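/// <summary>
/// Builds the SAML 2.0 token handed to ADFS: the assertion is signed with the identity
/// server's signing certificate and encrypted for <paramref name="encryptingCertificate"/>.
/// </summary>
/// <param name="identity">Subject of the assertion.</param>
/// <param name="proof">Proof descriptor placed on the token descriptor (may be null for a bearer token; passed through as-is).</param>
/// <param name="encryptingCertificate">Recipient certificate whose public key wraps the AES-256 content key.</param>
/// <returns>The <see cref="Saml2SecurityToken"/> produced by the handler.</returns>
/// <exception cref="ArgumentNullException">When <paramref name="identity"/> or <paramref name="encryptingCertificate"/> is null.</exception>
/// <exception cref="InvalidOperationException">When the handler does not return a <see cref="Saml2SecurityToken"/>.</exception>
private SecurityToken CreateOutputSamlToken(ClaimsIdentity identity, ProofDescriptor proof, X509Certificate2 encryptingCertificate)
{
    if (identity == null)
    {
        throw new ArgumentNullException("identity");
    }
    if (encryptingCertificate == null)
    {
        throw new ArgumentNullException("encryptingCertificate");
    }

    // A fresh 256-bit AES-CBC content key encrypts the assertion; that key is wrapped for the
    // recipient certificate, so only the holder of its private key can read the token.
    var encryptingCredentials = new EncryptedKeyEncryptingCredentials(
        new X509EncryptingCredentials(encryptingCertificate),
        256,
        "http://www.w3.org/2001/04/xmlenc#aes256-cbc");

    // Read the clock once so NotBefore/NotOnOrAfter span exactly one hour.
    var issuedAt = DateTime.UtcNow;

    var descriptor = new SecurityTokenDescriptor
    {
        AppliesToAddress = _configuration.AdfsIntegration.IssuerUri,
        TokenIssuerName = _configuration.Global.IssuerUri,
        // signing creds of IdSrv
        SigningCredentials = new X509SigningCredentials(_configuration.Keys.SigningCertificate),
        EncryptingCredentials = encryptingCredentials,
        Lifetime = new Lifetime(issuedAt, issuedAt.AddHours(1)),
        Proof = proof,
        Subject = identity,
        TokenType = TokenTypes.Saml2TokenProfile11
    };

    // A failed "as" cast used to leak out as a null token; make that failure explicit.
    var token = _handler.CreateToken(descriptor) as Saml2SecurityToken;
    if (token == null)
    {
        throw new InvalidOperationException("The token handler did not produce a Saml2SecurityToken.");
    }

    return token;
}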
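/// <summary>
/// Builds a signed — and, when the contract carries an encrypting certificate, encrypted —
/// SAML 2.0 token from the XSPA-profile descriptor and wraps it via <c>SetSecurityToken</c>.
/// </summary>
/// <typeparam name="T">Contract type describing the token to issue.</typeparam>
/// <param name="contract">Signing, encryption, confirmation and authentication-context inputs.</param>
/// <returns>The <see cref="GenericXmlSecurityToken"/> returned by <c>SetSecurityToken</c>.</returns>
/// <exception cref="ArgumentNullException">When <paramref name="contract"/> is null.</exception>
/// <exception cref="InvalidOperationException">When the handler does not return a <see cref="Saml2SecurityToken"/>.</exception>
private GenericXmlSecurityToken BuildSamlToken<T>(T contract) where T : SamlTokenContract
{
    if (contract == null)
    {
        throw new ArgumentNullException("contract");
    }

    // Keep the original call order: signing credentials are resolved before the descriptor is built.
    var signingCredentials = SetSigningCredentials(contract);
    SecurityTokenDescriptor tokenDescriptor = BuildSAMLDescriptorUsingXspaProfile(contract);
    tokenDescriptor.TokenType = CustomSaml2TokenConstants.SAML2TokenType;
    tokenDescriptor.SigningCredentials = signingCredentials;

    // Encryption is opt-in: a content key is generated and wrapped for the contract's certificate.
    // NOTE(review): the suite's key-derivation length is passed as the content-key size in bits — confirm that is intended.
    if (contract.EncryptingCertificate != null)
    {
        tokenDescriptor.EncryptingCredentials = new EncryptedKeyEncryptingCredentials(
            contract.EncryptingCertificate,
            contract.AlgorithmSuite.DefaultAsymmetricKeyWrapAlgorithm,
            contract.AlgorithmSuite.DefaultEncryptionKeyDerivationLength,
            contract.AlgorithmSuite.DefaultEncryptionAlgorithm);
    }

    SetConfirmationMethod(contract, tokenDescriptor);
    tokenDescriptor.AddAuthenticationClaims(contract.AuthenticationContext);

    var samlToken = Saml2Handler.CreateToken(tokenDescriptor) as Saml2SecurityToken;
    if (samlToken == null)
    {
        // Specific exception type instead of a bare Exception; still catchable as Exception by existing callers.
        throw new InvalidOperationException("Failed to create Saml2 Security token");
    }

    return SetSecurityToken(contract, samlToken, Saml2Handler, tokenDescriptor);
}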
/// <summary>
/// Override this method to change the token encrypting credentials.
/// </summary>
/// <remarks>
/// When the descriptor's credentials are backed by an asymmetric key, they are wrapped so that a
/// symmetric content key (default suite length and algorithm) does the actual encryption; symmetric
/// credentials are returned untouched.
/// </remarks>
/// <param name="tokenDescriptor">The token descriptor.</param>
/// <returns>The token encrypting credentials, or null when the descriptor has none.</returns>
/// <exception cref="ArgumentNullException">When the given tokenDescriptor is null.</exception>
protected virtual EncryptingCredentials GetEncryptingCredentials(SecurityTokenDescriptor tokenDescriptor)
{
    if (tokenDescriptor == null)
    {
        throw new ArgumentNullException("tokenDescriptor");
    }

    var credentials = tokenDescriptor.EncryptingCredentials;
    if (credentials == null)
    {
        return null;
    }

    // Symmetric credentials (or a missing key) can be used directly.
    if (!(credentials.SecurityKey is AsymmetricSecurityKey))
    {
        return credentials;
    }

    // Asymmetric key: generate a symmetric content key and wrap it with the asymmetric credentials.
    return new EncryptedKeyEncryptingCredentials(
        credentials,
        SecurityAlgorithmSuite.Default.DefaultSymmetricKeyLength,
        SecurityAlgorithmSuite.Default.DefaultEncryptionAlgorithm);
}
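/// <summary>
/// Builds a SAML 2.0 token from the current UI selections (signing/digest algorithm, RSA vs. X.509
/// key identifier, optional encryption, confirmation method) and wraps it as a
/// <see cref="GenericXmlSecurityToken"/> for the WS-Trust exchange.
/// </summary>
/// <returns>The generic XML token; a holder-of-key token also carries the symmetric proof key.</returns>
/// <exception cref="InvalidOperationException">
/// When RSA signing is selected but the certificate's private key is not an <see cref="RSACryptoServiceProvider"/>,
/// or when the handler does not return a <see cref="Saml2SecurityToken"/>.
/// </exception>
private GenericXmlSecurityToken GenerateSAML2Token()
{
    // NOTE(review): the certificate passphrase comes from application settings; confirm the settings
    // file holding it is not committed to source control.
    var signingCertificatePrivateKey = new X509Certificate2(Settings.Default.CertificatePath, Settings.Default.Passphrase);
    // The signing certificate doubles as the encryption recipient (a separate recipient .cer was used before).
    var encryptingCertificatePublicKey = signingCertificatePrivateKey;

    string signingAlgorithm = SelectedSignatureAlgorithm();
    string digestAlgorithm = SelectedDigestAlgorithm();

    // Always generated; it also backs the BinarySecret proof token attached for holder-of-key below.
    SymmetricProofDescriptor proof = CreateSymmetricProofDescriptor(encryptingCertificatePublicKey);

    SigningCredentials signingCredentials = ResolveSigningCredentials(signingCertificatePrivateKey, signingAlgorithm, digestAlgorithm);

    SecurityTokenDescriptor tokenDescriptor = BuildSAMLDescriptorUsingXspaProfile();
    tokenDescriptor.TokenType = WSTrust.TokenType;
    tokenDescriptor.SigningCredentials = signingCredentials;

    if (CheckBoxEncrypt.IsChecked.HasValue && CheckBoxEncrypt.IsChecked.Value)
    {
        // Content key is wrapped for the recipient certificate using the WS-Trust profile constants.
        tokenDescriptor.EncryptingCredentials = new EncryptedKeyEncryptingCredentials(
            encryptingCertificatePublicKey,
            WSTrust.KeyWrapAlgorithm,
            WSTrust.KeySize,
            WSTrust.EncryptionAlgorithm);
    }

    // Read the confirmation selection once; it drives both the descriptor's proof and the final token shape.
    string confirmation = ComboBoxConfirmation.SelectedValue.ToString();
    switch (confirmation)
    {
        case "holder":
            if (AsymmetricKey.IsChecked != null && (bool)AsymmetricKey.IsChecked)
            {
                tokenDescriptor.Proof = CreateAsymmetricProofDescriptor(encryptingCertificatePublicKey);
            }
            else
            {
                tokenDescriptor.Proof = proof;
            }
            break;
        case "sender":
            // TODO: sender-vouches confirmation is not implemented; the token is issued without a proof.
            break;
    }

    var tokenHandler = new CustomSaml2SecurityTokenHandler();
    // Authentication context class reference; the scheme was mistyped as "uurn:" before.
    tokenDescriptor.AddAuthenticationClaims("urn:oasis:names:tc:SAML:2.0:ac:classes:X509");

    var outputToken = tokenHandler.CreateToken(tokenDescriptor) as Saml2SecurityToken;
    if (outputToken == null)
    {
        throw new InvalidOperationException("Failed to create Saml2 Security token");
    }

    // Serialize the assertion and create the attached/unattached references embedded in the response.
    var outputTokenString = outputToken.ToTokenXmlString();
    var attachedReference = tokenHandler.CreateSecurityTokenReference(outputToken, true);
    var unattachedReference = tokenHandler.CreateSecurityTokenReference(outputToken, false);

    // One clock read so the validity window is exactly 1h (holder-of-key) or 8h (otherwise).
    var issuedAt = DateTime.UtcNow;
    var noPolicies = new ReadOnlyCollection<IAuthorizationPolicy>(new List<IAuthorizationPolicy>());

    if (confirmation.Equals("holder"))
    {
        // NOTE(review): the symmetric proof key is attached even when the asymmetric proof was selected
        // above — confirm that mismatch is intended.
        return new GenericXmlSecurityToken(
            GetElement(outputTokenString),
            new BinarySecretSecurityToken(proof.GetKeyBytes()),
            issuedAt,
            issuedAt.AddHours(1),
            attachedReference,
            unattachedReference,
            noPolicies);
    }

    return new GenericXmlSecurityToken(
        GetElement(outputTokenString),
        null,
        issuedAt,
        issuedAt.AddHours(8),
        attachedReference,
        unattachedReference,
        noPolicies);
}

/// <summary>
/// Maps the signing-algorithm combo selection to a signature algorithm URI; SHA-256 unless "SHA1" is chosen.
/// SHA-1 is kept selectable for legacy interop only — it is deprecated for XML signatures.
/// </summary>
private string SelectedSignatureAlgorithm()
{
    switch (ComboBoxSigningAlgorithm.SelectedValue.ToString())
    {
        case "SHA1":
            return SignatureAlgorithm.Sha1;
        case "SHA256":
            return SignatureAlgorithm.Sha256;
        default:
            return SignatureAlgorithm.Sha256;
    }
}

/// <summary>
/// Maps the digest-algorithm combo selection to a digest algorithm URI; SHA-256 unless "SHA1" is chosen.
/// </summary>
private string SelectedDigestAlgorithm()
{
    switch (ComboBoxDigestAlgorithm.SelectedValue.ToString())
    {
        case "SHA1":
            return DigestAlgorithm.Sha1;
        case "SHA256":
            return DigestAlgorithm.Sha256;
        default:
            return DigestAlgorithm.Sha256;
    }
}

/// <summary>
/// Builds the signing credentials: an RSA key identifier when the RSA option is checked, otherwise an
/// X.509 raw-data key identifier for <paramref name="certificate"/>.
/// </summary>
/// <param name="certificate">Certificate holding the signing private key.</param>
/// <param name="signingAlgorithm">Signature algorithm URI.</param>
/// <param name="digestAlgorithm">Digest algorithm URI.</param>
/// <exception cref="InvalidOperationException">RSA option selected but the private key is not an <see cref="RSACryptoServiceProvider"/>.</exception>
private SigningCredentials ResolveSigningCredentials(X509Certificate2 certificate, string signingAlgorithm, string digestAlgorithm)
{
    if (Rsa.IsChecked.HasValue && Rsa.IsChecked.Value)
    {
        var rsa = certificate.PrivateKey as RSACryptoServiceProvider;
        if (rsa == null)
        {
            // Previously fell through leaving SigningCredentials null; fail loudly rather than hand the
            // handler an unsigned descriptor.
            throw new InvalidOperationException("RSA signing was selected but the certificate's private key is not an RSACryptoServiceProvider.");
        }

        var rsaKey = new RsaSecurityKey(rsa);
        var rsaClause = new RsaKeyIdentifierClause(rsa);
        var rsaSki = new SecurityKeyIdentifier(new SecurityKeyIdentifierClause[] { rsaClause });
        return new SigningCredentials(rsaKey, signingAlgorithm, digestAlgorithm, rsaSki);
    }

    var clause = new X509SecurityToken(certificate).CreateKeyIdentifierClause<X509RawDataKeyIdentifierClause>();
    var x509Ski = new SecurityKeyIdentifier(clause);
    return new X509SigningCredentials(certificate, x509Ski, signingAlgorithm, digestAlgorithm);
}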