private void ReadMetadataIdpDescriptor(ExtendedEntityDescriptor metadata) { var idpDescriptor = metadata.RoleDescriptors .OfType <IdentityProviderSingleSignOnDescriptor>().Single(); // Prefer an endpoint with a redirect binding, then check for POST which // is the other supported by AuthServices. var ssoService = idpDescriptor.SingleSignOnServices .FirstOrDefault(s => s.Binding == Saml2Binding.HttpRedirectUri) ?? idpDescriptor.SingleSignOnServices .First(s => s.Binding == Saml2Binding.HttpPostUri); binding = Saml2Binding.UriToSaml2BindingType(ssoService.Binding); singleSignOnServiceUrl = ssoService.Location; var key = idpDescriptor.Keys .Where(k => k.Use == KeyType.Unspecified || k.Use == KeyType.Signing) .SingleOrDefault(); if (key != null) { signingKey = ((AsymmetricSecurityKey)key.KeyInfo.CreateKey()) .GetAsymmetricAlgorithm(SignedXml.XmlDsigRSASHA1Url, false); } }
private void ReadMetadataIdpDescriptor(ExtendedEntityDescriptor metadata) { var idpDescriptor = metadata.RoleDescriptors .OfType <IdentityProviderSingleSignOnDescriptor>().Single(); // Prefer an endpoint with a redirect binding, then check for POST which // is the other supported by AuthServices. var ssoService = idpDescriptor.SingleSignOnServices .FirstOrDefault(s => s.Binding == Saml2Binding.HttpRedirectUri) ?? idpDescriptor.SingleSignOnServices .FirstOrDefault(s => s.Binding == Saml2Binding.HttpPostUri); if (ssoService != null) { binding = Saml2Binding.UriToSaml2BindingType(ssoService.Binding); singleSignOnServiceUrl = ssoService.Location; } foreach (var ars in idpDescriptor.ArtifactResolutionServices) { artifactResolutionServiceUrls[ars.Value.Index] = ars.Value.Location; } foreach (var ars in artifactResolutionServiceUrls.Keys .Where(k => !idpDescriptor.ArtifactResolutionServices.Keys.Contains(k))) { artifactResolutionServiceUrls.Remove(ars); } var keys = idpDescriptor.Keys.Where(k => k.Use == KeyType.Unspecified || k.Use == KeyType.Signing); signingKeys.SetLoadedItems(keys.Select(k => ((AsymmetricSecurityKey)k.KeyInfo.CreateKey()) .GetAsymmetricAlgorithm(SignedXml.XmlDsigRSASHA1Url, false)).ToList()); }
internal IdentityProvider(IdentityProviderElement config, ISPOptions spOptions) { singleSignOnServiceUrl = config.DestinationUrl; EntityId = new EntityId(config.EntityId); binding = config.Binding; AllowUnsolicitedAuthnResponse = config.AllowUnsolicitedAuthnResponse; metadataUrl = config.MetadataUrl; ShowNameIdPolicy = config.ShowNameIdPolicy; // If configured to load metadata, this will immediately do the load. VerifyCertificate = config.VerifyCertificate; LoadMetadata = config.LoadMetadata; this.spOptions = spOptions; // Certificates from metadata already present, add eventual other certificates // from web.config. var certificate = config.SigningCertificate.LoadCertificate(); if (certificate != null) { signingKeys = new ConfiguredAndLoadedCollection<AsymmetricAlgorithm>(); signingKeys.AddConfiguredItem(certificate.PublicKey.Key); } // Validate if values are only from config. If metadata is loaded, validation // is done on metadata load. if (!LoadMetadata) { Validate(); } }
internal IdentityProvider(IdentityProviderElement config, ISPOptions spOptions) { singleSignOnServiceUrl = config.DestinationUrl; EntityId = new EntityId(config.EntityId); binding = config.Binding; AllowUnsolicitedAuthnResponse = config.AllowUnsolicitedAuthnResponse; metadataUrl = config.MetadataUrl; LoadMetadata = config.LoadMetadata; this.spOptions = spOptions; var certificate = config.SigningCertificate.LoadCertificate(); if (certificate != null) { signingKey = certificate.PublicKey.Key; } try { if (LoadMetadata) { DoLoadMetadata(); } Validate(); } catch (WebException) { // If we had a web exception, the metadata failed. It will // be automatically retried. } }
internal IdentityProvider(IdentityProviderElement config, ISPOptions spOptions) { singleSignOnServiceUrl = config.DestinationUrl; EntityId = new EntityId(config.EntityId); binding = config.Binding; AllowUnsolicitedAuthnResponse = config.AllowUnsolicitedAuthnResponse; metadataLocation = string.IsNullOrEmpty(config.MetadataLocation) ? null : config.MetadataLocation; WantAuthnRequestsSigned = config.WantAuthnRequestsSigned; var certificate = config.SigningCertificate.LoadCertificate(); if (certificate != null) { signingKeys.AddConfiguredKey( new X509RawDataKeyIdentifierClause(certificate)); } // If configured to load metadata, this will immediately do the load. LoadMetadata = config.LoadMetadata; this.spOptions = spOptions; // Validate if values are only from config. If metadata is loaded, validation // is done on metadata load. if (!LoadMetadata) { Validate(); } }
internal IdentityProvider(IdentityProviderElement config, SPOptions spOptions) { singleSignOnServiceUrl = config.SignOnUrl; SingleLogoutServiceUrl = config.LogoutUrl; EntityId = new EntityId(config.EntityId); binding = config.Binding; AllowUnsolicitedAuthnResponse = config.AllowUnsolicitedAuthnResponse; metadataLocation = string.IsNullOrEmpty(config.MetadataLocation) ? null : config.MetadataLocation; WantAuthnRequestsSigned = config.WantAuthnRequestsSigned; DisableOutboundLogoutRequests = config.DisableOutboundLogoutRequests; var certificate = config.SigningCertificate.LoadCertificate(); if (certificate != null) { signingKeys.AddConfiguredKey( new X509RawDataKeyIdentifierClause(certificate)); } foreach (var ars in config.ArtifactResolutionServices) { ArtifactResolutionServiceUrls[ars.Index] = ars.Location; } // If configured to load metadata, this will immediately do the load. this.spOptions = spOptions; LoadMetadata = config.LoadMetadata; // Validate if values are only from config. If metadata is loaded, validation // is done on metadata load. if (!LoadMetadata) { Validate(); } }
internal IdentityProvider(IdentityProviderElement config, ISPOptions spOptions) { singleSignOnServiceUrl = config.DestinationUrl; EntityId = new EntityId(config.EntityId); binding = config.Binding; AllowUnsolicitedAuthnResponse = config.AllowUnsolicitedAuthnResponse; metadataUrl = config.MetadataUrl; var certificate = config.SigningCertificate.LoadCertificate(); if (certificate != null) { signingKeys.AddConfiguredItem(certificate.PublicKey.Key); } // If configured to load metadata, this will immediately do the load. LoadMetadata = config.LoadMetadata; this.spOptions = spOptions; // Validate if values are only from config. If metadata is loaded, validation // is done on metadata load. if (!LoadMetadata) { Validate(); } }
/// <summary> /// Gets the Uri for a Saml2BindingType. /// </summary> /// <param name="type">Saml2BindingType</param> /// <returns>Uri constant for the speicified Binding Type</returns> /// <exception cref="ArgumentException">If the type is not mapped.</exception> public static Uri Saml2BindingTypeToUri(Saml2BindingType type) { if (bindingUriMap.TryGetValue(type, out Uri uri)) { return(uri); } var msg = string.Format(CultureInfo.InvariantCulture, "Unknown Saml2 Binding Type \"{0}\".", type); throw new ArgumentException(msg); }
/// <summary> /// Get a cached binding instance that supports the requested type. /// </summary> /// <param name="binding">Type of binding to get</param> /// <returns>A derived class instance that supports the requested binding.</returns> public static Saml2Binding Get(Saml2BindingType binding) { try { return bindings[binding]; } catch(KeyNotFoundException ex) { throw new ArgumentException(string.Format(CultureInfo.InvariantCulture, "{0} is not a valid value for the Saml2BindingType enum. Have you forgotten to configure a binding for your identity provider?", binding), ex); } }
/// <summary> /// Get a cached binding instance that supports the requested type. /// </summary> /// <param name="binding">Type of binding to get</param> /// <returns>A derived class instance that supports the requested binding.</returns> public static Saml2Binding Get(Saml2BindingType binding) { try { return(bindings[binding]); } catch (KeyNotFoundException ex) { throw new ArgumentException(string.Format(CultureInfo.InvariantCulture, "{0} is not a valid value for the Saml2BindingType enum. Have you forgotten to configure a binding for your identity provider?", binding), ex); } }
private void ReadMetadataIdpDescriptor(ExtendedEntityDescriptor metadata) { var idpDescriptor = metadata.RoleDescriptors .OfType <IdentityProviderSingleSignOnDescriptor>().Single(); WantAuthnRequestsSigned = idpDescriptor.WantAuthenticationRequestsSigned; // Prefer an endpoint with a redirect binding, then check for POST which // is the other supported by AuthServices. var ssoService = idpDescriptor.SingleSignOnServices .FirstOrDefault(s => s.Binding == Saml2Binding.HttpRedirectUri) ?? idpDescriptor.SingleSignOnServices .FirstOrDefault(s => s.Binding == Saml2Binding.HttpPostUri); if (ssoService != null) { binding = Saml2Binding.UriToSaml2BindingType(ssoService.Binding); singleSignOnServiceUrl = ssoService.Location; } var sloService = idpDescriptor.SingleLogoutServices .Where(slo => slo.Binding == Saml2Binding.HttpRedirectUri || slo.Binding == Saml2Binding.HttpPostUri) .FirstOrDefault(); if (sloService != null) { SingleLogoutServiceUrl = sloService.Location; SingleLogoutServiceBinding = Saml2Binding.UriToSaml2BindingType(sloService.Binding); singleLogoutServiceResponseUrl = sloService.ResponseLocation; } foreach (var ars in idpDescriptor.ArtifactResolutionServices) { artifactResolutionServiceUrls[ars.Value.Index] = ars.Value.Location; } foreach (var ars in artifactResolutionServiceUrls.Keys .Where(k => !idpDescriptor.ArtifactResolutionServices.Keys.Contains(k))) { artifactResolutionServiceUrls.Remove(ars); } var keys = idpDescriptor.Keys.Where(k => k.Use == KeyType.Unspecified || k.Use == KeyType.Signing); signingKeys.SetLoadedItems(keys.Select(k => k.KeyInfo.First(c => c.CanCreateKey)).ToList()); }
private void ReadMetadataIdpDescriptor(EntityDescriptor metadata) { var idpDescriptor = metadata.RoleDescriptors .OfType <IdpSsoDescriptor>().Single(); WantAuthnRequestsSigned = idpDescriptor.WantAuthnRequestsSigned ?? false; var ssoService = GetPreferredEndpoint(idpDescriptor.SingleSignOnServices); if (ssoService != null) { binding = Saml2Binding.UriToSaml2BindingType(ssoService.Binding); singleSignOnServiceUrl = ssoService.Location; } var sloService = GetPreferredEndpoint(idpDescriptor.SingleLogoutServices); if (sloService != null) { SingleLogoutServiceUrl = sloService.Location; SingleLogoutServiceBinding = Saml2Binding.UriToSaml2BindingType(sloService.Binding); singleLogoutServiceResponseUrl = sloService.ResponseLocation; } foreach (var kv in idpDescriptor.ArtifactResolutionServices) { var ars = kv.Value; artifactResolutionServiceUrls[ars.Index] = ars.Location; } var arsKeys = idpDescriptor.ArtifactResolutionServices.ToLookup(x => x.Value.Index); foreach (var ars in artifactResolutionServiceUrls.Keys .Where(k => !arsKeys.Contains(k))) { artifactResolutionServiceUrls.Remove(ars); } var keys = idpDescriptor.Keys.Where(k => k.Use == KeyType.Unspecified || k.Use == KeyType.Signing); signingKeys.SetLoadedItems(keys.Select(k => k.KeyInfo .MakeSecurityKeyIdentifier().First(c => c.CanCreateKey)).ToList()); }
/// <summary> /// Get a cached binding instance that supports the requested type. /// </summary> /// <param name="binding">Type of binding to get</param> /// <returns>A derived class instance that supports the requested binding.</returns> public static Saml2Binding Get(Saml2BindingType binding) { return(bindings[binding]); }
public AssertionModel() { ResponseBinding = Saml2BindingType.HttpPost; }
private void ReadMetadataIdpDescriptor(ExtendedEntityDescriptor metadata) { var idpDescriptor = metadata.RoleDescriptors .OfType<IdentityProviderSingleSignOnDescriptor>().Single(); WantAuthnRequestsSigned = idpDescriptor.WantAuthenticationRequestsSigned; // Prefer an endpoint with a redirect binding, then check for POST which // is the other supported by AuthServices. var ssoService = idpDescriptor.SingleSignOnServices .FirstOrDefault(s => s.Binding == Saml2Binding.HttpRedirectUri) ?? idpDescriptor.SingleSignOnServices .FirstOrDefault(s => s.Binding == Saml2Binding.HttpPostUri); if (ssoService != null) { binding = Saml2Binding.UriToSaml2BindingType(ssoService.Binding); singleSignOnServiceUrl = ssoService.Location; } var sloService = idpDescriptor.SingleLogoutServices .Where(slo => slo.Binding == Saml2Binding.HttpRedirectUri || slo.Binding == Saml2Binding.HttpPostUri) .FirstOrDefault(); if (sloService != null) { SingleLogoutServiceUrl = sloService.Location; SingleLogoutServiceBinding = Saml2Binding.UriToSaml2BindingType(sloService.Binding); singleLogoutServiceResponseUrl = sloService.ResponseLocation; } foreach (var ars in idpDescriptor.ArtifactResolutionServices) { artifactResolutionServiceUrls[ars.Value.Index] = ars.Value.Location; } foreach (var ars in artifactResolutionServiceUrls.Keys .Where(k => !idpDescriptor.ArtifactResolutionServices.Keys.Contains(k))) { artifactResolutionServiceUrls.Remove(ars); } var keys = idpDescriptor.Keys.Where(k => k.Use == KeyType.Unspecified || k.Use == KeyType.Signing); signingKeys.SetLoadedItems(keys.Select(k => k.KeyInfo.First(c => c.CanCreateKey)).ToList()); }
private void ReadMetadataIdpDescriptor(ExtendedEntityDescriptor metadata) { var idpDescriptor = metadata.RoleDescriptors .OfType<IdentityProviderSingleSignOnDescriptor>().Single(); // Prefer an endpoint with a redirect binding, then check for POST which // is the other supported by AuthServices. var ssoService = idpDescriptor.SingleSignOnServices .FirstOrDefault(s => s.Binding == Saml2Binding.HttpRedirectUri) ?? idpDescriptor.SingleSignOnServices .First(s => s.Binding == Saml2Binding.HttpPostUri); binding = Saml2Binding.UriToSaml2BindingType(ssoService.Binding); singleSignOnServiceUrl = ssoService.Location; var key = idpDescriptor.Keys .Where(k => k.Use == KeyType.Unspecified || k.Use == KeyType.Signing) .SingleOrDefault(); if (key != null) { signingKey = ((AsymmetricSecurityKey)key.KeyInfo.CreateKey()) .GetAsymmetricAlgorithm(SignedXml.XmlDsigRSASHA1Url, false); } }
/// <summary> /// Get a cached binding instance that supports the requested type. /// </summary> /// <param name="binding">Type of binding to get</param> /// <returns>A derived class instance that supports the requested binding.</returns> public static Saml2Binding Get(Saml2BindingType binding) { return bindings[binding]; }
private void ReadMetadataIdpDescriptor(ExtendedEntityDescriptor metadata) { var idpDescriptor = metadata.RoleDescriptors .OfType<IdentityProviderSingleSignOnDescriptor>().Single(); // Prefer an endpoint with a redirect binding, then check for POST which // is the other supported by AuthServices. var ssoService = idpDescriptor.SingleSignOnServices .FirstOrDefault(s => s.Binding == Saml2Binding.HttpRedirectUri) ?? idpDescriptor.SingleSignOnServices .FirstOrDefault(s => s.Binding == Saml2Binding.HttpPostUri); if (ssoService != null) { binding = Saml2Binding.UriToSaml2BindingType(ssoService.Binding); singleSignOnServiceUrl = ssoService.Location; } foreach(var ars in idpDescriptor.ArtifactResolutionServices) { artifactResolutionServiceUrls[ars.Value.Index] = ars.Value.Location; } foreach (var ars in artifactResolutionServiceUrls.Keys .Where(k => !idpDescriptor.ArtifactResolutionServices.Keys.Contains(k))) { artifactResolutionServiceUrls.Remove(ars); } var keys = idpDescriptor.Keys.Where(k => k.Use == KeyType.Unspecified || k.Use == KeyType.Signing); signingKeys.SetLoadedItems(keys.Select(k => ((AsymmetricSecurityKey)k.KeyInfo.CreateKey()) .GetAsymmetricAlgorithm(SignedXml.XmlDsigRSASHA1Url, false)).ToList()); }
/// <summary> /// Gets the Uri for a Saml2BindingType. /// </summary> /// <param name="type">Saml2BindingType</param> /// <returns>Uri constant for the speicified Binding Type</returns> /// <exception cref="ArgumentException">If the type is not mapped.</exception> public static Uri Saml2BindingTypeToUri(Saml2BindingType type) { Uri uri; if (bindingUriMap.TryGetValue(type, out uri)) { return uri; } var msg = string.Format(CultureInfo.InvariantCulture, "Unknown Saml2 Binding Type \"{0}\".", type); throw new ArgumentException(msg); }
private void ReadMetadataIdpDescriptor(ExtendedEntityDescriptor metadata) { var idpDescriptor = metadata.RoleDescriptors .OfType<IdentityProviderSingleSignOnDescriptor>().Single(); WantAuthnRequestsSigned = idpDescriptor.WantAuthenticationRequestsSigned; var ssoService = GetPreferredEndpoint(idpDescriptor.SingleSignOnServices); if (ssoService != null) { binding = Saml2Binding.UriToSaml2BindingType(ssoService.Binding); singleSignOnServiceUrl = ssoService.Location; } var sloService = GetPreferredEndpoint(idpDescriptor.SingleLogoutServices); if (sloService != null) { SingleLogoutServiceUrl = sloService.Location; SingleLogoutServiceBinding = Saml2Binding.UriToSaml2BindingType(sloService.Binding); singleLogoutServiceResponseUrl = sloService.ResponseLocation; } foreach (var ars in idpDescriptor.ArtifactResolutionServices) { artifactResolutionServiceUrls[ars.Value.Index] = ars.Value.Location; } foreach (var ars in artifactResolutionServiceUrls.Keys .Where(k => !idpDescriptor.ArtifactResolutionServices.Keys.Contains(k))) { artifactResolutionServiceUrls.Remove(ars); } var keys = idpDescriptor.Keys.Where(k => k.Use == KeyType.Unspecified || k.Use == KeyType.Signing); signingKeys.SetLoadedItems(keys.Select(k => k.KeyInfo.First(c => c.CanCreateKey)).ToList()); }