Is there any way to include the informations about the Organization into the generated SP's metadata with Spring Security? Because by default I can't see it included in the generated metadata XML.
What I'm currently getting
I've tried to create a custom class SAMLMetadataGenerator which extends the framework's class MetadataGenerator, and then tried to Override the buildExtensions method in the following way:
public class SAMLMetadataGenerator extends MetadataGenerator {
#Override
protected Extensions buildExtensions(String entityBaseURL, String entityAlias) {
super.setIncludeDiscoveryExtension(true);
Extensions extensions = super.buildExtensions(entityBaseURL, entityAlias);
if (extensions != null)
extensions.getUnknownXMLObjects().add(generateOrganization());
return extensions;
}
private Organization generateOrganization() {
OrganizationBuilder organizationBuilder = new OrganizationBuilder();
Organization organization = organizationBuilder.buildObject();
OrganizationNameBuilder organizationNameBuilder = new OrganizationNameBuilder();
OrganizationName organizationName = organizationNameBuilder.buildObject();
organizationName.setName(new LocalizedString("ACME", "en"));
OrganizationDisplayNameBuilder displayNameBuilder = new OrganizationDisplayNameBuilder();
OrganizationDisplayName organizationDisplayName = displayNameBuilder
.buildObject();
organizationDisplayName.setName(new LocalizedString("ACME Corporation", "en"));
OrganizationURLBuilder organizationURLBuilder = new OrganizationURLBuilder();
OrganizationURL organizationURL = organizationURLBuilder.buildObject();
organizationURL.setURL(new LocalizedString("http://spid.serviceprovider.it", "it"));
organization.getOrganizationNames().add(organizationName);
organization.getDisplayNames().add(organizationDisplayName);
organization.getURLs().add(organizationURL);
return organization;
}
}
This way the produced SP's metadata is then:
<md:EntityDescriptor
xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" ID="com_xegiy84105_spring_sp" entityID="com:xegiy84105:spring:sp">
<!-- Other things here -->
<md:SPSSODescriptor AuthnRequestsSigned="true" WantAssertionsSigned="true" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
<md:Extensions>
<idpdisco:DiscoveryResponse
xmlns:idpdisco="urn:oasis:names:tc:SAML:profiles:SSO:idp-discovery-protocol" Binding="urn:oasis:names:tc:SAML:profiles:SSO:idp-discovery-protocol" Location="http://localhost:8091/DM-WEB/saml/login?disco=true" index="0"/>
<md:Organization>
<md:OrganizationName xml:lang="en">ACME</md:OrganizationName>
<md:OrganizationDisplayName xml:lang="en">ACME Corporation</md:OrganizationDisplayName>
<md:OrganizationURL xml:lang="it">http://spid.serviceprovider.it</md:OrganizationURL>
</md:Organization>
</md:Extensions>
<!-- Other things here -->
</md:SPSSODescriptor>
</md:EntityDescriptor>
How it should really be
But the "Organization" block should be inserted without being surrounded by <md:Extensions/> and it should be placed as a direct child of the <md:EntityDescriptor/> block similiar to the following snippet:
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
entityID="https://spid.serviceprovider.it"
ID="_0j40cj0848d8e3jncjdjss...">
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
[...]
</ds:Signature>
<md:SPSSODescriptor
protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"
AuthnRequestsSigned="true"
WantAssertionsSigned="true">
[...]
</md:SPSSODescriptor>
<md:Organization>
<OrganizationName xml:lang="it">Service provider</OrganizationName>
<OrganizationDisplayName xml:lang="it">Nome service provider</OrganizationDisplayName>
<OrganizationURL xml:lang="it">http://spid.serviceprovider.it</OrganizationURL>
</md:Organization>
</md:EntityDescriptor>
What is the correct way to achieve this goal?
Thanks.
The reason it's in the extensions is this:
extensions.getUnknownXMLObjects().add(generateOrganization());
according to the docs for MetadataGenerator you can use:
generateMetadata()
which returns an EntityDescriptor, which you can add the org to:
setOrganization(generateOrganization());
Related
I've created a soap client connection using the wizard of Atelier and it has created all messages (request and response) and the business operation object.
This soap connection will be used to connecto with other SOAP Webservices (changing the URL) but the namespace of the envelope will be different for the destination.
I've done a change into the Soap class to add my namespace for the envelope
Property Namespace As %String
Parameter SETTINGS = "Namespace:Basic";
Method methodFind(idEspecialist As %String(REQUIRED=1), actList As %ListOfObjects(Myapp.ns2.actType") [ Final, ProcedureBlock = 1, SoapBindingStyle = document, SoapBodyUse = literal, WebMethod ]
{
Quit ..WebMethod("methodFind").Invoke($this,..Namespace_"/methodFind",.idEspecialist,.actList)
}
and it works, only I have to create a new BO item in the producction and set the namespace for the destination.
But the ns.actType has the property namespace in the definition (as I said, this object has been created with the wizard of Atelire (SOAP)) and it is used for all BO.
/// created from: http://mywsservice.salutic.org/EspecialistWS?wsdl=EspecialistWSSoap.wsdl
Class Myapp.ns2.actoType Extends (%SerialObject, %XML.Adaptor) [ ProcedureBlock ]
{
Parameter ELEMENTQUALIFIED = 1;
Parameter NAMESPACE = "http://mywsservice.salutic.org/";
Parameter XMLNAME = "actType";
Parameter XMLSEQUENCE = 1;
Property ActCode As %String(MAXLEN = "", XMLNAME = "ActCode") [ Required ];
Property description As %String(MAXLEN = "", XMLNAME = "description") [ Required ];
......
......
}
So, when the invokeClient method is creating the SOAP Envelope, it looks like this:
<?xml version="1.0" encoding="UTF-8" ?>
<SOAP-ENV:Envelope xmlns:SOAP-ENV='http://schemas.xmlsoap.org/soap/envelope/' xmlns:xsi='http://www.w3.org/2001/XMLSchema-instance' xmlns:s='http://www.w3.org/2001/XMLSchema'>
<SOAP-ENV:Body>
<methodFind xmlns="http://customer.namespace.org/">
<idEspecialist xsi:type="s:string">TAC</idEspecialist>
<actList>
<act xmlns:s01="http://mywsservice.salutic.org/" xsi:type="s01:actoType">
<ActCode xsi:type="s:string">1032001</ActCode>
<description xsi:type="s:string">Torax</description>
</act>
</actList>
</methodFind>
</SOAP-ENV:Body>
</SOAP-ENV:Envelope>
Is there any way to change the namespace of the node programmatically?
Best regards,
Kurro López
I can't see your code to give specifics but when the client object is created it should have a %SOAP.SessionHeader that has a NAMESPACE property. It should be attached to the HeadersOut property of the SOAP.WebClient
This is all from memory though so you need to check.
I created a .pdf file in the private local directory I got via (I try to work with the minimum of permissions):
string targetBaseDir = Environment.GetFolderPath(
Environment.SpecialFolder.Personal,
Environment.SpecialFolderOption.Create
);
The official Android documentation suggests that file should be shared via a FileProvider.
I also tried to get some code to start an intent, and I'm currently at:
var fileUri = Android.Net.Uri.Parse(filePath);
var intent = new Intent();
intent.SetFlags(ActivityFlags.ClearTop);
intent.SetFlags(ActivityFlags.NewTask);
intent.SetAction(Intent.ActionView);
intent.SetType("application/pdf");
intent.PutExtra(Intent.ExtraStream, fileUri);
intent.AddFlags(ActivityFlags.GrantReadUriPermission);
Android.App.Application.Context.StartActivity(intent);
This starts the share dialog for a pdf file but while the Adobe Pdf reader gets opened it shows an empty view and not my pdf file.
You need to wrap your URI with FileProvider. Since android uri will give you file:// while FileProvider will give you content://, which you actually need:
public static Android.Net.Uri WrapFileWithUri(Context context,Java.IO.File file)
{
Android.Net.Uri result;
if (Build.VERSION.SdkInt < (BuildVersionCodes)24)
{
result = Android.Net.Uri.FromFile(file);
}
else
{
result = FileProvider.GetUriForFile(context, context.ApplicationContext.PackageName + ".provider", file);
}
return result;
}
File can be createed this way:
var file = new Java.IO.File(filePath);
Then you can open it:
public static void View(Context context, string path, string mimeType)
{
Intent viewIntent = new Intent(Intent.ActionView);
Java.IO.File document = new Java.IO.File(path);
viewIntent.SetDataAndType(UriResolver.WrapFileWithUri(context,document),mimeType);
viewIntent.SetFlags(ActivityFlags.NewTask);
viewIntent.AddFlags(ActivityFlags.GrantReadUriPermission);
context.StartActivity(Intent.CreateChooser(viewIntent, "your text"));
}
Be aware, that this line
viewIntent.SetDataAndType(UriResolver.WrapFileWithUri(context,document),mimeType);
does not equal to SetData and SetType separate commands.
And yes, you need to add FileProvider to your manifest:
<provider android:name="android.support.v4.content.FileProvider" android:authorities="${applicationId}.provider" android:exported="false" android:grantUriPermissions="true">
<meta-data android:name="android.support.FILE_PROVIDER_PATHS" android:resource="#xml/provider_paths" />
</provider>
Also you need to create Resources\xml folder with provider_paths.xml file:
<?xml version="1.0" encoding="utf-8"?>
<paths xmlns:android="http://schemas.android.com/apk/res/android">
<external-path name="external_files" path="."/>
<files-path name="internal_files" path="." />
</paths>
I have the following Xml which I want to validate against Xsd Schema (below).
I am trying to validate the Xml against the given Xsd Schema using the C# function given below. I am getting this generic kind error message "Data at the root level is invalid. Line 1, position 1". This happens at "while(vr.Read())".
Can you please explain what is the cause and resolution to this problem or is there a way I can troubleshoot these type of generic errors.
As you can see from my Xsd schema that it has references to other child xsd files also. I am wondering if it has something to do with the error.
Warm Regards
XML File
<?xml version="1.0" encoding="utf-8"?>
<n1:Form109495CTransmittalUpstream xmlns="urn:us:gov:treasury:irs:ext:aca:air:6.2" xmlns:irs="urn:us:gov:treasury:irs:common" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:n1="urn:us:gov:treasury:irs:msg:form1094-1095Ctransmitterupstreammessage" xsi:schemaLocation="urn:us:gov:treasury:irs:msg:form1094-1095Ctransmitterupstreammessage IRS-Form1094-1095CTransmitterUpstreamMessage.xsd">
<Form1094CUpstreamDetail recordType="C" lineNum="0">
<--MORE XML TAGS HERE -->
</Form1094CUpstreamDetail>
</n1:Form109495CTransmittalUpstream>
XSD Schema
<?xml version="1.0" encoding="UTF-8"?>
<xsd:schema xmlns="urn:us:gov:treasury:irs:msg:form1094-1095Ctransmitterupstreammessage"
xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:irs="urn:us:gov:treasury:irs:common"
xmlns:air6.2="urn:us:gov:treasury:irs:ext:aca:air:6.2"
targetNamespace="urn:us:gov:treasury:irs:msg:form1094-1095Ctransmitterupstreammessage"
elementFormDefault="qualified" attributeFormDefault="unqualified" version="1.0">
<xsd:annotation>
<xsd:appinfo>
<release>ACA Release 6.2</release>
</xsd:appinfo>
<xsd:documentation>Form-1094C (Issuer) Transmittal and Form 1095C - Transmittal of Health Insurance Coverage Statements
<VersionNum>5.2</VersionNum>
<VersionEffectiveBeginDt>2015-01-06</VersionEffectiveBeginDt>
</xsd:documentation>
</xsd:annotation>
<!-- ===== Imports ===== -->
<xsd:import namespace="urn:us:gov:treasury:irs:common" schemaLocation="common-IRS-CAC.xsd"/>
<xsd:import namespace="urn:us:gov:treasury:irs:ext:aca:air:6.2"
schemaLocation="ext-IRS-EXT-ACA-AIR-6.2.xsd"/>
<xsd:element name="Form109495CTransmittalUpstream" type="Form109495CTransmittalUpstreamType">
<xsd:annotation>
<xsd:documentation>
<Component>
<DictionaryEntryNm>Form109495C Transmission Upstream</DictionaryEntryNm>
<MajorVersionNum>1</MajorVersionNum>
<MinorVersionNum>1</MinorVersionNum>
<VersionEffectiveBeginDt>2015-01-06</VersionEffectiveBeginDt>
<VersionDescriptionTxt>Initial Version</VersionDescriptionTxt>
<DescriptionTxt>The elements associated with 1094C data generated EOY report</DescriptionTxt>
</Component>
</xsd:documentation>
</xsd:annotation>
</xsd:element>
<xsd:complexType name="Form109495CTransmittalUpstreamType">
<xsd:annotation>
<xsd:documentation>
<Component>
<DictionaryEntryNm>Form109495C Transmission Upstream Type</DictionaryEntryNm>
<MajorVersionNum>1</MajorVersionNum>
<MinorVersionNum>1</MinorVersionNum>
<VersionEffectiveBeginDt>2014-11-05</VersionEffectiveBeginDt>
<VersionDescriptionTxt>Initial Version</VersionDescriptionTxt>
<DescriptionTxt>Transmission type for 1094C forms upstream data generated EOY report</DescriptionTxt>
</Component>
</xsd:documentation>
</xsd:annotation>
<xsd:sequence>
<xsd:element ref="air6.2:Form1094CUpstreamDetail" minOccurs="1" maxOccurs="unbounded"/>
</xsd:sequence>
</xsd:complexType>
</xsd:schema>
Following is the C# Validation Function:
/// <SUMMARY>
/// This method validates an xml string against an xml schema.
/// </SUMMARY>
/// <PARAM name="xml">StringReader containing xml</PARAM>
/// <PARAM name="schemaNamespace">XML Schema Namespace</PARAM>
/// <PARAM name="schemaUri">XML Schema Uri</PARAM>
/// <RETURNS>bool</RETURNS>
public bool ValidXmlDoc(StringReader xml,
string schemaNamespace, string schemaUri)
{
// Continue?
if(xml == null || schemaNamespace == null || schemaUri == null)
{
return false;
}
isValidXml = true;
XmlValidatingReader vr;
XmlTextReader tr;
XmlSchemaCollection schemaCol = new XmlSchemaCollection();
schemaCol.Add(schemaNamespace, schemaUri);
try
{
// Read the xml.
tr = new XmlTextReader(xml);
// Create the validator.
vr = new XmlValidatingReader(tr);
// Set the validation tyep.
vr.ValidationType = ValidationType.Schema;
// Add the schema.
if(schemaCol != null)
{
vr.Schemas.Add(schemaCol);
}
// Set the validation event handler.
vr.ValidationEventHandler +=
new ValidationEventHandler(ValidationCallBack);
// Read the xml schema.
while(vr.Read())
{
}
vr.Close();
return isValidXml;
}
catch(Exception ex)
{
this.ValidationError = ex.Message;
return false;
}
finally
{
// Clean up...
vr = null;
tr = null;
}
}
AFAIK XmlValidatingReader is obsolete. I think you would be much better of using XmlReader. In order to control URI resolutions(should schema has references to other schemes as relative paths) you could create your own XML URL resolver class by inheriting from XmlUrlResolver and overriding ResolveUri method. Then assign it to the XmlResolver member of XmlReaderSettings class. But I hope things would not deteriorate to that, though.:) Hopefully.:) Here is schematic code I could suggest:
XmlTextReader reader = new XmlTextReader(pathToXSD);
XmlSchema schema = XmlSchema.Read(reader, ValidationEventHandler);
XmlReaderSettings settings = new XmlReaderSettings();
settings.ValidationType = ValidationType.Schema;
settings.ValidationFlags |= XmlSchemaValidationFlags.ProcessInlineSchema;
settings.ValidationFlags |= XmlSchemaValidationFlags.ProcessSchemaLocation;
settings.ValidationFlags |= XmlSchemaValidationFlags.ReportValidationWarnings;
settings.ValidationEventHandler += new ValidationEventHandler(ValidationEventHandler);
settings.Schemas.Add(schema);
using (StringReader xmlStream = new StringReader(xml))
{
using (XmlReader xmlReader = XmlReader.Create(xmlStream, settings))
{
while (xmlReader.Read()) { }
}
}
In Sitecore, I'd like to set Upload MaxSize only for image files.
We can update Media.MaxSizeInDatabase to set the MaxSize, but this setting includes all files in Media Library.
Is there any way to set MaxSize only for image files? Or, can I create any validation for this??
Thank you in advance!!
========= Update ==========
I tried to use all code and setting, but it was not working. I think Code is fine, but I might have to make sure the place of configurations. When I add "xmlns:patch" attribute in on the top, like below
<?xml version="1.0" encoding="UTF-8"?>
<configuration xmlns:patch="http://www.sitecore.net/xmlconfig/">
It show error "Unrecongnized attribute xmlns:patch". So, I added the configurations in "/configuration/sitecore" element in a web.config, like below
<?xml version="1.0" encoding="UTF-8"?>
<configuration>
.....
<sitecore database="SqlServer">
<configuration xmlns:patch="http://www.sitecore.net/xmlconfig/">
<sitecore>
<processors>
<uiUpload>
<processor mode="on" type="ImageMaxSize.ImageItemValidator2, Sitecore.Kernel" patch:before="processor[#type='Sitecore.Pipelines.Upload.CheckSize, Sitecore.Kernel']">
<restrictedExtensions hint="raw:AddRestrictedExtension">
<!-- Be sure to prefix with a dot -->
<extension>.jpg</extension>
<extension>.jepg</extension>
<extension>.png</extension>
<extension>.bmp</extension>
</restrictedExtensions>
</processor>
</uiUpload>
</processors>
</sitecore>
</configuration>
This is not working
You can patch in your own processor into uiUpload to check the file size for certain types, in a very similar way to this post from Mike Reynolds to restrict certain file types to be upload.
public class ImageCheckSize : UploadProcessor
{
public List<string> RestrictedExtensions { get; set; }
public ImageCheckSize()
{
RestrictedExtensions = new List<string>();
}
public void Process(UploadArgs args)
{
Assert.ArgumentNotNull((object) args, "args");
if (args.Destination == UploadDestination.File)
return;
foreach (string index in args.Files)
{
HttpPostedFile file = args.Files[index];
if (!string.IsNullOrEmpty(file.FileName) && IsRestrictedExtension(file.FileName))
{
if ((long) file.ContentLength > MaxImageSizeInDatabase)
{
args.ErrorText = string.Format("The image \"{0}\" is too big to be uploaded. The maximum size for uploading images is {1}.", file.FileName, MainUtil.FormatSize(MaxImageSizeInDatabase));
Log.Warn(args.ErrorText, this);
args.AbortPipeline();
break;
}
}
}
}
private bool IsRestrictedExtension(string filename)
{
return RestrictedExtensions.Exists(restrictedExtension => string.Equals(restrictedExtension, Path.GetExtension(filename), StringComparison.CurrentCultureIgnoreCase));
}
public static long MaxImageSizeInDatabase
{
get
{
return Sitecore.Configuration.Settings.GetLongSetting("Media.MaxImageSizeInDatabase", 524288000L);
}
}
}
And then add in the required config changes. Create a new config file in /App_Config/Includes (e.g. ImageSizeCheck.config)
<?xml version="1.0" encoding="utf-8"?>
<configuration xmlns:patch="http://www.sitecore.net/xmlconfig/">
<sitecore>
<processors>
<uiUpload>
<processor mode="on" type="Custom.Business.Pipeline.Upload.ImageCheckSize, Custom.Business"
patch:before="processor[#type='Sitecore.Pipelines.Upload.CheckSize, Sitecore.Kernel']">
<restrictedExtensions hint="list">
<extension>.jpg</extension>
<extension>.png</extension>
</restrictedExtensions>
</processor>
</uiUpload>
</processors>
<settings>
<setting name="Media.MaxImageSizeInDatabase" value="1MB" />
</settings>
</sitecore>
</configuration>
You will also need to add another processor into attachFile processors to handle if the user attaches a new file to an existing media item - use dotPeek to see the implementation in Sitecore.Pipelines.Attach.CheckSize,Sitecore.Kernel.
One caveat to this is that the displayed error message is not too friendly, but the error is logged correctly in the log files :(
I'm experimenting with "configuration-less WIF", where I want to accept a SAML2 token that is generated by Windows Azure's AppFabric STS.
What I'm doing is parsing checking the current request for token information, like so:
if (Request.Form.Get(WSFederationConstants.Parameters.Result) != null)
{
SignInResponseMessage message =
WSFederationMessage.CreateFromFormPost(System.Web.HttpContext.Current.Request) as SignInResponseMessage;
var securityTokenHandlers = SecurityTokenHandlerCollection.CreateDefaultSecurityTokenHandlerCollection();
XmlTextReader xmlReader = new XmlTextReader(
new StringReader(message.Result));
SecurityToken token = securityTokenHandlers.ReadToken(xmlReader);
if (token != null)
{
ClaimsIdentityCollection claims = securityTokenHandlers.ValidateToken(token);
IPrincipal principal = new ClaimsPrincipal(claims);
}
}
The code above uses the SecurityTokenHandlerCollection.CreateDefaultSecurityTokenHandlerCollection(); colection to verify and handle the SAML token. However: this does not work because obviously the application has not bee nconfigured correctly. How would I specify the follwing configuration from XML programmaticaly on my securityTokenHandlers collection?
<microsoft.identityModel>
<service>
<audienceUris>
<add value="http://www.someapp.net/" />
</audienceUris>
<federatedAuthentication>
<wsFederation passiveRedirectEnabled="true" issuer="https://rd-test.accesscontrol.appfabriclabs.com/v2/wsfederation" realm="http://www.thisapp.net" requireHttps="false" />
<cookieHandler requireSsl="false" />
</federatedAuthentication>
<applicationService>
<claimTypeRequired>
<claimType type="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name" optional="true" />
<claimType type="http://schemas.microsoft.com/ws/2008/06/identity/claims/role" optional="true" />
</claimTypeRequired>
</applicationService>
<issuerNameRegistry type="Microsoft.IdentityModel.Tokens.ConfigurationBasedIssuerNameRegistry, Microsoft.IdentityModel, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35">
<trustedIssuers>
<add thumbprint="XYZ123" name="https://somenamespace.accesscontrol.appfabriclabs.com/" />
</trustedIssuers>
</issuerNameRegistry>
</service>
I was struggling with the same and found a working solution in WIF 3.5/4.0. Since maartenba's link seems to be dead, I wanted to post my solution here.
Our requirements were:
Configuration fully in code (as we ship a default web.config with the app)
Maximum allowed .Net version 4.0 (hence I am using WIF 3.5/4.0)
What I used to arrive at the solution:
Information about dynamic WIF configuration provided by Daniel Wu
here.
This
method
to register HTTP modules at runtime, explained by David Ebbo. I
also tried the more elegant method explained by Rick
Strahl,
but that unfortunately did not do the trick for me.
Edit 2016/09/02: instead of adding a separate "pre application start
code" class as in David Ebbo's example, the WIF-related HTTP modules
can also be registered in the static constructor of the
`HttpApplication' class. I have adapted the code to this somewhat
cleaner solution.
My solution needs nothing in web.config. The bulk of the code is in global.asax.cs. Configuration is hard-coded in this sample:
using System;
using System.IdentityModel.Selectors;
using System.Security.Cryptography.X509Certificates;
using System.Web;
using Microsoft.IdentityModel.Tokens;
using Microsoft.IdentityModel.Web;
namespace TestADFS
{
public class SessionAuthenticationModule : Microsoft.IdentityModel.Web.SessionAuthenticationModule
{
protected override void InitializePropertiesFromConfiguration(string serviceName)
{
}
}
public class WSFederationAuthenticationModule : Microsoft.IdentityModel.Web.WSFederationAuthenticationModule
{
protected override void InitializePropertiesFromConfiguration(string serviceName)
{
ServiceConfiguration = FederatedAuthentication.ServiceConfiguration;
PassiveRedirectEnabled = true;
RequireHttps = true;
Issuer = "https://nl-joinadfstest.joinadfstest.local/adfs/ls/";
Realm = "https://67px95j.decos.com/testadfs";
}
}
public class Global : HttpApplication
{
static Global()
{
Microsoft.Web.Infrastructure.DynamicModuleHelper.DynamicModuleUtility.RegisterModule(typeof(SessionAuthenticationModule));
Microsoft.Web.Infrastructure.DynamicModuleHelper.DynamicModuleUtility.RegisterModule(typeof(WSFederationAuthenticationModule));
}
protected void Application_Start(object sender, EventArgs e)
{
FederatedAuthentication.ServiceConfigurationCreated += FederatedAuthentication_ServiceConfigurationCreated;
}
internal void FederatedAuthentication_ServiceConfigurationCreated(object sender, Microsoft.IdentityModel.Web.Configuration.ServiceConfigurationCreatedEventArgs e)
{
X509Store store = new X509Store(StoreName.My, StoreLocation.LocalMachine);
store.Open(OpenFlags.ReadOnly);
X509Certificate2Collection coll = store.Certificates.Find(X509FindType.FindByThumbprint, "245537E9BB2C086D3C880982FA86267FBD66B9A3", false);
if (coll.Count > 0)
e.ServiceConfiguration.ServiceCertificate = coll[0];
store.Close();
AudienceRestriction ar = new AudienceRestriction(AudienceUriMode.Always);
ar.AllowedAudienceUris.Add(new Uri("https://67px95j.decos.com/testadfs"));
e.ServiceConfiguration.AudienceRestriction = ar;
ConfigurationBasedIssuerNameRegistry inr = new ConfigurationBasedIssuerNameRegistry();
inr.AddTrustedIssuer("6C9B96D90257B65B6F181C2478D869473DC359EA", "http://NL-JOINADFSTEST.joinadfstest.local/adfs/services/trust");
e.ServiceConfiguration.IssuerNameRegistry = inr;
e.ServiceConfiguration.CertificateValidationMode = System.ServiceModel.Security.X509CertificateValidationMode.None;
}
protected void Application_AuthenticateRequest(object sender, EventArgs e)
{
FederatedAuthentication.WSFederationAuthenticationModule.ServiceConfiguration = FederatedAuthentication.ServiceConfiguration;
}
}
}
Usage
My app is asp.net WebForms, running in classic pipeline mode and supports forms authentication as well as ADFS login. Because of that, authentication is handled in a common base class shared by all .aspx pages:
protected override void OnInit(EventArgs e)
{
if (NeedsAuthentication && !User.Identity.IsAuthenticated)
{
SignInRequestMessage sirm = new SignInRequestMessage(
new Uri("https://nl-joinadfstest.joinadfstest.local/adfs/ls/"),
ApplicationRootUrl)
{
Context = ApplicationRootUrl,
HomeRealm = ApplicationRootUrl
};
Response.Redirect(sirm.WriteQueryString());
}
base.OnInit(e);
}
In this code, ApplicationRootUrl is the application path ending in "/" (the "/" is important in Classic pipeline mode).
As a stable implementation for logout in mixed mode was not so easy, I want to show the code for that as well. Technically it works, but I still have an issue with IE immediately logging in again after logging out an ADFS account:
if (User.Identity.IsAuthenticated)
{
if (User.Identity.AuthenticationType == "Forms")
{
FormsAuthentication.SignOut();
Session.Clear();
Session.Abandon();
ResetCookie(FormsAuthentication.FormsCookieName);
ResetCookie("ASP.NET_SessionId");
Response.Redirect(ApplicationRootUrl + "Default.aspx");
HttpContext.Current.ApplicationInstance.CompleteRequest();
}
else
{
FederatedAuthentication.SessionAuthenticationModule.SignOut();
FederatedAuthentication.SessionAuthenticationModule.DeleteSessionTokenCookie();
Uri uri = new Uri(ApplicationRootUrl + "Default.aspx");
WSFederationAuthenticationModule.FederatedSignOut(
new Uri("https://nl-joinadfstest.joinadfstest.local/adfs/ls/"),
uri); // 1st url is single logout service binding from adfs metadata
}
}
(ResetCookie is a helper function that clears a response cookie and sets its expiration in the past)
Just a thought, no idea whether this works: Isn't there a way to get at the actual XML (which is empty in your case) and modify it at runtime through the classes in Microsoft.IdentityModel.Configuration?
Alternatively, some of the things in the XML you can modify at the time the sign-in request is sent out, in the RedirectingToIdentityProvider event by modifying the SignInRequestMessage
FYI: found a solution and implemented it in a module described (and linked) here: http://blog.maartenballiauw.be/post/2011/02/14/Authenticate-Orchard-users-with-AppFabric-Access-Control-Service.aspx