private static CommandResult RedirectToDiscoveryService(
string returnPath,
ISPOptions spOptions,
AuthServicesUrls authServicesUrls)
{
string returnUrl = authServicesUrls.SignInUrl.OriginalString;
if (!string.IsNullOrEmpty(returnPath))
{
returnUrl += "?ReturnUrl=" + Uri.EscapeDataString(returnPath);
}
var redirectLocation = string.Format(
CultureInfo.InvariantCulture,
"{0}?entityID={1}&return={2}&returnIDParam=idp",
spOptions.DiscoveryServiceUrl,
Uri.EscapeDataString(spOptions.EntityId.Id),
Uri.EscapeDataString(returnUrl));
return(new CommandResult()
{
HttpStatusCode = HttpStatusCode.SeeOther,
Location = new Uri(redirectLocation)
});
}
private static CommandResult RedirectToDiscoveryService(
string returnPath,
ISPOptions spOptions,
AuthServicesUrls authServicesUrls)
{
string returnUrl = authServicesUrls.SignInUrl.OriginalString;
if(!string.IsNullOrEmpty(returnPath))
{
returnUrl += "?ReturnUrl=" + Uri.EscapeDataString(returnPath);
}
var redirectLocation = string.Format(
CultureInfo.InvariantCulture,
"{0}?entityID={1}&return={2}&returnIDParam=idp",
spOptions.DiscoveryServiceUrl,
Uri.EscapeDataString(spOptions.EntityId.Id),
Uri.EscapeDataString(returnUrl));
return new CommandResult()
{
HttpStatusCode = HttpStatusCode.SeeOther,
Location = new Uri(redirectLocation)
};
}
private static CommandResult RedirectToDiscoveryService(
string returnPath,
SPOptions spOptions,
AuthServicesUrls authServicesUrls,
IDictionary <string, string> relayData)
{
string returnUrl = authServicesUrls.SignInUrl.OriginalString;
var relayState = SecureKeyGenerator.CreateRelayState();
returnUrl += "?RelayState=" + Uri.EscapeDataString(relayState);
var redirectLocation = string.Format(
CultureInfo.InvariantCulture,
"{0}?entityID={1}&return={2}&returnIDParam=idp",
spOptions.DiscoveryServiceUrl,
Uri.EscapeDataString(spOptions.EntityId.Id),
Uri.EscapeDataString(returnUrl));
var requestState = new StoredRequestState(
null,
returnPath == null ? null : new Uri(returnPath, UriKind.RelativeOrAbsolute),
null,
relayData);
return(new CommandResult()
{
HttpStatusCode = HttpStatusCode.SeeOther,
Location = new Uri(redirectLocation),
RequestState = requestState,
SetCookieName = "Kentor." + relayState
});
}
public CommandResult Run(HttpRequestData request, IOptions options)
{
if (options == null)
{
throw new ArgumentNullException(nameof(options));
}
var urls = new AuthServicesUrls(request, options);
var metadata = options.SPOptions.CreateMetadata(urls);
options.Notifications.MetadataCreated(metadata, urls);
var result = new CommandResult()
{
Content = metadata.ToXmlString(
options.SPOptions.SigningServiceCertificate,
options.SPOptions.SigningAlgorithm),
ContentType = "application/samlmetadata+xml"
};
options.Notifications.MetadataCommandResultCreated(result);
return(result);
}
public void AuthServicesUrls_Ctor_HandlesApplicationInRoot()
{
var appUrl = new Uri("http://localhost:42/");
var modulePath = "/modulePath";
var subject = new AuthServicesUrls(appUrl, modulePath);
subject.AssertionConsumerServiceUrl.Should().Be(new Uri("http://localhost:42/modulePath/Acs"));
subject.SignInUrl.Should().Be(new Uri("http://localhost:42/modulePath/SignIn"));
}
public static CommandResult Run(
EntityId idpEntityId,
string returnPath,
HttpRequestData request,
IOptions options,
IDictionary <string, string> relayData)
{
if (options == null)
{
throw new ArgumentNullException(nameof(options));
}
var urls = new AuthServicesUrls(request, options.SPOptions);
IdentityProvider idp;
if (idpEntityId == null || idpEntityId.Id == null)
{
if (options.SPOptions.DiscoveryServiceUrl != null)
{
return(RedirectToDiscoveryService(returnPath, options.SPOptions, urls));
}
idp = options.IdentityProviders.Default;
}
else
{
if (!options.IdentityProviders.TryGetValue(idpEntityId, out idp))
{
throw new InvalidOperationException("Unknown idp");
}
}
Uri returnUrl = null;
if (!string.IsNullOrEmpty(returnPath))
{
var appRelativePath = request.Url.AbsolutePath.Substring(
request.ApplicationUrl.AbsolutePath.Length).TrimStart('/');
returnUrl = new Uri(new Uri(urls.ApplicationUrl, appRelativePath), returnPath);
}
var authnRequest = idp.CreateAuthenticateRequest(urls);
var commandResult = idp.Bind(authnRequest);
commandResult.RequestState = new StoredRequestState(
idp.EntityId, returnUrl, authnRequest.Id, relayData);
commandResult.SetCookieName = "Kentor." + authnRequest.RelayState;
return(commandResult);
}
private static Uri GetReturnUrl(HttpRequestData request, string returnPath, IOptions options)
{
var urls = new AuthServicesUrls(request, options.SPOptions);
if (!string.IsNullOrEmpty(returnPath))
{
return(new Uri(urls.ApplicationUrl, returnPath));
}
else
{
return(urls.ApplicationUrl);
}
}
public static CommandResult Run(
EntityId idpEntityId,
string returnPath,
HttpRequestData request,
IOptions options,
IDictionary <string, string> relayData)
{
if (options == null)
{
throw new ArgumentNullException(nameof(options));
}
var urls = new AuthServicesUrls(request, options);
IdentityProvider idp = options.Notifications.SelectIdentityProvider(idpEntityId, relayData);
if (idp == null)
{
var idpEntityIdString = idpEntityId?.Id;
if (idpEntityIdString == null)
{
if (options.SPOptions.DiscoveryServiceUrl != null)
{
var commandResult = RedirectToDiscoveryService(returnPath, options.SPOptions, urls);
options.Notifications.SignInCommandResultCreated(commandResult, relayData);
options.SPOptions.Logger.WriteInformation("Redirecting to Discovery Service to select Idp.");
return(commandResult);
}
idp = options.IdentityProviders.Default;
options.SPOptions.Logger.WriteVerbose(
"No specific idp requested and no Discovery Service configured. " +
"Falling back to use configured default Idp " + idp.EntityId.Id);
}
else
{
if (!options.IdentityProviders.TryGetValue(idpEntityId, out idp))
{
throw new InvalidOperationException("Unknown idp " + idpEntityIdString);
}
}
}
var returnUrl = string.IsNullOrEmpty(returnPath)
? null
: new Uri(returnPath, UriKind.RelativeOrAbsolute);
options.SPOptions.Logger.WriteInformation("Initiating login to " + idp.EntityId.Id);
return(InitiateLoginToIdp(options, relayData, urls, idp, returnUrl));
}
public CommandResult Run(HttpRequestData request, IOptions options)
{
if (options == null)
{
throw new ArgumentNullException(nameof(options));
}
var urls = new AuthServicesUrls(request, options.SPOptions);
return(new CommandResult()
{
Content = options.SPOptions.CreateMetadata(urls).ToXmlString(),
ContentType = "application/samlmetadata+xml"
});
}
public CommandResult Run(HttpRequestData request, IOptions options)
{
if (options == null)
{
throw new ArgumentNullException("options");
}
var urls = new AuthServicesUrls(request, options.SPOptions);
return new CommandResult()
{
Content = options.SPOptions.CreateMetadata(urls, _entityIdSuffix).ToXmlString(options.SPOptions.SigningServiceCertificate),
ContentType = "application/samlmetadata+xml"
};
}
public CommandResult Run(HttpRequestData request, IOptions options)
{
if(options == null)
{
throw new ArgumentNullException(nameof(options));
}
var urls = new AuthServicesUrls(request, options.SPOptions);
return new CommandResult()
{
Content = options.SPOptions.CreateMetadata(urls).ToXmlString(),
ContentType = "application/samlmetadata+xml"
};
}
public static ExtendedEntityDescriptor CreateMetadata(this ISPOptions spOptions, AuthServicesUrls urls)
{
var ed = new ExtendedEntityDescriptor
{
EntityId = spOptions.EntityId,
Organization = spOptions.Organization,
CacheDuration = spOptions.MetadataCacheDuration
};
foreach (var contact in spOptions.Contacts)
{
ed.Contacts.Add(contact);
}
var spsso = new ExtendedServiceProviderSingleSignOnDescriptor();
spsso.ProtocolsSupported.Add(new Uri("urn:oasis:names:tc:SAML:2.0:protocol"));
spsso.AssertionConsumerServices.Add(0, new IndexedProtocolEndpoint()
{
Index = 0,
IsDefault = true,
Binding = Saml2Binding.HttpPostUri,
Location = urls.AssertionConsumerServiceUrl
});
foreach(var attributeService in spOptions.AttributeConsumingServices)
{
spsso.AttributeConsumingServices.Add(attributeService);
}
ed.RoleDescriptors.Add(spsso);
if(spOptions.DiscoveryServiceUrl != null
&& !string.IsNullOrEmpty(spOptions.DiscoveryServiceUrl.OriginalString))
{
ed.Extensions.DiscoveryResponse = new IndexedProtocolEndpoint
{
Binding = Saml2Binding.DiscoveryResponseUri,
Index = 0,
IsDefault = true,
Location = urls.SignInUrl
};
}
return ed;
}
public static CommandResult Run(
EntityId idpEntityId,
string returnPath,
HttpRequestData request,
IOptions options,
object relayData)
{
if (options == null)
{
throw new ArgumentNullException(nameof(options));
}
var urls = new AuthServicesUrls(request, options.SPOptions);
IdentityProvider idp;
if (idpEntityId == null || idpEntityId.Id == null)
{
if (options.SPOptions.DiscoveryServiceUrl != null)
{
return(RedirectToDiscoveryService(returnPath, options.SPOptions, urls));
}
idp = options.IdentityProviders.Default;
}
else
{
if (!options.IdentityProviders.TryGetValue(idpEntityId, out idp))
{
throw new InvalidOperationException("Unknown idp");
}
}
Uri returnUrl = null;
if (!string.IsNullOrEmpty(returnPath))
{
Uri.TryCreate(request.Url, returnPath, out returnUrl);
}
var authnRequest = idp.CreateAuthenticateRequest(returnUrl, urls, relayData);
return(idp.Bind(authnRequest));
}
public static CommandResult Run(
EntityId idpEntityId,
string returnPath,
HttpRequestData request,
IOptions options,
IDictionary <string, string> relayData)
{
if (options == null)
{
throw new ArgumentNullException(nameof(options));
}
var urls = new AuthServicesUrls(request, options);
IdentityProvider idp = options.Notifications.SelectIdentityProvider(idpEntityId, relayData);
if (idp == null)
{
if (idpEntityId?.Id == null)
{
if (options.SPOptions.DiscoveryServiceUrl != null)
{
var commandResult = RedirectToDiscoveryService(returnPath, options.SPOptions, urls);
options.Notifications.SignInCommandResultCreated(commandResult, relayData);
return(commandResult);
}
idp = options.IdentityProviders.Default;
}
else
{
if (!options.IdentityProviders.TryGetValue(idpEntityId, out idp))
{
throw new InvalidOperationException("Unknown idp");
}
}
}
var returnUrl = string.IsNullOrEmpty(returnPath)
? null
: new Uri(returnPath, UriKind.RelativeOrAbsolute);
return(InitiateLoginToIdp(options, relayData, urls, idp, returnUrl));
}
public static CommandResult Run(
EntityId idpEntityId,
string returnPath,
HttpRequestData request,
IOptions options,
object relayData)
{
if(options == null)
{
throw new ArgumentNullException(nameof(options));
}
var urls = new AuthServicesUrls(request, options.SPOptions);
IdentityProvider idp;
if (idpEntityId == null || idpEntityId.Id == null)
{
if (options.SPOptions.DiscoveryServiceUrl != null)
{
return RedirectToDiscoveryService(returnPath, options.SPOptions, urls);
}
idp = options.IdentityProviders.Default;
}
else
{
if (!options.IdentityProviders.TryGetValue(idpEntityId, out idp))
{
throw new InvalidOperationException("Unknown idp");
}
}
Uri returnUrl = null;
if (!string.IsNullOrEmpty(returnPath))
{
Uri.TryCreate(request.Url, returnPath, out returnUrl);
}
var authnRequest = idp.CreateAuthenticateRequest(returnUrl, urls, relayData);
return idp.Bind(authnRequest);
}
public static CommandResult Run(
EntityId idpEntityId,
string returnPath,
HttpRequestData request,
IOptions options,
IDictionary<string, string> relayData)
{
if (options == null)
{
throw new ArgumentNullException(nameof(options));
}
var urls = new AuthServicesUrls(request, options.SPOptions);
IdentityProvider idp = options.Notifications.SelectIdentityProvider(idpEntityId, relayData);
if (idp == null)
{
if (idpEntityId?.Id == null)
{
if (options.SPOptions.DiscoveryServiceUrl != null)
{
var commandResult = RedirectToDiscoveryService(returnPath, options.SPOptions, urls);
options.Notifications.SignInCommandResultCreated(commandResult, relayData);
return commandResult;
}
idp = options.IdentityProviders.Default;
}
else
{
if (!options.IdentityProviders.TryGetValue(idpEntityId, out idp))
{
throw new InvalidOperationException("Unknown idp");
}
}
}
var returnUrl = string.IsNullOrEmpty(returnPath)
? null
: new Uri(returnPath, UriKind.RelativeOrAbsolute);
return InitiateLoginToIdp(options, relayData, urls, idp, returnUrl);
}
public CommandResult Run(HttpRequestData request, IOptions options)
{
if(options == null)
{
throw new ArgumentNullException(nameof(options));
}
var urls = new AuthServicesUrls(request, options);
var metadata = options.SPOptions.CreateMetadata(urls);
options.Notifications.MetadataCreated(metadata, urls);
var result = new CommandResult()
{
Content = metadata.ToXmlString(options.SPOptions.SigningServiceCertificate),
ContentType = "application/samlmetadata+xml"
};
options.Notifications.MetadataCommandResultCreated(result);
return result;
}
public void AuthServiecsUrls_Ctor_AcceptsFullUrls()
{
var acsUrl = new Uri("http://localhost:73/MyApp/MyAcs");
var signinUrl = new Uri("http://localhost:73/MyApp/MySignin");
var appUrl = new Uri("http://localhost:73/MyApp");
var subject = new AuthServicesUrls(acsUrl, signinUrl, appUrl);
subject.AssertionConsumerServiceUrl.ToString().Should().Be(acsUrl.ToString());
subject.SignInUrl.ToString().Should().Be(signinUrl.ToString());
subject.ApplicationUrl.Should().Be(appUrl.ToString());
}
/// <summary>
/// Create an authenticate request aimed for this idp.
/// </summary>
/// <param name="returnUrl">The return url where the browser should be sent after
/// successful authentication.</param>
/// <param name="authServicesUrls">Urls for AuthServices, used to populate fields
/// in the created AuthnRequest</param>
/// <param name="relayData">Aux data that should be preserved across the authentication</param>
/// <returns>AuthnRequest</returns>
public Saml2AuthenticationRequest CreateAuthenticateRequest(
Uri returnUrl,
AuthServicesUrls authServicesUrls,
object relayData)
{
if (authServicesUrls == null)
{
throw new ArgumentNullException("authServicesUrls");
}
var authnRequest = new Saml2AuthenticationRequest()
{
DestinationUrl = SingleSignOnServiceUrl,
AssertionConsumerServiceUrl = authServicesUrls.AssertionConsumerServiceUrl,
Issuer = spOptions.EntityId,
// For now we only support one attribute consuming service.
AttributeConsumingServiceIndex = spOptions.AttributeConsumingServices.Any() ? 0 : (int?)null
};
var responseData = new StoredRequestState(EntityId, returnUrl, relayData);
PendingAuthnRequests.Add(new Saml2Id(authnRequest.Id), responseData);
return authnRequest;
}
private static CommandResult InitiateLoginToIdp(IOptions options, IDictionary<string, string> relayData, AuthServicesUrls urls, IdentityProvider idp, Uri returnUrl)
{
var authnRequest = idp.CreateAuthenticateRequest(urls);
options.Notifications.AuthenticationRequestCreated(authnRequest, idp, relayData);
var commandResult = idp.Bind(authnRequest);
commandResult.RequestState = new StoredRequestState(
idp.EntityId, returnUrl, authnRequest.Id, relayData);
commandResult.SetCookieName = "Kentor." + authnRequest.RelayState;
options.Notifications.SignInCommandResultCreated(commandResult, relayData);
return commandResult;
}
private static Uri ExpandReturnUrl(string returnPath, HttpRequestData request, AuthServicesUrls urls)
{
Uri returnUrl = null;
if (!string.IsNullOrEmpty(returnPath))
{
var appRelativePath = request.Url.AbsolutePath.Substring(
request.ApplicationUrl.AbsolutePath.Length).TrimStart('/');
returnUrl = new Uri(new Uri(urls.ApplicationUrl, appRelativePath), returnPath);
}
return returnUrl;
}
/// <summary>
/// Create an authenticate request aimed for this idp.
/// </summary>
/// <param name="returnUrl">The return url where the browser should be sent after
/// successful authentication.</param>
/// <param name="authServicesUrls">Urls for AuthServices, used to populate fields
/// in the created AuthnRequest</param>
/// <returns>AuthnRequest</returns>
public Saml2AuthenticationRequest CreateAuthenticateRequest(
Uri returnUrl,
AuthServicesUrls authServicesUrls)
{
return CreateAuthenticateRequest(returnUrl, authServicesUrls, null);
}
public static ExtendedEntityDescriptor CreateMetadata(this ISPOptions spOptions, AuthServicesUrls urls)
{
var ed = new ExtendedEntityDescriptor
{
EntityId = spOptions.EntityId,
Organization = spOptions.Organization,
CacheDuration = spOptions.MetadataCacheDuration
};
foreach (var contact in spOptions.Contacts)
{
ed.Contacts.Add(contact);
}
var spsso = new ExtendedServiceProviderSingleSignOnDescriptor();
spsso.ProtocolsSupported.Add(new Uri("urn:oasis:names:tc:SAML:2.0:protocol"));
spsso.AssertionConsumerServices.Add(0, new IndexedProtocolEndpoint()
{
Index = 0,
IsDefault = true,
Binding = Saml2Binding.HttpPostUri,
Location = urls.AssertionConsumerServiceUrl
});
spsso.AssertionConsumerServices.Add(1, new IndexedProtocolEndpoint()
{
Index = 1,
IsDefault = false,
Binding = Saml2Binding.HttpArtifactUri,
Location = urls.AssertionConsumerServiceUrl
});
foreach(var attributeService in spOptions.AttributeConsumingServices)
{
spsso.AttributeConsumingServices.Add(attributeService);
}
if (spOptions.ServiceCertificates != null)
{
var publishCertificates = spOptions.MetadataCertificates;
foreach (var serviceCert in publishCertificates)
{
using (var securityToken = new X509SecurityToken(serviceCert.Certificate))
{
spsso.Keys.Add(
new KeyDescriptor
{
Use = (KeyType)(byte)serviceCert.Use,
KeyInfo = new SecurityKeyIdentifier(securityToken.CreateKeyIdentifierClause<X509RawDataKeyIdentifierClause>())
}
);
}
}
}
if (spOptions.DiscoveryServiceUrl != null
&& !string.IsNullOrEmpty(spOptions.DiscoveryServiceUrl.OriginalString))
{
spsso.Extensions.DiscoveryResponse = new IndexedProtocolEndpoint
{
Binding = Saml2Binding.DiscoveryResponseUri,
Index = 0,
IsDefault = true,
Location = urls.SignInUrl
};
}
ed.RoleDescriptors.Add(spsso);
return ed;
}
public void AuthServicesUrls_Ctor_EnsuresApplicationUrlEndsWithSlash()
{
var request = new HttpRequestData(
"GET",
new Uri("http://localhost:1234/Foo/Bar"),
"/Foo",
null,
null,
null);
var options = StubFactory.CreateOptions();
var subject = new AuthServicesUrls(request, options.SPOptions);
subject.ApplicationUrl.OriginalString.Should().EndWith("/");
}
public void AuthServicesUrls_Ctor_FromHttpRequest_PublicOrigin()
{
var url = new Uri("http://example.com:42/ApplicationPath/Path?name=DROP%20TABLE%20STUDENTS");
string appPath = "/ApplicationPath";
var request = Substitute.For<HttpRequestBase>();
request.HttpMethod.Returns("GET");
request.Url.Returns(url);
request.Form.Returns(new NameValueCollection { { "Key", "Value" } });
request.ApplicationPath.Returns(appPath);
var options = StubFactory.CreateOptionsPublicOrigin(new Uri("https://my.public.origin:8443/OtherPath"));
var subject = request.ToHttpRequestData();
var urls = new AuthServicesUrls(subject, options.SPOptions);
urls.AssertionConsumerServiceUrl.ShouldBeEquivalentTo("https://my.public.origin:8443/OtherPath/AuthServices/Acs");
urls.SignInUrl.ShouldBeEquivalentTo("https://my.public.origin:8443/OtherPath/AuthServices/SignIn");
}
public async Task AuthServicesUrls_Ctor_FromOwinHttpRequestData_PublicOrigin()
{
var ctx = OwinTestHelpers.CreateOwinContext();
var options = StubFactory.CreateOptionsPublicOrigin(new Uri("https://my.public.origin:8443/"));
var subject = await ctx.ToHttpRequestData(null);
var urls = new AuthServicesUrls(subject, options.SPOptions);
urls.AssertionConsumerServiceUrl.ShouldBeEquivalentTo("https://my.public.origin:8443/AuthServices/Acs");
urls.SignInUrl.ShouldBeEquivalentTo("https://my.public.origin:8443/AuthServices/SignIn");
}
public void AuthServicesUrls_Ctor_PerRequest_PublicOrigin()
{
var options = StubFactory.CreateOptionsPublicOrigin(new Uri("https://my.public.origin:8443/"));
options.Notifications.GetPublicOrigin = (requestData) =>
{
return new Uri("https://special.public.origin/");
};
var urls = new AuthServicesUrls(new HttpRequestData("get", new Uri("http://servername/")), options);
urls.AssertionConsumerServiceUrl.ShouldBeEquivalentTo("https://special.public.origin/AuthServices/Acs");
urls.SignInUrl.ShouldBeEquivalentTo("https://special.public.origin/AuthServices/SignIn");
}
public void AuthServicesUrls_Ctor_AllowsNullAcs()
{
// AssertionConsumerServiceURL is optional in the SAML spec
var subject = new AuthServicesUrls(null, new Uri("http://localhost/signin"), null);
subject.AssertionConsumerServiceUrl.Should().Be(null);
subject.SignInUrl.ToString().Should().Be("http://localhost/signin");
}
public Saml2AuthenticationRequest CreateAuthenticateRequest(
AuthServicesUrls authServicesUrls)
{
if (authServicesUrls == null)
{
throw new ArgumentNullException(nameof(authServicesUrls));
}
var authnRequest = new Saml2AuthenticationRequest()
{
DestinationUrl = SingleSignOnServiceUrl,
AssertionConsumerServiceUrl = authServicesUrls.AssertionConsumerServiceUrl,
Issuer = spOptions.EntityId,
// For now we only support one attribute consuming service.
AttributeConsumingServiceIndex = spOptions.AttributeConsumingServices.Any() ? 0 : (int?)null,
NameIdPolicy = spOptions.NameIdPolicy,
RequestedAuthnContext = spOptions.RequestedAuthnContext
};
if (spOptions.AuthenticateRequestSigningBehavior == SigningBehavior.Always
|| (spOptions.AuthenticateRequestSigningBehavior == SigningBehavior.IfIdpWantAuthnRequestsSigned
&& WantAuthnRequestsSigned))
{
if (spOptions.SigningServiceCertificate == null)
{
throw new ConfigurationErrorsException(
string.Format(
CultureInfo.InvariantCulture,
"Idp \"{0}\" is configured for signed AuthenticateRequests, but ServiceCertificates configuration contains no certificate with usage \"Signing\" or \"Both\". To resolve this issue you can a) add a service certificate with usage \"Signing\" or \"Both\" (default if not specified is \"Both\") or b) Set the AuthenticateRequestSigningBehavior configuration property to \"Never\".",
EntityId.Id));
}
authnRequest.SigningCertificate = spOptions.SigningServiceCertificate;
}
return authnRequest;
}
public Saml2AuthenticationRequest CreateAuthenticateRequest(
Uri returnUrl,
AuthServicesUrls authServicesUrls,
object relayData)
{
if (authServicesUrls == null)
{
throw new ArgumentNullException(nameof(authServicesUrls));
}
var authnRequest = new Saml2AuthenticationRequest()
{
DestinationUrl = SingleSignOnServiceUrl,
AssertionConsumerServiceUrl = authServicesUrls.AssertionConsumerServiceUrl,
Issuer = spOptions.EntityId,
// For now we only support one attribute consuming service.
AttributeConsumingServiceIndex = spOptions.AttributeConsumingServices.Any() ? 0 : (int?)null,
};
if(spOptions.AuthenticateRequestSigningBehavior == SigningBehavior.Always)
{
if(spOptions.SigningServiceCertificate == null)
{
throw new ConfigurationErrorsException(
string.Format(
CultureInfo.InvariantCulture,
"Idp \"{0}\" is configured for signed AuthenticateRequests, but ServiceCertificates configuration contains no certificate with usage \"Signing\" or \"Both\".",
EntityId.Id));
}
authnRequest.SigningCertificate = spOptions.SigningServiceCertificate;
}
var responseData = new StoredRequestState(EntityId, returnUrl, authnRequest.Id, relayData);
PendingAuthnRequests.Add(authnRequest.RelayState, responseData);
return authnRequest;
}
public static ExtendedEntityDescriptor CreateMetadata(this ISPOptions spOptions, AuthServicesUrls urls, string entityIdSuffix)
{
var eid = string.IsNullOrEmpty(entityIdSuffix)
? spOptions.EntityId
: new EntityId(spOptions.EntityId.Id + entityIdSuffix);
var ed = new ExtendedEntityDescriptor
{
EntityId = eid,
Organization = spOptions.Organization,
CacheDuration = spOptions.MetadataCacheDuration,
};
if(spOptions.MetadataValidDuration.HasValue)
{
ed.ValidUntil = DateTime.UtcNow.Add(spOptions.MetadataValidDuration.Value);
}
foreach (var contact in spOptions.Contacts)
{
ed.Contacts.Add(contact);
}
var spsso = new ExtendedServiceProviderSingleSignOnDescriptor()
{
WantAssertionsSigned = spOptions.WantAssertionsSigned,
AuthenticationRequestsSigned = spOptions.AuthenticateRequestSigningBehavior == SigningBehavior.Always
};
spsso.ProtocolsSupported.Add(new Uri("urn:oasis:names:tc:SAML:2.0:protocol"));
spsso.AssertionConsumerServices.Add(0, new IndexedProtocolEndpoint()
{
Index = 0,
IsDefault = true,
Binding = Saml2Binding.HttpPostUri,
Location = urls.AssertionConsumerServiceUrl
});
spsso.AssertionConsumerServices.Add(1, new IndexedProtocolEndpoint()
{
Index = 1,
IsDefault = false,
Binding = Saml2Binding.HttpArtifactUri,
Location = urls.AssertionConsumerServiceUrl
});
foreach(var attributeService in spOptions.AttributeConsumingServices)
{
spsso.AttributeConsumingServices.Add(attributeService);
}
if (spOptions.ServiceCertificates != null)
{
var publishCertificates = spOptions.MetadataCertificates;
foreach (var serviceCert in publishCertificates)
{
using (var securityToken = new X509SecurityToken(serviceCert.Certificate))
{
spsso.Keys.Add(
new KeyDescriptor
{
Use = (KeyType)(byte)serviceCert.Use,
KeyInfo = new SecurityKeyIdentifier(securityToken.CreateKeyIdentifierClause<X509RawDataKeyIdentifierClause>())
}
);
}
}
}
if(spOptions.SigningServiceCertificate != null)
{
spsso.SingleLogoutServices.Add(new ProtocolEndpoint(
Saml2Binding.HttpRedirectUri, urls.LogoutUrl));
spsso.SingleLogoutServices.Add(new ProtocolEndpoint(
Saml2Binding.HttpPostUri, urls.LogoutUrl));
}
if (spOptions.DiscoveryServiceUrl != null
&& !string.IsNullOrEmpty(spOptions.DiscoveryServiceUrl.OriginalString))
{
spsso.Extensions.DiscoveryResponse = new IndexedProtocolEndpoint
{
Binding = Saml2Binding.DiscoveryResponseUri,
Index = 0,
IsDefault = true,
Location = urls.SignInUrl
};
}
ed.RoleDescriptors.Add(spsso);
return ed;
}
public static ExtendedEntityDescriptor CreateMetadata(this ISPOptions spOptions, AuthServicesUrls urls)
{
return spOptions.CreateMetadata(urls, string.Empty);
}
private static CommandResult InitiateLoginToIdp(IOptions options, IDictionary <string, string> relayData, AuthServicesUrls urls, IdentityProvider idp, Uri returnUrl)
{
var authnRequest = idp.CreateAuthenticateRequest(urls);
options.Notifications.AuthenticationRequestCreated(authnRequest, idp, relayData);
var commandResult = idp.Bind(authnRequest);
commandResult.RequestState = new StoredRequestState(
idp.EntityId, returnUrl, authnRequest.Id, relayData);
commandResult.SetCookieName = "Kentor." + authnRequest.RelayState;
options.Notifications.SignInCommandResultCreated(commandResult, relayData);
return(commandResult);
}
private static Uri ExpandReturnUrl(string returnPath, HttpRequestData request, AuthServicesUrls urls)
{
Uri returnUrl = null;
if (!string.IsNullOrEmpty(returnPath))
{
var appRelativePath = request.Url.AbsolutePath.Substring(
request.ApplicationUrl.AbsolutePath.Length).TrimStart('/');
returnUrl = new Uri(new Uri(urls.ApplicationUrl, appRelativePath), returnPath);
}
return(returnUrl);
}
private static Uri GetReturnUrl(HttpRequestData request, string returnPath, IOptions options)
{
var urls = new AuthServicesUrls(request, options.SPOptions);
if (!string.IsNullOrEmpty(returnPath))
{
return new Uri(urls.ApplicationUrl, returnPath);
}
else
{
return urls.ApplicationUrl;
}
}
