/// <summary>
/// Helper function which deletes the relying party and commits the change immediately.
/// </summary>
/// <param name="name"></param>
static void DeleteRelyingPartyByNameIfExists(string name)
{
ManagementService svc = ManagementServiceHelper.CreateManagementServiceClient();
svc.DeleteRelyingPartyByNameIfExists(name);
svc.SaveChangesBatch();
}
/// <summary>
/// Display all rules given a rule group name.
/// </summary>
private static void DisplayAllRulesInGroup(string ruleGroupName)
{
Console.WriteLine("\nRetrieve rules in rule group (Name = {0})\n", ruleGroupName);
ManagementService svc = ManagementServiceHelper.CreateManagementServiceClient();
RuleGroup rg = svc.RuleGroups.Expand("Rules").Where(g => g.Name == ruleGroupName).FirstOrDefault();
if (rg != null)
{
Console.WriteLine("\tId = {0}\n", rg.Id);
Console.WriteLine("\tName = {0}\n", rg.Name);
foreach (Rule rule in rg.Rules)
{
Console.WriteLine("\tRule (Id = {0})\n", rule.Id);
Console.WriteLine("\t\tId = {0}\n", rule.Id);
Console.WriteLine("\t\tInputClaimIssuerId = {0}\n", rule.IssuerId);
Console.WriteLine("\t\tInputClaimType = {0}\n", rule.InputClaimType);
Console.WriteLine("\t\tInputClaimValue = {0}\n", rule.InputClaimValue);
Console.WriteLine("\t\tOutputClaimType = {0}\n", rule.OutputClaimType);
Console.WriteLine("\t\tOutputClaimValue = {0}\n", rule.OutputClaimValue);
Console.WriteLine("\t\tDescription = {0}\n", rule.Description);
}
}
}
/// <summary>
/// Helper function which deletes the service identity and commits immediately.
/// </summary>
/// <param name="name"></param>
private static void DeleteServiceIdentityIfExists(string name)
{
ManagementService svc = ManagementServiceHelper.CreateManagementServiceClient();
svc.DeleteServiceIdentityIfExists(name);
svc.SaveChangesBatch();
}
static void CreateSampleRelyingParty()
{
ManagementService svc = ManagementServiceHelper.CreateManagementServiceClient();
DateTime startDate = DateTime.UtcNow;
DateTime endDate = startDate.AddYears(1);
// Create Relying Party
RelyingParty relyingParty = svc.CreateRelyingParty(TestRelyingPartyNameString, "http://TestRelyingParty.com/Realm", "http://TestRelyingParty.com/Reply", RelyingPartyTokenType.SAML_2_0, false);
string pfxFileName = "SampleCert.pfx";
string pfxPassword = @"pass@word1";
byte[] signingCertificate = ManagementServiceHelper.ReadBytesFromPfxFile(pfxFileName, pfxPassword);
svc.CreateRelyingPartyKey(relyingParty, signingCertificate, pfxPassword, RelyingPartyKeyType.X509Certificate, RelyingPartyKeyUsage.Signing, true);
// Create a rule group and you can follow the 'Rule' sample code to add rules to it as needed.
string sampleRuleGroupName = "Sample Rule Group for " + relyingParty.Name;
RuleGroup ruleGroup = svc.RuleGroups.Where(rg => rg.Name == sampleRuleGroupName).FirstOrDefault();
if (ruleGroup == null)
{
ruleGroup = new RuleGroup()
{
Name = sampleRuleGroupName
};
svc.AddToRuleGroups(ruleGroup);
}
svc.AssignRuleGroupToRelyingParty(ruleGroup, relyingParty);
svc.SaveChangesBatch();
}
private static void CreateSymmetricServiceIdentity(string name, byte[] key)
{
ManagementService svc = ManagementServiceHelper.CreateManagementServiceClient();
svc.CreateServiceIdentity(name, key, ServiceIdentityKeyType.Symmetric, ServiceIdentityKeyUsage.Signing);
svc.SaveChangesBatch();
}
private static void CreatePasswordServiceIdentity(string name, string password)
{
ManagementService svc = ManagementServiceHelper.CreateManagementServiceClient();
svc.CreateServiceIdentity(name, Encoding.UTF8.GetBytes(password), ServiceIdentityKeyType.Password, ServiceIdentityKeyUsage.Password);
svc.SaveChangesBatch();
}
private static void DisplayIdentityProvider(string identityProviderName)
{
Console.WriteLine("\nRetrieve Identity Provider (Name = {0})\n", identityProviderName);
ManagementService svc = ManagementServiceHelper.CreateManagementServiceClient();
IdentityProvider identityProvider = svc.GetIdentityProviderByName(identityProviderName, true);
// Display the values of returned Identity Provider
if (identityProvider != null)
{
Console.WriteLine("\tId = {0}\n", identityProvider.Id);
Console.WriteLine("\tDisplayName = {0}\n", identityProvider.DisplayName);
Console.WriteLine("\tLoginParameters = {0}\n", identityProvider.LoginParameters);
Console.WriteLine("\tWebSSOProtocolType = {0}\n", identityProvider.WebSSOProtocolType);
// display keys associated to the Identity Provider
foreach (IdentityProviderKey identityProviderKey in identityProvider.IdentityProviderKeys)
{
DisplayIdentityProviderKey(identityProviderKey);
}
// display addresses associated to the Identity Provider
foreach (IdentityProviderAddress identityProviderAddress in identityProvider.IdentityProviderAddresses)
{
DisplayIdentityProviderAddress(identityProviderAddress);
}
}
}
private static void UpdateWSFederationIdentityProvider(string identityProviderName)
{
Console.WriteLine("Updating identity provider properties...");
Console.WriteLine();
ManagementService svc = ManagementServiceHelper.CreateManagementServiceClient();
// Retrieve Identity Provider
IdentityProvider identityProvider = svc.GetIdentityProviderByName(identityProviderName, true);
if (identityProvider != null)
{
// update DisplayName
identityProvider.DisplayName = "*SampleIdentityProviderNewDisplayName*";
//update sign-in address
IdentityProviderAddress signInAddress = identityProvider.IdentityProviderAddresses.Where(m => m.EndpointType == IdentityProviderEndpointType.SignIn.ToString()).FirstOrDefault();
if (signInAddress != null)
{
signInAddress.Address = "http://SampleIdentityProvider/New-Sign-In";
svc.UpdateObject(signInAddress);
}
svc.UpdateObject(identityProvider);
svc.SaveChangesBatch();
}
}
/// <summary>
/// CRUD for service identity & service identity symmetric 'Signing' key.
/// </summary>
private static void SymmetricSigningServiceIdentityCRUD()
{
string name = "SymmetricSigningIdentity";
//
// Generate a 32-byte symmetric key.
//
byte[] signingKey = new byte[32];
RNGCryptoServiceProvider rngCryptoServiceProvider = new RNGCryptoServiceProvider();
rngCryptoServiceProvider.GetBytes(signingKey);
ManagementService svc = ManagementServiceHelper.CreateManagementServiceClient();
DeleteServiceIdentityIfExists(name);
CreateSymmetricServiceIdentity(name, signingKey);
DisplayServiceIdentity(name);
byte[] updatedkey = Convert.FromBase64String("UXFUvbfJnDtgL3SD19hxuCvpMYy7Vla6s50n0GQkFAg=");
UpdateServiceIdentityKey(name, updatedkey, ServiceIdentityKeyType.Symmetric);
DisplayServiceIdentity(name);
DeleteServiceIdentityIfExists(name);
}
private static void CreateFacebookIdentityProvider(string applicationId)
{
const string applicationSecret = "appSecret";
ManagementService svc = ManagementServiceHelper.CreateManagementServiceClient();
svc.CreateFacebookIdentityProvider(applicationId, applicationSecret, "email,user_about_me");
svc.SaveChangesBatch();
}
private static void ImportIdentityProviderFromMetadata(string fedMetadataFile)
{
ManagementService svc = ManagementServiceHelper.CreateManagementServiceClient();
using (Stream metadataFileStream = new FileStream(fedMetadataFile, FileMode.Open, FileAccess.Read))
{
svc.ImportIdentityProviderFromStream(metadataFileStream);
}
}
/// <summary>
/// Copies the source rule group into a new rule group
/// </summary>
private static void CopyRuleGroup(string source, string newRuleGroupName)
{
ManagementService svc = ManagementServiceHelper.CreateManagementServiceClient();
RuleGroup rg = svc.RuleGroups.Where(g => g.Name == source).FirstOrDefault();
svc.CopyRuleGroup(rg, newRuleGroupName);
svc.SaveChangesBatch();
}
/// <summary>
/// Delete a rule group by its name.
/// </summary>
private static void DeleteRuleGroupByNameIfExists(string name)
{
ManagementService svc = ManagementServiceHelper.CreateManagementServiceClient();
RuleGroup rg = svc.RuleGroups.Where(g => g.Name == name).FirstOrDefault();
if (rg != null)
{
svc.DeleteObject(rg);
svc.SaveChangesBatch();
}
}
/// <summary>
/// Display a rule group given a name.
/// </summary>
private static void DisplayRuleGroup(string name)
{
ManagementService svc = ManagementServiceHelper.CreateManagementServiceClient();
RuleGroup rg = svc.RuleGroups.Where(g => g.Name == name).FirstOrDefault();
if (rg != null)
{
Console.WriteLine("\tId = {0}\n", rg.Id);
Console.WriteLine("\tName = {0}\n", rg.Name);
}
}
/// <summary>
/// Add a rule group.
/// </summary>
private static void AddRuleGroup(string name)
{
ManagementService svc = ManagementServiceHelper.CreateManagementServiceClient();
RuleGroup rg = new RuleGroup()
{
Name = name
};
svc.AddToRuleGroups(rg);
svc.SaveChangesBatch();
}
/// <summary>
/// Update the name of a rule group.
/// </summary>
private static void UpdateRuleGroupName(string name, string newName)
{
ManagementService svc = ManagementServiceHelper.CreateManagementServiceClient();
RuleGroup rg = svc.RuleGroups.Where(g => g.Name == name).FirstOrDefault();
if (rg != null)
{
rg.Name = newName;
svc.UpdateObject(rg);
svc.SaveChangesBatch();
}
}
/// <summary>
/// Adds a relying party
/// </summary>
private static void AddRelyingParty(string relyingPartyName)
{
ManagementService svc = ManagementServiceHelper.CreateManagementServiceClient();
RelyingParty relyingParty = svc.CreateRelyingParty(relyingPartyName,
"http://localhost",
"http://localhost",
RelyingPartyTokenType.SAML_2_0,
false);
// Associate this new relying party with all identity providers
svc.AssociateIdentityProvidersWithRelyingParties(svc.IdentityProviders,
new [] { relyingParty });
svc.SaveChangesBatch();
}
/// <summary>
/// Delete all rules within a rule group.
/// </summary>
private static void DeleteAllRulesInGroup(string ruleGroupName)
{
Console.WriteLine("\nDelete rules in rule group (Name = {0})\n", ruleGroupName);
ManagementService svc = ManagementServiceHelper.CreateManagementServiceClient();
RuleGroup rg = svc.RuleGroups.Expand("Rules").Where(g => g.Name == ruleGroupName).FirstOrDefault();
if (rg != null)
{
foreach (Rule r in rg.Rules)
{
svc.DeleteObject(r);
}
svc.SaveChangesBatch();
}
}
/// <summary>
/// Generates the rules for the relying party
/// </summary>
private static void GenerateRules(string ruleGroupName, string relyingPartyName)
{
ManagementService svc = ManagementServiceHelper.CreateManagementServiceClient();
// Get the identity providers for the relying party
RelyingParty relyingParty = svc.GetRelyingPartyByName(relyingPartyName);
IEnumerable <IdentityProvider> rpIdentityProviders = svc.GetRelyingPartyIdentityProviders(relyingParty);
// Generate rules for the rule group
RuleGroup ruleGroup = svc.RuleGroups.Where(rg => rg.Name == ruleGroupName).FirstOrDefault();
svc.GenerateRules(ruleGroup, rpIdentityProviders);
// Assign the rule group to relying party
svc.AssignRuleGroupToRelyingParty(ruleGroup, relyingParty);
svc.SaveChangesBatch();
}
private static void CreateSampleWSFederationIdentityProvider(string identityProviderName)
{
ManagementService svc = ManagementServiceHelper.CreateManagementServiceClient();
DateTime startDate = DateTime.UtcNow;
DateTime endDate = startDate.AddYears(1);
// Signing certificates can be found in a WSFederation IdP's fed-metadata.
const string signingCertFileName = "identitykey.cer";
IdentityProvider idp = svc.CreateWsFederationIdentityProvider(identityProviderName,
X509Certificate.CreateFromCertFile(signingCertFileName).GetRawCertData(),
startDate,
endDate,
"http://SampleIdentityProvider.com/sign-in/");
// Do not include the ACS Management Relying Party
svc.AssociateIdentityProvidersWithRelyingParties(new[] { idp }, svc.RelyingParties.Where(rp => rp.Name != "AccessControlManagement"));
svc.SaveChangesBatch();
}
/// <summary>
/// Update the service identity key value.
/// </summary>
private static void UpdateServiceIdentityKey(string name, byte[] keyValue, ServiceIdentityKeyType keyType)
{
ManagementService svc = ManagementServiceHelper.CreateManagementServiceClient();
ServiceIdentity serviceIdentity = svc.GetServiceIdentityByName(name);
if (serviceIdentity != null)
{
foreach (ServiceIdentityKey key in serviceIdentity.ServiceIdentityKeys)
{
if (key.Type == keyType.ToString())
{
key.Value = keyValue;
svc.UpdateObject(key);
}
}
}
svc.SaveChangesBatch();
}
static void DisplayRelyingParty(string relyingPartyName)
{
Console.WriteLine("\nRetrieve Relying Party (Name = {0})\n", relyingPartyName);
ManagementService svc = ManagementServiceHelper.CreateManagementServiceClient();
// Retrieve Relying Party
RelyingParty relyingParty = svc.GetRelyingPartyByName(relyingPartyName, true);
// Display the values of returned Relying Party
if (relyingParty != null)
{
Console.WriteLine("\tId = {0}\n", relyingParty.Id);
Console.WriteLine("\tName = {0}\n", relyingParty.Name);
Console.WriteLine("\tDisplayName = {0}\n", relyingParty.DisplayName);
Console.WriteLine("\tAsymmetricTokenEncryptionRequired = {0}\n", relyingParty.AsymmetricTokenEncryptionRequired);
Console.WriteLine("\tTokenType = {0}\n", relyingParty.TokenType);
Console.WriteLine("\tTokenLifetime = {0}\n", relyingParty.TokenLifetime);
// display keys associated to the Relying Party
foreach (RelyingPartyKey relyingPartyKey in relyingParty.RelyingPartyKeys.Where(m => m.Type == "X509Certificate"))
{
DisplayRelyingPartyKey(relyingPartyKey);
}
// display addresses associated to the Relying Party
foreach (RelyingPartyAddress relyingPartyAddress in relyingParty.RelyingPartyAddresses.ToList())
{
DisplayRelyingPartyAddress(relyingPartyAddress);
}
Console.WriteLine("\tRule Groups:\n");
foreach (RelyingPartyRuleGroup relyingPartyRuleGroup in svc
.RelyingPartyRuleGroups.Expand("RuleGroup")
.Where(r => r.RelyingPartyId == relyingParty.Id))
{
Console.WriteLine("\t\tName: {0}\n", relyingPartyRuleGroup.RuleGroup.Name);
}
}
}
static void UpdateSampleRelyingParty(string relyingPartyName)
{
ManagementService svc = ManagementServiceHelper.CreateManagementServiceClient();
// Retrieve Relying Party and then delete it
RelyingParty relyingParty = svc.RelyingParties.Expand("RelyingPartyAddresses").Where(m => m.Name == relyingPartyName).FirstOrDefault();
if (relyingParty != null)
{
// update DisplayName
relyingParty.DisplayName = "TestRelyingPartyNewDisplayName";
//update Realm
RelyingPartyAddress realm = relyingParty.RelyingPartyAddresses.Where(m => m.EndpointType == "Realm").FirstOrDefault();
if (realm != null)
{
realm.Address = "http://TestRelyingParty/NewRealm";
svc.UpdateObject(realm);
}
svc.UpdateObject(relyingParty);
svc.SaveChangesBatch();
}
}
/// <summary>
/// Enumerate Service Identities.
/// </summary>
private static void DisplayServiceIdentity(string name)
{
Console.WriteLine("\nRetrieve Service Identity (Name = {0})\n", name);
ManagementService svc = ManagementServiceHelper.CreateManagementServiceClient();
ServiceIdentity sid = svc.GetServiceIdentityByName(name);
if (sid != null)
{
Console.WriteLine("\tId = {0}\n", sid.Id);
Console.WriteLine("\tName = {0}\n", sid.Name);
foreach (ServiceIdentityKey key in sid.ServiceIdentityKeys)
{
string keyValue = null;
if (key.Type == ServiceIdentityKeyType.Password.ToString())
{
keyValue = Encoding.ASCII.GetString(key.Value);
}
else
{
keyValue = Convert.ToBase64String(key.Value);
}
Console.WriteLine("\tService identity key (Id = {0})\n", key.Id);
Console.WriteLine("\t\tId = {0}\n", key.Id);
Console.WriteLine("\t\tDisplayName = {0}\n", key.DisplayName);
Console.WriteLine("\t\tType = {0}\n", key.Type);
Console.WriteLine("\t\tUsage = {0}\n", key.Usage);
Console.WriteLine("\t\tStartDate = {0}\n", key.StartDate);
Console.WriteLine("\t\tEndDate = {0}\n", key.EndDate);
Console.WriteLine("\t\tValue = {0}\n", keyValue);
}
}
}
/// <summary>
/// Add rules to a rule group.
/// </summary>
private static void AddRulesToRuleGroup(string ruleGroupName)
{
Console.WriteLine("\nAdding rules in rule group (Name = {0})\n", ruleGroupName);
ManagementService svc = ManagementServiceHelper.CreateManagementServiceClient();
RuleGroup rg = svc.RuleGroups.Where(g => g.Name == ruleGroupName).FirstOrDefault();
// "LOCAL AUTHORITY" is a built-in issuer name, representing the service namespace itself.
Issuer localAuthority = svc.GetIssuerByName("LOCAL AUTHORITY");
Rule basicRule = new Rule()
{
InputClaimType = "https://acs/your-input-type",
InputClaimValue = "inputValue",
OutputClaimType = "https://acs/your-output-type",
OutputClaimValue = "outputValue",
};
basicRule.Description = string.Format(CultureInfo.InvariantCulture,
"Transforms claim from {0} with type: {1}, value: {2}, into a new claim with type: {3}, value:{4}",
"ACS",
basicRule.InputClaimType,
basicRule.InputClaimValue,
basicRule.OutputClaimType,
basicRule.OutputClaimValue);
svc.AddToRules(basicRule);
svc.SetLink(basicRule, "RuleGroup", rg);
svc.SetLink(basicRule, "Issuer", localAuthority);
Rule passthroughSpecificClaimRule = new Rule()
{
InputClaimType = "https://acs/your-input-type2",
InputClaimValue = "inputValue2",
};
passthroughSpecificClaimRule.Description = string.Format(CultureInfo.InvariantCulture,
"Passthrough claim from {0} with type: {1}, value: {2}",
"ACS",
passthroughSpecificClaimRule.InputClaimType,
passthroughSpecificClaimRule.InputClaimValue);
svc.AddToRules(passthroughSpecificClaimRule);
svc.SetLink(passthroughSpecificClaimRule, "RuleGroup", rg);
svc.SetLink(passthroughSpecificClaimRule, "Issuer", localAuthority);
Rule passthroughAnyClaimWithSpecificTypeRule = new Rule()
{
InputClaimType = "https://acs/your-input-type3",
};
passthroughAnyClaimWithSpecificTypeRule.Description = string.Format(CultureInfo.InvariantCulture,
"Passthrough claim from {0} with type: {1}, and any value",
"ACS",
passthroughSpecificClaimRule.InputClaimType);
svc.AddToRules(passthroughAnyClaimWithSpecificTypeRule);
svc.SetLink(passthroughAnyClaimWithSpecificTypeRule, "RuleGroup", rg);
svc.SetLink(passthroughAnyClaimWithSpecificTypeRule, "Issuer", localAuthority);
Rule complexTransformationRule = new Rule()
{
InputClaimType = "https://acs/your-input-type4",
OutputClaimType = "https://acs/your-output-type2",
};
complexTransformationRule.Description = string.Format(CultureInfo.InvariantCulture,
"Transforms claim from {0} with type: {1}, and any value, into a new claim with type: {2}, keeping(passingthrough) old value",
"ACS",
complexTransformationRule.InputClaimType,
complexTransformationRule.OutputClaimType);
svc.AddToRules(complexTransformationRule);
svc.SetLink(complexTransformationRule, "RuleGroup", rg);
svc.SetLink(complexTransformationRule, "Issuer", localAuthority);
svc.SaveChangesBatch();
}
static void Main(string[] args)
{
//
// This is the OpenID identifier of the identity provider.
// This could be changed to be any OpenID provider.
//
const string siteIdentifier = "myopenid.com";
const string providerName = "MyOpenID";
Console.WriteLine("Attempting OpenID discovery for identifier '{0}'", siteIdentifier);
try
{
IdentityProviderYadisDocument discoveryDocument = OpenIdDiscovery.DiscoverIdentityProvider(siteIdentifier);
if (discoveryDocument != null && !string.IsNullOrEmpty(discoveryDocument.OpenIdEndpoint))
{
Console.WriteLine("Successfully discovered OpenID sign-in address: '{0}'.", discoveryDocument.OpenIdEndpoint);
Console.WriteLine("Provider supports attribute exchange? {0}", discoveryDocument.SupportsAttributeExchange);
//
// OpenID discovery was successful. Add the discovered IdentityProvider to ACS.
//
ManagementService svc = ManagementServiceHelper.CreateManagementServiceClient();
svc.DeleteIdentityProviderIfExists(providerName);
svc.SaveChangesBatch();
IdentityProvider idp = svc.CreateOpenIdIdentityProvider(providerName, discoveryDocument.OpenIdEndpoint);
//
// Associate this identity provider with all relying parties.
//
svc.AssociateIdentityProvidersWithRelyingParties(new[] { idp }, svc.RelyingParties.Where(rp => rp.Name != "AccessControlManagement"));
svc.SaveChangesBatch();
Console.WriteLine("\nSuccessfully added identity provider '{0}' to ACS.", providerName);
Console.WriteLine("Press ENTER to continue....\n");
Console.ReadLine();
//
// Deleting the issuer also causes the identity provider and any associated objects to be deleted.
//
svc.DeleteObject(idp.Issuer);
svc.SaveChanges();
Console.WriteLine("\nSuccessfully deleted identity provider.");
}
else
{
Console.WriteLine("OpenID discovery failed. Ensure that the identifier is valid.");
}
}
catch (Exception e)
{
Console.WriteLine("Exception was thrown: " + e.ToString());
}
Console.WriteLine("Done. Press ENTER to continue....\n");
Console.ReadLine();
}