private SecurityTokenSerializer WrapTokenHandlersAsSecurityTokenSerializer(SecurityTokenVersion version)
{
TrustVersion trustVersion = TrustVersion.WSTrust13;
SecureConversationVersion scVersion = SecureConversationVersion.WSSecureConversation13;
SecurityVersion securityVersion = SecurityVersion.WSSecurity11;
foreach (string securitySpecification in version.GetSecuritySpecifications())
{
if (StringComparer.Ordinal.Equals(securitySpecification, WSTrustFeb2005Constants.NamespaceURI))
{
trustVersion = TrustVersion.WSTrustFeb2005;
}
else if (StringComparer.Ordinal.Equals(securitySpecification, WSTrust13Constants.NamespaceURI))
{
trustVersion = TrustVersion.WSTrust13;
}
else if (StringComparer.Ordinal.Equals(securitySpecification, System.IdentityModel.WSSecureConversationFeb2005Constants.Namespace))
{
scVersion = SecureConversationVersion.WSSecureConversationFeb2005;
}
else if (StringComparer.Ordinal.Equals(securitySpecification, System.IdentityModel.WSSecureConversation13Constants.Namespace))
{
scVersion = SecureConversationVersion.WSSecureConversation13;
}
}
securityVersion = FederatedSecurityTokenManager.GetSecurityVersion(version);
//
//
SecurityTokenHandlerCollectionManager sthcm = this.parent.SecurityTokenHandlerCollectionManager;
WsSecurityTokenSerializerAdapter adapter = new WsSecurityTokenSerializerAdapter(sthcm[SecurityTokenHandlerCollectionManager.Usage.Default], securityVersion, trustVersion, scVersion, false, null, null, null);
return(adapter);
}
static public SessionSecurityToken ConvertSctToSessionToken(SecurityContextSecurityToken sct, SecureConversationVersion version)
{
string endpointId = String.Empty;
for (int i = 0; i < sct.AuthorizationPolicies.Count; ++i)
{
EndpointAuthorizationPolicy epAuthPolicy = sct.AuthorizationPolicies[i] as EndpointAuthorizationPolicy;
if (epAuthPolicy != null)
{
endpointId = epAuthPolicy.EndpointId;
break;
}
}
SctAuthorizationPolicy sctAuthPolicy = null;
for (int i = 0; i < sct.AuthorizationPolicies.Count; i++)
{
IAuthorizationPolicy authPolicy = sct.AuthorizationPolicies[i];
// The WCF SCT will have a SctAuthorizationPolicy that wraps the Primary Identity
// of the bootstrap token. This is required for SCT renewal scenarios. Write the
// SctAuthorizationPolicy if one is available.
sctAuthPolicy = authPolicy as SctAuthorizationPolicy;
if (sctAuthPolicy != null)
{
break;
}
}
ClaimsPrincipal claimsPrincipal = null;
// these can be empty in transport security
if (sct.AuthorizationPolicies != null && sct.AuthorizationPolicies.Count > 0)
{
AuthorizationPolicy ap = null;
for (int i = 0; i < sct.AuthorizationPolicies.Count; ++i)
{
ap = sct.AuthorizationPolicies[i] as AuthorizationPolicy;
if (ap != null)
{
// We should have exactly one IAuthorizationPolicy of type AuthorizationPolicy.
break;
}
}
if (ap != null)
{
if (ap.IdentityCollection != null)
{
claimsPrincipal = new ClaimsPrincipal(ap.IdentityCollection);
}
}
}
if (claimsPrincipal == null)
{
// When _securityContextTokenWrapper is true, this implies WCF.
// Authpolicies not found occurs when the SCT represents a bootstrap nego that is used obtain a key
// for the outer or actual SCT {unfortunate but true and we haven't found a way to distinguish this otherwise}.
// So return an empty ClaimsPrincipal so that when written on wire in cookie mode we DO NOT write an empty identity.
// If we did, then when the actual bootstrap token, such as a SAML token arrives, we will add the bootstrap AND the SAML identities to the ClaimsPrincipal
// and end up with multiple, one of them anonymous.
//
claimsPrincipal = new ClaimsPrincipal();
}
return new SessionSecurityToken(claimsPrincipal, sct.ContextId, sct.Id, String.Empty, sct.GetKeyBytes(), endpointId, sct.ValidFrom, sct.ValidTo, sct.KeyGeneration, sct.KeyEffectiveTime, sct.KeyExpirationTime, sctAuthPolicy, new Uri(version.Namespace.Value));
}
static public SessionSecurityToken ConvertSctToSessionToken(SecurityContextSecurityToken sct, SecureConversationVersion version)
{
string endpointId = String.Empty;
for (int i = 0; i < sct.AuthorizationPolicies.Count; ++i)
{
EndpointAuthorizationPolicy epAuthPolicy = sct.AuthorizationPolicies[i] as EndpointAuthorizationPolicy;
if (epAuthPolicy != null)
{
endpointId = epAuthPolicy.EndpointId;
break;
}
}
SctAuthorizationPolicy sctAuthPolicy = null;
for (int i = 0; i < sct.AuthorizationPolicies.Count; i++)
{
IAuthorizationPolicy authPolicy = sct.AuthorizationPolicies[i];
// The WCF SCT will have a SctAuthorizationPolicy that wraps the Primary Identity
// of the bootstrap token. This is required for SCT renewal scenarios. Write the
// SctAuthorizationPolicy if one is available.
sctAuthPolicy = authPolicy as SctAuthorizationPolicy;
if (sctAuthPolicy != null)
{
break;
}
}
ClaimsPrincipal claimsPrincipal = null;
// these can be empty in transport security
if (sct.AuthorizationPolicies != null && sct.AuthorizationPolicies.Count > 0)
{
AuthorizationPolicy ap = null;
for (int i = 0; i < sct.AuthorizationPolicies.Count; ++i)
{
ap = sct.AuthorizationPolicies[i] as AuthorizationPolicy;
if (ap != null)
{
// We should have exactly one IAuthorizationPolicy of type AuthorizationPolicy.
break;
}
}
if (ap != null)
{
if (ap.IdentityCollection != null)
{
claimsPrincipal = new ClaimsPrincipal(ap.IdentityCollection);
}
}
}
if (claimsPrincipal == null)
{
// When _securityContextTokenWrapper is true, this implies WCF.
// Authpolicies not found occurs when the SCT represents a bootstrap nego that is used obtain a key
// for the outer or actual SCT {unfortunate but true and we haven't found a way to distinguish this otherwise}.
// So return an empty ClaimsPrincipal so that when written on wire in cookie mode we DO NOT write an empty identity.
// If we did, then when the actual bootstrap token, such as a SAML token arrives, we will add the bootstrap AND the SAML identities to the ClaimsPrincipal
// and end up with multiple, one of them anonymous.
//
claimsPrincipal = new ClaimsPrincipal();
}
return(new SessionSecurityToken(claimsPrincipal, sct.ContextId, sct.Id, String.Empty, sct.GetKeyBytes(), endpointId, sct.ValidFrom, sct.ValidTo, sct.KeyGeneration, sct.KeyEffectiveTime, sct.KeyExpirationTime, sctAuthPolicy, new Uri(version.Namespace.Value)));
}
