/// <summary>
/// Creates an instance of Saml2AuthenticationContext.
/// </summary>
/// <param name="authenticationContext">The authentication context of this statement.</param>
/// <param name="authenticationInstant">The time of the authentication.</param>
public Saml2AuthenticationStatement(Saml2AuthenticationContext authenticationContext, DateTime authenticationInstant)
{
if (null == authenticationContext)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("authenticationContext");
}
this.authnContext = authenticationContext;
this.authnInstant = DateTimeUtil.ToUniversalTime(authenticationInstant);
}
/// <summary>
/// Creates an instance of Saml2AuthenticationContext.
/// </summary>
/// <param name="authenticationContext">The authentication context of this statement.</param>
/// <param name="authenticationInstant">The time of the authentication.</param>
public Saml2AuthenticationStatement(Saml2AuthenticationContext authenticationContext, DateTime authenticationInstant)
{
if (null == authenticationContext)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("authenticationContext");
}
this.authnContext = authenticationContext;
this.authnInstant = DateTimeUtil.ToUniversalTime(authenticationInstant);
}
private static SecurityToken GenerateHardcodedToken()
{
var securityTokenDescriptor = new SecurityTokenDescriptor();
securityTokenDescriptor.Subject = ClaimsPrincipal.Current.Identity as ClaimsIdentity;
securityTokenDescriptor.Lifetime = new Lifetime(DateTime.Now, DateTime.Now.AddDays(2));
securityTokenDescriptor.TokenIssuerName = "http://identityserver.v2.thinktecture.com/trust/changethis";
securityTokenDescriptor.AppliesToAddress = "https://windows7:444/identity/wstrust/bearer";
securityTokenDescriptor.SigningCredentials = GenerateSigningCredentials();
Saml2SecurityTokenHandler saml2SecurityTokenHandler = new Saml2SecurityTokenHandler();
var saml2SecurityToken = saml2SecurityTokenHandler.CreateToken(securityTokenDescriptor) as Saml2SecurityToken;
var authenticationMethod = "urn:oasis:names:tc:SAML:2.0:ac:classes:Password";
var authenticationContext = new Saml2AuthenticationContext(new Uri(authenticationMethod));
saml2SecurityToken.Assertion.Statements.Add(new Saml2AuthenticationStatement(authenticationContext));
return saml2SecurityToken;
}
/// <summary>
/// Creates a Saml2AuthenticationStatement.
/// </summary>
/// <param name="authenticationContext">The authentication context of this statement.</param>
public Saml2AuthenticationStatement(Saml2AuthenticationContext authenticationContext)
: this(authenticationContext, DateTime.UtcNow)
{
}
/// <summary>
/// Writes the <saml:AuthnContext> element.
/// </summary>
/// <param name="writer">A <see cref="XmlWriter"/> to serialize the <see cref="Saml2AuthenticationContext"/>.</param>
/// <param name="data">The <see cref="Saml2AuthenticationContext"/> to serialize.</param>
protected virtual void WriteAuthenticationContext(XmlWriter writer, Saml2AuthenticationContext data)
{
if (null == writer)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("writer");
}
if (null == data)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("data");
}
// One of ClassRef and DeclRef must be present.
if (null == data.ClassReference && null == data.DeclarationReference)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(
new InvalidOperationException(SR.GetString(SR.ID4117)));
}
// <AuthnContext>
writer.WriteStartElement(Saml2Constants.Elements.AuthnContext, Saml2Constants.Namespace);
// <AuthnContextClassReference> 0-1
if (null != data.ClassReference)
{
writer.WriteElementString(Saml2Constants.Elements.AuthnContextClassRef, Saml2Constants.Namespace, data.ClassReference.AbsoluteUri);
}
// <AuthnContextDeclRef> 0-1
if (null != data.DeclarationReference)
{
writer.WriteElementString(Saml2Constants.Elements.AuthnContextDeclRef, Saml2Constants.Namespace, data.DeclarationReference.AbsoluteUri);
}
// <AuthenticatingAuthority> 0-OO
foreach (Uri authority in data.AuthenticatingAuthorities)
{
writer.WriteElementString(Saml2Constants.Elements.AuthenticatingAuthority, Saml2Constants.Namespace, authority.AbsoluteUri);
}
// </AuthnContext>
writer.WriteEndElement();
}
/// <summary>
/// Reads the <saml:AuthnContext> element.
/// </summary>
/// <remarks>
/// The default implementation does not handle the optional
/// <saml:AuthnContextDecl> element. To handle by-value
/// authentication context declarations, override this method.
/// </remarks>
/// <param name="reader">A <see cref="XmlReader"/> positioned at a <see cref="Saml2AuthenticationContext"/> element.</param>
/// <returns>A <see cref="Saml2AuthenticationContext"/> instance.</returns>
protected virtual Saml2AuthenticationContext ReadAuthenticationContext(XmlReader reader)
{
if (null == reader)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("reader");
}
// throw if wrong element
if (!reader.IsStartElement(Saml2Constants.Elements.AuthnContext, Saml2Constants.Namespace))
{
reader.ReadStartElement(Saml2Constants.Elements.AuthnContext, Saml2Constants.Namespace);
}
try
{
// Disallow empty
if (reader.IsEmptyElement)
{
throw DiagnosticUtility.ThrowHelperXml(reader, SR.GetString(SR.ID3061, Saml2Constants.Elements.AuthnContext, Saml2Constants.Namespace));
}
// @attributes
// @xsi:type
XmlUtil.ValidateXsiType(reader, Saml2Constants.Types.AuthnContextType, Saml2Constants.Namespace);
// Content
reader.ReadStartElement();
// At least one of ClassRef and ( Decl XOR DeclRef) must be present
// At this time, we do not support Decl, which is a by-value
// authentication context declaration.
Uri classRef = null;
Uri declRef = null;
// <AuthnContextClassRef> - see comment above
if (reader.IsStartElement(Saml2Constants.Elements.AuthnContextClassRef, Saml2Constants.Namespace))
{
classRef = ReadSimpleUriElement(reader);
}
// <AuthnContextDecl> - see comment above
if (reader.IsStartElement(Saml2Constants.Elements.AuthnContextDecl, Saml2Constants.Namespace))
{
throw DiagnosticUtility.ThrowHelperXml(reader, SR.GetString(SR.ID4118));
}
// <AuthnContextDeclRef> - see comment above
// If there was no ClassRef, there must be a DeclRef
if (reader.IsStartElement(Saml2Constants.Elements.AuthnContextDeclRef, Saml2Constants.Namespace))
{
declRef = ReadSimpleUriElement(reader);
}
else if (null == classRef)
{
reader.ReadStartElement(Saml2Constants.Elements.AuthnContextDeclRef, Saml2Constants.Namespace);
}
// Now we have enough data to create the object
Saml2AuthenticationContext authnContext = new Saml2AuthenticationContext(classRef, declRef);
// <AuthenticatingAuthority> - 0-OO
while (reader.IsStartElement(Saml2Constants.Elements.AuthenticatingAuthority, Saml2Constants.Namespace))
{
authnContext.AuthenticatingAuthorities.Add(ReadSimpleUriElement(reader));
}
reader.ReadEndElement();
return authnContext;
}
catch (Exception e)
{
if (System.Runtime.Fx.IsFatal(e))
throw;
Exception wrapped = TryWrapReadException(reader, e);
if (null == wrapped)
{
throw;
}
else
{
throw wrapped;
}
}
}
/// <summary>
/// Given an AuthenticationInformation object, this routine creates a Saml2AuthenticationStatement
/// to be added to the Saml2Assertion that is produced by the factory.
/// </summary>
/// <param name="authInfo">
/// An AuthenticationInformation object containing the state to be wrapped as a Saml2AuthenticationStatement
/// object.
/// </param>
/// <param name="tokenDescriptor">The token descriptor.</param>
/// <returns>
/// The Saml2AuthenticationStatement to add to the assertion being created or null to ignore the AuthenticationInformation
/// being wrapped as a statement.
/// </returns>
protected virtual Saml2AuthenticationStatement CreateAuthenticationStatement(AuthenticationInformation authInfo, SecurityTokenDescriptor tokenDescriptor)
{
if (tokenDescriptor == null)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("tokenDescriptor");
}
if (tokenDescriptor.Subject == null)
{
return null;
}
string authenticationMethod = null;
string authenticationInstant = null;
// Search for an Authentication Claim.
IEnumerable<Claim> claimCollection = from c in tokenDescriptor.Subject.Claims where c.Type == ClaimTypes.AuthenticationMethod select c;
if (claimCollection.Count<Claim>() > 0)
{
// We support only one authentication statement and hence we just pick the first authentication type
// claim found in the claim collection. Since the spec allows multiple Auth Statements,
// we do not throw an error.
authenticationMethod = claimCollection.First<Claim>().Value;
}
claimCollection = from c in tokenDescriptor.Subject.Claims where c.Type == ClaimTypes.AuthenticationInstant select c;
if (claimCollection.Count<Claim>() > 0)
{
authenticationInstant = claimCollection.First<Claim>().Value;
}
if (authenticationMethod == null && authenticationInstant == null)
{
return null;
}
else if (authenticationMethod == null)
{
throw DiagnosticUtility.ThrowHelperInvalidOperation(SR.GetString(SR.ID4270, "AuthenticationMethod", "SAML2"));
}
else if (authenticationInstant == null)
{
throw DiagnosticUtility.ThrowHelperInvalidOperation(SR.GetString(SR.ID4270, "AuthenticationInstant", "SAML2"));
}
Uri saml2AuthenticationClass;
if (!UriUtil.TryCreateValidUri(this.DenormalizeAuthenticationType(authenticationMethod), UriKind.Absolute, out saml2AuthenticationClass))
{
throw DiagnosticUtility.ThrowHelperInvalidOperation(SR.GetString(SR.ID4185, authenticationMethod));
}
Saml2AuthenticationContext authCtx = new Saml2AuthenticationContext(saml2AuthenticationClass);
DateTime authInstantTime = DateTime.ParseExact(authenticationInstant, DateTimeFormats.Accepted, DateTimeFormatInfo.InvariantInfo, DateTimeStyles.None).ToUniversalTime();
Saml2AuthenticationStatement authnStatement = new Saml2AuthenticationStatement(authCtx, authInstantTime);
if (authInfo != null)
{
if (!string.IsNullOrEmpty(authInfo.DnsName)
|| !string.IsNullOrEmpty(authInfo.Address))
{
authnStatement.SubjectLocality
= new Saml2SubjectLocality(authInfo.Address, authInfo.DnsName);
}
if (!string.IsNullOrEmpty(authInfo.Session))
{
authnStatement.SessionIndex = authInfo.Session;
}
authnStatement.SessionNotOnOrAfter = authInfo.NotOnOrAfter;
}
return authnStatement;
}
/// <summary>
/// Creates a Saml2AuthenticationStatement.
/// </summary>
/// <param name="authenticationContext">The authentication context of this statement.</param>
public Saml2AuthenticationStatement(Saml2AuthenticationContext authenticationContext)
: this(authenticationContext, DateTime.UtcNow)
{
}
