private void FillSigningKey(RoleDescriptor sts)
{
var signingKey = new KeyDescriptor(SigningCredentials.SigningKeyIdentifier)
{
Use = KeyType.Signing
};
sts.Keys.Add(signingKey);
}
private KeyDescriptor GetSigningKeyDescriptor()
{
var certificate = _options.SigningCertificate;
var clause = new X509SecurityToken(certificate).CreateKeyIdentifierClause<X509RawDataKeyIdentifierClause>();
var key = new KeyDescriptor(new SecurityKeyIdentifier(clause));
key.Use = KeyType.Signing;
return key;
}
public string GetFederationMetadata(Uri endpoint)
{
// hostname
var passiveEndpoint = new EndpointReference(endpoint.AbsoluteUri);
var activeEndpoint = new EndpointReference(endpoint.AbsoluteUri);
// metadata document
var entity = new EntityDescriptor(new EntityId(TwitterClaims.IssuerName));
var sts = new SecurityTokenServiceDescriptor();
entity.RoleDescriptors.Add(sts);
// signing key
var signingKey = new KeyDescriptor(SigningCredentials.SigningKeyIdentifier) { Use = KeyType.Signing };
sts.Keys.Add(signingKey);
// claim types
sts.ClaimTypesOffered.Add(new DisplayClaim(ClaimTypes.Name, "Name", "User name"));
sts.ClaimTypesOffered.Add(new DisplayClaim(ClaimTypes.NameIdentifier, "Name Identifier", "User name identifier"));
sts.ClaimTypesOffered.Add(new DisplayClaim(TwitterClaims.TwitterToken, "Token", "Service token"));
sts.ClaimTypesOffered.Add(new DisplayClaim(TwitterClaims.TwitterTokenSecret, "Token Secret", "Service token secret"));
// passive federation endpoint
sts.PassiveRequestorEndpoints.Add(passiveEndpoint);
// supported protocols
//Inaccessable due to protection level
//sts.ProtocolsSupported.Add(new Uri(WSFederationConstants.Namespace));
sts.ProtocolsSupported.Add(new Uri("http://docs.oasis-open.org/wsfed/federation/200706"));
// add passive STS endpoint
sts.SecurityTokenServiceEndpoints.Add(activeEndpoint);
// metadata signing
entity.SigningCredentials = SigningCredentials;
// serialize
var serializer = new MetadataSerializer();
using (var memoryStream = new MemoryStream())
{
serializer.WriteMetadata(memoryStream, entity);
return Encoding.UTF8.GetString(memoryStream.ToArray());
}
}
public byte[] GetFederationMetadata(Uri passiveSignInUrl, Uri identifier, X509Certificate2 signingCertificate)
{
var credentials = new X509SigningCredentials(signingCertificate);
// Figure out the hostname exposed from Azure and what port the service is listening on
var realm = new EndpointAddress(identifier);
var passiveEndpoint = new EndpointReference(passiveSignInUrl.AbsoluteUri);
// Create metadata document for relying party
EntityDescriptor entity = new EntityDescriptor(new EntityId(realm.Uri.AbsoluteUri));
SecurityTokenServiceDescriptor sts = new SecurityTokenServiceDescriptor();
entity.RoleDescriptors.Add(sts);
// Add STS's signing key
KeyDescriptor signingKey = new KeyDescriptor(credentials.SigningKeyIdentifier);
signingKey.Use = KeyType.Signing;
sts.Keys.Add(signingKey);
// Add offered claim types
sts.ClaimTypesOffered.Add(new DisplayClaim(ClaimTypes.AuthenticationMethod));
sts.ClaimTypesOffered.Add(new DisplayClaim(ClaimTypes.AuthenticationInstant));
sts.ClaimTypesOffered.Add(new DisplayClaim(ClaimTypes.Name));
// Add passive federation endpoint
sts.PassiveRequestorEndpoints.Add(passiveEndpoint);
// Add supported protocols
sts.ProtocolsSupported.Add(new Uri(WSFederationConstants.Namespace));
// Add passive STS endpoint
sts.SecurityTokenServiceEndpoints.Add(passiveEndpoint);
// Set credentials with which to sign the metadata
entity.SigningCredentials = credentials;
// Serialize the metadata and convert it to an XElement
MetadataSerializer serializer = new MetadataSerializer();
MemoryStream stream = new MemoryStream();
serializer.WriteMetadata(stream, entity);
stream.Flush();
return stream.ToArray();
}
public ActionResult FederationMetadata()
{
var endpoint = Request.Url.Scheme + "://" + Request.Url.Host + ":" + Request.Url.Port;
var entityDescriptor = new EntityDescriptor(new EntityId(ConfigurationManager.AppSettings["stsName"]))
{
SigningCredentials = CertificateFactory.GetSigningCredentials()
};
var roleDescriptor = new SecurityTokenServiceDescriptor();
roleDescriptor.Contacts.Add(new ContactPerson(ContactType.Administrative));
var clause = new X509RawDataKeyIdentifierClause(CertificateFactory.GetCertificate());
var securityKeyIdentifier = new SecurityKeyIdentifier(clause);
var signingKey = new KeyDescriptor(securityKeyIdentifier) {Use = KeyType.Signing};
roleDescriptor.Keys.Add(signingKey);
var endpointAddress =
new System.IdentityModel.Protocols.WSTrust.EndpointReference(endpoint + "/Security/Authorize");
roleDescriptor.PassiveRequestorEndpoints.Add(endpointAddress);
roleDescriptor.SecurityTokenServiceEndpoints.Add(endpointAddress);
roleDescriptor.ProtocolsSupported.Add(new Uri("http://docs.oasis-open.org/wsfed/federation/200706"));
entityDescriptor.RoleDescriptors.Add(roleDescriptor);
var serializer = new MetadataSerializer();
var settings = new XmlWriterSettings {Encoding = Encoding.UTF8};
var memoryStream = new MemoryStream();
var writer = XmlWriter.Create(memoryStream, settings);
serializer.WriteMetadata(writer,entityDescriptor);
writer.Flush();
var content = Content(Encoding.UTF8.GetString(memoryStream.GetBuffer()), "text/xml");
writer.Dispose();
return content;
}
private KeyDescriptor GetEncryptionDescriptor(X509Certificate2 certificate)
{
var clause = new X509SecurityToken(certificate).CreateKeyIdentifierClause<X509RawDataKeyIdentifierClause>();
var key = new KeyDescriptor(new SecurityKeyIdentifier(clause));
key.Use = KeyType.Encryption;
return key;
}