private static bool Equals(IFederatedAuthenticationSettings x, IFederatedAuthenticationSettings y)
{
return(Equals(x.Certificate, y.Certificate) &&
Equals(x.ErrorUrl, y.ErrorUrl) &&
Equals(x.LoginUrl, y.LoginUrl) &&
Equals(x.LogoutUrl, y.LogoutUrl) &&
Equals(x.NameClaimType, y.NameClaimType));
}
private static void ConfigureHandler(SecurityTokenHandlerConfiguration hc, IFederatedAuthenticationSettings settings)
{
hc.AudienceRestriction = new AudienceRestriction(AudienceUriMode.Never);
hc.CertificateValidator = new SamlCertificateValidator(settings.Certificate, WebApiConfig.VerifyCertificateChain);
hc.IssuerNameRegistry = new SamlIssuerNameRegistry(settings.Certificate);
hc.IssuerTokenResolver = new IssuerTokenResolver();
// need this if certificate not included into sign info
var tokens = new List <SecurityToken> {
new X509SecurityToken(settings.Certificate)
};
hc.ServiceTokenResolver = SecurityTokenResolver.CreateDefaultSecurityTokenResolver(
new ReadOnlyCollection <SecurityToken>(tokens), false);
}
public IPrincipal ProcessResponse(string samlResponse, IFederatedAuthenticationSettings settings)
{
ThrowIf.ArgumentNull(samlResponse, nameof(samlResponse));
ThrowIf.ArgumentNull(settings, nameof(settings));
var token = ReadSecurityToken(samlResponse, settings);
if (token == null)
{
// TODO add logging
// Log.DebugFormat("[SAMLHandler] Cannot read non SAML2 token.\n {0}", tokenString);
throw new FederatedAuthenticationException("Cannot read token",
FederatedAuthenticationErrorCode.WrongFormat);
}
var samlSecurityTokenRequirement = new SamlSecurityTokenRequirement
{
NameClaimType = settings.NameClaimType, // "Username",
MapToWindows = false
};
var handler = new BpSaml2SecurityTokenHandler(samlResponse, samlSecurityTokenRequirement)
{
Configuration = new SecurityTokenHandlerConfiguration()
};
ConfigureHandler(handler.Configuration, settings);
ReadOnlyCollection <ClaimsIdentity> validateToken;
try
{
validateToken = handler.ValidateToken(token);
}
catch (FederatedAuthenticationException faEx)
{
if (faEx.ErrorCode != FederatedAuthenticationErrorCode.WrongFormat)
{
throw;
}
token = (Saml2SecurityToken)handler.ReadToken(samlResponse);
validateToken = handler.ValidateToken(token);
}
return(new ClaimsPrincipal(validateToken));
}
private static Saml2SecurityToken ReadSecurityToken(string samlXml, IFederatedAuthenticationSettings settings)
{
var sr = new StringReader(samlXml);
using (var reader = XmlReader.Create(sr))
{
try
{
if (!reader.ReadToFollowing("Assertion", "urn:oasis:names:tc:SAML:2.0:assertion"))
{
return(null);
}
}
catch (Exception ex)
{
throw new FederatedAuthenticationException("Cannot read token", FederatedAuthenticationErrorCode.WrongFormat, ex);
}
// Deserialize the token so that data can be taken from it and plugged into the RSTR
var collection = SecurityTokenHandlerCollection.CreateDefaultSecurityTokenHandlerCollection();
ConfigureHandler(collection.Configuration, settings);
var tokenString = reader.ReadSubtree();
return(collection.ReadToken(tokenString) as Saml2SecurityToken);
}
}
public IPrincipal ProcessEncodedResponse(string encodedSamlXml, IFederatedAuthenticationSettings settings)
{
var samlXml = Encoding.UTF8.GetString(Convert.FromBase64String(HttpUtility.HtmlDecode(encodedSamlXml)));
return(ProcessResponse(samlXml, settings));
}
