public void Saml2SubjectExtensions_ToXElement_SubjectConfirmation()
{
var saml2SubjectConfirmation = new Saml2SubjectConfirmation(new Uri("urn:oasis:names:tc:SAML:2.0:cm:bearer"));
var confirmation = saml2SubjectConfirmation.ToXElement();
confirmation.Attribute("Method").Value.Should().Be("urn:oasis:names:tc:SAML:2.0:cm:bearer");
}
/// <summary>
/// Initializes an instance of <see cref="Saml2Subject"/> from a <see cref="Saml2SubjectConfirmation"/>.
/// </summary>
/// <param name="subjectConfirmation">The <see cref="Saml2SubjectConfirmation"/> to use for initialization.</param>
public Saml2Subject(Saml2SubjectConfirmation subjectConfirmation)
{
if (null == subjectConfirmation)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("subjectConfirmation");
}
this.subjectConfirmations.Add(subjectConfirmation);
}
/// <summary>
/// Initializes an instance of <see cref="Saml2Subject"/> from a <see cref="Saml2SubjectConfirmation"/>.
/// </summary>
/// <param name="subjectConfirmation">The <see cref="Saml2SubjectConfirmation"/> to use for initialization.</param>
public Saml2Subject(Saml2SubjectConfirmation subjectConfirmation)
{
if (null == subjectConfirmation)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("subjectConfirmation");
}
this.subjectConfirmations.Add(subjectConfirmation);
}
/// <summary>
/// Writes the <saml:SubjectConfirmation> element.
/// </summary>
/// <param name="writer">A <see cref="XmlWriter"/> to serialize the <see cref="Saml2SubjectConfirmation"/>.</param>
/// <param name="data">The <see cref="Saml2SubjectConfirmation"/> to serialize.</param>
protected virtual void WriteSubjectConfirmation(XmlWriter writer, Saml2SubjectConfirmation data)
{
if (null == writer)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("writer");
}
if (null == data)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("data");
}
if (null == data.Method)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("data.Method");
}
if (string.IsNullOrEmpty(data.Method.ToString()))
{
throw DiagnosticUtility.ThrowHelperArgumentNullOrEmptyString("data.Method");
}
// <SubjectConfirmation>
writer.WriteStartElement(Saml2Constants.Elements.SubjectConfirmation, Saml2Constants.Namespace);
// @Method - required
writer.WriteAttributeString(Saml2Constants.Attributes.Method, data.Method.AbsoluteUri);
// <NameID> 0-1
if (null != data.NameIdentifier)
{
this.WriteNameId(writer, data.NameIdentifier);
}
// <SubjectConfirmationData> 0-1
if (null != data.SubjectConfirmationData)
{
this.WriteSubjectConfirmationData(writer, data.SubjectConfirmationData);
}
// </SubjectConfirmation>
writer.WriteEndElement();
}
/// <summary>
/// Reads the <SubjectConfirmation> element.
/// </summary>
/// <param name="reader">A <see cref="XmlReader"/> positioned at a <see cref="Saml2SubjectConfirmation"/> element.</param>
/// <returns>An instance of <see cref="Saml2SubjectConfirmation"/> .</returns>
protected virtual Saml2SubjectConfirmation ReadSubjectConfirmation(XmlReader reader)
{
if (null == reader)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("reader");
}
// throw if wrong element
if (!reader.IsStartElement(Saml2Constants.Elements.SubjectConfirmation, Saml2Constants.Namespace))
{
reader.ReadStartElement(Saml2Constants.Elements.SubjectConfirmation, Saml2Constants.Namespace);
}
try
{
bool isEmpty = reader.IsEmptyElement;
// @attributes
// @xsi:type
XmlUtil.ValidateXsiType(reader, Saml2Constants.Types.SubjectConfirmationType, Saml2Constants.Namespace);
// @Method - required
string method = reader.GetAttribute(Saml2Constants.Attributes.Method);
if (string.IsNullOrEmpty(method))
{
throw DiagnosticUtility.ThrowHelperXml(reader, SR.GetString(SR.ID0001, Saml2Constants.Attributes.Method, Saml2Constants.Elements.SubjectConfirmation));
}
if (!UriUtil.CanCreateValidUri(method, UriKind.Absolute))
{
throw DiagnosticUtility.ThrowHelperXml(reader, SR.GetString(SR.ID0011, Saml2Constants.Attributes.Method, Saml2Constants.Elements.SubjectConfirmation));
}
// Construct the appropriate SubjectConfirmation based on the method
Saml2SubjectConfirmation subjectConfirmation = new Saml2SubjectConfirmation(new Uri(method));
// <elements>
reader.Read();
if (!isEmpty)
{
// <NameID> | <EncryptedID> | <BaseID> 0-1
subjectConfirmation.NameIdentifier = this.ReadSubjectId(reader, Saml2Constants.Elements.SubjectConfirmation);
// <SubjectConfirmationData> 0-1
if (reader.IsStartElement(Saml2Constants.Elements.SubjectConfirmationData, Saml2Constants.Namespace))
{
subjectConfirmation.SubjectConfirmationData = this.ReadSubjectConfirmationData(reader);
}
reader.ReadEndElement();
}
return subjectConfirmation;
}
catch (Exception e)
{
if (System.Runtime.Fx.IsFatal(e))
throw;
Exception wrapped = TryWrapReadException(reader, e);
if (null == wrapped)
{
throw;
}
else
{
throw wrapped;
}
}
}
/// <summary>
/// Creates a SAML2 subject of the assertion.
/// </summary>
/// <param name="tokenDescriptor">The security token descriptor to create the subject.</param>
/// <exception cref="ArgumentNullException">Thrown when 'tokenDescriptor' is null.</exception>
/// <returns>A Saml2Subject.</returns>
protected virtual Saml2Subject CreateSamlSubject(SecurityTokenDescriptor tokenDescriptor)
{
if (null == tokenDescriptor)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("tokenDescriptor");
}
Saml2Subject saml2Subject = new Saml2Subject();
// Look for name identifier claims
string nameIdentifierClaim = null;
string nameIdentifierFormat = null;
string nameIdentifierNameQualifier = null;
string nameIdentifierSpProviderId = null;
string nameIdentifierSpNameQualifier = null;
if (tokenDescriptor.Subject != null && tokenDescriptor.Subject.Claims != null)
{
foreach (Claim claim in tokenDescriptor.Subject.Claims)
{
if (claim.Type == ClaimTypes.NameIdentifier)
{
// Do not allow multiple name identifier claim.
if (null != nameIdentifierClaim)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new InvalidOperationException(SR.GetString(SR.ID4139)));
}
nameIdentifierClaim = claim.Value;
if (claim.Properties.ContainsKey(ClaimProperties.SamlNameIdentifierFormat))
{
nameIdentifierFormat = claim.Properties[ClaimProperties.SamlNameIdentifierFormat];
}
if (claim.Properties.ContainsKey(ClaimProperties.SamlNameIdentifierNameQualifier))
{
nameIdentifierNameQualifier = claim.Properties[ClaimProperties.SamlNameIdentifierNameQualifier];
}
if (claim.Properties.ContainsKey(ClaimProperties.SamlNameIdentifierSPNameQualifier))
{
nameIdentifierSpNameQualifier = claim.Properties[ClaimProperties.SamlNameIdentifierSPNameQualifier];
}
if (claim.Properties.ContainsKey(ClaimProperties.SamlNameIdentifierSPProvidedId))
{
nameIdentifierSpProviderId = claim.Properties[ClaimProperties.SamlNameIdentifierSPProvidedId];
}
}
}
}
if (nameIdentifierClaim != null)
{
Saml2NameIdentifier nameIdentifier = new Saml2NameIdentifier(nameIdentifierClaim);
if (nameIdentifierFormat != null && UriUtil.CanCreateValidUri(nameIdentifierFormat, UriKind.Absolute))
{
nameIdentifier.Format = new Uri(nameIdentifierFormat);
}
nameIdentifier.NameQualifier = nameIdentifierNameQualifier;
nameIdentifier.SPNameQualifier = nameIdentifierSpNameQualifier;
nameIdentifier.SPProvidedId = nameIdentifierSpProviderId;
saml2Subject.NameId = nameIdentifier;
}
// Add subject confirmation data
Saml2SubjectConfirmation subjectConfirmation;
if (null == tokenDescriptor.Proof)
{
subjectConfirmation = new Saml2SubjectConfirmation(Saml2Constants.ConfirmationMethods.Bearer);
}
else
{
subjectConfirmation = new Saml2SubjectConfirmation(Saml2Constants.ConfirmationMethods.HolderOfKey, new Saml2SubjectConfirmationData());
subjectConfirmation.SubjectConfirmationData.KeyIdentifiers.Add(tokenDescriptor.Proof.KeyIdentifier);
}
saml2Subject.SubjectConfirmations.Add(subjectConfirmation);
return saml2Subject;
}
protected override Saml2Subject CreateSamlSubject(SecurityTokenDescriptor tokenDescriptor)
{
Saml2SubjectConfirmation confirmation;
if (tokenDescriptor == null)
{
throw new ArgumentNullException("tokenDescriptor");
}
Saml2Subject subject = new Saml2Subject();
string name = null;
string uriString = null;
if ((tokenDescriptor.Subject != null) && (tokenDescriptor.Subject.Claims != null))
{
foreach (Claim claim in tokenDescriptor.Subject.Claims)
{
if (claim.ClaimType == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier")
{
if (name != null)
{
throw new InvalidOperationException(
"No suitable Saml2NameIdentifier could be created for the SAML2:Subject because more than one Claim of type NameIdentifier was supplied.");
}
name = claim.Value;
if (claim.Properties.ContainsKey("http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"))
{
uriString = claim.Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"];
}
}
}
}
if (name != null)
{
Saml2NameIdentifier identifier = new Saml2NameIdentifier(name);
if ((uriString != null) && UriUtil.CanCreateValidUri(uriString, UriKind.Absolute))
{
identifier.Format = new Uri(uriString);
}
subject.NameId = identifier;
}
// IGNORE SAML confirmation and just create the SenderVouches
// GFIPM S2S 8.8.2.6.c
confirmation = new Saml2SubjectConfirmation(Saml2Constants.ConfirmationMethods.SenderVouches);
// SAML V2.0 Condition for Delegation Restriction Version 1.0
// 2.5 Use of Identifiers Within <saml:SubjectConfirmation>
string lastDelegateNameId = tokenDescriptor.Subject.Actor.Name;
confirmation.NameIdentifier = new Saml2NameIdentifier(lastDelegateNameId);
subject.SubjectConfirmations.Add(confirmation);
return subject;
}
private Saml2Assertion NewAssertion()
{
var assertion = new Saml2Assertion(new Saml2NameIdentifier(certificate.Subject));
assertion.Id = new Saml2Id();
assertion.IssueInstant = DateTime.Now;
assertion.Subject = new Saml2Subject(new Saml2NameIdentifier("CPS") { Value = "id3" });
assertion.Statements.Add(new Saml2AttributeStatement(new Saml2Attribute("identifiantFacturation", "id1")));
assertion.Statements.Add(new Saml2AttributeStatement(new Saml2Attribute("codeSpecialiteAMO", "id2")));
var saml2SubjectConfirmation = new Saml2SubjectConfirmation(new Uri("urn:oasis:names:tc:SAML:2.0:cm:bearer"));
saml2SubjectConfirmation.SubjectConfirmationData = new Saml2SubjectConfirmationData();
saml2SubjectConfirmation.SubjectConfirmationData.Recipient = new Uri("http://identityserver3");
saml2SubjectConfirmation.SubjectConfirmationData.NotOnOrAfter = DateTime.UtcNow;
assertion.Subject.SubjectConfirmations.Add(saml2SubjectConfirmation);
assertion.SigningCredentials = new X509SigningCredentials(certificate);
return assertion;
}
private Saml2Assertion NewAssertion(X509Certificate2 x509Certificate2 = null, ClaimsIdentity id = null)
{
var cert = x509Certificate2 ?? certificate;
var assertion = new Saml2Assertion(new Saml2NameIdentifier("b"));
assertion.Id = new Saml2Id();
assertion.IssueInstant = DateTime.Now;
assertion.Subject = new Saml2Subject(new Saml2NameIdentifier("CPS") { Value = "id3" });
assertion.Statements.Add(new Saml2AttributeStatement(new Saml2Attribute("identifiantFacturation", "id1")));
assertion.Statements.Add(new Saml2AttributeStatement(new Saml2Attribute("codeSpecialiteAMO", "id2")));
if (id != null)
foreach (var claim in id.Claims)
{
assertion.Statements.Add(new Saml2AttributeStatement(new Saml2Attribute(claim.Type, claim.Value)));
}
var saml2SubjectConfirmation = new Saml2SubjectConfirmation(new Uri("urn:oasis:names:tc:SAML:2.0:cm:bearer"));
saml2SubjectConfirmation.SubjectConfirmationData = new Saml2SubjectConfirmationData();
saml2SubjectConfirmation.SubjectConfirmationData.Recipient = new Uri("http://allowed_recipient1");
saml2SubjectConfirmation.SubjectConfirmationData.NotOnOrAfter = DateTime.UtcNow.AddHours(1); // valid for 1 hour
assertion.Subject.SubjectConfirmations.Add(saml2SubjectConfirmation);
assertion.Conditions = new Saml2Conditions();
assertion.Conditions.AudienceRestrictions.Add(new Saml2AudienceRestriction(new Uri("http://audience")));
assertion.SigningCredentials = new X509SigningCredentials(cert);
return assertion;
}
