protected override ClaimsIdentity GetOutputClaimsIdentity(ClaimsPrincipal principal, RequestSecurityToken request, Scope scope)
{
ClaimsIdentity sourceIdentity = principal.Identities.First();
ClaimsIdentity destinationIndentity = new ClaimsIdentity("Sample");
CopyClaim(sourceIdentity, destinationIndentity);
return destinationIndentity;
}
protected override System.Security.Claims.ClaimsIdentity GetOutputClaimsIdentity(System.Security.Claims.ClaimsPrincipal principal, System.IdentityModel.Protocols.WSTrust.RequestSecurityToken request, Scope scope)
{
ClaimsIdentity outgoingIdentity = new ClaimsIdentity();
outgoingIdentity.AddClaim(new Claim("http://schemas.microsoft.com/ws/2008/06/identity/claims/role", "Student"));
return outgoingIdentity;
}
protected override Scope GetScope(ClaimsPrincipal principal, RequestSecurityToken request)
{
// Validate the AppliesTo address
ValidateAppliesTo( request.AppliesTo );
// Create the scope using the request AppliesTo address and the RP identity
Scope scope = new Scope( request.AppliesTo.Uri.AbsoluteUri, _signingCreds );
if (Uri.IsWellFormedUriString(request.ReplyTo, UriKind.Absolute))
{
if (request.AppliesTo.Uri.Host != new Uri(request.ReplyTo).Host)
scope.ReplyToAddress = request.AppliesTo.Uri.AbsoluteUri;
else
scope.ReplyToAddress = request.ReplyTo;
}
else
{
Uri resultUri = null;
if (Uri.TryCreate(request.AppliesTo.Uri, request.ReplyTo, out resultUri))
scope.ReplyToAddress = resultUri.AbsoluteUri;
else
scope.ReplyToAddress = request.AppliesTo.Uri.ToString() ;
}
// Note: In this sample app only a single RP identity is shown, which is localhost, and the certificate of that RP is
// populated as _encryptingCreds
// If you have multiple RPs for the STS you would select the certificate that is specific to
// the RP that requests the token and then use that for _encryptingCreds
scope.EncryptingCredentials = _encryptingCreds;
return scope;
}
protected override ClaimsIdentity GetOutputClaimsIdentity(ClaimsPrincipal principal, RequestSecurityToken request, Scope scope)
{
if (null == principal)
{
throw new ArgumentNullException("principal");
}
var outputIdentity = new ClaimsIdentity();
IEnumerable<Claim> outputClaims;
if (this.scopeModel.UseClaimsPolicyEngine)
{
IClaimsPolicyEvaluator evaluator = new ClaimsPolicyEvaluator(PolicyStoreFactory.Instance);
outputClaims = evaluator.Evaluate(new Uri(scope.AppliesToAddress), ((ClaimsIdentity)principal.Identity).Claims);
}
else
{
outputClaims = ((ClaimsIdentity)principal.Identity).Claims;
}
outputIdentity.AddClaims(outputClaims);
if (outputIdentity.Name == null && outputIdentity.Claims.SingleOrDefault(c => c.Type == ClaimTypes.NameIdentifier) != null)
outputIdentity.AddClaim(new Claim(ClaimTypes.Name, outputIdentity.Claims.SingleOrDefault(c => c.Type == ClaimTypes.NameIdentifier).Value));
var isPersistent =
((ClaimsIdentity)principal.Identity).Claims.SingleOrDefault(c => c.Type == ClaimTypes.IsPersistent);
if (isPersistent != null)
{
outputIdentity.AddClaim(new Claim(ClaimTypes.IsPersistent, isPersistent.Value));
}
return outputIdentity;
}
protected override Scope GetScope(System.Security.Claims.ClaimsPrincipal principal, System.IdentityModel.Protocols.WSTrust.RequestSecurityToken request)
{
Scope scope = new Scope(request.AppliesTo.Uri.AbsoluteUri);
scope.TokenEncryptionRequired = false;
scope.SymmetricKeyEncryptionRequired = false;
return scope;
}
protected override Scope GetScope(ClaimsPrincipal principal, RequestSecurityToken request)
{
//
// TODO: Limit use of STS (via RequestSecurityToken.AppliesTo property) and add encryption in this method.
//
ValidateAppliesTo(request.AppliesTo);
var scope = new Scope(request.AppliesTo.Uri.OriginalString, SecurityTokenServiceConfiguration.SigningCredentials);
if (!string.IsNullOrEmpty(ConfigurationManager.AppSettings["EncryptionCertificate"]))
{
// Important note on setting the encrypting credentials.
// In a production deployment, you would need to select a certificate that is specific to the RP that is requesting the token.
// You can examine the 'request' to obtain information to determine the certificate to use.
var encryptingCertificate = GetCertificate(ConfigurationManager.AppSettings["EncryptionCertificate"]);
var encryptingCredentials = new X509EncryptingCredentials(encryptingCertificate);
scope.EncryptingCredentials = encryptingCredentials;
}
else
{
// If there is no encryption certificate specified, the STS will not perform encryption.
// This will succeed for tokens that are created without keys (BearerTokens) or asymmetric keys.
scope.TokenEncryptionRequired = false;
}
// Specify where the user will be redirected to, upon posting the form.
scope.ReplyToAddress = request.ReplyTo;
return scope;
}
protected override ClaimsIdentity GetOutputClaimsIdentity(ClaimsPrincipal principal, RequestSecurityToken request, Scope scope)
{
if (principal == null)
{
throw new InvalidRequestException("The caller's principal is null.");
}
// check github
string ak = principal.FindFirst(Constants.CLAIM_TYPE_GITHUB_AK).Value;
string openid = Utility.GetOpenId(ak);
// check account
ADAccountInfo info = AccountHelper.GetHelper().GetAccount(openid);
if (info == null)
{
throw new InvalidRequestException("wrong github login or not binded, cannot login.");
}
var claims = new[]
{
new Claim(Constants.CLAIM_TYPE_PRIMARY_SID, info.primarysid),
new Claim(System.IdentityModel.Claims.ClaimTypes.Upn, info.upnUpper),
new Claim(System.IdentityModel.Claims.ClaimTypes.Upn, info.upnLower),
new Claim(System.IdentityModel.Claims.ClaimTypes.Name, info.name),
};
var id = new ClaimsIdentity(claims);
return id;
}
protected override Scope GetScope(ClaimsPrincipal principal, RequestSecurityToken request)
{
ValidateAppliesTo(request.AppliesTo);
var scope = new Scope(request.AppliesTo.Uri.AbsoluteUri, SecurityTokenServiceConfiguration.SigningCredentials);
if (Uri.IsWellFormedUriString(request.ReplyTo, UriKind.Absolute))
{
if (request.AppliesTo.Uri.Host != new Uri(request.ReplyTo).Host)
scope.ReplyToAddress = request.AppliesTo.Uri.AbsoluteUri;
else
scope.ReplyToAddress = request.ReplyTo;
}
else
{
Uri resultUri = null;
if (Uri.TryCreate(request.AppliesTo.Uri, request.ReplyTo, out resultUri))
scope.ReplyToAddress = resultUri.AbsoluteUri;
else
scope.ReplyToAddress = request.AppliesTo.Uri.ToString();
}
scope.TokenEncryptionRequired = false;
scope.SymmetricKeyEncryptionRequired = false;
return scope;
}
protected override Scope GetScope(ClaimsPrincipal principal, System.IdentityModel.Protocols.WSTrust.RequestSecurityToken request)
{
var s = new Scope();
s.SigningCredentials = SecurityTokenServiceConfiguration.SigningCredentials;
s.TokenEncryptionRequired = false;
s.SymmetricKeyEncryptionRequired = false;
s.ReplyToAddress = request.ReplyTo;
s.AppliesToAddress = request.AppliesTo.Uri.ToString();
return s;
}
protected override ClaimsIdentity GetOutputClaimsIdentity(ClaimsPrincipal principal, RequestSecurityToken request, Scope scope)
{
var config = ClaimsConfiguration.ConfigurationFactory();
var realm = request.AppliesTo.Uri.AbsoluteUri;
var claims = new List<Claim>();
claims.AddRange(GetClaimsForRealm("common", config));
claims.AddRange(GetClaimsForRealm(realm,config));
return new ClaimsIdentity(claims);
}
protected override Scope GetScope(ClaimsPrincipal principal, RequestSecurityToken request)
{
var scope = new Scope(request.AppliesTo.Uri.AbsoluteUri,
this.SecurityTokenServiceConfiguration.SigningCredentials)
{
TokenEncryptionRequired = false
};
scope.ReplyToAddress = string.IsNullOrWhiteSpace(request.ReplyTo)
? scope.AppliesToAddress
: scope.ReplyToAddress;
return scope;
}
protected override ClaimsIdentity GetOutputClaimsIdentity(ClaimsPrincipal principal, RequestSecurityToken request, Scope scope)
{
var claims = new[]
{
new Claim(System.IdentityModel.Claims.ClaimTypes.Name, principal.Identity.Name),
new Claim(System.IdentityModel.Claims.ClaimTypes.NameIdentifier, principal.Identity.Name),
};
var identity = new ClaimsIdentity(claims);
return identity;
}
protected override Scope GetScope(ClaimsPrincipal principal, RequestSecurityToken request)
{
var scope = new Scope(request.AppliesTo.Uri.OriginalString, SecurityTokenServiceConfiguration.SigningCredentials)
{
ReplyToAddress = request.ReplyTo,
TokenEncryptionRequired = false,
};
if (_encryptingCredentials != null)
{
scope.EncryptingCredentials = _encryptingCredentials;
}
return scope;
}
protected override ClaimsIdentity GetOutputClaimsIdentity( ClaimsPrincipal principal, RequestSecurityToken request, Scope scope )
{
ClaimsIdentity outgoingIdentity = new ClaimsIdentity();
outgoingIdentity.AddClaims(principal.Claims);
List<Role> roles = (List<Role>)HttpContext.Current.Session["User_Roles_" + principal.Identity.Name];
RBACHelper rbacHelper = new RBACHelper();
Permission[] permissions = rbacHelper.GetUserPermissions(Factory.Session(Factory.User(principal.Identity.Name), roles.ToArray()));
outgoingIdentity.AddClaim(new Claim("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/permissions", Serialize(permissions)));
return outgoingIdentity;
}
protected override ClaimsIdentity GetOutputClaimsIdentity(ClaimsPrincipal principal, RequestSecurityToken request, Scope scope)
{
var claims = new[]
{
new System.Security.Claims.Claim(System.IdentityModel.Claims.ClaimTypes.Name, principal.Identity.Name),
new System.Security.Claims.Claim(System.IdentityModel.Claims.ClaimTypes.NameIdentifier, principal.Identity.Name),
new System.Security.Claims.Claim(System.IdentityModel.Claims.ClaimTypes.PostalCode, "92110"),
new System.Security.Claims.Claim(System.IdentityModel.Claims.ClaimTypes.Country, "France"),
new System.Security.Claims.Claim(System.Security.Claims.ClaimTypes.Role, "Admin"),
};
var identity = new ClaimsIdentity(claims);
return identity;
}
protected override Scope GetScope(ClaimsPrincipal claimsPrincipal, RequestSecurityToken requestSecurityToken)
{
if (requestSecurityToken.AppliesTo == null)
{
throw new InvalidRequestException("Request for security token does not have a realm.");
}
var scope = new Scope(requestSecurityToken.AppliesTo.Uri.AbsoluteUri,
this.securityTokenServiceConfiguration.SigningCredentials)
{TokenEncryptionRequired = false,
ReplyToAddress = requestSecurityToken.AppliesTo.Uri.AbsoluteUri};
requestSecurityToken.TokenType = SamlTwoTokenType;
return scope;
}
protected override Scope GetScope(ClaimsPrincipal principal, RequestSecurityToken request)
{
Scope scope = new Scope(request.AppliesTo.Uri.ToString(), _signingCredentials);
if (_encryptingCredentials != null)
{
scope.EncryptingCredentials = _encryptingCredentials;
}
else
{
scope.TokenEncryptionRequired = false;
}
if (Uri.IsWellFormedUriString(request.ReplyTo, UriKind.Absolute))
{
if (request.AppliesTo.Uri.Host != new Uri(request.ReplyTo).Host)
{
scope.ReplyToAddress = request.AppliesTo.Uri.AbsoluteUri;
}
else
{
scope.ReplyToAddress = request.ReplyTo;
}
}
else
{
Uri resulturi = null;
if (Uri.TryCreate(request.AppliesTo.Uri.AbsoluteUri, UriKind.Absolute, out resulturi))
{
scope.ReplyToAddress = resulturi.AbsoluteUri;
}
else
{
scope.ReplyToAddress = request.AppliesTo.Uri.AbsoluteUri;
}
}
return scope;
}
protected override ClaimsIdentity GetOutputClaimsIdentity(ClaimsPrincipal principal, RequestSecurityToken request, Scope scope)
{
ClaimsIdentity userIdentity = principal?.Identities?.First();
if (userIdentity == null)
throw new Exception("User Identity not found.");
var inheritedClaims =
userIdentity.Claims.Where(i => !i.Type.In(ClaimTypes.AuthenticationInstant, ClaimTypes.AuthenticationMethod))
.Select(c => new Claim(c.Type, c.Value));
var relyingParty = (scope as RequestScope).RelyingParty;
var outputIdentity = new ClaimsIdentity(relyingParty.IssuerName);
// We also have the ClaimTypes.AuthenticationMethod that shows which was the original authenticator
outputIdentity.AddClaim(new Claim(ClaimTypes.AuthenticationInstant,
DateTime.UtcNow.ToString("yyyy-MM-dd'T'HH:mm:ss'Z'"),
ClaimValueTypes.DateTime, relyingParty.IssuerName));
outputIdentity.AddClaim(new Claim(ClaimTypes.AuthenticationMethod,
relyingParty.AuthenticationUrl,
ClaimValueTypes.String, relyingParty.IssuerName));
outputIdentity.AddClaims(inheritedClaims);
return outputIdentity;
}
protected override ClaimsIdentity GetOutputClaimsIdentity(ClaimsPrincipal principal, RequestSecurityToken request, Scope scope)
{
var id = principal.Claims.First(x => x.Type == ClaimTypes.NameIdentifier).Value;
var availableProviders =
ConfigurationManager.AppSettings["AuthenticationProviders"].Split(',')
.Select(x => x.Trim())
.Where(x => !string.IsNullOrEmpty(x))
.ToArray();
var user = AsyncRunner.RunNoSynchronizationContext(() => _userStore.FindByIdAsync(id));
var connectedProviders = AsyncRunner.RunNoSynchronizationContext(() => _userStore.GetLoginsAsync(user)).Select(x => x.LoginProvider).ToList();
var loginClaims = connectedProviders.Select(x => new Claim(Consts.ManagementConnectedAccountType, x)).Concat(
availableProviders.Except(connectedProviders).Select(x => new Claim(Consts.ManagementDisconnectedAccountType, x))).ToList();
var hasLocalAccount = !string.IsNullOrWhiteSpace(user.PasswordHash);
loginClaims.Add(new Claim(hasLocalAccount ? Consts.ManagementConnectedAccountType : Consts.ManagementDisconnectedAccountType, "Local"));
var serviceClaims = AsyncRunner.RunNoSynchronizationContext(() => _userStore.GetServicesAsync(user)).Select(x => new Claim(Consts.RegisteredServiceType, x));
var claims = new[]
{
new Claim(ClaimTypes.Name, id),
new Claim(ClaimTypes.NameIdentifier, id),
new Claim(ClaimTypes.Email, principal.Identity.Name),
new Claim(Consts.ManagementUrlType, System.Web.HttpContext.Current.Request.Url.GetLeftPart(UriPartial.Path) + "?action=[action]&data=[data]"),
};
return new ClaimsIdentity(claims.Concat(loginClaims).Concat(serviceClaims));
}
protected override Scope GetScope(ClaimsPrincipal principal, RequestSecurityToken request)
{
this.ValidateAppliesTo(request.AppliesTo);
Scope scope = new Scope(request.AppliesTo.Uri.OriginalString, SecurityTokenServiceConfiguration.SigningCredentials);
scope.TokenEncryptionRequired = false;
scope.SymmetricKeyEncryptionRequired = false;
if (string.IsNullOrEmpty(request.ReplyTo))
{
scope.ReplyToAddress = scope.AppliesToAddress;
}
else
{
scope.ReplyToAddress = request.ReplyTo;
}
return scope;
}
protected override ClaimsIdentity GetOutputClaimsIdentity(ClaimsPrincipal principal, RequestSecurityToken request, Scope scope)
{
return m_claims;
}
/// <summary>
/// Produces the output identity that gets transformed into a token
/// </summary>
/// <param name="principal">The principal.</param>
/// <param name="request">The request.</param>
/// <param name="scope">The scope.</param>
/// <returns>An IClaimsIdentity describing the subject</returns>
protected override ClaimsIdentity GetOutputClaimsIdentity(ClaimsPrincipal principal,
RequestSecurityToken request, Scope scope)
{
var requestDetails = (scope as RequestDetailsScope).RequestDetails;
// externally authenticated user
if (
principal.HasClaim(
c => c.Type == Constants.Claims.IdentityProvider && c.Issuer == Constants.InternalIssuer))
{
Tracing.Information("Issuing a token for an external user.");
return GetExternalOutputClaims(principal, requestDetails);
}
var userClaims = GetOutputClaims(principal, requestDetails, ClaimsRepository);
var outputIdentity = new ClaimsIdentity(userClaims, "IdSrv");
if (requestDetails.IsActAsRequest)
{
Tracing.Information("Issuing act as token");
return GetActAsClaimsIdentity(outputIdentity, requestDetails);
}
Tracing.Information("Issuing identity token");
return outputIdentity;
}
protected override ClaimsIdentity GetOutputClaimsIdentity(ClaimsPrincipal principal, System.IdentityModel.Protocols.WSTrust.RequestSecurityToken request, Scope scope)
{
return principal.Identity as ClaimsIdentity;
}
protected override System.Security.Claims.ClaimsIdentity GetOutputClaimsIdentity(System.Security.Claims.ClaimsPrincipal principal, System.IdentityModel.Protocols.WSTrust.RequestSecurityToken request, Scope scope)
{
throw new NotImplementedException();
}
/// <summary>
/// Begins async call for GetOutputSubjects routine. Default implementation will throw a NotImplementedExcetion.
/// Refer MSDN articles on Using an AsyncCallback Delegate to End an Asynchronous Operation.
/// </summary>
/// <param name="principal">The authorization context that represents the identity of the requestor.</param>
/// <param name="request">The token request parameters that arrived in the call.</param>
/// <param name="scope">The scope information about the Relying Party.</param>
/// <param name="callback">The callback to be invoked when the user Asynchronous operation completed.</param>
/// <param name="state">The state object.</param>
/// <returns>IAsyncResult. Represents the status of an asynchronous operation. This will be passed into
/// EndGetOutputClaimsIdentity.</returns>
protected virtual IAsyncResult BeginGetOutputClaimsIdentity(ClaimsPrincipal principal, RequestSecurityToken request, Scope scope, AsyncCallback callback, object state)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new NotImplementedException(SR.GetString(SR.ID2081)));
}
/// <summary> /// When overridden in a derived class, this method should return a collection of output subjects to be included in the issued token. /// </summary> /// <param name="principal">The ClaimsPrincipal that represents the identity of the requestor.</param> /// <param name="request">The token request parameters that arrived in the call.</param> /// <param name="scope">The scope information about the Relying Party.</param> /// <returns>The ClaimsIdentity representing the collection of claims that will be placed in the issued security token.</returns> protected abstract ClaimsIdentity GetOutputClaimsIdentity(ClaimsPrincipal principal, RequestSecurityToken request, Scope scope);
/// <summary>
/// Gets the proof token.
/// </summary>
/// <param name="request">The incoming token request.</param>
/// <param name="scope">The scope instance encapsulating information about the relying party.</param>
/// <returns>The newly created proof decriptor that could be either asymmetric proof descriptor or symmetric proof descriptor or null in the bearer token case.</returns>
protected virtual ProofDescriptor GetProofToken(RST request, Scope scope)
{
if (request == null)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("request");
}
if (scope == null)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("scope");
}
EncryptingCredentials requestorWrappingCredentials = GetRequestorProofEncryptingCredentials(request);
if (scope.EncryptingCredentials != null &&
!(scope.EncryptingCredentials.SecurityKey is AsymmetricSecurityKey))
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(
new SecurityTokenException(SR.GetString(SR.ID4179)));
}
EncryptingCredentials targetWrappingCredentials = scope.EncryptingCredentials;
//
// Generate the proof key
//
string keyType = (string.IsNullOrEmpty(request.KeyType)) ? KeyTypes.Symmetric : request.KeyType;
ProofDescriptor result = null;
if (StringComparer.Ordinal.Equals(keyType, KeyTypes.Asymmetric))
{
//
// Asymmetric is only supported with UseKey
//
if (request.UseKey == null)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new InvalidRequestException(SR.GetString(SR.ID3091)));
}
result = new AsymmetricProofDescriptor(request.UseKey.SecurityKeyIdentifier);
}
else if (StringComparer.Ordinal.Equals(keyType, KeyTypes.Symmetric))
{
//
// Only support PSHA1. Overwrite STS to support custom key algorithm
//
if (request.ComputedKeyAlgorithm != null && !StringComparer.Ordinal.Equals(request.ComputedKeyAlgorithm, ComputedKeyAlgorithms.Psha1))
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new RequestFailedException(SR.GetString(SR.ID2011, request.ComputedKeyAlgorithm)));
}
//
// We must wrap the symmetric key inside the security token
//
if (targetWrappingCredentials == null && scope.SymmetricKeyEncryptionRequired)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new RequestFailedException(SR.GetString(SR.ID4007)));
}
//
// We are encrypting the proof token or the server entropy using client's encrypting credential if present,
// which will be used to encrypt the key during serialization.
// Otherwise, we can only send back the key in plain text. However, the current implementation of
// WSTrustServiceContract sets the rst.ProofEncryption = null by default. Therefore, the server entropy
// or the proof token will be sent in plain text no matter the client's entropy is sent encrypted or unencrypted.
//
if (request.KeySizeInBits.HasValue)
{
if (request.Entropy != null)
{
result = new SymmetricProofDescriptor(request.KeySizeInBits.Value, targetWrappingCredentials, requestorWrappingCredentials,
request.Entropy.GetKeyBytes(), request.EncryptWith);
}
else
{
result = new SymmetricProofDescriptor(request.KeySizeInBits.Value, targetWrappingCredentials,
requestorWrappingCredentials, request.EncryptWith);
}
}
else
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new RequestFailedException(SR.GetString(SR.ID2059)));
}
}
else if (StringComparer.Ordinal.Equals(keyType, KeyTypes.Bearer))
{
//
// Intentionally empty, no proofDescriptor
//
}
return result;
}
protected override ClaimsIdentity GetOutputClaimsIdentity(ClaimsPrincipal principal, RequestSecurityToken request, Scope scope)
{
if (principal == null)
{
throw new InvalidRequestException("The caller's principal is null.");
}
var claimsIdentity = principal.Identity as ClaimsIdentity;
if (claimsIdentity == null)
{
throw new InvalidRequestException("The caller's identity is invalid.");
}
return claimsIdentity;
}
protected override Scope GetScope(ClaimsPrincipal principal, RequestSecurityToken request)
{
if (request.AppliesTo == null)
{
throw new InvalidRequestException("The AppliesTo is null.");
}
var scope = new Scope(request.AppliesTo.Uri.OriginalString, SecurityTokenServiceConfiguration.SigningCredentials)
{
TokenEncryptionRequired = false,
SymmetricKeyEncryptionRequired = false
};
scope.ReplyToAddress = string.IsNullOrEmpty(request.ReplyTo) ? scope.AppliesToAddress : request.ReplyTo;
return scope;
}
/// <summary>
/// Creates an instance of a <see cref="SecurityTokenDescriptor"/>.
/// </summary>
/// <param name="request">The incoming token request.</param>
/// <param name="scope">The <see cref="Scope"/> object returned from <see cref="SecurityTokenService.GetScope"/>.</param>
/// <returns>The <see cref="SecurityTokenDescriptor"/>.</returns>
/// <remarks>Invoked during token issuance after <see cref="SecurityTokenService.GetScope"/>.</remarks>
protected virtual SecurityTokenDescriptor CreateSecurityTokenDescriptor(RST request, Scope scope)
{
if (request == null)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("request");
}
if (scope == null)
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("scope");
}
SecurityTokenDescriptor d = new SecurityTokenDescriptor();
d.AppliesToAddress = scope.AppliesToAddress;
d.ReplyToAddress = scope.ReplyToAddress;
d.SigningCredentials = scope.SigningCredentials;
if (null == d.SigningCredentials)
{
d.SigningCredentials = this.SecurityTokenServiceConfiguration.SigningCredentials;
}
//
// The encrypting credentials specified on the Scope object
// are invariant relative to a specific RP. Allowing the STS to
// cache the Scope for each RP.
// Our default implementation will generate the symmetric bulk
// encryption key on the fly.
//
if (scope.EncryptingCredentials != null &&
scope.EncryptingCredentials.SecurityKey is AsymmetricSecurityKey
)
{
if ((request.EncryptionAlgorithm == null || request.EncryptionAlgorithm == SecurityAlgorithms.Aes256Encryption) &&
(request.SecondaryParameters == null || request.SecondaryParameters.EncryptionAlgorithm == null || request.SecondaryParameters.EncryptionAlgorithm == SecurityAlgorithms.Aes256Encryption)
)
{
d.EncryptingCredentials = new EncryptedKeyEncryptingCredentials(scope.EncryptingCredentials, 256, SecurityAlgorithms.Aes256Encryption);
}
}
return d;
}