroup, ruleGroup);
Guard.NotNull(() => relyingParty, relyingParty);
var relyingPartyRuleGroup = new RelyingPartyRuleGroup
{
RuleGroupId = ruleGroup.Id,
RelyingParty = relyingParty
};
client.AddRelatedObject(relyingParty, "RelyingPartyRuleGroups", relyingPartyRuleGroup);
client.SaveChanges(SaveChangesOptions.Batch);
}
private static void AddEncryptionKeyToRelyingParty(ManagementService client, string relyingPartyName, byte[] encryptionCert, DateTime defaultStartDate, DateTime defaultEndDate, RelyingParty relyingParty)
{
var relyingPartyKey = new RelyingPartyKey
{
DisplayName = "Encryption Certificate for " + relyingPartyName,
Type = KeyType.X509Certificate.ToString(),
Usage = KeyUsage.Encrypting.ToString(),
Value = encryptionCert,
RelyingParty = relyingParty,
StartDate = defaultStartDate,
EndDate = defaultEndDate
};
client.AddRelatedObject(relyingParty, "RelyingPartyKeys", relyingPartyKey);
client.SaveChanges();
}
private static void AddSigningKeyToRelyingParty(ManagementService client, string relyingPartyName, byte[] symmetricKey, DateTime defaultStartDate, DateTime defaultEndDate, RelyingParty relyingParty)
{
var relyingPartyKey = new RelyingPartyKey
{
DisplayName = "Signing Key for " + relyingPartyName,
Type = KeyType.Symmetric.ToString(),
Usage = KeyUsage.Signing.ToString(),
Value = symmetricKey,
RelyingParty = relyingParty,
StartDate = defaultStartDate,
EndDate = defaultEndDate,
IsPrimary = true
};
client.AddRelatedObject(relyingParty, "RelyingPartyKeys", relyingPartyKey);
client.SaveChanges();
}
/// <summary>
/// Creates a new ServiceIdentity and an associated key of the value, type, and usage specified.
/// </summary>
public static ServiceIdentity CreateServiceIdentity(this ManagementService svc, string name, byte[] keyValue, ServiceIdentityKeyType keyType, ServiceIdentityKeyUsage keyUsage)
{
ServiceIdentity sid = new ServiceIdentity()
{
Name = name
};
DateTime startDate, endDate;
if (keyType == ServiceIdentityKeyType.X509Certificate)
{
//
// ACS requires that the key start and end dates be within the certificate's validity period.
//
X509Certificate2 cert = new X509Certificate2(keyValue);
startDate = cert.NotBefore.ToUniversalTime();
endDate = cert.NotAfter.ToUniversalTime();
}
else
{
startDate = DateTime.UtcNow;
endDate = DateTime.MaxValue;
}
ServiceIdentityKey key = new ServiceIdentityKey()
{
EndDate = endDate.ToUniversalTime(),
StartDate = startDate.ToUniversalTime(),
Type = keyType.ToString(),
Usage = keyUsage.ToString(),
Value = keyValue,
DisplayName = String.Format(CultureInfo.InvariantCulture, "{0} key for {1}", keyType.ToString(), name)
};
svc.AddToServiceIdentities(sid);
svc.AddRelatedObject(
sid,
"ServiceIdentityKeys",
key);
return(sid);
}
private static void AddSigningKeyToRelyingParty(ManagementService client, string relyingPartyName, byte[] signingCert, string signingCertPassword, DateTime defaultStartDate, DateTime defaultEndDate, RelyingParty relyingParty)
{
var relyingPartyKey = new RelyingPartyKey
{
DisplayName = "Signing Certificate for " + relyingPartyName,
Type = KeyType.X509Certificate.ToString(),
Usage = KeyUsage.Signing.ToString(),
Value = signingCert,
Password = string.IsNullOrEmpty(signingCertPassword) ? null : new UTF8Encoding().GetBytes(signingCertPassword),
RelyingParty = relyingParty,
StartDate = defaultStartDate,
EndDate = defaultEndDate,
IsPrimary = true
};
client.AddRelatedObject(relyingParty, "RelyingPartyKeys", relyingPartyKey);
client.SaveChanges();
}
/// <summary>
/// Insert relying party encrypting keys.
/// </summary>
/// <param name="svc">Management service instance.</param>
/// <param name="rpKeys">List of keys to insert.</param>
/// <param name="relyingParty">Relying Party associated with the keys.</param>
private static void InsertRelyingPartyEncryptingKeysFromMetadata(ManagementService svc, List <X509Certificate2> rpKeys, RelyingParty relyingParty)
{
foreach (X509Certificate2 certificate in rpKeys)
{
RelyingPartyKey keyFromMetadata = new RelyingPartyKey()
{
Usage = RelyingPartyKeyUsage.Encrypting.ToString(),
DisplayName = string.Format(CultureInfo.InvariantCulture, "{0} Encrypting Key", relyingParty.Name),
//
// As a security best practice, set the start and end dates on the data entry
// to be the same value as the dates on the certificate.
//
StartDate = certificate.NotBefore.ToUniversalTime(),
EndDate = certificate.NotAfter.ToUniversalTime(),
Type = RelyingPartyKeyType.X509Certificate.ToString(),
Value = certificate.GetRawCertData()
};
Console.WriteLine(String.Format("Adding new relying party key with subject: '{0}'.\n", GetSubjectFromCertificate(keyFromMetadata.Value)));
svc.AddRelatedObject(relyingParty, "RelyingPartyKeys", keyFromMetadata);
}
}
/// <summary>
/// Insert keys for an identity provider.
/// </summary>
/// <param name="svc">ManagementService instance.</param>
/// <param name="idpKeys">List of keys to insert.</param>
/// <param name="identityProvider">Identity Provider associated with the keys.</param>
private static void InsertIdentityProviderSigningKeysFromMetadata(ManagementService svc, List <X509Certificate2> idpKeys, IdentityProvider identityProvider)
{
foreach (X509Certificate2 certificate in idpKeys)
{
IdentityProviderKey keyFromMetadata = new IdentityProviderKey()
{
Usage = IdentityProviderKeyUsage.Signing.ToString(),
DisplayName = string.Format(CultureInfo.InvariantCulture, "{0} Signing Key", identityProvider.DisplayName),
//
// As a security best practice, set the start and end dates on the data entry
// to be the same value as the dates on the certificate.
//
StartDate = certificate.NotBefore.ToUniversalTime(),
EndDate = certificate.NotAfter.ToUniversalTime(),
Type = IdentityProviderKeyType.X509Certificate.ToString(),
Value = certificate.GetRawCertData()
};
Console.WriteLine(String.Format("Adding new identity provider key with subject: '{0}'.", GetSubjectFromCertificate(keyFromMetadata.Value)));
svc.AddRelatedObject(identityProvider, "IdentityProviderKeys", keyFromMetadata);
}
}
/// <summary>
/// Generate a symmetric RelyingPartyKey and associcate it with the given relying party.
/// </summary>
public static RelyingPartyKey GenerateRelyingPartySymmetricKey(this ManagementService svc, RelyingParty relyingParty, DateTime startDate, DateTime endDate, bool isPrimary)
{
//
// Symmetric keys used by ACS are 256-bits, which equals 32 bytes.
//
byte[] keyValue = new byte[32];
new RNGCryptoServiceProvider().GetBytes(keyValue);
RelyingPartyKey relyingPartyKey = new RelyingPartyKey()
{
DisplayName = String.Format(CultureInfo.InvariantCulture, "Default signing key for {0}", relyingParty.Name),
EndDate = endDate.ToUniversalTime(),
IsPrimary = isPrimary,
StartDate = startDate.ToUniversalTime(),
Type = RelyingPartyKeyType.Symmetric.ToString(),
Usage = RelyingPartyKeyUsage.Signing.ToString(),
Value = keyValue
};
svc.AddRelatedObject(relyingParty, "RelyingPartyKeys", relyingPartyKey);
return(relyingPartyKey);
}
/// <summary>
/// Create a RelyingPartyKey with the given value, type, and usage, and associate it with the given relying party.
/// </summary>
public static RelyingPartyKey CreateRelyingPartyKey(this ManagementService svc, RelyingParty relyingParty, byte[] keyValue, string password, RelyingPartyKeyType keyType, RelyingPartyKeyUsage keyUsage, bool isPrimary)
{
DateTime startDate, endDate;
if (keyType == RelyingPartyKeyType.X509Certificate)
{
//
// ACS requires that the key start and end dates be within the certificate's validity period.
//
X509Certificate2 cert = new X509Certificate2(keyValue, password);
startDate = cert.NotBefore.ToUniversalTime();
endDate = cert.NotAfter.ToUniversalTime();
}
else
{
startDate = DateTime.UtcNow;
endDate = DateTime.MaxValue;
}
RelyingPartyKey relyingPartyKey = new RelyingPartyKey()
{
DisplayName = String.Format(CultureInfo.InvariantCulture, "Default {0} key for {1}", keyType, relyingParty.Name),
EndDate = endDate,
IsPrimary = isPrimary,
Password = string.IsNullOrEmpty(password) ? null : Encoding.UTF8.GetBytes(password),
StartDate = startDate,
Type = keyType.ToString(),
Usage = keyUsage.ToString(),
Value = keyValue,
};
svc.AddRelatedObject(relyingParty, "RelyingPartyKeys", relyingPartyKey);
return(relyingPartyKey);
}
/// <summary>
/// Create an OpenID identity provider with the associated sign-in address
/// </summary>
/// <param name="name">The name of the issuer to create.</param>
/// <param name="signInUrl">The post-discovery OpenID endpoint URL of the provider.</param>
/// <returns>The created identity provider.</returns>
public static IdentityProvider CreateOpenIdIdentityProvider(this ManagementService svc, string name, string signInUrl)
{
Issuer issuer = new Issuer()
{
Name = name
};
svc.AddToIssuers(issuer);
//
// Create the Identity Provider
//
IdentityProvider identityProvider = new IdentityProvider()
{
DisplayName = name,
WebSSOProtocolType = IdentityProviderProtocolType.OpenId.ToString(),
};
svc.AddObject("IdentityProviders", identityProvider);
svc.SetLink(identityProvider, "Issuer", issuer);
//
// Create the sign-in address for Identity Provider
//
IdentityProviderAddress signInAddress = new IdentityProviderAddress()
{
Address = signInUrl,
EndpointType = IdentityProviderEndpointType.SignIn.ToString(),
};
svc.AddRelatedObject(identityProvider, "IdentityProviderAddresses", signInAddress);
identityProvider.Issuer = issuer;
return(identityProvider);
}
private static void CreateRelyingParty(ManagementService client, string relyingPartyName, string ruleGroupName, string realmAddress, string replyAddress, TokenType tokenType, int tokenLifetime, bool asymmetricTokenEncryptionRequired, out RelyingParty relyingParty)
{
// Create Relying Party
relyingParty = new RelyingParty
{
Name = relyingPartyName,
DisplayName = relyingPartyName,
Description = relyingPartyName,
TokenType = tokenType.ToString(),
TokenLifetime = tokenLifetime,
AsymmetricTokenEncryptionRequired = asymmetricTokenEncryptionRequired
};
client.AddObject("RelyingParties", relyingParty);
client.SaveChanges();
if (!string.IsNullOrWhiteSpace(ruleGroupName))
{
RuleGroup ruleGroup = client.RuleGroups.Where(rg => rg.Name.Equals(ruleGroupName, StringComparison.OrdinalIgnoreCase)).FirstOrDefault();
if (ruleGroup == null)
{
ruleGroup = new RuleGroup
{
Name = ruleGroupName
};
client.AddToRuleGroups(ruleGroup);
client.SaveChanges();
}
var relyingPartyRuleGroup = new RelyingPartyRuleGroup
{
RuleGroupId = ruleGroup.Id,
RelyingParty = relyingParty
};
client.AddRelatedObject(relyingParty, "RelyingPartyRuleGroups", relyingPartyRuleGroup);
}
// Create the Realm for Relying Party
var realm = new RelyingPartyAddress
{
Address = realmAddress,
EndpointType = RelyingPartyAddressEndpointType.Realm.ToString(),
RelyingParty = relyingParty
};
client.AddRelatedObject(relyingParty, "RelyingPartyAddresses", realm);
if (!string.IsNullOrEmpty(replyAddress))
{
var reply = new RelyingPartyAddress
{
Address = replyAddress,
EndpointType = RelyingPartyAddressEndpointType.Reply.ToString(),
RelyingParty = relyingParty
};
client.AddRelatedObject(relyingParty, "RelyingPartyAddresses", reply);
}
client.SaveChanges(SaveChangesOptions.Batch);
}
/// <summary>
/// Add an Identity Provider
/// </summary>
private static Issuer CreateIdpManually(DateTime startDate, DateTime endDate, ManagementService svc0, string idpName, string idpDisplayName, string idpAddress, string idpKeyDisplayName)
{
var issuer = new Issuer
{
Name = idpName
};
// Check the Issuer does not exist previouly (if it exists, delete it)
var oldIssuer = svc0.Issuers.Where(ip => ip.Name == issuer.Name).FirstOrDefault();
if (oldIssuer != null)
{
svc0.DeleteObject(oldIssuer);
svc0.SaveChanges();
}
// Add Issuer
svc0.AddToIssuers(issuer);
svc0.SaveChanges(SaveChangesOptions.Batch);
Console.WriteLine("Info: Issuer created: {0}", idpName);
var idp = new IdentityProvider
{
DisplayName = idpDisplayName,
LoginLinkName = idpDisplayName,
WebSSOProtocolType = "WsFederation",
IssuerId = issuer.Id
};
// Check the IP does not exist previouly (if it exists, delete it)
var oldIdentityProvider = svc0.IdentityProviders.Where(ip => ip.DisplayName == idp.DisplayName).FirstOrDefault();
if (oldIdentityProvider != null)
{
svc0.DeleteObject(oldIdentityProvider);
svc0.SaveChanges();
}
// Add the new IP to ACS
svc0.AddObject("IdentityProviders", idp);
// Console.WriteLine("Info: Identity Provider created: {0}", idp.Name);
Console.WriteLine("Info: Identity Provider created: {0}", idp.DisplayName);
// Identity provider public key to verify the signature
var cert = File.ReadAllBytes(@"Resources\SelfSTS.cer");
var key = new IdentityProviderKey
{
IdentityProvider = idp,
DisplayName = idpKeyDisplayName,
EndDate = endDate,
StartDate = startDate,
Type = "X509Certificate",
Usage = "Signing",
Value = cert
};
svc0.AddRelatedObject(idp, "IdentityProviderKeys", key);
svc0.SaveChanges(SaveChangesOptions.Batch);
Console.WriteLine("Info: Identity Provider Key added: {0}", idpKeyDisplayName);
// WS-Federation sign-in URL
var idpaSignIn = new IdentityProviderAddress
{
IdentityProviderId = idp.Id,
EndpointType = "SignIn",
Address = idpAddress
};
svc0.AddRelatedObject(idp, "IdentityProviderAddresses", idpaSignIn);
svc0.SaveChanges(SaveChangesOptions.Batch);
Console.WriteLine("Info: Identity Provider Address added: {0}", idpAddress);
string labRelyingPartyName = "WebSiteAdvancedACS";
// Relying Party related to the Identity Provider
foreach (var existingRelyingParty in svc0.RelyingParties)
{
var rpid = new RelyingPartyIdentityProvider
{
IdentityProviderId = idp.Id,
RelyingPartyId = existingRelyingParty.Id
};
existingRelyingParty.RelyingPartyIdentityProviders.Add(rpid);
idp.RelyingPartyIdentityProviders.Add(rpid);
svc0.AddToRelyingPartyIdentityProviders(rpid);
}
svc0.SaveChanges(SaveChangesOptions.Batch);
Console.WriteLine("Info: Relying Party added to Identity Provider: {0}", labRelyingPartyName);
return(issuer);
}
/// <summary>
/// Add the Rules into a Rule Group.
/// </summary>
private static void AddRulesToRuleGroup(string ruleGroupName, string issuerName)
{
ManagementService svc = ManagementServiceHelper.CreateManagementServiceClient();
RuleGroup rg = svc.RuleGroups.AddQueryOption("$filter", "Name eq '" + ruleGroupName + "'").FirstOrDefault();
Issuer issuer = svc.Issuers.Where(i => i.Name == issuerName).ToArray()[0];
Rule namePassthroughRule = new Rule()
{
Issuer = issuer,
IssuerId = issuer.Id,
// InputClaimIssuerId = issuer.Id,
InputClaimType = "http://www.theselfsts2.net/claims/nome",
OutputClaimType = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name",
RuleGroup = rg,
Description = "Passthrough \"nome\" claim from SelfSTS2 as \"name\""
};
svc.AddRelatedObject(rg, "Rules", namePassthroughRule);
Rule emailPassthroughRule = new Rule()
{
Issuer = issuer,
IssuerId = issuer.Id,
InputClaimType = "http://www.theselfsts2.net/claims/postaelettronica",
OutputClaimType = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress",
RuleGroup = rg,
Description = "Passthrough \"postaelettronica\" claim from SelfSTS2 as \"emailaddress\""
};
svc.AddRelatedObject(rg, "Rules", emailPassthroughRule);
Rule goldenRule = new Rule()
{
Issuer = issuer,
IssuerId = issuer.Id,
InputClaimType = "http://www.theselfsts2.net/claims/gruppo",
InputClaimValue = "Amministratori",
OutputClaimType = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/role",
OutputClaimValue = "Gold",
RuleGroup = rg,
Description = "Map Gold Role SelfSTS2"
};
svc.AddRelatedObject(rg, "Rules", goldenRule);
Rule silverRule = new Rule()
{
Issuer = issuer,
IssuerId = issuer.Id,
InputClaimType = "http://www.theselfsts2.net/claims/gruppo",
InputClaimValue = "Utenti",
OutputClaimType = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/role",
OutputClaimValue = "Silver",
RuleGroup = rg,
Description = "Map Silver Role SelfSTS2"
};
svc.AddRelatedObject(rg, "Rules", silverRule);
svc.SaveChanges(SaveChangesOptions.Batch);
Console.WriteLine();
Console.WriteLine("-----------------------------------");
Console.WriteLine("Info: Passthrough Rules:");
Console.WriteLine("Info: Passthrough Name Rule created: {0}", namePassthroughRule.Description);
Console.WriteLine("Info: Passthrough Email Rule created: {0}", emailPassthroughRule.Description);
Console.WriteLine();
Console.WriteLine("-----------------------------------");
Console.WriteLine("Info: Roles Rules:");
Console.WriteLine("Info: Golden Rule created: {0}", goldenRule.Description);
Console.WriteLine("Info: Silver Rule created: {0}", silverRule.Description);
}
