/// <summary>
/// Initializes the object with a UA identity token
/// </summary>
private void Initialize(IssuedIdentityToken token, SecurityTokenSerializer serializer, SecurityTokenResolver resolver)
{
if (token == null)
{
throw new ArgumentNullException("token");
}
string text = new UTF8Encoding().GetString(token.DecryptedTokenData);
XmlDocument document = new XmlDocument();
document.InnerXml = text.Trim();
XmlNodeReader reader = new XmlNodeReader(document.DocumentElement);
try
{
if (document.DocumentElement.NamespaceURI == "urn:oasis:names:tc:SAML:1.0:assertion")
{
SecurityToken samlToken = new SamlSerializer().ReadToken(reader, serializer, resolver);
Initialize(samlToken);
}
else
{
SecurityToken securityToken = serializer.ReadToken(reader, resolver);
Initialize(securityToken);
}
}
finally
{
reader.Close();
}
}
private void ParseToken(string xmlToken, X509Certificate2 cert)
{
int skew = 300; // default to 5 minutes
string tokenskew = System.Configuration.ConfigurationManager.AppSettings["MaximumClockSkew"];
if (!string.IsNullOrEmpty(tokenskew))
{
skew = Int32.Parse(tokenskew);
}
XmlReader tokenReader = new XmlTextReader(new StringReader(xmlToken));
EncryptedData enc = new EncryptedData();
enc.TokenSerializer = WSSecurityTokenSerializer.DefaultInstance;
enc.ReadFrom(tokenReader);
List <SecurityToken> tokens = new List <SecurityToken>();
SecurityToken encryptingToken = new X509SecurityToken(cert);
tokens.Add(encryptingToken);
SecurityTokenResolver tokenResolver = SecurityTokenResolver.CreateDefaultSecurityTokenResolver(tokens.AsReadOnly(), false);
SymmetricSecurityKey encryptingCrypto;
// an error here usually means that you have selected the wrong key.
encryptingCrypto = (SymmetricSecurityKey)tokenResolver.ResolveSecurityKey(enc.KeyIdentifier[0]);
SymmetricAlgorithm algorithm = encryptingCrypto.GetSymmetricAlgorithm(enc.EncryptionMethod);
byte[] decryptedData = enc.GetDecryptedBuffer(algorithm);
SecurityTokenSerializer tokenSerializer = WSSecurityTokenSerializer.DefaultInstance;
XmlReader reader = new XmlTextReader(new StreamReader(new MemoryStream(decryptedData), Encoding.UTF8));
m_token = (SamlSecurityToken)tokenSerializer.ReadToken(reader, tokenResolver);
SamlSecurityTokenAuthenticator authenticator = new SamlSecurityTokenAuthenticator(new List <SecurityTokenAuthenticator>(
new SecurityTokenAuthenticator[] {
new RsaSecurityTokenAuthenticator(),
new X509SecurityTokenAuthenticator()
}), new TimeSpan(0, 0, skew));
if (authenticator.CanValidateToken(m_token))
{
ReadOnlyCollection <IAuthorizationPolicy> policies = authenticator.ValidateToken(m_token);
m_authorizationContext = AuthorizationContext.CreateDefaultAuthorizationContext(policies);
m_identityClaims = FindIdentityClaims(m_authorizationContext);
}
else
{
throw new Exception("Unable to validate the token.");
}
}
protected override SecurityToken ReadTokenCore(XmlReader reader, SecurityTokenResolver tokenResolver)
{
var securityToken = serializer.ReadToken(reader, tokenResolver);
if (securityToken is Saml2SecurityToken)
{
var saml2Token = (Saml2SecurityToken)securityToken;
return(new OIOSaml2SecurityToken(saml2Token.Assertion, saml2Token.SecurityKeys, saml2Token.IssuerToken));
}
return(securityToken);
}
void ReadEntropy()
{
if (reader.IsEmptyElement)
{
throw new XmlException(String.Format("WS-Trust Entropy element is empty.{2}", LineInfo()));
}
reader.ReadStartElement("Entropy", Constants.WstNamespace);
reader.MoveToContent();
req.Entropy = serializer.ReadToken(reader, null);
// after reading a token, </Entropy> should follow.
reader.MoveToContent();
reader.ReadEndElement();
}
object ReadContent(XmlReader reader)
{
reader.MoveToContent();
if (reader.NodeType != XmlNodeType.Element)
{
throw new XmlException(String.Format("Node type {0} is not expected as a WS-Security message header content.", reader.NodeType));
}
switch (reader.NamespaceURI)
{
case Constants.WsuNamespace:
switch (reader.LocalName)
{
case "Timestamp":
return(ReadTimestamp(reader));
}
break;
//case Constants.WstNamespace:
case Constants.Wss11Namespace:
if (reader.LocalName == "SignatureConfirmation")
{
return(ReadSignatureConfirmation(reader, doc));
}
break;
case SignedXml.XmlDsigNamespaceUrl:
switch (reader.LocalName)
{
case "Signature":
WSSignedXml sxml = new WSSignedXml(doc);
sxml.Signature.LoadXml((XmlElement)doc.ReadNode(reader));
UpdateSignatureKeyInfo(sxml.Signature, doc, serializer);
return(sxml);
}
break;
case EncryptedXml.XmlEncNamespaceUrl:
switch (reader.LocalName)
{
case "EncryptedData":
XmlElement el = (XmlElement)doc.ReadNode(reader);
return(CreateEncryptedData(el));
case "ReferenceList":
ReferenceList rl = new ReferenceList();
reader.Read();
for (reader.MoveToContent();
reader.NodeType != XmlNodeType.EndElement;
reader.MoveToContent())
{
switch (reader.LocalName)
{
case "DataReference":
DataReference dref = new DataReference();
dref.LoadXml((XmlElement)doc.ReadNode(reader));
rl.Add(dref);
continue;
case "KeyReference":
KeyReference kref = new KeyReference();
kref.LoadXml((XmlElement)doc.ReadNode(reader));
rl.Add(kref);
continue;
}
throw new XmlException(String.Format("Unexpected {2} node '{0}' in namespace '{1}' in ReferenceList.", reader.Name, reader.NamespaceURI, reader.NodeType));
}
reader.ReadEndElement();
return(rl);
}
break;
}
// SecurityTokenReference will be handled here.
// This order (Token->KeyIdentifierClause) is
// important because WrappedKey could be read
// in both context (but must be a token here).
if (serializer.CanReadToken(reader))
{
return(serializer.ReadToken(reader, resolver));
}
else if (serializer.CanReadKeyIdentifierClause(reader))
{
return(serializer.ReadKeyIdentifierClause(reader));
}
else
{
throw new XmlException(String.Format("Unexpected element '{0}' in namespace '{1}' as a WS-Security message header content.", reader.Name, reader.NamespaceURI));
}
}
void ReadTokenContent()
{
switch (reader.NamespaceURI)
{
case Constants.WstNamespace:
switch (reader.LocalName)
{
case "RequestedSecurityToken":
res.RequestedSecurityToken = (SecurityContextSecurityToken)ReadToken();
return;
case "RequestedProofToken":
#if true // FIXME: we can't handle it right now
string ens = EncryptedXml.XmlEncNamespaceUrl;
reader.Read();
reader.ReadStartElement("EncryptedKey", ens);
string alg = reader.GetAttribute("Algorithm");
bool isEmpty = reader.IsEmptyElement;
reader.ReadStartElement("EncryptionMethod", ens);
if (alg != negotiation_type)
{
throw new XmlException(String.Format("EncryptionMethod '{0}' is not supported in RequestedProofToken.", alg));
}
if (!isEmpty)
{
reader.ReadEndElement();
}
reader.ReadStartElement("CipherData", ens);
reader.ReadStartElement("CipherValue", ens);
byte [] pt = reader.ReadContentAsBase64();
res.RequestedProofToken = pt;
reader.ReadEndElement();
reader.ReadEndElement();
reader.ReadEndElement(); // EncryptedKey
reader.ReadEndElement(); // RPT
#else
reader.Read();
reader.MoveToContent();
if (serializer.CanReadToken(reader))
{
res.RequestedProofToken = serializer.ReadToken(reader, resolver);
}
else
{
res.RequestedProofToken = serializer.ReadKeyIdentifierClause(reader);
}
reader.ReadEndElement();
#endif
return;
case "BinaryExchange":
ReadBinaryExchange();
return;
case "TokenType":
res.TokenType = reader.ReadElementContentAsString();
return;
case "Lifetime":
ReadLifetime();
return;
case "KeySize":
res.KeySize = reader.ReadElementContentAsInt();
return;
case "RequestedAttachedReference":
res.RequestedAttachedReference = ReadTokenReference();
return;
case "RequestedUnattachedReference":
res.RequestedUnattachedReference = ReadTokenReference();
return;
case "Authenticator":
ReadAuthenticator();
return;
}
break;
}
throw new XmlException(String.Format("Unexpected RequestSecurityTokenResponse content element. Name is {0} and namespace URI is {1} {2}", reader.Name, reader.NamespaceURI, LineInfo()));
}