protected virtual Saml2AuthenticationStatement CreateAuthenticationStatement(Uri authnContext)
{
var authenticationStatement = new Saml2AuthenticationStatement(new Saml2AuthenticationContext(authnContext ?? AuthnContextClassTypes.PasswordProtectedTransport));
authenticationStatement.SessionIndex = SessionIndex;
return(authenticationStatement);
}
protected override void ProcessAuthenticationStatement(Saml2AuthenticationStatement statement, ClaimsIdentity subject, string issuer)
{
if (statement.AuthenticationContext != null)
{
statement.AuthenticationContext.DeclarationReference = null;
}
base.ProcessAuthenticationStatement(statement, subject, issuer);
if (statement.SessionIndex != null)
{
var nameIdClaim = subject.FindFirst(ClaimTypes.NameIdentifier);
subject.AddClaim(
new Claim(
AuthServicesClaimTypes.LogoutNameIdentifier,
DelimitedString.Join(
nameIdClaim.Properties.GetValueOrEmpty(ClaimProperties.SamlNameIdentifierNameQualifier),
nameIdClaim.Properties.GetValueOrEmpty(ClaimProperties.SamlNameIdentifierSPNameQualifier),
nameIdClaim.Properties.GetValueOrEmpty(ClaimProperties.SamlNameIdentifierFormat),
nameIdClaim.Properties.GetValueOrEmpty(ClaimProperties.SamlNameIdentifierSPProvidedId),
nameIdClaim.Value),
null,
issuer));
subject.AddClaim(
new Claim(AuthServicesClaimTypes.SessionIndex, statement.SessionIndex, null, issuer));
}
}
public Saml2AuthenticationStatement CreateAuthenticationStatement(string authnContext, DateTimeOffset authenticationInstant)
{
var authenticationStatement = new Saml2AuthenticationStatement(new Saml2AuthenticationContext(new Uri(authnContext)), authenticationInstant.UtcDateTime);
authenticationStatement.SessionIndex = SessionIndex;
return(authenticationStatement);
}
protected override void ProcessAuthenticationStatement(Saml2AuthenticationStatement statement, ClaimsIdentity subject, string issuer)
{
if (statement.AuthenticationContext != null)
{
statement.AuthenticationContext.DeclarationReference = null;
}
base.ProcessAuthenticationStatement(statement, subject, issuer);
}
protected override void ProcessAuthenticationStatement(Saml2AuthenticationStatement statement, ClaimsIdentity identity, string issuer)
{
if (statement?.AuthenticationContext?.DeclarationReference != null)
{
// Remove AuthnContextDeclRef from assertion.
statement.AuthenticationContext.DeclarationReference = null;
}
base.ProcessAuthenticationStatement(statement, identity, issuer);
}
public void Saml2StatementExtensions_ToXElement_SessionNotOnOrAfter()
{
Saml2AuthenticationStatement assertion =
new Saml2AuthenticationStatement(
new Saml2AuthenticationContext(
new Uri("urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified")));
assertion.SessionNotOnOrAfter = DateTime.UtcNow;
var xml = assertion.ToXElement();
xml.Attribute("SessionNotOnOrAfter").Value.Should().Be(assertion.SessionNotOnOrAfter.Value.ToSaml2DateTimeString());
}
protected override void ProcessAuthenticationStatement(Saml2AuthenticationStatement statement, ClaimsIdentity subject, string issuer)
{
if (statement.AuthenticationContext != null)
{
statement.AuthenticationContext.DeclarationReference = null;
}
base.ProcessAuthenticationStatement(statement, subject, issuer);
if (statement.SessionIndex != null)
{
subject.AddClaim(
new Claim(AuthServicesClaimTypes.SessionIndex, statement.SessionIndex, null, issuer));
}
}
private static XElement ToXElement(Saml2AuthenticationStatement authnStatement)
{
var result = new XElement(Saml2Namespaces.Saml2 + "AuthnStatement",
new XAttribute("AuthnInstant", authnStatement.AuthenticationInstant.ToSaml2DateTimeString()),
new XElement(Saml2Namespaces.Saml2 + "AuthnContext",
new XElement(Saml2Namespaces.Saml2 + "AuthnContextClassRef",
authnStatement.AuthenticationContext.ClassReference.OriginalString)));
if (authnStatement.SessionIndex != null)
{
result.Add(new XAttribute("SessionIndex", authnStatement.SessionIndex));
}
return(result);
}
private static Saml2Assertion CreateAssertion(SigningCredentials samlpTokenSigningCredentials)
{
var assertion = new Saml2Assertion(new Saml2NameIdentifier("https://mojeid.regtest.nic.cz/saml/idp.xml", new Uri("urn:oasis:names:tc:SAML:2.0:nameid-format:entity")))
{
InclusiveNamespacesPrefixList = "ns1 ns2",
IssueInstant = DateTime.Parse("2019-04-08T10:30:49Z"),
SigningCredentials = samlpTokenSigningCredentials,
Id = new Saml2Id("id-2bMsOPOKIqeVIDLqJ")
};
var saml2SubjectConfirmationData = new Saml2SubjectConfirmationData
{
InResponseTo = new Saml2Id("ida5714d006fcc430c92aacf34ab30b166"),
NotOnOrAfter = DateTime.Parse("2019-04-08T10:45:49Z"),
Recipient = new Uri("https://tnia.eidentita.cz/fpsts/processRequest.aspx")
};
var saml2SubjectConfirmation = new Saml2SubjectConfirmation(new Uri("urn:oasis:names:tc:SAML:2.0:cm:bearer"), saml2SubjectConfirmationData);
var saml2Subject = new Saml2Subject(new Saml2NameIdentifier("6dfe0399103d11411b1fa00772b6a13e0858605b80c20ea845769c57b41479ed", new Uri("urn:oasis:names:tc:SAML:2.0:nameid-format:persistent")));
saml2Subject.SubjectConfirmations.Add(saml2SubjectConfirmation);
assertion.Subject = saml2Subject;
var saml2AudienceRestrictions = new Saml2AudienceRestriction("urn:microsoft: cgg2010: fpsts");
var saml2Conditions = new Saml2Conditions();
saml2Conditions.AudienceRestrictions.Add(saml2AudienceRestrictions);
saml2Conditions.NotBefore = DateTime.Parse("2019-04-08T10:30:49Z");
saml2Conditions.NotOnOrAfter = DateTime.Parse("2019-04-08T10:45:49Z");
assertion.Conditions = saml2Conditions;
var saml2AuthenticationContext = new Saml2AuthenticationContext(new Uri("urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport"));
var saml2Statement = new Saml2AuthenticationStatement(saml2AuthenticationContext)
{
AuthenticationInstant = DateTime.Parse("2019-04-08T10:30:49Z"),
SessionIndex = "id-oTnhrqWtcTTEntvMy"
};
assertion.Statements.Add(saml2Statement);
return(assertion);
}
private void AddAuthenticationStatement(Saml2AuthenticationStatement authenticationStatement)
{
Saml2SecurityToken.Assertion.Statements.Add(authenticationStatement);
}
/// <summary>
/// Creates the Security Token and add it to the response.
/// </summary>
/// <param name="tokenDescriptor">This is a place holder for all the attributes related to the issued token.</param>
/// <param name="authenticationStatement">Represents the AuthnStatement element specified in [Saml2Core, 2.7.2].</param>
/// <param name="subjectConfirmation">Represents the SubjectConfirmation element specified in [Saml2Core, 2.4.1.1].</param>
/// <returns>The SAML 2.0 Security Token.</returns>
public Saml2SecurityToken CreateSecurityToken(SecurityTokenDescriptor tokenDescriptor, Saml2AuthenticationStatement authenticationStatement, Saml2SubjectConfirmation subjectConfirmation)
{
if (tokenDescriptor == null)
{
throw new ArgumentNullException(nameof(tokenDescriptor));
}
if (authenticationStatement == null)
{
throw new ArgumentNullException(nameof(authenticationStatement));
}
if (subjectConfirmation == null)
{
throw new ArgumentNullException(nameof(subjectConfirmation));
}
Saml2SecurityToken = Saml2SecurityTokenHandler.CreateToken(tokenDescriptor) as Saml2SecurityToken;
AddNameIdFormat();
AddAuthenticationStatement(authenticationStatement);
AddSubjectConfirmation(subjectConfirmation);
return(Saml2SecurityToken);
}
public Task CreateSecurityTokenAsync(SecurityTokenDescriptor tokenDescriptor, Saml2AuthenticationStatement authenticationStatement, Saml2SubjectConfirmation subjectConfirmation)
{
return(Task.FromResult(CreateSecurityToken(tokenDescriptor, authenticationStatement, subjectConfirmation)));
}
private void AddAuthenticationStatement()
{
var authenticationStatement = new Saml2AuthenticationStatement(new Saml2AuthenticationContext(AuthnContextClassTypes.UserNameAndPassword));
Saml2SecurityToken.Assertion.Statements.Add(authenticationStatement);
}
private async Task <Saml2SecurityToken> CreateSecurityTokenAsync(SignInRequest request, RelyingParty rp, ClaimsIdentity outgoingSubject)
{
var now = DateTime.Now;
var outgoingNameId = outgoingSubject.Claims.FirstOrDefault(c => c.Type == ClaimTypes.NameIdentifier);
if (outgoingNameId == null)
{
_logger.LogError("The user profile does not have a name id");
throw new SignInException("The user profile does not have a name id");
}
var issuer = new Saml2NameIdentifier(_options.IssuerName);
var nameId = new Saml2NameIdentifier(outgoingNameId.Value);
var subjectConfirmationData = new Saml2SubjectConfirmationData();
subjectConfirmationData.NotOnOrAfter = now.AddMinutes(
rp.TokenLifetimeInMinutes.GetValueOrDefault(_options.DefaultNotOnOrAfterInMinutes));
if (request.Parameters.ContainsKey("Recipient"))
{
subjectConfirmationData.Recipient = new Uri(request.Parameters["Recipient"]);
}
else
{
subjectConfirmationData.Recipient = new Uri(rp.ReplyUrl);
}
var subjectConfirmation = new Saml2SubjectConfirmation(new Uri("urn:oasis:names:tc:SAML:2.0:cm:bearer"),
subjectConfirmationData);
subjectConfirmation.NameIdentifier = nameId;
var subject = new Saml2Subject(subjectConfirmation);
var conditions = new Saml2Conditions(new Saml2AudienceRestriction[]
{
new Saml2AudienceRestriction(request.Realm)
});
conditions.NotOnOrAfter = now.AddMinutes(
rp.TokenLifetimeInMinutes.GetValueOrDefault(_options.DefaultNotOnOrAfterInMinutes));
conditions.NotBefore = now.Subtract(TimeSpan.FromMinutes(_options.DefaultNotBeforeInMinutes));
var authContext = new Saml2AuthenticationContext(new Uri("urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport"));
var authStatement = new Saml2AuthenticationStatement(authContext, now);
authStatement.SessionIndex = (request.Parameters.ContainsKey("SessionIndex")) ? request.Parameters["SessionIndex"] : null;
var attributeStament = new Saml2AttributeStatement();
foreach (var claim in outgoingSubject.Claims)
{
_logger.LogDebug("Adding attribute in SAML token '{0} - {1}'", claim.Type, claim.Value);
attributeStament.Attributes.Add(new Saml2Attribute(claim.Type, claim.Value));
}
var assertion = new Saml2Assertion(issuer);
assertion.Id = new Saml2Id();
assertion.Subject = subject;
assertion.Conditions = conditions;
assertion.Statements.Add(attributeStament);
assertion.Statements.Add(authStatement);
assertion.IssueInstant = now;
assertion.SigningCredentials = await _keyService.GetSigningCredentialsAsync();
var token = new Saml2SecurityToken(assertion);
token.SigningKey = assertion.SigningCredentials.Key;
return(token);
}
