AuthnRequest support Subject and NameID

Author: Revsgaard

src/ITfoxtec.Identity.Saml2/Request/Saml2AuthnRequest.cs

@@ -31,6 +31,13 @@ public class Saml2AuthnRequest : Saml2Request
         public bool? IsPassive { get; set; }
 
         /// <summary>
+            /// [Optional]
+        /// Specifies the requested subject of the resulting assertion(s). 
+        /// </summary>
+        public Subject Subject { get; set; }
+
+        /// <summary>
+        /// [Optional]
         /// Specifies constraints on the name identifier to be used to represent the requested subject. If omitted,
         /// then any type of identifier supported by the identity provider for the requested subject can be used,
         /// constrained by any relevant deployment-specific policies, with respect to privacy, for example.
@@ -103,6 +110,11 @@ protected override IEnumerable<XObject> GetXContent()
                 yield return new XAttribute(Saml2Constants.Message.AssertionConsumerServiceURL, AssertionConsumerServiceUrl);
             }
 
+            if (Subject != null)
+            {
+                yield return Subject.ToXElement();
+            }
+
             if (NameIdPolicy != null)
             {
                 yield return NameIdPolicy.ToXElement();
@@ -121,6 +133,8 @@ protected internal override void Read(string xml, bool validateXmlSignature = fa
             ForceAuthn = XmlDocument.DocumentElement.Attributes[Saml2Constants.Message.ForceAuthn].GetValueOrNull<bool>();
 
             IsPassive = XmlDocument.DocumentElement.Attributes[Saml2Constants.Message.IsPassive].GetValueOrNull<bool>();
+
+            Subject = XmlDocument.DocumentElement[Saml2Constants.Message.Subject, Saml2Constants.AssertionNamespace.OriginalString].GetValueOrNull<Subject>();
         }
 
         protected override void ValidateElementName()

src/ITfoxtec.Identity.Saml2/Schemas/NameID.cs

@@ -0,0 +1,48 @@
+using System;
+using System.Collections.Generic;
+using System.Xml.Linq;
+
+namespace ITfoxtec.Identity.Saml2.Schemas
+{
+    /// <summary>
+    /// The <NameID> is used when an element serves to represent an entity by a string-valued name.
+    /// </summary>
+    public class NameID
+    {
+        const string elementName = Saml2Constants.Message.NameId;
+
+        /// <summary>
+        /// String content containing the actual identifier.
+        /// </summary>
+        public string ID { get; set; }
+
+        /// <summary>
+        /// [Optional]
+        /// A URI reference representing the classification of string-based identifier information. See Section
+        /// 8.3 for the SAML-defined URI references that MAY be used as the value of the Format attribute
+        /// and their associated descriptions and processing rules.Unless otherwise specified by an element
+        /// based on this type, if no Format value is provided, then the value
+        /// urn:oasis:names:tc:SAML:1.0:nameid-format:unspecified(see Section 8.3.1) is in effect.
+        /// </summary>
+        public string Format { get; set; }
+
+        public XElement ToXElement()
+        {
+            var envelope = new XElement(Saml2Constants.AssertionNamespaceX + elementName);
+
+            envelope.Add(GetXContent());
+
+            return envelope;
+        }
+
+        protected IEnumerable<XObject> GetXContent()
+        {
+            if (!string.IsNullOrWhiteSpace(Format))
+            {
+                yield return new XAttribute(Saml2Constants.Message.Format, Format);
+            }
+
+            yield return new XText(ID);
+        }
+    }
+}

src/ITfoxtec.Identity.Saml2/Schemas/Saml2Constants.cs

@@ -110,7 +110,7 @@ public static class Message
             internal const string NotOnOrAfter = "NotOnOrAfter";
 
             internal const string Reason = "Reason";
-
+            
             internal const string NameIdPolicy = "NameIDPolicy";
 
             internal const string AllowCreate = "AllowCreate";

src/ITfoxtec.Identity.Saml2/Schemas/Subject.cs

@@ -0,0 +1,35 @@
+using System.Collections.Generic;
+using System.Xml.Linq;
+
+namespace ITfoxtec.Identity.Saml2.Schemas
+{
+    /// <summary>
+    /// The <Subject> element specifies the principal that is the subject of all of the (zero or more) statements in the assertion.
+    /// </summary>
+    public class Subject
+    {
+        const string elementName = Saml2Constants.Message.Subject;
+
+        /// <summary>
+        /// Contains an identifier.
+        /// </summary>
+        public NameID NameID { get; set; }
+
+        public XElement ToXElement()
+        {
+            var envelope = new XElement(Saml2Constants.AssertionNamespaceX + elementName);
+
+            envelope.Add(GetXContent());
+
+            return envelope;
+        }
+
+        protected virtual IEnumerable<XObject> GetXContent()
+        {
+            if (NameID != null)
+            {
+                yield return NameID.ToXElement();
+            }
+        }
+    }
+}

src/ITfoxtec.Identity.Saml2/Util/GenericTypeConverter.cs

@@ -2,6 +2,7 @@
 using System;
 using System.Globalization;
 using System.Xml;
+using ITfoxtec.Identity.Saml2.Schemas;
 #if NETFULL
 using System.IdentityModel.Tokens;
 #else
@@ -36,11 +37,19 @@ internal static T ConvertValue<T>(string value, XmlNode xmlNode)
             {
                 return GenericConvertValue<T, Saml2NameIdentifier>(new Saml2NameIdentifier(value, ConvertValue<Uri>(xmlNode.Attributes[Schemas.Saml2Constants.Message.Format]?.Value, xmlNode)));
             }
+            if (genericType == typeof(NameID))
+            {
+                return GenericConvertValue<T, NameID>(new NameID { ID = value, Format = xmlNode.Attributes[Schemas.Saml2Constants.Message.Format]?.Value });
+            }
+            if (genericType == typeof(Subject))
+            {
+                return GenericConvertValue<T, Subject>(new Subject { NameID = ConvertValue<NameID>(xmlNode[Schemas.Saml2Constants.Message.NameId, Schemas.Saml2Constants.AssertionNamespace.OriginalString]?.InnerText?.Trim(), xmlNode) });
+            }
             else
             {
                 return GenericConvertValue<T, string>(value);
             }
-        }
+        }        
 
         static T GenericConvertValue<T, U>(U value)
         {

test/TestIdPCore/Controllers/AuthController.cs

@@ -42,7 +42,7 @@ public IActionResult Login()
                 // ****  Handle user login e.g. in GUI ****
                 // Test user with session index and claims
                 var sessionIndex = Guid.NewGuid().ToString();
-                var claims = CreateTestUserClaims();
+                var claims = CreateTestUserClaims(saml2AuthnRequest.Subject?.NameID?.ID);
 
                 return LoginResponse(saml2AuthnRequest.Id, Saml2StatusCodes.Success, requestBinding.RelayState, relyingParty, sessionIndex, claims);
             }
@@ -170,11 +170,12 @@ class RelyingParty
             public X509Certificate2 SignatureValidationCertificate { get; set; }
         }
 
-        private IEnumerable<Claim> CreateTestUserClaims()
+        private IEnumerable<Claim> CreateTestUserClaims(string selectedNameID)
         {
-            yield return new Claim(ClaimTypes.NameIdentifier, "12345");
-            yield return new Claim(ClaimTypes.Upn, "[email protected]");
-            yield return new Claim(ClaimTypes.Email, "[email protected]");
+            var userId = selectedNameID ?? "12345";
+            yield return new Claim(ClaimTypes.NameIdentifier, userId);
+            yield return new Claim(ClaimTypes.Upn, $"{userId}@email.test");
+            yield return new Claim(ClaimTypes.Email, $"{userId}@someemail.test");
         }
     }
 }        

test/TestWebAppCore/Controllers/AuthController.cs

@@ -34,6 +34,7 @@ public IActionResult Login(string returnUrl = null)
             return binding.Bind(new Saml2AuthnRequest(config)
             {
                 //ForceAuthn = true,
+                Subject = new Subject { NameID = new NameID { ID = "abcd" } },
                 //NameIdPolicy = new NameIdPolicy { AllowCreate = true, Format = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent" },
                 //RequestedAuthnContext = new RequestedAuthnContext
                 //{