public void TestInitialize() { _responseGenerator = Substitute.For <IWsFederationResponseGenerator>(); _userSession = Substitute.For <IUserSession>(); _validatedRequest = Substitute.For <ValidatedWsFederationSigninRequest>(); _signinValidator = Substitute.For <IWsFederationSigninValidator>(); _signinValidator.ValidateAsync(default, default).ReturnsForAnyArgs(new WsFederationSigninValidationResult(_validatedRequest));
public async Task <string> GenerateSerializedRstr(ValidatedWsFederationSigninRequest request) { var now = _clock.UtcNow.UtcDateTime; var principal = request.Subject.Identity as ClaimsIdentity; var nameIdClaim = principal.FindFirst(ClaimTypes.NameIdentifier); if (nameIdClaim == null) { nameIdClaim = new Claim(ClaimTypes.NameIdentifier, principal.Name); nameIdClaim.Properties.Add(ClaimProperties.SamlNameIdentifierFormat, Saml2Constants.NameIdentifierFormats.UnspecifiedString); principal.AddClaim(nameIdClaim); } var tokenDescriptor = new SecurityTokenDescriptor { Audience = request.RequestMessage.Wtrealm, Expires = now.AddSeconds(request.Client.IdentityTokenLifetime), IssuedAt = now, Issuer = _options.IssuerUri, NotBefore = now, SigningCredentials = await _keys.GetSigningCredentialsAsync(), Subject = principal }; //For whatever reason, the Digest method isn't specified in the builder extensions for identity server. //Not a good solution to force the user to use th eoverload that takes SigningCredentials //IdentityServer4/Configuration/DependencyInjection/BuilderExtensions/Crypto.cs //Instead, it should be supported in: // The overload that takes a X509Certificate2 // The overload that looks it up in a cert store // The overload that takes an RsaSecurityKey // AddDeveloperSigningCredential //For now, this is a workaround. if (tokenDescriptor.SigningCredentials.Digest == null) { _logger.LogInformation($"SigningCredentials does not have a digest specified. Using default digest algorithm of {SecurityAlgorithms.Sha256Digest}"); tokenDescriptor.SigningCredentials = new SigningCredentials(tokenDescriptor.SigningCredentials.Key, tokenDescriptor.SigningCredentials.Algorithm, SecurityAlgorithms.Sha256Digest); } _logger.LogDebug("Creating SAML 2.0 security token."); var tokenHandler = new Saml2SecurityTokenHandler(); var token = tokenHandler.CreateToken(tokenDescriptor); _logger.LogDebug("Serializing RSTR."); var rstr = new RequestSecurityTokenResponse { AppliesTo = new AppliesTo(request.RequestMessage.Wtrealm), KeyType = "http://schemas.xmlsoap.org/ws/2005/05/identity/NoProofKey", Lifetime = new Lifetime(now, now.AddSeconds(request.Client.IdentityTokenLifetime)), RequestedSecurityToken = token, RequestType = "http://schemas.xmlsoap.org/ws/2005/02/trust/Issue", TokenType = "http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0" }; return(RequestSecurityTokenResponseSerializer.Serialize(rstr)); }
public async Task <WsFederationSigninResponse> GenerateResponseAsync(ValidatedWsFederationSigninRequest request) { _logger.LogDebug("Creating WsFederation Signin Response."); var responseMessage = new WsFederationMessage { IssuerAddress = request.RequestMessage.Wreply, Wa = request.RequestMessage.Wa, Wctx = request.RequestMessage.Wctx, Wresult = await GenerateSerializedRstr(request) }; var response = new WsFederationSigninResponse { Request = request, ResponseMessage = responseMessage }; return(response); }
private ValidatedWsFederationSigninRequest GetDefaultValidatedRequest() { var client = new Client { IdentityTokenLifetime = 300 }; var request = new ValidatedWsFederationSigninRequest { Client = client, RequestMessage = new WsFederationMessage { Wa = WsFederationConstants.WsFederationActions.SignIn, Wctx = "Context", Wreply = "http://example.com/mywreply", Wtrealm = "http://example.com/myrealm" }, Subject = new ClaimsPrincipal(new ClaimsIdentity(new List <Claim> { new Claim(ClaimTypes.Name, "bob") })) }; request.SetClient(client); return(request); }
public WsFederationLoginPageResult(ValidatedWsFederationSigninRequest request) { _request = request; }