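/// <summary>
/// Handles a WS-Trust Issue request: issues a SAML 1.1 token bound to a freshly created
/// symmetric proof key and returns it in a RequestSecurityTokenResponse.
/// </summary>
/// <param name="rst">The incoming request; must not be null.</param>
/// <returns>
/// The response carrying the issued token, the caller's Context, the (possibly null) requested
/// TokenType echoed back, and matching attached/unattached references to the assertion.
/// </returns>
/// <exception cref="ArgumentNullException"><paramref name="rst"/> is null.</exception>
/// <exception cref="NotSupportedException">
/// A token type other than SAML 1.1 was requested, or the request asks for an asymmetric proof key.
/// </exception>
private RequestSecurityTokenResponse Issue(RequestSecurityToken rst) {
    // Only SAML 1.1 assertions are issued by this STS.
    const string saml11TokenType = "http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1";
    // Issued tokens are valid for 12 hours by default.
    TimeSpan tokenLifetime = TimeSpan.FromHours(12);

    // If rst is null, we're toast
    if (rst == null) {
        throw new ArgumentNullException("rst");
    }

    // Create an RSTR object
    RequestSecurityTokenResponse rstr = new RequestSecurityTokenResponse();

    string tokenType = rst.TokenType;
    Console.WriteLine("Issue: Request for token type {0}", tokenType);

    // An absent TokenType is accepted and echoed back unchanged; any other explicit type is rejected.
    if (tokenType != null && tokenType != saml11TokenType) {
        throw new NotSupportedException("Unsupported token type " + tokenType);
    }

    // The assertion is signed with the issuer's first key and referenced by X.509 thumbprint.
    SecurityKey signingKey = issuerToken.SecurityKeys[0];
    SecurityKeyIdentifier signingKeyIdentifier = new SecurityKeyIdentifier(
        issuerToken.CreateKeyIdentifierClause<X509ThumbprintKeyIdentifierClause>());

    if (rst.IsProofKeyAsymmetric()) {
        throw new NotSupportedException("Public key issuance is not supported");
    }

    // Symmetric proof key
    Console.WriteLine("Constructing Symmetric Proof Key");

    // Construct session key. This is the symmetric key that the client and the service will share.
    // It actually appears twice in the response message; once for the service and
    // once for the client. In the former case, it is typically embedded in the issued token,
    // in the latter case, it is returned in a wst:RequestedProofToken element.
    byte[] sessionKey = GetSessionKey(rst, rstr);

    // Get token to use when encrypting key material for the service
    SecurityToken encryptingToken = DetermineEncryptingToken(rst);

    // Encrypt the session key for the service; the identifier it yields is how the
    // issued assertion refers to the proof key.
    SecurityKeyIdentifier proofKeyIdentifier;
    GetEncryptedKey(encryptingToken, sessionKey, out proofKeyIdentifier);

    // Read the clock once so the validity window is exactly tokenLifetime long.
    // UtcNow avoids local-time/DST ambiguity in the window; confirm CreateSAMLToken
    // accepts UTC-kind times.
    DateTime effectiveTime = DateTime.UtcNow;
    DateTime expirationTime = effectiveTime + tokenLifetime;

    SecurityToken samlToken = CreateSAMLToken(
        effectiveTime, expirationTime, signingKey, signingKeyIdentifier, proofKeyIdentifier);

    rstr.RequestedSecurityToken = samlToken;
    rstr.Context = rst.Context;
    rstr.TokenType = tokenType;

    // One reference serves both attached and unattached use.
    SecurityKeyIdentifierClause samlReference =
        samlToken.CreateKeyIdentifierClause<SamlAssertionKeyIdentifierClause>();
    rstr.RequestedAttachedReference = samlReference;
    rstr.RequestedUnattachedReference = samlReference;

    return rstr;
}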
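/// <summary>
/// Services a WS-Trust Issue request by minting a SAML 1.1 assertion over a symmetric
/// proof key shared between client and service.
/// </summary>
/// <param name="rst">The request to service; null is rejected.</param>
/// <returns>
/// The RequestSecurityTokenResponse holding the assertion, the request Context and TokenType
/// echoed back, and one SAML assertion reference used for both the attached and the
/// unattached reference.
/// </returns>
/// <exception cref="ArgumentNullException"><paramref name="rst"/> is null.</exception>
/// <exception cref="NotSupportedException">
/// The requested token type is not SAML 1.1, or an asymmetric proof key was requested.
/// </exception>
private RequestSecurityTokenResponse Issue(RequestSecurityToken rst)
{
    // If rst is null, we're toast
    if (rst == null)
    {
        throw new ArgumentNullException("rst");
    }

    // The only token profile this STS knows how to issue.
    const string supportedTokenType = "http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1";

    // Create an RSTR object
    RequestSecurityTokenResponse rstr = new RequestSecurityTokenResponse();

    string tokenType = rst.TokenType;
    Console.WriteLine("Issue: Request for token type {0}", tokenType);

    // A request without a TokenType is allowed through and the null is echoed back in the RSTR.
    bool isUnsupportedType = tokenType != null && tokenType != supportedTokenType;
    if (isUnsupportedType)
    {
        throw new NotSupportedException("Unsupported token type " + tokenType);
    }

    // Sign with the issuer's first key; the signature references it by X.509 thumbprint.
    SecurityKey signingKey = issuerToken.SecurityKeys[0];
    X509ThumbprintKeyIdentifierClause thumbprintClause =
        issuerToken.CreateKeyIdentifierClause<X509ThumbprintKeyIdentifierClause>();
    SecurityKeyIdentifier signingKeyIdentifier = new SecurityKeyIdentifier(thumbprintClause);

    if (rst.IsProofKeyAsymmetric())
    {
        throw new NotSupportedException("Public key issuance is not supported");
    }

    // Symmetric proof key
    Console.WriteLine("Constructing Symmetric Proof Key");

    // Construct session key. This is the symmetric key that the client and the service will share.
    // It actually appears twice in the response message; once for the service and
    // once for the client. In the former case, it is typically embedded in the issued token,
    // in the latter case, it is returned in a wst:RequestedProofToken element.
    byte[] sessionKey = GetSessionKey(rst, rstr);

    // Get token to use when encrypting key material for the service
    SecurityToken encryptingToken = DetermineEncryptingToken(rst);

    // Encrypt the session key for the service. The out parameter becomes the
    // proof-key reference embedded in the assertion.
    SecurityKeyIdentifier proofKeyIdentifier;
    GetEncryptedKey(encryptingToken, sessionKey, out proofKeyIdentifier);

    // Issued tokens are valid for 12 hours by default. The expiry is derived from the
    // single effectiveTime sample rather than a second clock read, so the window is
    // exactly 12 hours. UTC is used to keep the window free of local-time/DST effects;
    // confirm CreateSAMLToken accepts UTC-kind times.
    DateTime effectiveTime = DateTime.UtcNow;
    DateTime expirationTime = effectiveTime.AddHours(12);

    SecurityToken samlToken = CreateSAMLToken(
        effectiveTime,
        expirationTime,
        signingKey,
        signingKeyIdentifier,
        proofKeyIdentifier);

    SecurityKeyIdentifierClause samlReference =
        samlToken.CreateKeyIdentifierClause<SamlAssertionKeyIdentifierClause>();

    rstr.RequestedSecurityToken = samlToken;
    rstr.Context = rst.Context;
    rstr.TokenType = tokenType;
    rstr.RequestedAttachedReference = samlReference;
    rstr.RequestedUnattachedReference = samlReference;

    return rstr;
}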