private GenericXmlSecurityToken BuildSamlToken <T>(T contract) where T : SamlTokenContract
{
var signingCredentials = SetSigningCredentials(contract);
SecurityTokenDescriptor tokenDescriptor = BuildSAMLDescriptorUsingXspaProfile(contract);
tokenDescriptor.TokenType = CustomSaml2TokenConstants.SAML2TokenType;
tokenDescriptor.SigningCredentials = signingCredentials;
if (contract.EncryptingCertificate != null)
{
var encryptingCredentials = new EncryptedKeyEncryptingCredentials(contract.EncryptingCertificate,
contract.AlgorithmSuite.DefaultAsymmetricKeyWrapAlgorithm,
contract.AlgorithmSuite.DefaultEncryptionKeyDerivationLength,
contract.AlgorithmSuite.DefaultEncryptionAlgorithm);
tokenDescriptor.EncryptingCredentials = encryptingCredentials;
}
SetConfirmationMethod(contract, tokenDescriptor);
tokenDescriptor.AddAuthenticationClaims(contract.AuthenticationContext);
var samlToken = Saml2Handler.CreateToken(tokenDescriptor) as Saml2SecurityToken;
if (samlToken == null)
{
throw new Exception("Failed to create Saml2 Security token");
}
return(SetSecurityToken(contract, samlToken, Saml2Handler, tokenDescriptor));
}
public static Saml2SecurityToken ClaimsToSaml2SenderVouchesToken(ClaimsIdentity claimsId, string issuerUrl, X509Certificate2 cert)
{
var descriptor = new SecurityTokenDescriptor
{
Subject = claimsId,
TokenIssuerName = issuerUrl,
Lifetime = new Lifetime(DateTime.Now.ToUniversalTime() - TimeSpan.FromHours(12), DateTime.Now.ToUniversalTime() + TimeSpan.FromHours(12)),
SigningCredentials = new X509SigningCredentials(cert, SecurityAlgorithms.RsaSha1Signature, SecurityAlgorithms.Sha1Digest)
};
descriptor.AddAuthenticationClaims(Saml2Constants.AuthenticationContextClasses.X509.ToString(), DateTime.Now.ToUniversalTime());
Saml2SecurityToken token = new AccessPointTokenHandler().CreateToken(descriptor) as Saml2SecurityToken;
return(token);
}
private GenericXmlSecurityToken GenerateSAML2Token()
{
var signingCertificatePrivateKey = new X509Certificate2(Settings.Default.CertificatePath,
Settings.Default.Passphrase);
var encryptingCertificatePublicKey = signingCertificatePrivateKey;
//new X509Certificate2(@"C:\Users\ed2ny1e\Documents\CommonWell\Integration Certificates\McKesson.cer");
string signingAlgorithm = SignatureAlgorithm.Sha256;
string digestAlgorithm = DigestAlgorithm.Sha256;
SigningCredentials signingCredentials = null;
SymmetricProofDescriptor proof = CreateSymmetricProofDescriptor(encryptingCertificatePublicKey);
switch (ComboBoxSigningAlgorithm.SelectedValue.ToString())
{
case "SHA1":
signingAlgorithm = SignatureAlgorithm.Sha1;
break;
case "SHA256":
signingAlgorithm = SignatureAlgorithm.Sha256;
break;
}
switch (ComboBoxDigestAlgorithm.SelectedValue.ToString())
{
case "SHA1":
digestAlgorithm = DigestAlgorithm.Sha1;
break;
case "SHA256":
digestAlgorithm = DigestAlgorithm.Sha256;
break;
}
if (Rsa.IsChecked.HasValue && Rsa.IsChecked.Value)
{
var rsa = signingCertificatePrivateKey.PrivateKey as RSACryptoServiceProvider;
if (rsa != null)
{
var rsaKey = new RsaSecurityKey(rsa);
var rsaClause = new RsaKeyIdentifierClause(rsa);
var ski = new SecurityKeyIdentifier(new SecurityKeyIdentifierClause[] { rsaClause });
signingCredentials = new SigningCredentials(rsaKey, signingAlgorithm, digestAlgorithm, ski);
}
}
else
{
var clause =
new X509SecurityToken(signingCertificatePrivateKey)
.CreateKeyIdentifierClause <X509RawDataKeyIdentifierClause>();
var ski = new SecurityKeyIdentifier(clause);
signingCredentials = new X509SigningCredentials(signingCertificatePrivateKey, ski, signingAlgorithm,
digestAlgorithm);
}
SecurityTokenDescriptor tokenDescriptor = BuildSAMLDescriptorUsingXspaProfile();
tokenDescriptor.TokenType = WSTrust.TokenType;
tokenDescriptor.SigningCredentials = signingCredentials;
if (CheckBoxEncrypt.IsChecked.HasValue && CheckBoxEncrypt.IsChecked.Value)
{
const string keyWrapAlgorithm = WSTrust.KeyWrapAlgorithm;
const string encryptionAlgorithm = WSTrust.EncryptionAlgorithm;
var encryptingCredentials = new EncryptedKeyEncryptingCredentials(encryptingCertificatePublicKey,
keyWrapAlgorithm, WSTrust.KeySize, encryptionAlgorithm);
tokenDescriptor.EncryptingCredentials = encryptingCredentials;
}
switch (ComboBoxConfirmation.SelectedValue.ToString())
{
case "holder":
if (AsymmetricKey.IsChecked != null && (bool)AsymmetricKey.IsChecked)
{
tokenDescriptor.Proof = CreateAsymmetricProofDescriptor(encryptingCertificatePublicKey);
}
else
{
tokenDescriptor.Proof = proof;
}
break;
case "sender":
//TODO
break;
}
var tokenHandler = new CustomSaml2SecurityTokenHandler();
tokenDescriptor.AddAuthenticationClaims("uurn:oasis:names:tc:SAML:2.0:ac:classes:X509");
var outputToken = tokenHandler.CreateToken(tokenDescriptor) as Saml2SecurityToken;
if (outputToken == null)
{
throw new Exception("Failed to create Saml2 Security token");
}
// turn token into a generic xml security token
var outputTokenString = outputToken.ToTokenXmlString();
// create attached and unattached references
var attachedReference = tokenHandler.CreateSecurityTokenReference(outputToken, true);
var unattachedReference = tokenHandler.CreateSecurityTokenReference(outputToken, false);
GenericXmlSecurityToken xmlToken;
if (ComboBoxConfirmation.SelectedValue.ToString().Equals("holder"))
{
xmlToken = new GenericXmlSecurityToken(
GetElement(outputTokenString),
new BinarySecretSecurityToken(proof.GetKeyBytes()),
DateTime.UtcNow,
DateTime.UtcNow.AddHours(1),
attachedReference,
unattachedReference,
new ReadOnlyCollection <IAuthorizationPolicy>(new List <IAuthorizationPolicy>()));
}
else
{
xmlToken = new GenericXmlSecurityToken(
GetElement(outputTokenString),
null,
DateTime.UtcNow,
DateTime.UtcNow.AddHours(8),
attachedReference,
unattachedReference,
new ReadOnlyCollection <IAuthorizationPolicy>(new List <IAuthorizationPolicy>()));
}
return(xmlToken);
}