protected virtual Saml2AuthenticationStatement CreateAuthenticationStatement(Uri authnContext) { var authenticationStatement = new Saml2AuthenticationStatement(new Saml2AuthenticationContext(authnContext ?? AuthnContextClassTypes.PasswordProtectedTransport)); authenticationStatement.SessionIndex = SessionIndex; return(authenticationStatement); }
protected override void ProcessAuthenticationStatement(Saml2AuthenticationStatement statement, ClaimsIdentity subject, string issuer) { if (statement.AuthenticationContext != null) { statement.AuthenticationContext.DeclarationReference = null; } base.ProcessAuthenticationStatement(statement, subject, issuer); if (statement.SessionIndex != null) { var nameIdClaim = subject.FindFirst(ClaimTypes.NameIdentifier); subject.AddClaim( new Claim( AuthServicesClaimTypes.LogoutNameIdentifier, DelimitedString.Join( nameIdClaim.Properties.GetValueOrEmpty(ClaimProperties.SamlNameIdentifierNameQualifier), nameIdClaim.Properties.GetValueOrEmpty(ClaimProperties.SamlNameIdentifierSPNameQualifier), nameIdClaim.Properties.GetValueOrEmpty(ClaimProperties.SamlNameIdentifierFormat), nameIdClaim.Properties.GetValueOrEmpty(ClaimProperties.SamlNameIdentifierSPProvidedId), nameIdClaim.Value), null, issuer)); subject.AddClaim( new Claim(AuthServicesClaimTypes.SessionIndex, statement.SessionIndex, null, issuer)); } }
public Saml2AuthenticationStatement CreateAuthenticationStatement(string authnContext, DateTimeOffset authenticationInstant) { var authenticationStatement = new Saml2AuthenticationStatement(new Saml2AuthenticationContext(new Uri(authnContext)), authenticationInstant.UtcDateTime); authenticationStatement.SessionIndex = SessionIndex; return(authenticationStatement); }
protected override void ProcessAuthenticationStatement(Saml2AuthenticationStatement statement, ClaimsIdentity subject, string issuer) { if (statement.AuthenticationContext != null) { statement.AuthenticationContext.DeclarationReference = null; } base.ProcessAuthenticationStatement(statement, subject, issuer); }
protected override void ProcessAuthenticationStatement(Saml2AuthenticationStatement statement, ClaimsIdentity identity, string issuer) { if (statement?.AuthenticationContext?.DeclarationReference != null) { // Remove AuthnContextDeclRef from assertion. statement.AuthenticationContext.DeclarationReference = null; } base.ProcessAuthenticationStatement(statement, identity, issuer); }
public void Saml2StatementExtensions_ToXElement_SessionNotOnOrAfter() { Saml2AuthenticationStatement assertion = new Saml2AuthenticationStatement( new Saml2AuthenticationContext( new Uri("urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified"))); assertion.SessionNotOnOrAfter = DateTime.UtcNow; var xml = assertion.ToXElement(); xml.Attribute("SessionNotOnOrAfter").Value.Should().Be(assertion.SessionNotOnOrAfter.Value.ToSaml2DateTimeString()); }
protected override void ProcessAuthenticationStatement(Saml2AuthenticationStatement statement, ClaimsIdentity subject, string issuer) { if (statement.AuthenticationContext != null) { statement.AuthenticationContext.DeclarationReference = null; } base.ProcessAuthenticationStatement(statement, subject, issuer); if (statement.SessionIndex != null) { subject.AddClaim( new Claim(AuthServicesClaimTypes.SessionIndex, statement.SessionIndex, null, issuer)); } }
private static XElement ToXElement(Saml2AuthenticationStatement authnStatement) { var result = new XElement(Saml2Namespaces.Saml2 + "AuthnStatement", new XAttribute("AuthnInstant", authnStatement.AuthenticationInstant.ToSaml2DateTimeString()), new XElement(Saml2Namespaces.Saml2 + "AuthnContext", new XElement(Saml2Namespaces.Saml2 + "AuthnContextClassRef", authnStatement.AuthenticationContext.ClassReference.OriginalString))); if (authnStatement.SessionIndex != null) { result.Add(new XAttribute("SessionIndex", authnStatement.SessionIndex)); } return(result); }
private static Saml2Assertion CreateAssertion(SigningCredentials samlpTokenSigningCredentials) { var assertion = new Saml2Assertion(new Saml2NameIdentifier("https://mojeid.regtest.nic.cz/saml/idp.xml", new Uri("urn:oasis:names:tc:SAML:2.0:nameid-format:entity"))) { InclusiveNamespacesPrefixList = "ns1 ns2", IssueInstant = DateTime.Parse("2019-04-08T10:30:49Z"), SigningCredentials = samlpTokenSigningCredentials, Id = new Saml2Id("id-2bMsOPOKIqeVIDLqJ") }; var saml2SubjectConfirmationData = new Saml2SubjectConfirmationData { InResponseTo = new Saml2Id("ida5714d006fcc430c92aacf34ab30b166"), NotOnOrAfter = DateTime.Parse("2019-04-08T10:45:49Z"), Recipient = new Uri("https://tnia.eidentita.cz/fpsts/processRequest.aspx") }; var saml2SubjectConfirmation = new Saml2SubjectConfirmation(new Uri("urn:oasis:names:tc:SAML:2.0:cm:bearer"), saml2SubjectConfirmationData); var saml2Subject = new Saml2Subject(new Saml2NameIdentifier("6dfe0399103d11411b1fa00772b6a13e0858605b80c20ea845769c57b41479ed", new Uri("urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"))); saml2Subject.SubjectConfirmations.Add(saml2SubjectConfirmation); assertion.Subject = saml2Subject; var saml2AudienceRestrictions = new Saml2AudienceRestriction("urn:microsoft: cgg2010: fpsts"); var saml2Conditions = new Saml2Conditions(); saml2Conditions.AudienceRestrictions.Add(saml2AudienceRestrictions); saml2Conditions.NotBefore = DateTime.Parse("2019-04-08T10:30:49Z"); saml2Conditions.NotOnOrAfter = DateTime.Parse("2019-04-08T10:45:49Z"); assertion.Conditions = saml2Conditions; var saml2AuthenticationContext = new Saml2AuthenticationContext(new Uri("urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport")); var saml2Statement = new Saml2AuthenticationStatement(saml2AuthenticationContext) { AuthenticationInstant = DateTime.Parse("2019-04-08T10:30:49Z"), SessionIndex = "id-oTnhrqWtcTTEntvMy" }; assertion.Statements.Add(saml2Statement); return(assertion); }
private void AddAuthenticationStatement(Saml2AuthenticationStatement authenticationStatement) { Saml2SecurityToken.Assertion.Statements.Add(authenticationStatement); }
/// <summary> /// Creates the Security Token and add it to the response. /// </summary> /// <param name="tokenDescriptor">This is a place holder for all the attributes related to the issued token.</param> /// <param name="authenticationStatement">Represents the AuthnStatement element specified in [Saml2Core, 2.7.2].</param> /// <param name="subjectConfirmation">Represents the SubjectConfirmation element specified in [Saml2Core, 2.4.1.1].</param> /// <returns>The SAML 2.0 Security Token.</returns> public Saml2SecurityToken CreateSecurityToken(SecurityTokenDescriptor tokenDescriptor, Saml2AuthenticationStatement authenticationStatement, Saml2SubjectConfirmation subjectConfirmation) { if (tokenDescriptor == null) { throw new ArgumentNullException(nameof(tokenDescriptor)); } if (authenticationStatement == null) { throw new ArgumentNullException(nameof(authenticationStatement)); } if (subjectConfirmation == null) { throw new ArgumentNullException(nameof(subjectConfirmation)); } Saml2SecurityToken = Saml2SecurityTokenHandler.CreateToken(tokenDescriptor) as Saml2SecurityToken; AddNameIdFormat(); AddAuthenticationStatement(authenticationStatement); AddSubjectConfirmation(subjectConfirmation); return(Saml2SecurityToken); }
public Task CreateSecurityTokenAsync(SecurityTokenDescriptor tokenDescriptor, Saml2AuthenticationStatement authenticationStatement, Saml2SubjectConfirmation subjectConfirmation) { return(Task.FromResult(CreateSecurityToken(tokenDescriptor, authenticationStatement, subjectConfirmation))); }
private void AddAuthenticationStatement() { var authenticationStatement = new Saml2AuthenticationStatement(new Saml2AuthenticationContext(AuthnContextClassTypes.UserNameAndPassword)); Saml2SecurityToken.Assertion.Statements.Add(authenticationStatement); }
private async Task <Saml2SecurityToken> CreateSecurityTokenAsync(SignInRequest request, RelyingParty rp, ClaimsIdentity outgoingSubject) { var now = DateTime.Now; var outgoingNameId = outgoingSubject.Claims.FirstOrDefault(c => c.Type == ClaimTypes.NameIdentifier); if (outgoingNameId == null) { _logger.LogError("The user profile does not have a name id"); throw new SignInException("The user profile does not have a name id"); } var issuer = new Saml2NameIdentifier(_options.IssuerName); var nameId = new Saml2NameIdentifier(outgoingNameId.Value); var subjectConfirmationData = new Saml2SubjectConfirmationData(); subjectConfirmationData.NotOnOrAfter = now.AddMinutes( rp.TokenLifetimeInMinutes.GetValueOrDefault(_options.DefaultNotOnOrAfterInMinutes)); if (request.Parameters.ContainsKey("Recipient")) { subjectConfirmationData.Recipient = new Uri(request.Parameters["Recipient"]); } else { subjectConfirmationData.Recipient = new Uri(rp.ReplyUrl); } var subjectConfirmation = new Saml2SubjectConfirmation(new Uri("urn:oasis:names:tc:SAML:2.0:cm:bearer"), subjectConfirmationData); subjectConfirmation.NameIdentifier = nameId; var subject = new Saml2Subject(subjectConfirmation); var conditions = new Saml2Conditions(new Saml2AudienceRestriction[] { new Saml2AudienceRestriction(request.Realm) }); conditions.NotOnOrAfter = now.AddMinutes( rp.TokenLifetimeInMinutes.GetValueOrDefault(_options.DefaultNotOnOrAfterInMinutes)); conditions.NotBefore = now.Subtract(TimeSpan.FromMinutes(_options.DefaultNotBeforeInMinutes)); var authContext = new Saml2AuthenticationContext(new Uri("urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport")); var authStatement = new Saml2AuthenticationStatement(authContext, now); authStatement.SessionIndex = (request.Parameters.ContainsKey("SessionIndex")) ? request.Parameters["SessionIndex"] : null; var attributeStament = new Saml2AttributeStatement(); foreach (var claim in outgoingSubject.Claims) { _logger.LogDebug("Adding attribute in SAML token '{0} - {1}'", claim.Type, claim.Value); attributeStament.Attributes.Add(new Saml2Attribute(claim.Type, claim.Value)); } var assertion = new Saml2Assertion(issuer); assertion.Id = new Saml2Id(); assertion.Subject = subject; assertion.Conditions = conditions; assertion.Statements.Add(attributeStament); assertion.Statements.Add(authStatement); assertion.IssueInstant = now; assertion.SigningCredentials = await _keyService.GetSigningCredentialsAsync(); var token = new Saml2SecurityToken(assertion); token.SigningKey = assertion.SigningCredentials.Key; return(token); }