protected virtual SecurityTokenHandler GetSecurityTokenHandler() { var authPlugin = PluginManager.GetSingleton <SamlOAuthClient>(); //var config = System.IdentityModel.Services.Configuration..FederationConfiguration..; SecurityTokenHandler handler = null; var securityRequirements = new SamlSecurityTokenRequirement(); var securityTokenHandlerConfig = new SecurityTokenHandlerConfiguration(); switch (authPlugin.IdpBindingType) { case SamlBinding.SAML11_POST: handler = new SamlSecurityTokenHandler(securityRequirements) { Configuration = securityTokenHandlerConfig }; break; case SamlBinding.SAML20_POST: handler = new SubjectConfirmationDataSaml2SecurityTokenHandler(securityRequirements, authPlugin.SubjectRecipientValidationMode) { Configuration = securityTokenHandlerConfig }; break; } if (handler == null) { throw new InvalidOperationException( string.Format("No suitable token handler was loaded for the SAML binding type : {0}", tokenProcessorConfiguration.IdpBindingType)); } handler.Configuration.IssuerNameRegistry = new CodeBasedIssuerNameRegistry(tokenProcessorConfiguration.TrustedIssuerThumbprint.Split(',')); handler.Configuration.CertificateValidationMode = tokenProcessorConfiguration.CertificateValidationMode; if (typeof(SamlSecurityTokenHandler).IsAssignableFrom(handler.GetType())) { ((SamlSecurityTokenHandler)handler).CertificateValidator = GetCertificateValidator(handler.Configuration.CertificateValidationMode); } if (typeof(Saml2SecurityTokenHandler).IsAssignableFrom(handler.GetType())) { ((Saml2SecurityTokenHandler)handler).CertificateValidator = GetCertificateValidator(handler.Configuration.CertificateValidationMode); } handler.Configuration.AudienceRestriction.AudienceMode = System.IdentityModel.Selectors.AudienceUriMode.Never; return(handler); }
public override ReadOnlyCollection <ClaimsIdentity> ValidateToken(SecurityToken token) { var saml2SecurityToken = token as Saml2SecurityToken; this.ValidateConditions(saml2SecurityToken.Assertion.Conditions, SamlSecurityTokenRequirement.ShouldEnforceAudienceRestriction(Configuration.AudienceRestriction.AudienceMode, saml2SecurityToken)); if (this.Configuration.DetectReplayedTokens) { this.DetectReplayedToken(saml2SecurityToken); } // If the backing token is x509, validate trust X509SecurityToken issuerToken = saml2SecurityToken.IssuerToken as X509SecurityToken; if (issuerToken != null) { this.CertificateValidator.Validate(issuerToken.Certificate); } var identity = this.CreateClaims(saml2SecurityToken); if (saml2SecurityToken.Assertion.Subject.NameId != null) { identity.AddClaim(new Claim(Saml2ClaimTypes.NameId, saml2SecurityToken.Assertion.Subject.NameId.Value)); //throw new InvalidDataException("The requered NameID Assertion is null"); if (saml2SecurityToken.Assertion.Subject.NameId.Format != null) { identity.AddClaim(new Claim(Saml2ClaimTypes.NameIdFormat, saml2SecurityToken.Assertion.Subject.NameId.Format.AbsoluteUri)); //throw new InvalidDataException("The requered NameID Assertion Format is null"); } } identity.AddClaim(new Claim(Saml2ClaimTypes.SessionIndex, saml2SecurityToken.Id)); if (Configuration.SaveBootstrapContext) { identity.BootstrapContext = new BootstrapContext(saml2SecurityToken, this); } return(new List <ClaimsIdentity>(1) { identity }.AsReadOnly()); }
public IPrincipal ProcessResponse(string samlResponse, IFederatedAuthenticationSettings settings) { ThrowIf.ArgumentNull(samlResponse, nameof(samlResponse)); ThrowIf.ArgumentNull(settings, nameof(settings)); var token = ReadSecurityToken(samlResponse, settings); if (token == null) { // TODO add logging // Log.DebugFormat("[SAMLHandler] Cannot read non SAML2 token.\n {0}", tokenString); throw new FederatedAuthenticationException("Cannot read token", FederatedAuthenticationErrorCode.WrongFormat); } var samlSecurityTokenRequirement = new SamlSecurityTokenRequirement { NameClaimType = settings.NameClaimType, // "Username", MapToWindows = false }; var handler = new BpSaml2SecurityTokenHandler(samlResponse, samlSecurityTokenRequirement) { Configuration = new SecurityTokenHandlerConfiguration() }; ConfigureHandler(handler.Configuration, settings); ReadOnlyCollection <ClaimsIdentity> validateToken; try { validateToken = handler.ValidateToken(token); } catch (FederatedAuthenticationException faEx) { if (faEx.ErrorCode != FederatedAuthenticationErrorCode.WrongFormat) { throw; } token = (Saml2SecurityToken)handler.ReadToken(samlResponse); validateToken = handler.ValidateToken(token); } return(new ClaimsPrincipal(validateToken)); }
public ReadOnlyCollection <ClaimsIdentity> ValidateToken(SecurityToken token, Saml2Response saml2Response) { var saml2SecurityToken = token as Saml2SecurityToken; ValidateConditions(saml2SecurityToken.Assertion.Conditions, SamlSecurityTokenRequirement.ShouldEnforceAudienceRestriction(Configuration.AudienceRestriction.AudienceMode, saml2SecurityToken)); if (Configuration.DetectReplayedTokens) { DetectReplayedToken(saml2SecurityToken); } var identity = CreateClaims(saml2SecurityToken); if (saml2SecurityToken.Assertion.Subject.NameId != null) { saml2Response.NameId = saml2SecurityToken.Assertion.Subject.NameId; identity.AddClaim(new Claim(Saml2ClaimTypes.NameId, saml2Response.NameId.Value)); if (saml2Response.NameId.Format != null) { identity.AddClaim(new Claim(Saml2ClaimTypes.NameIdFormat, saml2Response.NameId.Format.OriginalString)); } } var sessionIndex = (saml2SecurityToken.Assertion.Statements.Where(s => s is Saml2AuthenticationStatement).FirstOrDefault() as Saml2AuthenticationStatement)?.SessionIndex; if (sessionIndex != null) { saml2Response.SessionIndex = sessionIndex; identity.AddClaim(new Claim(Saml2ClaimTypes.SessionIndex, saml2Response.SessionIndex)); } if (Configuration.SaveBootstrapContext) { identity.BootstrapContext = new BootstrapContext(saml2SecurityToken, this); } return(new List <ClaimsIdentity>(1) { identity }.AsReadOnly()); }
public CardSignIn() { SecurityTokenHandlerConfiguration handlerConfig = new SecurityTokenHandlerConfiguration(); handlerConfig.IssuerNameRegistry = new TrustedIssuerNameRegistry(); List <SecurityToken> servicetokens = new List <SecurityToken>(1); servicetokens.Add(new X509SecurityToken(CertificateUtil.GetCertificate(StoreName.My, StoreLocation.LocalMachine, "CN=localhost"))); handlerConfig.ServiceTokenResolver = SecurityTokenResolver.CreateDefaultSecurityTokenResolver(servicetokens.AsReadOnly(), false); handlerConfig.AudienceRestriction.AllowedAudienceUris.Add(new Uri("https://localhost/AuthAssuranceSTS/CardSignIn.aspx")); _handlers = new SecurityTokenHandlerCollection(handlerConfig); SamlSecurityTokenRequirement samlReqs = new SamlSecurityTokenRequirement(); _handlers.Add(new EncryptedSecurityTokenHandler()); _handlers.Add(new Saml11SecurityTokenHandler(samlReqs)); }
public void Validate(Saml2SecurityToken token, SecurityTokenHandlerConfiguration configuration) { if (token == null || token.Response == null || configuration == null) { throw new ArgumentNullException(); } if (token.Response.Assertions != null) { foreach (var assertion in token.Response.Assertions) { if (assertion.Conditions != null) { if (configuration.AudienceRestriction.AudienceMode == AudienceUriMode.Always) { if (configuration.AudienceRestriction.AllowedAudienceUris.Count() == 0) { throw new ValidationException("AudienceRestriction's allowed uris must be provided if AudienceMode is set to Always. Set to Never to suppress this."); } if (assertion.Conditions.AudienceRestriction.Count() == 0) { throw new ValidationException("Token doesn't contain any audience to validate the configuration against"); } var security = new SamlSecurityTokenRequirement(); foreach (var restriction in assertion.Conditions.AudienceRestriction) { security.ValidateAudienceRestriction(configuration.AudienceRestriction.AllowedAudienceUris, restriction.Audience.Select(a => new Uri(a)).ToList()); } } if (configuration.AudienceRestriction.AudienceMode == AudienceUriMode.BearerKeyOnly) { #warning TODO! } } } } }
public HttpSaml2SecurityTokenHandler(SamlSecurityTokenRequirement requirement, string identifier) : base(requirement) { _identifier = new string[] { identifier }; }
public ReadOnlyCollection <ClaimsIdentity> ValidateToken(SecurityToken token, string tokenString, Saml2Response saml2Response) #endif { var saml2SecurityToken = token as Saml2SecurityToken; #if NETFULL ValidateConditions(saml2SecurityToken.Assertion.Conditions, SamlSecurityTokenRequirement.ShouldEnforceAudienceRestriction(Configuration.AudienceRestriction.AudienceMode, saml2SecurityToken)); #else ValidateConditions(saml2SecurityToken, TokenValidationParameters); #endif #if NETFULL if (Configuration.DetectReplayedTokens) { DetectReplayedToken(saml2SecurityToken); } #else if (TokenValidationParameters.ValidateTokenReplay) { ValidateTokenReplay(saml2SecurityToken.Assertion.Conditions.NotBefore, tokenString, TokenValidationParameters); } #endif #if NETFULL var identity = CreateClaims(saml2SecurityToken); #else var identity = CreateClaimsIdentity(saml2SecurityToken, TokenValidationParameters.ValidIssuer, TokenValidationParameters); #endif if (saml2SecurityToken.Assertion.Subject.NameId != null) { saml2Response.NameId = saml2SecurityToken.Assertion.Subject.NameId; identity.AddClaim(new Claim(Saml2ClaimTypes.NameId, saml2Response.NameId.Value)); if (saml2Response.NameId.Format != null) { identity.AddClaim(new Claim(Saml2ClaimTypes.NameIdFormat, saml2Response.NameId.Format.OriginalString)); } } var sessionIndex = (saml2SecurityToken.Assertion.Statements.Where(s => s is Saml2AuthenticationStatement).FirstOrDefault() as Saml2AuthenticationStatement)?.SessionIndex; if (sessionIndex != null) { saml2Response.SessionIndex = sessionIndex; identity.AddClaim(new Claim(Saml2ClaimTypes.SessionIndex, saml2Response.SessionIndex)); } #if NETFULL if (Configuration.SaveBootstrapContext) { identity.BootstrapContext = new BootstrapContext(saml2SecurityToken, this); } #else if (TokenValidationParameters.SaveSigninToken) { identity.BootstrapContext = tokenString; } #endif return(new List <ClaimsIdentity>(1) { identity }.AsReadOnly()); }
public HttpSamlSecurityTokenHandler(SamlSecurityTokenRequirement requirement) : base(requirement) { }
public SubjectConfirmationDataSaml2SecurityTokenHandler(SamlSecurityTokenRequirement samlSecurityTokenRequirement, SubjectRecipientValidationMode subjectRecipientValidationMode) : base(samlSecurityTokenRequirement) { _subjectRecipientValidationMode = subjectRecipientValidationMode; }
public SubjectConfirmationDataSaml2SecurityTokenHandler(SamlSecurityTokenRequirement samlSecurityTokenRequirement) : base(samlSecurityTokenRequirement) { }
public BpSaml2SecurityTokenHandler(string samlXml, SamlSecurityTokenRequirement samlSecurityTokenRequirement) : base(samlSecurityTokenRequirement) { _samlXml = samlXml; }
public SamlImpersonatableSecurityTokenHandler(SamlSecurityTokenRequirement samlSecurityTokenRequirement) : base(samlSecurityTokenRequirement) { }