|
//------------------------------------------------------------
// Copyright (c) Microsoft Corporation. All rights reserved.
//------------------------------------------------------------
using System.Collections.Generic;
using System.Collections.ObjectModel;
using System.Globalization;
using System.IdentityModel;
using System.IdentityModel.Protocols.WSTrust;
using System.IdentityModel.Selectors;
using System.IdentityModel.Tokens;
using System.ServiceModel.Description;
using System.ServiceModel.Security.Tokens;
using SR = System.ServiceModel.SR;
namespace System.ServiceModel.Security
{
/// <summary>
/// SecurityTokenManager that enables plugging custom tokens easily.
/// The SecurityTokenManager provides methods to register custom token providers,
/// serializers and authenticators. It can wrap another Token Managers and
/// delegate token operation calls to it if required.
/// </summary>
/// <remarks>
/// Framework use only - this is an implementation adapter class that is used to expose
/// the Framework SecurityTokenHandlers to WCF.
/// </remarks>
sealed class FederatedSecurityTokenManager : ServiceCredentialsSecurityTokenManager
{
static string ListenUriProperty = "http://schemas.microsoft.com/ws/2006/05/servicemodel/securitytokenrequirement/ListenUri";
ExceptionMapper _exceptionMapper;
SecurityTokenResolver _defaultTokenResolver;
SecurityTokenHandlerCollection _securityTokenHandlerCollection;
object _syncObject = new object();
ReadOnlyCollection<CookieTransform> _cookieTransforms;
SessionSecurityTokenCache _tokenCache;
/// <summary>
/// Initializes an instance of <see cref="FederatedSecurityTokenManager"/>.
/// </summary>
/// <param name="parentCredentials">ServiceCredentials that created this instance of TokenManager.</param>
/// <exception cref="ArgumentNullException">The argument 'parentCredentials' is null.</exception>
public FederatedSecurityTokenManager( ServiceCredentials parentCredentials )
: base( parentCredentials )
{
if ( parentCredentials == null )
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull( "parentCredentials" );
}
if ( parentCredentials.IdentityConfiguration == null )
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull( "parentCredentials.IdentityConfiguration" );
}
_exceptionMapper = parentCredentials.ExceptionMapper;
_securityTokenHandlerCollection = parentCredentials.IdentityConfiguration.SecurityTokenHandlers;
_tokenCache = _securityTokenHandlerCollection.Configuration.Caches.SessionSecurityTokenCache;
_cookieTransforms = SessionSecurityTokenHandler.DefaultCookieTransforms;
}
/// <summary>
/// Returns the list of SecurityTokenHandlers.
/// </summary>
public SecurityTokenHandlerCollection SecurityTokenHandlers
{
//
//
get { return _securityTokenHandlerCollection; }
}
/// <summary>
/// Gets or sets the ExceptionMapper to be used when throwing exceptions.
/// </summary>
public ExceptionMapper ExceptionMapper
{
get
{
return _exceptionMapper;
}
set
{
if ( value == null )
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull( "value" );
}
_exceptionMapper = value;
}
}
#region SecurityTokenManager Implementation
/// <summary>
/// Overriden from the base class. Creates the requested Token Authenticator.
/// Looks up the list of Token Handlers registered with the token Manager
/// based on the TokenType Uri in the SecurityTokenRequirement. If none is found,
/// then the call is delegated to the inner Token Manager.
/// </summary>
/// <param name="tokenRequirement">Security Token Requirement for which the Authenticator should be created.</param>
/// <param name="outOfBandTokenResolver">Token resolver that resolves any out-of-band tokens.</param>
/// <returns>Instance of Security Token Authenticator.</returns>
/// <exception cref="ArgumentNullException">'tokenRequirement' parameter is null.</exception>
/// <exception cref="NotSupportedException">No Authenticator is registered for the given token type.</exception>
public override SecurityTokenAuthenticator CreateSecurityTokenAuthenticator( SecurityTokenRequirement tokenRequirement, out SecurityTokenResolver outOfBandTokenResolver )
{
if ( tokenRequirement == null )
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull( "tokenRequirement" );
}
outOfBandTokenResolver = null;
// Check for a registered authenticator
SecurityTokenAuthenticator securityTokenAuthenticator = null;
string tokenType = tokenRequirement.TokenType;
//
// When the TokenRequirement.TokenType is null, we treat this as a SAML issued token case. It may be SAML 1.1 or SAML 2.0.
//
if ( String.IsNullOrEmpty( tokenType ) )
{
return CreateSamlSecurityTokenAuthenticator( tokenRequirement, out outOfBandTokenResolver );
}
//
// When the TokenType is set, build a token authenticator for the specified token type.
//
SecurityTokenHandler securityTokenHandler = _securityTokenHandlerCollection[tokenType];
if ( ( securityTokenHandler != null ) && ( securityTokenHandler.CanValidateToken ) )
{
outOfBandTokenResolver = GetDefaultOutOfBandTokenResolver();
if ( StringComparer.Ordinal.Equals( tokenType, SecurityTokenTypes.UserName ) )
{
UserNameSecurityTokenHandler upSecurityTokenHandler = securityTokenHandler as UserNameSecurityTokenHandler;
if ( upSecurityTokenHandler == null )
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(
new InvalidOperationException( SR.GetString( SR.ID4072, securityTokenHandler.GetType(), tokenType, typeof( UserNameSecurityTokenHandler ) ) ) );
}
securityTokenAuthenticator = new WrappedUserNameSecurityTokenAuthenticator( upSecurityTokenHandler, _exceptionMapper );
}
else if ( StringComparer.Ordinal.Equals( tokenType, SecurityTokenTypes.Kerberos ) )
{
securityTokenAuthenticator = CreateInnerSecurityTokenAuthenticator( tokenRequirement, out outOfBandTokenResolver );
}
else if ( StringComparer.Ordinal.Equals( tokenType, SecurityTokenTypes.Rsa ) )
{
RsaSecurityTokenHandler rsaSecurityTokenHandler = securityTokenHandler as RsaSecurityTokenHandler;
if ( rsaSecurityTokenHandler == null )
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(
new InvalidOperationException( SR.GetString( SR.ID4072, securityTokenHandler.GetType(), tokenType, typeof( RsaSecurityTokenHandler ) ) ) );
}
securityTokenAuthenticator = new WrappedRsaSecurityTokenAuthenticator( rsaSecurityTokenHandler, _exceptionMapper );
}
else if ( StringComparer.Ordinal.Equals( tokenType, SecurityTokenTypes.X509Certificate ) )
{
X509SecurityTokenHandler x509SecurityTokenHandler = securityTokenHandler as X509SecurityTokenHandler;
if ( x509SecurityTokenHandler == null )
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(
new InvalidOperationException( SR.GetString( SR.ID4072, securityTokenHandler.GetType(), tokenType, typeof( X509SecurityTokenHandler ) ) ) );
}
securityTokenAuthenticator = new WrappedX509SecurityTokenAuthenticator( x509SecurityTokenHandler, _exceptionMapper );
}
else if ( StringComparer.Ordinal.Equals( tokenType, SecurityTokenTypes.SamlTokenProfile11 ) ||
StringComparer.Ordinal.Equals( tokenType, SecurityTokenTypes.OasisWssSamlTokenProfile11 ) )
{
SamlSecurityTokenHandler saml11SecurityTokenHandler = securityTokenHandler as SamlSecurityTokenHandler;
if ( saml11SecurityTokenHandler == null )
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(
new InvalidOperationException( SR.GetString( SR.ID4072, securityTokenHandler.GetType(), tokenType, typeof( SamlSecurityTokenHandler ) ) ) );
}
if ( saml11SecurityTokenHandler.Configuration == null )
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperInvalidOperation( SR.GetString( SR.ID4274 ) );
}
securityTokenAuthenticator = new WrappedSaml11SecurityTokenAuthenticator( saml11SecurityTokenHandler, _exceptionMapper );
// The out-of-band token resolver will be used by WCF to decrypt any encrypted SAML tokens.
outOfBandTokenResolver = saml11SecurityTokenHandler.Configuration.ServiceTokenResolver;
}
else if ( StringComparer.Ordinal.Equals( tokenType, SecurityTokenTypes.Saml2TokenProfile11 ) ||
StringComparer.Ordinal.Equals( tokenType, SecurityTokenTypes.OasisWssSaml2TokenProfile11 ) )
{
Saml2SecurityTokenHandler saml2SecurityTokenHandler = securityTokenHandler as Saml2SecurityTokenHandler;
if ( saml2SecurityTokenHandler == null )
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(
new InvalidOperationException( SR.GetString( SR.ID4072, securityTokenHandler.GetType(), tokenType, typeof( Saml2SecurityTokenHandler ) ) ) );
}
if ( saml2SecurityTokenHandler.Configuration == null )
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperInvalidOperation( SR.GetString( SR.ID4274 ) );
}
securityTokenAuthenticator = new WrappedSaml2SecurityTokenAuthenticator( saml2SecurityTokenHandler, _exceptionMapper );
// The out-of-band token resolver will be used by WCF to decrypt any encrypted SAML tokens.
outOfBandTokenResolver = saml2SecurityTokenHandler.Configuration.ServiceTokenResolver;
}
else if ( StringComparer.Ordinal.Equals( tokenType, ServiceModelSecurityTokenTypes.SecureConversation ) )
{
RecipientServiceModelSecurityTokenRequirement tr = tokenRequirement as RecipientServiceModelSecurityTokenRequirement;
if ( tr == null )
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperInvalidOperation( SR.GetString( SR.ID4240, tokenRequirement.GetType().ToString() ) );
}
securityTokenAuthenticator = SetupSecureConversationWrapper( tr, securityTokenHandler as SessionSecurityTokenHandler, out outOfBandTokenResolver );
}
else
{
securityTokenAuthenticator = new SecurityTokenAuthenticatorAdapter( securityTokenHandler, _exceptionMapper );
}
}
else
{
if ( tokenType == ServiceModelSecurityTokenTypes.SecureConversation
|| tokenType == ServiceModelSecurityTokenTypes.MutualSslnego
|| tokenType == ServiceModelSecurityTokenTypes.AnonymousSslnego
|| tokenType == ServiceModelSecurityTokenTypes.SecurityContext
|| tokenType == ServiceModelSecurityTokenTypes.Spnego )
{
RecipientServiceModelSecurityTokenRequirement tr = tokenRequirement as RecipientServiceModelSecurityTokenRequirement;
if ( tr == null )
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperInvalidOperation( SR.GetString( SR.ID4240, tokenRequirement.GetType().ToString() ) );
}
securityTokenAuthenticator = SetupSecureConversationWrapper( tr, null, out outOfBandTokenResolver );
}
else
{
securityTokenAuthenticator = CreateInnerSecurityTokenAuthenticator( tokenRequirement, out outOfBandTokenResolver );
}
}
return securityTokenAuthenticator;
}
/// <summary>
/// Helper method to setup the WrappedSecureConversttion
/// </summary>
SecurityTokenAuthenticator SetupSecureConversationWrapper( RecipientServiceModelSecurityTokenRequirement tokenRequirement, SessionSecurityTokenHandler tokenHandler, out SecurityTokenResolver outOfBandTokenResolver )
{
// This code requires Orcas SP1 to compile.
// WCF expects this securityTokenAuthenticator to support:
// 1. IIssuanceSecurityTokenAuthenticator
// 2. ICommunicationObject is needed for this to work right.
// WCF opens a listener in this STA that handles the nego and uses an internal class for negotiating the
// the bootstrap tokens. We want to handle ValidateToken to return our authorization policies and surface the bootstrap tokens.
// when sp1 is installed, use this one.
//SecurityTokenAuthenticator sta = base.CreateSecureConversationTokenAuthenticator( tokenRequirement as RecipientServiceModelSecurityTokenRequirement, _saveBootstrapTokensInSession, out outOfBandTokenResolver );
// use this code if SP1 is not installed
SecurityTokenAuthenticator sta = base.CreateSecurityTokenAuthenticator( tokenRequirement, out outOfBandTokenResolver );
SessionSecurityTokenHandler sessionTokenHandler = tokenHandler;
//
// If there is no SCT handler here, create one.
//
if ( tokenHandler == null )
{
sessionTokenHandler = new SessionSecurityTokenHandler( _cookieTransforms, SessionSecurityTokenHandler.DefaultTokenLifetime );
sessionTokenHandler.ContainingCollection = _securityTokenHandlerCollection;
sessionTokenHandler.Configuration = _securityTokenHandlerCollection.Configuration;
}
if ( ServiceCredentials != null )
{
sessionTokenHandler.Configuration.MaxClockSkew = ServiceCredentials.IdentityConfiguration.MaxClockSkew;
}
SctClaimsHandler claimsHandler = new SctClaimsHandler(
_securityTokenHandlerCollection,
GetNormalizedEndpointId( tokenRequirement ) );
WrappedSessionSecurityTokenAuthenticator wssta = new WrappedSessionSecurityTokenAuthenticator( sessionTokenHandler, sta,
claimsHandler, _exceptionMapper );
WrappedTokenCache wrappedTokenCache = new WrappedTokenCache( _tokenCache, claimsHandler);
SetWrappedTokenCache( wrappedTokenCache, sta, wssta, claimsHandler );
outOfBandTokenResolver = wrappedTokenCache;
return wssta;
}
/// <summary>
/// The purpose of this method is to set our WrappedTokenCache as the token cache for SCT's.
/// And to set our OnIssuedToken callback when in cookie mode.
/// We have to use reflection here as this is a private method.
/// </summary>
static void SetWrappedTokenCache(
WrappedTokenCache wrappedTokenCache,
SecurityTokenAuthenticator sta,
WrappedSessionSecurityTokenAuthenticator wssta,
SctClaimsHandler claimsHandler )
{
if ( sta is SecuritySessionSecurityTokenAuthenticator )
{
( sta as SecuritySessionSecurityTokenAuthenticator ).IssuedTokenCache = wrappedTokenCache;
}
else if ( sta is AcceleratedTokenAuthenticator )
{
( sta as AcceleratedTokenAuthenticator ).IssuedTokenCache = wrappedTokenCache;
}
else if ( sta is SpnegoTokenAuthenticator )
{
( sta as SpnegoTokenAuthenticator ).IssuedTokenCache = wrappedTokenCache;
}
else if ( sta is TlsnegoTokenAuthenticator )
{
( sta as TlsnegoTokenAuthenticator ).IssuedTokenCache = wrappedTokenCache;
}
// we need to special case this as the OnTokenIssued callback is not hooked up in the cookie mode case.
IIssuanceSecurityTokenAuthenticator issuanceTokenAuthenticator = sta as IIssuanceSecurityTokenAuthenticator;
if ( issuanceTokenAuthenticator != null )
{
issuanceTokenAuthenticator.IssuedSecurityTokenHandler = claimsHandler.OnTokenIssued;
issuanceTokenAuthenticator.RenewedSecurityTokenHandler = claimsHandler.OnTokenRenewed;
}
}
/// <summary>
/// Overriden from the base class. Creates the requested Token Serializer.
/// Returns a Security Token Serializer that is wraps the list of token
/// hanlders registerd and also the serializers from the inner token manager.
/// </summary>
/// <param name="version">SecurityTokenVersion of the serializer to be created.</param>
/// <returns>Instance of SecurityTokenSerializer.</returns>
/// <exception cref="ArgumentNullException">Input parameter is null.</exception>
public override SecurityTokenSerializer CreateSecurityTokenSerializer( SecurityTokenVersion version )
{
if ( version == null )
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull( "version" );
}
TrustVersion trustVersion = null;
SecureConversationVersion scVersion = null;
foreach ( string securitySpecification in version.GetSecuritySpecifications() )
{
if ( StringComparer.Ordinal.Equals( securitySpecification, WSTrustFeb2005Constants.NamespaceURI ) )
{
trustVersion = TrustVersion.WSTrustFeb2005;
}
else if ( StringComparer.Ordinal.Equals( securitySpecification, WSTrust13Constants.NamespaceURI ) )
{
trustVersion = TrustVersion.WSTrust13;
}
else if ( StringComparer.Ordinal.Equals( securitySpecification, WSSecureConversationFeb2005Constants.Namespace ) )
{
scVersion = SecureConversationVersion.WSSecureConversationFeb2005;
}
else if ( StringComparer.Ordinal.Equals( securitySpecification, WSSecureConversation13Constants.Namespace ) )
{
scVersion = SecureConversationVersion.WSSecureConversation13;
}
if ( trustVersion != null && scVersion != null )
{
break;
}
}
if ( trustVersion == null )
{
trustVersion = TrustVersion.WSTrust13;
}
if ( scVersion == null )
{
scVersion = SecureConversationVersion.WSSecureConversation13;
}
WsSecurityTokenSerializerAdapter adapter = new WsSecurityTokenSerializerAdapter( _securityTokenHandlerCollection,
GetSecurityVersion( version ), trustVersion, scVersion, false, this.ServiceCredentials.IssuedTokenAuthentication.SamlSerializer,
this.ServiceCredentials.SecureConversationAuthentication.SecurityStateEncoder,
this.ServiceCredentials.SecureConversationAuthentication.SecurityContextClaimTypes );
adapter.MapExceptionsToSoapFaults = true;
adapter.ExceptionMapper = _exceptionMapper;
return adapter;
}
/// <summary>
/// The out-of-band token resolver to be used if the authenticator does
/// not provide another.
/// </summary>
/// <remarks>By default this will create the resolver with the service certificate and
/// know certificates collections specified in the service credentials when the STS is
/// hosted inside WCF.</remarks>
SecurityTokenResolver GetDefaultOutOfBandTokenResolver()
{
if ( _defaultTokenResolver == null )
{
lock ( _syncObject )
{
if ( _defaultTokenResolver == null )
{
//
// Create default Out-Of-Band SecurityResolver.
//
List<SecurityToken> outOfBandTokens = new List<SecurityToken>();
if ( base.ServiceCredentials.ServiceCertificate.Certificate != null )
{
outOfBandTokens.Add( new X509SecurityToken( base.ServiceCredentials.ServiceCertificate.Certificate ) );
}
if ( ( base.ServiceCredentials.IssuedTokenAuthentication.KnownCertificates != null ) && ( base.ServiceCredentials.IssuedTokenAuthentication.KnownCertificates.Count > 0 ) )
{
for ( int i = 0; i < base.ServiceCredentials.IssuedTokenAuthentication.KnownCertificates.Count; ++i )
{
outOfBandTokens.Add( new X509SecurityToken( base.ServiceCredentials.IssuedTokenAuthentication.KnownCertificates[i]));
}
}
_defaultTokenResolver = SecurityTokenResolver.CreateDefaultSecurityTokenResolver( outOfBandTokens.AsReadOnly(), false );
}
}
}
return _defaultTokenResolver;
}
/// <summary>
/// There is a bug in WCF where the version obtained from the public SecurityTokenVersion strings is wrong.
/// The internal MessageSecurityTokenVersion has the right version.
/// </summary>
internal static SecurityVersion GetSecurityVersion( SecurityTokenVersion tokenVersion )
{
if ( tokenVersion == null )
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull( "tokenVersion" );
}
//
// Workaround for WCF bug.
// In .NET 3.5 WCF returns the wrong Token Specification. We need to reflect on the
// internal code so we can access the SecurityVersion directly instead of depending
// on the security specification.
//
if ( tokenVersion is MessageSecurityTokenVersion )
{
SecurityVersion sv = ( tokenVersion as MessageSecurityTokenVersion ).SecurityVersion;
if ( sv != null )
{
return sv;
}
}
else
{
if ( tokenVersion.GetSecuritySpecifications().Contains( WSSecurity11Constants.Namespace ) )
{
return SecurityVersion.WSSecurity11;
}
else if ( tokenVersion.GetSecuritySpecifications().Contains( WSSecurity10Constants.Namespace ) )
{
return SecurityVersion.WSSecurity10;
}
}
return SecurityVersion.WSSecurity11;
}
#endregion // SecurityTokenManager Implementation
/// <summary>
/// This method creates the inner security token authenticator from the base class.
/// The wrapped token cache is initialized with this authenticator.
/// </summary>
SecurityTokenAuthenticator CreateInnerSecurityTokenAuthenticator( SecurityTokenRequirement tokenRequirement, out SecurityTokenResolver outOfBandTokenResolver )
{
SecurityTokenAuthenticator securityTokenAuthenticator = base.CreateSecurityTokenAuthenticator( tokenRequirement, out outOfBandTokenResolver );
SctClaimsHandler claimsHandler = new SctClaimsHandler(
_securityTokenHandlerCollection,
GetNormalizedEndpointId( tokenRequirement ) );
SetWrappedTokenCache( new WrappedTokenCache( _tokenCache, claimsHandler ), securityTokenAuthenticator, null, claimsHandler );
return securityTokenAuthenticator;
}
/// <summary>
/// This method creates a SAML security token authenticator when token type is null.
/// It wraps the SAML 1.1 and the SAML 2.0 token handlers that are configured.
/// If no token handler was found, then the inner token manager is created.
/// </summary>
SecurityTokenAuthenticator CreateSamlSecurityTokenAuthenticator( SecurityTokenRequirement tokenRequirement, out SecurityTokenResolver outOfBandTokenResolver )
{
outOfBandTokenResolver = null;
SecurityTokenAuthenticator securityTokenAuthenticator = null;
SamlSecurityTokenHandler saml11SecurityTokenHandler = _securityTokenHandlerCollection[SecurityTokenTypes.SamlTokenProfile11] as SamlSecurityTokenHandler;
Saml2SecurityTokenHandler saml2SecurityTokenHandler = _securityTokenHandlerCollection[SecurityTokenTypes.Saml2TokenProfile11] as Saml2SecurityTokenHandler;
if ( saml11SecurityTokenHandler != null && saml11SecurityTokenHandler.Configuration == null )
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperInvalidOperation( SR.GetString( SR.ID4274 ) );
}
if ( saml2SecurityTokenHandler != null && saml2SecurityTokenHandler.Configuration == null )
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperInvalidOperation( SR.GetString( SR.ID4274 ) );
}
if ( saml11SecurityTokenHandler != null && saml2SecurityTokenHandler != null )
{
//
// Both SAML 1.1 and SAML 2.0 token handlers have been configured.
//
WrappedSaml11SecurityTokenAuthenticator wrappedSaml11SecurityTokenAuthenticator = new WrappedSaml11SecurityTokenAuthenticator( saml11SecurityTokenHandler, _exceptionMapper );
WrappedSaml2SecurityTokenAuthenticator wrappedSaml2SecurityTokenAuthenticator = new WrappedSaml2SecurityTokenAuthenticator( saml2SecurityTokenHandler, _exceptionMapper );
securityTokenAuthenticator = new WrappedSamlSecurityTokenAuthenticator( wrappedSaml11SecurityTokenAuthenticator, wrappedSaml2SecurityTokenAuthenticator );
// The out-of-band token resolver will be used by WCF to decrypt any encrypted SAML tokens.
List<SecurityTokenResolver> resolvers = new List<SecurityTokenResolver>();
resolvers.Add( saml11SecurityTokenHandler.Configuration.ServiceTokenResolver );
resolvers.Add( saml2SecurityTokenHandler.Configuration.ServiceTokenResolver );
outOfBandTokenResolver = new AggregateTokenResolver( resolvers );
}
else if ( saml11SecurityTokenHandler == null && saml2SecurityTokenHandler != null )
{
//
// SAML 1.1 token handler is not present but SAML 2.0 is. Set the token type to SAML 2.0
//
securityTokenAuthenticator = new WrappedSaml2SecurityTokenAuthenticator( saml2SecurityTokenHandler, _exceptionMapper );
// The out-of-band token resolver will be used by WCF to decrypt any encrypted SAML tokens.
outOfBandTokenResolver = saml2SecurityTokenHandler.Configuration.ServiceTokenResolver;
}
else if ( saml11SecurityTokenHandler != null && saml2SecurityTokenHandler == null )
{
//
// SAML 1.1 token handler is present but SAML 2.0 is not. Set the token type to SAML 1.1
//
securityTokenAuthenticator = new WrappedSaml11SecurityTokenAuthenticator( saml11SecurityTokenHandler, _exceptionMapper );
// The out-of-band token resolver will be used by WCF to decrypt any encrypted SAML tokens.
outOfBandTokenResolver = saml11SecurityTokenHandler.Configuration.ServiceTokenResolver;
}
else
{
securityTokenAuthenticator = CreateInnerSecurityTokenAuthenticator( tokenRequirement, out outOfBandTokenResolver );
}
return securityTokenAuthenticator;
}
/// <summary>
/// Converts the ListenUri in the <see cref="SecurityTokenRequirement"/> to a normalized string.
/// The method preserves the Uri scheme, port and absolute path and replaces the host name
/// with the string 'NormalizedHostName'.
/// </summary>
/// <param name="tokenRequirement">The <see cref="SecurityTokenRequirement"/> which contains the 'ListenUri' property.</param>
/// <returns>A string representing the Normalized URI string.</returns>
public static string GetNormalizedEndpointId( SecurityTokenRequirement tokenRequirement )
{
if ( tokenRequirement == null )
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull( "tokenRequirement" );
}
Uri listenUri = null;
if ( tokenRequirement.Properties.ContainsKey( ListenUriProperty ) )
{
listenUri = tokenRequirement.Properties[ListenUriProperty] as Uri;
}
if ( listenUri == null )
{
throw DiagnosticUtility.ExceptionUtility.ThrowHelperInvalidOperation( SR.GetString( SR.ID4287, tokenRequirement ) );
}
if ( listenUri.IsDefaultPort )
{
return String.Format( CultureInfo.InvariantCulture, "{0}://NormalizedHostName{1}", listenUri.Scheme, listenUri.AbsolutePath );
}
else
{
return String.Format( CultureInfo.InvariantCulture, "{0}://NormalizedHostName:{1}{2}", listenUri.Scheme, listenUri.Port, listenUri.AbsolutePath );
}
}
}
}
|