public void Validation () { Authenticator a = new Authenticator ( new SecurityTokenAuthenticator [] { new CustomUserNameSecurityTokenAuthenticator (UserNamePasswordValidator.None), new X509SecurityTokenAuthenticator (X509CertificateValidator.None), }); PolicyCollection pl = a.ValidateToken (GetSamlToken ()); Assert.AreEqual (1, pl.Count, "#1"); IAuthorizationPolicy p = pl [0]; Assert.AreEqual (ClaimSet.System, p.Issuer, "#2"); TestEvaluationContext ec = new TestEvaluationContext (); object o = null; Assert.IsTrue (p.Evaluate (ec, ref o), "#3"); Assert.AreEqual (DateTime.MaxValue.AddDays (-1), ec.ExpirationTime, "#4"); IList<IIdentity> identities = ec.Properties ["Identities"] as IList<IIdentity>; Assert.IsNotNull (identities, "#5"); Assert.AreEqual (1, identities.Count, "#6"); IIdentity ident = identities [0]; Assert.AreEqual (true, ident.IsAuthenticated, "#6-2"); // it's implementation details. //Assert.AreEqual ("NoneUserNamePasswordValidator", ident.AuthenticationType, "#6-3"); Assert.AreEqual ("mono", ident.Name, "#6-4"); Assert.AreEqual (1, ec.ClaimSets.Count, "#7"); Assert.IsTrue (p.Evaluate (ec, ref o), "#8"); identities = ec.Properties ["Identities"] as IList<IIdentity>; Assert.AreEqual (2, identities.Count, "#9"); Assert.AreEqual (2, ec.ClaimSets.Count, "#10"); }
public void Validation() { Authenticator a = new Authenticator( new SecurityTokenAuthenticator [] { new CustomUserNameSecurityTokenAuthenticator(UserNamePasswordValidator.None), new X509SecurityTokenAuthenticator(X509CertificateValidator.None), }); PolicyCollection pl = a.ValidateToken(GetSamlToken()); Assert.AreEqual(1, pl.Count, "#1"); IAuthorizationPolicy p = pl [0]; Assert.AreEqual(ClaimSet.System, p.Issuer, "#2"); TestEvaluationContext ec = new TestEvaluationContext(); object o = null; Assert.IsTrue(p.Evaluate(ec, ref o), "#3"); Assert.AreEqual(DateTime.MaxValue.AddDays(-1), ec.ExpirationTime, "#4"); IList <IIdentity> identities = ec.Properties ["Identities"] as IList <IIdentity>; Assert.IsNotNull(identities, "#5"); Assert.AreEqual(1, identities.Count, "#6"); IIdentity ident = identities [0]; Assert.AreEqual(true, ident.IsAuthenticated, "#6-2"); // it's implementation details. //Assert.AreEqual ("NoneUserNamePasswordValidator", ident.AuthenticationType, "#6-3"); Assert.AreEqual("mono", ident.Name, "#6-4"); Assert.AreEqual(1, ec.ClaimSets.Count, "#7"); Assert.IsTrue(p.Evaluate(ec, ref o), "#8"); identities = ec.Properties ["Identities"] as IList <IIdentity>; Assert.AreEqual(2, identities.Count, "#9"); Assert.AreEqual(2, ec.ClaimSets.Count, "#10"); }
public override IAuthorizationPolicy CreatePolicy(ClaimSet issuer, SamlSecurityTokenAuthenticator samlAuthenticator) { if (issuer == null) { throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("issuer"); } if (this.policy == null) { List<ClaimSet> list = new List<ClaimSet>(); ClaimSet item = this.subject.ExtractSubjectKeyClaimSet(samlAuthenticator); if (item != null) { list.Add(item); } List<Claim> claims = new List<Claim>(); ReadOnlyCollection<Claim> onlys = this.subject.ExtractClaims(); for (int i = 0; i < onlys.Count; i++) { claims.Add(onlys[i]); } this.AddClaimsToList(claims); list.Add(new DefaultClaimSet(issuer, claims)); this.policy = new UnconditionalPolicy(this.subject.Identity, list.AsReadOnly(), System.IdentityModel.SecurityUtils.MaxUtcDateTime); } return this.policy; }
public override IAuthorizationPolicy CreatePolicy(ClaimSet issuer, SamlSecurityTokenAuthenticator samlAuthenticator) { if (issuer == null) throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("issuer"); // SupportingTokenAuthenticator collection can be null when the Subject does not // contain a key. if (this.policy == null) { List<ClaimSet> claimSets = new List<ClaimSet>(); ClaimSet subjectKeyClaimset = this.subject.ExtractSubjectKeyClaimSet(samlAuthenticator); if (subjectKeyClaimset != null) claimSets.Add(subjectKeyClaimset); List<Claim> claims = new List<Claim>(); ReadOnlyCollection<Claim> subjectClaims = this.subject.ExtractClaims(); for (int i = 0; i < subjectClaims.Count; ++i) { claims.Add(subjectClaims[i]); } AddClaimsToList(claims); claimSets.Add(new DefaultClaimSet(issuer, claims)); this.policy = new UnconditionalPolicy(this.subject.Identity, claimSets.AsReadOnly(), SecurityUtils.MaxUtcDateTime); } return this.policy; }
private SamlSecurityTokenAuthenticator CreateSamlTokenAuthenticator(RecipientServiceModelSecurityTokenRequirement recipientRequirement, out SecurityTokenResolver outOfBandTokenResolver) { SamlSecurityTokenAuthenticator authenticator; if (recipientRequirement == null) { throw System.ServiceModel.DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("recipientRequirement"); } Collection<SecurityToken> collection = new Collection<SecurityToken>(); if (this.parent.ServiceCertificate.Certificate != null) { collection.Add(new X509SecurityToken(this.parent.ServiceCertificate.Certificate)); } List<SecurityTokenAuthenticator> supportingAuthenticators = new List<SecurityTokenAuthenticator>(); if ((this.parent.IssuedTokenAuthentication.KnownCertificates != null) && (this.parent.IssuedTokenAuthentication.KnownCertificates.Count > 0)) { for (int i = 0; i < this.parent.IssuedTokenAuthentication.KnownCertificates.Count; i++) { collection.Add(new X509SecurityToken(this.parent.IssuedTokenAuthentication.KnownCertificates[i])); } } X509CertificateValidator certificateValidator = this.parent.IssuedTokenAuthentication.GetCertificateValidator(); supportingAuthenticators.Add(new X509SecurityTokenAuthenticator(certificateValidator)); if (this.parent.IssuedTokenAuthentication.AllowUntrustedRsaIssuers) { supportingAuthenticators.Add(new RsaSecurityTokenAuthenticator()); } outOfBandTokenResolver = (collection.Count > 0) ? SecurityTokenResolver.CreateDefaultSecurityTokenResolver(new ReadOnlyCollection<SecurityToken>(collection), false) : null; if ((recipientRequirement.SecurityBindingElement == null) || (recipientRequirement.SecurityBindingElement.LocalServiceSettings == null)) { authenticator = new SamlSecurityTokenAuthenticator(supportingAuthenticators); } else { authenticator = new SamlSecurityTokenAuthenticator(supportingAuthenticators, recipientRequirement.SecurityBindingElement.LocalServiceSettings.MaxClockSkew); } authenticator.AudienceUriMode = this.parent.IssuedTokenAuthentication.AudienceUriMode; IList<string> allowedAudienceUris = authenticator.AllowedAudienceUris; if (this.parent.IssuedTokenAuthentication.AllowedAudienceUris != null) { for (int j = 0; j < this.parent.IssuedTokenAuthentication.AllowedAudienceUris.Count; j++) { allowedAudienceUris.Add(this.parent.IssuedTokenAuthentication.AllowedAudienceUris[j]); } } if (recipientRequirement.ListenUri != null) { allowedAudienceUris.Add(recipientRequirement.ListenUri.AbsoluteUri); } return authenticator; }
/// <summary> /// Token Constructor /// </summary> /// <param name="xmlToken">Encrypted xml token</param> public Token(String xmlToken) { byte[] decryptedData = decryptToken(xmlToken); XmlReader reader = new XmlTextReader(new StreamReader(new MemoryStream(decryptedData), Encoding.UTF8)); m_token = (SamlSecurityToken)WSSecurityTokenSerializer.DefaultInstance.ReadToken(reader, null); SamlSecurityTokenAuthenticator authenticator = new SamlSecurityTokenAuthenticator(new List<SecurityTokenAuthenticator>( new SecurityTokenAuthenticator[]{ new RsaSecurityTokenAuthenticator(), new X509SecurityTokenAuthenticator() }), MaximumTokenSkew); if (authenticator.CanValidateToken(m_token)) { ReadOnlyCollection<IAuthorizationPolicy> policies = authenticator.ValidateToken(m_token); m_authorizationContext = AuthorizationContext.CreateDefaultAuthorizationContext(policies); FindIdentityClaims(); } else { throw new Exception("Unable to validate the token."); } }
public abstract IAuthorizationPolicy CreatePolicy(ClaimSet issuer, SamlSecurityTokenAuthenticator samlAuthenticator);
public virtual ClaimSet ExtractSubjectKeyClaimSet(SamlSecurityTokenAuthenticator samlAuthenticator) { if ((this.subjectKeyClaimset == null) && (this.securityKeyIdentifier != null)) { if (samlAuthenticator == null) { throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("samlAuthenticator"); } if (this.subjectToken != null) { this.subjectKeyClaimset = samlAuthenticator.ResolveClaimSet(this.subjectToken); this.identity = samlAuthenticator.ResolveIdentity(this.subjectToken); if ((this.identity == null) && (this.subjectKeyClaimset != null)) { Claim claim = null; foreach (Claim claim2 in this.subjectKeyClaimset.FindClaims(null, Rights.Identity)) { claim = claim2; break; } if (claim != null) { this.identity = System.IdentityModel.SecurityUtils.CreateIdentity(claim.Resource.ToString(), base.GetType().Name); } } } if (this.subjectKeyClaimset == null) { this.subjectKeyClaimset = samlAuthenticator.ResolveClaimSet(this.securityKeyIdentifier); this.identity = samlAuthenticator.ResolveIdentity(this.securityKeyIdentifier); } } return this.subjectKeyClaimset; }
/// <summary> /// Token Authentication. Translates the decrypted data into a AuthContext. /// </summary> /// <param name="reader">The token XML reader.</param> /// <param name="audience">The audience that the token must be scoped for. /// Use <c>null</c> to indicate any audience is acceptable.</param> /// <returns> /// The authorization context carried by the token. /// </returns> internal static AuthorizationContext AuthenticateToken(XmlReader reader, Uri audience) { Contract.Ensures(Contract.Result<AuthorizationContext>() != null); // Extensibility Point: // in order to accept different token types, you would need to add additional // code to create an authenticationcontext from the security token. // This code only supports SamlSecurityToken objects. SamlSecurityToken token = WSSecurityTokenSerializer.DefaultInstance.ReadToken(reader, null) as SamlSecurityToken; if (null == token) { throw new InformationCardException("Unable to read security token"); } if (null != token.SecurityKeys && token.SecurityKeys.Count > 0) { throw new InformationCardException("Token Security Keys Exist"); } if (audience == null) { Logger.InfoCard.Warn("SAML token Audience checking will be skipped."); } else { if (token.Assertion.Conditions != null && token.Assertion.Conditions.Conditions != null) { foreach (SamlCondition condition in token.Assertion.Conditions.Conditions) { SamlAudienceRestrictionCondition audienceCondition = condition as SamlAudienceRestrictionCondition; if (audienceCondition != null) { Logger.InfoCard.DebugFormat("SAML token audience(s): {0}", audienceCondition.Audiences.ToStringDeferred()); bool match = audienceCondition.Audiences.Contains(audience); if (!match && Logger.InfoCard.IsErrorEnabled) { Logger.InfoCard.ErrorFormat("Expected SAML token audience of {0} but found {1}.", audience.AbsoluteUri, audienceCondition.Audiences.Select(aud => aud.AbsoluteUri).ToStringDeferred()); } // The token is invalid if any condition is not valid. // An audience restriction condition is valid if any audience // matches the Relying Party. InfoCardErrorUtilities.VerifyInfoCard(match, InfoCardStrings.AudienceMismatch); } } } } var samlAuthenticator = new SamlSecurityTokenAuthenticator( new List<SecurityTokenAuthenticator>( new SecurityTokenAuthenticator[] { new RsaSecurityTokenAuthenticator(), new X509SecurityTokenAuthenticator(), }), MaximumClockSkew); return AuthorizationContext.CreateDefaultAuthorizationContext(samlAuthenticator.ValidateToken(token)); }
private void ParseToken(string xmlToken, X509Certificate2 cert) { int skew = 300; // default to 5 minutes string tokenskew = System.Configuration.ConfigurationManager.AppSettings["MaximumClockSkew"]; if (!string.IsNullOrEmpty(tokenskew)) skew = Int32.Parse(tokenskew); XmlReader tokenReader = new XmlTextReader(new StringReader(xmlToken)); EncryptedData enc = new EncryptedData(); enc.TokenSerializer = WSSecurityTokenSerializer.DefaultInstance; enc.ReadFrom(tokenReader); List<SecurityToken> tokens = new List<SecurityToken>(); SecurityToken encryptingToken = new X509SecurityToken(cert); tokens.Add(encryptingToken); SecurityTokenResolver tokenResolver = SecurityTokenResolver.CreateDefaultSecurityTokenResolver(tokens.AsReadOnly(), false); SymmetricSecurityKey encryptingCrypto; // an error here usually means that you have selected the wrong key. encryptingCrypto = (SymmetricSecurityKey)tokenResolver.ResolveSecurityKey(enc.KeyIdentifier[0]); SymmetricAlgorithm algorithm = encryptingCrypto.GetSymmetricAlgorithm(enc.EncryptionMethod); byte[] decryptedData = enc.GetDecryptedBuffer(algorithm); SecurityTokenSerializer tokenSerializer = WSSecurityTokenSerializer.DefaultInstance; XmlReader reader = new XmlTextReader(new StreamReader(new MemoryStream(decryptedData), Encoding.UTF8)); m_token = (SamlSecurityToken)tokenSerializer.ReadToken(reader, tokenResolver); SamlSecurityTokenAuthenticator authenticator = new SamlSecurityTokenAuthenticator(new List<SecurityTokenAuthenticator>( new SecurityTokenAuthenticator[]{ new RsaSecurityTokenAuthenticator(), new X509SecurityTokenAuthenticator() }), new TimeSpan(0, 0, skew)); if (authenticator.CanValidateToken(m_token)) { ReadOnlyCollection<IAuthorizationPolicy> policies = authenticator.ValidateToken(m_token); m_authorizationContext = AuthorizationContext.CreateDefaultAuthorizationContext(policies); m_identityClaims = FindIdentityClaims(m_authorizationContext); } else { throw new Exception("Unable to validate the token."); } }
SamlSecurityTokenAuthenticator CreateSamlTokenAuthenticator(RecipientServiceModelSecurityTokenRequirement recipientRequirement, out SecurityTokenResolver outOfBandTokenResolver) { if (recipientRequirement == null) throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("recipientRequirement"); Collection<SecurityToken> outOfBandTokens = new Collection<SecurityToken>(); if (parent.ServiceCertificate.Certificate != null) { outOfBandTokens.Add(new X509SecurityToken(parent.ServiceCertificate.Certificate)); } List<SecurityTokenAuthenticator> supportingAuthenticators = new List<SecurityTokenAuthenticator>(); if ((parent.IssuedTokenAuthentication.KnownCertificates != null) && (parent.IssuedTokenAuthentication.KnownCertificates.Count > 0)) { for (int i = 0; i < parent.IssuedTokenAuthentication.KnownCertificates.Count; ++i) { outOfBandTokens.Add(new X509SecurityToken(parent.IssuedTokenAuthentication.KnownCertificates[i])); } } X509CertificateValidator validator = parent.IssuedTokenAuthentication.GetCertificateValidator(); supportingAuthenticators.Add(new X509SecurityTokenAuthenticator(validator)); if (parent.IssuedTokenAuthentication.AllowUntrustedRsaIssuers) { supportingAuthenticators.Add(new RsaSecurityTokenAuthenticator()); } outOfBandTokenResolver = (outOfBandTokens.Count > 0) ? SecurityTokenResolver.CreateDefaultSecurityTokenResolver(new ReadOnlyCollection<SecurityToken>(outOfBandTokens), false) : null; SamlSecurityTokenAuthenticator ssta; if ((recipientRequirement.SecurityBindingElement == null) || (recipientRequirement.SecurityBindingElement.LocalServiceSettings == null)) { ssta = new SamlSecurityTokenAuthenticator(supportingAuthenticators); } else { ssta = new SamlSecurityTokenAuthenticator(supportingAuthenticators, recipientRequirement.SecurityBindingElement.LocalServiceSettings.MaxClockSkew); } // set audience uri restrictions ssta.AudienceUriMode = parent.IssuedTokenAuthentication.AudienceUriMode; IList<string> allowedAudienceUris = ssta.AllowedAudienceUris; if (parent.IssuedTokenAuthentication.AllowedAudienceUris != null) { for (int i = 0; i < parent.IssuedTokenAuthentication.AllowedAudienceUris.Count; i++) allowedAudienceUris.Add(parent.IssuedTokenAuthentication.AllowedAudienceUris[i]); } if (recipientRequirement.ListenUri != null) { allowedAudienceUris.Add(recipientRequirement.ListenUri.AbsoluteUri); } return ssta; }
public virtual ClaimSet ExtractSubjectKeyClaimSet ( SamlSecurityTokenAuthenticator samlAuthenticator) { throw new NotImplementedException (); }
public override IAuthorizationPolicy CreatePolicy ( ClaimSet issuer, SamlSecurityTokenAuthenticator samlAuthenticator) { throw new NotImplementedException (); }
/// <summary> /// Token Authentication. Translates the decrypted data into a AuthContext /// /// This method makes a strong assumption that the decrypted token in in UTF-8 format. /// </summary> /// <param name="decryptedTokenData">Decrypted token</param> public static AuthorizationContext AuthenticateToken(byte[] decryptedTokenData) { string t = Encoding.UTF8.GetString(decryptedTokenData); XmlReader reader = new XmlTextReader(new StreamReader(new MemoryStream(decryptedTokenData), Encoding.UTF8)); // Extensibility Point: // in order to accept different token types, you would need to add additional // code to create an authenticationcontext from the security token. // This code only supports SamlSecurityToken objects. SamlSecurityToken token = WSSecurityTokenSerializer.DefaultInstance.ReadToken(reader, null) as SamlSecurityToken; if( null == token ) throw new InformationCardException("Unable to read security token"); if (null != token.SecurityKeys && token.SecurityKeys.Count > 0) throw new InformationCardException("Token Security Keys Exist"); if (null != _audience && null != token.Assertion.Conditions && null != token.Assertion.Conditions.Conditions) { foreach (SamlCondition condition in token.Assertion.Conditions.Conditions) { SamlAudienceRestrictionCondition audienceCondition = condition as SamlAudienceRestrictionCondition; if (null != audienceCondition) { bool match = false; foreach (Uri audience in audienceCondition.Audiences) { match = audience.Equals(_audience); if (match) break; } // // The token is invalid if any condition is not valid. // An audience restriction condition is valid if any audience // matches the Relying Party. // if (!match) { throw new InformationCardException("The token is invalid: The audience restrictions does not match the Relying Party."); } } } } /*SamlSecurityTokenAuthenticator SamlAuthenticator = new SamlSecurityTokenAuthenticator(new List<SecurityTokenAuthenticator>( new SecurityTokenAuthenticator[]{ new RsaSecurityTokenAuthenticator(), new X509SecurityTokenAuthenticator() }), MaximumTokenSkew);*/ SamlSecurityTokenAuthenticator SamlAuthenticator = new SamlSecurityTokenAuthenticator(new List<SecurityTokenAuthenticator>( new SecurityTokenAuthenticator[]{ new RsaSecurityTokenAuthenticator(), new X509SecurityTokenAuthenticator(X509CertificateValidator.None) }), MaximumTokenSkew); return AuthorizationContext.CreateDefaultAuthorizationContext(SamlAuthenticator.ValidateToken(token)); }
public SamlAuthorizationPolicy (SamlSecurityTokenAuthenticator authenticator, SamlSecurityToken token) : base (new UniqueId ().ToString ()) { this.authenticator = authenticator; this.token = token; }