public void Saml2SecurityTokenHandler_GetSets() { Saml2SecurityTokenHandler samlSecurityTokenHandler = new Saml2SecurityTokenHandler(); TestUtilities.SetGet(samlSecurityTokenHandler, "MaximumTokenSizeInBytes", (object)0, ExpectedException.ArgumentOutOfRangeException(substringExpected: "IDX10101")); TestUtilities.SetGet(samlSecurityTokenHandler, "MaximumTokenSizeInBytes", (object)1, ExpectedException.NoExceptionExpected); }
public void Saml2SecurityTokenHandler_ValidateToken() { // parameter validation Saml2SecurityTokenHandler tokenHandler = new Saml2SecurityTokenHandler(); TestUtilities.ValidateToken(securityToken: null, validationParameters: new TokenValidationParameters(), tokenValidator: tokenHandler, expectedException: ExpectedException.ArgumentNullException(substringExpected: "name: securityToken")); TestUtilities.ValidateToken(securityToken: "s", validationParameters: null, tokenValidator: tokenHandler, expectedException: ExpectedException.ArgumentNullException(substringExpected: "name: validationParameters")); tokenHandler.MaximumTokenSizeInBytes = 1; TestUtilities.ValidateToken(securityToken: "ss", validationParameters: new TokenValidationParameters(), tokenValidator: tokenHandler, expectedException: ExpectedException.ArgumentException(substringExpected: "IDX10209")); tokenHandler.MaximumTokenSizeInBytes = TokenValidationParameters.DefaultMaximumTokenSizeInBytes; string samlToken = IdentityUtilities.CreateSaml2Token(); TestUtilities.ValidateToken(samlToken, IdentityUtilities.DefaultAsymmetricTokenValidationParameters, tokenHandler, ExpectedException.NoExceptionExpected); // EncryptedAssertion SecurityTokenDescriptor tokenDescriptor = new SecurityTokenDescriptor { AppliesToAddress = IdentityUtilities.DefaultAudience, EncryptingCredentials = new EncryptedKeyEncryptingCredentials(KeyingMaterial.DefaultAsymmetricCert_2048), Lifetime = new Lifetime(DateTime.UtcNow, DateTime.UtcNow + TimeSpan.FromHours(1)), SigningCredentials = KeyingMaterial.DefaultAsymmetricSigningCreds_2048_RsaSha2_Sha2, Subject = IdentityUtilities.DefaultClaimsIdentity, TokenIssuerName = IdentityUtilities.DefaultIssuer, }; samlToken = IdentityUtilities.CreateSaml2Token(tokenDescriptor); TestUtilities.ValidateToken(samlToken, IdentityUtilities.DefaultAsymmetricTokenValidationParameters, tokenHandler, new ExpectedException(typeExpected: typeof(EncryptedTokenDecryptionFailedException), substringExpected: "ID4022")); TokenValidationParameters validationParameters = IdentityUtilities.DefaultAsymmetricTokenValidationParameters; validationParameters.ClientDecryptionTokens = new List <SecurityToken> { KeyingMaterial.DefaultX509Token_2048 }.AsReadOnly(); TestUtilities.ValidateToken(samlToken, validationParameters, tokenHandler, ExpectedException.NoExceptionExpected); TestUtilities.ValidateTokenReplay(samlToken, tokenHandler, validationParameters); TestUtilities.ValidateToken(samlToken, validationParameters, tokenHandler, ExpectedException.NoExceptionExpected); validationParameters.LifetimeValidator = (nb, exp, st, tvp) => { return(false); }; TestUtilities.ValidateToken(samlToken, validationParameters, tokenHandler, new ExpectedException(typeExpected: typeof(SecurityTokenInvalidLifetimeException), substringExpected: "IDX10230:")); validationParameters.ValidateLifetime = false; validationParameters.LifetimeValidator = IdentityUtilities.LifetimeValidatorThrows; TestUtilities.ValidateToken(securityToken: samlToken, validationParameters: validationParameters, tokenValidator: tokenHandler, expectedException: ExpectedException.NoExceptionExpected); }
public void CrossToken_ValidateToken() { JwtSecurityTokenHandler jwtHandler = new JwtSecurityTokenHandler(); IMSaml2TokenHandler imSaml2Handler = new IMSaml2TokenHandler(); IMSamlTokenHandler imSamlHandler = new IMSamlTokenHandler(); SMSaml2TokenHandler smSaml2Handler = new SMSaml2TokenHandler(); SMSamlTokenHandler smSamlHandler = new SMSamlTokenHandler(); JwtSecurityTokenHandler.InboundClaimFilter.Add("aud"); JwtSecurityTokenHandler.InboundClaimFilter.Add("exp"); JwtSecurityTokenHandler.InboundClaimFilter.Add("iat"); JwtSecurityTokenHandler.InboundClaimFilter.Add("iss"); JwtSecurityTokenHandler.InboundClaimFilter.Add("nbf"); string jwtToken = IdentityUtilities.CreateJwtToken(IdentityUtilities.DefaultAsymmetricSecurityTokenDescriptor, jwtHandler); // saml tokens created using Microsoft.IdentityModel.Extensions string imSaml2Token = IdentityUtilities.CreateSaml2Token(IdentityUtilities.DefaultAsymmetricSecurityTokenDescriptor, imSaml2Handler); string imSamlToken = IdentityUtilities.CreateSamlToken(IdentityUtilities.DefaultAsymmetricSecurityTokenDescriptor, imSamlHandler); // saml tokens created using System.IdentityModel.Tokens string smSaml2Token = IdentityUtilities.CreateSaml2Token(IdentityUtilities.DefaultAsymmetricSecurityTokenDescriptor, smSaml2Handler); string smSamlToken = IdentityUtilities.CreateSamlToken(IdentityUtilities.DefaultAsymmetricSecurityTokenDescriptor, smSamlHandler); ClaimsPrincipal jwtPrincipal = ValidateToken(jwtToken, IdentityUtilities.DefaultAsymmetricTokenValidationParameters, jwtHandler, ExpectedException.NoExceptionExpected); ClaimsPrincipal imSaml2Principal = ValidateToken(imSaml2Token, IdentityUtilities.DefaultAsymmetricTokenValidationParameters, imSaml2Handler, ExpectedException.NoExceptionExpected); ClaimsPrincipal imSamlPrincipal = ValidateToken(imSamlToken, IdentityUtilities.DefaultAsymmetricTokenValidationParameters, imSamlHandler, ExpectedException.NoExceptionExpected); ClaimsPrincipal smSaml2Principal = ValidateToken(smSaml2Token, IdentityUtilities.DefaultAsymmetricTokenValidationParameters, imSaml2Handler, ExpectedException.NoExceptionExpected); ClaimsPrincipal smSamlPrincipal = ValidateToken(smSamlToken, IdentityUtilities.DefaultAsymmetricTokenValidationParameters, imSamlHandler, ExpectedException.NoExceptionExpected); Assert.IsTrue(IdentityComparer.AreEqual <ClaimsPrincipal>(imSamlPrincipal, imSaml2Principal, new CompareContext { IgnoreSubject = true })); Assert.IsTrue(IdentityComparer.AreEqual <ClaimsPrincipal>(smSamlPrincipal, imSaml2Principal, new CompareContext { IgnoreSubject = true })); Assert.IsTrue(IdentityComparer.AreEqual <ClaimsPrincipal>(smSaml2Principal, imSaml2Principal, new CompareContext { IgnoreSubject = true })); // false = ignore type of objects, we expect all objects in the principal to be of same type (no derived types) // true = ignore subject, claims have a backpointer to their ClaimsIdentity. Most of the time this will be different as we are comparing two different ClaimsIdentities. // true = ignore properties of claims, any mapped claims short to long for JWT's will have a property that represents the short type. Assert.IsTrue(IdentityComparer.AreEqual <ClaimsPrincipal>(jwtPrincipal, imSaml2Principal, new CompareContext { IgnoreType = false, IgnoreSubject = true, IgnoreProperties = true })); JwtSecurityTokenHandler.InboundClaimFilter.Clear(); }
private bool CanReadToken(string securityToken, Saml2SecurityTokenHandler samlSecurityTokenHandler, ExpectedException expectedException) { bool canReadToken = false; try { canReadToken = samlSecurityTokenHandler.CanReadToken(securityToken); expectedException.ProcessNoException(); } catch (Exception exception) { expectedException.ProcessException(exception); } return(canReadToken); }
private void CanReadToken() { // CanReadToken Saml2SecurityTokenHandler samlSecurityTokenHandler = new Saml2SecurityTokenHandler(); Assert.IsFalse(CanReadToken(securityToken: null, samlSecurityTokenHandler: samlSecurityTokenHandler, expectedException: ExpectedException.NoExceptionExpected)); string samlString = new string('S', TokenValidationParameters.DefaultMaximumTokenSizeInBytes + 1); Assert.IsFalse(CanReadToken(samlString, samlSecurityTokenHandler, ExpectedException.NoExceptionExpected)); samlString = new string('S', TokenValidationParameters.DefaultMaximumTokenSizeInBytes); CanReadToken(securityToken: samlString, samlSecurityTokenHandler: samlSecurityTokenHandler, expectedException: ExpectedException.NoExceptionExpected); samlString = IdentityUtilities.CreateSamlToken(); Assert.IsFalse(CanReadToken(securityToken: samlString, samlSecurityTokenHandler: samlSecurityTokenHandler, expectedException: ExpectedException.NoExceptionExpected)); samlString = IdentityUtilities.CreateSaml2Token(); Assert.IsTrue(CanReadToken(securityToken: samlString, samlSecurityTokenHandler: samlSecurityTokenHandler, expectedException: ExpectedException.NoExceptionExpected)); }
public void CrossToken_ValidateToken() { JwtSecurityTokenHandler jwtHandler = new JwtSecurityTokenHandler(); IMSaml2TokenHandler imSaml2Handler = new IMSaml2TokenHandler(); IMSamlTokenHandler imSamlHandler = new IMSamlTokenHandler(); SMSaml2TokenHandler smSaml2Handler = new SMSaml2TokenHandler(); SMSamlTokenHandler smSamlHandler = new SMSamlTokenHandler(); JwtSecurityTokenHandler.InboundClaimFilter.Add("aud"); JwtSecurityTokenHandler.InboundClaimFilter.Add("exp"); JwtSecurityTokenHandler.InboundClaimFilter.Add("iat"); JwtSecurityTokenHandler.InboundClaimFilter.Add("iss"); JwtSecurityTokenHandler.InboundClaimFilter.Add("nbf"); string jwtToken = IdentityUtilities.CreateJwtToken(IdentityUtilities.DefaultAsymmetricSecurityTokenDescriptor, jwtHandler); // saml tokens created using Microsoft.IdentityModel.Extensions string imSaml2Token = IdentityUtilities.CreateSaml2Token(IdentityUtilities.DefaultAsymmetricSecurityTokenDescriptor, imSaml2Handler); string imSamlToken = IdentityUtilities.CreateSamlToken(IdentityUtilities.DefaultAsymmetricSecurityTokenDescriptor, imSamlHandler); // saml tokens created using System.IdentityModel.Tokens string smSaml2Token = IdentityUtilities.CreateSaml2Token(IdentityUtilities.DefaultAsymmetricSecurityTokenDescriptor, smSaml2Handler); string smSamlToken = IdentityUtilities.CreateSamlToken(IdentityUtilities.DefaultAsymmetricSecurityTokenDescriptor, smSamlHandler); ClaimsPrincipal jwtPrincipal = ValidateToken(jwtToken, IdentityUtilities.DefaultAsymmetricTokenValidationParameters, jwtHandler, ExpectedException.NoExceptionExpected); ClaimsPrincipal imSaml2Principal = ValidateToken(imSaml2Token, IdentityUtilities.DefaultAsymmetricTokenValidationParameters, imSaml2Handler, ExpectedException.NoExceptionExpected); ClaimsPrincipal imSamlPrincipal = ValidateToken(imSamlToken, IdentityUtilities.DefaultAsymmetricTokenValidationParameters, imSamlHandler, ExpectedException.NoExceptionExpected); ClaimsPrincipal smSaml2Principal = ValidateToken(smSaml2Token, IdentityUtilities.DefaultAsymmetricTokenValidationParameters, imSaml2Handler, ExpectedException.NoExceptionExpected); ClaimsPrincipal smSamlPrincipal = ValidateToken(smSamlToken, IdentityUtilities.DefaultAsymmetricTokenValidationParameters, imSamlHandler, ExpectedException.NoExceptionExpected); Assert.IsTrue(IdentityComparer.AreEqual<ClaimsPrincipal>(imSamlPrincipal, imSaml2Principal, new CompareContext { IgnoreSubject = true })); Assert.IsTrue(IdentityComparer.AreEqual<ClaimsPrincipal>(smSamlPrincipal, imSaml2Principal, new CompareContext { IgnoreSubject = true })); Assert.IsTrue(IdentityComparer.AreEqual<ClaimsPrincipal>(smSaml2Principal, imSaml2Principal, new CompareContext { IgnoreSubject = true })); // false = ignore type of objects, we expect all objects in the principal to be of same type (no derived types) // true = ignore subject, claims have a backpointer to their ClaimsIdentity. Most of the time this will be different as we are comparing two different ClaimsIdentities. // true = ignore properties of claims, any mapped claims short to long for JWT's will have a property that represents the short type. Assert.IsTrue(IdentityComparer.AreEqual<ClaimsPrincipal>(jwtPrincipal, imSaml2Principal, new CompareContext{IgnoreType = false, IgnoreSubject = true, IgnoreProperties=true})); JwtSecurityTokenHandler.InboundClaimFilter.Clear(); }
public void Saml2SecurityTokenHandler_Defaults() { Saml2SecurityTokenHandler samlSecurityTokenHandler = new Saml2SecurityTokenHandler(); Assert.IsTrue(samlSecurityTokenHandler.MaximumTokenSizeInBytes == TokenValidationParameters.DefaultMaximumTokenSizeInBytes, "MaximumTokenSizeInBytes"); }
public void Saml2SecurityTokenHandler_Constructors() { Saml2SecurityTokenHandler saml2SecurityTokenHandler = new Saml2SecurityTokenHandler(); }
private void ValidateAudience() { Saml2SecurityTokenHandler tokenHandler = new Saml2SecurityTokenHandler(); ExpectedException expectedException; string samlString = IdentityUtilities.CreateSaml2Token(); TokenValidationParameters tokenValidationParameters = new TokenValidationParameters { IssuerSigningToken = IdentityUtilities.DefaultAsymmetricSigningToken, RequireExpirationTime = false, RequireSignedTokens = false, ValidIssuer = IdentityUtilities.DefaultIssuer, }; // Do not validate audience tokenValidationParameters.ValidateAudience = false; expectedException = ExpectedException.NoExceptionExpected; TestUtilities.ValidateToken(securityToken: samlString, validationParameters: tokenValidationParameters, tokenValidator: tokenHandler, expectedException: expectedException); // no valid audiences tokenValidationParameters.ValidateAudience = true; expectedException = ExpectedException.SecurityTokenInvalidAudienceException("IDX10208"); TestUtilities.ValidateToken(securityToken: samlString, validationParameters: tokenValidationParameters, tokenValidator: tokenHandler, expectedException: expectedException); tokenValidationParameters.ValidateAudience = true; tokenValidationParameters.ValidAudience = "John"; expectedException = new ExpectedException(typeExpected: typeof(SecurityTokenInvalidAudienceException), substringExpected: "IDX10214"); TestUtilities.ValidateToken(securityToken: samlString, validationParameters: tokenValidationParameters, tokenValidator: tokenHandler, expectedException: expectedException); // UriKind.Absolute, no match. tokenValidationParameters.ValidateAudience = true; tokenValidationParameters.ValidAudience = IdentityUtilities.NotDefaultAudience; expectedException = new ExpectedException(typeExpected: typeof(SecurityTokenInvalidAudienceException), substringExpected: "IDX10214"); TestUtilities.ValidateToken(securityToken: samlString, validationParameters: tokenValidationParameters, tokenValidator: tokenHandler, expectedException: expectedException); expectedException = ExpectedException.NoExceptionExpected; tokenValidationParameters.ValidAudience = IdentityUtilities.DefaultAudience; tokenValidationParameters.ValidAudiences = null; TestUtilities.ValidateToken(securityToken: samlString, validationParameters: tokenValidationParameters, tokenValidator: tokenHandler, expectedException: expectedException); // !UriKind.Absolute List<string> audiences = new List<string> { "John", "Paul", "George", "Ringo" }; tokenValidationParameters.ValidAudience = null; tokenValidationParameters.ValidAudiences = audiences; tokenValidationParameters.ValidateAudience = false; expectedException = ExpectedException.NoExceptionExpected; TestUtilities.ValidateToken(securityToken: samlString, validationParameters: tokenValidationParameters, tokenValidator: tokenHandler, expectedException: expectedException); // UriKind.Absolute, no match audiences = new List<string> { "http://www.John.com", "http://www.Paul.com", "http://www.George.com", "http://www.Ringo.com", " " }; tokenValidationParameters.ValidAudience = null; tokenValidationParameters.ValidAudiences = audiences; tokenValidationParameters.ValidateAudience = false; expectedException = ExpectedException.NoExceptionExpected; TestUtilities.ValidateToken(securityToken: samlString, validationParameters: tokenValidationParameters, tokenValidator: tokenHandler, expectedException: expectedException); tokenValidationParameters.ValidateAudience = true; expectedException = new ExpectedException(typeExpected: typeof(SecurityTokenInvalidAudienceException), substringExpected: "IDX10214"); TestUtilities.ValidateToken(securityToken: samlString, validationParameters: tokenValidationParameters, tokenValidator: tokenHandler, expectedException: expectedException); tokenValidationParameters.ValidateAudience = true; expectedException = ExpectedException.NoExceptionExpected; audiences.Add(IdentityUtilities.DefaultAudience); TestUtilities.ValidateToken(securityToken: samlString, validationParameters: tokenValidationParameters, tokenValidator: tokenHandler, expectedException: expectedException); }
private bool CanReadToken(string securityToken, Saml2SecurityTokenHandler samlSecurityTokenHandler, ExpectedException expectedException) { bool canReadToken = false; try { canReadToken = samlSecurityTokenHandler.CanReadToken(securityToken); expectedException.ProcessNoException(); } catch (Exception exception) { expectedException.ProcessException(exception); } return canReadToken; }
public void Saml2SecurityTokenHandler_ValidateToken() { // parameter validation Saml2SecurityTokenHandler tokenHandler = new Saml2SecurityTokenHandler(); TestUtilities.ValidateToken(securityToken: null, validationParameters: new TokenValidationParameters(), tokenValidator: tokenHandler, expectedException: ExpectedException.ArgumentNullException(substringExpected: "name: securityToken")); TestUtilities.ValidateToken(securityToken: "s", validationParameters: null, tokenValidator: tokenHandler, expectedException: ExpectedException.ArgumentNullException(substringExpected: "name: validationParameters")); tokenHandler.MaximumTokenSizeInBytes = 1; TestUtilities.ValidateToken(securityToken: "ss", validationParameters: new TokenValidationParameters(), tokenValidator: tokenHandler, expectedException: ExpectedException.ArgumentException(substringExpected: "IDX10209")); tokenHandler.MaximumTokenSizeInBytes = TokenValidationParameters.DefaultMaximumTokenSizeInBytes; string samlToken = IdentityUtilities.CreateSaml2Token(); TestUtilities.ValidateToken(samlToken, IdentityUtilities.DefaultAsymmetricTokenValidationParameters, tokenHandler, ExpectedException.NoExceptionExpected); // EncryptedAssertion SecurityTokenDescriptor tokenDescriptor = new SecurityTokenDescriptor { AppliesToAddress = IdentityUtilities.DefaultAudience, EncryptingCredentials = new EncryptedKeyEncryptingCredentials(KeyingMaterial.DefaultAsymmetricCert_2048), Lifetime = new Lifetime(DateTime.UtcNow, DateTime.UtcNow + TimeSpan.FromHours(1)), SigningCredentials = KeyingMaterial.DefaultAsymmetricSigningCreds_2048_RsaSha2_Sha2, Subject = IdentityUtilities.DefaultClaimsIdentity, TokenIssuerName = IdentityUtilities.DefaultIssuer, }; samlToken = IdentityUtilities.CreateSaml2Token(tokenDescriptor); TestUtilities.ValidateToken(samlToken, IdentityUtilities.DefaultAsymmetricTokenValidationParameters, tokenHandler, new ExpectedException(typeExpected: typeof(EncryptedTokenDecryptionFailedException), substringExpected: "ID4022")); TokenValidationParameters validationParameters = IdentityUtilities.DefaultAsymmetricTokenValidationParameters; validationParameters.ClientDecryptionTokens = new List<SecurityToken>{ KeyingMaterial.DefaultX509Token_2048 }.AsReadOnly(); TestUtilities.ValidateToken(samlToken, validationParameters, tokenHandler, ExpectedException.NoExceptionExpected); TestUtilities.ValidateTokenReplay(samlToken, tokenHandler, validationParameters); }
private void ValidateAudience() { Saml2SecurityTokenHandler tokenHandler = new Saml2SecurityTokenHandler(); ExpectedException expectedException; string samlString = IdentityUtilities.CreateSaml2Token(); TokenValidationParameters validationParameters = new TokenValidationParameters { IssuerSigningToken = IdentityUtilities.DefaultAsymmetricSigningToken, RequireExpirationTime = false, RequireSignedTokens = false, ValidIssuer = IdentityUtilities.DefaultIssuer, }; // Do not validate audience validationParameters.ValidateAudience = false; expectedException = ExpectedException.NoExceptionExpected; TestUtilities.ValidateToken(securityToken: samlString, validationParameters: validationParameters, tokenValidator: tokenHandler, expectedException: expectedException); // no valid audiences validationParameters.ValidateAudience = true; expectedException = ExpectedException.SecurityTokenInvalidAudienceException("IDX10208"); TestUtilities.ValidateToken(securityToken: samlString, validationParameters: validationParameters, tokenValidator: tokenHandler, expectedException: expectedException); validationParameters.ValidateAudience = true; validationParameters.ValidAudience = "John"; expectedException = new ExpectedException(typeExpected: typeof(SecurityTokenInvalidAudienceException), substringExpected: "IDX10214"); TestUtilities.ValidateToken(securityToken: samlString, validationParameters: validationParameters, tokenValidator: tokenHandler, expectedException: expectedException); // UriKind.Absolute, no match. validationParameters.ValidateAudience = true; validationParameters.ValidAudience = IdentityUtilities.NotDefaultAudience; expectedException = new ExpectedException(typeExpected: typeof(SecurityTokenInvalidAudienceException), substringExpected: "IDX10214"); TestUtilities.ValidateToken(securityToken: samlString, validationParameters: validationParameters, tokenValidator: tokenHandler, expectedException: expectedException); expectedException = ExpectedException.NoExceptionExpected; validationParameters.ValidAudience = IdentityUtilities.DefaultAudience; validationParameters.ValidAudiences = null; TestUtilities.ValidateToken(securityToken: samlString, validationParameters: validationParameters, tokenValidator: tokenHandler, expectedException: expectedException); // !UriKind.Absolute List <string> audiences = new List <string> { "John", "Paul", "George", "Ringo" }; validationParameters.ValidAudience = null; validationParameters.ValidAudiences = audiences; validationParameters.ValidateAudience = false; expectedException = ExpectedException.NoExceptionExpected; TestUtilities.ValidateToken(securityToken: samlString, validationParameters: validationParameters, tokenValidator: tokenHandler, expectedException: expectedException); // UriKind.Absolute, no match audiences = new List <string> { "http://www.John.com", "http://www.Paul.com", "http://www.George.com", "http://www.Ringo.com", " " }; validationParameters.ValidAudience = null; validationParameters.ValidAudiences = audiences; validationParameters.ValidateAudience = false; expectedException = ExpectedException.NoExceptionExpected; TestUtilities.ValidateToken(securityToken: samlString, validationParameters: validationParameters, tokenValidator: tokenHandler, expectedException: expectedException); validationParameters.ValidateAudience = true; expectedException = new ExpectedException(typeExpected: typeof(SecurityTokenInvalidAudienceException), substringExpected: "IDX10214"); TestUtilities.ValidateToken(securityToken: samlString, validationParameters: validationParameters, tokenValidator: tokenHandler, expectedException: expectedException); validationParameters.ValidateAudience = true; expectedException = ExpectedException.NoExceptionExpected; audiences.Add(IdentityUtilities.DefaultAudience); TestUtilities.ValidateToken(securityToken: samlString, validationParameters: validationParameters, tokenValidator: tokenHandler, expectedException: expectedException); validationParameters.AudienceValidator = (aud, token, tvp) => { return(false); }; expectedException = new ExpectedException(typeExpected: typeof(SecurityTokenInvalidAudienceException), substringExpected: "IDX10231:"); audiences.Add(IdentityUtilities.DefaultAudience); TestUtilities.ValidateToken(securityToken: samlString, validationParameters: validationParameters, tokenValidator: tokenHandler, expectedException: expectedException); validationParameters.ValidateAudience = false; validationParameters.AudienceValidator = IdentityUtilities.AudienceValidatorThrows; TestUtilities.ValidateToken(securityToken: samlString, validationParameters: validationParameters, tokenValidator: tokenHandler, expectedException: ExpectedException.NoExceptionExpected); }
static void Main(string[] args) { var x = new Microsoft.IdentityModel.Tokens.Saml2SecurityTokenHandler(); Console.WriteLine("Eureka"); Console.ReadKey(); }
public void CanAddRelyingPartyWithClaimMappings() { var encryptingCertificate = Cert.LoadEncryptingCertificate(); var relyingParty = new RelyingParty { Realm = "urn:identityserver:encrypt", Name = "Test Relying Party", Enabled = true, ReplyUrl = "https://www.google.com/", TokenType = "urn:oasis:names:tc:SAML:1.0:assertion", TokenLifeTime = 1000, IncludeAllClaimsForUser = false, DefaultClaimTypeMappingPrefix = "https://schema.org/", SamlNameIdentifierFormat = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress", SignatureAlgorithm = SecurityAlgorithms.RsaSha256Signature, DigestAlgorithm = SecurityAlgorithms.Sha256Digest, ClaimMappings = new List <ClaimMap> { new ClaimMap { InboundClaim = "name", OutboundClaim = ClaimTypes.Name }, new ClaimMap { InboundClaim = "email", OutboundClaim = ClaimTypes.Email } }, EncryptingCertificate = encryptingCertificate.RawData }; using (var context = new RelyingPartyConfigurationDbContext(ConfigConnectionStringName)) { context.RelyingParties.Add(relyingParty); context.SaveChanges(); } RelyingParty persistedRelyingParty; using (var context = new RelyingPartyConfigurationDbContext(ConfigConnectionStringName)) { persistedRelyingParty = context.RelyingParties.Include(x => x.ClaimMappings) .FirstOrDefault(x => x.Realm == relyingParty.Realm); } Assert.NotNull(persistedRelyingParty); Assert.True(relyingParty.Realm == persistedRelyingParty.Realm); Assert.True(persistedRelyingParty.ClaimMappings.Any()); Assert.True(relyingParty.ClaimMappings.Count == persistedRelyingParty.ClaimMappings.Count); Assert.True(relyingParty.DefaultClaimTypeMappingPrefix == persistedRelyingParty.DefaultClaimTypeMappingPrefix); Assert.True(relyingParty.DigestAlgorithm == persistedRelyingParty.DigestAlgorithm); Assert.True(relyingParty.Enabled == persistedRelyingParty.Enabled); Assert.True(relyingParty.Id == persistedRelyingParty.Id); Assert.True(relyingParty.IncludeAllClaimsForUser == persistedRelyingParty.IncludeAllClaimsForUser); Assert.True(relyingParty.Name == persistedRelyingParty.Name); Assert.True(relyingParty.ReplyUrl == persistedRelyingParty.ReplyUrl); Assert.True(relyingParty.SamlNameIdentifierFormat == persistedRelyingParty.SamlNameIdentifierFormat); Assert.True(relyingParty.SignatureAlgorithm == persistedRelyingParty.SignatureAlgorithm); Assert.True(relyingParty.TokenLifeTime == persistedRelyingParty.TokenLifeTime); Assert.True(relyingParty.TokenType == persistedRelyingParty.TokenType); Assert.NotNull(relyingParty.EncryptingCertificate); var readEncryptionCertificate = new X509Certificate2(relyingParty.EncryptingCertificate); Assert.True(readEncryptionCertificate.SubjectName.Name == encryptingCertificate.SubjectName.Name); Assert.True(readEncryptionCertificate.IssuerName.Name == encryptingCertificate.IssuerName.Name); Assert.True(readEncryptionCertificate.Thumbprint == encryptingCertificate.Thumbprint); // assert token encrypted using saved cert can be decrypted var testClaim = new Claim(ClaimTypes.NameIdentifier, "69307727-D2F7-4ED3-A7DF-08EEE8F8C624"); var securityTokenDescriptor = new SecurityTokenDescriptor { AppliesToAddress = relyingParty.Realm, Lifetime = new Lifetime(DateTime.UtcNow, DateTime.UtcNow.AddMinutes(relyingParty.TokenLifeTime)), ReplyToAddress = relyingParty.ReplyUrl, SigningCredentials = new X509SigningCredentials(Cert.LoadDecryptingCertificate(), relyingParty.SignatureAlgorithm, relyingParty.DigestAlgorithm), Subject = new ClaimsIdentity(new List <Claim> { testClaim }), TokenIssuerName = "https://domain.test", TokenType = "urn:oasis:names:tc:SAML:2.0:assertion", EncryptingCredentials = new EncryptedKeyEncryptingCredentials(readEncryptionCertificate) }; var handler = new Saml2SecurityTokenHandler(); var securityToken = handler.CreateToken(securityTokenDescriptor); var stringBuilder = new StringBuilder(); using (var writer = XmlWriter.Create(stringBuilder)) { handler.WriteToken(writer, securityToken); } var token = stringBuilder.ToString(); SecurityToken validatedToken; var claimsPrincipal = handler.ValidateToken( token, new TokenValidationParameters { IssuerSigningKey = new X509SecurityKey(Cert.LoadDecryptingCertificate()), ValidateIssuer = false, ValidateIssuerSigningKey = false, ValidateAudience = false, ClientDecryptionTokens = new ReadOnlyCollection <SecurityToken>(new List <SecurityToken> { new X509SecurityToken(Cert.LoadDecryptingCertificate()) }) }, out validatedToken); Assert.NotNull(validatedToken); Assert.NotNull(claimsPrincipal); Assert.True(claimsPrincipal.HasClaim(testClaim.Type, testClaim.Value)); }