private static void FederatedAuthentication_FederationConfigurationCreated(object sender, FederationConfigurationCreatedEventArgs e)
{
//from appsettings...
const string allowedAudience = "http://audience1/user/get";
const string rpRealm = "http://audience1/";
const string domain = "";
const bool requireSsl = false;
const string issuer = "http://sts/token/create;
const string certThumbprint = " mythumbprint ";
const string authCookieName = " StsAuth ";
var federationConfiguration = new FederationConfiguration();
federationConfiguration.IdentityConfiguration.AudienceRestriction.AllowedAudienceUris.Add(new Uri(allowedAudience));
var issuingAuthority = new IssuingAuthority(internalSts);
issuingAuthority.Thumbprints.Add(certThumbprint);
issuingAuthority.Issuers.Add(internalSts);
var issuingAuthorities = new List<IssuingAuthority> {issuingAuthority};
var validatingIssuerNameRegistry = new ValidatingIssuerNameRegistry {IssuingAuthorities = issuingAuthorities};
federationConfiguration.IdentityConfiguration.IssuerNameRegistry = validatingIssuerNameRegistry;
federationConfiguration.IdentityConfiguration.CertificateValidationMode = X509CertificateValidationMode.None;
var chunkedCookieHandler = new ChunkedCookieHandler {RequireSsl = false, Name = authCookieName, Domain = domain, PersistentSessionLifetime = new TimeSpan(0, 0, 30, 0)};
federationConfiguration.CookieHandler = chunkedCookieHandler;
federationConfiguration.WsFederationConfiguration.Issuer = issuer;
federationConfiguration.WsFederationConfiguration.Realm = rpRealm;
federationConfiguration.WsFederationConfiguration.RequireHttps = requireSsl;
e.FederationConfiguration = federationConfiguration;
}
public static void RefreshKeys(string metadataAddress)
{
IssuingAuthority ia =
ValidatingIssuerNameRegistry.GetIssuingAuthority(metadataAddress);
bool newKeys = false;
foreach (string thumbp in ia.Thumbprints)
{
if (!ContainsKey(thumbp))
{
newKeys = true;
break;
}
}
if (newKeys)
{
XElement keysRoot =
(XElement)(from tt in doc.Descendants("keys") select tt).First();
keysRoot.RemoveNodes();
foreach (string thumbp in ia.Thumbprints)
{
XElement node = new XElement("key", new XAttribute("id", thumbp));
keysRoot.Add(node);
}
doc.Save(filePath);
}
}
public static FederationConfiguration Create(string relyingPartyUrl, string stsUrl, string domain, string certificateThumbprint, string authCookieName, bool requireSsl)
{
var federationConfiguration = new FederationConfiguration();
federationConfiguration.IdentityConfiguration.AudienceRestriction.AllowedAudienceUris.Add(new Uri(relyingPartyUrl));
var issuingAuthority = new IssuingAuthority(stsUrl);
issuingAuthority.Thumbprints.Add(certificateThumbprint);
issuingAuthority.Issuers.Add(stsUrl);
var issuingAuthorities = new List<IssuingAuthority> { issuingAuthority };
var validatingIssuerNameRegistry = new ValidatingIssuerNameRegistry { IssuingAuthorities = issuingAuthorities };
federationConfiguration.IdentityConfiguration.IssuerNameRegistry = validatingIssuerNameRegistry;
federationConfiguration.IdentityConfiguration.CertificateValidationMode = X509CertificateValidationMode.None;
var chunkedCookieHandler = new ChunkedCookieHandler
{
RequireSsl = requireSsl,
Name = authCookieName,
Domain = domain,
PersistentSessionLifetime = new TimeSpan(0, 0, 30, 0)
};
federationConfiguration.CookieHandler = chunkedCookieHandler;
var issuerOfToken = stsUrl;
federationConfiguration.WsFederationConfiguration.Issuer = issuerOfToken;
federationConfiguration.WsFederationConfiguration.Realm = relyingPartyUrl;
federationConfiguration.WsFederationConfiguration.RequireHttps = requireSsl;
return federationConfiguration;
}
/// <summary>
/// RefreshKeys
/// </summary>
/// <param name="metadataLocation"></param>
public static void RefreshKeys(string metadataLocation)
{
IssuingAuthority issuingAuthority = ValidatingIssuerNameRegistry.GetIssuingAuthority(metadataLocation);
bool newKeys = false;
foreach (string thumbprint in issuingAuthority.Thumbprints)
{
if (!ContainsKey(thumbprint))
{
newKeys = true;
break;
}
}
if (newKeys)
{
using (MyCompanyContext context = new MyCompanyContext())
{
context.IssuingAuthorityKeys.RemoveRange(context.IssuingAuthorityKeys);
foreach (string thumbprint in issuingAuthority.Thumbprints)
{
context.IssuingAuthorityKeys.Add(new IssuingAuthorityKey {
Id = thumbprint
});
}
context.SaveChanges();
}
}
}
public static void RefreshKeys(string metadataLocation)
{
IssuingAuthority issuingAuthority = ValidatingIssuerNameRegistry.GetIssuingAuthority(metadataLocation);
bool newKeys = false;
bool refreshTenant = false;
foreach (string thumbprint in issuingAuthority.Thumbprints)
{
if (!ContainsKey(thumbprint))
{
newKeys = true;
refreshTenant = true;
break;
}
}
foreach (string issuer in issuingAuthority.Issuers)
{
if (!ContainsTenant(GetIssuerId(issuer)))
{
refreshTenant = true;
break;
}
}
if (newKeys || refreshTenant)
{
using (TenantDbContext context = new TenantDbContext())
{
if (newKeys)
{
context.IssuingAuthorityKeys.RemoveRange(context.IssuingAuthorityKeys);
foreach (string thumbprint in issuingAuthority.Thumbprints)
{
context.IssuingAuthorityKeys.Add(new IssuingAuthorityKey {
Id = thumbprint
});
}
}
if (refreshTenant)
{
// Add the default tenant to the registry.
// Comment or remove the following code if you do not wish to have the default tenant use the application.
foreach (string issuer in issuingAuthority.Issuers)
{
string issuerId = GetIssuerId(issuer);
if (!ContainsTenant(issuerId))
{
context.Tenants.Add(new Tenant {
Id = issuerId
});
}
}
}
context.SaveChanges();
}
}
}
public static void RefreshKeys(string metadataLocation)
{
IssuingAuthority issuingAuthority = ValidatingIssuerNameRegistry.GetIssuingAuthority(metadataLocation);
bool newKeys = false;
bool refreshTenant = false;
foreach (string thumbprint in issuingAuthority.Thumbprints)
{
if (!ContainsKey(thumbprint))
{
newKeys = true;
refreshTenant = true;
break;
}
}
foreach (string issuer in issuingAuthority.Issuers)
{
if (!ContainsTenant(GetIssuerId(issuer)))
{
refreshTenant = true;
break;
}
}
if (newKeys || refreshTenant)
{
using (TenantDbContext context = new TenantDbContext())
{
if (newKeys)
{
context.IssuingAuthorityKeys.RemoveRange(context.IssuingAuthorityKeys);
foreach (string thumbprint in issuingAuthority.Thumbprints)
{
context.IssuingAuthorityKeys.Add(new IssuingAuthorityKey {
Id = thumbprint
});
}
}
if (refreshTenant)
{
foreach (string issuer in issuingAuthority.Issuers)
{
string issuerId = GetIssuerId(issuer);
if (!ContainsTenant(issuerId))
{
context.Tenants.Add(new Tenant {
Id = issuerId
});
}
}
}
context.SaveChanges();
}
}
}
private static void RefreshIssuerKeys()
{
// http://msdn.microsoft.com/en-us/library/azure/dn641920.aspx
var configPath = AppDomain.CurrentDomain.BaseDirectory + "\\" + "Web.config";
var metadataAddress = ConfigurationManager.AppSettings["ida:FederationMetadataLocation"];
ValidatingIssuerNameRegistry.WriteToConfig(metadataAddress, configPath);
}
protected void RefreshValidationSettings()
{
string configPath = Path.Combine(AppDomain.CurrentDomain.BaseDirectory, "Web.config");
string metadataAddress =
ConfigurationManager.AppSettings["ida:FederationMetadataLocation"];
ValidatingIssuerNameRegistry.WriteToConfig(metadataAddress, configPath);
}
protected void RefreshValidationSettings()
{
if (!RoleEnvironment.IsAvailable)
{
string configPath = AppDomain.CurrentDomain.BaseDirectory + "\\" + "Web.config";
string metadataAddress = ConfigurationManager.AppSettings["FederationMetadataLocation"];
ValidatingIssuerNameRegistry.WriteToConfig(metadataAddress, configPath);
}
// else { // See WebRole.cs file }
}
public static void RefreshKeys(string metadataLocation)
{
IssuingAuthority issuingAuthority = ValidatingIssuerNameRegistry.GetIssuingAuthority(metadataLocation);
bool newKeys = false;
bool refreshTenant = false;
foreach (string thumbprint in issuingAuthority.Thumbprints)
{
if (!ContainsKey(thumbprint))
{
newKeys = true;
refreshTenant = true;
break;
}
}
foreach (string issuer in issuingAuthority.Issuers)
{
if (!ContainsTenant(GetIssuerId(issuer)))
{
refreshTenant = true;
break;
}
}
if (newKeys || refreshTenant)
{
if (newKeys)
{
session.RemoveBatch <IssuingAuthorityKey>(session.GetQueryable <IssuingAuthorityKey>().Select(i => i.Id).ToList());
foreach (string thumbprint in issuingAuthority.Thumbprints)
{
session.Add(new IssuingAuthorityKey {
Id = thumbprint
});
}
}
if (refreshTenant)
{
foreach (string issuer in issuingAuthority.Issuers)
{
string issuerId = GetIssuerId(issuer);
if (!ContainsTenant(issuerId))
{
session.Add(new Tenant {
Id = issuerId
});
}
}
}
}
}
private static IssuingAuthority GetIssuingAuthority()
{
IssuingAuthority issuingAuthority = issuingAuthorityCache[IssuingAuthorityCacheKey] as IssuingAuthority;
if (issuingAuthority == null)
{
issuingAuthority = ValidatingIssuerNameRegistry.GetIssuingAuthority(MetadataLocation);
issuingAuthorityCache.Add(IssuingAuthorityCacheKey, issuingAuthority, DateTimeOffset.UtcNow.AddHours(1.0));
}
return(issuingAuthority);
}
public static void RefreshKeys(string metadataLocation)
{
IssuingAuthority issuingAuthority = ValidatingIssuerNameRegistry.GetIssuingAuthority(metadataLocation);
bool newKeys = false;
bool refreshTenant = false;
foreach (string thumbprint in issuingAuthority.Thumbprints)
{
if (!ContainsKey(thumbprint))
{
newKeys = true;
refreshTenant = true;
break;
}
}
foreach (string issuer in issuingAuthority.Issuers)
{
if (!ContainsTenant(GetIssuerId(issuer)))
{
refreshTenant = true;
break;
}
}
if (!newKeys && !refreshTenant)
{
return;
}
if (newKeys)
{
//IssuingAuthorityKeys.RemoveRange(context.IssuingAuthorityKeys);
IssuingAuthorityKeys.Clear();
foreach (var thumbprint in issuingAuthority.Thumbprints)
{
IssuingAuthorityKeys.Add(new IssuingAuthorityKey {
Id = thumbprint
});
}
}
foreach (
string issuerId in
issuingAuthority.Issuers.Select(GetIssuerId).Where(issuerId => !ContainsTenant(issuerId)))
{
Tenants.Add(new Tenant {
Id = issuerId
});
}
}
protected void Application_Start()
{
AreaRegistration.RegisterAllAreas();
// ....
string configPath = AppDomain.CurrentDomain.BaseDirectory + "\\" + "Web.config";
string metadataAddress =
ConfigurationManager.AppSettings["ida:FederationMetadataLocation"];
ValidatingIssuerNameRegistry.WriteToConfig(metadataAddress, configPath);
// Make sure we don't use the Webforms view engine in any way.
ViewEngines.Engines.Clear();
ViewEngines.Engines.Add(new RazorViewEngine());
RegisterGlobalFilters(GlobalFilters.Filters);
RegisterRoutes(RouteTable.Routes);
}
public static FederationConfiguration LoadConfigurationSection()
{
var allowedAudience = MortysMixedAuthenticationConfiguration.Settings.ClientApplicationUri;
var rpRealm = MortysMixedAuthenticationConfiguration.Settings.ClientApplicationUri;
var domain = "";
var requireSsl = true;
var issuer = MortysMixedAuthenticationConfiguration.Settings.SecurityTokenIssuerUri;
var certThumbprint = MortysMixedAuthenticationConfiguration.Settings.TokenSigningSertificateThumbprint;
var issuingAuthorityUri = MortysMixedAuthenticationConfiguration.Settings.TokenIssuingAuthorityUri;
var authCookieName = "FocusFederatedAuth";
var federationConfiguration = new FederationConfiguration();
federationConfiguration.IdentityConfiguration.AudienceRestriction.AllowedAudienceUris.Add(new Uri(allowedAudience));
var issuingAuthority = new IssuingAuthority(issuingAuthorityUri);
issuingAuthority.Thumbprints.Add(certThumbprint);
issuingAuthority.Issuers.Add(issuingAuthorityUri);
var validatingIssuerNameRegistry = new ValidatingIssuerNameRegistry
{
IssuingAuthorities = new List <IssuingAuthority> {
issuingAuthority
}
};
federationConfiguration.IdentityConfiguration.IssuerNameRegistry = validatingIssuerNameRegistry;
federationConfiguration.IdentityConfiguration.CertificateValidationMode = X509CertificateValidationMode.None;
var chunkedCookieHandler = new ChunkedCookieHandler {
RequireSsl = false, Name = authCookieName, Domain = domain, PersistentSessionLifetime = new TimeSpan(0, 0, 30, 0)
};
federationConfiguration.CookieHandler = chunkedCookieHandler;
federationConfiguration.WsFederationConfiguration.Issuer = issuer;
federationConfiguration.WsFederationConfiguration.Realm = rpRealm;
federationConfiguration.WsFederationConfiguration.RequireHttps = requireSsl;
federationConfiguration.WsFederationConfiguration.PassiveRedirectEnabled = true;
return(federationConfiguration);
}
public static FederationConfiguration Create(string relyingPartyUrl, string stsUrl, string domain, string certificateThumbprint, string authCookieName, bool requireSsl)
{
var federationConfiguration = new FederationConfiguration();
federationConfiguration.IdentityConfiguration.AudienceRestriction.AllowedAudienceUris.Add(new Uri(relyingPartyUrl));
var issuingAuthority = new IssuingAuthority(stsUrl);
issuingAuthority.Thumbprints.Add(certificateThumbprint);
issuingAuthority.Issuers.Add(stsUrl);
var issuingAuthorities = new List <IssuingAuthority> {
issuingAuthority
};
var validatingIssuerNameRegistry = new ValidatingIssuerNameRegistry {
IssuingAuthorities = issuingAuthorities
};
federationConfiguration.IdentityConfiguration.IssuerNameRegistry = validatingIssuerNameRegistry;
federationConfiguration.IdentityConfiguration.CertificateValidationMode = X509CertificateValidationMode.None;
var chunkedCookieHandler = new ChunkedCookieHandler
{
RequireSsl = requireSsl,
Name = authCookieName,
Domain = domain,
PersistentSessionLifetime = new TimeSpan(0, 0, 30, 0)
};
federationConfiguration.CookieHandler = chunkedCookieHandler;
var issuerOfToken = stsUrl;
federationConfiguration.WsFederationConfiguration.Issuer = issuerOfToken;
federationConfiguration.WsFederationConfiguration.Realm = relyingPartyUrl;
federationConfiguration.WsFederationConfiguration.RequireHttps = requireSsl;
return(federationConfiguration);
}
public static void RefreshKeys(string metadataLocation)
{
IssuingAuthority issuingAuthority = ValidatingIssuerNameRegistry.GetIssuingAuthority(metadataLocation);
bool newKeys = false;
foreach (string thumbprint in issuingAuthority.Thumbprints)
{
if (!ContainsKey(thumbprint))
{
newKeys = true;
break;
}
}
if (newKeys)
{
using (TenantDbContext context = new TenantDbContext())
{
context.IssuingAuthorityKeys.RemoveRange(context.IssuingAuthorityKeys);
foreach (string thumbprint in issuingAuthority.Thumbprints)
{
context.IssuingAuthorityKeys.Add(new IssuingAuthorityKey {
Id = thumbprint
});
}
foreach (string issuer in issuingAuthority.Issuers)
{
context.Tenants.Add(new Tenant {
Id = issuer.TrimEnd('/').Split('/').Last()
});
}
context.SaveChanges();
}
}
}
//public override ClaimsPrincipal ValidateToken(string securityToken, TokenValidationParameters validationParameters, out SecurityToken validatedToken)
//{
// //var identity = new GenericIdentity("*****@*****.**");
// //identity.AddClaim(new Claim(ClaimTypes.NameIdentifier, "*****@*****.**"));
// //ClaimsPrincipal claimsPrincipal = new ClaimsPrincipal(identity);
// //validatedToken = new JwtSecurityToken("https://asemshop1.accesscontrol.windows.net/", "https://localhost/ACSWebShop/", new List<Claim>(), DateTime.Now.AddDays(-1), DateTime.Now.AddDays(10));
// //return claimsPrincipal;
// return base.ValidateToken(securityToken, validationParameters, out validatedToken);
//}
public override System.Collections.ObjectModel.ReadOnlyCollection <ClaimsIdentity> ValidateToken(SecurityToken token)
{
JwtSecurityToken jwtToken = (JwtSecurityToken)token;
// Get the configuration from the configuration file (element "issuerNameRegistry").
ValidatingIssuerNameRegistry issuerNameRegistry = (ValidatingIssuerNameRegistry)
Configuration.IssuerNameRegistry;
IssuingAuthority issuingAuthority = issuerNameRegistry.IssuingAuthorities.First();
// Set the validation parameters from the configuration.
var validationParameters = new TokenValidationParameters
{
// Get the audiences that are expected.
ValidAudiences = Configuration.AudienceRestriction.AllowedAudienceUris.Select(s => s.ToString()),
// Get the issuer that are expected.
ValidIssuers = issuingAuthority.Issuers,
// Get the symmetric key token that is used to sign (if configured).
// Did not get this one working though.
IssuerSigningToken = new BinarySecretSecurityToken(Convert.FromBase64String(issuingAuthority.SymmetricKeys.FirstOrDefault())),
// Get how to validate the certificate.
CertificateValidator = Configuration.CertificateValidator,
// Get if the token should be preserved.
SaveSigninToken = Configuration.SaveBootstrapContext
};
// Call the correct validation method.
SecurityToken validatedToken;
ClaimsPrincipal validated = ValidateToken(jwtToken.RawData, validationParameters, out validatedToken);
// Return the claim identities.
return(new ReadOnlyCollection <ClaimsIdentity>(validated.Identities.ToList()));
}
public override bool OnStart()
{
// For information on handling configuration changes
// See the MSDN topic at http://go.microsoft.com/fwlink/?LinkId=166357.
RoleEnvironment.Changing += RoleEnvironmentChanging;
//Comment following code to debug the cloud service on local emulator
#region Copy the config in web.config
using (var server = new ServerManager())
{
string siteNameFromServiceModel = "Web";
string siteName = string.Format("{0}_{1}", RoleEnvironment.CurrentRoleInstance.Id, siteNameFromServiceModel);
string configFilePath = server.Sites[siteName].Applications[0].VirtualDirectories[0].PhysicalPath + "\\Web.config";
XElement element = XElement.Load(configFilePath);
string strSetting;
if (!(String.IsNullOrEmpty(strSetting = RoleEnvironment.GetConfigurationSettingValue("connectionString"))))
{
var v = from appSetting in element.Element("connectionStrings").Elements("add")
where "WindowsAzureStorage" == appSetting.Attribute("name").Value
select appSetting;
if (v != null)
{
v.First().Attribute("connectionString").Value = strSetting;
}
}
if (!(String.IsNullOrEmpty(strSetting = RoleEnvironment.GetConfigurationSettingValue("bingCredential"))))
{
var v = from appSetting in element.Element("appSettings").Elements("add")
where "bingCredential" == appSetting.Attribute("key").Value
select appSetting;
if (v != null)
{
v.First().Attribute("value").Value = strSetting;
}
}
if (!(String.IsNullOrEmpty(strSetting = RoleEnvironment.GetConfigurationSettingValue("FederationMetadataLocation"))))
{
var v = from appSetting in element.Element("appSettings").Elements("add")
where "FederationMetadataLocation" == appSetting.Attribute("key").Value
select appSetting;
if (v != null)
{
v.First().Attribute("value").Value = strSetting;
}
}
if (!(String.IsNullOrEmpty(strSetting = RoleEnvironment.GetConfigurationSettingValue("audienceUri"))))
{
element.Element("system.identityModel").Element("identityConfiguration").Element("audienceUris").Element("add").Attribute("value").Value = strSetting;
}
if (!(String.IsNullOrEmpty(strSetting = RoleEnvironment.GetConfigurationSettingValue("trustedIssuerName"))))
{
element.Element("system.identityModel").Element("identityConfiguration").Element("issuerNameRegistry").Element("authority").Attribute("name").Value = strSetting;
element.Element("system.identityModel").Element("identityConfiguration").Element("issuerNameRegistry").Element("authority").Element("validIssuers").Element("add").Attribute("name").Value = strSetting;
}
if (!(String.IsNullOrEmpty(strSetting = RoleEnvironment.GetConfigurationSettingValue("issuer"))))
{
element.Element("system.identityModel.services").Element("federationConfiguration").Element("wsFederation").Attribute("issuer").Value = strSetting;
}
if (!(String.IsNullOrEmpty(strSetting = RoleEnvironment.GetConfigurationSettingValue("realm"))))
{
element.Element("system.identityModel.services").Element("federationConfiguration").Element("wsFederation").Attribute("realm").Value = strSetting;
}
element.Save(configFilePath);
if (!(String.IsNullOrEmpty(strSetting = RoleEnvironment.GetConfigurationSettingValue("FederationMetadataLocation"))))
{
ValidatingIssuerNameRegistry.WriteToConfig(strSetting, configFilePath);
}
server.CommitChanges();
}
#endregion
return(base.OnStart());
}
