/// <summary>
/// Construct the options from the given configuration section
/// </summary>
/// <param name="configSection"></param>
public SPOptions(KentorAuthServicesSection configSection)
{
if (configSection == null)
{
throw new ArgumentNullException(nameof(configSection));
}
systemIdentityModelIdentityConfiguration = new IdentityConfiguration(true);
ReturnUrl = configSection.ReturnUrl;
MetadataCacheDuration = configSection.Metadata.CacheDuration;
MetadataValidDuration = configSection.Metadata.ValidUntil;
WantAssertionsSigned = configSection.Metadata.WantAssertionsSigned;
ValidateCertificates = configSection.ValidateCertificates;
DiscoveryServiceUrl = configSection.DiscoveryServiceUrl;
EntityId = configSection.EntityId;
ModulePath = configSection.ModulePath;
PublicOrigin = configSection.PublicOrigin;
Organization = configSection.Organization;
AuthenticateRequestSigningBehavior = configSection.AuthenticateRequestSigningBehavior;
NameIdPolicy = new Saml2NameIdPolicy(
configSection.NameIdPolicyElement.AllowCreate, configSection.NameIdPolicyElement.Format);
RequestedAuthnContext = new Saml2RequestedAuthnContext(configSection.RequestedAuthnContext);
configSection.ServiceCertificates.RegisterServiceCertificates(this);
foreach (var acs in configSection.AttributeConsumingServices)
{
AttributeConsumingServices.Add(acs);
}
foreach (var contact in configSection.Contacts)
{
Contacts.Add(contact);
}
}
/// <summary>
/// Construct the options from the given configuration section
/// </summary>
/// <param name="configSection"></param>
public SPOptions(KentorAuthServicesSection configSection)
{
if (configSection == null)
{
throw new ArgumentNullException(nameof(configSection));
}
systemIdentityModelIdentityConfiguration = new IdentityConfiguration(true);
ReturnUrl = configSection.ReturnUrl;
MetadataCacheDuration = configSection.MetadataCacheDuration;
DiscoveryServiceUrl = configSection.DiscoveryServiceUrl;
EntityId = configSection.EntityId;
ModulePath = configSection.ModulePath;
Organization = configSection.Organization;
AuthenticateRequestSigningBehavior = configSection.AuthenticateRequestSigningBehavior;
configSection.ServiceCertificates.RegisterServiceCertificates(this);
foreach (var acs in configSection.AttributeConsumingServices)
{
AttributeConsumingServices.Add(acs);
}
foreach (var contact in configSection.Contacts)
{
Contacts.Add(contact);
}
}
public static void PreAppStart()
{
FederatedAuthentication.FederationConfigurationCreated += (sender, args) =>
{
// Load config
var audience = ConfigurationManager.AppSettings["Auth.AudienceUrl"];
var realm = ConfigurationManager.AppSettings["Auth.AuthenticationRealm"];
var issuer = ConfigurationManager.AppSettings["Auth.AuthenticationIssuer"];
var thumbprint = ConfigurationManager.AppSettings["Auth.AuthenticationIssuerThumbprint"];
var idconfig = new IdentityConfiguration();
idconfig.AudienceRestriction.AllowedAudienceUris.Add(new Uri(audience));
var registry = new ConfigurationBasedIssuerNameRegistry();
registry.AddTrustedIssuer(thumbprint, issuer);
idconfig.IssuerNameRegistry = registry;
var sessionTransforms = new List<CookieTransform>() {
new DeflateCookieTransform(),
new MachineKeyTransform()
};
idconfig.SecurityTokenHandlers.AddOrReplace(new SessionSecurityTokenHandler(sessionTransforms.AsReadOnly()));
var wsfedconfig = new WsFederationConfiguration(issuer, realm);
wsfedconfig.PersistentCookiesOnPassiveRedirects = true;
wsfedconfig.PassiveRedirectEnabled = true;
args.FederationConfiguration.IdentityConfiguration = idconfig;
args.FederationConfiguration.WsFederationConfiguration = wsfedconfig;
args.FederationConfiguration.CookieHandler = new ChunkedCookieHandler();
};
}
protected override void ValidateTestCase( string testVariation )
{
IdentityConfiguration identityConfig = new IdentityConfiguration( IdentityConfiguration.DefaultServiceName );
Assert.IsNotNull( identityConfig.IssuerTokenResolver );
Assert.IsFalse( identityConfig.IssuerTokenResolver.GetType() != typeof( NamedKeyIssuerTokenResolver ) , string.Format( "Expected identityConfiguration.IsuerTokenResolver.GetType() == typeof( NamedKeyIssuerTokenResolver ), was: '{0}'", identityConfig.IssuerTokenResolver.GetType() ) );
NamedKeyIssuerTokenResolver resolver = identityConfig.IssuerTokenResolver as NamedKeyIssuerTokenResolver;
Assert.IsTrue( resolver.SecurityKeys.Count == 0 );
Assert.IsTrue( IssuerTokenResolver.DefaultStoreName == StoreName.TrustedPeople );
Assert.IsTrue( IssuerTokenResolver.DefaultStoreLocation == StoreLocation.LocalMachine );
// Should not find key
SecurityKey key = null;
NamedKeySecurityKeyIdentifierClause clause = new NamedKeySecurityKeyIdentifierClause( "keyName", "KeyingMaterial.SymmetricKeyBytes_256" );
Assert.IsFalse( resolver.TryResolveSecurityKey( clause, out key ) );
Assert.IsNull( key );
// Should not find token
SecurityToken token = null;
Assert.IsFalse( resolver.TryResolveToken( clause, out token ) );
Assert.IsNull( token );
}
private void SetupFederatedLogin()
{
FederatedAuthentication.FederationConfigurationCreated += (sender, args) =>
{
var config = Kernel.Get<IConfigurationService>();
var idconfig = new IdentityConfiguration();
idconfig.AudienceRestriction.AllowedAudienceUris.Add(new Uri(config.Auth.AudienceUrl));
var registry = new ConfigurationBasedIssuerNameRegistry();
registry.AddTrustedIssuer(config.Auth.TokenCertificateThumbprint, config.Auth.AuthenticationIssuer);
idconfig.IssuerNameRegistry = registry;
idconfig.CertificateValidationMode = X509CertificateValidationMode.None;
var sessionTransforms = new List<CookieTransform>() {
new DeflateCookieTransform(),
new MachineKeyTransform()
};
idconfig.SecurityTokenHandlers.AddOrReplace(new SessionSecurityTokenHandler(sessionTransforms.AsReadOnly()));
var wsfedconfig = new WsFederationConfiguration(config.Auth.AuthenticationIssuer, config.Auth.AuthenticationRealm);
wsfedconfig.PersistentCookiesOnPassiveRedirects = true;
args.FederationConfiguration.IdentityConfiguration = idconfig;
args.FederationConfiguration.WsFederationConfiguration = wsfedconfig;
args.FederationConfiguration.CookieHandler = new ChunkedCookieHandler();
};
}
public override void Initialize()
{
IdentityConfiguration = new IdentityConfiguration
{
ClaimsAuthorizationManager = new MyClaimsAuthorizationManager(),
};
IsInitialized = true;
}
static IdentityConfiguration CreateIdentityConfiguration()
{
var identityConfiguration = new IdentityConfiguration();
identityConfiguration.SecurityTokenHandlers.Clear();
identityConfiguration.SecurityTokenHandlers.Add(new IdentityServerWrappedJwtHandler("https://localhost:44333/core", "write"));
identityConfiguration.ClaimsAuthorizationManager = new RequireAuthenticationAuthorizationManager();
return identityConfiguration;
}
protected ServiceCredentials(ServiceCredentials other)
{
if (other == null)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("other");
}
this.userName = new UserNamePasswordServiceCredential(other.userName);
this.clientCertificate = new X509CertificateInitiatorServiceCredential(other.clientCertificate);
this.serviceCertificate = new X509CertificateRecipientServiceCredential(other.serviceCertificate);
this.windows = new WindowsServiceCredential(other.windows);
this.issuedToken = new IssuedTokenServiceCredential(other.issuedToken);
this.peer = new PeerCredential(other.peer);
this.secureConversation = new SecureConversationServiceCredential(other.secureConversation);
this.identityConfiguration = other.identityConfiguration;
this.saveBootstrapTokenInSession = other.saveBootstrapTokenInSession;
this.exceptionMapper = other.exceptionMapper;
this.UseIdentityConfiguration = other.useIdentityConfiguration;
}
public ActionResult ProcessWSFedResponse()
{
var fam = new WSFederationAuthenticationModule();
fam.FederationConfiguration = new FederationConfiguration();
if (ConfigurationRepository.Keys.DecryptionCertificate != null)
{
var idConfig = new IdentityConfiguration();
idConfig.ServiceTokenResolver = SecurityTokenResolver.CreateDefaultSecurityTokenResolver(
new ReadOnlyCollection<SecurityToken>(new SecurityToken[] { new X509SecurityToken(ConfigurationRepository.Keys.DecryptionCertificate) }), false);
fam.FederationConfiguration.IdentityConfiguration = idConfig;
}
if (fam.CanReadSignInResponse(Request))
{
var token = fam.GetSecurityToken(Request);
return ProcessWSFedSignInResponse(fam.GetSignInResponseMessage(Request), token);
}
return View("Error");
}
/// <summary>
/// Ctor
/// </summary>
public SPOptions()
{
systemIdentityModelIdentityConfiguration = new IdentityConfiguration(false);
MetadataCacheDuration = new TimeSpan(1, 0, 0);
}
public static string Write(this Saml2SecurityToken token, IdentityConfiguration configuration)
{
if (configuration == null)
throw new ArgumentException("Identity configuration cannot be null", "configuration");
var settings = new XmlWriterSettings {Indent = false, Encoding = Encoding.Default};
var sbuilder = new StringBuilder();
using (var writer = XmlWriter.Create(sbuilder, settings))
{
if (token != null) configuration.SecurityTokenHandlers.WriteToken(writer, token);
}
var tokenString = sbuilder.ToString();
return tokenString;
}
private void VerifyConfig(IdentityConfiguration identityconfig, ExpectedJwtSecurityTokenRequirement variation)
{
JwtSecurityTokenHandler handler = identityconfig.SecurityTokenHandlers[typeof(JwtSecurityToken)] as JwtSecurityTokenHandler;
Assert.IsFalse(!variation.AsExpected(handler.JwtSecurityTokenRequirement), "JwtSecurityTokenRequirement was not as expected");
}
protected override void ValidateTestCase(string variationId)
{
ExpectedJwtSecurityTokenRequirement variation = JwtHandlerConfigVariation.Variation(variationId);
try
{
IdentityConfiguration identityConfig = new IdentityConfiguration(IdentityConfiguration.DefaultServiceName);
variation.ExpectedException.ProcessNoException();
VerifyConfig(identityConfig, variation);
}
catch (Exception ex)
{
try
{
variation.ExpectedException.ProcessException(ex);
}
catch (Exception innerException)
{
Assert.Fail("\nConfig case failed:\n'{0}'\nConfig:\n'{1}'\nException:\n'{2}'.", variationId, variation.Config, innerException.ToString());
}
}
}
protected override void ValidateTestCase( string testCase )
{
try
{
IdentityConfiguration identityConfig = new IdentityConfiguration( IdentityConfiguration.DefaultServiceName );
Assert.Fail( string.Format( "Expected Exception of type '{0}'", typeof( ConfigurationErrorsException ) ) );
}
catch ( Exception ex )
{
Assert.IsTrue( ex.GetType() == typeof( ConfigurationErrorsException ) );
}
}