Issuer, EntityID and AllowedAudienceUris support string values and do…

… not require a URI. Full support in .NET Core. AllowedAudienceUris as string values is not supported in .NET Framework.
ITfoxtec · Mar 10, 2019 · d3b05f8 · d3b05f8
1 parent df95533
commit d3b05f8
Show file tree

Hide file tree

Showing 15 changed files with 44 additions and 44 deletions.
diff --git a/src/ITfoxtec.Identity.Saml2.Mvc/ITfoxtec.Identity.Saml2.Mvc.csproj b/src/ITfoxtec.Identity.Saml2.Mvc/ITfoxtec.Identity.Saml2.Mvc.csproj
@@ -16,10 +16,10 @@
     <PackageTags>SAML SAML2.0 SAML2 SAML-P SAMLP SSO Identity Provider (IdP) and Relying Party (RP) Authentication Metadata OIOSAML NemLog-in ASP.NET MVC</PackageTags>
     <NeutralLanguage>en-US</NeutralLanguage>
     <PackageIconUrl>https://itfoxtec.com/favicon.ico</PackageIconUrl>
-    <AssemblyVersion>3.1.0.1</AssemblyVersion>
-    <FileVersion>3.1.0.1</FileVersion>
+    <AssemblyVersion>3.1.0.3</AssemblyVersion>
+    <FileVersion>3.1.0.3</FileVersion>
     <Copyright>Copyright © 2019</Copyright>
-    <Version>3.1.0.0-beta2</Version>
+    <Version>3.1.0.3-beta3</Version>
     <SignAssembly>true</SignAssembly>
     <AssemblyOriginatorKeyFile>ITfoxtec.SAML2.snk</AssemblyOriginatorKeyFile>
     <DelaySign>false</DelaySign>

diff --git a/src/ITfoxtec.Identity.Saml2.MvcCore/ITfoxtec.Identity.Saml2.MvcCore.csproj b/src/ITfoxtec.Identity.Saml2.MvcCore/ITfoxtec.Identity.Saml2.MvcCore.csproj
@@ -17,10 +17,10 @@
     <PackageTags>SAML SAML2.0 SAML2 SAML-P SAMLP SSO Identity Provider (IdP) Relying Party (RP) Authentication Metadata OIOSAML NemLog-in ASP.NET MVC Core</PackageTags>
     <NeutralLanguage>en-US</NeutralLanguage>
     <PackageIconUrl>https://itfoxtec.com/favicon.ico</PackageIconUrl>
-    <AssemblyVersion>3.1.0.1</AssemblyVersion>
-    <FileVersion>3.1.0.1</FileVersion>
+    <AssemblyVersion>3.1.0.3</AssemblyVersion>
+    <FileVersion>3.1.0.3</FileVersion>
     <Copyright>Copyright © 2019</Copyright>
-    <Version>3.1.0.0-beta2</Version>
+    <Version>3.1.0.3-beta3</Version>
     <SignAssembly>true</SignAssembly>
     <AssemblyOriginatorKeyFile>ITfoxtec.SAML2.snk</AssemblyOriginatorKeyFile>
     <DelaySign>false</DelaySign>

diff --git a/src/ITfoxtec.Identity.Saml2/Configuration/Saml2Configuration.cs b/src/ITfoxtec.Identity.Saml2/Configuration/Saml2Configuration.cs
@@ -11,7 +11,7 @@ namespace ITfoxtec.Identity.Saml2
     /// </summary>
     public class Saml2Configuration
     {
-        public Uri Issuer { get; set; }
+        public string Issuer { get; set; }
 
         public Uri SingleSignOnDestination { get; set; }
 
@@ -31,7 +31,7 @@ public class Saml2Configuration
         public bool DetectReplayedTokens { get; set; } = false;
 
         public bool AudienceRestricted { get; set; } = true;
-        public List<Uri> AllowedAudienceUris { get; protected set; } = new List<Uri>();
+        public List<string> AllowedAudienceUris { get; protected set; } = new List<string>();
 
         public bool SignAuthnRequest { get; set; } = false;
     }

diff --git a/src/ITfoxtec.Identity.Saml2/Configuration/Saml2IdentityConfiguration.cs b/src/ITfoxtec.Identity.Saml2/Configuration/Saml2IdentityConfiguration.cs
@@ -42,8 +42,8 @@ public static Saml2IdentityConfiguration GetIdentityConfiguration(Saml2Configura
 #else
             configuration.SaveSigninToken = config.SaveBootstrapContext;
             configuration.ValidateAudience = config.AudienceRestricted;
-            configuration.ValidAudiences = config.AllowedAudienceUris.Select(a => a.OriginalString);
-            configuration.ValidIssuer = config.Issuer?.OriginalString;
+            configuration.ValidAudiences = config.AllowedAudienceUris.Select(a => a);
+            configuration.ValidIssuer = config.Issuer;
             configuration.ValidateTokenReplay = config.DetectReplayedTokens;
 
             configuration.NameClaimType = ClaimTypes.NameIdentifier;
@@ -58,14 +58,14 @@ public static Saml2IdentityConfiguration GetIdentityConfiguration(Saml2Configura
         }
 
 #if NETFULL
-        private static AudienceRestriction GetAudienceRestriction(bool audienceRestricted, IEnumerable<Uri> allowedAudienceUris)
+        private static AudienceRestriction GetAudienceRestriction(bool audienceRestricted, IEnumerable<string> allowedAudienceUris)
         {
             var audienceRestriction = new AudienceRestriction(audienceRestricted ? System.IdentityModel.Selectors.AudienceUriMode.Always : System.IdentityModel.Selectors.AudienceUriMode.Never);
             if (audienceRestricted)
             {
                 foreach (var audienceUri in allowedAudienceUris)
                 {
-                    audienceRestriction.AllowedAudienceUris.Add(audienceUri);
+                    audienceRestriction.AllowedAudienceUris.Add(new Uri(audienceUri));
                 }
             }
             return audienceRestriction;

diff --git a/src/ITfoxtec.Identity.Saml2/ITfoxtec.Identity.Saml2.csproj b/src/ITfoxtec.Identity.Saml2/ITfoxtec.Identity.Saml2.csproj
@@ -19,10 +19,10 @@
     <PackageTags>SAML SAML2.0 SAML2 SAML-P SAMLP SSO Identity Provider (IdP) Relying Party (RP) Authentication Metadata OIOSAML NemLog-in</PackageTags>
     <NeutralLanguage>en-US</NeutralLanguage>
     <PackageIconUrl>https://itfoxtec.com/favicon.ico</PackageIconUrl>
-    <AssemblyVersion>3.1.0.1</AssemblyVersion>
-    <FileVersion>3.1.0.1</FileVersion>
+    <AssemblyVersion>3.1.0.3</AssemblyVersion>
+    <FileVersion>3.1.0.3</FileVersion>
     <Copyright>Copyright © 2019</Copyright>
-    <Version>3.1.0.0-beta2</Version>
+    <Version>3.1.0.3-beta3</Version>
     <SignAssembly>true</SignAssembly>
     <AssemblyOriginatorKeyFile>ITfoxtec.SAML2.snk</AssemblyOriginatorKeyFile>
     <DelaySign>false</DelaySign>

diff --git a/src/ITfoxtec.Identity.Saml2/Request/Saml2AuthnResponse.cs b/src/ITfoxtec.Identity.Saml2/Request/Saml2AuthnResponse.cs
@@ -88,7 +88,7 @@ protected override void ValidateElementName()
         /// <param name="subjectConfirmationLifetime">The Subject Confirmation Lifetime in minutes.</param>
         /// <param name="issuedTokenLifetime">The Issued Token Lifetime in minutes.</param>
         /// <returns>The SAML 2.0 Security Token.</returns>
-        public Saml2SecurityToken CreateSecurityToken(Uri appliesToAddress, Uri authnContext = null, int subjectConfirmationLifetime = 5, int issuedTokenLifetime = 60)
+        public Saml2SecurityToken CreateSecurityToken(string appliesToAddress, Uri authnContext = null, int subjectConfirmationLifetime = 5, int issuedTokenLifetime = 60)
         {
             if (appliesToAddress == null) throw new ArgumentNullException(nameof(appliesToAddress));
             if (ClaimsIdentity == null) throw new ArgumentNullException("ClaimsIdentity property");
@@ -125,7 +125,7 @@ public Saml2SecurityToken CreateSecurityToken(SecurityTokenDescriptor tokenDescr
             return Saml2SecurityToken;
         }
 
-        protected virtual SecurityTokenDescriptor CreateTokenDescriptor(IEnumerable<Claim> claims, Uri appliesToAddress, int issuedTokenLifetime)
+        protected virtual SecurityTokenDescriptor CreateTokenDescriptor(IEnumerable<Claim> claims, string appliesToAddress, int issuedTokenLifetime)
         {
             if (Issuer == null) throw new ArgumentNullException("Issuer property");
 
@@ -135,12 +135,12 @@ protected virtual SecurityTokenDescriptor CreateTokenDescriptor(IEnumerable<Clai
 #if NETFULL
             tokenDescriptor.TokenType = Schemas.SamlTokenTypes.Saml2TokenProfile11.OriginalString;
             tokenDescriptor.Lifetime = new Lifetime(now.UtcDateTime, now.AddMinutes(issuedTokenLifetime).UtcDateTime);
-            tokenDescriptor.AppliesToAddress = appliesToAddress.OriginalString;
-            tokenDescriptor.TokenIssuerName = Issuer.OriginalString;
+            tokenDescriptor.AppliesToAddress = appliesToAddress;
+            tokenDescriptor.TokenIssuerName = Issuer;
 #else
             tokenDescriptor.Expires = now.AddMinutes(issuedTokenLifetime).UtcDateTime;
-            tokenDescriptor.Audience = appliesToAddress.OriginalString;
-            tokenDescriptor.Issuer = Issuer.OriginalString;
+            tokenDescriptor.Audience = appliesToAddress;
+            tokenDescriptor.Issuer = Issuer;
 #endif
             return tokenDescriptor;
         }

diff --git a/src/ITfoxtec.Identity.Saml2/Request/Saml2Request.cs b/src/ITfoxtec.Identity.Saml2/Request/Saml2Request.cs
@@ -82,7 +82,7 @@ public string IdAsString
         /// Identifies the entity that generated the response message. (For more information on this element, see
         /// Section 2.2.5.)
         /// </summary>
-        public Uri Issuer { get; set; }
+        public string Issuer { get; set; }
 
         /// <summary>
         /// [Optional]
@@ -149,7 +149,7 @@ protected virtual IEnumerable<XObject> GetXContent()
 
             if (Issuer != null)
             {
-                yield return new XElement(Schemas.Saml2Constants.AssertionNamespaceX + Schemas.Saml2Constants.Message.Issuer, Issuer.OriginalString);
+                yield return new XElement(Schemas.Saml2Constants.AssertionNamespaceX + Schemas.Saml2Constants.Message.Issuer, Issuer);
             }
 
             if (Extensions != null)
@@ -185,7 +185,7 @@ protected internal virtual void Read(string xml, bool validateXmlSignature)
 
             IssueInstant = XmlDocument.DocumentElement.Attributes[Schemas.Saml2Constants.Message.IssueInstant].GetValueOrNull<DateTimeOffset>();
 
-            Issuer = XmlDocument.DocumentElement[Schemas.Saml2Constants.Message.Issuer, Schemas.Saml2Constants.AssertionNamespace.OriginalString].GetValueOrNull<Uri>();
+            Issuer = XmlDocument.DocumentElement[Schemas.Saml2Constants.Message.Issuer, Schemas.Saml2Constants.AssertionNamespace.OriginalString].GetValueOrNull<string>();
 
             Destination = XmlDocument.DocumentElement.Attributes[Schemas.Saml2Constants.Message.Destination].GetValueOrNull<Uri>();
 

diff --git a/src/ITfoxtec.Identity.Saml2/Schemas/Metadata/EntityDescriptor.cs b/src/ITfoxtec.Identity.Saml2/Schemas/Metadata/EntityDescriptor.cs
@@ -26,7 +26,7 @@ public class EntityDescriptor
         /// <summary>
         /// Specifies the unique identifier of the SAML entity whose metadata is described by the element's contents.
         /// </summary>
-        public Uri EntityId { get; protected set; }
+        public string EntityId { get; protected set; }
 
         /// <summary>
         /// A document-unique identifier for the element, typically used as a reference point when signing.
@@ -115,7 +115,7 @@ protected IEnumerable<XObject> GetXContent()
             {
                 throw new ArgumentNullException("EntityId property");
             }
-            yield return new XAttribute(Saml2MetadataConstants.Message.EntityId, EntityId.OriginalString);
+            yield return new XAttribute(Saml2MetadataConstants.Message.EntityId, EntityId);
             yield return new XAttribute(Saml2MetadataConstants.Message.Id, IdAsString);
             if (ValidUntil.HasValue)
             {
@@ -148,7 +148,7 @@ public virtual EntityDescriptor ReadIdPSsoDescriptor(string idPMetadataXml)
                 throw new Saml2RequestException("Not Metadata.");
             }
 
-            EntityId = metadataXmlDocument.DocumentElement.Attributes[Saml2MetadataConstants.Message.EntityId].GetValueOrNull<Uri>();
+            EntityId = metadataXmlDocument.DocumentElement.Attributes[Saml2MetadataConstants.Message.EntityId].GetValueOrNull<string>();
 
             Id = metadataXmlDocument.DocumentElement.Attributes[Saml2MetadataConstants.Message.Id].GetValueOrNull<Saml2Id>();
 

diff --git a/test/TestIdPCore/Controllers/AuthController.cs b/test/TestIdPCore/Controllers/AuthController.cs
@@ -80,12 +80,12 @@ public IActionResult Logout()
             }
         }
 
-        private Uri ReadRelyingPartyFromLoginRequest<T>(Saml2Binding<T> binding)
+        private string ReadRelyingPartyFromLoginRequest<T>(Saml2Binding<T> binding)
         {
             return binding.ReadSamlRequest(Request.ToGenericHttpRequest(), new Saml2AuthnRequest(config))?.Issuer;
         }
 
-        private Uri ReadRelyingPartyFromLogoutRequest<T>(Saml2Binding<T> binding)
+        private string ReadRelyingPartyFromLogoutRequest<T>(Saml2Binding<T> binding)
         {
             return binding.ReadSamlRequest(Request.ToGenericHttpRequest(), new Saml2LogoutRequest(config))?.Issuer;
         }
@@ -131,37 +131,37 @@ private IActionResult LogoutResponse(Saml2Id inResponseTo, Saml2StatusCodes stat
             return responsebinding.Bind(saml2LogoutResponse).ToActionResult();
         }
 
-        private RelyingParty ValidateRelyingParty(Uri issuer)
+        private RelyingParty ValidateRelyingParty(string issuer)
         {
             var validRelyingPartys = new List<RelyingParty>();
             validRelyingPartys.Add(new RelyingParty
             {
-                Issuer = new Uri("urn:itfoxtec:identity:saml2:testwebapp"),
+                Issuer = "urn:itfoxtec:identity:saml2:testwebapp",
                 SingleSignOnDestination = new Uri("http://localhost:3112/Auth/AssertionConsumerService"),
                 SingleLogoutResponseDestination = new Uri("http://localhost:3112/Auth/LoggedOut"),
                 SignatureValidationCertificate = CertificateUtil.Load(Startup.AppEnvironment.MapToPhysicalFilePath("itfoxtec.identity.saml2.testwebapp_Certificate.crt"))
             });
             validRelyingPartys.Add(new RelyingParty
             {
-                Issuer = new Uri("urn:itfoxtec:identity:saml2:testwebappcore"),
+                Issuer = "itfoxtec-testwebappcore",
                 SingleSignOnDestination = new Uri("https://localhost:44306/Auth/AssertionConsumerService"),
                 SingleLogoutResponseDestination = new Uri("https://localhost:44306/Auth/LoggedOut"),
                 SignatureValidationCertificate = CertificateUtil.Load(Startup.AppEnvironment.MapToPhysicalFilePath("itfoxtec.identity.saml2.testwebappcore_Certificate.crt"))
             });
             validRelyingPartys.Add(new RelyingParty
             {
-                Issuer = new Uri("urn:itfoxtec:identity:saml2:testwebappcoreframework"),
+                Issuer = "urn:itfoxtec:identity:saml2:testwebappcoreframework",
                 SingleSignOnDestination = new Uri("https://localhost:44307/Auth/AssertionConsumerService"),
                 SingleLogoutResponseDestination = new Uri("https://localhost:44307/Auth/LoggedOut"),
                 SignatureValidationCertificate = CertificateUtil.Load(Startup.AppEnvironment.MapToPhysicalFilePath("itfoxtec.identity.saml2.testwebappcore_Certificate.crt"))
             });
 
-            return validRelyingPartys.Where(rp => rp.Issuer.OriginalString.Equals(issuer.OriginalString, StringComparison.InvariantCultureIgnoreCase)).Single();
+            return validRelyingPartys.Where(rp => rp.Issuer.Equals(issuer, StringComparison.InvariantCultureIgnoreCase)).Single();
         }
 
         class RelyingParty
         {
-            public Uri Issuer { get; set; }
+            public string Issuer { get; set; }
 
             public Uri SingleSignOnDestination { get; set; }
 

diff --git a/test/TestIdPCore/appsettings.json b/test/TestIdPCore/appsettings.json
@@ -8,7 +8,7 @@
     }
   },
   "Saml2": {
-    "Issuer": "urn:itfoxtec:identity:saml2:testidpcore",
+    "Issuer": "itfoxtec-testidpcore",
     "SingleSignOnDestination": "https://localhost:44305/Auth/Login",
     "SingleLogoutDestination": "https://localhost:44305/Auth/Logout",
     "SignatureAlgorithm": "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256",

diff --git a/test/TestWebApp/App_Start/IdentityConfig.cs b/test/TestWebApp/App_Start/IdentityConfig.cs
@@ -20,7 +20,7 @@ public static void RegisterIdentity()
         {
             AntiForgeryConfig.UniqueClaimTypeIdentifier = ClaimTypes.NameIdentifier;
 
-            Saml2Configuration.Issuer = new Uri(ConfigurationManager.AppSettings["Saml2:Issuer"]);
+            Saml2Configuration.Issuer = ConfigurationManager.AppSettings["Saml2:Issuer"];
             //Saml2Configuration.SingleSignOnDestination = new Uri(ConfigurationManager.AppSettings["Saml2:SingleSignOnDestination"]);
             //Saml2Configuration.SingleLogoutDestination = new Uri(ConfigurationManager.AppSettings["Saml2:SingleLogoutDestination"]);
 

diff --git a/test/TestWebApp/Controllers/IdPInitiatedController.cs b/test/TestWebApp/Controllers/IdPInitiatedController.cs
@@ -23,12 +23,12 @@ public ActionResult Initiate()
 
             var config = new Saml2Configuration();
 
-            config.Issuer = new Uri("http://some-domain.com/this-application");
+            config.Issuer = "http://some-domain.com/this-application";
             config.SingleSignOnDestination = new Uri("https://test-adfs.itfoxtec.com/adfs/ls/");
             config.SigningCertificate = CertificateUtil.Load(HttpContext.Server.MapPath("~/App_Data/itfoxtec.identity.saml2.testwebapp_Certificate.pfx"), "!QAZ2wsx");
             config.SignatureAlgorithm = Saml2SecurityAlgorithms.RsaSha256Signature;
 
-            var appliesToAddress = new Uri("https://test-adfs.itfoxtec.com/adfs/services/trust");
+            var appliesToAddress = "https://test-adfs.itfoxtec.com/adfs/services/trust";
 
             var response = new Saml2AuthnResponse(config);
             response.Status = Saml2StatusCodes.Success;    

diff --git a/test/TestWebAppCore/Controllers/IdPInitiatedController.cs b/test/TestWebAppCore/Controllers/IdPInitiatedController.cs
@@ -25,12 +25,12 @@ public IActionResult Initiate()
 
             var config = new Saml2Configuration();
 
-            config.Issuer = new Uri("http://some-domain.com/this-application");
+            config.Issuer = "http://some-domain.com/this-application";
             config.SingleSignOnDestination = new Uri("https://test-adfs.itfoxtec.com/adfs/ls/");
             config.SigningCertificate = CertificateUtil.Load(Startup.AppEnvironment.MapToPhysicalFilePath("itfoxtec.identity.saml2.testwebappcore_Certificate.pfx"), "!QAZ2wsx");
             config.SignatureAlgorithm = Saml2SecurityAlgorithms.RsaSha256Signature;
 
-            var appliesToAddress = new Uri("https://test-adfs.itfoxtec.com/adfs/services/trust");
+            var appliesToAddress = "https://test-adfs.itfoxtec.com/adfs/services/trust";
 
             var response = new Saml2AuthnResponse(config);
             response.Status = Saml2StatusCodes.Success;    

diff --git a/test/TestWebAppCore/appsettings.json b/test/TestWebAppCore/appsettings.json
@@ -9,7 +9,7 @@
   },
   "Saml2": {
     "IdPMetadata": "https://localhost:44305/metadata",
-    "Issuer": "urn:itfoxtec:identity:saml2:testwebappcore",
+    "Issuer": "itfoxtec-testwebappcore",
     //"SingleSignOnDestination": "https://test-adfs.itfoxtec.com/adfs/ls/",
     //"SingleLogoutDestination": "https://test-adfs.itfoxtec.com/adfs/ls/",
     "SignatureAlgorithm": "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256",

diff --git a/test/TestWebAppCoreFramework/Controllers/IdPInitiatedController.cs b/test/TestWebAppCoreFramework/Controllers/IdPInitiatedController.cs
@@ -25,12 +25,12 @@ public IActionResult Initiate()
 
             var config = new Saml2Configuration();
 
-            config.Issuer = new Uri("http://some-domain.com/this-application");
+            config.Issuer = "http://some-domain.com/this-application";
             config.SingleSignOnDestination = new Uri("https://test-adfs.itfoxtec.com/adfs/ls/");
             config.SigningCertificate = CertificateUtil.Load(Startup.AppEnvironment.MapToPhysicalFilePath("itfoxtec.identity.saml2.testwebappcore_Certificate.pfx"), "!QAZ2wsx");
             config.SignatureAlgorithm = Saml2SecurityAlgorithms.RsaSha256Signature;
 
-            var appliesToAddress = new Uri("https://test-adfs.itfoxtec.com/adfs/services/trust");
+            var appliesToAddress = "https://test-adfs.itfoxtec.com/adfs/services/trust";
 
             var response = new Saml2AuthnResponse(config);
             response.Status = Saml2StatusCodes.Success;