Merge pull request #112 from ITfoxtec/development

Development

Author: Revsgaard

src/AspNetCoreSamlIdPSample/Controllers/SamlController.cs

@@ -19,6 +19,9 @@
 using FoxIDs.SampleHelperLibrary.Models;
 using ITfoxtec.Identity.Util;
 using ITfoxtec.Identity.Saml2.Claims;
+using System.Web;
+using Microsoft.AspNetCore.Mvc.Rendering;
+using ITfoxtec.Identity;
 
 namespace AspNetCoreSamlIdPSample.Controllers
 {
@@ -48,30 +51,30 @@ public IActionResult Metadata()
             entityDescriptor.ValidUntil = 365;
             entityDescriptor.IdPSsoDescriptor = new IdPSsoDescriptor
             {
-                SigningCertificates = new X509Certificate2[]
-                {
+                SigningCertificates =
+                [
                     saml2Config.SigningCertificate
-                },
-                //EncryptionCertificates = new X509Certificate2[]
-                //{
+                ],
+                //EncryptionCertificates =
+                //[
                 //    saml2Config.DecryptionCertificate
-                //},
-                SingleSignOnServices = new SingleSignOnService[]
-                {
+                //],
+                SingleSignOnServices =
+                [
                     new SingleSignOnService { Binding = ProtocolBindings.HttpRedirect, Location = new Uri(UrlCombine.Combine(defaultSite, "/Saml/Login")) }
-                },
-                SingleLogoutServices = new SingleLogoutService[]
-                {
+                ],
+                SingleLogoutServices =
+                [
                     new SingleLogoutService { Binding = ProtocolBindings.HttpPost, Location = new Uri(UrlCombine.Combine(defaultSite, "/Saml/Logout")) }
-                },
-                NameIDFormats = new Uri[] { NameIdentifierFormats.X509SubjectName },
+                ],
+                NameIDFormats = [NameIdentifierFormats.X509SubjectName],
             };
-            entityDescriptor.ContactPersons = new [] { 
+            entityDescriptor.ContactPersons = [
                 new ContactPerson(ContactTypes.Administrative)
                 {
                     Company = "Some sample IdP",
                 } 
-            };
+            ];
             return new Saml2Metadata(entityDescriptor).CreateMetadata().ToActionResult();
         }
 
@@ -86,26 +89,9 @@ public async Task<IActionResult> Login()
             {
                 httpRequest.Binding.Unbind(httpRequest, saml2AuthnRequest);
 
-                // ****  Handle user login e.g. in GUI ****
-                // Test user with session index and claims
-                var session = await idPSessionCookieRepository.GetAsync();
-                if (session == null)
-                {
-                    session = new IdPSession
-                    {
-                        RelyingPartyIssuer = relyingParty.Issuer,
-                        NameIdentifier = "12345",
-                        Upn = "12345@email.test",
-                        Email = "some@email.test",
-                        CustomId = "123abc",
-                        CustomName = "Test Users Custom Full Name",
-                        SessionIndex = Guid.NewGuid().ToString()
-                    };
-                    await idPSessionCookieRepository.SaveAsync(session);
-                }
-                var claims = GetClaims(session);
-
-                return LoginResponse(saml2AuthnRequest.Id, Saml2StatusCodes.Success, httpRequest.Binding.RelayState, relyingParty, session.SessionIndex, claims);
+                var session = await GetSession(relyingParty);
+
+                return LoginResponse(saml2AuthnRequest.Id, Saml2StatusCodes.Success, httpRequest.Binding.RelayState, relyingParty, session.SessionIndex, GetClaims(session));
             }
             catch (Exception ex)
             {
@@ -114,20 +100,78 @@ public async Task<IActionResult> Login()
             }
         }
 
-        private Saml2Configuration GetLoginSaml2Config(RelyingParty relyingParty)
+        [Route("IdPInitiated")]
+        public IActionResult IdPInitiated()
         {
-            var loginSaml2Config = new Saml2Configuration
+            return base.View(new IdPInitiatedViewModel { RelyingPartyIssuers = GetRelyingPartyListItems() });
+        }
+
+        [HttpPost("IdPInitiated")]
+        public async Task<IActionResult> IdPInitiated(IdPInitiatedViewModel idPInitiatedViewModel)
+        {
+            if ("oidc".Equals(idPInitiatedViewModel.ApplicationType, StringComparison.OrdinalIgnoreCase) && idPInitiatedViewModel.ApplicationRedirectURL.IsNullOrWhiteSpace())
             {
-                Issuer = saml2Config.Issuer,
-                SigningCertificate = saml2Config.SigningCertificate,                
-                SignatureAlgorithm = saml2Config.SignatureAlgorithm,
-                CertificateValidationMode = saml2Config.CertificateValidationMode,
-                RevocationMode = saml2Config.RevocationMode
-            };
-            loginSaml2Config.AllowedAudienceUris.AddRange(saml2Config.AllowedAudienceUris);
-            loginSaml2Config.EncryptionCertificate = relyingParty.EncryptionCertificate;
+                ModelState.AddModelError(nameof(idPInitiatedViewModel.ApplicationRedirectURL), $"The {nameof(idPInitiatedViewModel.ApplicationRedirectURL)} field is required for OpenID Connect (oidc)");
+            }
 
-            return loginSaml2Config;
+            if (!ModelState.IsValid)
+            {
+                idPInitiatedViewModel.RelyingPartyIssuers = GetRelyingPartyListItems();
+                return View(idPInitiatedViewModel);
+            }
+
+            var relyingParty = ValidateRelyingParty(idPInitiatedViewModel.RelyingPartyIssuer);
+
+            var binding = new Saml2PostBinding();
+            binding.RelayState = string.Join('&', GetRelayState(idPInitiatedViewModel));
+
+            var response = new Saml2AuthnResponse(GetLoginSaml2Config(relyingParty));
+            response.Status = Saml2StatusCodes.Success;
+
+            var session = await GetSession(relyingParty);
+
+            return LoginResponse(null, Saml2StatusCodes.Success, binding.RelayState, relyingParty, session.SessionIndex, GetClaims(session));
+
+
+            //var claimsIdentity = new ClaimsIdentity(GetClaims(session));
+            //response.NameId = new Saml2NameIdentifier(claimsIdentity.Claims.Where(c => c.Type == ClaimTypes.NameIdentifier).Select(c => c.Value).Single(), NameIdentifierFormats.Persistent);
+            //response.ClaimsIdentity = claimsIdentity;
+            //var token = response.CreateSecurityToken(relyingParty.Issuer);
+
+            //return binding.Bind(response).ToActionResult();
+        }
+
+        private IEnumerable<string> GetRelayState(IdPInitiatedViewModel idPInitiatedViewModel)
+        {
+            yield return $"app_name={HttpUtility.UrlEncode(idPInitiatedViewModel.ApplicationName.ToLower())}";
+            yield return $"app_type={idPInitiatedViewModel.ApplicationType.ToLower()}";
+            if (!idPInitiatedViewModel.ApplicationRedirectURL.IsNullOrWhiteSpace())
+            {
+                yield return $"app_redirect={HttpUtility.UrlEncode(idPInitiatedViewModel.ApplicationRedirectURL)}";
+            }
+        }
+
+        private async Task<IdPSession> GetSession(RelyingParty relyingParty)
+        {
+            // ****  Handle user login e.g. in GUI ****
+            // Test user with session index and claims
+            var session = await idPSessionCookieRepository.GetAsync();
+            if (session == null)
+            {
+                session = new IdPSession
+                {
+                    RelyingPartyIssuer = relyingParty.Issuer,
+                    NameIdentifier = "12345",
+                    Upn = "12345@email.test",
+                    Email = "some@email.test",
+                    CustomId = "123abc",
+                    CustomName = "Test Users Custom Full Name",
+                    SessionIndex = Guid.NewGuid().ToString()
+                };
+                await idPSessionCookieRepository.SaveAsync(session);
+            }
+
+            return session;
         }
 
         private IEnumerable<Claim> GetClaims(IdPSession idPSession)
@@ -145,6 +189,34 @@ private IEnumerable<Claim> GetClaims(IdPSession idPSession)
             yield return new Claim(Saml2ClaimTypes.SessionIndex, idPSession.SessionIndex);
         }
 
+        private IEnumerable<SelectListItem> GetRelyingPartyListItems() => settings.RelyingParties.Select(r => new SelectListItem(r.SingleSignOnDestination.OriginalString, r.Issuer));
+
+        private IActionResult LoginResponse(Saml2Id inResponseTo, Saml2StatusCodes status, string relayState, RelyingParty relyingParty, string sessionIndex = null, IEnumerable<Claim> claims = null)
+        {
+            var responsebinding = new Saml2PostBinding();
+            responsebinding.RelayState = relayState;
+
+            var saml2AuthnResponse = new Saml2AuthnResponse(GetLoginSaml2Config(relyingParty))
+            {
+                InResponseTo = inResponseTo,
+                Status = status,
+                Destination = relyingParty.SingleSignOnDestination,
+            };
+            if (status == Saml2StatusCodes.Success && claims != null)
+            {
+                saml2AuthnResponse.SessionIndex = sessionIndex;
+
+                var claimsIdentity = new ClaimsIdentity(claims);
+                saml2AuthnResponse.NameId = new Saml2NameIdentifier(claimsIdentity.Claims.Where(c => c.Type == ClaimTypes.NameIdentifier).Select(c => c.Value).Single(), NameIdentifierFormats.Persistent);
+                //saml2AuthnResponse.NameId = new Saml2NameIdentifier(claimsIdentity.Claims.Where(c => c.Type == ClaimTypes.NameIdentifier).Select(c => c.Value).Single());
+                saml2AuthnResponse.ClaimsIdentity = claimsIdentity;
+
+                _ = saml2AuthnResponse.CreateSecurityToken(relyingParty.Issuer);
+            }
+
+            return responsebinding.Bind(saml2AuthnResponse).ToActionResult();
+        }
+
         [Route("Logout")]
         public async Task<IActionResult> Logout()
         {
@@ -222,46 +294,36 @@ private string ReadRelyingPartyFromLogoutResponse(Saml2Http.HttpRequest httpRequ
             return httpRequest.Binding.ReadSamlResponse(httpRequest, new Saml2LogoutResponse(saml2Config))?.Issuer;
         }
 
-        private IActionResult LoginResponse(Saml2Id inResponseTo, Saml2StatusCodes status, string relayState, RelyingParty relyingParty, string sessionIndex = null, IEnumerable<Claim> claims = null)
+        private IActionResult LogoutResponse(Saml2Id inResponseTo, Saml2StatusCodes status, string relayState, string sessionIndex, RelyingParty relyingParty)
         {
             var responsebinding = new Saml2PostBinding();
             responsebinding.RelayState = relayState;
 
-            var saml2AuthnResponse = new Saml2AuthnResponse(GetLoginSaml2Config(relyingParty))
+            var saml2LogoutResponse = new Saml2LogoutResponse(saml2Config)
             {
                 InResponseTo = inResponseTo,
                 Status = status,
-                Destination = relyingParty.SingleSignOnDestination,
+                Destination = relyingParty.SingleLogoutResponseDestination,
+                SessionIndex = sessionIndex
             };
-            if (status == Saml2StatusCodes.Success && claims != null)
-            {
-                saml2AuthnResponse.SessionIndex = sessionIndex;
 
-                var claimsIdentity = new ClaimsIdentity(claims);
-                saml2AuthnResponse.NameId = new Saml2NameIdentifier(claimsIdentity.Claims.Where(c => c.Type == ClaimTypes.NameIdentifier).Select(c => c.Value).Single(), NameIdentifierFormats.Persistent);
-                //saml2AuthnResponse.NameId = new Saml2NameIdentifier(claimsIdentity.Claims.Where(c => c.Type == ClaimTypes.NameIdentifier).Select(c => c.Value).Single());
-                saml2AuthnResponse.ClaimsIdentity = claimsIdentity;
-
-                _ = saml2AuthnResponse.CreateSecurityToken(relyingParty.Issuer);
-            }
-
-            return responsebinding.Bind(saml2AuthnResponse).ToActionResult();
+            return responsebinding.Bind(saml2LogoutResponse).ToActionResult();
         }
 
-        private IActionResult LogoutResponse(Saml2Id inResponseTo, Saml2StatusCodes status, string relayState, string sessionIndex, RelyingParty relyingParty)
+        private Saml2Configuration GetLoginSaml2Config(RelyingParty relyingParty)
         {
-            var responsebinding = new Saml2PostBinding();
-            responsebinding.RelayState = relayState;
-
-            var saml2LogoutResponse = new Saml2LogoutResponse(saml2Config)
+            var loginSaml2Config = new Saml2Configuration
             {
-                InResponseTo = inResponseTo,
-                Status = status,
-                Destination = relyingParty.SingleLogoutResponseDestination,
-                SessionIndex = sessionIndex
+                Issuer = saml2Config.Issuer,
+                SigningCertificate = saml2Config.SigningCertificate,
+                SignatureAlgorithm = saml2Config.SignatureAlgorithm,
+                CertificateValidationMode = saml2Config.CertificateValidationMode,
+                RevocationMode = saml2Config.RevocationMode
             };
+            loginSaml2Config.AllowedAudienceUris.AddRange(saml2Config.AllowedAudienceUris);
+            loginSaml2Config.EncryptionCertificate = relyingParty.EncryptionCertificate;
 
-            return responsebinding.Bind(saml2LogoutResponse).ToActionResult();
+            return loginSaml2Config;
         }
 
         private RelyingParty ValidateRelyingParty(string issuer)

src/AspNetCoreSamlIdPSample/Models/ErrorViewModel.cs

@@ -1,5 +1,3 @@
-using System;
-
 namespace AspNetCoreSamlIdPSample.Models
 {
     public class ErrorViewModel

src/AspNetCoreSamlIdPSample/Models/IdPInitiatedViewModel.cs

@@ -0,0 +1,30 @@
+using Microsoft.AspNetCore.Mvc.Rendering;
+using System.Collections.Generic;
+using System.ComponentModel.DataAnnotations;
+
+namespace AspNetCoreSamlIdPSample.Models
+{
+    public class IdPInitiatedViewModel
+    {
+        [Display(Name = "Authentication method")]
+        [Required]
+        [MaxLength(500)]
+        public string RelyingPartyIssuer { get; set; }
+
+        public IEnumerable<SelectListItem> RelyingPartyIssuers { get; set; }
+
+        [Display(Name = "Application (technical name)")]
+        [Required]
+        [MaxLength(500)]
+        public string ApplicationName { get; set; }
+
+        [Display(Name = "Application redirect URL - required for OpenID Connect (oidc)")]
+        [MaxLength(500)]
+        public string ApplicationRedirectURL { get; set; }
+
+        [Display(Name = "Application type ('oidc' or 'saml2')")]
+        [Required]
+        [MaxLength(10)]
+        public string ApplicationType { get; set; } 
+    }
+}

src/AspNetCoreSamlIdPSample/Views/Saml/IdPInitiated.cshtml

@@ -0,0 +1,64 @@
+@model IdPInitiatedViewModel
+@{
+    ViewBag.Title = "IdP Initiated Login";
+}
+
+<h2>@ViewBag.Title</h2>
+
+<div class="row">
+    <div class="col-md-12">
+        <blockquote>
+            <p>Select the authentication method and fill in the name of the application that the request should be redirected to after successful login.</p>
+            <h3>Test data</h3>
+            <p>
+                <strong>SAML 2.0 sample application</strong>
+                <div>Application: aspnetcore_saml_sample</div>
+                <i>The application redirect URL is optional</i>
+                <div>Application type: saml2</div>
+            </p>
+            <p>
+                <strong>OpenID Connect sample application</strong>
+                <div>Application: aspnet_oidc_allup_sample</div>
+                <div>Application redirect URL: https://localhost:44349/home/secure</div>
+                <i>The redirect URL need to be configured as a redirect URL for the application.</i>
+                <div>Application type: oidc</div>
+            </p>
+        </blockquote>
+    </div>
+</div>
+<div class="row">
+    <div class="col-md-12">
+        <form method="post">
+            <div asp-validation-summary="ModelOnly"></div>
+            <div class="form-group">
+                <label asp-for="RelyingPartyIssuer" class="control-label"></label>
+                <select asp-for="RelyingPartyIssuer" asp-items="@Model.RelyingPartyIssuers" class="form-control"></select>
+                <span asp-validation-for="RelyingPartyIssuer" class="text-danger"></span>
+            </div>
+            <div class="form-group">
+                <label asp-for="ApplicationName" class="label-control"></label>
+                <input asp-for="ApplicationName" autocomplete="off" class="form-control input-control" autofocus />
+                <span asp-validation-for="ApplicationName"></span>
+            </div>
+            <div class="form-group">
+                <label asp-for="ApplicationRedirectURL" class="label-control"></label>
+                <input asp-for="ApplicationRedirectURL" autocomplete="off" class="form-control input-control" autofocus />
+                <span asp-validation-for="ApplicationRedirectURL"></span>
+            </div>
+            <div class="form-group">
+                <label asp-for="ApplicationType" class="label-control"></label>
+                <input asp-for="ApplicationType" autocomplete="off" class="form-control input-control" autofocus />
+                <span asp-validation-for="ApplicationType"></span>
+            </div>
+            <div class="form-group">
+                <input type="submit" value="Login" class="btn btn-primary" />
+            </div>
+        </form>
+    </div>
+</div>
+
+@section Scripts {
+    @{
+        await Html.RenderPartialAsync("_ValidationScriptsPartial");
+    }
+}

src/AspNetCoreSamlIdPSample/Views/Shared/_Layout.cshtml

@@ -26,11 +26,12 @@
                     <span class="icon-bar"></span>
                     <span class="icon-bar"></span>
                 </button>
-                <a asp-area="" asp-controller="Home" asp-action="Index" class="navbar-brand">AspNetCoreSamlIdPSample</a>
+                <a asp-controller="Home" asp-action="Index" class="navbar-brand">AspNetCoreSamlIdPSample</a>
             </div>
             <div class="navbar-collapse collapse">
                 <ul class="nav navbar-nav">
-                    <li><a asp-area="" asp-controller="Home" asp-action="Index">Home</a></li>
+                    <li><a asp-controller="Home" asp-action="Index">Home</a></li>
+                    <li><a asp-controller="Saml" asp-action="IdPInitiated">IdP Initiated Login</a></li>
                     <li><a asp-controller="Saml" asp-action="Metadata">Metadata</a></li>
                 </ul>
             </div>

src/AspNetCoreSamlIdPSample/wwwroot/css/site.css

@@ -35,3 +35,7 @@ body {
         display: none;
     }
 }
+
+.field-validation-error {
+    color: red;
+}