/// <summary>
/// Rewrites the authorization policies of a fully established SecurityContextSecurityToken (SCT) so that:
/// 1. layers above can reach the bootstrap tokens;
/// 2. a ClaimsPrincipal is present inside the SCT's authorization policies, so that a custom principal
///    can be created and set (required because the principal permission mode is set to Custom);
/// 3. the SCT's IAuthorizationPolicy collection consists of IdentityModel's own policies, which lets a
///    cookie-based SCT and a cached SCT be treated the same further up the stack.
///
/// Called AFTER the final SCT has been created and the bootstrap tokens are available. It is not called
/// during the SP/TLS negotiation bootstrap.
/// </summary>
/// <param name="sct">The established security context token; its AuthorizationPolicies are replaced in place.</param>
internal void SetPrincipalBootstrapTokensAndBindIdfxAuthPolicy(SecurityContextSecurityToken sct)
{
    if (sct == null)
    {
        throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("sct");
    }

    bool hasWcfPolicies = (sct.AuthorizationPolicies != null) && (sct.AuthorizationPolicies.Count > 0);

    // The SCT is cached before OnTokenIssued runs, so for a session SCT the policy collection may
    // already have been rewritten by an earlier pass. ContainsEndpointAuthPolicy reports that case;
    // a second fix-up would only wrap the already-transformed policies again, so bail out.
    if (hasWcfPolicies && ContainsEndpointAuthPolicy(sct.AuthorizationPolicies))
    {
        return;
    }

    List<IAuthorizationPolicy> replacement = new List<IAuthorizationPolicy>();

    if (hasWcfPolicies)
    {
        // Build a principal from the known WCF policies and substitute the IdentityModel policy for
        // them. The WCF runtime needs that principal later when it sets the custom principal.
        AuthorizationPolicy transformed = IdentityModelServiceAuthorizationManager.TransformAuthorizationPolicies(
            sct.AuthorizationPolicies, _securityTokenHandlerCollection, false);
        replacement.Add(transformed);

        // Keep the primary identity claim of the WCF unconditional policy in an SctAuthorizationPolicy.
        // IdentityModel otherwise discards that claim, and on token renewal WCF would then reject the
        // renewed token because its identity differs from the originally issued token's.
        SysClaim primaryIdentity = GetPrimaryIdentityClaim(
            SystemAuthorizationContext.CreateDefaultAuthorizationContext(sct.AuthorizationPolicies));
        replacement.Add(new SctAuthorizationPolicy(primaryIdentity));
    }
    // A negotiation SCT carries only a cookie and no IAuthorizationPolicy; it receives the
    // EndpointAuthorizationPolicy alone.

    replacement.Add(new EndpointAuthorizationPolicy(_endpointId));
    sct.AuthorizationPolicies = replacement.AsReadOnly();
}
/// <summary>
/// Maps a WCF claim whose Resource is a string onto the (type, value) pair of a System.Security.Claims.Claim.
/// The value is the Resource string itself. A SID claim is retyped by the right it carries: the Identity
/// right becomes PrimarySid, any other right becomes GroupSid. Every other claim type is passed through.
/// </summary>
/// <param name="claim">WCF claim to map; the caller guarantees that Resource is a string.</param>
/// <param name="claimType">Receives the claim type for the new claim.</param>
/// <param name="claimValue">Receives the Resource string as the claim value.</param>
static void AssignClaimFromStringResourceSysClaim(System.IdentityModel.Claims.Claim claim, out string claimType, out string claimValue)
{
    claimType = claim.ClaimType;
    claimValue = (string)claim.Resource;

    bool isSidClaim = string.Equals(claim.ClaimType, ClaimTypes.Sid, StringComparison.Ordinal);
    if (!isSidClaim)
    {
        return;
    }

    // SID claims are split by right: Identity -> the account's primary SID, anything else -> a group SID.
    bool isIdentityRight = (claim.Right == System.IdentityModel.Claims.Rights.Identity);
    claimType = isIdentityRight ? ClaimTypes.PrimarySid : ClaimTypes.GroupSid;
}
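/// <summary>
/// Converts a WCF (System.IdentityModel.Claims) claim into a System.Security.Claims.Claim.
/// A string Resource is mapped by AssignClaimFromStringResourceSysClaim; any other Resource type
/// (SID, mail address, byte[], SAML name identifier, X.500 name, URI, RSA key) goes through
/// AssignClaimFromSysClaim, which also yields the SAML name-identifier format and name qualifier.
/// </summary>
/// <param name="wcfClaim">The WCF claim to convert. Must not be null and must carry a non-null Resource.</param>
/// <param name="issuer">Issuer for the new claim; null or empty selects ClaimsIdentity.DefaultIssuer.
/// The value exactly as passed (before that defaulting) is used as the new claim's OriginalIssuer.</param>
/// <returns>A new claim with the mapped type, value, value type, issuer and original issuer, and with the
/// SamlNameIdentifierFormat / SamlNameIdentifierNameQualifier properties set (possibly to null).</returns>
/// <exception cref="ArgumentNullException"><paramref name="wcfClaim"/> is null.</exception>
/// <exception cref="InvalidOperationException">The claim has no Resource, or its Resource is of a type
/// that cannot be mapped to a string value.</exception>
public static System.Security.Claims.Claim CreateClaimFromWcfClaim(System.IdentityModel.Claims.Claim wcfClaim, string issuer)
{
    if (wcfClaim == null)
    {
        // Name the real parameter; the previous "claim" did not correspond to any parameter of this method.
        throw new ArgumentNullException("wcfClaim");
    }

    if (wcfClaim.Resource == null)
    {
        throw new InvalidOperationException("The WCF claim has no Resource and cannot be converted.");
    }

    // OriginalIssuer keeps whatever the caller supplied; only the effective issuer is defaulted.
    string originalIssuer = issuer;
    if (string.IsNullOrEmpty(issuer))
    {
        issuer = ClaimsIdentity.DefaultIssuer;
    }

    string claimType;
    string value;
    string valueType = ClaimValueTypes.String;
    string samlNameIdentifierFormat = null;
    string samlNameIdentifierNameQualifier = null;

    if (wcfClaim.Resource is string)
    {
        AssignClaimFromStringResourceSysClaim(wcfClaim, out claimType, out value);
    }
    else
    {
        AssignClaimFromSysClaim(wcfClaim, out claimType, out value, out valueType, out samlNameIdentifierFormat, out samlNameIdentifierNameQualifier);
    }

    if (value == null)
    {
        // AssignClaimFromSysClaim leaves the value null for any (claim type, resource type) pair it does not recognise.
        throw new InvalidOperationException("The WCF claim's Resource type is not supported for conversion.");
    }

    // AssignClaimFromSysClaim only sets a value type for binary, X.500 and RSA resources. Make the
    // string default explicit rather than relying on the Claim constructor to substitute it.
    if (valueType == null)
    {
        valueType = ClaimValueTypes.String;
    }

    System.Security.Claims.Claim newClaim = new System.Security.Claims.Claim(claimType, value, valueType, issuer, originalIssuer);

    // Written unconditionally, so every converted claim carries both keys in Properties (a null entry
    // rather than an absent one). Kept that way because existing consumers may index the keys directly.
    newClaim.Properties[ClaimProperties.SamlNameIdentifierFormat] = samlNameIdentifierFormat;
    newClaim.Properties[ClaimProperties.SamlNameIdentifierNameQualifier] = samlNameIdentifierNameQualifier;
    return newClaim;
}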
/// <summary>
/// Constructs a UPN endpoint identity from a WCF claim. The body is empty in this listing: it appears to be
/// a contract/reference stub (compare the Contract.Ensures usage in the sibling CreateIdentity) rather than
/// the runtime implementation, so no validation or storage of <paramref name="identity"/> happens here.
/// </summary>
/// <param name="identity">The UPN identity claim; not used by this stub.</param>
public UpnEndpointIdentity(System.IdentityModel.Claims.Claim identity) { }
/// <summary>
/// Contract stub for EndpointIdentity.CreateIdentity: declares the postcondition that the result is never
/// null and then returns a placeholder. The body is not a runtime implementation — it always yields the
/// default (null) reference, which would itself violate the declared postcondition if executed.
/// </summary>
/// <param name="identity">The WCF claim an endpoint identity would be derived from; unused by the stub.</param>
/// <returns>default(EndpointIdentity), i.e. null.</returns>
public static System.ServiceModel.EndpointIdentity CreateIdentity(System.IdentityModel.Claims.Claim identity)
{
    Contract.Ensures(Contract.Result<System.ServiceModel.EndpointIdentity>() != null);

    System.ServiceModel.EndpointIdentity placeholder = default(System.ServiceModel.EndpointIdentity);
    return placeholder;
}
/// <summary>
/// Initializes the endpoint identity from an identity claim with an explicit claim comparer. Empty in this
/// listing — presumably a contract/reference stub like the sibling CreateIdentity; neither argument is
/// validated or stored here.
/// </summary>
/// <param name="identityClaim">The claim that identifies the endpoint; unused by this stub.</param>
/// <param name="claimComparer">Comparer the real implementation would use to match claims; unused by this stub.</param>
protected void Initialize(System.IdentityModel.Claims.Claim identityClaim, IEqualityComparer <System.IdentityModel.Claims.Claim> claimComparer) { }
/// <summary>
/// Initializes the endpoint identity from an identity claim using the default claim comparison. Empty in
/// this listing — presumably a contract/reference stub like the sibling CreateIdentity; the argument is
/// neither validated nor stored here.
/// </summary>
/// <param name="identityClaim">The claim that identifies the endpoint; unused by this stub.</param>
protected void Initialize(System.IdentityModel.Claims.Claim identityClaim) { }
/// <summary>
/// Converts a WCF claim into a System.Security.Claims.Claim without specifying an issuer.
/// Delegates to the two-argument overload, which substitutes ClaimsIdentity.DefaultIssuer for a null issuer.
/// </summary>
/// <param name="wcfClaim">The WCF claim to convert; must not be null and must carry a Resource.</param>
/// <returns>The converted claim.</returns>
public static System.Security.Claims.Claim CreateClaimFromWcfClaim(System.IdentityModel.Claims.Claim wcfClaim)
{
    // No issuer supplied: the overload defaults it.
    string noIssuer = null;
    return CreateClaimFromWcfClaim(wcfClaim, noIssuer);
}
/// <summary>
/// Maps a WCF claim whose Resource is a typed object (not a string) onto the pieces of a
/// System.Security.Claims.Claim: claim type, string value, value type and — for SAML name identifiers —
/// the Format and NameQualifier. Each supported case requires both a specific claim type and a specific
/// Resource type; a claim matching neither pair leaves every output null, which the caller treats as
/// "cannot convert".
/// </summary>
/// <param name="claim">WCF claim to map; its ClaimType and Resource are inspected.</param>
/// <param name="_type">Receives the target claim type (SID claims are retyped to PrimarySid/GroupSid).</param>
/// <param name="_value">Receives the string form of the Resource, or null if unrecognised.</param>
/// <param name="_valueType">Receives a ClaimValueTypes URI for byte[], X.500 and RSA resources; null otherwise.</param>
/// <param name="samlNameIdentifierFormat">Receives the SAML NameIdentifier Format when the resource carries one.</param>
/// <param name="samlNameIdentifierNameQualifier">Receives the SAML NameIdentifier NameQualifier when present.</param>
static void AssignClaimFromSysClaim(System.IdentityModel.Claims.Claim claim, out string _type, out string _value, out string _valueType, out string samlNameIdentifierFormat, out string samlNameIdentifierNameQualifier)
{
    _type = null;
    _value = null;
    _valueType = null;
    samlNameIdentifierFormat = null;
    samlNameIdentifierNameQualifier = null;

    string wcfType = claim.ClaimType;
    object resource = claim.Resource;

    // The claim types tested below are all distinct, so the branches are mutually exclusive and
    // their order does not matter; they are grouped by resource type for readability.
    SecurityIdentifier sid = resource as SecurityIdentifier;
    byte[] rawBytes = resource as byte[];

    if (sid != null && string.Equals(wcfType, ClaimTypes.Sid, StringComparison.Ordinal))
    {
        // A SID carrying the Identity right is the account's primary SID; any other right is a group SID.
        bool isIdentityRight = (claim.Right == System.IdentityModel.Claims.Rights.Identity);
        _type = isIdentityRight ? ClaimTypes.PrimarySid : ClaimTypes.GroupSid;
        _value = sid.Value;
    }
    else if (sid != null && string.Equals(wcfType, ClaimTypes.DenyOnlySid, StringComparison.Ordinal))
    {
        // Deny-only SIDs keep their claim type; only the SID string (Value) is extracted.
        _type = wcfType;
        _value = sid.Value;
    }
    else if (rawBytes != null
        && (string.Equals(wcfType, ClaimTypes.Thumbprint, StringComparison.Ordinal)
            || string.Equals(wcfType, ClaimTypes.Hash, StringComparison.Ordinal)))
    {
        // Thumbprint and hash resources are raw bytes; both are carried as base64 text.
        _type = wcfType;
        _value = Convert.ToBase64String(rawBytes);
        _valueType = ClaimValueTypes.Base64Binary;
    }
    else if (string.Equals(wcfType, ClaimTypes.Email, StringComparison.Ordinal) && resource is MailAddress)
    {
        _type = wcfType;
        _value = ((MailAddress)resource).Address;
    }
    else if (string.Equals(wcfType, ClaimTypes.NameIdentifier, StringComparison.Ordinal) && resource is SamlNameIdentifierClaimResource)
    {
        SamlNameIdentifierClaimResource nameId = (SamlNameIdentifierClaimResource)resource;
        _type = wcfType;
        _value = nameId.Name;

        // Format and NameQualifier are optional on the SAML side; copy only what is present.
        if (nameId.Format != null)
        {
            samlNameIdentifierFormat = nameId.Format;
        }
        if (nameId.NameQualifier != null)
        {
            samlNameIdentifierNameQualifier = nameId.NameQualifier;
        }
    }
    else if (string.Equals(wcfType, ClaimTypes.X500DistinguishedName, StringComparison.Ordinal) && resource is X500DistinguishedName)
    {
        _type = wcfType;
        _value = ((X500DistinguishedName)resource).Name;
        _valueType = ClaimValueTypes.X500Name;
    }
    else if (string.Equals(wcfType, ClaimTypes.Uri, StringComparison.Ordinal) && resource is Uri)
    {
        // NOTE(review): Uri.ToString() yields the canonical, unescaped form rather than OriginalString.
        _type = wcfType;
        _value = ((Uri)resource).ToString();
    }
    else if (string.Equals(wcfType, ClaimTypes.Rsa, StringComparison.Ordinal) && resource is RSA)
    {
        // ToXmlString(false): includePrivateParameters is false, so only the public key is exported
        // into the claim value. Do not change this to true — the claim may be serialized and logged.
        _type = wcfType;
        _value = ((RSA)resource).ToXmlString(false);
        _valueType = ClaimValueTypes.RsaKeyValue;
    }
}