Welcome
Guest
, you are in:
<root>
EnterpriseLibrary
FDOT Security STS
FDOT_Application_Model
GisFramework
•
Login
FDOT Wiki
Navigation (FDOT Security STS)
¶
Main Page
Main Page (root)
Random Page
Create a new Page
All Pages
Categories
Navigation Paths
Administration
File Management
Create Account
Search the wiki
»
Back
Convert From DevToUnit To Unit
Modified on Tuesday, 30 August 2016 02:20 PM
by
Administrator
Categorized as
Uncategorized
Open up web.config and add the following to appConfig: @@<add key="UnitSTS:FederationMetadataLocation" value="https://codev1.dot.state.fl.us/fdot.sts/federationmetadata/2007-06/federationmetadata.xml" /> <add key="UnitSTS:Realm" value="https://yoururlhere/" /> <add key="UnitSTS:AudienceUri" value="https://yoururlhere/" /> <add key="UnitSTS:SigningThumb" value="9748D73D42FF7CBD1C3CCD6FC7B2DFABF3AB6FD6" /> <add key="UnitSTS:EncryptionThumb" value="9748D73D42FF7CBD1C3CCD6FC7B2DFABF3AB6FD6" /> <add key="UnitSTS:Issuer" value="https://codev1.dot.state.fl.us/FDOT.STS/securitytoken/issue" />@@ Create a class called Saml2SecurityTokenHandlerEx: @@public class Saml2SecurityTokenHandlerEx : Saml2SecurityTokenHandler, ISecurityTokenValidator { public override bool CanReadToken(string securityToken) { using (var sreader = new StringReader(securityToken)) { using (var xreader = XmlReader.Create(sreader)) { return base.CanReadToken(xreader); } } } public ClaimsPrincipal ValidateToken(string securityToken, TokenValidationParameters validationParameters, out SecurityToken validatedToken) { using (var sreader = new StringReader(securityToken)) { using (var xreader = XmlReader.Create(sreader)) { validatedToken = ReadToken(xreader, Configuration.ServiceTokenResolver); return new ClaimsPrincipal(ValidateToken(validatedToken)); } } } public int MaximumTokenSizeInBytes { get; set; } }@@ Create a class called EncryptedSecurityTokenHandlerEx: @@ public class EncryptedSecurityTokenHandlerEx : EncryptedSecurityTokenHandler, ISecurityTokenValidator { public EncryptedSecurityTokenHandlerEx(SecurityTokenResolver securityTokenResolver) { Configuration = new SecurityTokenHandlerConfiguration { ServiceTokenResolver = securityTokenResolver }; } public override bool CanReadToken(string securityToken) { using (var stringreader = new StringReader(securityToken)) { using (var xreader = new XmlTextReader(stringreader)) { return base.CanReadToken(xreader); } } } public ClaimsPrincipal ValidateToken(string securityToken, TokenValidationParameters validationParameters, out SecurityToken validatedToken) { using (var stringreader = new StringReader(securityToken)) { using (var xreader = new XmlTextReader(stringreader)) { validatedToken = ReadToken(xreader, Configuration.ServiceTokenResolver); } } return ContainingCollection != null ? new ClaimsPrincipal(ContainingCollection.ValidateToken(validatedToken)) : new ClaimsPrincipal(base.ValidateToken(validatedToken)); } public int MaximumTokenSizeInBytes { get; set; } }@@ Open up Startup.Auth: @@ public partial class Startup { private static string unitRealm = ConfigurationManager.AppSettings["UnitSTS:Realm"]; private static string unitStsMetadata = ConfigurationManager.AppSettings["UnitSTS:FederationMetadataLocation"]; public void ConfigureAuth(IAppBuilder app) { app.SetDefaultSignInAsAuthenticationType(CookieAuthenticationDefaults.AuthenticationType); app.UseCookieAuthentication(new CookieAuthenticationOptions { CookieSecure = CookieSecureOption.Always, ExpireTimeSpan = new TimeSpan(0, 5, 0, 0), CookieHttpOnly = true, AuthenticationType = WsFederationAuthenticationDefaults.AuthenticationType, Provider = new CookieAuthenticationProvider() { OnApplyRedirect = ctx => { var response = ctx.Response; response.Redirect(ctx.RedirectUri); } } }); var tokenHandlers = MakeTokenHandlerCollection(); var stsOptions = MakeAuthenticationOptions(tokenHandlers); app.UseWsFederationAuthentication(stsOptions); app.UseStageMarker(PipelineStage.Authenticate); } private WsFederationAuthenticationOptions MakeAuthenticationOptions(SecurityTokenHandlerCollection tokenHandlerCollection) { var wsEvents = new WsFederationAuthenticationNotifications(); wsEvents.AuthenticationFailed += AuthenticationFailed; wsEvents.RedirectToIdentityProvider += RedirectToIdentityProvider; wsEvents.SecurityTokenValidated += SecurityTokenValidated; wsEvents.SecurityTokenReceived += SecurityTokenReceived; return new WsFederationAuthenticationOptions { Notifications = wsEvents, SecurityTokenHandlers = tokenHandlerCollection, MetadataAddress = unitStsMetadata, AuthenticationType = WsFederationAuthenticationDefaults.AuthenticationType, SignInAsAuthenticationType = CookieAuthenticationDefaults.AuthenticationType, // Wreply = $"{unitRealm}api/login/logincallback/", Wtrealm = unitRealm, TokenValidationParameters = new TokenValidationParameters { AuthenticationType = WsFederationAuthenticationDefaults.AuthenticationType, ValidAudience = unitRealm } }; } private Task SecurityTokenReceived(SecurityTokenReceivedNotification<WsFederationMessage, WsFederationAuthenticationOptions> securityTokenReceivedNotification) { return Task.FromResult(0); } private SecurityTokenHandlerCollection MakeTokenHandlerCollection() { var audienceRestriction = new AudienceRestriction(AudienceUriMode.Always); audienceRestriction.AllowedAudienceUris.Add(new Uri(unitRealm)); var issuerRegistry = new ConfigurationBasedIssuerNameRegistry(); issuerRegistry.AddTrustedIssuer(ConfigurationManager.AppSettings["UnitSTS:SigningThumb"], ConfigurationManager.AppSettings["UnitSTS:Issuer"]); var tokenResolver = new X509CertificateStoreTokenResolver(StoreName.My, StoreLocation.LocalMachine); return new SecurityTokenHandlerCollection { new EncryptedSecurityTokenHandlerEx(tokenResolver), new Saml2SecurityTokenHandlerEx { CertificateValidator = X509CertificateValidator.None, Configuration = new SecurityTokenHandlerConfiguration { AudienceRestriction = audienceRestriction, IssuerNameRegistry = issuerRegistry, ServiceTokenResolver = tokenResolver } } }; } private Task SecurityTokenValidated(SecurityTokenValidatedNotification<WsFederationMessage, WsFederationAuthenticationOptions> securityTokenValidatedNotification) { var redirectUri = new Uri(securityTokenValidatedNotification.AuthenticationTicket.Properties.RedirectUri, UriKind.RelativeOrAbsolute); if (redirectUri.IsAbsoluteUri) { securityTokenValidatedNotification.AuthenticationTicket.Properties.RedirectUri = redirectUri.PathAndQuery; } // ApplyClaims(securityTokenValidatedNotification.AuthenticationTicket.Identity); return Task.FromResult(0); } private Task RedirectToIdentityProvider(RedirectToIdentityProviderNotification<WsFederationMessage, WsFederationAuthenticationOptions> redirectToIdentityProviderNotification) { if (IsAjaxRequest(redirectToIdentityProviderNotification.Request)) { redirectToIdentityProviderNotification.OwinContext.Response.StatusCode = 401; redirectToIdentityProviderNotification.HandleResponse(); } if (redirectToIdentityProviderNotification.OwinContext.Response.StatusCode == 401 && redirectToIdentityProviderNotification.OwinContext.Authentication.User.Identity.IsAuthenticated) { redirectToIdentityProviderNotification.OwinContext.Response.StatusCode = 403; redirectToIdentityProviderNotification.HandleResponse(); } return Task.FromResult(0); } private Task AuthenticationFailed(AuthenticationFailedNotification<WsFederationMessage, WsFederationAuthenticationOptions> authenticationFailedNotification) { if (IsAjaxRequest(authenticationFailedNotification.Request)) { authenticationFailedNotification.HandleResponse(); } return Task.Delay(0); } private static bool IsAjaxRequest(IOwinRequest request) { IReadableStringCollection query = request.Query; if ((query != null) && (query["X-Requested-With"] == "XMLHttpRequest")) { return true; } IHeaderDictionary headers = request.Headers; return ((headers != null) && (headers["X-Requested-With"] == "XMLHttpRequest")); } }@@
Meta Keywords:
Meta Description:
Change Comment:
ScrewTurn Wiki
version 3.0.4.560. Some of the icons created by
FamFamFam
.