From ef1d3856e38374f964927f5f3560f45a262d2baa Mon Sep 17 00:00:00 2001
From: Patrice Cote
Date: Fri, 12 Sep 2014 14:31:55 -0400
Subject: [PATCH] Added SAML token decription

Manage the case of encrypted SAML token from ADFS.
---
 .../AdfsIntegration/AdfsController.cs | 24 +++++++++++++++++--
 1 file changed, 22 insertions(+), 2 deletions(-)

diff --git a/src/Libraries/Thinktecture.IdentityServer.Protocols/AdfsIntegration/AdfsController.cs b/src/Libraries/Thinktecture.IdentityServer.Protocols/AdfsIntegration/AdfsController.cs
index 9310da12..63f3c9cb 100644
--- a/src/Libraries/Thinktecture.IdentityServer.Protocols/AdfsIntegration/AdfsController.cs
+++ b/src/Libraries/Thinktecture.IdentityServer.Protocols/AdfsIntegration/AdfsController.cs
@@ -1,8 +1,12 @@
 using System;
+using System.Collections.ObjectModel;
 using System.ComponentModel.Composition;
+using System.IdentityModel.Selectors;
 using System.IdentityModel.Tokens;
 using System.Net;
 using System.Net.Http;
+using System.Security.Cryptography.X509Certificates;
+using System.ServiceModel.Security;
 using System.Text;
 using System.Web.Http;
 using Thinktecture.IdentityModel.Constants;
@@ -190,8 +194,24 @@ private HttpResponseMessage CreateTokenResponse(GenericXmlSecurityToken token, s
 else
 {
 var bridge = new AdfsBridge(ConfigurationRepository);
-
- response = bridge.ConvertSamlToJwt(token.ToSecurityToken(), scope);
+ if (ConfigurationRepository.Keys.DecryptionCertificate != null)
+ {
+ var configuration = new SecurityTokenHandlerConfiguration
+ {
+ AudienceRestriction = { AudienceMode = AudienceUriMode.Never },
+ CertificateValidationMode = X509CertificateValidationMode.None,
+ RevocationMode = X509RevocationMode.NoCheck,
+ CertificateValidator = X509CertificateValidator.None,
+ ServiceTokenResolver = SecurityTokenResolver.CreateDefaultSecurityTokenResolver(
+ new ReadOnlyCollection(new SecurityToken[] { new X509SecurityToken(ConfigurationRepository.Keys.DecryptionCertificate) }), false)
+ };
+ var handler = SecurityTokenHandlerCollection.CreateDefaultSecurityTokenHandlerCollection(configuration);
+ response = bridge.ConvertSamlToJwt(token.ToSecurityToken(handler), scope);
+ }
+ else
+ {
+ response = bridge.ConvertSamlToJwt(token.ToSecurityToken(), scope);
+ }
 }
 return Request.CreateResponse(HttpStatusCode.OK, response);
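Review bot: The handler collection built in the new branch switches off every check the token handlers could perform — `CertificateValidationMode = X509CertificateValidationMode.None`, `RevocationMode = X509RevocationMode.NoCheck`, `CertificateValidator = X509CertificateValidator.None` and `AudienceMode = AudienceUriMode.Never` — with no comment saying why that is acceptable, and nothing in the hunk shows where the decrypted assertion's signature and issuer are subsequently verified (presumably inside `bridge.ConvertSamlToJwt`, which is outside this patch). Since the collection is passed only to `token.ToSecurityToken(handler)`, it appears to be used to read and decrypt the token rather than to validate it, so that intent should be stated next to the configuration, e.g. `// NOTE: this handler collection only decrypts the incoming SAML token with the configured certificate; it validates nothing, so issuer/signature trust must be established by AdfsBridge — confirm.`. As printed, `new ReadOnlyCollection(` carries no type argument, and `ReadOnlyCollection<SecurityToken>` is required to compile, so check whether the `<SecurityToken>` was lost in rendering or in the commit itself. `ConfigurationRepository.Keys.DecryptionCertificate` is read three times in the new branch; a single `var decryptionCertificate = ConfigurationRepository.Keys.DecryptionCertificate;` before the `if` would make the null check and the `X509SecurityToken` construction agree by construction. `CreateTokenResponse` begins before this hunk, and the hunk's trailing context line appears to be cut off on this page.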