public async Task<SignInValidationResult> ValidateAsync(SignInRequestMessage message, ClaimsPrincipal subject)
{
var result = new SignInValidationResult();
// todo: wfresh handling?
if (!subject.Identity.IsAuthenticated)
{
return new SignInValidationResult
{
IsSignInRequired = true,
};
};
var rp = await _relyingParties.GetByRealmAsync(message.Realm);
if (rp == null || rp.Enabled == false)
{
return new SignInValidationResult
{
IsError = true,
Error = "invalid_relying_party"
};
}
// todo: check wreply against list of allowed reply URLs
result.ReplyUrl = rp.ReplyUrl;
result.RelyingParty = rp;
result.SignInRequestMessage = message;
result.Subject = subject;
return result;
}
private async Task<ClaimsIdentity> CreateSubjectAsync(SignInValidationResult validationResult)
{
var claims = await _users.GetProfileDataAsync(
validationResult.Subject.GetSubjectId(),
validationResult.RelyingParty.ClaimMappings.Keys);
var mappedClaims = new List<Claim>();
foreach (var claim in claims)
{
string mappedType;
if (validationResult.RelyingParty.ClaimMappings.TryGetValue(claim.Type, out mappedType))
{
mappedClaims.Add(new Claim(mappedType, claim.Value));
}
}
// todo: do complete mapping
if (validationResult.Subject.GetAuthenticationMethod() == Constants.AuthenticationMethods.Password)
{
mappedClaims.Add(new Claim(ClaimTypes.AuthenticationMethod, AuthenticationMethods.Password));
mappedClaims.Add(AuthenticationInstantClaim.Now);
}
return new ClaimsIdentity(mappedClaims, "idsrv");
}
public async Task<SignInResponseMessage> GenerateResponseAsync(SignInValidationResult validationResult)
{
// create subject
var outgoingSubject = await CreateSubjectAsync(validationResult);
// create token for user
var token = CreateSecurityToken(validationResult, outgoingSubject);
// return response
var rstr = new RequestSecurityTokenResponse
{
AppliesTo = new EndpointReference(validationResult.RelyingParty.Realm),
Context = validationResult.SignInRequestMessage.Context,
ReplyTo = validationResult.ReplyUrl,
RequestedSecurityToken = new RequestedSecurityToken(token)
};
var serializer = new WSFederationSerializer(
new WSTrust13RequestSerializer(),
new WSTrust13ResponseSerializer());
var responseMessage = new SignInResponseMessage(
new Uri(validationResult.ReplyUrl),
rstr,
serializer,
new WSTrustSerializationContext());
return responseMessage;
}
public async Task <SignInValidationResult> ValidateAsync(SignInRequestMessage message, ClaimsPrincipal subject)
{
Logger.Info("Validating WS-Federation signin request");
var result = new SignInValidationResult();
if (message.HomeRealm.IsPresent())
{
Logger.Info("Setting home realm to: " + message.HomeRealm);
result.HomeRealm = message.HomeRealm;
}
// todo: wfresh handling?
if (!subject.Identity.IsAuthenticated)
{
result.IsSignInRequired = true;
return(result);
}
;
var rp = await _relyingParties.GetByRealmAsync(message.Realm);
if (rp == null || rp.Enabled == false)
{
Logger.Error("Relying party not found: " + rp.Realm);
return(new SignInValidationResult
{
IsError = true,
Error = "invalid_relying_party"
});
}
Logger.InfoFormat("Relying party registration found: {0} / {1}", rp.Realm, rp.Name);
result.ReplyUrl = rp.ReplyUrl;
Logger.InfoFormat("Reply URL set to: " + result.ReplyUrl);
result.RelyingParty = rp;
result.SignInRequestMessage = message;
result.Subject = subject;
return(result);
}
public async Task <SignInValidationResult> ValidateAsync(SignInRequestMessage message, ClaimsPrincipal subject)
{
var result = new SignInValidationResult();
if (message.HomeRealm.IsPresent())
{
result.HomeRealm = message.HomeRealm;
}
// todo: wfresh handling?
if (!subject.Identity.IsAuthenticated)
{
result.IsSignInRequired = true;
return(result);
}
;
var rp = await _relyingParties.GetByRealmAsync(message.Realm);
if (rp == null || rp.Enabled == false)
{
return(new SignInValidationResult
{
IsError = true,
Error = "invalid_relying_party"
});
}
// todo: check wreply against list of allowed reply URLs
result.ReplyUrl = rp.ReplyUrl;
result.RelyingParty = rp;
result.SignInRequestMessage = message;
result.Subject = subject;
return(result);
}
IHttpActionResult RedirectToLogin(CoreSettings settings, SignInValidationResult result)
{
var message = new SignInMessage();
message.ReturnUrl = Request.RequestUri.AbsoluteUri;
if (result.HomeRealm.IsPresent())
{
message.IdP = result.HomeRealm;
}
return new LoginResult(message, this.Request, settings, _internalConfig);
}
private SecurityToken CreateSecurityToken(SignInValidationResult validationResult, ClaimsIdentity outgoingSubject)
{
var descriptor = new SecurityTokenDescriptor
{
AppliesToAddress = validationResult.RelyingParty.Realm,
Lifetime = new Lifetime(DateTime.UtcNow, DateTime.UtcNow.AddMinutes(validationResult.RelyingParty.TokenLifeTime)),
ReplyToAddress = validationResult.ReplyUrl,
SigningCredentials = new X509SigningCredentials(_settings.GetSigningCertificate()),
Subject = outgoingSubject,
TokenIssuerName = _settings.GetIssuerUri(),
TokenType = validationResult.RelyingParty.TokenType
};
return CreateSupportedSecurityTokenHandler().CreateToken(descriptor);
}
