public virtual async Task <IdentityClaimTypeDto> CreateAsync(IdentityClaimTypeCreateDto input)
{
if (await IdentityClaimTypeRepository.AnyAsync(input.Name))
{
throw new UserFriendlyException(L["IdentityClaimTypeAlreadyExists", input.Name]);
}
var identityClaimType = new IdentityClaimType(
GuidGenerator.Create(),
input.Name,
input.Required,
input.IsStatic,
input.Regex,
input.RegexDescription,
input.Description,
input.ValueType
);
identityClaimType = await IdentityClaimTypeManager.CreateAsync(identityClaimType);
await CurrentUnitOfWork.SaveChangesAsync();
return(ObjectMapper.Map <IdentityClaimType, IdentityClaimTypeDto>(identityClaimType));
}
/// <summary>
/// Retrieves an S2S access token signed by the application's private certificate on
/// behalf of the specified Claims Identity and intended for application at the targetApplicationUri using the
/// targetRealm. If no Realm is specified in web.config, an auth challenge will be issued to the
/// targetApplicationUri to discover it.
/// </summary>
/// <param name="targetApplicationUri">Url of the target SharePoint site</param>
/// <param name="identity">Identity of the user on whose behalf to create the access token; use HttpContext.Current.User</param>
/// <param name="UserIdentityClaimType">The claim type that is used as the identity claim for the user</param>
/// <param name="IdentityClaimProviderType">The type of identity provider being used</param>
/// <param name="UseAppOnlyClaim">Use an App Only claim</param>
/// <returns></returns>
public static string GetS2SClaimsAccessTokenWithClaims(
Uri targetApplicationUri,
ClaimsIdentity identity,
IdentityClaimType UserIdentityClaimType,
ClaimProviderType IdentityClaimProviderType,
bool UseAppOnlyClaim)
{
//get the identity claim info first
TokenHelper.ClaimsUserIdClaim id = null;
if (IdentityClaimProviderType == ClaimProviderType.SAML)
{
id = RetrieveIdentityForSamlClaimsUser(identity, UserIdentityClaimType);
}
else
{
id = RetrieveIdentityForFbaClaimsUser(identity, UserIdentityClaimType);
}
string realm = string.IsNullOrEmpty(Realm) ? GetRealmFromTargetUrl(targetApplicationUri) : Realm;
JsonWebTokenClaim[] claims = identity != null?GetClaimsWithClaimsIdentity(identity, UserIdentityClaimType, id, IdentityClaimProviderType) : null;
return(IssueToken(
ClientId,
IssuerId,
realm,
SharePointPrincipal,
realm,
targetApplicationUri.Authority,
true,
claims,
UseAppOnlyClaim,
id.ClaimsIdClaimType != CLAIMS_ID_TYPE_UPN,
id.ClaimsIdClaimType,
id.ClaimsIdClaimValue));
}
private static JsonWebTokenClaim[] GetClaimsWithClaimsIdentity(ClaimsIdentity indentity, IdentityClaimType SamlIdentityClaimType, TokenHelper.ClaimsUserIdClaim id, ClaimProviderType IdentityClaimProviderType)
{
//if an identity claim was not found, then exit
if (string.IsNullOrEmpty(id.ClaimsIdClaimValue))
{
return(null);
}
Hashtable claimSet = new Hashtable();
//you always need nii claim, so add that
claimSet.Add("nii", "temp");
//set up the nii claim and then add the smtp or sip claim separately
if (IdentityClaimProviderType == ClaimProviderType.SAML)
{
claimSet["nii"] = "trusted:" + TrustedProviderName.ToLower(); //was urn:office:idp:trusted:, but this does not seem to align with what SPIdentityClaimMapper uses
}
else
{
claimSet["nii"] = "urn:office:idp:forms:" + MembershipProviderName.ToLower();
}
//plug in UPN claim if we're using that
if (id.ClaimsIdClaimType == CLAIMS_ID_TYPE_UPN)
{
claimSet.Add("upn", id.ClaimsIdClaimValue.ToLower());
}
//now create the JsonWebTokenClaim array
List <JsonWebTokenClaim> claimList = new List <JsonWebTokenClaim>();
foreach (string key in claimSet.Keys)
{
claimList.Add(new JsonWebTokenClaim(key, (string)claimSet[key]));
}
return(claimList.ToArray());
}
/// <summary>
/// NOT IMPLEMENTED
/// </summary>
/// <param name="identity"></param>
/// <param name="SamlIdentityClaimType"></param>
/// <returns></returns>
private static TokenHelper.ClaimsUserIdClaim RetrieveIdentityForFbaClaimsUser(ClaimsIdentity identity, IdentityClaimType SamlIdentityClaimType)
{
throw new NotImplementedException();
}
/// <summary>
/// Retrieves the identity for the ClaimsIdentity
/// </summary>
/// <param name="identity">The Claims Identity</param>
/// <param name="SamlIdentityClaimType">The Claims Identity Type</param>
/// <returns></returns>
private static TokenHelper.ClaimsUserIdClaim RetrieveIdentityForSamlClaimsUser(ClaimsIdentity identity, IdentityClaimType SamlIdentityClaimType)
{
TokenHelper.ClaimsUserIdClaim id = new ClaimsUserIdClaim();
try
{
if (identity.IsAuthenticated)
{
//get the claim type we're looking for
string claimType = CLAIM_TYPE_EMAIL;
id.ClaimsIdClaimType = CLAIMS_ID_TYPE_EMAIL;
//since the vast majority of the time the id claim is email, we'll start out with that
//as our default position and only check if that isn't the case
if (SamlIdentityClaimType != IdentityClaimType.SMTP)
{
switch (SamlIdentityClaimType)
{
case IdentityClaimType.UPN:
claimType = CLAIM_TYPE_UPN;
id.ClaimsIdClaimType = CLAIMS_ID_TYPE_UPN;
break;
default:
claimType = CLAIM_TYPE_SIP;
id.ClaimsIdClaimType = CLAIMS_ID_TYPE_SIP;
break;
}
}
foreach (Claim claim in identity.Claims)
{
if (claim.Type == claimType)
{
id.ClaimsIdClaimValue = claim.Value;
break;
}
}
}
}
catch (Exception ex)
{
//not going to do anything here; could look for a missing identity claim but instead will just
//return an empty string
Debug.WriteLine(ex.Message);
}
return(id);
}
private async Task AddClaimTypes()
{
var ageClaim = new IdentityClaimType(Guid.NewGuid(), "Age", false, false, null, null, null,
IdentityClaimValueType.Int);
await _identityClaimTypeRepository.InsertAsync(ageClaim);
}
/// <summary>
/// Retrieves the identity for the ClaimsIdentity
/// </summary>
/// <param name="identity">The Claims Identity</param>
/// <param name="SamlIdentityClaimType">The Claims Identity Type</param>
/// <returns></returns>
private static TokenHelper.ClaimsUserIdClaim RetrieveIdentityForSamlClaimsUser(ClaimsIdentity identity, IdentityClaimType SamlIdentityClaimType)
{
TokenHelper.ClaimsUserIdClaim id = new ClaimsUserIdClaim();
try
{
if (identity.IsAuthenticated)
{
//get the claim type we're looking for
string claimType = CLAIM_TYPE_EMAIL;
id.ClaimsIdClaimType = CLAIMS_ID_TYPE_EMAIL;
//since the vast majority of the time the id claim is email, we'll start out with that
//as our default position and only check if that isn't the case
if (SamlIdentityClaimType != IdentityClaimType.SMTP)
{
switch (SamlIdentityClaimType)
{
case IdentityClaimType.UPN:
claimType = CLAIM_TYPE_UPN;
id.ClaimsIdClaimType = CLAIMS_ID_TYPE_UPN;
break;
default:
claimType = CLAIM_TYPE_SIP;
id.ClaimsIdClaimType = CLAIMS_ID_TYPE_SIP;
break;
}
}
foreach (Claim claim in identity.Claims)
{
if (claim.Type == claimType)
{
id.ClaimsIdClaimValue = claim.Value;
break;
}
}
}
}
catch (Exception ex)
{
//not going to do anything here; could look for a missing identity claim but instead will just
//return an empty string
Debug.WriteLine(ex.Message);
}
return id;
}
/// <summary>
/// NOT IMPLEMENTED
/// </summary>
/// <param name="identity"></param>
/// <param name="SamlIdentityClaimType"></param>
/// <returns></returns>
private static TokenHelper.ClaimsUserIdClaim RetrieveIdentityForFbaClaimsUser(ClaimsIdentity identity, IdentityClaimType SamlIdentityClaimType)
{
throw new NotImplementedException();
}
private static JsonWebTokenClaim[] GetClaimsWithClaimsIdentity(ClaimsIdentity indentity, IdentityClaimType SamlIdentityClaimType, TokenHelper.ClaimsUserIdClaim id, ClaimProviderType IdentityClaimProviderType)
{
//if an identity claim was not found, then exit
if (string.IsNullOrEmpty(id.ClaimsIdClaimValue))
return null;
Hashtable claimSet = new Hashtable();
//you always need nii claim, so add that
claimSet.Add("nii", "temp");
//set up the nii claim and then add the smtp or sip claim separately
if (IdentityClaimProviderType == ClaimProviderType.SAML)
claimSet["nii"] = "trusted:" + TrustedProviderName.ToLower(); //was urn:office:idp:trusted:, but this does not seem to align with what SPIdentityClaimMapper uses
else
claimSet["nii"] = "urn:office:idp:forms:" + MembershipProviderName.ToLower();
//plug in UPN claim if we're using that
if (id.ClaimsIdClaimType == CLAIMS_ID_TYPE_UPN)
claimSet.Add("upn", id.ClaimsIdClaimValue.ToLower());
//now create the JsonWebTokenClaim array
List<JsonWebTokenClaim> claimList = new List<JsonWebTokenClaim>();
foreach (string key in claimSet.Keys)
{
claimList.Add(new JsonWebTokenClaim(key, (string)claimSet[key]));
}
return claimList.ToArray();
}
/// <summary>
/// Retrieves an S2S client context with an access token signed by the application's private certificate on
/// behalf of the specified Claims Identity and intended for application at the targetApplicationUri using the
/// targetRealm. If no Realm is specified in web.config, an auth challenge will be issued to the
/// targetApplicationUri to discover it.
/// </summary>
/// <param name="targetApplicationUri">Url of the target SharePoint site</param>
/// <param name="identity">Identity of the user on whose behalf to create the access token; use HttpContext.Current.User</param>
/// <param name="UserIdentityClaimType">The claim type that is used as the identity claim for the user</param>
/// <param name="IdentityClaimProviderType">The type of identity provider being used</param>
/// <param name="UseAppOnlyClaim">Use an App Only claim</param>
/// <returns>A ClientContext using an access token with an audience of the target application</returns>
public static ClientContext GetS2SClientContextWithClaimsIdentity(
Uri targetApplicationUri,
ClaimsIdentity identity,
IdentityClaimType UserIdentityClaimType,
ClaimProviderType IdentityClaimProviderType,
bool UseAppOnlyClaim)
{
string realm = string.IsNullOrEmpty(Realm) ? GetRealmFromTargetUrl(targetApplicationUri) : Realm;
string accessToken = GetS2SClaimsAccessTokenWithClaims(
targetApplicationUri,
identity,
UserIdentityClaimType,
IdentityClaimProviderType,
UseAppOnlyClaim);
return GetClientContextWithAccessToken(targetApplicationUri.ToString(), accessToken);
}
/// <summary>
/// Retrieves an S2S access token signed by the application's private certificate on
/// behalf of the specified Claims Identity and intended for application at the targetApplicationUri using the
/// targetRealm. If no Realm is specified in web.config, an auth challenge will be issued to the
/// targetApplicationUri to discover it.
/// </summary>
/// <param name="targetApplicationUri">Url of the target SharePoint site</param>
/// <param name="identity">Identity of the user on whose behalf to create the access token; use HttpContext.Current.User</param>
/// <param name="UserIdentityClaimType">The claim type that is used as the identity claim for the user</param>
/// <param name="IdentityClaimProviderType">The type of identity provider being used</param>
/// <param name="UseAppOnlyClaim">Use an App Only claim</param>
/// <returns></returns>
public static string GetS2SClaimsAccessTokenWithClaims(
Uri targetApplicationUri,
ClaimsIdentity identity,
IdentityClaimType UserIdentityClaimType,
ClaimProviderType IdentityClaimProviderType,
bool UseAppOnlyClaim)
{
//get the identity claim info first
TokenHelper.ClaimsUserIdClaim id = null;
if (IdentityClaimProviderType == ClaimProviderType.SAML)
id = RetrieveIdentityForSamlClaimsUser(identity, UserIdentityClaimType);
else
{
id = RetrieveIdentityForFbaClaimsUser(identity, UserIdentityClaimType);
}
string realm = string.IsNullOrEmpty(Realm) ? GetRealmFromTargetUrl(targetApplicationUri) : Realm;
JsonWebTokenClaim[] claims = identity != null ? GetClaimsWithClaimsIdentity(identity, UserIdentityClaimType, id, IdentityClaimProviderType) : null;
return IssueToken(
ClientId,
IssuerId,
realm,
SharePointPrincipal,
realm,
targetApplicationUri.Authority,
true,
claims,
UseAppOnlyClaim,
id.ClaimsIdClaimType != CLAIMS_ID_TYPE_UPN,
id.ClaimsIdClaimType,
id.ClaimsIdClaimValue);
}
