/// <summary> /// Creates an instance of Saml2AuthenticationContext. /// </summary> /// <param name="authenticationContext">The authentication context of this statement.</param> /// <param name="authenticationInstant">The time of the authentication.</param> public Saml2AuthenticationStatement(Saml2AuthenticationContext authenticationContext, DateTime authenticationInstant) { if (null == authenticationContext) { throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("authenticationContext"); } this.authnContext = authenticationContext; this.authnInstant = DateTimeUtil.ToUniversalTime(authenticationInstant); }
private static SecurityToken GenerateHardcodedToken() { var securityTokenDescriptor = new SecurityTokenDescriptor(); securityTokenDescriptor.Subject = ClaimsPrincipal.Current.Identity as ClaimsIdentity; securityTokenDescriptor.Lifetime = new Lifetime(DateTime.Now, DateTime.Now.AddDays(2)); securityTokenDescriptor.TokenIssuerName = "http://identityserver.v2.thinktecture.com/trust/changethis"; securityTokenDescriptor.AppliesToAddress = "https://windows7:444/identity/wstrust/bearer"; securityTokenDescriptor.SigningCredentials = GenerateSigningCredentials(); Saml2SecurityTokenHandler saml2SecurityTokenHandler = new Saml2SecurityTokenHandler(); var saml2SecurityToken = saml2SecurityTokenHandler.CreateToken(securityTokenDescriptor) as Saml2SecurityToken; var authenticationMethod = "urn:oasis:names:tc:SAML:2.0:ac:classes:Password"; var authenticationContext = new Saml2AuthenticationContext(new Uri(authenticationMethod)); saml2SecurityToken.Assertion.Statements.Add(new Saml2AuthenticationStatement(authenticationContext)); return saml2SecurityToken; }
/// <summary> /// Creates a Saml2AuthenticationStatement. /// </summary> /// <param name="authenticationContext">The authentication context of this statement.</param> public Saml2AuthenticationStatement(Saml2AuthenticationContext authenticationContext) : this(authenticationContext, DateTime.UtcNow) { }
/// <summary> /// Writes the <saml:AuthnContext> element. /// </summary> /// <param name="writer">A <see cref="XmlWriter"/> to serialize the <see cref="Saml2AuthenticationContext"/>.</param> /// <param name="data">The <see cref="Saml2AuthenticationContext"/> to serialize.</param> protected virtual void WriteAuthenticationContext(XmlWriter writer, Saml2AuthenticationContext data) { if (null == writer) { throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("writer"); } if (null == data) { throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("data"); } // One of ClassRef and DeclRef must be present. if (null == data.ClassReference && null == data.DeclarationReference) { throw DiagnosticUtility.ExceptionUtility.ThrowHelperError( new InvalidOperationException(SR.GetString(SR.ID4117))); } // <AuthnContext> writer.WriteStartElement(Saml2Constants.Elements.AuthnContext, Saml2Constants.Namespace); // <AuthnContextClassReference> 0-1 if (null != data.ClassReference) { writer.WriteElementString(Saml2Constants.Elements.AuthnContextClassRef, Saml2Constants.Namespace, data.ClassReference.AbsoluteUri); } // <AuthnContextDeclRef> 0-1 if (null != data.DeclarationReference) { writer.WriteElementString(Saml2Constants.Elements.AuthnContextDeclRef, Saml2Constants.Namespace, data.DeclarationReference.AbsoluteUri); } // <AuthenticatingAuthority> 0-OO foreach (Uri authority in data.AuthenticatingAuthorities) { writer.WriteElementString(Saml2Constants.Elements.AuthenticatingAuthority, Saml2Constants.Namespace, authority.AbsoluteUri); } // </AuthnContext> writer.WriteEndElement(); }
/// <summary> /// Reads the <saml:AuthnContext> element. /// </summary> /// <remarks> /// The default implementation does not handle the optional /// <saml:AuthnContextDecl> element. To handle by-value /// authentication context declarations, override this method. /// </remarks> /// <param name="reader">A <see cref="XmlReader"/> positioned at a <see cref="Saml2AuthenticationContext"/> element.</param> /// <returns>A <see cref="Saml2AuthenticationContext"/> instance.</returns> protected virtual Saml2AuthenticationContext ReadAuthenticationContext(XmlReader reader) { if (null == reader) { throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("reader"); } // throw if wrong element if (!reader.IsStartElement(Saml2Constants.Elements.AuthnContext, Saml2Constants.Namespace)) { reader.ReadStartElement(Saml2Constants.Elements.AuthnContext, Saml2Constants.Namespace); } try { // Disallow empty if (reader.IsEmptyElement) { throw DiagnosticUtility.ThrowHelperXml(reader, SR.GetString(SR.ID3061, Saml2Constants.Elements.AuthnContext, Saml2Constants.Namespace)); } // @attributes // @xsi:type XmlUtil.ValidateXsiType(reader, Saml2Constants.Types.AuthnContextType, Saml2Constants.Namespace); // Content reader.ReadStartElement(); // At least one of ClassRef and ( Decl XOR DeclRef) must be present // At this time, we do not support Decl, which is a by-value // authentication context declaration. Uri classRef = null; Uri declRef = null; // <AuthnContextClassRef> - see comment above if (reader.IsStartElement(Saml2Constants.Elements.AuthnContextClassRef, Saml2Constants.Namespace)) { classRef = ReadSimpleUriElement(reader); } // <AuthnContextDecl> - see comment above if (reader.IsStartElement(Saml2Constants.Elements.AuthnContextDecl, Saml2Constants.Namespace)) { throw DiagnosticUtility.ThrowHelperXml(reader, SR.GetString(SR.ID4118)); } // <AuthnContextDeclRef> - see comment above // If there was no ClassRef, there must be a DeclRef if (reader.IsStartElement(Saml2Constants.Elements.AuthnContextDeclRef, Saml2Constants.Namespace)) { declRef = ReadSimpleUriElement(reader); } else if (null == classRef) { reader.ReadStartElement(Saml2Constants.Elements.AuthnContextDeclRef, Saml2Constants.Namespace); } // Now we have enough data to create the object Saml2AuthenticationContext authnContext = new Saml2AuthenticationContext(classRef, declRef); // <AuthenticatingAuthority> - 0-OO while (reader.IsStartElement(Saml2Constants.Elements.AuthenticatingAuthority, Saml2Constants.Namespace)) { authnContext.AuthenticatingAuthorities.Add(ReadSimpleUriElement(reader)); } reader.ReadEndElement(); return authnContext; } catch (Exception e) { if (System.Runtime.Fx.IsFatal(e)) throw; Exception wrapped = TryWrapReadException(reader, e); if (null == wrapped) { throw; } else { throw wrapped; } } }
/// <summary> /// Given an AuthenticationInformation object, this routine creates a Saml2AuthenticationStatement /// to be added to the Saml2Assertion that is produced by the factory. /// </summary> /// <param name="authInfo"> /// An AuthenticationInformation object containing the state to be wrapped as a Saml2AuthenticationStatement /// object. /// </param> /// <param name="tokenDescriptor">The token descriptor.</param> /// <returns> /// The Saml2AuthenticationStatement to add to the assertion being created or null to ignore the AuthenticationInformation /// being wrapped as a statement. /// </returns> protected virtual Saml2AuthenticationStatement CreateAuthenticationStatement(AuthenticationInformation authInfo, SecurityTokenDescriptor tokenDescriptor) { if (tokenDescriptor == null) { throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("tokenDescriptor"); } if (tokenDescriptor.Subject == null) { return null; } string authenticationMethod = null; string authenticationInstant = null; // Search for an Authentication Claim. IEnumerable<Claim> claimCollection = from c in tokenDescriptor.Subject.Claims where c.Type == ClaimTypes.AuthenticationMethod select c; if (claimCollection.Count<Claim>() > 0) { // We support only one authentication statement and hence we just pick the first authentication type // claim found in the claim collection. Since the spec allows multiple Auth Statements, // we do not throw an error. authenticationMethod = claimCollection.First<Claim>().Value; } claimCollection = from c in tokenDescriptor.Subject.Claims where c.Type == ClaimTypes.AuthenticationInstant select c; if (claimCollection.Count<Claim>() > 0) { authenticationInstant = claimCollection.First<Claim>().Value; } if (authenticationMethod == null && authenticationInstant == null) { return null; } else if (authenticationMethod == null) { throw DiagnosticUtility.ThrowHelperInvalidOperation(SR.GetString(SR.ID4270, "AuthenticationMethod", "SAML2")); } else if (authenticationInstant == null) { throw DiagnosticUtility.ThrowHelperInvalidOperation(SR.GetString(SR.ID4270, "AuthenticationInstant", "SAML2")); } Uri saml2AuthenticationClass; if (!UriUtil.TryCreateValidUri(this.DenormalizeAuthenticationType(authenticationMethod), UriKind.Absolute, out saml2AuthenticationClass)) { throw DiagnosticUtility.ThrowHelperInvalidOperation(SR.GetString(SR.ID4185, authenticationMethod)); } Saml2AuthenticationContext authCtx = new Saml2AuthenticationContext(saml2AuthenticationClass); DateTime authInstantTime = DateTime.ParseExact(authenticationInstant, DateTimeFormats.Accepted, DateTimeFormatInfo.InvariantInfo, DateTimeStyles.None).ToUniversalTime(); Saml2AuthenticationStatement authnStatement = new Saml2AuthenticationStatement(authCtx, authInstantTime); if (authInfo != null) { if (!string.IsNullOrEmpty(authInfo.DnsName) || !string.IsNullOrEmpty(authInfo.Address)) { authnStatement.SubjectLocality = new Saml2SubjectLocality(authInfo.Address, authInfo.DnsName); } if (!string.IsNullOrEmpty(authInfo.Session)) { authnStatement.SessionIndex = authInfo.Session; } authnStatement.SessionNotOnOrAfter = authInfo.NotOnOrAfter; } return authnStatement; }