public void IdentityProvider_CreateAuthenticateRequest_BasicInfo()
{
var options = Options.FromConfiguration;
var idp = options.IdentityProviders.Default;
var urls = StubFactory.CreateAuthServicesUrls();
var subject = idp.CreateAuthenticateRequest(null, urls);
var expected = new Saml2AuthenticationRequest()
{
AssertionConsumerServiceUrl = urls.AssertionConsumerServiceUrl,
DestinationUrl = idp.SingleSignOnServiceUrl,
Issuer = options.SPOptions.EntityId,
AttributeConsumingServiceIndex = 0,
NameIdPolicy = new Saml2NameIdPolicy(true, NameIdFormat.EntityIdentifier),
RequestedAuthnContext = new Saml2RequestedAuthnContext(
new Uri("urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport"),
AuthnContextComparisonType.Minimum)
};
subject.ShouldBeEquivalentTo(expected, opt => opt
.Excluding(au => au.Id)
.Excluding(au => au.RelayState));
subject.RelayState.Should().HaveLength(56);
}
public void Saml2AuthenticationRequest_ToXElement_RootNode()
{
var subject = new Saml2AuthenticationRequest().ToXElement();
subject.Should().NotBeNull().And.Subject.Name.Should().Be(
Saml2Namespaces.Saml2P + "AuthnRequest");
}
public void Saml2AuthenticationRequest_ForceAuthentication_OmittedIfFalse()
{
var subject = new Saml2AuthenticationRequest() {
ForceAuthentication = false
}.ToXElement();
subject.Should().NotBeNull().And.Subject.Attribute("ForceAuthn").Should().BeNull();
}
public void Saml2AuthenticationRequest_ForceAuthentication()
{
var subject = new Saml2AuthenticationRequest() {
ForceAuthentication = true
}.ToXElement();
subject.Should().NotBeNull().And.Subject.Attribute("ForceAuthn")
.Should().NotBeNull().And.Subject.Value.Should().Be("true");
}
public void Saml2AuthenticationRequest_ToXElement_AddsAttributeConsumingServiceIndex()
{
var subject = new Saml2AuthenticationRequest()
{
AttributeConsumingServiceIndex = 17
}.ToXElement();
subject.Attribute("AttributeConsumingServiceIndex").Value.Should().Be("17");
}
public void Saml2AuthenticationRequest_ToXElement_AddsRequestBaseFields()
{
// Just checking for the id field and assuming that means that the
// base fields are added. The details of the fields are tested
// by Saml2RequestBaseTests.
var subject = new Saml2AuthenticationRequest().ToXElement();
subject.Should().NotBeNull().And.Subject.Attribute("ID").Should().NotBeNull();
subject.Attribute("AttributeConsumingServiceIndex").Should().BeNull();
}
public void Saml2AuthenticationRequest_AssertionConsumerServiceUrl()
{
string url = "http://some.example.com/Saml2AuthenticationModule/acs";
var subject = new Saml2AuthenticationRequest()
{
AssertionConsumerServiceUrl = new Uri(url)
}.ToXElement();
subject.Should().NotBeNull().And.Subject.Attribute("AssertionConsumerServiceURL")
.Should().NotBeNull().And.Subject.Value.Should().Be(url);
}
public ActionResult Index(Guid? idpId)
{
var model = new HomePageModel
{
AssertionModel = AssertionModel.CreateFromConfiguration(),
};
if (idpId.HasValue)
{
var fileData = GetCachedConfiguration(idpId.Value);
if (fileData != null)
{
if (!string.IsNullOrEmpty(fileData.DefaultAssertionConsumerServiceUrl))
{
// Override default StubIdp Acs with Acs from IdpConfiguration
model.AssertionModel.AssertionConsumerServiceUrl = fileData.DefaultAssertionConsumerServiceUrl;
}
if(!string.IsNullOrEmpty(fileData.DefaultAssertionConsumerServiceUrl))
{
model.AssertionModel.Audience = fileData.DefaultAudience;
}
model.CustomDescription = fileData.IdpDescription;
model.AssertionModel.NameId = null;
model.HideDetails = fileData.HideDetails;
}
}
var requestData = Request.ToHttpRequestData(false);
if (requestData.QueryString["SAMLRequest"].Any())
{
var extractedMessage = Saml2Binding.Get(Saml2BindingType.HttpRedirect)
.Unbind(requestData, null);
var request = new Saml2AuthenticationRequest(
extractedMessage.Data,
extractedMessage.RelayState);
model.AssertionModel.InResponseTo = request.Id.Value;
model.AssertionModel.AssertionConsumerServiceUrl = request.AssertionConsumerServiceUrl.ToString();
model.AssertionModel.RelayState = extractedMessage.RelayState;
model.AssertionModel.Audience = request.Issuer.Id;
model.AssertionModel.AuthnRequestXml = extractedMessage.Data.PrettyPrint();
}
return View(model);
}
public void IdentityProvider_CreateAuthenticateRequest_BasicInfo()
{
var options = Options.FromConfiguration;
var idp = options.IdentityProviders.Default;
var urls = StubFactory.CreateAuthServicesUrls();
var subject = idp.CreateAuthenticateRequest(null, urls);
var expected = new Saml2AuthenticationRequest()
{
AssertionConsumerServiceUrl = urls.AssertionConsumerServiceUrl,
DestinationUrl = idp.SingleSignOnServiceUrl,
Issuer = options.SPOptions.EntityId,
AttributeConsumingServiceIndex = 0,
};
subject.ShouldBeEquivalentTo(expected, opt => opt.Excluding(au => au.Id));
}
public void IdentityProvider_CreateAuthenticateRequest_BasicInfo()
{
var options = Options.FromConfiguration;
var idp = options.IdentityProviders.Default;
var urls = StubFactory.CreateAuthServicesUrls();
var subject = idp.CreateAuthenticateRequest(null, urls);
var expected = new Saml2AuthenticationRequest()
{
AssertionConsumerServiceUrl = urls.AssertionConsumerServiceUrl,
DestinationUrl = idp.SingleSignOnServiceUrl,
Issuer = options.SPOptions.EntityId,
AttributeConsumingServiceIndex = 0,
NameIdPolicy = new Saml2NameIdPolicy { AllowCreate = true, Format = NameIdFormat.EntityIdentifier}
};
subject.ShouldBeEquivalentTo(expected, opt => opt
.Excluding(au => au.Id)
.Excluding(au => au.RelayState));
subject.RelayState.Should().HaveLength(56);
}
public void IdentityProvider_CreateAuthenticateRequest_PublicOrigin()
{
var origin = new Uri("https://my.public.origin:8443/");
var options = StubFactory.CreateOptionsPublicOrigin(origin);
var idp = options.IdentityProviders.Default;
var urls = StubFactory.CreateAuthServicesUrlsPublicOrigin(origin);
var subject = idp.CreateAuthenticateRequest(urls);
var expected = new Saml2AuthenticationRequest()
{
AssertionConsumerServiceUrl = urls.AssertionConsumerServiceUrl,
DestinationUrl = idp.SingleSignOnServiceUrl,
Issuer = options.SPOptions.EntityId,
AttributeConsumingServiceIndex = 0
};
subject.ShouldBeEquivalentTo(expected, opt => opt
.Excluding(au => au.Id)
.Excluding(au => au.RelayState));
}
public void IdentityProvider_CreateAuthenticateRequest_NoAttributeIndex()
{
var options = StubFactory.CreateOptions();
var idp = options.IdentityProviders.Default;
var urls = StubFactory.CreateAuthServicesUrls();
options.SPOptions.AttributeConsumingServices.Clear();
var subject = idp.CreateAuthenticateRequest(urls);
var expected = new Saml2AuthenticationRequest()
{
AssertionConsumerServiceUrl = urls.AssertionConsumerServiceUrl,
DestinationUrl = idp.SingleSignOnServiceUrl,
Issuer = options.SPOptions.EntityId,
AttributeConsumingServiceIndex = null
};
subject.ShouldBeEquivalentTo(expected, opt => opt
.Excluding(au => au.Id)
.Excluding(au => au.RelayState));
}
public void Saml2AuthenticationRequest_ToXElement_AddsElementSaml2NameIdPolicy()
{
var subject = new Saml2AuthenticationRequest()
{
AssertionConsumerServiceUrl = new Uri("http://destination.example.com"),
NameIdPolicy = new Saml2NameIdPolicy { AllowCreate = false, Format = NameIdFormat.EmailAddress}
}.ToXElement();
XNamespace ns = "urn:oasis:names:tc:SAML:2.0:protocol";
subject.Attribute("AttributeConsumingServiceIndex").Should().BeNull();
subject.Should().NotBeNull().And.Subject.Element(ns + "NameIDPolicy").Should().NotBeNull();
}
public void Saml2AuthenticateRequest_ToXElement_OmitsRequestedAuthnContext_OnNullClassRef()
{
var subject = new Saml2AuthenticationRequest()
{
AssertionConsumerServiceUrl = new Uri("http://destination.example.com"),
RequestedAuthnContext = new Saml2RequestedAuthnContext(null, AuthnContextComparisonType.Exact)
}.ToXElement();
subject.Element(Saml2Namespaces.Saml2P + "RequestedAuthnContext").Should().BeNull();
}
public void Saml2AuthenticationRequest_ToXElement_NameFormatTransientForbidsAllowCreate()
{
var subject = new Saml2AuthenticationRequest()
{
AssertionConsumerServiceUrl = new Uri("http://destination.example.com"),
NameIdPolicy = new Saml2NameIdPolicy(true, NameIdFormat.Transient)
};
subject.Invoking(s => s.ToXElement())
.ShouldThrow<InvalidOperationException>()
.And.Message.Should().Be("When NameIdPolicy/Format is set to Transient, it is not permitted to specify AllowCreate. Change Format or leave AllowCreate as null.");
}
public void Saml2AuthenticationRequest_ToXElement_AddsRequestedAuthnContext()
{
var classRef = "http://www.kentor.se";
var subject = new Saml2AuthenticationRequest()
{
AssertionConsumerServiceUrl = new Uri("http://destination.example.com"),
RequestedAuthnContext = new Saml2RequestedAuthnContext(new Uri(classRef), AuthnContextComparisonType.Maximum)
}.ToXElement();
var expected = new XElement(Saml2Namespaces.Saml2P + "root",
new XAttribute(XNamespace.Xmlns + "saml2p", Saml2Namespaces.Saml2P),
new XAttribute(XNamespace.Xmlns + "saml2", Saml2Namespaces.Saml2),
new XElement(Saml2Namespaces.Saml2P + "RequestedAuthnContext",
new XAttribute("Comparison", "Maximum"),
new XElement(Saml2Namespaces.Saml2 + "AuthnContextClassRef", classRef)))
.Elements().Single();
var actual = subject.Element(Saml2Namespaces.Saml2P + "RequestedAuthnContext");
actual.Should().BeEquivalentTo(expected);
}
public void Saml2AuthenticationRequest_ToXElement_AddsScoping()
{
var requesterId = "urn://requesterid/";
var location = "http://location";
var name = "name";
var providerId = "urn:providerId";
var subject = new Saml2AuthenticationRequest()
{
AssertionConsumerServiceUrl = new Uri("http://destination.example.com"),
Scoping = new Saml2Scoping()
{
ProxyCount = 5
}
.With(new Saml2IdpEntry(new EntityId(providerId))
{
Name = name,
Location = new Uri(location)
})
.WithRequesterId(new EntityId(requesterId))
};
var actual = subject.ToXElement().Element(Saml2Namespaces.Saml2P + "Scoping");
var expected = new XElement(Saml2Namespaces.Saml2P + "Scoping",
new XAttribute("ProxyCount", "5"),
new XElement(Saml2Namespaces.Saml2P + "IDPList",
new XElement(Saml2Namespaces.Saml2P + "IDPEntry",
new XAttribute("ProviderID", providerId),
new XAttribute("Name", name),
new XAttribute("Loc", location))),
new XElement(Saml2Namespaces.Saml2P + "RequesterID", requesterId.ToString()));
actual.Should().BeEquivalentTo(expected);
}
public void Saml2AuthenticationRequest_ToXElement_AddsElementSaml2NameIdPolicy_ForNameIdFormat()
{
var subject = new Saml2AuthenticationRequest()
{
AssertionConsumerServiceUrl = new Uri("http://destination.example.com"),
NameIdPolicy = new Saml2NameIdPolicy(null, NameIdFormat.EmailAddress)
}.ToXElement();
var expected = new XElement(Saml2Namespaces.Saml2P + "root",
new XAttribute(XNamespace.Xmlns + "saml2p", Saml2Namespaces.Saml2P),
new XElement(Saml2Namespaces.Saml2P + "NameIDPolicy",
new XAttribute("Format", "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress")))
.Elements().Single();
subject.Element(Saml2Namespaces.Saml2P + "NameIDPolicy")
.Should().BeEquivalentTo(expected);
}
public void Saml2AuthenticationRequest_ToXElement_AddsElementSaml2NameIdPolicy_ForAllowCreate()
{
var subject = new Saml2AuthenticationRequest()
{
AssertionConsumerServiceUrl = new Uri("http://destination.example.com"),
NameIdPolicy = new Saml2NameIdPolicy(false, NameIdFormat.NotConfigured)
}.ToXElement();
var expected = new XElement(Saml2Namespaces.Saml2P + "root",
new XAttribute(XNamespace.Xmlns + "saml2p", Saml2Namespaces.Saml2P),
new XElement(Saml2Namespaces.Saml2P + "NameIDPolicy",
new XAttribute("AllowCreate", false)))
.Elements().Single();
subject.Attribute("AttributeConsumingServiceIndex").Should().BeNull();
subject.Element(Saml2Namespaces.Saml2P + "NameIDPolicy")
.Should().BeEquivalentTo(expected);
}
public void Saml2AuthenticationRequest_ToXElement_Scoping_NullContents_EmptyScoping()
{
var subject = new Saml2AuthenticationRequest()
{
AssertionConsumerServiceUrl = new Uri("http://destination.example.com"),
Scoping = new Saml2Scoping()
}.ToXElement().Element(Saml2Namespaces.Saml2P + "Scoping");
var expected = new XElement(Saml2Namespaces.Saml2P + "root",
new XAttribute(XNamespace.Xmlns + "saml2p", Saml2Namespaces.Saml2P),
new XElement(Saml2Namespaces.Saml2P + "Scoping"))
.Elements().Single();
subject.Should().BeEquivalentTo(expected);
}
public void Saml2AuthenticationRequest_ToXElement_Scoping_ZeroProxyCount_AttributeAdded()
{
var subject = new Saml2AuthenticationRequest()
{
AssertionConsumerServiceUrl = new Uri("http://destination.example.com"),
Scoping = new Saml2Scoping()
{
ProxyCount = 0
}
};
var actual = subject.ToXElement().Element(Saml2Namespaces.Saml2P + "Scoping");
var expected = new XElement(Saml2Namespaces.Saml2P + "root",
new XAttribute(XNamespace.Xmlns + "saml2p", Saml2Namespaces.Saml2P),
new XElement(Saml2Namespaces.Saml2P + "Scoping",
new XAttribute("ProxyCount", "0")))
.Elements().Single();
actual.Should().BeEquivalentTo(expected);
}
private void Saml2AuthenticationRequest_ToXElement_AddsProtocolBinding(AuthServices.WebSso.Saml2BindingType protocolBinding, string expectedProtocolBinding)
{
var subject = new Saml2AuthenticationRequest()
{
AssertionConsumerServiceUrl = new Uri("http://destination.example.com"),
Binding = protocolBinding
}.ToXElement();
subject.Attribute("ProtocolBinding").Value.Should().Be(expectedProtocolBinding);
}