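        /// <summary>
        /// Initiates a new authentication process and returns to the ADFS system.
        /// </summary>
        /// <param name="identityClaim">Claim information from the ADFS; a placeholder claim is substituted when null</param>
        /// <param name="request">The HTTP request (not used by this implementation)</param>
        /// <param name="authContext">The context for the authentication; a fresh context is created when null</param>
        /// <returns>new instance of IAdapterPresentationForm</returns>
        public IAdapterPresentation BeginAuthentication(Claim identityClaim, HttpListenerRequest request, IAuthenticationContext authContext)
        {
            if (identityClaim is null)
            {
                identityClaim = new Claim(Metadata.IdentityClaims[0], "*****@*****.**");
            }
            if (authContext is null)
            {
                authContext = new AuthenticationContext();
            }
#if DEBUG
            Debug.WriteLine($"{Helper.debugPrefix} BeginAuthentication() claim value {identityClaim.Value}");
#endif

            // check whether SSL validation is disabled in the config
            // NOTE(review): ServicePointManager is process-wide, so this callback accepts any certificate for
            // every outbound TLS connection of the host process, not just the privacyIDEA calls, and every
            // call appends one more delegate to the invocation list. Kept as-is because the "ssl" setting
            // is part of the configured behaviour; prefer a trusted CA and ssl=true in deployments.
            if (!ssl)
            {
#pragma warning disable CA5359 // Do Not Disable Certificate Validation
                ServicePointManager.ServerCertificateValidationCallback += (sender, certificate, chain, sslPolicyErrors) => true;
#pragma warning restore CA5359 // Do Not Disable Certificate Validation
            }

            // trigger challenge
            otp_prov = new OTPprovider(privacyIDEAurl);
            // get a new admin token for all requests if an admin password is defined
            if (!string.IsNullOrEmpty(admin_pw) && !string.IsNullOrEmpty(admin_user))
            {
                token = otp_prov.GetAuthToken(admin_user, admin_pw);
                if (otp_prov.HasToken(identityClaim.Value, privacyIDEArealm, token))
                {
                    // trigger a challenge (SMS, Mail ...) for the user
                    transaction_id = otp_prov.TriggerChallenge(identityClaim.Value, privacyIDEArealm, token);
                    authContext.Data.Add("transaction_id", transaction_id);
                }
                else
                {
                    // register a token, get QR code
                    Dictionary<string, string> qr = otp_prov.EnrollTOTPToken(identityClaim.Value, privacyIDEArealm, token);
#if DEBUG
                    // NOTE(review): the enrolment result presumably carries the otpauth URL and thus the
                    // new token's seed; keep this out of any persistent debug/trace sink.
                    Debug.WriteLine($"{Helper.debugPrefix} BeginAuthentication() QR {Helper.ToDebugString(qr)}");
#endif
                    // single lookup instead of ContainsKey + indexer; a null enrolment result simply yields no QR code
                    if (qr != null && qr.TryGetValue("googleurl", out string googleUrl))
                    {
                        authContext.Data.Add("qrcode", googleUrl);
                    }
                }
            }
            authContext.Data.Add("userid", identityClaim.Value);
            authContext.Data.Add("realm", privacyIDEArealm);

            return(new AdapterPresentationForm(uidefinition, authContext));
        }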
        /// <summary>
        /// Initiates a new authentication process and returns to the ADFS system.
        /// The sAMAccountName is extracted from a "DOMAIN\user" claim, a privacyIDEA
        /// challenge is triggered when admin credentials are configured, and the
        /// user id, realm and transaction id are stored in the authentication context.
        /// </summary>
        /// <param name="identityClaim">Claim information from the ADFS (expected in "DOMAIN\user" or "user" form; not null-checked)</param>
        /// <param name="request">The http request (not used by this implementation)</param>
        /// <param name="authContext">The context for the authentication (not null-checked)</param>
        /// <returns>new instance of IAdapterPresentationForm</returns>
        public IAdapterPresentation BeginAuthentication(Claim identityClaim, HttpListenerRequest request, IAuthenticationContext authContext)
        {
#if DEBUG
            Debug.WriteLine(debugPrefix + " Claim value: " + identityClaim.Value);
#endif
            // separates the username from the domain
            // TODO: Map the domain to the ID3A realm
            string[] tmp      = identityClaim.Value.Split('\\');
            string   username = "";
            if (tmp.Length > 1)
            {
                // "DOMAIN\user": take the part after the first backslash
                username = tmp[1];
            }
            else
            {
                // no backslash: the whole claim value is the user name
                username = tmp[0];
            }
            // check if ssl is disabled in the config
            // TODO: Delete for security reasons
            // NOTE(review): ServicePointManager is process-wide, so this callback accepts any certificate for
            // every outbound TLS connection of the host process, and each call appends another delegate.
            if (!ssl)
            {
                ServicePointManager.ServerCertificateValidationCallback += (sender, certificate, chain, sslPolicyErrors) => true;
            }

            // trigger challenge
            otp_prov = new OTPprovider(privacyIDEAurl);
            // get a new admin token for all requests if the an admin pw is defined
            // #2
            if (!string.IsNullOrEmpty(admin_pw) && !string.IsNullOrEmpty(admin_user))
            {
                token = otp_prov.getAuthToken(admin_user, admin_pw);
                // trigger a challenge (SMS, Mail ...) for the the user
#if DEBUG
                // NOTE(review): this line appears mangled in the listing ("******" between the string
                // literals); confirm against the original source before relying on it.
                Debug.WriteLine(debugPrefix + " User: "******" Realm: " + privacyIDEArealm);
#endif
                transaction_id = otp_prov.triggerChallenge(username, privacyIDEArealm, token);
            }
            // set vars to context - fix for 14 and 15
            // NOTE(review): transaction_id is a field, not a local; when the admin branch above is skipped,
            // whatever value it already holds is stored here — confirm that is intended.
            authContext.Data.Add("userid", username);
            authContext.Data.Add("realm", privacyIDEArealm);
            authContext.Data.Add("transaction_id", transaction_id);

            return(new AdapterPresentationForm(false, uidefinition));
        }
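        /// <summary>
        /// Check the OTP and do the real authentication
        /// </summary>
        /// <param name="proofData">the data from the HTML field</param>
        /// <param name="authContext">The auth context which contains secured parameters; a fresh context is created when null</param>
        /// <returns>True if auth is done and user can be validated</returns>
        /// <exception cref="ExternalAuthenticationException">when no "otpvalue" was submitted, or when the OTP validation call throws</exception>
        private bool ValidateProofData(IProofData proofData, IAuthenticationContext authContext)
        {
            if (authContext is null)
            {
                authContext = new AuthenticationContext();
            }

            if (proofData is null || proofData.Properties is null || !proofData.Properties.ContainsKey("otpvalue"))
            {
                // look the user up defensively: a context created just above carries no "userid", and an
                // indexer miss here would replace the intended exception with a KeyNotFoundException
                object userForMessage = authContext.Data.ContainsKey("userid") ? authContext.Data["userid"] : "<unknown>";
                throw new ExternalAuthenticationException($"ValidateProofData() OTP not found for {userForMessage}", authContext);
            }

            // NOTE(review): ServicePointManager is process-wide, so this callback accepts any certificate for
            // every outbound TLS connection of the host process; the OTP validation result is only as
            // trustworthy as the channel it travels over. Kept because "ssl" is a configured setting.
            if (!ssl)
            {
#pragma warning disable CA5359 // Do Not Disable Certificate Validation
                ServicePointManager.ServerCertificateValidationCallback += (sender, certificate, chain, sslPolicyErrors) => true;
#pragma warning restore CA5359 // Do Not Disable Certificate Validation
            }

            try
            {
                string otpvalue       = (string)proofData.Properties["otpvalue"];
                string session_user   = (string)authContext.Data["userid"];
                string session_realm  = (string)authContext.Data["realm"];
                // transaction_id is optional: it is only present when BeginAuthentication triggered a challenge
                string transaction_id = authContext.Data.ContainsKey("transaction_id") ? (string)authContext.Data["transaction_id"] : "";
#if DEBUG
                // NOTE(review): this writes the submitted one-time code to debug output; keep it out of any persistent trace sink.
                Debug.WriteLine($"{Helper.debugPrefix} ValidateProofData() user {session_user}, OTP {otpvalue}, realm {session_realm}, transaction {transaction_id}");
#endif
                // if we're running a server farm and BeginAuthentication was called on a different server
                if (otp_prov is null)
                {
                    otp_prov = new OTPprovider(privacyIDEAurl);
                }
                return(otp_prov.ValidateOTP(session_user, otpvalue, session_realm, transaction_id));
            }
            catch (Exception ex)
            {
#if DEBUG
                Debug.WriteLine($"{Helper.debugPrefix} ValidateProofData() exception: {ex.Message}");
#endif
                // any failure (missing context keys, cast errors, backend errors) is surfaced to ADFS as a failed authentication
                throw new ExternalAuthenticationException($"ValidateProofData() exception: {ex.Message}", authContext);
            }
        }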
        /// <summary>
        /// Initiates a new authentication process and returns to the ADFS system.
        /// The claim is split into domain and sAMAccountName; when use_upn is set the
        /// UPN is resolved and used as the login name. A privacyIDEA challenge is
        /// triggered when admin credentials are configured, and user id, realm and
        /// transaction id are stored in the authentication context.
        /// </summary>
        /// <param name="identityClaim">Claim information from the ADFS (expected in "DOMAIN\user" or "user" form; not null-checked)</param>
        /// <param name="request">The http request (not used by this implementation)</param>
        /// <param name="authContext">The context for the authentication (not null-checked)</param>
        /// <returns>new instance of IAdapterPresentationForm</returns>
        public IAdapterPresentation BeginAuthentication(Claim identityClaim, HttpListenerRequest request, IAuthenticationContext authContext)
        {
#if DEBUG
            Debug.WriteLine(debugPrefix + " Claim value: " + identityClaim.Value);
#endif
            // separates the username from the domain
            // TODO: Map the domain to the ID3A realm
            string   username, domain, upn;
            string[] tmp = identityClaim.Value.Split('\\');

            if (tmp.Length > 1)
            {
                // "DOMAIN\user" form
                username = tmp[1];
                domain   = tmp[0];
                if (use_upn)
                {
                    // get UPN from sAMAccountName
                    upn = GetUserPrincipalName(username, domain);
                }
                else
                {
                    upn = "not configured";
                }
            }
            else
            {
                // no backslash: the claim value is used as both user name and UPN,
                // and the configured privacyIDEA realm stands in for the domain
                username = tmp[0];
                upn      = tmp[0];
                domain   = privacyIDEArealm;
            }
#if DEBUG
            Debug.WriteLine(debugPrefix + " UPN value: " + upn + " Domain value: " + domain);
#endif
            // check if ssl is disabled in the config
            // TODO: Delete for security reasons
            // NOTE(review): ServicePointManager is process-wide, so this callback accepts any certificate for
            // every outbound TLS connection of the host process, and each call appends another delegate.
            if (!ssl)
            {
                ServicePointManager.ServerCertificateValidationCallback += (sender, certificate, chain, sslPolicyErrors) => true;
            }

            // use upn or sam as loginname attribute
            if (use_upn)
            {
                username = upn;
            }

            // trigger challenge
            otp_prov = new OTPprovider(privacyIDEAurl);
            // get a new admin token for all requests if the an admin pw is defined
            // #2
            if (!string.IsNullOrEmpty(admin_pw) && !string.IsNullOrEmpty(admin_user))
            {
                token = otp_prov.getAuthToken(admin_user, admin_pw);
                // trigger a challenge (SMS, Mail ...) for the the user
#if DEBUG
                // NOTE(review): this line appears mangled in the listing ("******" between the string
                // literals); confirm against the original source before relying on it.
                Debug.WriteLine(debugPrefix + " User: "******" Realm: " + privacyIDEArealm);
#endif
                transaction_id = otp_prov.triggerChallenge(username, privacyIDEArealm, token);
            }
            // set vars to context - fix for 14 and 15
            // NOTE(review): transaction_id is a field, not a local; when the admin branch above is skipped,
            // whatever value it already holds is stored here — confirm that is intended.
            authContext.Data.Add("userid", username);
            authContext.Data.Add("realm", privacyIDEArealm);
            authContext.Data.Add("transaction_id", transaction_id);
            // define whether the challenge message will be shown
            // (message is a field; it keeps its previous value when show_challenge is false)
            if (show_challenge)
            {
                message = otp_prov.ChallengeMessage;
            }

            return(new AdapterPresentationForm(false, message, uidefinition));
        }